Day 4 of 5
⏱ ~60 minutes
Network Security in 5 Days — Day 4

Network Traffic Analysis & Threat Hunting

Passive defenders wait for alerts. Threat hunters proactively look for attacker activity that evades automated detection. Today covers packet analysis with Wireshark, behavioral hunting with Zeek logs, and network forensics.

Wireshark Deep Dive

Wireshark captures and dissects packets with protocol-aware filtering. Display filters (ip.addr == 10.0.0.1, tcp.port == 443, http.request.method == 'POST') isolate exactly the traffic you want to see. Follow TCP Stream reconstructs a full application-layer session from its packets. Export Objects extracts files transferred over HTTP, SMB, and FTP. Coloring rules highlight suspicious patterns visually.

Hunting with Zeek Logs

Threat hunting hypotheses drive log analysis. Hypothesis: 'Attacker used DNS tunneling for C2.' Query: dns.log entries with unusually long query names (> 50 characters) or high query rates from a single host. Hypothesis: 'Lateral movement via SMB.' Query: conn.log for internal hosts connecting to port 445 at unusual hours. Rita (Real Intelligence Threat Analytics) automates beacon detection.

Network Forensics: Reconstructing Attacks

Post-incident, PCAPs tell the full story. Tools: NetworkMiner (passively reassembles files from PCAPs), Xplico (reconstructs web sessions), and Moloch/Arkime (full-packet storage at scale). Timeline reconstruction combines PCAP data with firewall logs, DNS logs, and endpoint telemetry to answer: who attacked, when, how, and what did they take?

```bash
# Capture filter (capture-time, BPF syntax shared by tcpdump and Wireshark)
tcpdump -i eth0 -w capture.pcap 'not port 22'

# Wireshark display filters (analysis-time)
# ip.addr == 192.168.1.100 && tcp
# http.request.method == 'POST'
# dns.qry.name contains '.tk'
# tcp.flags.syn == 1 && tcp.flags.ack == 0  # SYN scan

# Zeek: find long DNS queries (possible tunneling)
zeek-cut query < dns.log | awk '{print length, $0}' | sort -rn | head -20

# Zeek: count repeated connections to the same host:port (beacon candidates;
# Rita below checks whether the intervals between them are regular)
zeek-cut id.orig_h id.resp_h id.resp_p < conn.log \
  | sort | uniq -c | sort -rn | head -20

# Rita beacon detection
rita import /path/to/zeek/logs rita-db
rita show-beacons rita-db
```
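The beaconing hypothesis above is the one the shell one-liners handle least well, because counting connections says nothing about timing regularity. The following added example (not part of the lesson or of Rita) parses a constructed Zeek conn.log excerpt and scores each source/destination/port triple by the coefficient of variation of its inter-connection intervals; the thresholds `min_conns` and `max_cv` are assumed starting points, not Rita's values.

```python
import statistics
from collections import defaultdict

# Constructed Zeek conn.log excerpt (TSV with a #fields header), not a real capture.
# 10.0.0.5 -> 203.0.113.7:443 every ~60 s (beacon-like); 10.0.0.9 -> 198.51.100.3:80 irregular.
SAMPLE_CONN_LOG = """#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1700000000.0\t10.0.0.5\t50001\t203.0.113.7\t443\ttcp
1700000060.2\t10.0.0.5\t50002\t203.0.113.7\t443\ttcp
1700000119.9\t10.0.0.5\t50003\t203.0.113.7\t443\ttcp
1700000180.1\t10.0.0.5\t50004\t203.0.113.7\t443\ttcp
1700000240.0\t10.0.0.5\t50005\t203.0.113.7\t443\ttcp
1700000005.0\t10.0.0.9\t50100\t198.51.100.3\t80\ttcp
1700000007.0\t10.0.0.9\t50101\t198.51.100.3\t80\ttcp
1700000900.0\t10.0.0.9\t50102\t198.51.100.3\t80\ttcp
1700001500.0\t10.0.0.9\t50103\t198.51.100.3\t80\ttcp
1700001502.0\t10.0.0.9\t50104\t198.51.100.3\t80\ttcp
"""

def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def find_beacons(text, min_conns=4, max_cv=0.2):
    """Flag (orig, resp, port) triples whose connection intervals are nearly constant.
    cv = stdev / mean of the gaps between consecutive connections; low cv means
    machine-like timing, which is what a beacon looks like in conn.log."""
    ts_by_pair = defaultdict(list)
    for rec in parse_conn_log(text):
        key = (rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])
        ts_by_pair[key].append(float(rec["ts"]))
    results = []
    for key, stamps in ts_by_pair.items():
        if len(stamps) < min_conns:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            results.append({"pair": key, "count": len(stamps),
                            "interval": round(mean, 1), "cv": round(cv, 3)})
    return sorted(results, key=lambda r: r["cv"])  # most regular first

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONN_LOG):
        print(hit)
```

On a real conn.log, run it over `zeek-cut`-free input (the script reads the raw TSV) and expect jitter-adding implants to push the cv up, which is why Rita also looks at data sizes and connection counts rather than timing alone.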
💡
Capture traffic as close to the source as possible. A mirror port (SPAN) on the core switch sees everything. Capturing at the perimeter misses east-west (internal) traffic that reveals lateral movement.
📝 Day 4 Exercise
Hunt Threats in a PCAP
  1. Download a malware PCAP from malware-traffic-analysis.net
  2. Open it in Wireshark and use display filters to isolate suspicious traffic
  3. Export any embedded files (File > Export Objects > HTTP)
  4. Run the PCAP through Zeek and analyze dns.log for suspicious queries
  5. Write a 3-paragraph incident summary: what happened, how it happened, indicators of compromise

Day 4 Summary

  • Wireshark display filters and Follow TCP Stream analyze specific sessions
  • Threat hunting uses hypotheses to proactively search for attacker activity
  • Zeek logs enable behavioral analysis across entire network sessions
  • Rita automates beacon detection by identifying regular communication patterns
  • Network forensics reconstructs full attack timelines from PCAP and log data
Challenge

Download and analyze the 'Cobalt Strike' exercise PCAP from malware-traffic-analysis.net. Identify the C2 IP, the beaconing interval, and any lateral movement activity. Write a formal incident report.
