Network forensics is the capture, recording, and analysis of network traffic to detect intrusions, reconstruct events, and gather evidence. Unlike disk and memory forensics, which examine data at rest, network forensics analyses data in motion — the packets flowing between systems.
| Use Case | Description |
|---|---|
| Intrusion detection | Identify malicious traffic that bypassed perimeter defences |
| Data exfiltration analysis | Determine what data was transmitted out of the network |
| Malware communication | Identify command-and-control (C2) traffic patterns |
| Insider threat investigation | Monitor for unauthorised data transfers or policy violations |
| Incident timeline reconstruction | Correlate network events with host-based evidence |
| Compliance monitoring | Verify adherence to network security policies |
| Approach | Data Captured | Storage Requirements | Analysis Depth |
|---|---|---|---|
| Full packet capture (FPC) | Complete packet headers and payloads | Very high (GB–TB per hour on busy networks) | Full content reconstruction; can extract files, emails, credentials |
| Flow data (NetFlow/IPFIX) | Metadata only: source/destination IP, ports, protocol, byte count, timestamps | Low (summary records) | Connection patterns; no content; good for trend analysis |
| PCAP with filters | Selected packets based on capture filters | Moderate | Targeted analysis of specific traffic |
Tip: Use flow data for broad monitoring and anomaly detection. When suspicious activity is identified, switch to full packet capture for detailed analysis.
| Tool | Description |
|---|---|
| tcpdump | Command-line packet capture tool; available on most Unix/Linux systems |
| Wireshark | GUI-based protocol analyser; supports hundreds of protocols |
| tshark | Command-line version of Wireshark |
| NetworkMiner | Network forensic analysis tool; extracts files, images, and credentials from PCAP |
| Zeek (formerly Bro) | Network security monitor; generates structured logs from network traffic |
| Moloch/Arkime | Full packet capture and indexed search system for large-scale networks |
```bash
# Capture all traffic on interface eth0, save to file
tcpdump -i eth0 -w /evidence/capture.pcap

# Capture only traffic to/from a specific IP
tcpdump -i eth0 host 192.168.1.100 -w /evidence/targeted.pcap

# Capture only HTTP traffic
tcpdump -i eth0 port 80 -w /evidence/http.pcap

# Capture with Wireshark's tshark
tshark -i eth0 -w /evidence/capture.pcap

# Read and filter a capture file
tshark -r /evidence/capture.pcap -Y "http.request.method == GET"
```
Wireshark provides powerful protocol analysis capabilities:
| Filter | Purpose |
|---|---|
| ip.addr == 192.168.1.100 | Traffic to/from a specific IP |
| tcp.port == 443 | HTTPS traffic |
| http.request | HTTP requests only |
| dns.qry.name contains "malicious" | DNS queries containing a keyword |
| tcp.flags.syn == 1 && tcp.flags.ack == 0 | SYN packets (connection initiations) |
| tcp.stream eq 5 | Follow a specific TCP stream |
| frame contains "password" | Frames containing a specific string |
| Technique | Description |
|---|---|
| Follow TCP Stream | Reconstruct the full conversation between two endpoints |
| Protocol hierarchy | View the distribution of protocols in the capture |
| Expert information | Wireshark's built-in analysis of anomalies and errors |
| Export objects | Extract transferred files (HTTP, SMB, TFTP, DICOM) |
| IO graphs | Visualise traffic patterns over time |
Network logs are critical evidence sources: