analyzing-network-traffic-for-incidents

# Analyzing Network Traffic for Incidents ## When to Use - SIEM alerts on anomalous network traffic patterns requiring deeper investigation - C2 beaconing is suspected and needs confirmation through packet-level analysis - Data exfiltration volume or destination must be quantified from network evidence - Lateral movement between systems needs to be traced through network connections - An IDS/IPS alert requires packet-level validation to confirm or dismiss **Do not use** for host-based forensic analysis (process execution, file system artifacts); use endpoint forensics tools instead. ## Prerequisites - Full packet capture (PCAP) infrastructure or on-demand capture capability (network tap, SPAN port) - Wireshark installed on the analysis workstation with appropriate display filters knowledge - Zeek (formerly Bro) deployed for network metadata generation (conn.log, dns.log, http.log, ssl.log) - NetFlow/IPFIX collection from network devices for traffic flow analysis - Network architecture diagram showing VLAN layout, firewall placement, and monitoring points - Threat intelligence feeds for correlating observed network indicators ## Workflow ### Step 1: Capture or Acquire Network Traffic Obtain the relevant traffic data for the investigation: **Live Capture (if incident is active):** ```bash # Capture on specific interface filtering by host tcpdump -i eth0 -w capture.pcap host 10.1.5.42 # Capture C2 traffic to specific external IP tcpdump -i eth0 -w c2_traffic.pcap host ...