PCAP Analysis

PCAP analysis is the process of examining captured network packets to understand communication patterns, detect malicious activity, reconstruct attacks, and validate suspicious network behaviors.
PCAP files provide raw, unfiltered data—every byte sent over the network—making them one of the most powerful sources of truth in network forensics.

This chapter explains PCAP analysis in full-scale SOC depth, including tools, workflows, indicators, decoding techniques, and practical attack reconstruction examples.


What PCAP Analysis Provides

PCAP analysis reveals:

  • Source and destination IPs

  • Ports and protocols

  • Session flows

  • DNS queries

  • HTTP requests and responses

  • TLS handshake metadata

  • File transfers

  • Credential leaks

  • C2 communication

  • Malware payload delivery

  • Lateral movement

Unlike logs, PCAPs show exact packet content, allowing analysts to reconstruct attacks byte-by-byte.


Tools Used for PCAP Analysis

SOC analysts rely on:

  • Wireshark

  • tcpdump

  • tshark

  • NetworkMiner

  • Zeek-generated PCAPs

  • Suricata captures

  • tcpflow / chaosreader

  • Brim / Arkime

  • CERT tools (Bro scripts)

Wireshark is the primary tool, but tcpdump is used for on-the-fly capture.


PCAP Analysis Workflow (SOC Standard)

Below is the structured method for PCAP investigations.


Step 1 — Identify the Objective

The analyst determines what they are trying to find:

  • C2 traffic?

  • Malware download?

  • Data exfiltration?

  • Port scanning?

  • Lateral movement?

  • Suspicious DNS traffic?

This guides filter selection.


Step 2 — Load PCAP and Apply Filters

Commonly used Wireshark display filters:

Filter by IP

ip.addr == 10.0.0.5
ip.src == 185.22.113.10

Filter by Port

tcp.port == 443
udp.port == 53

Filter by Protocol

dns
http
tls
smb

Filter by Traffic Direction (connection initiations only: the first SYN of each session, which identifies the initiating side)

tcp.flags.syn == 1 && tcp.flags.ack == 0

Filtering reduces noise and focuses on relevant data.


Step 3 — Reconstruct Network Flows

Use Wireshark’s:

  • “Follow TCP Stream”

  • “Follow HTTP Stream”

  • “Follow TLS Stream”

This reconstructs the conversation between endpoints.

Example:

GET /payload.exe

or:

POST /status → beacon-like behavior
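As an added illustration of Steps 2 and 3 (this is example code, not code from the original chapter), the following Python script reads a classic libpcap file with the standard library only, applies the same predicates the display filters above express, and follows one TCP stream in the way "Follow TCP Stream" does. The capture, the addresses, ports and payloads in it, and all function names are constructed for this example.

```python
"""Minimal libpcap reader with Wireshark-style filters and TCP stream following.

Parses the classic pcap file format (24-byte global header, then 16-byte
record headers), decodes Ethernet/IPv4/TCP/UDP, and applies the predicates an
analyst would type as display filters. The capture is constructed inline so
the script runs offline; all addresses and payloads are made up.
"""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4          # classic pcap, microsecond timestamps
SYN, ACK = 0x02, 0x10               # TCP flag bits


def build_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame. Checksums are left zero: enough for parsing."""
    eth = bytes(12) + b"\x08\x00"                          # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload


def build_pcap(records):
    """Serialise (timestamp, frame) pairs into pcap bytes (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        sec, usec = int(ts), round((ts - int(ts)) * 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield one dict per IPv4 TCP/UDP packet: ts, src, dst, proto, ports, flags, payload."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                        # not IPv4: skip
        ihl = (frame[14] & 0x0F) * 4
        pkt = {"ts": sec + usec / 1e6, "proto": frame[23],
               "src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34])}
        l4 = frame[14 + ihl:]
        if pkt["proto"] == 6 and len(l4) >= 20:             # TCP
            pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", l4)
            pkt["flags"], pkt["payload"] = l4[13], l4[(l4[12] >> 4) * 4:]
        elif pkt["proto"] == 17 and len(l4) >= 8:           # UDP
            pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", l4)
            pkt["flags"], pkt["payload"] = None, l4[8:]
        else:
            continue
        yield pkt


# Display-filter equivalents: ip.addr == X, ip.src == X, tcp.port == N,
# and tcp.flags.syn == 1 && tcp.flags.ack == 0 (connection attempts only).
def ip_addr(pkt, addr):  return addr in (pkt["src"], pkt["dst"])
def ip_src(pkt, addr):   return pkt["src"] == addr
def tcp_port(pkt, port): return pkt["proto"] == 6 and port in (pkt["sport"], pkt["dport"])
def syn_only(pkt):       return pkt["proto"] == 6 and pkt["flags"] & (SYN | ACK) == SYN


def apply_filter(pcap_bytes, predicate):
    return [p for p in parse_pcap(pcap_bytes) if predicate(p)]


def follow_tcp_stream(pcap_bytes, client, server, sport, dport):
    """'Follow TCP Stream' in miniature: payload bytes for each direction, in capture order."""
    c2s, s2c = [], []
    for p in parse_pcap(pcap_bytes):
        if p["proto"] != 6 or not p["payload"]:
            continue
        if (p["src"], p["dst"], p["sport"], p["dport"]) == (client, server, sport, dport):
            c2s.append(p["payload"])
        elif (p["src"], p["dst"], p["sport"], p["dport"]) == (server, client, dport, sport):
            s2c.append(p["payload"])
    return b"".join(c2s), b"".join(s2c)


# Constructed capture: a handshake to an external server on port 443, a plain-text
# request and response on that session, and an unrelated internal SMB SYN.
T0 = 1_700_000_000
SAMPLE_PCAP = build_pcap([
    (T0 + 0.000, build_tcp_frame("10.0.0.5", "185.22.113.10", 51000, 443, SYN)),
    (T0 + 0.050, build_tcp_frame("185.22.113.10", "10.0.0.5", 443, 51000, SYN | ACK)),
    (T0 + 0.100, build_tcp_frame("10.0.0.5", "185.22.113.10", 51000, 443, ACK,
                                 b"GET /payload.exe HTTP/1.1\r\nHost: example.invalid\r\n\r\n")),
    (T0 + 0.300, build_tcp_frame("185.22.113.10", "10.0.0.5", 443, 51000, ACK,
                                 b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ")),
    (T0 + 1.000, build_tcp_frame("10.0.0.7", "10.0.0.9", 51001, 445, SYN)),
])

if __name__ == "__main__":
    for p in apply_filter(SAMPLE_PCAP, syn_only):
        print(f"connection attempt {p['src']} -> {p['dst']}:{p['dport']}")
    req, resp = follow_tcp_stream(SAMPLE_PCAP, "10.0.0.5", "185.22.113.10", 51000, 443)
    print(req.decode(), resp.decode(errors="replace"), sep="\n---\n")
```

The stream follower matches on the full 4-tuple in both directions and concatenates payloads in capture order; it does not reorder by sequence number or handle retransmissions, which Wireshark does, so on a real capture with loss it is only an approximation. Reading a pcapng file needs a different parser (the magic number check above will reject it).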

Step 4 — Identify Suspicious Indicators

SOC analysts look for:

Suspicious DNS Activity

  • Random-looking domains

  • Unusually long TXT records

  • High-frequency DNS requests

Example:

query: ajd92j9qpw.biz

Beaconing

  • Periodic small packets

  • Constant interval (30–90 seconds)

Outbound Traffic to Unknown IPs

  • Uncommon ports

  • Foreign hosting providers

HTTP Download Indicators

Content-Type: application/octet-stream
User-Agent: powershell

Credential Exposure

POST /login.php username=admin&password=plaintext

Malware C2

  • Encrypted small packets

  • Custom protocol headers

  • HTTP/S traffic with unusual URIs


Step 5 — Decode & Inspect Packet Payloads

Analysts extract:

  • Downloaded executables

  • Dropped scripts

  • Inbound payloads

  • Zip files

  • Commands sent to malware

Using:

  • “Export Objects → HTTP”

  • NetworkMiner extraction

  • Binwalk

Example:

payload.exe extracted from outbound session

Step 6 — Identify Attack Stage & Behavior

Using ATT&CK mapping:

  • Scanning (Recon)

  • Exploitation (Initial Access)

  • Payload delivery (Execution)

  • C2 (Command and Control)

  • Exfiltration

PCAP shows exactly which phase occurred.


Step 7 — Document Findings & Escalate

Include:

  • Malicious IP/domain

  • Packet evidence

  • Payload samples

  • Timeline reconstruction


Common PCAP-Based Attack Patterns

1. Malware Download

GET /update.exe
User-Agent: Mozilla/5.0 (PowerShell)

2. C2 Beaconing

Small, encrypted packets sent at fixed intervals.

3. Data Exfiltration

Large outbound POSTs:

POST /upload size=6MB

4. DNS Tunneling

TXT query with 300-byte base64 payload

5. Port Scanning

SYN packets to multiple hosts/ports.

6. Lateral Movement

SMB, RDP, WinRM, SSH traffic between internal hosts.

7. Exploit Payloads

Bursts of packets followed by immediate C2.


Real SOC PCAP Examples

Example 1 — Cobalt Strike Beacon

Small HTTPS POST every 60 seconds
URI: /jquery-3.3.1.min

Example 2 — Phishing Delivery

HTTP download: invoice.pdf.exe
Referrer: phishing spam server

Example 3 — DNS C2

TXT record length: 200 bytes
domain: a9ja0qpq9.biz

Example 4 — Ransomware Exfiltration

Outbound 20MB POST to /upload

Example 5 — Internal Recon

SRC=10.0.0.5 → sweeping ports 445, 3389

Intel Dump

  • PCAP analysis provides raw packet-level insight into attacks.

  • Analysts use filters, flow reconstruction, and payload extraction to identify suspicious activity.

  • PCAP helps detect malware downloads, beaconing, DNS tunneling, exfiltration, scanning, and lateral movement.

  • Tools include Wireshark, tcpdump, NetworkMiner, Zeek, and Brim.

  • PCAP evidence is essential for IR, hunting, and attack timeline reconstruction.
