Cyber Security Academy · Lesson

Network Forensics with PCAP

Reconstructing attacks from traffic.

What Network Forensics Captures

Network forensics analyzes captured traffic to reconstruct what happened on the wire: connections, transferred files, command-and-control, and data exfiltration.

Unlike disk forensics, network evidence is ephemeral. If you were not capturing during the event, the packets are gone. This is why organizations deploy full-packet capture and flow logging in advance.

PCAP and Capture Tools

The PCAP (packet capture) format stores raw frames with timestamps. tcpdump and tshark capture from a tap or SPAN port.

Capture forensically: write to file, do not resolve names live (DNS lookups add noise), and record the capture filter used.

# Capture all traffic on eth0 to a rotating set of files
tcpdump -i eth0 -n -s 0 -w capture-%Y%m%d-%H%M%S.pcap -G 3600

# -n      no name resolution (no DNS lookups generated by the capture host)
# -s 0    full packet: snaplen 0 means do not truncate frames
# -G 3600 rotate to a new file every hour; -w takes strftime() format codes
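Once frames are on disk, the analysis side starts by reading the PCAP container and rebuilding connection records from it. The following is an added example (not part of this lesson or of tcpdump/tshark): a dependency-free reader for the classic libpcap format that walks the 24-byte global header and the 16-byte per-packet records, decodes Ethernet/IPv4/TCP/UDP headers, and aggregates packets into 5-tuple flow records the way a flow logger would. The sample traffic it parses is constructed inline (build_frame and build_pcap are helpers written for this example; checksums are left zero), and addresses are documentation ranges.

```python
import struct
from collections import Counter

def build_pcap(packets, end="<"):
    """Build a classic libpcap file (link type 1 = Ethernet) from (ts_sec, ts_usec, frame) tuples."""
    hdr = struct.pack(end + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack(end + "IIII", s, us, len(f), len(f)) + f for s, us, f in packets]
    return hdr + b"".join(recs)

def build_frame(src, dst, sport, dport, payload=b"", proto=6):
    """Constructed Ethernet/IPv4 frame carrying TCP (proto 6) or UDP (proto 17); checksums zero."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4

def parse_pcap(data):
    """Yield (timestamp, src, sport, dst, dport, proto, payload_len) for each IPv4 TCP/UDP frame."""
    # Byte order of every header field follows how the magic number reads; check both.
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(end + "I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic microsecond-resolution pcap file")
    off = 24                                                 # skip the global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # truncated or not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length in bytes
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 8:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr_len = (l4[12] >> 4) * 4 if proto == 6 else 8     # TCP data offset, fixed 8 for UDP
        yield (ts_sec + ts_usec / 1e6, src, sport, dst, dport, proto, len(l4) - hdr_len)

def flow_summary(data):
    """Aggregate packets into flow records: 5-tuple -> (packet count, payload bytes)."""
    pkts, bts = Counter(), Counter()
    for _ts, src, sp, dst, dp, proto, plen in parse_pcap(data):
        pkts[(src, sp, dst, dp, proto)] += 1
        bts[(src, sp, dst, dp, proto)] += plen
    return {k: (pkts[k], bts[k]) for k in pkts}
```

A real capture adds cases this reader skips on purpose (VLAN tags, IPv6, fragments, the nanosecond-magic variant and pcapng), which is exactly why production analysis uses tshark or a dedicated library; the structure of the walk is the same.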

All lessons in this course

  1. Forensic Fundamentals and Chain of Custody
  2. Disk Imaging and File System Analysis
  3. Network Forensics with PCAP
  4. Timeline Analysis and Reporting