Lesson 26

NCL: Network Traffic Analysis

Analyzing packet captures to identify protocols, extract data, and detect attacks

Network Traffic Analysis

Network traffic analysis challenges give you PCAP files (Packet Capture) — recordings of network traffic between devices. Your job is to identify protocols, extract transmitted data, find credentials, and detect malicious activity.

The primary tools are Wireshark (GUI) and tshark (command-line). In NCL, you typically receive a PCAP and answer questions about what happened in the captured traffic.


1. Reading PCAP Files

A PCAP file contains every packet transmitted during a capture — headers, payloads, timestamps, source/destination addresses. Each packet has multiple layers (Ethernet → IP → TCP/UDP → Application).

tshark (command-line Wireshark)

# Display all packets (summary view)
tshark -r capture.pcap

# Count total packets
tshark -r capture.pcap | wc -l

# Show packet details (verbose)
tshark -r capture.pcap -V | head -100

Wireshark (GUI)

Open a PCAP in Wireshark to see three panels:

  1. Packet list — one row per packet with timestamp, source, destination, protocol, info
  2. Packet details — expandable protocol layers for the selected packet
  3. Packet bytes — raw hex and ASCII

Checkpoint: What is the difference between a PCAP and a PCAPNG file?

PCAP is the original format — one capture interface, basic metadata. PCAPNG (Next Generation) supports multiple interfaces, comments, name resolution, and richer metadata. Both are readable by Wireshark/tshark. NCL typically uses standard PCAP.
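To make the layering described above concrete, here is an added example (written for this lesson, not code from Wireshark or NCL) that reads a classic PCAP file directly: it parses the 24-byte global header and the 16-byte record header in front of every frame, then walks Ethernet, IPv4 and TCP/UDP to produce the same summary fields a tshark row shows. It assumes the classic pcap format (not pcapng) with an Ethernet link type, decodes only IPv4, and builds its own constructed three-packet capture in memory with build_frame/build_pcap so it runs without a real file.

```python
import struct
from typing import Iterator, List, Tuple

# Classic pcap layout: a 24-byte global header, then one 16-byte record header per frame.
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10)]


def iter_records(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) for each record; byte order comes from the magic number."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng and nanosecond pcap are not handled here)")
    ghdr = struct.Struct(endian + "IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
    rhdr = struct.Struct(endian + "IIII")     # ts_sec, ts_usec, incl_len, orig_len
    if ghdr.unpack_from(data, 0)[6] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is decoded here")
    off = ghdr.size
    while off + rhdr.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = rhdr.unpack_from(data, off)
        off += rhdr.size
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # capture cut short: stop instead of mis-parsing the tail
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def summarize(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP/UDP and return the fields of a tshark summary row."""
    row = {"src": None, "dst": None, "proto": "ETH", "sport": None, "dport": None, "flags": ""}
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != 0x0800:
        row["proto"] = "ARP" if ethertype == 0x0806 else "0x%04x" % ethertype
        return row
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes; IP options push the payload further out
    proto = ip[9]
    row["src"] = ".".join(map(str, ip[12:16]))
    row["dst"] = ".".join(map(str, ip[16:20]))
    row["proto"] = PROTO_NAMES.get(proto, str(proto))
    l4 = ip[ihl:]
    if proto in (6, 17):
        row["sport"], row["dport"] = struct.unpack_from("!HH", l4, 0)
    if proto == 6:
        row["flags"] = ",".join(name for name, bit in TCP_FLAG_BITS if l4[13] & bit)
    return row


def packet_list(pcap_bytes: bytes) -> List[dict]:
    """Summary rows in capture order, the equivalent of 'tshark -r capture.pcap'."""
    return [summarize(frame) for _ts, frame in iter_records(pcap_bytes)]


# --- constructed sample capture (not from any real network) ---------------------------------
def build_frame(src, dst, proto, sport, dport, tcp_flags=0x02, payload=b"") -> bytes:
    """Minimal Ethernet/IPv4/(TCP|UDP) frame for testing; checksums are left zero on purpose."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4


def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.1", 17, 51000, 53, payload=b"\x00" * 12),  # DNS query
    build_frame("10.0.0.5", "192.168.1.10", 6, 40000, 80, tcp_flags=0x02),     # SYN
    build_frame("192.168.1.10", "10.0.0.5", 6, 80, 40000, tcp_flags=0x12),     # SYN,ACK
])

if __name__ == "__main__":
    for n, r in enumerate(packet_list(SAMPLE_PCAP), 1):
        print(n, r["src"], "->", r["dst"], r["proto"], r["sport"], r["dport"], r["flags"])
```

Run it and compare the three printed rows with what tshark shows for the same kind of traffic. The point of the exercise is that every field tshark displays is sitting at a fixed offset in the frame; once you know the offsets, display filters like ip.src or tcp.dstport stop being magic.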


2. Filtering Traffic

Filtering is the core skill — a PCAP can contain thousands of packets, and you need to isolate specific traffic.

Display filters (Wireshark/tshark)

# Filter by protocol
tshark -r capture.pcap -Y "http"
tshark -r capture.pcap -Y "dns"
tshark -r capture.pcap -Y "ftp"
tshark -r capture.pcap -Y "tcp.port == 22"

# Filter by IP address
tshark -r capture.pcap -Y "ip.addr == 10.0.0.1"
tshark -r capture.pcap -Y "ip.src == 10.0.0.1"
tshark -r capture.pcap -Y "ip.dst == 192.168.1.1"

# Combine filters
tshark -r capture.pcap -Y "http && ip.src == 10.0.0.1"
tshark -r capture.pcap -Y "tcp.port == 80 || tcp.port == 443"

Common filter expressions

Filter                                    | What it matches
------------------------------------------|----------------------------------------------
http                                      | HTTP traffic
dns                                       | DNS queries and responses
tcp.port == 22                            | SSH traffic
ftp                                       | FTP commands and data
tcp.flags.syn == 1 && tcp.flags.ack == 0  | TCP SYN packets (connection attempts)
http.request.method == "POST"             | HTTP POST requests (form submissions, logins)
frame contains "password"                 | Packets containing the string "password"

Checkpoint: You need to find all DNS queries in a PCAP. What tshark command shows just the queried domain names?

tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort -u

-Y "dns.qry.name" filters DNS queries, -T fields -e dns.qry.name extracts only the domain name field, and sort -u deduplicates. This gives a clean list of every domain that was looked up.


3. Extracting Data

Following TCP streams

A TCP stream is the full conversation between two endpoints. Wireshark reassembles the packets in order:

# Follow the first TCP stream (index 0)
tshark -r capture.pcap -z "follow,tcp,ascii,0"

# In Wireshark: right-click a packet → Follow → TCP Stream

This reconstructs the full conversation — you can read HTTP requests/responses, FTP commands, chat messages, or any other TCP-based protocol.

Extracting files

# Extract all HTTP objects (downloaded files)
tshark -r capture.pcap --export-objects http,exported_files/

# List exported files
ls exported_files/

Wireshark GUI: File → Export Objects → HTTP → Save All

Finding credentials

Unencrypted protocols transmit credentials in plaintext:

# HTTP Basic Authentication
tshark -r capture.pcap -Y "http.authbasic" -T fields -e http.authbasic

# FTP credentials
tshark -r capture.pcap -Y "ftp.request.command == USER || ftp.request.command == PASS" \
  -T fields -e ftp.request.command -e ftp.request.arg

# Telnet (follow the stream to see typed commands)
tshark -r capture.pcap -Y "telnet" -z "follow,tcp,ascii,0"

Checkpoint: You filter for "ftp" and see "USER admin" followed by "PASS hunter2". What just happened?

Someone logged into an FTP server with username admin and password hunter2. FTP transmits credentials in plaintext — no encryption. Anyone capturing the network traffic (as in this PCAP) can read them directly. This is why SFTP (FTP over SSH) or FTPS (FTP over TLS) should be used instead.
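"Follow TCP Stream" does two things: it puts the segments back in sequence-number order and drops bytes it has already seen, and only then does the conversation become readable. The added example below (this lesson's editorial addition, not Wireshark code) does the same for one direction of a stream and then scans the reassembled text for the two credential leaks discussed above, HTTP Basic authentication and FTP USER/PASS. The segments, the HTTP request and the alice credential are constructed; the admin/hunter2 pair mirrors the checkpoint. The "[N bytes missing]" gap marker is this script's own notation, not Wireshark's exact wording.

```python
import base64
import re
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (TCP sequence number, payload) for one direction of a stream


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild one direction of a TCP stream from out-of-order or retransmitted segments."""
    stream = bytearray()
    next_seq = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if next_seq is None:
            next_seq = seq
        if seq + len(payload) <= next_seq:
            continue  # pure retransmission: every byte is already in the stream
        if seq < next_seq:
            payload = payload[next_seq - seq:]  # partial overlap: keep only the new tail
            seq = next_seq
        if seq > next_seq:
            stream += b"[%d bytes missing]" % (seq - next_seq)  # gap marker (this script's notation)
        stream += payload
        next_seq = seq + len(payload)
    return bytes(stream)


BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
FTP_RE = re.compile(rb"^(USER|PASS)\s+(\S+)", re.MULTILINE)


def find_plaintext_credentials(stream: bytes) -> List[Dict[str, str]]:
    """Report credentials exposed in a reassembled cleartext stream (HTTP Basic, FTP USER/PASS)."""
    findings = []
    for token in BASIC_RE.findall(stream):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not valid Basic auth, skip it
            continue
        user, _, password = decoded.partition(":")
        findings.append({"protocol": "http-basic", "user": user, "password": password})
    ftp = {cmd.decode(): arg.decode("utf-8", "replace") for cmd, arg in FTP_RE.findall(stream)}
    if "USER" in ftp:
        findings.append({"protocol": "ftp", "user": ftp["USER"], "password": ftp.get("PASS", "")})
    return findings


# --- constructed sample streams (not from a real capture) -----------------------------------
HTTP_REQUEST = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:Winter2024!") + b"\r\n\r\n")
HTTP_SEGMENTS = [
    (1, HTTP_REQUEST[:20]),
    (41, HTTP_REQUEST[40:]),    # arrives before the middle piece
    (21, HTTP_REQUEST[20:40]),
    (21, HTTP_REQUEST[20:40]),  # retransmission of the middle piece
]
FTP_SEGMENTS = [(1, b"USER admin\r\n"), (13, b"PASS hunter2\r\n"), (27, b"CWD /upload\r\n")]

if __name__ == "__main__":
    for name, segs in (("http", HTTP_SEGMENTS), ("ftp", FTP_SEGMENTS)):
        data = reassemble(segs)
        print(name, data.decode("utf-8", "replace"))
        print(find_plaintext_credentials(data))
```

Two details matter when you read real streams. Retransmissions are common in captures taken on a busy link, so a naive concatenation duplicates bytes and can split a header across the duplicate; and a gap (segments the capture missed) means the conversation you see is incomplete, which is worth stating in an answer rather than guessing at the missing bytes.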


4. Identifying Attacks

Port scan detection

A port scan sends many SYN packets to different ports on the same target:

# Count SYN packets per destination port (scan indicator)
tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
  -T fields -e tcp.dstport | sort | uniq -c | sort -rn | head

The output lists how many SYNs each destination port received. A scan shows up as a long tail of ports that each got only one or two SYNs; extract ip.src next to tcp.dstport to confirm they all came from a single source.

DNS exfiltration

Attackers sometimes encode stolen data as DNS queries to bypass firewalls:

# Look for unusually long DNS queries (data exfiltration indicator)
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | \
  awk '{print length, $0}' | sort -rn | head

Domain names over 50 characters or containing hex/Base64-like subdomains are suspicious.

ARP spoofing

# Look for multiple MAC addresses claiming the same IP
tshark -r capture.pcap -Y "arp" -T fields -e arp.src.hw_mac -e arp.src.proto_ipv4 | sort -u

If two different MAC addresses claim the same IP, someone is ARP spoofing.
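Each of the three commands in this section ends with a human reading a sorted list. As an added example (not part of the lesson), the same three heuristics are implemented below as code that runs over the tab-separated lines tshark -T fields prints, so the judgement calls become explicit. The sample lines are constructed, and the thresholds (more than 5 distinct ports per source/target pair, names over 50 characters, label entropy above 3.5 bits per character) are this script's choices, not NCL rules.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample of: tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
#   -T fields -e ip.src -e ip.dst -e tcp.dstport
SYN_FIELDS = """10.0.0.99\t10.0.0.1\t22
10.0.0.99\t10.0.0.1\t23
10.0.0.99\t10.0.0.1\t80
10.0.0.99\t10.0.0.1\t443
10.0.0.99\t10.0.0.1\t445
10.0.0.99\t10.0.0.1\t3389
10.0.0.5\t10.0.0.1\t443
10.0.0.5\t10.0.0.1\t443
"""


def syn_scan_sources(fields: str, port_threshold: int = 5) -> Dict[str, int]:
    """{'src->dst': distinct_ports} for pairs where one source probed more than port_threshold ports.
    Distinct ports rather than raw SYN counts, so a client retrying one service is not flagged."""
    ports = defaultdict(set)
    for line in fields.splitlines():
        if line.strip():
            src, dst, dport = line.split("\t")
            ports[f"{src}->{dst}"].add(int(dport))
    return {pair: len(p) for pair, p in ports.items() if len(p) > port_threshold}


# Constructed sample of: tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name
DNS_FIELDS = """www.example.com
mail.example.com
4a6f686e20446f65207373683a20313131.3131313131313131313131.exfil.example.net
5a6c6a3d3d4d4a4d4e5a.exfil.example.net
aGVsbG8gd29ybGQgdGhpcyBpcw.exfil.example.net
cdn.static.example.org
www.example.com
"""
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)
ENCODED_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def suspicious_dns_names(fields: str, max_len: int = 50, entropy_floor: float = 3.5) -> List[Tuple[str, str]]:
    """(name, reason) for query names over max_len or whose first label looks like encoded data."""
    flagged = []
    for name in dict.fromkeys(fields.split()):  # deduplicate while keeping capture order
        label = name.split(".")[0]
        if len(name) > max_len:
            flagged.append((name, f"length {len(name)} > {max_len}"))
        elif HEX_LABEL.match(label):
            flagged.append((name, "hex-like label"))
        elif ENCODED_LABEL.match(label) and shannon_entropy(label) > entropy_floor:
            flagged.append((name, "high-entropy label"))
    return flagged


# Constructed sample of: tshark -r capture.pcap -Y "arp" -T fields -e arp.src.hw_mac -e arp.src.proto_ipv4
ARP_FIELDS = """aa:bb:cc:dd:ee:01\t10.0.0.1
aa:bb:cc:dd:ee:02\t10.0.0.2
de:ad:be:ef:00:01\t10.0.0.1
aa:bb:cc:dd:ee:01\t10.0.0.1
"""


def arp_conflicts(fields: str) -> Dict[str, List[str]]:
    """{ip: [mac, ...]} for every IP announced by more than one MAC in the capture."""
    macs = defaultdict(set)
    for line in fields.splitlines():
        if line.strip():
            mac, ip = line.split("\t")
            macs[ip].add(mac.lower())
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


if __name__ == "__main__":
    print("SYN scan candidates:", syn_scan_sources(SYN_FIELDS))
    print("suspicious DNS names:", suspicious_dns_names(DNS_FIELDS))
    print("ARP conflicts:", arp_conflicts(ARP_FIELDS))
```

Treat each result as a lead, not a verdict. A gateway that fails over between two routers (or an IP that DHCP reassigned mid-capture) also shows one IP with two MACs, so check the timing of the ARP replies before calling it spoofing; and long or random-looking hostnames are normal for some CDNs and mail infrastructure, so look at query volume and whether the domain answers with anything useful before calling it exfiltration.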


5. Protocol Quick Reference

Protocol | Port | What to look for
---------|------|--------------------------------------------------
HTTP     | 80   | URLs, form data, file downloads, cookies
HTTPS    | 443  | Encrypted — cannot read content without the key
FTP      | 21   | USER/PASS commands, file transfers on port 20
DNS      | 53   | Queried domains, exfiltration via long subdomains
SSH      | 22   | Encrypted — can only see connection metadata
Telnet   | 23   | Full session in plaintext (commands + output)
SMTP     | 25   | Email content, sender/recipient addresses
SMB      | 445  | File shares, potentially lateral movement

Resources

Practice: Malware Traffic Analysis (real PCAPs with malware) · CyberDefenders (blue team PCAP challenges) · Wireshark Sample Captures

Reference: Wireshark Display Filter Reference · tshark Manual

Video: Chris Greer — Wireshark tutorials · 13Cubed — Network forensics