Investigating network

traffic and identifying

malicious activities
through packet analysis
Prof. Osama Abdel Raouf
 Overview of packet analysis and
its importance in digital forensics.

• Packet analysis, often referred to as "packet

sniffing," is the process of capturing, inspecting,
and analyzing network packets as they traverse a
network.
• Each packet contains crucial data about the
communication, including source and destination
information, protocol details, and potentially the
payload (data being transmitted).
 Why Packet Analysis
Matters in Digital Forensics:

• Network analysis identify, track, and mitigate cyber

threats.
1-Tracing Malicious Activity:
• Digital forensic investigators rely on packet analysis to
identify suspicious patterns and behaviors in network
traffic.
• For instance, identifying abnormal connections or high
volumes of traffic can indicate malicious activities like a
Distributed Denial of Service (DDoS) attack or
unauthorized data exfiltration.
 Why Packet Analysis
Matters in Digital Forensics:

2-Evidence Collection:
• Captured packets can serve as digital
evidence in investigations.
• They may reveal an attacker's IP
address, the tools they used, or the
payload of malicious communications.
 Why Packet Analysis
Matters in Digital Forensics:

3- Incident Response:
• Packet analysis plays a crucial role during incident
response. Analysts can pinpoint the source of an
attack, understand its nature, and develop
immediate countermeasures.
4- Reconstruction of Events:
• By analyzing packets, forensic experts can
reconstruct an attack timeline, including when and
how a system was breached.
Scenarios Where Packet
Analysis is Essential

1. Intrusion Detection:
1. Identifying unauthorized access attempts or
network scans.
2. Malware Detection:
1. Analyzing communication between infected
devices and Command-and-Control (C2) servers.
3. Data Exfiltration Monitoring:
1. Detecting unauthorized transfers of sensitive data.
 Packet Analysis: A Key Tool

• 1. Intrusion Detection
Packet analysis plays a vital role in intrusion detection systems (IDS) by
identifying unusual or unauthorized network activities. Here’s how:
• Detecting Unauthorized Access Attempts:
• Suspicious login attempts, such as brute force attacks or repeated
failed login attempts, often leave telltale signs in packet data. By
analyzing these packets, investigators can identify potential
unauthorized access to sensitive systems.
• Identifying Network Scans:
• Attackers often perform reconnaissance to find vulnerabilities by
scanning ports or probing specific IP addresses. Packet analysis can
reveal this activity by identifying a high number of connection
attempts to multiple ports or a rapid sequence of connection
requests, which are hallmarks of port scanning.
• Example:
• A series of SYN packets to various ports without completing the
handshake process may indicate a SYN scan, a common
reconnaissance technique used by attackers.
 Packet Analysis: A Key Tool

1.Unusual Traffic Patterns:

I. Spike in Traffic Volume: Sudden increases in
traffic may indicate a Distributed Denial of Service
(DDoS) attack.
II. Irregular Intervals: Packets sent at inconsistent
intervals might suggest malware or botnet activity.
2.Anomalous Packet Sizes:
I. Abnormally Large Packets: Could signify data
exfiltration or an attempt to exploit buffer overflow
vulnerabilities.
II. Too Many Small Packets: May indicate
reconnaissance or probing attempts.
 Packet Analysis: A Key Tool

3. Suspicious Protocol Usage:

I. Use of unexpected or rarely seen protocols (e.g., certain
Layer 3/Layer 4 protocols) could signify malicious activity.
II. Protocols on non-standard ports, like HTTP on port 8080
instead of 80, could hint at obfuscation or unauthorized
services.
4.Malformed Packets:
I. Packets that do not conform to expected protocol
standards might result from:
I. Network misconfiguration
II. Packet injection attacks
III. Exploit attempts targeting vulnerabilities in devices
or systems.
 Packet Analysis: A Key Tool

5. Unusual Source/Destination Addresses:

I. Spoofed Addresses: Source IPs that are invalid or
impossible for the network might suggest an attempt to
hide the attacker's origin.
II. Frequent External Communication: High-frequency
communication with unrecognized or suspicious
external IPs may indicate malware or C2 (Command and
Control) activity.
6.Repeated Connection Attempts:
I. Port Scanning: Multiple connection attempts to
different ports on the same target are a common
precursor to an attack.
II. Failed Connections: Repeated failed connection
attempts might suggest brute force attacks or scanning.
 Packet Analysis: A Key Tool

