Intermediate

Network Traffic Analysis

Capturing and analyzing network traffic reveals credentials, sensitive data, and attack patterns. Essential for both offense and defense.

Complementary Content

This module covers traffic analysis concepts. For tool-specific commands, see Wireshark and Nmap cheatsheets.

Traffic Capture Methods

🔌 Local Capture

Capture on your own interface with Wireshark, tcpdump or tshark. Promiscuous mode makes the NIC accept every frame that reaches it, but on a switched network that is only your own unicast traffic plus broadcast and multicast; other hosts' unicast flows never arrive at your port.

  • Wireshark, tcpdump, tshark
  • Promiscuous mode accepts every frame the NIC receives
  • Limited to your own switch port: broadcast, multicast and your own flows

🔀 SPAN/Mirror Port

The switch copies traffic from one or more source ports or VLANs to a monitor port. This is the legitimate way to feed an IDS or a capture box.

  • Requires admin access to the switch
  • Can mirror individual ports or whole VLANs
  • An oversubscribed mirror port silently drops packets under load

🕵️ ARP Spoofing (MITM)

Send forged ARP replies so the victim maps the gateway's IP to the attacker's MAC (and the gateway maps the victim's IP the same way). Traffic then flows through the attacker, who forwards it so the sessions keep working.

  • arpspoof, ettercap, bettercap
  • Captures traffic between hosts on the same segment
  • Noisy: detectable by IDS, arpwatch-style monitors and switch features such as Dynamic ARP Inspection
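The detection side of the bullet above, as an added example that is not part of the original module: parse raw Ethernet/ARP frames and flag any IP address that more than one MAC claims to own, which is exactly the symptom a poisoning attack produces. The frames, MACs and addresses are constructed for the demo.

```python
"""Added example (not part of the original module): detect ARP cache poisoning
from raw Ethernet/ARP frames by recording which MAC addresses claim each IP.
All frames below are constructed for the demo; MACs and IPs are made up."""
import struct
from collections import defaultdict

ETHERTYPE_ARP = b"\x08\x06"


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying an ARP reply (opcode 2)."""
    eth = target_mac + sender_mac + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # hw=Ethernet, proto=IPv4, hlen, plen, op
    arp += sender_mac + bytes(int(o) for o in sender_ip.split("."))
    arp += target_mac + bytes(int(o) for o in target_ip.split("."))
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip


def detect_arp_spoof(frames):
    """Return {ip: [mac, ...]} for every IP claimed by more than one MAC.
    Only replies (opcode 2) are counted: those are what update victim caches."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == 2:
            _, mac, ip = parsed
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed capture: two legitimate replies, then an attacker poisoning both sides
GW_MAC = bytes.fromhex("aabbcc000001")
VICTIM_MAC = bytes.fromhex("aabbcc000064")
ATTACKER_MAC = bytes.fromhex("deadbeef0001")
SAMPLE_FRAMES = [
    build_arp_reply(GW_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.100"),
    build_arp_reply(VICTIM_MAC, "192.168.1.100", GW_MAC, "192.168.1.1"),
    build_arp_reply(ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.100"),  # "I am the gateway"
    build_arp_reply(ATTACKER_MAC, "192.168.1.100", GW_MAC, "192.168.1.1"),      # "I am the victim"
]

if __name__ == "__main__":
    for ip, macs in detect_arp_spoof(SAMPLE_FRAMES).items():
        print(f"ALERT: {ip} claimed by {', '.join(macs)}")
```

In a real deployment you would feed frames from a SPAN port or tap rather than a list, and you would also alert when the MAC for a known gateway IP changes at all, since a poisoner may be the only host answering once the real gateway's replies are suppressed.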

📡 Network Tap

A physical device placed inline on the link that copies every frame to a monitor port. A passive tap has no address and transmits nothing, so the monitored hosts cannot see it.

  • Hardware solution
  • No packet loss (unlike an oversubscribed SPAN port)
  • Requires physical access to the cable

Analysis Workflow

1. Capture: collect packets
2. Filter: reduce noise
3. Analyze: find patterns
4. Extract: pull artifacts
5. Report: document findings

What to Look For

🔓 Credentials in Transit

  • FTP login (port 21) - USER/PASS commands in plaintext
  • Telnet (port 23) - plaintext, including every typed password
  • HTTP Basic Auth - Base64 of user:password (decode it; encoding is not encryption)
  • HTTP POST with login forms - form fields in the request body
  • SMTP AUTH PLAIN/LOGIN (ports 25/587) - Base64, same caveat
  • POP3/IMAP (110/143) - USER/PASS and LOGIN commands in plaintext

📁 File Transfers

  • SMB file shares (Follow TCP stream, or File > Export Objects > SMB)
  • HTTP downloads (File > Export Objects > HTTP)
  • FTP data transfers (separate data connection: port 20 active, or a high port in passive mode)
  • Email attachments (SMTP/IMAP, base64-encoded MIME parts)
  • Identify carved files by magic bytes (MZ, PK, %PDF), never by extension or Content-Type
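The Export Objects step, done by hand as an added example that is not part of the original module: walk a server-to-client HTTP stream, carve each response body by its Content-Length, and classify the body by magic bytes so that a PE served as "image/png" is caught. The stream is constructed; only Content-Length framing is handled, not chunked transfer encoding.

```python
"""Added example (not part of the original module): carve HTTP response bodies
out of a reassembled server-to-client stream (what Export Objects does) and
identify each body by magic bytes rather than trusting Content-Type.
The stream is constructed; only Content-Length framing is handled, not chunked."""

MAGIC = [
    (b"MZ", "pe"),           # Windows PE / DOS executable
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),  # also docx/xlsx/jar/apk containers
    (b"%PDF", "pdf"),
    (b"\x89PNG", "png"),
]
EXPECTED_MIME = {
    "pe": {"application/x-msdownload", "application/vnd.microsoft.portable-executable",
           "application/octet-stream"},
    "elf": {"application/x-executable", "application/octet-stream"},
    "zip": {"application/zip", "application/x-zip-compressed", "application/octet-stream"},
    "pdf": {"application/pdf"},
    "png": {"image/png"},
}


def identify(body):
    """Classify a carved body by its leading bytes."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    return "unknown"


def export_http_objects(stream):
    """Return one dict per HTTP response found in the byte stream."""
    objects, pos = [], 0
    while True:
        start = stream.find(b"HTTP/1.", pos)
        if start < 0:
            break
        hdr_end = stream.find(b"\r\n\r\n", start)
        if hdr_end < 0:
            break
        lines = stream[start:hdr_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = stream[hdr_end + 4:hdr_end + 4 + length]
        declared = headers.get("content-type", "").split(";")[0].strip().lower()
        detected = identify(body)
        objects.append({
            "status": lines[0].split(" ", 2)[1],
            "declared": declared,
            "detected": detected,
            "size": len(body),
            # a known type served under a MIME type it never uses is worth a second look
            "mismatch": detected != "unknown" and declared not in EXPECTED_MIME[detected],
        })
        pos = hdr_end + 4 + length
    return objects


def _response(content_type, body, extra=b""):
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n" + extra + b"\r\n")
    return head + body


# Constructed stream: a real-looking PDF, then a PE masquerading as a PNG
PDF_BODY = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
PE_BODY = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
SAMPLE_STREAM = (
    _response(b"application/pdf", PDF_BODY)
    + _response(b"image/png", PE_BODY, b'Content-Disposition: attachment; filename="logo.png"\r\n')
)

if __name__ == "__main__":
    for obj in export_http_objects(SAMPLE_STREAM):
        flag = "  <-- type mismatch" if obj["mismatch"] else ""
        print(f"{obj['status']} {obj['declared']:16} {obj['detected']:8} {obj['size']} bytes{flag}")
```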

🔍 Reconnaissance Activity

  • Port scans (one source sending SYNs to many ports; RSTs or silence coming back)
  • DNS queries (subdomain enumeration: bursts of lookups with many NXDOMAIN responses)
  • ICMP sweeps (echo requests walking a whole address range)
  • Service banner grabbing (short connections that only read the server greeting)
  • LDAP/AD queries (enumeration of users, groups and SPNs)
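The first and third bullets as detection logic, in an added example that is not part of the original module: a sliding-window count of distinct destination ports per source/destination pair catches SYN scans, and a count of distinct hosts receiving echo requests from one source catches ping sweeps. The event tuples mimic what `tshark -T fields` would give you and are constructed here; the thresholds are assumptions to tune per network.

```python
"""Added example (not part of the original module): flag SYN port scans and
ICMP ping sweeps from a list of connection events such as those exported from
tshark with -T fields. The events below are constructed; addresses are made up."""
from collections import defaultdict


def detect_recon(events, window=60.0, port_threshold=20, host_threshold=10):
    """events: (ts, proto, src, dst, dport, flags) tuples.
    'portscan' fires when one source sends bare SYNs to port_threshold distinct
    ports on one host inside the window; 'pingsweep' when one source sends echo
    requests to host_threshold distinct hosts inside the window. Each key fires once."""
    alerts, fired = [], set()
    syns = defaultdict(list)    # (src, dst) -> [(ts, dport), ...]
    echos = defaultdict(list)   # src -> [(ts, dst), ...]
    for ts, proto, src, dst, dport, flags in sorted(events, key=lambda e: e[0]):
        if proto == "tcp" and flags == "S":          # SYN without ACK: new connection attempt
            bucket = syns[(src, dst)]
            bucket.append((ts, dport))
            bucket[:] = [e for e in bucket if ts - e[0] <= window]
            distinct = {p for _, p in bucket}
            key = ("portscan", src, dst)
            if len(distinct) >= port_threshold and key not in fired:
                fired.add(key)
                alerts.append({"type": "portscan", "src": src, "dst": dst,
                               "count": len(distinct), "ts": ts})
        elif proto == "icmp" and flags == "echo-request":
            bucket = echos[src]
            bucket.append((ts, dst))
            bucket[:] = [e for e in bucket if ts - e[0] <= window]
            distinct = {d for _, d in bucket}
            key = ("pingsweep", src)
            if len(distinct) >= host_threshold and key not in fired:
                fired.add(key)
                alerts.append({"type": "pingsweep", "src": src, "dst": None,
                               "count": len(distinct), "ts": ts})
    return alerts


def _sample_events():
    ev = []
    for i in range(5):                          # a client reconnecting to one web server
        ev.append((100.0 + 7 * i, "tcp", "10.0.0.5", "10.0.0.50", 443, "S"))
    for port in range(1, 31):                   # SYN scan: 30 ports in three seconds
        ev.append((200.0 + 0.1 * port, "tcp", "10.0.0.66", "10.0.0.50", port, "S"))
    for host in range(1, 16):                   # ping sweep of 10.0.0.1-15
        ev.append((300.0 + 0.05 * host, "icmp", "10.0.0.66", f"10.0.0.{host}", 0, "echo-request"))
    return ev


SAMPLE_EVENTS = _sample_events()

if __name__ == "__main__":
    for a in detect_recon(SAMPLE_EVENTS):
        print(f"{a['ts']:.1f} {a['type']} from {a['src']} -> {a['dst'] or 'many hosts'} ({a['count']})")
```

A real feed would be `tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport`, split into the same tuples.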

🦠 Malicious Indicators

  • C2 beacons (connections at regular intervals with little jitter and similar sizes)
  • DNS tunneling (long, high-entropy subdomain labels; many unique names under one domain; TXT/NULL records)
  • Unusual ports for known protocols (HTTP on 8443, SSH on 443, and vice versa)
  • Large outbound data transfers, especially to hosts the network has never talked to before
  • Connections to known bad IPs/domains (check against threat intel feeds)
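The first two indicators as scoring code, in an added example that is not part of the original module: beaconing is scored by the coefficient of variation of the gaps between connections to one destination, and DNS tunnelling by long, high-entropy labels with many unique values under one parent domain. The connection and query logs are constructed; the thresholds are assumptions to tune against a baseline of normal traffic.

```python
"""Added example (not part of the original module): two heuristics for the
indicators above, run over constructed connection and DNS logs. Beaconing is
scored by how regular the gaps between connections are; DNS tunnelling by long,
high-entropy labels and many unique names under one parent domain."""
import base64
import hashlib
import math
import statistics
from collections import defaultdict


def beacon_score(timestamps):
    """Return (mean_gap, jitter) where jitter = stdev/mean of the inter-arrival
    gaps, or None when there are too few connections to judge."""
    if len(timestamps) < 6:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(connections, max_jitter=0.15):
    """connections: (ts, src, dst). Returns (src, dst, period_seconds) for regular pairs."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        score = beacon_score(times)
        if score and score[1] <= max_jitter:
            hits.append((src, dst, score[0]))
    return hits


def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def find_dns_tunnels(queries, min_len=30, min_entropy=3.5, min_unique=5):
    """queries: (src, qname). Returns (src, parent_domain, unique_labels) when enough
    distinct long, high-entropy subdomains are seen under one parent."""
    suspects = defaultdict(set)
    for src, qname in queries:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        payload = ".".join(labels[:-2])        # everything left of the registrable domain
        parent = ".".join(labels[-2:])
        if len(payload) >= min_len and entropy(payload) >= min_entropy:
            suspects[(src, parent)].add(payload)
    return sorted((src, parent, len(p)) for (src, parent), p in suspects.items()
                  if len(p) >= min_unique)


# Constructed logs: a browsing client and an implant beaconing every ~60 s
SAMPLE_CONNECTIONS = [(t, "10.0.0.5", "93.184.216.34") for t in (5, 9, 31, 32, 70, 150, 151, 400)]
SAMPLE_CONNECTIONS += [(60 * i + (0.5 if i % 2 else 0), "10.0.0.7", "203.0.113.10") for i in range(12)]


def _tunnel_label(i):
    """Deterministic stand-in for a base32-encoded exfil chunk."""
    digest = hashlib.sha256(f"chunk{i}".encode()).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=")[:40]


SAMPLE_QUERIES = [("10.0.0.5", "www.example.com"), ("10.0.0.5", "cdn.static.example.com"),
                  ("10.0.0.5", "mail.example.org")]
SAMPLE_QUERIES += [("10.0.0.7", f"{_tunnel_label(i)}.cdn-metrics.example") for i in range(8)]

if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_CONNECTIONS):
        print(f"beacon {src} -> {dst} every {period:.1f}s")
    for src, parent, n in find_dns_tunnels(SAMPLE_QUERIES):
        print(f"possible DNS tunnel from {src} to {parent}: {n} unique labels")
```

Both heuristics have known blind spots: implants with large randomized sleep (jitter above 15 percent) slip under the beacon score, and tunnels that keep labels short under many parent domains beat the per-domain count. They are starting points for hunting, not verdicts.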

Capture & Analysis Commands

tcpdump - Quick Capture

tcpdump.sh
bash
# Capture on interface to file (-n: don't resolve names, keeps capture quiet and fast)
tcpdump -i eth0 -n -w capture.pcap

# Capture specific host
tcpdump -i eth0 -n host 192.168.1.100 -w host.pcap

# Capture specific port
tcpdump -i eth0 -n port 80 -w http.pcap

# Live analysis with filters
tcpdump -i eth0 -n 'tcp port 21' -A   # FTP control channel in ASCII

tshark - CLI Wireshark

tshark.sh
bash
# Extract HTTP hosts
tshark -r capture.pcap -Y "http.request" -T fields -e http.host | sort -u

# Extract DNS queries (queries only, so responses don't duplicate the names)
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort -u

# Follow TCP stream 0 (-q suppresses the per-packet output)
tshark -r capture.pcap -q -z follow,tcp,ascii,0

# Conversation statistics
tshark -r capture.pcap -q -z conv,tcp

Bettercap - MITM Framework

bettercap.sh
bash
# Start bettercap
sudo bettercap -iface eth0

# Inside bettercap:
net.probe on              # Discover hosts
net.show                  # Show discovered hosts
set arp.spoof.targets 192.168.1.100
set arp.spoof.fullduplex true   # Poison the gateway too, so both directions pass through you
arp.spoof on              # Start ARP spoofing
net.sniff on              # Start packet capture

HTTPS Limitation

Most modern traffic is TLS (HTTPS, and increasingly SMTP, IMAP and LDAP as well). You still see the connection metadata: IPs and ports, the server name the client sends in the ClientHello (SNI), the server certificate on TLS 1.2 and below, the offered cipher suites, and packet timing and sizes. You do not see content unless you hold the server's private key and the session used a non-forward-secret RSA key exchange, you have the client's session keys (Wireshark reads the SSLKEYLOGFILE format), or you interpose a TLS proxy whose CA the client trusts. Certificate pinning and HSTS defeat that last option, and the swapped certificate is visible to anyone who looks.
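The metadata that survives encryption, as an added example that is not part of the original module: the ClientHello is sent in the clear, so a parser can read the server_name (SNI) extension and the offered cipher suites out of the first record of every TLS session. The record is built by the helper below rather than captured, and the hostname is made up; where Encrypted Client Hello is deployed the SNI is hidden and this parser would see only the outer, placeholder name.

```python
"""Added example (not part of the original module): what a capture still
exposes when the payload is TLS. The ClientHello is sent in the clear, so the
server_name (SNI) extension and offered cipher suites are readable even though
the HTTP inside is not. The record here is constructed with the builder below;
the hostname is made up."""
import struct


def build_client_hello(server_name, ciphers=(0x1301, 0x1302, 0xC02F)):
    """Minimal TLS 1.2-style ClientHello record carrying only a server_name extension."""
    body = b"\x03\x03" + bytes(32) + b"\x00"                      # version, random, session id len
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                            # one compression method: null
    host = server_name.encode("ascii")
    name_list = struct.pack("!BH", 0, len(host)) + host            # type host_name(0), length, name
    sni_ext = struct.pack("!HHH", 0x0000, len(name_list) + 2, len(name_list)) + name_list
    body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'version', 'ciphers', 'sni'} for a ClientHello record, else None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                                    # not a handshake record / not ClientHello
    hs = record[5:]
    p = 4                                              # skip handshake type + 3-byte length
    version = hs[p:p + 2]
    p += 2 + 32                                        # version, client random
    p += 1 + hs[p]                                     # session id
    (cs_len,) = struct.unpack("!H", hs[p:p + 2])
    p += 2
    ciphers = [struct.unpack("!H", hs[p + i:p + i + 2])[0] for i in range(0, cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                     # compression methods
    sni = None
    if p + 2 <= len(hs):
        (ext_len,) = struct.unpack("!H", hs[p:p + 2])
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0x0000 and elen >= 5:          # server_name: list len(2), type(1), len(2), name
                (name_len,) = struct.unpack("!H", hs[p + 3:p + 5])
                sni = hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    return {"version": version.hex(), "ciphers": ciphers, "sni": sni}


def sni_from_records(records):
    """Collect server names from every ClientHello in a list of TLS records."""
    names = []
    for rec in records:
        info = parse_client_hello(rec)
        if info and info["sni"]:
            names.append(info["sni"])
    return names


# Constructed records: one ClientHello, then an opaque application-data record
SAMPLE_RECORDS = [
    build_client_hello("intranet.example"),
    b"\x17\x03\x03\x00\x10" + bytes(range(16)),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(parse_client_hello(rec) or "encrypted record, nothing to read")
```

The same field is what `tshark -Y "tls.handshake.type == 1" -T fields -e tls.handshake.extensions_server_name` prints; the point of writing it out is to see that nothing cryptographic is needed to read it.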

Protocol-Specific Tips

Protocol   What to Extract                          Wireshark Filter
HTTP       URLs, cookies, form data, files          http.request or http.response
DNS        Queries, responses, tunneling            dns.qry.name contains "target"
SMB        Shares, files, usernames                 smb2 or smb
FTP        Credentials, file transfers              ftp.request.command == "PASS"
Telnet     Full session content                     telnet (then Follow TCP Stream)
Kerberos   Tickets, SPNs, usernames                 kerberos.CNameString