
Network forensics analyzes network traffic to detect intrusions, reconstruct attacks, and gather evidence. Unlike endpoint forensics, network analysis reveals communication patterns between systems and with external infrastructure.
Full packet capture records complete packet contents. This provides maximum detail but requires significant storage: a saturated 1 Gbps link generates over 10 TB daily.
Flow data captures metadata—source, destination, ports, bytes, packets—without content. NetFlow, IPFIX, and sFlow provide visibility at lower storage cost.
Targeted capture focuses on specific traffic: particular hosts, suspicious protocols, or traffic matching detection rules. It balances detail against storage cost.
Session data reconstructs application-layer conversations: HTTP requests and responses, DNS queries and answers, and files extracted from transfers.
Perimeter - Captures communication with external networks. Capture sits at the network edge, inside the firewall.
Internal segments - Captures lateral movement invisible at the perimeter. Segment-level visibility shows internal communications.
SPAN ports and taps - Network taps provide passive access to traffic without introducing latency or detection risk. Port mirroring (SPAN) can substitute when taps are unavailable.
tcpdump - Command-line capture for Linux/Unix. Widely available, scriptable.
Wireshark - GUI analyzer and capture tool. Excellent for interactive analysis.
Zeek (Bro) - Produces structured logs from traffic: connection logs, HTTP requests, DNS queries, extracted files. Ideal for detection and hunting.
Arkime (Moloch) - Full packet capture with indexing and search. Enables large-scale capture with efficient retrieval.
Network analysis reveals:
Command and control - Beaconing patterns, unusual destinations, encrypted channels to suspicious infrastructure.
Data exfiltration - Large outbound transfers, DNS tunneling, traffic to file sharing services.
Lateral movement - SMB traffic between workstations, remote execution protocols, authentication patterns.
Malware communication - Characteristic protocols, user agents, and connection patterns.
Extract and analyze indicators: IP addresses, domains, URLs, user agents, and hashes of files extracted from transfers.
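The flow-data and command-and-control points above come together in beacon detection: with only connection metadata (no payload), periodic connections to one destination stand out by how regular their timing is. The following is an added example, not part of this lesson; it runs over a constructed, trimmed Zeek conn.log sample (the real conn.log carries more columns, such as uid and id.orig_p, which are omitted here) and flags source/destination/port groups whose inter-connection gaps have low jitter.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample, trimmed to the Zeek conn.log fields a beacon check needs:
# ts, id.orig_h, id.resp_h, id.resp_p, proto, orig_bytes (tab-separated).
SAMPLE_CONN_LOG = """\
1700000000.000\t10.0.0.5\t203.0.113.7\t443\ttcp\t512
1700000060.100\t10.0.0.5\t203.0.113.7\t443\ttcp\t520
1700000120.050\t10.0.0.5\t203.0.113.7\t443\ttcp\t508
1700000179.900\t10.0.0.5\t203.0.113.7\t443\ttcp\t515
1700000240.200\t10.0.0.5\t203.0.113.7\t443\ttcp\t511
1700000300.000\t10.0.0.5\t203.0.113.7\t443\ttcp\t509
1700000003.000\t10.0.0.8\t198.51.100.20\t80\ttcp\t1400
1700000011.000\t10.0.0.8\t198.51.100.20\t80\ttcp\t2200
1700000190.000\t10.0.0.8\t198.51.100.20\t80\ttcp\t900
1700000260.000\t10.0.0.8\t198.51.100.20\t80\ttcp\t3100
1700000290.000\t10.0.0.8\t198.51.100.20\t80\ttcp\t700
"""

def parse_conn_log(text):
    """Yield (ts, orig_h, resp_h, resp_p) tuples; skip Zeek '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, _proto, _bytes = line.split("\t")
        yield float(ts), orig_h, resp_h, int(resp_p)

def find_beacons(text, min_conns=5, max_jitter=0.2):
    """Flag (src, dst, port) groups whose connection spacing is too regular.
    Jitter = stdev/mean of the gaps between consecutive connections."""
    groups = defaultdict(list)
    for ts, src, dst, port in parse_conn_log(text):
        groups[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in groups.items():
        if len(stamps) < min_conns:      # too few connections to judge periodicity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else 0.0
        if jitter <= max_jitter:         # near-constant interval: beacon-like
            hits.append({"key": key, "count": len(stamps),
                         "interval": round(avg, 1), "jitter": round(jitter, 3)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONN_LOG):
        print(hit)
```

The 10.0.0.5 group is flagged (six connections about 60 s apart, jitter near zero), while the 10.0.0.8 browsing-like group is not; tune min_conns and max_jitter to the baseline of the monitored segment.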
What network forensic tools exist?
What tool captures live traffic?
What evidence exists in packets?
What protocol is used for web traffic?