Network Forensics

Investigate network traffic and identify malicious activities in packet captures

Introduction to Network Forensics

Network forensics involves capturing, recording, and analyzing network traffic to detect intrusions, investigate security incidents, and understand network behavior. It's essential for incident response, threat hunting, and understanding attack patterns.

Key Concepts
  • Packet Capture (PCAP): Recording network traffic for analysis
  • Protocol Analysis: Understanding how different protocols work and communicate
  • Traffic Reconstruction: Rebuilding sessions and extracting transferred files
  • Anomaly Detection: Identifying unusual patterns or malicious behavior
  • Timeline Analysis: Understanding the sequence of network events
Common Use Cases
  • Data exfiltration investigations
  • Malware command and control (C2) communication analysis
  • Lateral movement detection
  • Credential theft identification
  • Protocol misuse detection

Wireshark Fundamentals

Wireshark is the industry-standard network protocol analyzer. It allows you to capture and interactively browse network traffic.

Essential Display Filters
# Filter by IP address
ip.addr == 192.168.1.100        # Either source or destination
ip.src == 192.168.1.100         # Source only
ip.dst == 192.168.1.100         # Destination only

# Filter by protocol
http                             # HTTP traffic
dns                              # DNS queries/responses
ftp                              # FTP traffic
ssh                              # SSH connections
tcp                              # All TCP traffic
udp                              # All UDP traffic

# Filter by port
tcp.port == 80                   # HTTP
tcp.port == 443                  # HTTPS
tcp.port == 22                   # SSH
udp.port == 53                   # DNS
tcp.port == 3389                 # RDP

# Combined filters
ip.addr == 192.168.1.100 && tcp.port == 80
http.request.method == "POST"
dns.qry.name contains "malicious"

# HTTP-specific filters
http.request                     # All HTTP requests
http.request.method == "GET"     # GET requests
http.request.method == "POST"    # POST requests
http.request.uri contains "login"
http.response.code == 200        # Successful responses
http.response.code >= 400        # Client/server errors

# Filter for file transfers
frame contains "pdf"
frame contains "exe"
http.response.code == 200 && http.content_type contains "application"

# DNS filters
dns.flags.response == 0          # DNS queries only
dns.flags.response == 1          # DNS responses only
dns.qry.name contains ".com"

# TLS/SSL filters (Wireshark 3.0+ names the protocol "tls"; "ssl" is kept as an alias)
tls.handshake.type == 1          # Client Hello
tls.handshake.type == 2          # Server Hello
tls.handshake.extensions_server_name   # SNI: the hostname requested, readable even though the payload is encrypted
Wireshark Analysis Techniques
# Follow TCP stream (right-click packet)
# Analyze -> Follow -> TCP Stream

# Follow HTTP stream
# Analyze -> Follow -> HTTP Stream

# Export HTTP objects
# File -> Export Objects -> HTTP

# Protocol hierarchy
# Statistics -> Protocol Hierarchy

# Conversations
# Statistics -> Conversations

# Endpoints
# Statistics -> Endpoints

# IO Graphs
# Statistics -> IO Graph
Useful Wireshark Features
  • Coloring Rules: View -> Coloring Rules to highlight specific traffic
  • Time Display: View -> Time Display Format for timestamp customization
  • Name Resolution: Edit -> Preferences -> Name Resolution
  • Expert Information: Analyze -> Expert Information for protocol-level warnings (retransmissions, resets, malformed packets); it flags broken or odd traffic, not malicious traffic as such

Tshark - Command Line Analysis

Tshark is the command-line version of Wireshark, ideal for automation and scripting.

Basic Commands
# Capture live traffic
sudo tshark -i eth0 -w capture.pcap

# Read a pcap file
tshark -r capture.pcap

# Read with specific count
tshark -r capture.pcap -c 100

# Display specific protocols
tshark -r capture.pcap -Y "http"
tshark -r capture.pcap -Y "dns"

# Extract specific fields (tcp.port would print both ports comma-separated; name them explicitly)
tshark -r capture.pcap -T fields -E header=y -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport

# Extract HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri

# Extract DNS queries
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name

# Statistics
tshark -r capture.pcap -q -z io,phs                    # Protocol hierarchy
tshark -r capture.pcap -q -z conv,tcp                  # TCP conversations
tshark -r capture.pcap -q -z endpoints,ip              # IP endpoints

# Export HTTP objects
tshark -r capture.pcap --export-objects http,extracted_files/

# Export SMB objects
tshark -r capture.pcap --export-objects smb,extracted_files/

# Filter and save
tshark -r capture.pcap -Y "http" -w http_only.pcap
Advanced Tshark Usage
# Extract credentials from HTTP traffic
tshark -r capture.pcap -Y "http.request.method == POST" -T fields \
  -e http.host -e http.request.uri -e http.file_data

# Find suspicious User-Agents
tshark -r capture.pcap -Y "http.user_agent" -T fields -e http.user_agent | sort -u

# Analyze DNS queries for C2 beaconing
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort | uniq -c | sort -rn

# Extract files from FTP data channels (recent Wireshark/tshark releases have an ftp-data object
# exporter; on older builds, follow the ftp-data TCP stream in Wireshark and save it as raw)
tshark -r capture.pcap --export-objects ftp-data,extracted_ftp/

# Timeline of HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e frame.time -e ip.src -e http.host -e http.request.uri

Additional Network Forensics Tools

tcpdump - Packet Capture
# Basic capture
sudo tcpdump -i eth0 -w capture.pcap

# Capture with filters
sudo tcpdump -i eth0 host 192.168.1.100 -w capture.pcap
sudo tcpdump -i eth0 port 80 -w capture.pcap
sudo tcpdump -i eth0 'tcp port 80 or tcp port 443' -w capture.pcap

# Snapshot length: -s 0 captures whole packets; a small value such as -s 96 keeps only headers,
# which saves disk but truncates payloads you may later need to reconstruct
sudo tcpdump -i eth0 -s 0 -w capture.pcap

# Read and display capture
tcpdump -r capture.pcap

# Display with ASCII
tcpdump -A -r capture.pcap

# Display with hex and ASCII
tcpdump -XX -r capture.pcap

# Filter by protocol
tcpdump -r capture.pcap 'tcp'
tcpdump -r capture.pcap 'udp'
tcpdump -r capture.pcap 'icmp'
NetworkMiner - Network Forensic Analysis

NetworkMiner is a passive network sniffer/packet capturing tool that automatically extracts artifacts.

# GUI tool for Windows/Linux
# Features:
# - Automatic file extraction
# - Credential extraction
# - OS fingerprinting
# - Hostname detection
# - Session reconstruction
Zeek (formerly Bro) - Network Analysis Framework
# Analyze pcap file
zeek -r capture.pcap

# This generates multiple log files:
# conn.log - Connection summaries
# http.log - HTTP requests
# dns.log - DNS queries
# files.log - Transferred files
# ssl.log - SSL/TLS connections

# Read Zeek logs
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto service

# Analyze HTTP traffic
cat http.log | zeek-cut host uri status_code

# Extract files (Zeek's bundled policy script; extracted files land in ./extract_files/)
zeek -r capture.pcap policy/frameworks/files/extract-all-files
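Zeek logs are tab-separated with a self-describing header, and zeek-cut is a thin reader over that header. The following is an added example, not part of the page or the Zeek project, that parses a constructed conn.log embedded in the script (the sample rows, addresses and UIDs are invented) and totals bytes per originator/responder pair; it honours the #separator, #unset_field and #empty_field declarations and converts numeric columns according to #types.

```python
# Added example (not from the page or the Zeek project): a zeek-cut-style reader for
# Zeek's tab-separated logs, run against a constructed conn.log embedded below.
from collections import defaultdict

# Constructed sample conn.log; header lines mirror what Zeek writes (separator is an escape).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\t"
    "duration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\t"
    "interval\tcount\tcount\tstring\n"
    "1704067200.10\tCabc1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl\t12.5\t1500\t98000\tSF\n"
    "1704067260.20\tCabc2\t10.0.0.5\t51001\t203.0.113.10\t443\ttcp\tssl\t600.0\t250\t400\tSF\n"
    "1704067261.00\tCabc3\t10.0.0.7\t5353\t10.0.0.1\t53\tudp\tdns\t0.01\t60\t120\tSF\n"
    "1704067300.00\tCabc4\t10.0.0.9\t44000\t10.0.0.5\t445\ttcp\t-\t-\t-\t-\tS0\n"
    "#close\t2024-01-01-00-05-00\n"
)

# Zeek type name -> Python converter; anything else stays a string
NUMERIC = {"time": float, "interval": float, "count": int, "port": int, "int": int, "double": float}


def parse_zeek_log(text):
    """Return (fields, rows). Rows are dicts keyed by field name; the unset marker maps to
    None, the empty marker to '', and numeric columns are converted per the #types line."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields, types, rows = [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # written as an escape sequence (\x09 for TAB), so decode it
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            parts = line.split(sep)
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#types":
                types = parts[1:]
            elif parts[0] == "#unset_field":
                unset = parts[1]
            elif parts[0] == "#empty_field":
                empty = parts[1]
        elif line:
            row = {}
            for name, typ, value in zip(fields, types, line.split(sep)):
                if value == unset:
                    row[name] = None
                elif value == empty:
                    row[name] = ""
                else:
                    row[name] = NUMERIC.get(typ, str)(value)
            rows.append(row)
    return fields, rows


def top_talkers(rows, n=3):
    """Bytes in both directions per (orig_h, resp_h), largest first. Unset byte counts
    (connections that never completed, e.g. conn_state S0) count as zero."""
    totals = defaultdict(int)
    for r in rows:
        totals[(r["id.orig_h"], r["id.resp_h"])] += (r["orig_bytes"] or 0) + (r["resp_bytes"] or 0)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    _, conn_rows = parse_zeek_log(SAMPLE_CONN_LOG)
    for (orig, resp), total in top_talkers(conn_rows):
        print(f"{orig} -> {resp}: {total} bytes")
```

The same reader works for http.log, dns.log and files.log, since every Zeek log carries the same header block; only the #fields differ.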
Scapy - Packet Manipulation
# Python packet manipulation library
from scapy.all import rdpcap, IP, TCP, Raw, DNS, DNSQR

# Read pcap file into memory (use PcapReader('capture.pcap') to stream large captures)
packets = rdpcap('capture.pcap')

# Filter packets: client-to-server TCP segments to port 80 that actually carry payload
http_packets = [p for p in packets
                if p.haslayer(IP) and p.haslayer(TCP) and p.haslayer(Raw)
                and p[TCP].dport == 80]

# Extract HTTP Host headers; decode loosely because payloads are not always valid UTF-8
for p in http_packets:
    payload = p[Raw].load.decode('utf-8', errors='ignore')
    for line in payload.split('\r\n'):
        if line.lower().startswith('host:'):
            print(p[IP].src, '->', line)

# Analyze DNS queries (qr == 0 selects queries; responses carry a DNSQR section too)
dns_packets = [p for p in packets if p.haslayer(DNS) and p[DNS].qr == 0]
for p in dns_packets:
    if p.haslayer(DNSQR):
        print(p[DNSQR].qname.decode('utf-8', errors='ignore'))

Detecting Malicious Activity

Common Attack Patterns
Port Scanning Detection
# Look for SYN packets without established connections
tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" -T fields -e ip.dst | sort | uniq -c | sort -rn

# Wireshark filter for port scans
tcp.flags.syn == 1 && tcp.flags.ack == 0
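The SYN-count one-liner above tells you which hosts received many connection attempts, not who probed them or how. The following is an added example, not part of the page, that does the triage step on records of the shape tshark would emit for the same filter with -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport; the records here are constructed inline rather than read from a capture. It distinguishes a vertical scan (one source, many ports on one host) from a horizontal sweep (one source, one port across many hosts) using a sliding time window, and leaves ordinary repeated connections alone.

```python
# Added example (not from the page): port-scan triage over SYN-only records of the form
# (epoch_seconds, src, dst, dport), i.e. what the tshark filter above yields with
# -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport.
from collections import Counter, defaultdict

# Constructed sample: a vertical scan of 40 ports on 10.0.0.5, a horizontal sweep of
# port 445 across 30 hosts, and a normal client making a few HTTPS/HTTP connections.
SYN_RECORDS = []
SYN_RECORDS += [(0.0 + i * 0.01, "10.0.0.9", "10.0.0.5", 1 + i) for i in range(40)]
SYN_RECORDS += [(5.0 + i * 0.1, "10.0.0.9", f"10.0.1.{i + 1}", 445) for i in range(30)]
SYN_RECORDS += [(1.0, "10.0.0.7", "10.0.0.5", 443), (2.0, "10.0.0.7", "10.0.0.5", 443),
                (3.5, "10.0.0.7", "10.0.0.6", 80)]


def _max_distinct_in_window(events, window):
    """events: list of (ts, key). Largest number of distinct keys observed within any
    span of `window` seconds (sliding window; keys are counted in as it advances and
    counted out as old events fall off the back)."""
    events = sorted(events)
    counts, start, best = Counter(), 0, 0
    for ts, key in events:
        counts[key] += 1
        while ts - events[start][0] > window:
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def scan_candidates(records, min_ports=20, window=60.0):
    """Vertical scans: {(src, dst): distinct ports} where one source sent SYNs to at
    least min_ports distinct ports on the same host within `window` seconds."""
    per_pair = defaultdict(list)
    for ts, src, dst, dport in records:
        per_pair[(src, dst)].append((ts, dport))
    return {pair: n for pair, ev in per_pair.items()
            if (n := _max_distinct_in_window(ev, window)) >= min_ports}


def sweep_candidates(records, min_hosts=10, window=60.0):
    """Horizontal sweeps: {(src, dport): distinct hosts} where one source sent SYNs to the
    same port on at least min_hosts distinct hosts within `window` seconds."""
    per_port = defaultdict(list)
    for ts, src, dst, dport in records:
        per_port[(src, dport)].append((ts, dst))
    return {key: n for key, ev in per_port.items()
            if (n := _max_distinct_in_window(ev, window)) >= min_hosts}


if __name__ == "__main__":
    print("vertical scans:", scan_candidates(SYN_RECORDS))
    print("horizontal sweeps:", sweep_candidates(SYN_RECORDS))
```

Thresholds are deliberately parameters: a slow scanner that spreads probes over hours needs a wider window and a lower count, and in that regime the SYN-without-ACK filter alone produces too much noise to eyeball.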
DNS Tunneling Detection
# Look for unusual DNS query patterns
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | awk 'length > 50'

# High frequency DNS queries to same domain
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | sort | uniq -c | sort -rn | head

# Wireshark filter
dns.qry.name && frame.len > 100
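Length and frequency on their own produce false positives (CDNs, anti-spam hash lookups, SRV records); a tunnel stands out when a single registered domain receives many distinct, long, high-entropy subdomains. The following is an added example, not part of the page, that scores a constructed query list (the names, including the invented domains example.org and evil-dns.net, are made up for the demonstration) rather than a capture; the list is the kind of thing the tshark -e dns.qry.name command above prints. It assumes the registered domain is the last two labels, which is wrong for suffixes such as co.uk; a public-suffix list fixes that in real use.

```python
# Added example (not from the page): scoring DNS query names for tunnelling over a
# constructed query list. Registered domain = last two labels (assumption; use a public
# suffix list for co.uk-style domains in practice).
import hashlib
import math
from collections import Counter, defaultdict

QUERIES = ["www.example.com"] * 20 + ["mail.example.com", "cdn.example.com"]
# constructed busy-but-benign CDN: many distinct, short, low-entropy subdomains
QUERIES += [f"asset{i}.static.example.org" for i in range(25)]
# constructed tunnel: each query carries 48 hex characters of payload in two labels
for i in range(30):
    chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
    QUERIES.append(f"{chunk[:24]}.{chunk[24:]}.t.evil-dns.net")


def shannon_entropy(s):
    """Bits per character of s. Hex payload scores near 4, base32 near 5,
    hostnames made of words usually below 3.5."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(name):
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def tunnel_candidates(names, min_unique=20, min_len=40, min_entropy=3.5):
    """Return {registered_domain: stats} for domains that received at least min_unique
    distinct names whose subdomain prefixes are on average long and high-entropy.
    Each signal alone is weak; requiring all three is what separates a tunnel from a CDN."""
    by_domain = defaultdict(set)
    for n in names:
        by_domain[registered_domain(n)].add(n.rstrip(".").lower())
    findings = {}
    for dom, subs in by_domain.items():
        prefixes = [s[: -(len(dom) + 1)] for s in subs if s.endswith("." + dom)]
        if len(prefixes) < min_unique:
            continue
        avg_len = sum(len(p) for p in prefixes) / len(prefixes)
        avg_ent = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / len(prefixes)
        if avg_len >= min_len and avg_ent >= min_entropy:
            findings[dom] = {"unique_names": len(subs),
                             "avg_prefix_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)}
    return findings


if __name__ == "__main__":
    for dom, stats in tunnel_candidates(QUERIES).items():
        print(dom, stats)
```

TXT and NULL record types, and responses whose answer sections are unusually large, are the complementary signals on the response side; this script looks only at query names.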
Data Exfiltration
# Large POST requests
tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e frame.len -e ip.dst -e http.host

# Unusual upload sizes
http.request.method == POST && http.content_length > 1000000

# FTP uploads
ftp.request.command == "STOR"
Command & Control (C2) Detection
# Beaconing detection (regular intervals): list connection start times per destination, sorted
# by destination then time, so the gaps between consecutive connections can be compared
tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
  -T fields -e ip.dst -e frame.time_relative | sort -k1,1 -k2,2n

# Suspicious User-Agents
http.user_agent && !(http.user_agent contains "Mozilla" || http.user_agent contains "Chrome")

# HTTP on non-standard ports (if Wireshark did not recognise it as HTTP, use Analyze -> Decode As)
http && !(tcp.port in {80 443 8080})
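Sorting timestamps only gets you a list to stare at; the actual beacon signal is that the gaps between consecutive connections to one destination are nearly constant, even when the implant adds jitter. The following is an added example, not part of the page, that computes that on a constructed timeline (one host calling 203.0.113.10 every 60 s with about 2 s of jitter, another browsing 198.51.100.20 at irregular intervals; both are invented) instead of the tshark output above. It flags a pair when the coefficient of variation of its inter-connection gaps is low.

```python
# Added example (not from the page): beacon detection from connection start times.
# Input tuples are (seconds, src, dst), one per new outbound connection; the timeline
# below is constructed rather than taken from a capture.
import statistics
from collections import defaultdict

CONNECTIONS = []
# constructed beacon: every 60 s with +/-2 s of deterministic jitter
CONNECTIONS += [(60.0 * i + ((i * 7) % 5 - 2), "10.0.0.12", "203.0.113.10") for i in range(20)]
# constructed human browsing: irregular gaps to the same site
_t = 0.0
for gap in [1, 3, 0.5, 120, 7, 2, 300, 4, 1, 45]:
    CONNECTIONS.append((_t, "10.0.0.7", "198.51.100.20"))
    _t += gap
CONNECTIONS.append((_t, "10.0.0.7", "198.51.100.20"))


def interval_stats(times):
    """Median gap between consecutive timestamps and the coefficient of variation of the
    gaps (population std / mean). A beacon keeps the CV low even with jitter; a person
    clicking around does not."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return statistics.median(gaps), cv


def beacon_candidates(conns, min_count=10, max_cv=0.25):
    """{(src, dst): stats} for pairs with at least min_count connections whose gaps are
    regular (CV <= max_cv). Raise max_cv for implants configured with large jitter, and
    expect to pay for it in false positives from polling software."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)
    out = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        median_gap, cv = interval_stats(times)
        if cv <= max_cv:
            out[pair] = {"count": len(times),
                         "interval_s": round(median_gap, 1),
                         "jitter_cv": round(cv, 3)}
    return out


if __name__ == "__main__":
    for (src, dst), stats in beacon_candidates(CONNECTIONS).items():
        print(f"{src} -> {dst}: every ~{stats['interval_s']} s, CV {stats['jitter_cv']}")
```

Legitimate software (update checks, NTP, mail polling) beacons too, so the output is a list of pairs to look at, to be crossed with the destination's reputation, the user agent or SNI, and the byte counts per connection.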
Credential Theft
# Unencrypted authentication
http.authorization
ftp.request.command == "USER" || ftp.request.command == "PASS"

# Extract FTP credentials
tshark -r capture.pcap -Y "ftp.request.command == USER || ftp.request.command == PASS" \
  -T fields -e ftp.request.arg

# HTTP Basic Auth
tshark -r capture.pcap -Y "http.authorization" -T fields -e http.authorization

Traffic Reconstruction

Extracting Files from Network Traffic
HTTP File Extraction
# Wireshark: File -> Export Objects -> HTTP

# Tshark
tshark -r capture.pcap --export-objects http,extracted_http/

# Extract specific file types
tshark -r capture.pcap -Y "http.response" -T fields -e http.content_type | sort -u
FTP File Extraction
# Follow FTP-DATA stream in Wireshark
# Filter: ftp-data

# Using Wireshark follow stream
# Select packet -> Analyze -> Follow -> TCP Stream -> Save As
SMB File Extraction
# Tshark
tshark -r capture.pcap --export-objects smb,extracted_smb/

# Filter for SMB traffic
smb || smb2
Session Reconstruction
# Reconstruct HTTP conversations
tshark -r capture.pcap -Y "http" -z follow,tcp,ascii,0

# Extract all TCP streams
for stream in $(tshark -r capture.pcap -T fields -e tcp.stream | sort -nu); do
  tshark -r capture.pcap -q -z follow,tcp,ascii,$stream > stream_$stream.txt
done
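Follow TCP Stream looks like a text dump, but it is the product of reassembly: segments are put back in sequence-number order, retransmissions are collapsed, and missing bytes are marked. The following is an added example, not part of the page or of Wireshark, that does that reassembly on constructed segments of one direction of an HTTP upload (the request, hostname and payload are invented) which arrive out of order and include a retransmission carrying different bytes, then parses the result. It assumes a first-copy-wins policy for overlapping data; real endpoints differ on this, which is why an analyst should note overlaps rather than trust either copy.

```python
# Added example (not from the page or Wireshark): the reassembly behind "Follow TCP Stream",
# on constructed segments of one direction of an HTTP upload.
ISN = 1000  # sequence number of the client's SYN; payload numbering starts at ISN + 1
A = b"POST /upload HTTP/1.1\r\n"
B = b"Host: files.example\r\n"
C = b"Content-Length: 5\r\n\r\nhello"
SEGMENTS = [                                   # in arrival order
    (ISN + 1, A),
    (ISN + 1 + len(A) + len(B), C),            # arrives before B (out of order)
    (ISN + 1 + len(A), B),
    (ISN + 1 + len(A), b"Host: XXXXXXXXXXXXX\r\n"),  # retransmission of B with altered bytes
]


def reassemble(isn, segments, fill=b"\x00"):
    """Place each segment at (seq - isn - 1) in the stream. Returns (data, gaps) where gaps
    lists (start, end) byte ranges that were never seen; those bytes are padded with `fill`.
    Assumption: for overlapping data the first copy seen wins."""
    stream = {}
    for seq, data in segments:
        offset = (seq - isn - 1) & 0xFFFFFFFF    # 32-bit sequence space
        for i, byte in enumerate(data):
            stream.setdefault(offset + i, byte)   # setdefault = first copy wins
    if not stream:
        return b"", []
    out, gaps, gap_start = bytearray(), [], None
    for pos in range(max(stream) + 1):
        if pos in stream:
            if gap_start is not None:
                gaps.append((gap_start, pos))
                gap_start = None
            out.append(stream[pos])
        else:
            if gap_start is None:
                gap_start = pos
            out += fill
    return bytes(out), gaps


def parse_http_request(data):
    """Split a reassembled request into request line, headers (names lower-cased) and
    the body as bounded by Content-Length."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body[:length]}


if __name__ == "__main__":
    data, gaps = reassemble(ISN, SEGMENTS)
    print(data.decode("iso-8859-1"), "gaps:", gaps)
    print(parse_http_request(data))
```

The tshark loop above does the same job for every stream in a capture; this script is the part to reach for when you need to reason about a specific stream, for example one where the retransmitted bytes differ from the originals.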

Common Network Ports Reference

Web & Email
  • 80/TCP - HTTP
  • 443/TCP - HTTPS
  • 8080/TCP - HTTP Alternate
  • 25/TCP - SMTP
  • 110/TCP - POP3
  • 143/TCP - IMAP
  • 587/TCP - SMTP (Submission)
File Transfer
  • 20/TCP - FTP Data
  • 21/TCP - FTP Control
  • 22/TCP - SSH/SFTP
  • 445/TCP - SMB (direct over TCP)
  • 139/TCP - NetBIOS Session Service (SMB over NetBIOS)
Remote Access
  • 22/TCP - SSH
  • 23/TCP - Telnet
  • 3389/TCP - RDP
  • 5900/TCP - VNC
DNS & Network
  • 53/UDP - DNS
  • 53/TCP - DNS over TCP (zone transfers, responses too large for UDP)
  • 67/UDP - DHCP Server
  • 68/UDP - DHCP Client
  • 69/UDP - TFTP
Database
  • 1433/TCP - MSSQL
  • 3306/TCP - MySQL
  • 5432/TCP - PostgreSQL

Practice Challenges

Beginner Level
  • Packet Detective
    Find specific packets in traffic
  • HTTP Hunter
    Extract files from HTTP traffic
  • DNS Decoder
    Analyze DNS queries and responses
Advanced Level
  • C2 Beacon
    Identify command & control traffic
  • Data Exfiltration
    Detect and analyze data theft
  • Encrypted Secrets
    Analyze encrypted traffic patterns