SlideShare a Scribd company logo

Network traffic analysis course

TECHNOLOGY CONTROL CO., profile picture
TECHNOLOGY CONTROL CO.

This document provides an overview of network traffic analysis. It discusses why traffic analysis is useful for gaining knowledge about a network, investigating issues, and network forensics. It also summarizes the basics of TCP/IP protocols, packet sniffing tools like Wireshark and Tcpdump, and how to analyze network traffic captures for troubleshooting and security purposes. Hands-on network forensics examples are provided to demonstrate these concepts.

Technology
1 of 32
Downloaded 289 times
1
2
Most read
3
4
5
6
7
8
9
10
11
12
Most read
13
14
15
16
Most read
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Network Traffic Analysis Presented By Ahmed Elshaer Security Operation Specialist
Agenda ● Why Traffic Analysis ● TCP/IP Review ● The Protocols ● Tcpdump/Tshark Basics ● Wireshark Foundation ● Hands-On Network Forensics
Why Traffic Analysis ? ● Gain special knowledge about the network. ● Investigate and troubleshoot abnormal behavior – Abnormal packets. – Network slow performance. ● Congestion. ● Retransmission. – Unexpected traffic. – Broken applications. – Load balancer issues.
Why Traffic Analysis ? ● Network Forensics – Collecting evidence. – Incident Handling. – Tracing attacks. – Linking infected hosts. – Determining patient zero. ● Stealing Sensitive information ● Pen-testing. ● Developing IPS/IDS signatures.
How Packet Sniffer Works ● Collection – the packet sniffer collects raw binary data from the wire. ● Conversion – the captured binary data is converted into a readable form ● Analysis – the actual analysis of the captured and converted data. – The packet sniffer verifies its protocol based on that protocol’s specific features.
TCP/IP Overview: OSI Model
TCP/IP Overview: OSI Model
Network Traffic Analysis
Network Traffic Analysis ● Protocols – Ethernet – IP – TCP/UDP – DNS – DHCP – FTP – Telnet – HTTP
Ethernet Frame
IP Packet
TCP Packet
TCP session initiation/termination
TCP session initiation/termination
UDP
The Big Picture !!!
Network Traffic Analysis ● BPF Filters, what !!! – Berkley Packet Filter – A knowledge of BPF syntax is crucial as you dig deeper into networks at the packet level. – Allow you to specify exactly which packets you want to capture. – Get rid or Packets you don't want to capture – BPF is how you talk to the Network Drivers :)
Network Traffic Analysis
Network Traffic Analysis ● Command Line Tools: – TCPdump – Tshark – Dumpcap, why !!! ● Graphical Tools: – Wireshark
Network Traffic Analysis ● TCPDUMP Basics (1)
Network Traffic Analysis ● TCPDUMP Basics (2)
Network Traffic Analysis ● TCPDUMP Basics (3)
Network Traffic Analysis ● TCPDUMP Examples (1): – $sudo tcpdump -n -i eth0 -c 5 – $sudo tcpdump -n -i eth0 -c 10 -w test01.pcap – $tcpdump -n -r test01.pcap – $sudo tcpdump -n -i eth0 -c 10 - w icmp.pcap icmp – $sudo tcpdump -n -i eth0 -s 0 port 53 – $sudo tcpdump -n -i eth0 -s 0 port 53 and tcp – $sudo tcpdump -n -i eth0 -s 0 tcp port 53 – $sudo tcpdump -n -r icmp.pcap host 192.168.56.104
Network Traffic Analysis ● TCPDUMP Examples (2): – $sudo tcpdump -n -r icmp.pcap src host 10.10.5.10 – $sudo tcpdump -n -r icmp.pcap dst host 10.18.6.10 – $sudo tcpdump -n -r icmp.pcap net 10.10.56.0 – $sudo tcpdump -n -r icmp.pcap src net 10.10.56.0 – $sudo tcpdump -n -r icmp.pcap dst net 10.10.56.0 ● Bash !!! for file in ` find /pcaps/ -name '*.pcap' `; do tcpdump -r $file 'port 21' -A|grep -iE 'USER|PASS' ; done
Network Traffic Analysis ● Tshark, Advanced analysis capabilities ● Tshark = tcpdump++ ● Tshark Examples(1): – To list the interfaces ● tshark -D – To listen on interface ● tshark -i eth0 ● tshark -i 1
Network Traffic Analysis ● Tshark Example (2): ● tshark -n -i wlan0 -p -a filesize:1000 -w 1MB.pcap ● tshark -n -i 7 -c 1000 -w test01.pcap -f 'tcp port 80' ● tshark -n -i 7 -f 'port 53' ● tshark -R "ip.addr == 192.168.56.101" -r test01.pcap ● tshark -R "not arp and not (udp.port == 53)" -r test.pcap ● tshark -Y "http contains user" -r httpcap.pcap -x ● tshark -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -E header=y -r test01.pcap
Network Traffic Analysis ● Dumpcap – a network traffic dump tool – It captures packet data from a live network and writes the packets to a file. – Why should I use it !!!
Network Traffic Analysis ● Wireshark Basic Operations – Live Capture – Open PCAP File – Basic Filters – Follow TCP Stream – Time Stamps – Expert Info – Statistics
Network Traffic Analysis ● Wireshark Packet Inspection – ARP – IP – TCP – HTTP – FTP – DNS – DHCP
Network Traffic Analysis ● Wireshark Advanced Tasks – SSL Decryption – Network Forensics and File Carving ● Extract Files from FTP ● Extract Files from HTTP
Network Traffic Analysis CTF Time
References/more resources ● http://www.chrisbrenton.org/category/security/network/ ● http://packetlife.net/library/cheat-sheets/ ● Practical Packet Analysis - NoStarchPress ● http://packetlife.net/captures/ ● http://wiki.wireshark.org/SampleCaptures ● http://www.netresec.com/?page=PcapFiles ● Network Analysis Sessions By Ahemd Adel

