Network Forensics: Packet Capture and Analysis
Introduction to network forensics using packet capture tools like Wireshark and tcpdump.
What Is Network Forensics?
Network forensics is the capture, recording, and analysis of network traffic to detect security incidents, investigate breaches, and support legal proceedings. Unlike log analysis which shows summaries, packet capture reveals the full content of network communications.
Network forensics answers questions that other security tools cannot: What data was exfiltrated? What commands did the attacker send? Which systems communicated with the C2 server?
Packet Capture Tools
tcpdump is the command-line standard for capturing packets on Unix systems:
# Capture on eth0, write to file
sudo tcpdump -i eth0 -w capture.pcap
# Capture only HTTP traffic
sudo tcpdump -i eth0 port 80 -w http_traffic.pcap
# Capture traffic to/from specific IP
sudo tcpdump host 192.168.1.100
Wireshark provides a graphical interface for deep packet analysis with protocol dissectors, conversation tracking, and stream reassembly.
Analysis Techniques
- Follow TCP streams — Reconstruct complete conversations between hosts
- Protocol hierarchy — Identify unusual protocols or unexpected traffic types
- Display filters — Focus on specific traffic:
http.request.method == POST,dns.qry.name contains "suspicious" - Expert info — Wireshark flags retransmissions, malformed packets, and protocol violations
Forensic Best Practices
Preserve the chain of custody. Capture packets to write-once media and generate checksums immediately. Analyze copies, never originals. Document your methodology for every investigation step. Time synchronization (NTP) across all capture points is essential for correlating events.