Network Forensics: HTTP, DNS, and TLS Analysis (Beginner-Friendly Tutorial)
1. Introduction to Network Forensics
Network forensics is the process of capturing, inspecting, and analyzing network traffic to investigate security incidents. In this tutorial, we will learn how to analyze three important protocols:
- HTTP (web traffic)
- DNS (domain name lookups)
- TLS (encrypted web traffic)
2. HTTP Analysis
What is HTTP?
HTTP (Hypertext Transfer Protocol) is used when you visit websites. It is not encrypted, so attackers and investigators can read everything in the request and response.
What you can find in HTTP traffic
- Visited URLs
- Form data (usernames, passwords in plain text)
- File downloads and uploads
- Cookies
- User-Agent details
- Server response codes (200, 404, etc.)
How to analyze HTTP traffic
- Open the PCAP file in Wireshark.
- In the filter bar, type: http
- Select any HTTP packet.
Important sections to check
a) HTTP Request
- Method (GET, POST)
- Full URL
- Host header
- User-Agent
- Cookies
Example:
GET /login HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
b) HTTP Response
- Status code (200 OK, 404 Not Found)
- Server type
- File contents (images, pages, etc.)
c) Reconstructing files
In Wireshark:
- Go to File → Export Objects → HTTP
- Download images, scripts, or malicious payloads found in traffic.
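The fields listed above can be pulled out of a plaintext HTTP exchange with a few lines of parsing. The following is an added example, not part of the original tutorial or of Wireshark; the request and response bytes are constructed sample data shaped like what Wireshark's "Follow TCP Stream" shows, and the parser does by hand what Export Objects does for a response body (it honours Content-Length so the reconstructed object is not mixed with the next message on the stream).

```python
"""Parse one plaintext HTTP request/response pair and extract the fields an
investigator checks: method, full URL, Host, User-Agent, cookies, submitted
form data, status code, Server header and the response body (the "object")."""
from urllib.parse import parse_qs

# Constructed sample exchange (not from a real capture): a login POST and its reply.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.18.0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 26\r\n"
    b"\r\n"
    b"<html>Welcome alice</html>"
)


def split_message(raw: bytes):
    """Split an HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Content-Length bounds the body, so bytes of a following message on the
    # same TCP stream are not glued onto this one when reconstructing an object.
    length = int(headers.get("content-length", len(body)))
    return lines[0], headers, body[:length]


def parse_request(raw: bytes) -> dict:
    """Extract the request fields from section a) above."""
    start, headers, body = split_message(raw)
    method, path, _version = start.split(" ", 2)
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # Form fields travel in clear text; this is why HTTP logins leak credentials.
        form = {k: v[0] for k, v in parse_qs(body.decode("iso-8859-1")).items()}
    return {
        "method": method,
        "url": f"http://{headers.get('host', '')}{path}",
        "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),
        "cookies": cookies,
        "form": form,
    }


def parse_response(raw: bytes) -> dict:
    """Extract the response fields from section b) and the body from section c)."""
    start, headers, body = split_message(raw)
    _version, status, reason = start.split(" ", 2)
    return {
        "status": int(status),
        "reason": reason,
        "server": headers.get("server"),
        "content_type": headers.get("content-type"),
        "body": body,  # the reconstructed object; write it to disk to "export" it
    }


if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
    print(parse_response(SAMPLE_RESPONSE))
```

Feeding the two sample messages through the parser yields the URL `http://example.com/login`, the two cookies, the submitted username and password, and the 26-byte HTML body, which is exactly the set of artefacts the checklist above asks you to look for.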
3. DNS Analysis
What is DNS?
DNS (Domain Name System) converts domain names (like google.com) into IP addresses. DNS is not encrypted, so investigators can easily see what domains were queried.
What you can find in DNS traffic
- Domains contacted by the attacker
- Suspicious or unusual domain names
- Tunneling or data exfiltration through DNS
- Malware command-and-control (C2) domains
How to analyze DNS traffic
- Filter DNS packets: dns
- Look for:
  - A records (IP address requests)
  - TXT records (can hide data)
  - Long or strange subdomains (possible DNS tunneling)
Signs of malicious DNS activity
- Random domain names like: ajdke83hdu3.example.com
- Very frequent DNS queries
- DNS queries to known malicious domains
- TXT records carrying encoded payloads
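The signs listed above (random-looking labels, long subdomains, TXT lookups, bursts of queries to one domain) can be turned into simple scoring rules that run over a list of DNS queries. The following is an added example, not part of the original tutorial; the query log is constructed sample data, the thresholds are assumptions an investigator would tune for their own network, and `registered_domain` uses the last two labels as a simplification (real tooling consults the Public Suffix List).

```python
"""Score DNS queries for the tunnelling/C2 indicators described above.
Input is a list of (client IP, query name, record type) tuples, the columns
you would export from Wireshark with the filter `dns`."""
import math
from collections import Counter

# Constructed sample log (not from a real capture): one quiet client and one
# client that issues a random-looking lookup plus a burst of TXT queries with
# long base64-looking labels, the typical shape of DNS tunnelling.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "cdn.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.7", "ajdke83hdu3.example.com", "A"),
] + [
    ("10.0.0.7", f"a3RleTo{i}Q2xpZW50QmxvYjEyMzQ1Njc4.tunnel.example.net", "TXT")
    for i in range(6)
]

# Assumed thresholds; tune them against a baseline of normal traffic.
MAX_LABEL_LEN = 20     # labels longer than this rarely occur in human-chosen names
ENTROPY_LIMIT = 3.0    # bits per character; random/encoded labels score higher
BURST_LIMIT = 5        # lookups from one client to one domain in the sample window


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0 for "www", higher for encoded data."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Last two labels (simplification; the Public Suffix List handles co.uk etc.)."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def query_flags(name: str, qtype: str) -> list:
    """Return the indicators a single query triggers, sorted for stable output."""
    flags = set()
    subdomain_labels = name.rstrip(".").split(".")[:-2]
    for label in subdomain_labels:
        if len(label) > MAX_LABEL_LEN:
            flags.add("long-label")
        # Short labels give noisy entropy values, so only score longer ones.
        if len(label) >= 10 and shannon_entropy(label) >= ENTROPY_LIMIT:
            flags.add("random-looking")
    if qtype == "TXT":
        flags.add("txt-query")
    return sorted(flags)


def analyze(queries):
    """Return (flagged queries, {(client, domain): count} pairs above BURST_LIMIT)."""
    flagged = []
    per_pair = Counter()
    for client, name, qtype in queries:
        per_pair[(client, registered_domain(name))] += 1
        flags = query_flags(name, qtype)
        if flags:
            flagged.append((client, name, qtype, flags))
    bursts = {pair: n for pair, n in per_pair.items() if n >= BURST_LIMIT}
    return flagged, bursts


if __name__ == "__main__":
    flagged, bursts = analyze(SAMPLE_QUERIES)
    for entry in flagged:
        print("FLAG", *entry)
    for (client, domain), n in bursts.items():
        print(f"BURST {client} -> {domain}: {n} queries")
```

On the sample data the three ordinary lookups from 10.0.0.5 pass clean, the `ajdke83hdu3` label is flagged as random-looking, and every TXT query to tunnel.example.net is flagged three times over (long label, high entropy, TXT) while the per-client counter reports the burst. Entropy alone is a weak signal (legitimate CDN hostnames can score high), which is why the example combines it with label length, record type and frequency.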
4. TLS Analysis
What is TLS?
TLS (Transport Layer Security) encrypts traffic. It protects data but makes forensic analysis harder.
You cannot directly read usernames, passwords, or URLs inside TLS.
However, you can still extract useful information.
What you can find in TLS traffic
- Server Name Indication (SNI) → reveals which domain was visited
- Certificate details
- TLS versions
- Cipher suites
- Suspicious encrypted traffic patterns
How to analyze TLS in Wireshark
- Filter TLS packets: tls
- Click Client Hello packets.
Key TLS fields to check
a) SNI (Server Name Indication)
This shows the domain the user is trying to visit, even though the traffic is encrypted.
Example:
extension: server_name = www.example.com
b) Certificates
You can inspect:
- Issuer
- Subject
- Certificate validity
- Self-signed certificates (often used by malware)
c) TLS Version
Old versions like TLS 1.0 or SSLv3 are insecure and often used by malicious servers.
d) Traffic pattern analysis
Even without decrypting:
- Long sessions may indicate data exfiltration
- Repeated connections to unknown servers may indicate C2 traffic
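The SNI, TLS version and cipher suites from sections a) and c) all live in the unencrypted Client Hello, so they can be read straight from the record bytes without any keys. The following is an added example, not part of the original tutorial or of Wireshark: `build_client_hello` constructs a minimal sample Client Hello (the random bytes and cipher suite list are made up for the example) and `parse_client_hello` walks the record the way Wireshark's dissector does, pulling out the same fields you would click through in the packet details pane and flagging the legacy versions the text warns about.

```python
"""Extract SNI, negotiated-version hint and cipher suites from a TLS ClientHello."""
import struct

VERSION_NAMES = {
    0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
EXT_SERVER_NAME = 0          # RFC 6066 server_name
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 supported_versions


def build_client_hello(server_name: str, version: int = 0x0303,
                       cipher_suites=(0x1301, 0xC02F)) -> bytes:
    """Construct a minimal ClientHello record (sample data for this example only)."""
    host = server_name.encode("ascii")
    # server_name extension body: list_len(2) | name_type(1)=0 | name_len(2) | name
    sni_list = struct.pack("!BH", 0, len(host)) + host
    sni_ext = struct.pack("!HHH", EXT_SERVER_NAME, len(sni_list) + 2, len(sni_list)) + sni_list
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        struct.pack("!H", version)
        + b"\x11" * 32                                   # client random (constructed)
        + b"\x00"                                        # empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                    # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake  # record type 22


def parse_client_hello(record: bytes) -> dict:
    """Walk the record and return the fields an investigator checks."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                            # skip client random
    sid_len = body[pos]; pos += 1 + sid_len              # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len            # skip compression methods
    sni, supported = None, []
    if pos + 2 <= len(body):                             # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + ext_size]; pos += ext_size
            if ext_type == EXT_SERVER_NAME:
                name_len = struct.unpack("!H", data[3:5])[0]   # after list_len + name_type
                sni = data[5:5 + name_len].decode("ascii")
            elif ext_type == EXT_SUPPORTED_VERSIONS:
                # TLS 1.3 clients keep 0x0303 in the version field and list the
                # versions they really offer here (1-byte length, 2-byte entries).
                n = data[0]
                supported = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    max_version = max(supported) if supported else version
    return {
        "version": VERSION_NAMES.get(max_version, hex(max_version)),
        "legacy": max_version <= 0x0301,                 # SSLv3 / TLS 1.0: flag it
        "cipher_suites": suites,
        "sni": sni,
    }


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("www.example.com")))
    print(parse_client_hello(build_client_hello("legacy.example.net", version=0x0301)))
```

Running the example prints the SNI `www.example.com`, "TLS 1.2" and the two cipher suite IDs for the first record, and marks the second record as legacy because it offers nothing newer than TLS 1.0. On a real capture you would apply the same walk to the first packet of each `tls` stream and join the result to the per-server connection counts used in section d).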
5. Summary Table
| Protocol | Encrypted? | What You Can Find | Useful For |
|---|---|---|---|
| HTTP | ❌ No | URLs, logins, files, cookies | Web attacks, credential theft |
| DNS | ❌ No | Domains, IP lookups, tunneling | Malware C2, domain investigation |
| TLS | ✔️ Yes | SNI, certificates, patterns | Encrypted malware traffic, phishing |
Intel Dump
HTTP, DNS, and TLS analysis are core skills in network forensics.
- HTTP helps you see exactly what happened.
- DNS helps you track attacker communication.
- TLS helps you analyze encrypted traffic behavior.
Practice these skills using sample PCAP files to understand real attack scenarios.