More Related Content

PDF
Wireshark Traffic Analysis
David Sweigert
 
PPTX
Authentication service security
Prachi Gulihar
 
PPTX
Firewalls and packet filters
MOHIT AGARWAL
 
PDF
Network analysis Using Wireshark Lesson 11: TCP and UDP Analysis
Yoram Orzach
 
PPTX
Wireshark Packet Analyzer.pptx
Carlos González García, PMP®
 
PPT
Dns protocol design attacks and security
Michael Earls
 
PPT
CCNA Security 02- fundamentals of network security
Ahmed Habib
 
PPT
Wireshark Inroduction Li In
mhaviv
 
Wireshark Traffic Analysis
David Sweigert
 
Authentication service security
Prachi Gulihar
 
Firewalls and packet filters
MOHIT AGARWAL
 
Network analysis Using Wireshark Lesson 11: TCP and UDP Analysis
Yoram Orzach
 
Wireshark Packet Analyzer.pptx
Carlos González García, PMP®
 
Dns protocol design attacks and security
Michael Earls
 
CCNA Security 02- fundamentals of network security
Ahmed Habib
 
Wireshark Inroduction Li In
mhaviv
 

What's hot (20)

PPTX
Network traffic analysis with cyber security
KAMALI PRIYA P
 
PPT
Intrusion Detection Systems and Intrusion Prevention Systems
Cleverence Kombe
 
PDF
VPN - Virtual Private Network
Peter R. Egli
 
PPT
Snmp
hetaljadav
 
PPTX
Packet sniffers
Kunal Thakur
 
PPT
Wireshark Basics
Yoram Orzach
 
PPTX
Software Defined Network - SDN
Venkata Naga Ravi
 
PDF
Introduction to Software Defined Networking (SDN)
Bangladesh Network Operators Group
 
PPTX
Intrusion prevention system(ips)
Papun Papun
 
PPTX
Packet sniffing
Shyama Bhuvanendran
 
PPTX
Bgp protocol
Smriti Tikoo
 
PPTX
Intrusion detection system
Akhil Kumar
 
PPTX
Packet sniffers
Ravi Teja Reddy
 
PPTX
Routing algorithm
Bushra M
 
PPTX
Introduction of Iot and Logical and Physical design of iot
MayankKumar380505
 
PPT
Intrusion Detection System
Mohit Belwal
 
PPT
DDoS Attack PPT by Nitin Bisht
Nitin Bisht
 
PPT
Intrusion detection system ppt
Sheetal Verma
 
PPT
Security Attacks.ppt
Zaheer720515
 
PPT
Routing
Saima Azam
 
Network traffic analysis with cyber security
KAMALI PRIYA P
 
Intrusion Detection Systems and Intrusion Prevention Systems
Cleverence Kombe
 
VPN - Virtual Private Network
Peter R. Egli
 
Snmp
hetaljadav
 
Packet sniffers
Kunal Thakur
 
Wireshark Basics
Yoram Orzach
 
Software Defined Network - SDN
Venkata Naga Ravi
 
Introduction to Software Defined Networking (SDN)
Bangladesh Network Operators Group
 
