Network packet analysis is crucial for understanding network behavior, troubleshooting issues, and identifying security threats. This guide covers essential techniques and tools for effective packet analysis.
Key areas covered: TCP fundamentals (handshake, flags, header format), HTTP requests and responses, normal and suspicious traffic patterns, tshark analysis commands, TLS handshake inspection, and performance metrics.
# TCP Three-Way Handshake
```
Client -> Server: SYN     (seq=x)
Server -> Client: SYN-ACK (seq=y, ack=x+1)
Client -> Server: ACK     (seq=x+1, ack=y+1)
```
# Common TCP Flags
SYN - Connection initiation
ACK - Acknowledgment
FIN - Connection termination
RST - Connection reset
PSH - Push data immediately
URG - Urgent data
# TCP Header Format
```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
# HTTP Request
```http
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: text/html
Connection: keep-alive
```
# HTTP Response
```http
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234
Server: nginx/1.18.0
```
# Common HTTP Methods
GET - Retrieve resource
POST - Submit data
PUT - Update resource
DELETE - Remove resource
HEAD - Get headers only
OPTIONS - Get supported methods
# Normal Web Traffic Pattern
```
Client -> DNS Query
DNS -> IP Resolution
Client -> TCP Handshake
Client -> HTTP Request
Server -> HTTP Response
Client/Server -> TCP Close
```
# Suspicious Patterns
- Excessive Failed Connections
- Unusual Port Activity
- Large Data Transfers
- Irregular Timing
- Encrypted Tunnels
- Command & Control Traffic
# Analysis Commands
```bash
# View connection attempts
tshark -r capture.pcap -Y "tcp.flags.syn==1"
# Check data volume by host (the endpoints statistic is named endpoints,<type>)
tshark -r capture.pcap -q -z endpoints,ip
# Analyze protocols (protocol hierarchy statistics)
tshark -r capture.pcap -q -z io,phs
# Port scan detection: SYN without ACK, i.e. new connection attempts only
tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0"
# SQL injection attempts ("contains" is case-sensitive; use matches "(?i)select" to ignore case)
tshark -r capture.pcap -Y "http.request.uri contains \"SELECT\""
# Brute force detection: count SSH connection attempts per source address
tshark -r capture.pcap -Y "tcp.dstport==22 && tcp.flags.syn==1 && tcp.flags.ack==0" \
  -T fields -e ip.src | sort | uniq -c | sort -rn
```
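The port scan and brute force filters above only list matching packets; the script below, added here as an example and not part of the original guide, consumes the output of `tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e ip.src -e ip.dst -e tcp.dstport` and reports sources that probe many ports on one host (scan) or repeatedly open connections to a single port (brute force). The sample lines and the two thresholds are constructed assumptions, not values from the page.

```python
import sys
from collections import defaultdict

# Constructed sample of tshark output (tab-separated ip.src, ip.dst, tcp.dstport
# for SYN-only packets): one host probing many ports, one hammering SSH, one normal.
SAMPLE_LINES = (
    [f"10.0.0.5\t192.168.1.10\t{p}" for p in (21, 22, 80, 443, 3306, 8080)]
    + ["10.0.0.9\t192.168.1.20\t22"] * 12
    + ["10.0.0.7\t192.168.1.30\t443"]
)

def parse_syn_lines(lines):
    """Parse 'src<TAB>dst<TAB>dstport' lines into tuples, skipping malformed ones."""
    records = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # tshark prints empty fields for packets lacking them
        records.append((parts[0], parts[1], int(parts[2])))
    return records

def analyse(records, scan_ports=5, brute_syns=10):
    """Flag a source probing >= scan_ports distinct ports on one host (scan) or
    sending >= brute_syns SYNs to one host:port (brute force). Thresholds are assumed."""
    ports = defaultdict(set)  # (src, dst) -> distinct destination ports
    syns = defaultdict(int)   # (src, dst, port) -> SYN count
    for src, dst, port in records:
        ports[(src, dst)].add(port)
        syns[(src, dst, port)] += 1
    findings = {}
    for (src, dst), pset in ports.items():
        if len(pset) >= scan_ports:
            findings.setdefault(src, {"scan": [], "brute": []})["scan"].append((dst, len(pset)))
    for (src, dst, port), n in syns.items():
        if n >= brute_syns:
            findings.setdefault(src, {"scan": [], "brute": []})["brute"].append((dst, port, n))
    return findings

def main():
    # Read piped tshark output, or fall back to the constructed sample.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for src, found in sorted(analyse(parse_syn_lines(lines)).items()):
        for dst, n in found["scan"]:
            print(f"possible port scan: {src} -> {dst} ({n} distinct ports)")
        for dst, port, n in found["brute"]:
            print(f"possible brute force: {src} -> {dst}:{port} ({n} SYNs)")

if __name__ == "__main__":
    main()
```

Pipe the tshark command from the lead-in into the script to run it on a real capture; without input it analyses the constructed sample.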
# Malware Traffic
Look for:
- Unusual DNS queries
- Encrypted traffic to unknown hosts
- Periodic beaconing
- Data exfiltration patterns
- Command execution sequences
```bash
# DDoS analysis: packet counts per destination address and port
tshark -r capture.pcap -q -z dests,tree
# TLS handshake analysis (Wireshark 3.0 and later use tls.* fields; older releases used ssl.*)
tshark -r capture.pcap -Y "tls.handshake"
# Certificate validation: inspect the Certificate messages (handshake type 11)
tshark -r capture.pcap -Y "tls.handshake.type==11"
# Cipher suite analysis: the suite selected by the server is in the ServerHello (type 2)
tshark -r capture.pcap -Y "tls.handshake.type==2" -T fields \
  -e ip.src -e tls.handshake.ciphersuite
# SSL/TLS versions negotiated (a TLS 1.3 ServerHello still reports 0x0303 here and
# carries the real version in its supported_versions extension)
tshark -r capture.pcap -Y "tls.handshake.type==2" -T fields \
  -e ip.src -e tls.handshake.version
# Key exchange methods: ServerKeyExchange (type 12) and ClientKeyExchange (type 16), TLS 1.2 and earlier
tshark -r capture.pcap -Y "tls.handshake.type==12 || tls.handshake.type==16"
```
```bash
# Latency analysis: retransmissions counted per one-second interval
tshark -r capture.pcap -q -z io,stat,1,\
"COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission"
# Bandwidth usage: bytes and packets per IP conversation
tshark -r capture.pcap -q -z conv,ip
# TCP window size: very small windows indicate a receiver that cannot keep up
tshark -r capture.pcap -Y "tcp.window_size < 1000"
# Application response time (tcp.time_delta is only populated when conversation timestamps are enabled)
tshark -r capture.pcap -o tcp.calculate_timestamps:TRUE -q -z io,stat,0,\
"AVG(tcp.time_delta) tcp.time_delta"
# Network errors: everything the TCP analyser flags, excluding window updates
tshark -r capture.pcap -Y \
"tcp.analysis.flags && !tcp.analysis.window_update"
```
Network packet analysis is a crucial skill for network administrators and security professionals. By understanding protocols and using the right tools, you can effectively monitor network traffic and identify security threats.
Remember to follow best practices and stay updated with the latest analysis techniques and tools.