7. Payload Inspection:
I. Unexpected Content: Unusual or sensitive
data in the payload, such as passwords, binary
files, or encoded data.
II. Obfuscation: Encoded or encrypted payloads
in plain-text protocols (e.g., HTTP) may signal
an attempt to conceal malicious activity.
8.Latency and Timing Issues:
Unusually high latency or jitter in packet delivery
might indicate congestion or an attack like a man-
in-the-middle (MITM) or packet injection.
 Packet Analysis: A Key Tool

9-TLS/SSL Anomalies:
Use of self-signed or invalid certificates might
indicate a fake website or MITM attack.
Suspicious TLS versions or cipher suites not
aligned with best practices.
10-Command and Control Indicators:
Persistent connections to specific external IPs
or domains associated with known threat
actors.
 Tools for Detecting Telltale
Signs

1. Packet Sniffers: Tools like Wireshark allow for deep

inspection of packet data.
2. Intrusion Detection/Prevention Systems
(IDS/IPS): Tools like Snort or Suricata use signature-
based or anomaly-based detection methods.
3. Behavioral Analytics: Advanced systems like SIEM
(e.g., Splunk) analyze traffic trends for unusual
activity.
4. Threat Intelligence Feeds: Helps identify packets
communicating with known malicious IPs or
domains
 Packet Analysis: A Key Tool

• 2. Malware Detection
Analyzing packets can help detect malicious software (malware)
communication and block its activity before it causes significant
harm.
• Command-and-Control (C2) Communication:
• Many malware types establish communication with C2 servers
for instructions, updates, or data exfiltration. Packet analysis
can uncover these hidden communications by detecting:
• Outbound connections to suspicious IP addresses or
domains.
• Irregular traffic patterns, such as small, frequent packets
often used for heartbeat signals.
Packet Analysis: A Key Tool

2. Malware Detection
Payload Analysis: Inspecting the contents of
packets (when unencrypted) can reveal malicious
payloads, such as encoded commands or embedded
malware.
Example: A spike in DNS requests to random
subdomains of a domain may indicate a Domain
Generation Algorithm (DGA), commonly used by
malware to avoid detection.
 Components of Packet
Analysis

• 1. Dissecting a Packet: Header,

Payload, and Protocols
A network packet is the fundamental
unit of data exchanged over a
network. Understanding its structure
is crucial for effective packet analysis.
 Components of Packet Analysis
1. Dissecting a Packet: Header,
Payload, and Protocols

• Header:
• The header contains metadata about the packet, essential
for routing and processing. Key elements include:
• Source and Destination Addresses: Indicates the
sender and recipient of the packet (e.g., IP addresses).
• Protocol Information: Specifies the protocol used
(e.g., TCP, UDP, ICMP).
• Sequence Numbers: Used to reassemble packets in
the correct order.
• Flags: Indicate the status of the connection (e.g., SYN,
ACK in TCP).
 Components of Packet Analysis
1. Dissecting a Packet: Header,
Payload, and Protocols

Payload:
• The payload contains the actual data being
transmitted. It may include:
• Application-specific data (e.g., HTTP requests,
email content).
• Encoded commands or messages in malware
communications.
• Binary data or files.
 Components of Packet Analysis
1. Dissecting a Packet: Header,
Payload, and Protocols

• Protocols:
• Protocols define the rules for packet communication and
ensure interoperability. Common protocols analyzed include:
• TCP (Transmission Control Protocol): Reliable,
connection-oriented protocol used in web traffic.
• UDP (User Datagram Protocol): Lightweight,
connectionless protocol used in video streaming and
VoIP.
• ICMP (Internet Control Message Protocol): Used for
diagnostic tools like ping.
• HTTP/HTTPS: Protocols for web communications.
 Components of Packet Analysis
2. Understanding the Flow of
Data in Networks

• To analyze packets effectively, it’s essential to grasp how

data flows across networks.
• Packet Journey Through OSI Layers:
• The journey begins at the Application Layer, where
data is generated (e.g., a web request).
• It is then encapsulated with headers at each
subsequent layer, including Transport Layer
(TCP/UDP) and Network Layer (IP).
• At the Data Link Layer, the packet is prepared for
transmission over the physical medium.
 Components of Packet Analysis
2. Understanding the Flow of
Data in Networks

