Capturing Traffic (PCAP)

Capturing network traffic is the foundation of network forensics. Investigators rely on packet captures (PCAP files) to analyze communication between systems, detect intrusions, identify malware activity, and reconstruct attacker behavior. A proper capture is complete (no dropped or truncated packets), accurately timestamped, and documented well enough that it can be relied on as evidence.

This chapter explains how traffic capture works, where to capture it, tools used to generate PCAP files, and best practices for collecting high-quality forensic evidence.


What Is a PCAP?

A PCAP (Packet Capture) file stores raw frames as the capture interface saw them. Each record carries a timestamp, the number of bytes captured, and the original length on the wire, so a reader can tell whether a packet was cut short by the capture's snapshot length.
Decoded, a capture contains:

  • Source IP / destination IP

  • Ports & protocols

  • Packet payloads

  • Timestamps

  • Flags (SYN, ACK, FIN)

  • Application-layer data (HTTP, DNS, SMTP, etc.)

PCAPs allow investigators to replay and analyze traffic long after the event.


Why Capturing Traffic Matters

Capturing traffic enables investigators to:

  • Detect intrusions, scanning, and exploit attempts

  • Identify C2 (command-and-control) communication

  • Reconstruct sessions and conversations

  • Analyze malware downloads or exfiltration

  • Determine attacker IP addresses

  • Investigate insider threats

  • Validate firewall/IDS alerts

Even a few seconds of traffic capture can contain crucial evidence.


Where to Capture Network Traffic

Different capture points provide different visibility.


1. On the Endpoint (Host-Based Capture)

Tools run locally on a workstation, server, or compromised machine.

Pros:

  • Sees the host's own traffic, including loopback and anything that never reaches a network capture point. Note that ordinary packet capture on the host still sees TLS traffic encrypted; plaintext is only available by hooking the TLS library or logging session keys (for example via SSLKEYLOGFILE), which is a separate mechanism from packet capture

  • Captures malware’s direct communication

  • Easy to deploy

Cons:

  • An attacker with root on the host can see, stop, or alter the capture, or feed it misleading traffic

  • High CPU and disk load on busy systems, and the act of capturing changes the state of a machine that may itself be evidence


2. On the Network (Switch/Router/Tap Capture)

Capturing from network infrastructure using:

  • Port Mirroring (SPAN)

  • Network TAPs

  • IDS devices (Suricata, Snort)

Pros:

  • Out of reach of an attacker on the monitored host: they cannot stop or alter the capture

  • Great for long-term monitoring

Cons:

  • Encrypted traffic is visible only as metadata (TLS handshakes, SNI, sizes, timing) unless session keys are available from elsewhere

  • A SPAN port is lower priority than normal forwarding and drops mirrored packets when the switch or the mirror port is oversubscribed; a TAP does not

  • Misses traffic that never crosses the capture point: loopback, same-switch east-west traffic, host-to-container traffic, and the inside of VPN tunnels


3. Cloud Environments

Cloud providers offer two levels of visibility. Flow logs (AWS VPC Flow Logs, Azure NSG flow logs, Google Cloud VPC Flow Logs) record 5-tuple metadata and byte/packet counts only, with no payload, so they are not PCAPs. Packet-level capture needs a mirroring or agent feature:

  • AWS VPC Traffic Mirroring (copies traffic from a network interface to a target interface or load balancer, VXLAN-encapsulated)

  • Azure Network Watcher (agent-based packet capture on the VM)

  • Google Cloud Packet Mirroring (copies traffic from selected instances to a collector behind an internal load balancer)

Capturing in the cloud requires understanding the virtual network path: a mirror session is scoped to specific interfaces or instances, the copy is delivered to a separate collector that must have the disk and bandwidth to keep up, and anything outside the session's scope is not captured.


Tools for Capturing Traffic (PCAP)


1. tcpdump (CLI Capture Tool)

Most widely used command-line packet capture tool.

Example capture:

tcpdump -i eth0 -w capture.pcap

Capture only TCP traffic (put options before the filter expression; tcpdump treats everything after the first non-option word as the filter, and placing -w after it is not portable across platforms):

tcpdump -i eth0 -w tcp-only.pcap tcp

Filter for a specific IP:

tcpdump -i eth0 -w host.pcap host 192.168.1.10

2. Wireshark

GUI-based packet analyzer with powerful filters.

Wireshark captures:

  • Full packet contents

  • SSL/TLS handshakes

  • DNS queries

  • Application traffic

Display filter examples (Wireshark's own syntax, applied to packets already captured; Wireshark's capture filters use the BPF syntax shown for tcpdump and are applied before packets are written):

http
ip.addr == 10.0.0.5
tcp.port == 443

3. Tshark (Wireshark CLI)

Command-line version of Wireshark.

Example:

tshark -i eth0 -w traffic.pcap

4. Dumpcap

The capture engine that Wireshark and Tshark use underneath. Run on its own it does no dissection, so it drops fewer packets under heavy load, and it supports ring buffers for long-running captures.

Example:

dumpcap -i eth0 -w output.pcap

5. Suricata / Snort

IDS/IPS engines that can also write full-packet PCAPs alongside their alerts.

Suricata live capture on an interface, writing logs to a directory (-l sets only the log directory; full-packet logging must be enabled with the pcap-log output in suricata.yaml, otherwise only alerts and metadata are written):

suricata -i eth0 -l /pcap/output/

6. Network TAP Devices

Hardware taps sit inline on a link and passively copy every frame, including malformed ones, to a monitor port, so capture does not depend on switch resources and cannot be disabled from the network. The tap itself stores nothing; a capture host or appliance on the monitor port writes the PCAP.

Used in:

  • SOCs

  • Incident response centers

  • High-throughput networks


PCAP Capture Filters

Capture filters (BPF syntax, applied in the kernel before packets are copied to the tool) limit what is written and keep files manageable. For forensic collection a narrow filter is a risk: anything it excludes is lost for good, so prefer to exclude only known-noisy traffic (a backup stream, the analyst's own SSH session) rather than include only what you expect to find.

Capture only DNS over UDP (DNS over TCP, used for large responses and zone transfers, needs port 53 without the udp qualifier)

udp port 53

Capture only traffic on TCP port 80 (conventionally HTTP; the filter matches the port, not the protocol)

tcp port 80

Capture only a single host

host 192.168.1.100

Capture traffic to a specific network

net 10.0.0.0/24

Capture packets of 100 bytes or more (greater is inclusive: it matches frames whose length is >= 100)

greater 100

Filters help avoid massive, unmanageable captures.
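The primitives above match in ways the one-line descriptions gloss over: port matches either direction, host and net match source or destination, and greater is inclusive. The following added example, written for this chapter and not taken from tcpdump or libpcap, re-implements those five primitives in plain Python and runs them over constructed frames so the semantics can be checked offline. The frame builder, the addresses and the ports are all constructed for illustration, and the code compiles no BPF; a real tcpdump run with the same expressions would keep the same frames.

```python
"""Check what the chapter's capture-filter primitives match.

Added example, not part of the original chapter and not libpcap: it
re-implements the matching rules of five BPF primitives in plain Python so
their semantics can be tried offline. Frames are constructed Ethernet/IPv4
packets with zeroed MACs and checksums.
"""
import ipaddress
import struct

IPV4, ARP = b"\x08\x00", b"\x08\x06"      # EtherTypes
TCP, UDP = 6, 17                          # IP protocol numbers


def ipv4_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Constructed Ethernet + IPv4 frame (no options, checksum left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + IPV4 + ip + l4


def udp_hdr(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp_hdr(sport: int, dport: int, payload: bytes = b"") -> bytes:
    # 20-byte header, SYN flag set, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0) + payload


def decode(frame: bytes) -> dict:
    """Extract only what the primitives test: addresses, protocol, ports, frame length."""
    p = {"len": len(frame), "ip": frame[12:14] == IPV4}
    if p["ip"]:
        ihl = (frame[14] & 0x0F) * 4
        p["proto"] = frame[23]
        p["src"], p["dst"] = (ipaddress.IPv4Address(frame[i:i + 4]) for i in (26, 30))
        l4 = frame[14 + ihl:]
        p["ports"] = struct.unpack("!HH", l4[:4]) if p["proto"] in (TCP, UDP) else ()
    return p


# Each primitive returns a predicate over a decoded frame, mirroring BPF semantics:
# 'port' matches either direction, 'host'/'net' match source or destination,
# and 'greater N' means length >= N (not strictly greater).
def udp_port(n):
    return lambda p: p["ip"] and p["proto"] == UDP and n in p["ports"]


def tcp_port(n):
    return lambda p: p["ip"] and p["proto"] == TCP and n in p["ports"]


def host(addr):
    a = ipaddress.IPv4Address(addr)
    return lambda p: p["ip"] and a in (p["src"], p["dst"])


def net(cidr):
    n = ipaddress.IPv4Network(cidr)
    return lambda p: p["ip"] and (p["src"] in n or p["dst"] in n)


def greater(n):
    return lambda p: p["len"] >= n


def apply_filter(frames, predicate) -> list:
    """Indices of the frames a capture filter with this predicate would keep."""
    return [i for i, f in enumerate(frames) if predicate(decode(f))]


def sample_frames() -> list:
    """Constructed traffic: DNS query, HTTP SYN, DNS response, TLS record, and a non-IP frame."""
    return [
        ipv4_frame("192.168.1.100", "10.0.0.53", UDP, udp_hdr(40000, 53, b"q" * 30)),      # 72 bytes
        ipv4_frame("192.168.1.100", "198.51.100.10", TCP, tcp_hdr(51000, 80)),             # 54 bytes
        ipv4_frame("10.0.0.53", "192.168.1.100", UDP, udp_hdr(53, 40000, b"r" * 200)),     # 242 bytes
        ipv4_frame("10.0.0.9", "172.16.0.2", TCP, tcp_hdr(44444, 443, b"\x17\x03\x03" + b"x" * 97)),  # 154 bytes
        b"\x00" * 12 + ARP + b"\x00" * 28,                                                   # 42 bytes, not IP
    ]


if __name__ == "__main__":
    frames = sample_frames()
    for text, pred in (("udp port 53", udp_port(53)), ("tcp port 80", tcp_port(80)),
                       ("host 192.168.1.100", host("192.168.1.100")),
                       ("net 10.0.0.0/24", net("10.0.0.0/24")),
                       ("greater 100", greater(100)), ("greater 72", greater(72))):
        print(f"{text:22} -> frames {apply_filter(frames, pred)}")
```

Two things worth noticing in the output: udp port 53 keeps the 53-to-40000 response as well as the query, and greater 72 keeps the 72-byte frame. Predicates compose with Python's and/or/not exactly as BPF expressions do, so host 192.168.1.100 and not udp port 53 is lambda p: host("192.168.1.100")(p) and not udp_port(53)(p). A DNS query carried over TCP would fail udp port 53 here just as it does in tcpdump.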


Best Practices for Forensic Traffic Capture

1. Capture full packets, not truncated packets

Set the snapshot length to the full frame (tcpdump -s 0, or at least the interface MTU plus link-layer headers); older tcpdump versions defaulted to a short snaplen of 68 bytes and silently cut payloads. Check the finished capture: any record whose captured length is below its original length has lost data.

2. Use lossless capture tools

Dumpcap, hardware taps, and Suricata are good choices, but no tool is lossless by itself. Watch the drop counters the tool reports at exit (tcpdump prints "packets dropped by kernel"), enlarge the capture buffer (tcpdump -B) if they are non-zero, and write to fast local storage rather than over the network being monitored.

3. Sync time with NTP

Accurate timestamps are essential for timeline correlation.

4. Store PCAPs securely and hash them

Compute SHA-256 as soon as the capture file is closed, record the hash in the case notes, and verify it again before analysis so any change in between is detectable:

sha256sum capture.pcap

5. Capture both inbound and outbound traffic

Inbound threats often come through exposed services.
Outbound threats reveal C2 or exfiltration.

6. Log metadata separately

Document:

  • Interface used

  • Filters applied

  • Start & stop timestamps

  • Tool version

7. Avoid capturing on heavily loaded endpoints

Endpoint capture competes with the host's own workload for CPU and disk and is where drops are most likely; prefer a SPAN port or TAP for busy servers.
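To tie practices 1, 4 and 6 together, here is an added example (not code from the chapter or from any capture tool) that verifies a finished capture and writes its evidence record: it parses the classic pcap header and per-packet records directly, flags packets whose captured length is below the original length, rejects files whose last record was cut off by an interrupted writer, hashes the file, and attaches the interface, filter and tool name you supply. The sample captures, the interface name and the filter string are constructed for the demonstration.

```python
"""Verify a PCAP file and emit a forensic evidence record for it.

Added example, not part of the original chapter. It parses the classic
libpcap format directly (magic 0xa1b2c3d4 = microsecond timestamps,
0xa1b23c4d = nanosecond), so it runs offline with no third-party modules;
pcapng input is detected and rejected. The sample captures are constructed
in memory and the frame bytes are filler, not real protocol data.
"""
import hashlib
import json
import struct
from datetime import datetime, timezone

GLOBAL_HDR = 24          # magic, version, tz offset, sigfigs, snaplen, linktype
PKT_HDR = 16             # per record: ts_sec, ts_frac, captured length, original length
MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D
MAGIC_PCAPNG = 0x0A0D0D0A
DLT_EN10MB = 1           # Ethernet link type


def parse_pcap(data: bytes) -> dict:
    """Walk every record; count packets, and those cut short by the snaplen."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("shorter than a pcap global header")
    if struct.unpack("<I", data[:4])[0] == MAGIC_PCAPNG:
        raise ValueError("pcapng file: use a pcapng-aware reader")
    endian = "<"
    magic = struct.unpack(endian + "I", data[:4])[0]
    if magic not in (MAGIC_USEC, MAGIC_NSEC):        # try big-endian writers
        endian = ">"
        magic = struct.unpack(endian + "I", data[:4])[0]
    if magic not in (MAGIC_USEC, MAGIC_NSEC):
        raise ValueError("not a classic pcap file (bad magic)")
    ts_div = 1_000_000 if magic == MAGIC_USEC else 1_000_000_000
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:GLOBAL_HDR])

    off, packets, truncated, first, last = GLOBAL_HDR, 0, 0, None, None
    while off + PKT_HDR <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + PKT_HDR])
        off += PKT_HDR
        if off + caplen > len(data):
            # A record running past the end means the writer died mid-packet.
            raise ValueError(f"record {packets + 1} overruns end of file (incomplete write)")
        ts = ts_sec + ts_frac / ts_div
        first = ts if first is None else first
        last = ts
        if caplen < origlen:                          # payload cut by the snaplen
            truncated += 1
        packets += 1
        off += caplen
    if off != len(data):
        raise ValueError("trailing bytes after the last record")
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets,
            "truncated_packets": truncated, "first_ts": first, "last_ts": last,
            "timestamp_resolution": "us" if ts_div == 1_000_000 else "ns"}


def evidence_record(data: bytes, interface: str, capture_filter: str, tool: str) -> dict:
    """Hash the file and bind it to the metadata the chapter says to document."""
    info = parse_pcap(data)
    utc = lambda t: None if t is None else datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return {"sha256": hashlib.sha256(data).hexdigest(), "size_bytes": len(data),
            "interface": interface, "capture_filter": capture_filter, "tool": tool,
            "start_utc": utc(info["first_ts"]), "end_utc": utc(info["last_ts"]),
            "full_packets": info["truncated_packets"] == 0, **info}


def write_pcap(frames, snaplen: int, t0: float = 1_700_000_000.0, gap: float = 0.5) -> bytes:
    """Serialise frames as little-endian pcap, cutting each at snaplen as a capture tool would."""
    out = bytearray(struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, DLT_EN10MB))
    for i, frame in enumerate(frames):
        ts = t0 + i * gap
        cap = frame[:snaplen]
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1_000_000), len(cap), len(frame))
        out += cap
    return bytes(out)


def sample_frames() -> list:
    """Constructed filler frames of 71, 79 and 1514 bytes (no real protocol content)."""
    return [bytes(n % 256 for n in range(size)) for size in (71, 79, 1514)]


if __name__ == "__main__":
    full = write_pcap(sample_frames(), snaplen=262144)   # current tcpdump default snaplen
    cut = write_pcap(sample_frames(), snaplen=96)        # a short, payload-losing snaplen
    for label, blob in (("full", full), ("truncated", cut)):
        print(label, json.dumps(evidence_record(blob, "eth0", "not port 22", "tcpdump"), indent=1))
```

Run it on a real file with evidence_record(open(path, "rb").read(), interface, capture_filter, tool) and keep the resulting JSON with the case notes. Wireshark's capinfos reports the same packet counts and time span; the point of doing it by hand is to see that the captured-versus-original length in each record header is where truncation shows up, and that a file ending mid-record is the signature of a capture process that was killed rather than stopped.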


What PCAPs Reveal During Forensics

PCAPs allow reconstruction of:

  • Malware downloads

  • Reverse shell sessions

  • DNS tunneling

  • Data exfiltration

  • Lateral movement

  • Exploit attempts (SQLi, RCE)

  • Suspicious encrypted traffic patterns

  • Beaconing behavior

  • Attack timelines

PCAPs remain one of the most powerful digital evidence sources.


Intel Dump

  • Traffic capture (PCAP) is essential for network forensics, enabling reconstruction of attacks, malware communication, and data exfiltration.

  • Capture points include endpoints, network devices (SPAN/TAP), cloud environments, and IDS systems.

  • Tools like tcpdump, Wireshark, Tshark, Dumpcap, and Suricata write packet captures; TAPs and SPAN ports feed them traffic.

  • Filters help refine captures to relevant traffic, reducing noise and file size.

  • Best practices include lossless captures, accurate timestamps, hashing, full packet capture, and proper documentation.

  • PCAPs reveal C2 traffic, exploits, suspicious sessions, DNS anomalies, and the entire communication footprint of an attack.
