Packet Analysis Basics

Packet analysis is the core activity of network forensics. Once traffic has been captured into a PCAP file, investigators analyze packets to understand communication flows, detect anomalies, identify malware activity, and reconstruct attacker actions. Packet analysis transforms raw network data into meaningful forensic intelligence.

This chapter explains how packets are structured, how to analyze them using tools like Wireshark and tcpdump, and what indicators investigators look for during forensic examination.


What Is Packet Analysis?

Packet analysis is the process of examining network packets to understand how systems communicate. Each packet contains:

  • Headers (Ethernet, IP, TCP/UDP)

  • Payload (application data)

  • Flags, sequence numbers, timestamps

Packet analysis allows investigators to inspect every layer of communication—from Ethernet frames to HTTP traffic.


Structure of a Network Packet

A typical packet includes multiple layers based on the OSI or TCP/IP model.


1. Ethernet Layer (Layer 2)

Contains:

  • Source MAC address

  • Destination MAC address

  • EtherType (protocol indicator)

Useful for:

  • Identifying device manufacturers

  • Spotting spoofed MAC addresses


2. Network Layer (IP Layer — Layer 3)

Contains:

  • Source IP

  • Destination IP

  • TTL (Time to Live)

  • IP flags

  • Fragmentation info

Used to detect:

  • IP spoofing

  • Unusual geographic origins

  • Reconnaissance scanning


3. Transport Layer (TCP/UDP — Layer 4)

TCP Header Contains:

  • Source port / destination port

  • Sequence numbers

  • Acknowledgment numbers

  • Flags (SYN, ACK, FIN, RST, PSH, URG)

  • Window size

TCP flags reveal:

  • Connection establishment (SYN, SYN/ACK)

  • Connection teardown (FIN, RST)

  • Port scanning and denial-of-service floods (Xmas scans, SYN floods)

UDP Header Contains:

  • Source/destination ports

  • Length and checksum, followed directly by the payload (no sequence numbers, flags, or acknowledgments)

Used for:

  • DNS, DHCP, NTP, VoIP

  • Malware beaconing


4. Application Layer (Layer 7)

Examples:

  • HTTP requests/responses

  • DNS queries

  • SMTP messages

  • TLS handshakes

  • FTP commands

  • Malware payloads

Application-layer inspection reveals user behavior and attacker actions.


Tools for Packet Analysis


1. Wireshark (Most Popular)

GUI tool with filtering, reconstruction, and deep packet inspection.

Examples:

Filter HTTP traffic:

http

Filter by IP:

ip.addr == 192.168.1.10

Filter by port:

tcp.port == 443

2. tcpdump (CLI Analysis Tool)

Examples:

Show DNS traffic:

tcpdump udp port 53

Show packet headers without resolving hostnames or port names:

tcpdump -nn

Show packet contents as ASCII, capturing full packets rather than a truncated snapshot:

tcpdump -A -s0

3. Tshark (Wireshark CLI)

Example:

tshark -r capture.pcap

4. NetworkMiner

Used to extract:

  • Files

  • Images

  • Credentials

  • HTTP sessions


Key Concepts in Packet Analysis


1. Flow Identification

Grouping packets into flows/sessions:

  • Source IP → destination IP

  • Source port → destination port

  • Protocol

Useful for:

  • Identifying long-lived C2 connections

  • Reconstructing malware activity
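The flow grouping described above, carried through to the timing check an analyst applies to spot C2 beaconing. This is an added example, not code from the chapter; the packet records, addresses and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed packet records (not from a real capture):
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, bytes)
PACKETS = [
    # Host 10.0.0.5 contacting 203.0.113.7:443 roughly every 60 seconds (beacon-like)
    (0.0,   "10.0.0.5", 50111, "203.0.113.7", 443, "tcp", 180),
    (60.2,  "10.0.0.5", 50111, "203.0.113.7", 443, "tcp", 182),
    (120.1, "10.0.0.5", 50111, "203.0.113.7", 443, "tcp", 180),
    (180.3, "10.0.0.5", 50111, "203.0.113.7", 443, "tcp", 181),
    (240.0, "10.0.0.5", 50111, "203.0.113.7", 443, "tcp", 180),
    # Ordinary browsing from 10.0.0.8: bursty timing, variable sizes
    (1.0,   "10.0.0.8", 50500, "198.51.100.20", 80, "tcp", 1460),
    (1.1,   "10.0.0.8", 50500, "198.51.100.20", 80, "tcp", 1460),
    (35.0,  "10.0.0.8", 50500, "198.51.100.20", 80, "tcp", 1460),
    (36.4,  "10.0.0.8", 50500, "198.51.100.20", 80, "tcp", 320),
]

def flow_key(pkt):
    """Bidirectional 5-tuple: both directions of a conversation share one key."""
    _, sip, sport, dip, dport, proto, _ = pkt
    a, b = (sip, sport), (dip, dport)
    return (a, b, proto) if a <= b else (b, a, proto)

def group_flows(packets):
    flows = defaultdict(list)
    for pkt in packets:
        flows[flow_key(pkt)].append(pkt)
    return flows

def flow_stats(pkts):
    """Per-flow duration, volume and inter-arrival regularity."""
    ts = sorted(p[0] for p in pkts)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    cv = None
    if len(gaps) >= 2 and statistics.mean(gaps) > 0:
        # Coefficient of variation of the gaps: close to 0 means machine-like
        # timing, which is what periodic C2 beaconing looks like.
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
    return {"packets": len(pkts), "bytes": sum(p[6] for p in pkts),
            "duration": ts[-1] - ts[0], "gap_cv": cv}

def find_beacons(packets, min_packets=4, max_cv=0.1):
    """Flow keys with beacon-like timing (thresholds are assumptions; tune on known-good traffic)."""
    hits = []
    for key, pkts in group_flows(packets).items():
        s = flow_stats(pkts)
        if s["packets"] >= min_packets and s["gap_cv"] is not None and s["gap_cv"] <= max_cv:
            hits.append(key)
    return hits
```

On a real capture the same functions take the 5-tuple and timestamp columns exported from Wireshark or tshark; the browsing flow has enough packets to pass the count threshold but is rejected on timing alone.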


2. TCP Handshake Analysis

Normal handshake:

  1. SYN

  2. SYN/ACK

  3. ACK

Abnormal patterns indicate:

  • SYN floods

  • Port scans

  • Connection spoofing


3. Reassembling Streams

Wireshark allows reassembly of:

  • TCP streams

  • HTTP conversations

  • Files transferred over protocols

  • Malware payloads

Example:
Follow → TCP Stream reveals full conversations.


4. Identifying Suspicious Traffic

Indicators include:

  • DNS requests to random domains

  • Long-duration idle connections

  • Repeated beaconing intervals

  • Outbound traffic to rare IPs

  • HTTP POST with encoded payloads

  • Connections on odd ports (4444, 9001)

  • Tor, VPN, or proxy traffic

  • TLS without SNI or with suspicious certificates


5. Detecting Malware Activity

Common signs:

C2 communication

  • Periodic beaconing

  • Small-sized, repetitive packets

Data exfiltration

  • Large outbound transfers

  • DNS tunneling patterns

  • HTTP uploads

Exploit attempts

  • SQL injection patterns

  • Shellshock payloads

  • RCE command strings

Ransomware

  • Massive SMB traffic

  • File renaming over network shares


6. Analyzing DNS Traffic

DNS is one of the most valuable indicators of malware activity.

Look for:

  • Domains generated by DGAs

  • Long or random subdomains

  • Suspicious TXT queries

  • DNS over HTTPS (DoH) misuse
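The "long or random subdomain" and "suspicious TXT query" checks above, implemented over a handful of query names. This is an added example rather than the chapter's own code; the query names, the entropy and length thresholds, and the naive last-two-labels notion of a registered domain are all assumptions.

```python
import math
from collections import Counter

# Constructed DNS query records for illustration: (query_name, qtype).
# None of these names are real indicators.
QUERIES = [
    ("www.example.com", "A"),
    ("mail.example.org", "MX"),
    ("xk3j9qz7vb2ptr8mw.example-dga.test", "A"),
    ("a9f3c2e1b7d4f6a0c8e2b4d6f8a0c2e4b6d8f0a2c4e6.tunnel.test", "TXT"),
]

def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dns_indicators(name, qtype, max_label=20, min_entropy=3.5):
    """Reasons a single query looks DGA- or tunnel-like. Thresholds are
    assumptions; tune them against the environment's normal traffic.
    The registered domain is taken naively as the last two labels (real
    tooling should consult the Public Suffix List)."""
    labels = name.rstrip(".").lower().split(".")
    sub = labels[:-2]
    reasons = []
    if any(len(label) > max_label for label in sub):
        reasons.append("long_label")
    if any(shannon_entropy(label) >= min_entropy for label in sub):
        reasons.append("high_entropy")
    if qtype == "TXT" and sub:
        reasons.append("txt_to_subdomain")   # TXT lookups are a classic tunnel channel
    return reasons

def flag_queries(queries):
    """Map each suspicious query name to its list of reasons."""
    flagged = {}
    for name, qtype in queries:
        reasons = dns_indicators(name, qtype)
        if reasons:
            flagged[name] = reasons
    return flagged
```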


7. TLS/SSL Traffic Indicators

Even encrypted traffic reveals metadata:

  • JA3/JA3S fingerprints

  • Suspicious certificate issuers

  • Missing SNI fields

  • Unusual ciphers

Malware often uses invalid or self-signed certificates.
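How the JA3 fingerprint listed above is actually derived, together with the missing-SNI check. This is an added example, not the chapter's or the JA3 project's code; it assumes the ClientHello has already been decoded into integer fields (the sample values are constructed), and it follows the published JA3 field order with GREASE values removed.

```python
import hashlib

def is_grease(value):
    """GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ..., 0xfafa) are randomised
    per connection and are dropped so a client's fingerprint stays stable."""
    return (value & 0x0f0f) == 0x0a0a and (value >> 8) == (value & 0xff)

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string from decoded ClientHello fields, in the order the JA3 spec
    defines: TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats.
    Every list is decimal values joined by '-', GREASE removed."""
    def segment(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(version), segment(ciphers), segment(extensions),
                     segment(curves), segment(point_formats)])

def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """The 32-hex-character MD5 digest that tooling reports as the JA3."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()

def client_hello_indicators(extensions, server_name):
    """Metadata check on a ClientHello: extension type 0 is server_name (SNI),
    so a hello without it, or with an empty name, is worth a closer look."""
    reasons = []
    if 0 not in extensions or not server_name:
        reasons.append("missing_sni")
    return reasons

# Constructed ClientHello fields for illustration: a TLS 1.2 hello whose
# legacy version field is 0x0303 (771), with GREASE values sprinkled in.
SAMPLE = dict(version=771,
              ciphers=[0x1a1a, 4865, 4866, 4867, 49195, 49199],
              extensions=[0x2a2a, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
              curves=[0x3a3a, 29, 23, 24],
              point_formats=[0])
```

Because JA3 hashes only the client's offered parameters, the same malware family tends to produce the same digest regardless of the server it talks to, which is what makes it useful for hunting in encrypted traffic.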


8. Identifying Scanning & Reconnaissance

Common patterns:

  • Sequential port sweeps

  • SYN packets without ACK

  • ICMP sweeps

  • UDP probes

These often precede exploitation.
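The handshake tracking from section 2 and the "SYN packets without ACK" pattern above, worked as one state machine over a constructed packet list. This is an added example, not code from the chapter; the addresses, ports and the scan threshold are assumptions.

```python
from collections import defaultdict

# Constructed TCP records for illustration: (src_ip, src_port, dst_ip, dst_port, flags)
PACKETS = [
    # A normal three-way handshake from a workstation to a web server
    ("10.0.0.8", 50500, "10.0.0.20", 80, {"SYN"}),
    ("10.0.0.20", 80, "10.0.0.8", 50500, {"SYN", "ACK"}),
    ("10.0.0.8", 50500, "10.0.0.20", 80, {"ACK"}),
    # 10.0.0.99 probes several ports on 10.0.0.20 and never completes a handshake
    ("10.0.0.99", 40001, "10.0.0.20", 21, {"SYN"}),
    ("10.0.0.20", 21, "10.0.0.99", 40001, {"RST", "ACK"}),   # closed port
    ("10.0.0.99", 40002, "10.0.0.20", 22, {"SYN"}),
    ("10.0.0.20", 22, "10.0.0.99", 40002, {"SYN", "ACK"}),   # open port
    ("10.0.0.99", 40002, "10.0.0.20", 22, {"RST"}),          # prober aborts instead of ACK
    ("10.0.0.99", 40003, "10.0.0.20", 25, {"SYN"}),          # no reply at all
    ("10.0.0.99", 40004, "10.0.0.20", 80, {"SYN"}),
    ("10.0.0.20", 80, "10.0.0.99", 40004, {"SYN", "ACK"}),
    ("10.0.0.99", 40004, "10.0.0.20", 80, {"RST"}),
]

def handshake_states(packets):
    """Follow each client-initiated attempt: syn_sent -> syn_ack -> established,
    or rst when either side resets. Keyed by the client's (src, sport, dst, dport)."""
    state = {}
    for sip, sport, dip, dport, flags in packets:
        fwd = (sip, sport, dip, dport)          # client -> server direction
        rev = (dip, dport, sip, sport)          # server -> client direction
        if flags == {"SYN"}:
            state[fwd] = "syn_sent"
        elif {"SYN", "ACK"} <= flags and state.get(rev) == "syn_sent":
            state[rev] = "syn_ack"
        elif "RST" in flags:
            if rev in state:
                state[rev] = "rst"              # server refused the attempt
            elif fwd in state:
                state[fwd] = "rst"              # client tore it down itself
        elif flags == {"ACK"} and state.get(fwd) == "syn_ack":
            state[fwd] = "established"
    return state

def scan_suspects(packets, min_ports=3):
    """Sources that sent SYNs to many distinct ports on one host without ever
    completing a handshake (min_ports is an assumed threshold)."""
    ports = defaultdict(set)
    for (sip, _, dip, dport), st in handshake_states(packets).items():
        if st != "established":
            ports[(sip, dip)].add(dport)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}
```

The same state table separates a benign client (every attempt reaches "established") from a scanner whose attempts end in "rst" or stall at "syn_sent", which is the distinction Wireshark's conversation view leaves you to make by eye.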


9. Payload Extraction

From protocols:

  • HTTP downloads → extract malware binaries

  • FTP transfers → recover stolen files

  • Email attachments → reconstruct payloads

Tools:

  • Wireshark export objects

  • NetworkMiner


Best Practices for Packet Analysis

  • Always validate timestamps

  • Use filters to reduce noise

  • Identify normal traffic before hunting anomalies

  • Combine packet analysis with logs

  • Extract and hash files found in traffic

  • Avoid relying solely on IP reputation

  • Document each significant finding


Intel Dump

  • Packet analysis examines Ethernet, IP, TCP/UDP, and application-layer data to uncover forensic evidence.

  • Tools like Wireshark, tcpdump, Tshark, and NetworkMiner extract flows, reconstruct sessions, and reveal attacker communication.

  • Key activities include analyzing TCP handshakes, grouping flows, identifying suspicious DNS and TLS patterns, and detecting malware behavior such as beaconing, scanning, and data exfiltration.

  • Packet reassembly exposes HTTP sessions, downloads, C2 messages, and transmitted files.

  • Effective packet analysis correlates network findings with other forensic data to fully reconstruct intrusion events.
