Packet Analysis Basics

Packet analysis is the process of capturing, inspecting, and interpreting network packets to understand what is happening inside the network at the most granular level.
It is a core skill in Network Security Monitoring (NSM) because packets reveal exactly what was sent, received, downloaded, executed, or exfiltrated—without relying on application logs.

This chapter covers packet analysis at SOC depth: packet structure, tools, workflows, protocols, attack patterns, and hands-on investigation techniques.


What Packet Analysis Helps You Detect

Packet analysis reveals:

  • Malware downloads

  • C2 (command-and-control) traffic

  • Data exfiltration

  • Credential theft

  • Protocol abuse

  • Reconnaissance

  • Exploitation attempts

  • Lateral movement

  • DNS tunneling

  • Web attacks (SQLi, XSS, RCE)

Packets show the raw truth of network activity.
Even if attackers evade logs, they cannot hide packet behavior.


Understanding Packet Structure (SOC View)

Every captured packet has four main components:

1. Frame (Layer 2)

Contains MAC addresses.

2. IP Header (Layer 3)

Contains:

  • Source IP

  • Destination IP

  • TTL

  • Fragmentation flags

Useful for:

  • Attribution

  • Network mapping

  • Detecting spoofing


3. Transport Header (Layer 4)

TCP

  • Flags (SYN, ACK, PSH, FIN, RST)

  • Ports

  • Sequence numbers

UDP

  • Lightweight header

  • No handshake

Useful for detecting:

  • Port scans

  • Brute force

  • Beaconing

  • Exfiltration


4. Application Layer Data (Layer 5–7)

Examples:

  • HTTP requests

  • DNS queries

  • TLS handshake

  • SMB metadata

Critical for spotting:

  • Malware payload downloads

  • Malicious URLs

  • Credential theft attempts

  • C2 communication
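To make the three header layers concrete, here is an added example (not code from this chapter) that decodes a raw Ethernet frame into the Layer 2/3/4 fields listed above. The frame is constructed inline with made-up MAC addresses, a private source address and a documentation-range destination; checksums are left as zero and IPv6 is out of scope.

```python
import socket
import struct

# Constructed frame: Ethernet + IPv4 + TCP SYN, 192.168.1.10:51234 -> 203.0.113.7:4444.
# Addresses and MACs are made up for the example; checksums are left as zero.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"          # dst MAC, src MAC, EtherType IPv4
    "4500" "0028" "1234" "4000" "40" "06" "0000"  # IPv4: v4/IHL 5, len 40, id, DF, TTL 64, TCP
    "c0a8010a" "cb007107"                        # src 192.168.1.10, dst 203.0.113.7
    "c822" "115c" "00000001" "00000000"          # TCP: sport 51234, dport 4444, seq, ack
    "5002" "ffff" "0000" "0000"                  # data offset 5, flags SYN, window, csum, urg
)

TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10))


def parse_frame(frame: bytes) -> dict:
    """Pull out the Layer 2/3/4 fields the chapter lists from a raw Ethernet frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x} (IPv4 only)")
    ip = frame[14:]
    (ver_ihl, _tos, _total_len, _ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes, options included
    info = {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "ttl": ttl, "proto": proto,
        "dont_fragment": bool(flags_frag & 0x4000),  # DF bit
        "more_fragments": bool(flags_frag & 0x2000), # MF bit
        "frag_offset": flags_frag & 0x1FFF,
    }
    l4 = ip[ihl:]
    if proto == 6:                                  # TCP: ports, sequence numbers, flags
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", l4[:16])
        info.update(src_port=sport, dst_port=dport, seq=seq, ack=ack, window=window,
                    tcp_flags=[name for name, bit in TCP_FLAG_BITS if off_flags & bit])
    elif proto == 17:                               # UDP: ports only, no handshake state
        sport, dport, _length, _csum = struct.unpack("!HHHH", l4[:8])
        info.update(src_port=sport, dst_port=dport)
    return info


if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE_FRAME).items():
        print(f"{key:>15}: {value}")
```

Feeding it each packet from a pcap (for instance via Wireshark's export or a pcap reader) gives the same fields the Wireshark packet detail pane shows, which is what the header checks in the workflow below rely on.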


Tools for Packet Analysis

The most common tools are:

  • Wireshark (GUI)

  • tcpdump (CLI)

  • TShark (CLI version of Wireshark)

  • Zeek (network logs + behavior analysis)

  • Suricata (IDS + packet engine)

Packet analysis begins with pcap files or live captures.


How SOC Analysts Capture Packets

Using tcpdump

tcpdump -i eth0 -w capture.pcap

Capture specific traffic (options go before the filter expression)

tcpdump -i eth0 -w suspicious.pcap host 192.168.1.10

Capture only HTTP

tcpdump -i eth0 -w http_capture.pcap port 80

Packet capture must be targeted to avoid huge file sizes.


Packet Analysis Workflow (SOC Standard)

Below is the step-by-step workflow used in SOC investigations.


Step 1 — Identify Suspicious Traffic

Example flags:

  • Unknown external IP

  • Repeated small packets

  • Beacon-like intervals

  • DNS anomalies

  • Downloads from shady domains

  • Suspicious ports (8081, 4444, 9001)


Step 2 — Reconstruct Sessions

Wireshark:

Follow → TCP Stream

Used to view:

  • Malware download URLs

  • HTTP payloads

  • Commands sent by attackers

  • Data exfiltration


Step 3 — Analyze Headers for Patterns

TCP Flags

  • SYN flood → scan or DDoS

  • RST instantly after SYN → firewall blocking

  • PSH → data transfer

  • FIN flood → abnormal termination

Ports

  • Uncommon outbound ports

  • Reverse shell ports

  • Malware default ports
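The SYN and RST patterns above can be checked mechanically. This added example (not from the chapter) flags a source that sends bare SYNs to many distinct ports on one host in a short window and counts how many were answered with an immediate RST, which is the "RST instantly after SYN" signal. The packet records are constructed inline; the thresholds are assumptions to tune per network.

```python
from collections import defaultdict

# Constructed TCP records (ts, src, dst, sport, dport, flags); made up for the example,
# not taken from a real capture. 10.0.0.5 probes 12 ports on 10.0.0.8 within 3 seconds
# and gets an immediate RST,ACK on 11 of them; the 443 handshake is ordinary traffic.
PACKETS = (
    [(i * 0.25, "10.0.0.5", "10.0.0.8", 40000 + i, 20 + i, "SYN") for i in range(12)]
    + [(i * 0.25 + 0.01, "10.0.0.8", "10.0.0.5", 20 + i, 40000 + i, "RST,ACK")
       for i in range(12) if i != 2]
    + [(50.00, "10.0.0.5", "203.0.113.7", 41000, 443, "SYN"),
       (50.02, "203.0.113.7", "10.0.0.5", 443, 41000, "SYN,ACK"),
       (50.03, "10.0.0.5", "203.0.113.7", 41000, 443, "ACK")]
)


def find_syn_scans(packets, min_ports=10, window=5.0):
    """Flag a source that sends bare SYNs to >= min_ports distinct ports on one host
    inside `window` seconds, and count how many were answered with a RST."""
    syns = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    rsts = set()               # (responder, target, responder_port) seen with RST set
    for ts, src, dst, sport, dport, flags in packets:
        bits = set(flags.split(","))
        if bits == {"SYN"}:    # connection attempt with no ACK: a probe or a real open
            syns[(src, dst)].append((ts, dport))
        elif "RST" in bits:
            rsts.add((src, dst, sport))
    hits = []
    for (src, dst), probes in syns.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):        # sliding time window over the probes
            in_window = {p for t, p in probes[i:] if t - t0 <= window}
            if len(in_window) >= min_ports:
                closed = sum(1 for p in in_window if (dst, src, p) in rsts)
                hits.append({"src": src, "dst": dst, "ports_probed": len(in_window),
                             "rst_replies": closed, "window_s": window})
                break
    return hits


if __name__ == "__main__":
    for hit in find_syn_scans(PACKETS):
        print(hit)
```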


Step 4 — Analyze Application Data

HTTP

Look for:

  • Suspicious URLs

  • Payload downloads

  • Base64 strings

  • C2 endpoints

  • Injected scripts

Example:

GET /payload.exe HTTP/1.1
Host: malicious-update.net

DNS

Look for:

  • Long queries

  • TXT-based exfiltration

  • Randomized subdomains

Example:

TXT: dGhpcyBpcyBzdG9sZW4gZGF0YQ==
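The three DNS checks above (long queries, TXT-based exfiltration, randomized subdomains) can be scored per query. This added example (not from the chapter) does so with name length, Shannon entropy of the subdomain labels, and the size of the TXT record returned; the 200-byte TXT limit follows the indicator list later in the chapter, the other thresholds are assumptions. The query records are constructed inline and the record size stands in for the full response size.

```python
import math
from collections import Counter

# Constructed DNS records (qname, qtype, TXT record size in bytes); made up for the example,
# not from a real capture. sync-update.biz is the placeholder domain used in this chapter.
QUERIES = [
    ("www.example.com", "A", 46),
    ("mail.example.com", "MX", 80),
    ("3f9a1c7e4b2d8e0f6a5c9b1d7e3f2a4c8b6d0e9f.sync-update.biz", "TXT", 260),
]


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score high, dictionary words score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def subdomain_part(qname: str) -> str:
    """Labels left of the registrable domain. Assumes a two-label suffix (example.com);
    a public-suffix list would be needed for names like example.co.uk."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-2])


def flag_query(qname, qtype, record_len, max_name=50, min_sub_len=20, min_entropy=3.5, max_txt=200):
    """Return the heuristics this query trips (thresholds are assumptions to tune per environment)."""
    flags = []
    if len(qname) > max_name:                               # long queries
        flags.append("long_name")
    sub = subdomain_part(qname)
    if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
        flags.append("high_entropy_subdomain")               # randomized subdomains
    if qtype == "TXT" and record_len > max_txt:
        flags.append("large_txt")                            # TXT-based exfiltration channel
    return flags


def triage(queries):
    """Keep only the queries that trip at least one heuristic."""
    flagged = []
    for qname, qtype, record_len in queries:
        flags = flag_query(qname, qtype, record_len)
        if flags:
            flagged.append((qname, flags))
    return flagged


if __name__ == "__main__":
    for qname, flags in triage(QUERIES):
        print(qname, "->", ", ".join(flags))
```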

TLS

Check:

  • JA3/JA3S fingerprints

  • Self-signed certs

  • Newly created certs

  • Mismatched hostname


Step 5 — Identify Malware Behavior

Patterns:

  • Beaconing every 60 seconds

  • Small & repetitive HTTP POSTs

  • TLS 1.0 or custom encryption

  • Fast-flux DNS behavior

  • TOR traffic

Example C2 beacon:

POST /status HTTP/1.1
Content-Length: 125
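"Beacon-like intervals" in Step 1 and "beaconing every 60 seconds" with "small and repetitive HTTP POSTs" here are the same measurement: near-constant timing and near-constant size per client/server pair. This added example (not from the chapter) computes both as a coefficient of variation over constructed connection records; the thresholds are assumptions to tune per network.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records (timestamp in seconds, src, dst, bytes sent); made up for the
# example, not from a real capture. 10.0.0.5 -> 203.0.113.7 checks in every ~60 s with ~125
# bytes, while 10.0.0.5 -> 198.51.100.20 is ordinary bursty browsing.
RECORDS = [
    (0, "10.0.0.5", "203.0.113.7", 125), (61, "10.0.0.5", "203.0.113.7", 128),
    (120, "10.0.0.5", "203.0.113.7", 122), (182, "10.0.0.5", "203.0.113.7", 125),
    (240, "10.0.0.5", "203.0.113.7", 127), (299, "10.0.0.5", "203.0.113.7", 123),
    (361, "10.0.0.5", "203.0.113.7", 125), (420, "10.0.0.5", "203.0.113.7", 126),
    (481, "10.0.0.5", "203.0.113.7", 124), (540, "10.0.0.5", "203.0.113.7", 125),
    (5, "10.0.0.5", "198.51.100.20", 900), (7, "10.0.0.5", "198.51.100.20", 15000),
    (40, "10.0.0.5", "198.51.100.20", 2300), (41, "10.0.0.5", "198.51.100.20", 700),
    (200, "10.0.0.5", "198.51.100.20", 48000), (203, "10.0.0.5", "198.51.100.20", 1200),
    (204, "10.0.0.5", "198.51.100.20", 3100), (500, "10.0.0.5", "198.51.100.20", 650),
]


def find_beacons(records, min_events=6, max_gap_cv=0.15, max_size_cv=0.25):
    """Group records per (src, dst) and flag pairs whose inter-arrival gaps and sizes
    are both nearly constant: low coefficient of variation (stdev / mean) on each.
    Thresholds are assumptions to tune per network, not values from the chapter."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))
    hits = []
    for pair, events in by_pair.items():
        if len(events) < min_events:          # too few samples to judge regularity
            continue
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        sizes = [size for _, size in events]
        if mean(gaps) <= 0:                   # all in the same instant: a burst, not a beacon
            continue
        gap_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            hits.append({"pair": pair, "events": len(events), "interval_s": round(mean(gaps)),
                         "gap_cv": round(gap_cv, 3), "size_cv": round(size_cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(RECORDS):
        print(hit)
```

Real implants add jitter, so widen max_gap_cv gradually and require more events before raising the threshold; Zeek conn.log or a tshark conversation export provides the same four fields for a live capture.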

Step 6 — Identify Exfiltration Attempts

Indicators:

  • Large outbound chunks

  • Base64 blobs

  • ZIP/tar transfers

  • DNS tunneling

  • HTTPS uploads

Example:

POST /upload size=4MB

Step 7 — Confirm Attack Timeline

Combine:

  • DNS lookup

  • Payload download

  • Process injection

  • Lateral movement

  • Exfiltration

Packet flow confirms each stage.


Common Attack Indicators in Packet Captures

1. Malware Download

HTTP GET /dropper.exe

2. Reverse Shell

TCP connection from internal → external on port 4444

3. C2 Beacon

POST /cmd?session=xyz

4. DNS Tunneling

TXT queries > 200 bytes

5. Credential Theft (Cleartext)

POST /login password=admin123

6. SMB Lateral Movement

SMB2 Session Setup Request

7. Exploit Attempts

/../../../../etc/passwd (directory traversal)

8. SQL Injection Attempts

id=1' OR '1'='1

Packet analysis exposes true attacker actions.


Example: Complete Attack Reconstruction From Packets

Here is a real-world style sequence:

  1. DNS query:

     resolve sync-update.biz

  2. Malware download:

     GET /payload.exe

  3. C2 communication:

     POST /checkin size=200 bytes every 60s

  4. Lateral movement:

     SMB2 Tree Connect | 10.0.0.5 → 10.0.0.8

  5. Data exfiltration:

     POST /upload size=6MB

Packet analysis reveals the entire attack path.


Intel Dump

  • Packet analysis examines raw network packets to detect malware, C2, exfiltration, scanning, and exploitation.

  • Analysts inspect headers, sessions, payloads, flags, and timing patterns.

  • Tools include Wireshark, tcpdump, Zeek, and Suricata.

  • Workflow: capture → inspect sessions → analyze headers → decode application data → detect anomalies → reconstruct attack.

  • Key indicators: malware downloads, beaconing, DNS tunneling, suspicious ports, exfiltration, and exploit attempts.

  • Packet analysis provides the most accurate view of attacker behavior at the network level.
