Network Forensics

Analysis

Network forensics involves capturing and analyzing network traffic to identify malicious activity, exfiltration attempts, and command-and-control communication.

PCAP Analysis with Wireshark & tshark

network-forensics.sh
# Capture traffic
tcpdump -i eth0 -w capture.pcap

# tshark filters
tshark -r capture.pcap -Y "http.request"
tshark -r capture.pcap -Y "dns"
tshark -r capture.pcap -Y "tcp.port == 4444"  # Common reverse shell port

# Extract HTTP objects
tshark -r capture.pcap --export-objects http,./extracted_files

# Find DNS queries
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort -u

# Identify beaconing (C2 traffic): list gaps between consecutive packets to one destination.
# frame.time_delta_displayed measures against the previous *displayed* frame, so it respects the filter
# (plain frame.time_delta would measure against the previous captured frame regardless of the filter).
tshark -r capture.pcap -Y "ip.dst == 192.168.1.100" -T fields -e frame.time_delta_displayed | sort -n

# NetworkMiner (GUI) can also carve files and credentials from the PCAP
# Zeek (formerly Bro) for protocol analysis; logs are written to the current directory
zeek -r capture.pcap
cat conn.log    # Connection summary
cat http.log    # HTTP requests
cat dns.log     # DNS queries
cat files.log   # Extracted files

# Suricata IDS analysis
suricata -r capture.pcap -l ./logs

Indicators of Compromise

Suspicious Patterns

  • Regular beaconing intervals
  • DNS tunneling (long subdomains)
  • Connections to known bad IPs
  • Unusual ports (4444, 5555, 8080)
  • Large outbound data transfers
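The beaconing and DNS-tunneling heuristics above, applied to Zeek-style log records in a script. This is an added example, not part of the original cheat sheet; the log lines are constructed, and the thresholds (min_flows, max_cv, max_label, max_qlen) are arbitrary starting points to tune against your own baseline.

```python
"""Flag beaconing and DNS-tunneling patterns in constructed Zeek-style records."""
import statistics
from collections import defaultdict

# Constructed sample: a subset of Zeek conn.log columns, tab separated:
# ts, id.orig_h, id.resp_h, id.resp_p. The first host connects every ~60 s.
CONN_LOG = """\
1700000000.0\t10.0.0.5\t203.0.113.10\t443
1700000060.1\t10.0.0.5\t203.0.113.10\t443
1700000119.9\t10.0.0.5\t203.0.113.10\t443
1700000180.2\t10.0.0.5\t203.0.113.10\t443
1700000240.0\t10.0.0.5\t203.0.113.10\t443
1700000003.0\t10.0.0.7\t198.51.100.4\t80
1700000010.0\t10.0.0.7\t198.51.100.4\t80
1700000400.0\t10.0.0.7\t198.51.100.4\t80
1700000410.0\t10.0.0.7\t198.51.100.4\t80
1700000415.0\t10.0.0.7\t198.51.100.4\t80
"""

# Constructed sample: the 'query' column of a Zeek dns.log.
DNS_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "a3f9c2e1b7d4a3f9c2e1b7d4a3f9c2e1b7d4a3f9c2e1b7d4."
    "a3f9c2e1b7d4a3f9c2e1b7d4a3f9c2e1b7d4.tunnel.example.net",
]

def find_beacons(conn_log, min_flows=5, max_cv=0.1):
    """Return (src, dst, port, mean_interval_s) for flow groups whose
    inter-arrival times are nearly constant (low coefficient of variation)."""
    times = defaultdict(list)
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):   # skip Zeek header lines
            continue
        ts, src, dst, port = line.split("\t")
        times[(src, dst, int(port))].append(float(ts))
    hits = []
    for key, ts_list in times.items():
        if len(ts_list) < min_flows:
            continue
        ts_list.sort()
        deltas = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(deltas)
        cv = statistics.pstdev(deltas) / mean if mean else 0.0
        if cv <= max_cv:
            hits.append((*key, round(mean, 1)))
    return hits

def suspicious_dns(queries, max_label=40, max_qlen=100):
    """Return queries with an over-long label or an over-long total name."""
    return [q for q in queries
            if len(q) > max_qlen or any(len(l) > max_label for l in q.split("."))]
```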

Tools

  • Wireshark / tshark
  • NetworkMiner
  • Zeek (Bro)
  • Suricata
  • Arkime (Moloch)