Intro

Network Traffic Analysis (NTA) can be described as the systematic examination of network traffic with the objective of understanding how data flows through an environment, identifying normal behavior, and detecting deviations that may indicate security threats or operational issues. By analyzing ports, protocols, and communication patterns, security professionals are able to establish a baseline for expected activity and monitor for anomalies that may signal malicious behavior.

This process is especially valuable because network traffic is the closest thing to ground truth about what is actually happening in an environment. Logs and alerts can be incomplete, delayed, or tampered with, but traffic captures record the real interactions between hosts. Even when payloads are encrypted, a capture still shows who talked to whom, when, how often, and how much data moved, which is frequently enough to spot misuse. Through continuous observation and analysis, defenders can identify threats early, investigate suspicious activity, and gain a deeper understanding of their organization's network behavior.

Common everyday use cases of NTA include:

  • Collecting real-time traffic within the network to identify emerging threats.
  • Establishing a baseline of normal network communications for comparison.
  • Identifying and analyzing non-standard ports, suspicious hosts, and protocol misuse.
  • Detecting malware in transit, such as ransomware callbacks, exploit traffic, or abnormal beaconing patterns.

Beyond real-time monitoring, NTA is also critical during incident response investigations and proactive threat hunting activities.

Required Skills and Knowledge

Effective network traffic analysis requires a solid technical foundation across several networking and security domains. Analysts must understand how data moves across networks, how protocols encapsulate information, and how different layers of the network stack interact with each other. Without this baseline knowledge, interpreting packet captures becomes significantly more difficult.

Key skills and knowledge areas include:

  • The TCP/IP stack and the OSI model
  • Core networking concepts such as routing, switching, and segmentation
  • Common ports and well-known protocols
  • IP packet structure and header fields (addresses, TTL, protocol number, fragmentation)
  • Transport-layer encapsulation and protocol behavior

These concepts allow analysts to reason about what they are seeing in captures and distinguish legitimate behavior from suspicious or malicious activity.

Common Traffic Analysis Tools

A wide variety of tools are available to assist with network traffic analysis, ranging from lightweight command-line utilities to enterprise-scale platforms. Each tool serves a different purpose and is often most effective when used in combination with others.

  • tcpdump: A command-line packet capture utility that uses libpcap to capture and interpret network traffic from an interface or capture file.
  • TShark: A command-line packet analyzer similar to tcpdump, capable of capturing live traffic or decoding packet capture files. It is the CLI counterpart to Wireshark.
  • Wireshark: A graphical network protocol analyzer that allows deep inspection of packets using a wide range of protocol dissectors.
  • NGrep: A packet-matching tool similar to grep that works on network traffic and supports regular expressions and BPF syntax.
  • tcpick: A command-line packet sniffer focused on tracking and reassembling TCP streams into files.
  • Network Taps: Hardware devices that copy network traffic and forward it for analysis without disrupting the original flow.
  • SPAN Ports: Switch configurations that mirror traffic from one or more ports to a designated monitoring port.
  • Elastic Stack: A collection of tools used to ingest, search, and visualize large volumes of data, including network telemetry.
  • SIEMs: Centralized platforms such as Splunk that aggregate logs and traffic data for correlation, alerting, and forensic analysis.

BPF Syntax

Many traffic analysis tools rely on Berkeley Packet Filter (BPF) syntax for capture filters: tcpdump, TShark (via -f) and Wireshark's capture filter field all accept it. A BPF expression is compiled into a small program that the kernel runs against each packet at the link layer, before the packet is copied to the capturing application, so matching is cheap and unwanted traffic never reaches user space. Note that Wireshark display filters (the expressions typed into the GUI filter bar, or passed to TShark with -Y) use a different and much richer syntax and are applied after capture, not at capture time.

By applying BPF filters at capture time, analysts can significantly reduce the volume of data collected, improving performance and making subsequent analysis more manageable. Mastery of BPF syntax is therefore a foundational skill for anyone performing network traffic analysis.

Performing Network Traffic Analysis

At a minimum, passive traffic analysis requires access to the network segment being monitored. This often means connecting to the same VLAN or using infrastructure features such as SPAN ports or network taps to obtain copies of traffic from other segments. The choice of capture location directly affects visibility and determines which traffic can be observed.

Network taps, mirrored switch ports, and router configurations allow analysts to collect traffic without interfering with normal operations. These approaches make it possible to observe traffic crossing specific links, regardless of its source or destination, enabling comprehensive analysis across network boundaries.

NTA Workflow

1. Traffic Ingestion

Once a capture location is selected, the first step is to begin ingesting traffic. If the analyst already has a hypothesis or specific indicators of interest, capture filters can be applied to limit the scope of collected data. This helps reduce unnecessary noise and storage requirements.

2. Noise Reduction Through Filtering

Traffic captured from production environments is often extremely noisy. Broadcast traffic, multicast packets, and routine background communications can obscure meaningful signals. Applying filters after capture helps remove irrelevant data and allows analysts to focus on traffic that may be related to the investigation.

3. Analyze and Explore

With noise reduced, analysts can begin exploring the remaining traffic in detail. This includes examining specific hosts, protocols, and packet attributes such as TCP flags. Key questions to consider include whether traffic is encrypted, whether users are accessing unauthorized resources, and whether unusual host-to-host communications are occurring.

4. Detect and Alert

During analysis, analysts may identify errors, failed connections, or suspicious patterns. At this stage, it is important to determine whether observed behavior is benign or potentially malicious. Intrusion Detection and Prevention Systems can assist by applying signatures and heuristics to traffic, helping to validate findings.

5. Fix and Monitor

Once an issue is identified and addressed, monitoring should continue to ensure that the problem has been fully resolved. Changes should always be validated through continued observation, as attackers may adapt or reattempt access using different techniques.
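The workflow above, run end to end on constructed data, as an added example that is not part of the original notes: step 1 ingests connection records (the shape a flow exporter or a tshark -T fields run would give), step 2 drops broadcast and multicast noise, step 3 groups connections into flows, and step 4 flags beacon-like callbacks whose inter-arrival times are suspiciously regular. Every address, port, timestamp and threshold is made up for the example; only the Python standard library is used.

```python
"""NTA workflow on constructed connection records: ingest, drop noise, group into
flows, then flag beacon-like callbacks. Added example for these notes, not code
from the original page; every address, port, timestamp and threshold is made up."""
from collections import defaultdict
from statistics import mean, pstdev


def build_records():
    """Step 1 (ingest): (epoch_seconds, src, dst, dst_port, proto, bytes) tuples,
    as a flow exporter or a tshark -T fields run might produce them. All constructed."""
    recs = []
    for t in range(0, 600, 7):    # DHCP-style broadcast chatter every 7 s
        recs.append((t, "10.0.0.15", "255.255.255.255", 67, "udp", 300))
    for t in range(0, 600, 11):   # mDNS multicast every 11 s
        recs.append((t, "10.0.0.22", "224.0.0.251", 5353, "udp", 120))
    for t in (3, 19, 20, 58, 131, 133, 290, 302, 455, 599):  # irregular browsing
        recs.append((t, "10.0.0.10", "198.51.100.8", 443, "tcp", 4200 + 37 * t))
    for i in range(10):           # implant calling home every ~60 s with 0-2 s jitter
        recs.append((60 * i + i % 3, "10.0.0.31", "203.0.113.9", 8443, "tcp", 512))
    return sorted(recs)


FLOW_RECORDS = build_records()


def is_noise(rec):
    """Step 2 (filter): broadcast and multicast (224.0.0.0/4) are routine LAN chatter."""
    dst = rec[2]
    return dst == "255.255.255.255" or 224 <= int(dst.split(".")[0]) <= 239


def group_flows(records, filter_noise=True):
    """Step 3 (analyze): bucket connection timestamps by (src, dst, dport, proto)."""
    flows = defaultdict(list)
    for rec in records:
        if filter_noise and is_noise(rec):
            continue
        flows[(rec[1], rec[2], rec[3], rec[4])].append(rec[0])
    return flows


def periodicity(timestamps):
    """(mean gap, coefficient of variation) of inter-arrival times; CV near 0 is clockwork."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 4 or mean(gaps) == 0:
        return None
    return mean(gaps), pstdev(gaps) / mean(gaps)


def find_beacons(records, min_connections=5, max_cv=0.2, filter_noise=True):
    """Step 4 (detect): flows with many evenly spaced connections to one destination."""
    hits = []
    for (src, dst, dport, proto), ts in group_flows(records, filter_noise).items():
        stats = periodicity(ts) if len(ts) >= min_connections else None
        if stats and stats[1] <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "proto": proto,
                         "count": len(ts), "period_s": round(stats[0]), "cv": round(stats[1], 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for h in find_beacons(FLOW_RECORDS):
        print("beacon candidate:", h)
    print("without noise filtering:", len(find_beacons(FLOW_RECORDS, filter_noise=False)), "hits")
```

Running it with filtering disabled shows why step 2 matters: the perfectly periodic broadcast and multicast flows would otherwise be reported as beacons alongside the real one. Step 5 (fix and monitor) is simply re-running the same detection on fresh records after remediation, with the expectation that the 10.0.0.31 flow disappears and nothing new with a low CV takes its place.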

Layers 1–4

The lower layers of the OSI model focus on the transport of data between hosts. These layers handle everything from physical transmission media to logical addressing and reliable data delivery. Understanding these layers is essential for interpreting packet captures and diagnosing network issues.

PDU

A Protocol Data Unit (PDU) represents a block of data that includes both control information and encapsulated payloads from each layer of the OSI model. As data moves down the stack, each layer adds its own headers, forming the complete PDU observed on the wire.

MAC Addressing

Every physical or logical network interface has a Media Access Control (MAC) address, a 48-bit identifier written as six hexadecimal octets (for example 02:00:00:00:00:0a). MAC addressing operates at the data-link layer and is used to deliver frames between interfaces on the same layer-two segment (broadcast domain); it is not routable beyond that segment.

When traffic must cross a layer-three boundary, such as a router, the layer-two encapsulation is replaced. The router forwards the packet based on its IP address, updating the MAC addresses as needed for the next hop.

IP Addressing

IP addressing operates at the network layer and enables routing between networks. Unlike MAC addresses, IP addresses are logical and hierarchical, allowing scalable communication across large networks.

IPv6 Addressing Types

  • Unicast: Identifies a single interface; the packet is delivered to that interface only.
  • Anycast: Identifies multiple interfaces, but the packet is delivered to only one of them (normally the nearest by routing distance).
  • Multicast: Identifies multiple interfaces, all of which receive the packet.
  • Broadcast: Not used in IPv6; replaced by multicast groups such as the all-nodes address ff02::1.

TCP / UDP Transport Mechanisms

TCP and UDP provide different transport mechanisms, each with distinct trade-offs. TCP prioritizes reliability and ordered delivery, while UDP prioritizes speed and simplicity.

  • Transmission: TCP is connection-oriented; UDP is connectionless.
  • Delivery: TCP is reliable and ordered; UDP is best-effort.
  • Overhead: TCP is higher; UDP is lower.
  • Speed: TCP is slower; UDP is faster.

TCP Three-Way Handshake

TCP establishes sessions using a three-way handshake to ensure reliable communication. This process uses control flags within the TCP header to synchronize sequence numbers and confirm readiness between client and server.

Steps

The client initiates the connection by sending a SYN packet. The server responds with a SYN-ACK, acknowledging the request and providing its own sequence information. Finally, the client sends an ACK, completing the handshake and allowing data transmission to begin.

TCP Handshake Example

This exchange ensures that both parties are ready to communicate and have agreed on session parameters before data is transferred.

TCP Session Teardown

TCP sessions are normally terminated with a FIN/ACK exchange in each direction: each side sends a FIN when it has no more data, and the peer acknowledges it. This orderly shutdown ensures that all data has been transmitted and acknowledged before the connection is closed, preventing data loss. A session can also be torn down abruptly with a RST; a burst of RSTs in a capture often points to port scanning, a crashed or absent service, or an inline device cutting connections.
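To make the handshake and teardown concrete, here is an added example (not code from the original notes) that builds the exchange byte by byte, writes it out as a PCAP, and dissects it back, which also ties together the PDU and MAC/IP addressing sections above and the tcpdump-style one-line summary used later. It uses only the Python standard library; MACs, IPs, ports and initial sequence numbers are constructed for the example.

```python
"""Build a tiny PCAP of one TCP session and read it back layer by layer.
Added example for these notes (not code from the original page); standard library
only. MACs, IPs and sequence numbers are constructed; the file it writes opens in
tcpdump -r or Wireshark."""
import socket
import struct

CLIENT_MAC, SERVER_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:50"  # constructed
CLIENT_IP, SERVER_IP = "10.0.0.10", "10.0.0.80"                     # constructed
CLIENT_PORT, SERVER_PORT = 51000, 80
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10}

def checksum(data):
    """RFC 1071 one's-complement sum, used by both the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Return one Ethernet frame; each layer wraps the PDU handed down to it."""
    # TCP: 20-byte header (data offset 5), window 65535; checksum over pseudo-header + segment.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4,
                      sum(TCP_FLAG_BITS[f] for f in flags), 65535, 0, 0) + payload
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: version 4 / IHL 5, DF set, TTL 64, protocol 6 (TCP); header checksum patched in.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # Ethernet: destination MAC, source MAC, EtherType 0x0800 (IPv4).
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + tcp

def session_frames():
    """Three-way handshake, one HTTP request, then an orderly FIN/ACK teardown."""
    c = dict(src_mac=CLIENT_MAC, dst_mac=SERVER_MAC, src_ip=CLIENT_IP, dst_ip=SERVER_IP,
             sport=CLIENT_PORT, dport=SERVER_PORT)
    s = dict(src_mac=SERVER_MAC, dst_mac=CLIENT_MAC, src_ip=SERVER_IP, dst_ip=CLIENT_IP,
             sport=SERVER_PORT, dport=CLIENT_PORT)
    req = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
    cseq, sseq, n = 1000, 5000, len(req)  # constructed initial sequence numbers
    return [
        build_frame(**c, seq=cseq, ack=0, flags="S"),                  # SYN
        build_frame(**s, seq=sseq, ack=cseq + 1, flags="SA"),          # SYN-ACK
        build_frame(**c, seq=cseq + 1, ack=sseq + 1, flags="A"),       # ACK: established
        build_frame(**c, seq=cseq + 1, ack=sseq + 1, flags="PA", payload=req),
        build_frame(**s, seq=sseq + 1, ack=cseq + 1 + n, flags="A"),
        build_frame(**c, seq=cseq + 1 + n, ack=sseq + 1, flags="FA"),  # client FIN
        build_frame(**s, seq=sseq + 1, ack=cseq + 2 + n, flags="FA"),  # server FIN
        build_frame(**c, seq=cseq + 2 + n, ack=sseq + 2, flags="A"),   # final ACK
    ]

def write_pcap(frames):
    """Serialize frames in classic libpcap format (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):  # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1_700_000_000, i * 1000, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield raw frames from pcap bytes produced by write_pcap."""
    off = 24
    while off < len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Peel the PDU apart: Ethernet header, then IPv4 header, then TCP header."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800 or frame[23] != 6:
        return None  # only IPv4-over-Ethernet carrying TCP is dissected here
    t = 14 + (frame[14] & 0x0F) * 4  # TCP header starts after Ethernet + IHL*4 bytes
    sport, dport, seq, ack, off_byte, flag_byte = struct.unpack("!HHIIBB", frame[t:t + 14])
    return {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
            "src_ip": socket.inet_ntoa(frame[26:30]), "dst_ip": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": "".join(f for f, bit in TCP_FLAG_BITS.items() if flag_byte & bit),
            "payload_len": len(frame) - t - (off_byte >> 4) * 4}

def tcpdump_style(pkt):
    """One line per segment, in the shape tcpdump -nn uses (letters instead of [S.])."""
    return "%s.%d > %s.%d: Flags [%s], seq %d, ack %d, length %d" % (
        pkt["src_ip"], pkt["sport"], pkt["dst_ip"], pkt["dport"],
        pkt["flags"], pkt["seq"], pkt["ack"], pkt["payload_len"])

def find_handshake(pkts):
    """(client_ip, server_ip) of the first SYN / SYN-ACK / ACK triple whose ack numbers chain."""
    for a, b, c in zip(pkts, pkts[1:], pkts[2:]):
        if ((a["flags"], b["flags"], c["flags"]) == ("S", "SA", "A")
                and b["ack"] == a["seq"] + 1 and c["ack"] == b["seq"] + 1):
            return a["src_ip"], a["dst_ip"]
    return None

if __name__ == "__main__":
    data = write_pcap(session_frames())
    open("tcp_session.pcap", "wb").write(data)  # compare with: tcpdump -nn -r tcp_session.pcap
    pkts = [parse_frame(f) for f in read_pcap(data)]
    print("\n".join(tcpdump_style(p) for p in pkts), "\nhandshake:", find_handshake(pkts))
```

The handshake check is deliberately strict about acknowledgement numbers (SYN-ACK acknowledges the client ISN plus one, the final ACK acknowledges the server ISN plus one); a SYN followed by a SYN-ACK with no matching ACK is what a half-open scan looks like, and this function returns None for it.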

Layers 5–7

Upper-layer protocols handle application-level communication, data presentation, and session management. These layers are where user-facing services and applications operate.

HTTP

HTTP is a stateless application-layer protocol used to transfer data between clients and servers. It operates over TCP and uses port 80 by default; 8000 and 8080 are common alternates for development servers and proxies, so do not rely on the port number alone to decide whether traffic is HTTP.

HTTP Methods

HTTP defines multiple methods that specify the action to be performed on a resource, including GET, POST, PUT, DELETE, and others.

HTTPS

HTTPS extends HTTP by encrypting traffic using TLS, normally on TCP port 443. This protects data confidentiality and integrity while maintaining the same application-layer semantics as HTTP. In a capture the requests and responses are opaque, but the TLS handshake still exposes the server name (SNI), the negotiated version and cipher suite, and, for TLS 1.2 and earlier, the server certificate, which is often enough to identify what a host is talking to.

FTP

FTP is an application-layer protocol used for file transfers. It operates over TCP and uses separate channels for commands (port 21) and data (port 20 in active mode, or a server-chosen ephemeral port announced in the control channel in passive mode). Credentials and file contents are sent in cleartext, so FTP has largely been replaced by SFTP and FTPS.

FTP Commands

Common FTP commands include USER, PASS, LIST, RETR, and QUIT, each controlling different aspects of the session.

SMB

SMB is a connection-oriented protocol widely used in Windows environments for file, printer and named-pipe sharing. Modern SMB (SMB2/SMB3) operates directly over TCP port 445, while legacy SMB1 ran over NetBIOS on TCP port 139. The protocol includes authentication and access control mechanisms, and SMB3 can also sign and encrypt sessions; SMB traffic between workstations, rather than to file servers, is a common lateral-movement indicator.


Analysis

Traffic analysis involves a detailed examination of network events to determine their origin, impact, and significance. By breaking traffic into understandable components, analysts can identify deviations from baseline behavior and detect potential threats.

Capture Dependencies

Traffic capture can be passive or active, each with different requirements. Passive capture observes traffic without interaction, while active capture involves inline placement and deeper involvement in traffic flow.

Analysis in Practice

Descriptive Analysis

Descriptive analysis focuses on understanding what happened by summarizing observed data. It helps identify anomalies, errors, and outliers in traffic patterns.

Diagnostic Analysis

Diagnostic analysis seeks to explain why an event occurred by correlating observations and identifying causal relationships.

Predictive Analysis

Predictive analysis uses historical and current data to anticipate future events, detect emerging trends, and identify early warning signs.

Prescriptive Analysis

Prescriptive analysis determines what actions should be taken to mitigate or prevent future issues, using insights gained from prior analysis stages.

Key Components of Effective Analysis

1. Know Your Environment

Understanding the normal structure and behavior of the network is essential. Asset inventories and network maps provide critical context for interpreting traffic.

2. Location Matters

Capture location determines visibility. Placing capture tools close to the source of an issue maximizes insight and reduces ambiguity.

3. Persistence

Some threats occur infrequently and require long-term monitoring to detect. Persistence is often the difference between early detection and major incidents.

Analysis Approach

Effective analysis starts with common protocols and gradually narrows focus. By identifying patterns and anomalies, analysts can uncover hidden threats.

Analysis Approach (Step Summary)

  1. Start with standard protocols.
  2. Review remote access traffic.
  3. Look for recurring patterns.
  4. Inspect host-to-host communication.
  5. Ask for help when needed.

tcpdump

Fundamentals

tcpdump is a command-line packet analyzer that captures and interprets network traffic using libpcap. It provides direct visibility into packets traversing an interface.

Traffic Capture with tcpdump

tcpdump supports a wide range of options that control capture behavior, output format, and file handling.

Basic Capture Options

Common switches include -i to select the interface, -nn to suppress hostname and port-name resolution, -v/-vv for verbosity, -c to stop after a packet count, -s to set the snapshot length per packet, -w to write a PCAP file and -r to read one back.

tcpdump Output

tcpdump output includes timestamps, protocol identifiers, source and destination addresses, flags, and sequence information, providing a concise summary of each packet. For TCP, flags are printed in bracket notation, where [S] is SYN, [S.] is SYN-ACK, [.] is a bare ACK, [P.] is PSH-ACK, [F.] is FIN-ACK and [R] is RST; the dot stands for the ACK bit.

Packet Filtering with tcpdump

Useful tcpdump Filters

Filters allow analysts to isolate traffic by host, network, protocol, port, or size, enabling focused analysis and efficient investigation.
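The following toy evaluator is an added example, not code from the original notes and not libpcap's compiler (which turns the same expressions into kernel bytecode). It parses the subset of BPF capture-filter syntax covered in the BPF Syntax section and here: host, net and port primitives with optional src/dst qualifiers, the tcp/udp/icmp protocol keywords, greater/less length tests, parentheses, and the and/or/not operators with pcap-filter precedence. The packets it runs against are constructed summaries, so it runs offline.

```python
"""Toy evaluator for the subset of BPF filter syntax most captures use.
Added example for these notes, not code from the page and not libpcap's compiler
(which turns the same expressions into kernel bytecode). Packets are constructed
summaries: src, dst, proto, sport, dport, len."""
import ipaddress

SAMPLE_PACKETS = [  # constructed for the example
    {"src": "10.0.0.10", "dst": "10.0.0.80", "proto": "tcp", "sport": 51000, "dport": 80, "len": 74},
    {"src": "10.0.0.10", "dst": "10.0.0.53", "proto": "udp", "sport": 40000, "dport": 53, "len": 70},
    {"src": "10.0.0.53", "dst": "10.0.0.10", "proto": "udp", "sport": 53, "dport": 40000, "len": 120},
    {"src": "10.0.0.22", "dst": "203.0.113.7", "proto": "tcp", "sport": 49152, "dport": 4444, "len": 60},
    {"src": "10.0.0.10", "dst": "10.0.0.1", "proto": "icmp", "len": 98},
    {"src": "192.168.1.5", "dst": "10.0.0.80", "proto": "tcp", "sport": 50000, "dport": 443, "len": 1500},
]


class BPFFilter:
    """Recursive-descent parser: 'not' binds tightest, then 'and', then 'or' (as in pcap-filter)."""

    def __init__(self, expr):
        self.toks = expr.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0
        self.match = self._or()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token: %s" % self.toks[self.pos])

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        if self.pos >= len(self.toks):
            raise ValueError("unexpected end of filter expression")
        self.pos += 1
        return self.toks[self.pos - 1]

    def _or(self):
        left = self._and()
        while self._peek() in ("or", "||"):
            self._take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self._and())
        return left

    def _and(self):
        left = self._not()
        while self._peek() in ("and", "&&"):
            self._take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self._not())
        return left

    def _not(self):
        if self._peek() in ("not", "!"):
            self._take()
            inner = self._not()
            return lambda p: not inner(p)
        return self._primitive()

    def _primitive(self):
        tok = self._take()
        if tok == "(":
            inner = self._or()
            if self._take() != ")":
                raise ValueError("missing )")
            return inner
        if tok in ("tcp", "udp", "icmp"):
            return lambda p: p["proto"] == tok
        if tok in ("greater", "less"):  # tcpdump: greater N is len >= N, less N is len <= N
            n = int(self._take())
            return (lambda p: p["len"] >= n) if tok == "greater" else (lambda p: p["len"] <= n)
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self._take()
        if tok not in ("host", "net", "port"):
            raise ValueError("unknown primitive: %s" % tok)
        return self._qualifier(tok, direction, self._take())

    @staticmethod
    def _qualifier(kind, direction, value):
        keys = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[direction]
        if kind == "port":
            port = int(value)
            pkeys = [k.replace("src", "sport").replace("dst", "dport") for k in keys]
            return lambda p: any(p.get(k) == port for k in pkeys)  # ICMP has no ports: never matches
        if kind == "host":
            target = ipaddress.ip_address(value)
            return lambda p: any(ipaddress.ip_address(p[k]) == target for k in keys)
        net = ipaddress.ip_network(value, strict=False)
        return lambda p: any(ipaddress.ip_address(p[k]) in net for k in keys)


def apply_filter(expr, packets=SAMPLE_PACKETS):
    """Return the packets a capture filter would keep; raises ValueError on bad syntax."""
    return list(filter(BPFFilter(expr).match, packets))


if __name__ == "__main__":
    for expr in ("host 10.0.0.10 and not port 53", "tcp and not (port 80 or port 443)", "greater 1000"):
        print("%-40s -> %d packet(s)" % (expr, len(apply_filter(expr))))
```

The second expression in the demo is the everyday "what TCP is not web traffic" hunt: on the sample data it leaves exactly the 10.0.0.22 to 203.0.113.7:4444 connection. Remember that a primitive without src/dst matches either direction, so "port 53" keeps both the DNS query and the reply, and that "not" applied to a port test is true for ICMP packets, which have no ports at all.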


Wireshark

Wireshark is a graphical network protocol analyzer capable of deep packet inspection across hundreds of protocols. It supports live capture and offline analysis.

Features and Capabilities

Wireshark provides protocol dissectors, decryption support, and extensive filtering capabilities across multiple platforms.

TShark vs. Wireshark (Terminal vs. GUI)

TShark offers Wireshark functionality via the command line, making it ideal for headless systems. Wireshark provides a rich graphical interface for interactive analysis.

Basic TShark Switches

TShark supports interface selection (-i, with -D to list available interfaces), BPF capture filters (-f), Wireshark display filters (-Y), capture limits (-c for a packet count), and file handling (-w to write, -r to read a capture file) through command-line switches.

TermShark

TermShark provides a text-based user interface for packet analysis, offering a Wireshark-like experience directly in the terminal.


Reference

This article is based on my personal study notes from the Information Security Foundations track.

Full repository: https://github.com/lameiro0x/security-foundations-htb-notes