Fragmentation and Reassembly:

• Large data packets may be fragmented into smaller
packets to fit the network's Maximum Transmission
Unit (MTU).
• Sequence numbers in headers help reassemble the
fragments at the destination.
Routing:
• Packets travel across multiple routers to reach their
destination. Each router analyzes the header and
forwards the packet accordingly.
 Components of Packet Analysis
2. Understanding the Flow of
Data in Networks

• Packet Lifecycle in Analysis:

• Capture: Tools like Wireshark capture packets as
they traverse the network.
• Inspection: An analyst examines the header and
payload for anomalies.
• Interpretation: The findings guide actions such
as blocking malicious traffic or mitigating attacks.
 Components of Packet Analysis
2. Understanding the Flow of
Data in Networks

• Importance of Understanding Packet

Components:
1. Troubleshooting: Identifying issues like packet
loss, latency, or misconfigurations.
2. Security: Detecting tampered headers or
malicious payloads.
3. Reconstruction: Reassembling fragmented
packets to analyze the full data exchange.
 Packet Capturing
Techniques

• Introduction to Packet Capturing:

Packet capturing is the process of intercepting and
recording network traffic to analyze the data
packets exchanged between devices. It is a critical
first step in network forensics and packet analysis,
enabling investigators to monitor, diagnose, and
secure network communications.
 Packet Capturing
Techniques

 Active Packet Capture:

• Active packet capturing involves injecting traffic into the
network or interacting with network devices to capture
specific data packets.
• This method is more intrusive and is often used in controlled
environments or during testing scenarios.
• Key Characteristics:
• Requires interaction with the network.
• Can affect network performance if not done carefully.
• Examples: Network performance testing tools like Iperf.
Comparison: Iperf vs. Other Tools

Wiresh Speedt
Feature Iperf Ping ark est-cli
Bandwidth
✅ ❌ ❌ ✅
Testing
Packet Loss ✅ (UDP) ❌ ✅ ❌
Protocol ✅
❌ ✅ ❌
Flexibility (TCP/UDP)
Comple
Ease of Use Moderate Easy Easy
x
 Packet Capturing
Techniques

 Active Packet Capture:

• Use Cases:
• Simulating attacks to analyze how the network
reacts.
• Testing new configurations or devices in a lab
environment.
 Packet Capturing
Techniques

• Passive Packet Capture:

• Passive capturing involves monitoring and recording traffic
without altering it. This method is non-intrusive and ideal for
live networks.
• Key Characteristics:
• Does not interfere with network operations.
• Relies on capturing data from a span port or network tap.
• Examples: Tools like Wireshark or tcpdump.
• Use Cases:
• Monitoring live traffic for signs of malicious activities.
• Troubleshooting issues in production environments.
 Packet Capturing
Techniques

Advantages: Safe for production networks, minimal

impact on performance.
Limitations: Cannot test how a network responds to
injected traffic or simulated scenarios.
 Packet Capturing Techniques
2- Inline Capture Tools

2. Inline Capture Tools

• Inline packet capture tools are devices or software
that sit directly in the path of network traffic and
capture all data passing through. They provide
real-time visibility into the network.
 Packet Capturing Techniques
2- Inline Capture Tools

• Examples of Inline Capture Tools:Network

Taps:
• Hardware devices installed directly into the
network to duplicate traffic to a monitoring tool.
• Pros: Non-intrusive, high reliability, supports
full-duplex traffic capture.
• Use Case: Continuous monitoring in secure
environments.
 Packet Capturing Techniques
2-Inline Capture Tools

• Port Mirroring (SPAN Ports):Configuring a

network switch to send copies of traffic from one or
more ports to a monitoring tool.
• Pros: Cost-effective and widely used.
• Cons: Can overload switches with heavy traffic,
leading to dropped packets.
• Use Case: Monitoring traffic in enterprise networks.
 Packet Capturing Techniques
2-Inline Capture Tools

• Software-Based Inline Tools:Virtual appliances

or software installed on routers or firewalls to
capture traffic.
• Example: Inline mode in intrusion
detection/prevention systems (IDS/IPS).
Packet Capturing Comparison of
Methods and
Techniques Tools:

Active Passive
Feature Inline Tools
Capture Capture

Minimal if
Network Potential No
configured
Impact interference interference
well

Use in
Productio Rare Common Common
n

Setup
Medium to
Complexit Medium Low
High
y

Traffic injection Wireshark, Taps, SPAN,

Examples
tools tcpdump IDS systems
Best Practices in Packet
Capturing:

1. In advance Planning : Identify the purpose and scope

of capturing to minimize unnecessary data collection.
2. Use Dedicated Capture Points: Use network taps or
SPAN ports to ensure reliability.
3. Optimize Filters: Configure capture tools to focus on
specific traffic, reducing storage needs and processing
time.
4. Protect Captured Data: Ensure that captured packets
are stored securely to maintain confidentiality and
integrity.
 Introduction to Wireshark
1. What is Wireshark?

Wireshark is a powerful,
open-source network
protocol analyzer widely
used by cybersecurity
professionals, network
administrators, and forensic
investigators. It captures
and visualizes network
traffic in real-time, allowing
for detailed packet
inspection.
 Introduction to Wireshark

Real-time traffic capture and analysis.

Key Supports a wide range of protocols (e.g., TCP, UDP, HTTP, DNS).
Features: Customizable filters for precise packet selection.
Options to save and export captured traffic for later analysis.

It simplifies the complex process of packet analysis with a user-

Why Use friendly graphical interface.
Wireshark Useful in troubleshooting network issues, detecting anomalies, and
? investigating security incidents.
 2. Overview of
Wireshark's Interface

• When you launch Wireshark, the interface is divided into several sections to
facilitate easy navigation and analysis:
• Menu Bar:
• Provides access to file operations, configuration settings, and analysis
tools.
• Includes options for saving captures, applying filters, and exporting
data.
• Toolbar:
• Quick access to common functions like starting/stopping captures,
opening files, and managing filters.
• Capture Interface List:
• Displays available network interfaces for capturing traffic (e.g., Ethernet,
Wi-Fi).
• Users select the interface they want to monitor.
 2. Overview of
Wireshark's Interface

•Packet List Pane:

•Shows a summary of all captured packets in a tabular format.
•Columns include timestamps, source and destination addresses, protocols, and
packet information.
•Packet Details Pane:
•Displays detailed information about the selected packet.
•Organized by protocol layers, such as Ethernet, IP, TCP/UDP, and application data.
•Packet Bytes Pane:
•Shows the raw hexadecimal and ASCII data of the selected packet.
•Useful for low-level analysis or inspecting encoded payloads.
3. Setting Up Wireshark
for Packet Analysis

• Step 1: Download and Install Wireshark:

• Wireshark is available for Windows, macOS, and Linux.
• Download it from the official website (
https://www.wireshark.org) and follow the installation
instructions.
• Step 2: Select the Network Interface:
• Launch Wireshark and choose the appropriate network
interface to monitor.
• For example, select the Ethernet or Wi-Fi interface
depending on your network connection.
3. Setting Up Wireshark
for Packet Analysis

•Step 3: Start Capturing:

•Click the Start Capturing Packets button or double-click the selected interface.
•Wireshark will begin capturing live traffic.
•Step 4: Use Filters to Narrow Down Results:
•Apply display filters to focus on specific traffic types (e.g., HTTP, DNS, or IP).
•Example filters:
•http – Shows only HTTP traffic.
•ip.addr == 192.168.1.1 – Displays packets related to a specific IP
address.
•tcp.port == 443 – Focuses on traffic using a specific port (e.g.,
HTTPS).
3. Setting Up Wireshark
for Packet Analysis

•Step 5: Analyze Captured Packets:

•Inspect individual packets by selecting them from the Packet
List pane.
•Use the Packet Details pane to examine protocol layers and
payload data.
•Step 6: Save Captures for Further Analysis:
•Save your capture data using the .pcap file format for later
review or sharing with colleagues
 Tips for Effective Use of
Wireshark:

1.Work with Filters:

•Mastering filters can significantly speed up analysis and improve accuracy.
•Combine filters (e.g., http && ip.src == 10.0.0.1) for more specific results.
2.Enable Promiscuous Mode:
•Allows Wireshark to capture all packets on the network segment, not just those
addressed to your device.
3.Learn Shortcuts:
•Keyboard shortcuts can improve efficiency when working with large data sets.
4.Secure Capture Data:
•Always encrypt and store captured data securely to maintain confidentiality.