Intrusion prevention system(ips)
Papun Papun
 
Packet sniffing
Shyama Bhuvanendran
 
Bgp protocol
Smriti Tikoo
 
Intrusion detection system
Akhil Kumar
 
Packet sniffers
Ravi Teja Reddy
 
Routing algorithm
Bushra M
 
Introduction of Iot and Logical and Physical design of iot
MayankKumar380505
 
Intrusion Detection System
Mohit Belwal
 
DDoS Attack PPT by Nitin Bisht
Nitin Bisht
 
Intrusion detection system ppt
Sheetal Verma
 
Security Attacks.ppt
Zaheer720515
 
Routing
Saima Azam
 
Ad

Viewers also liked (9)

PDF
Telecommunication switching system
Madhumita Tamhane
 
PPT
Switching systems lecture1
Jumaan Ally Mohamed
 
PPT
Switching systems lecture2
Jumaan Ally Mohamed
 
PPT
Telecommunications and networks
Prof. Othman Alsalloum
 
PPT
Switching systems lecture3
Jumaan Ally Mohamed
 
PDF
1 Telecommunication Switching Systems And Networks
guestac67362
 
PPTX
Traffic analysis
Srashti Vyas
 
PDF
Design and Simulation Microstrip patch Antenna using CST Microwave Studio
Aymen Al-obaidi
 
PPTX
Basic of telecommunication presentation
hannah05
 
Telecommunication switching system
Madhumita Tamhane
 
Switching systems lecture1
Jumaan Ally Mohamed
 
Switching systems lecture2
Jumaan Ally Mohamed
 
Telecommunications and networks
Prof. Othman Alsalloum
 
Switching systems lecture3
Jumaan Ally Mohamed
 
1 Telecommunication Switching Systems And Networks
guestac67362
 
Traffic analysis
Srashti Vyas
 
Design and Simulation Microstrip patch Antenna using CST Microwave Studio
Aymen Al-obaidi
 
Basic of telecommunication presentation
hannah05
 
Ad

Similar to Network traffic analysis course (20)

PPTX
Wireshark, Tcpdump and Network Performance tools
Sachidananda Sahu
 
PPT
Traffic-Monitoring.ppt
ssuser0a05422
 
PPT
Traffic-Monitoring.ppt
Senthil Vit
 
PPT
Traffic-Monitoring.ppt
ToffeeLomerz
 
PDF
wireshark.pdf
ssuserafc27c
 
DOCX
Experiment 7 traffic analysis
nikitaa25
 
PPTX
Packet Analysis - Course Technology Computing Conference
Cengage Learning
 
PPT
Traffic monitoring
Radu Galbenu
 
PPT
an_introduction_to_network_analyzers_new.ppt
Iwan89629
 
PDF
Unit 2.3 Introduction to Cyber Security Tools and Environment.pdf
ChatanBawankar
 
PPT
Day2
Jai4uk
 
PDF
Ferramenta de análise de rede para windows e linux
RenatoAlves851496
 
PDF
A Deeper Look into Network Traffic Analysis using Wireshark.pdf
Jessica Thompson
 
PDF
Debugging applications with network security tools
ConFoo
 
PDF
Analysis of network traffic by using packet sniffing tool wireshark
IJARIIT
 
PDF
CNIT 121: 9 Network Evidence
Sam Bowne
 
PDF
CNIT 152: 9 Network Evidence
Sam Bowne
 
PPTX
Detecting Reconnaissance Through Packet Forensics by Shashank Nigam
OWASP Delhi
 
PDF
CNIT 50: 6. Command Line Packet Analysis Tools
Sam Bowne
 
PDF
(130511) #fitalk network forensics and its role and scope
INSIGHT FORENSIC
 
Wireshark, Tcpdump and Network Performance tools
Sachidananda Sahu
 
Traffic-Monitoring.ppt
ssuser0a05422
 
Traffic-Monitoring.ppt
Senthil Vit
 
Traffic-Monitoring.ppt
ToffeeLomerz
 
wireshark.pdf
ssuserafc27c
 
Experiment 7 traffic analysis
nikitaa25
 
Packet Analysis - Course Technology Computing Conference
Cengage Learning
 
Traffic monitoring
Radu Galbenu
 
an_introduction_to_network_analyzers_new.ppt
Iwan89629
 
Unit 2.3 Introduction to Cyber Security Tools and Environment.pdf
ChatanBawankar
 
Day2
Jai4uk
 
Ferramenta de análise de rede para windows e linux
RenatoAlves851496
 
A Deeper Look into Network Traffic Analysis using Wireshark.pdf
Jessica Thompson
 
Debugging applications with network security tools
ConFoo
 
Analysis of network traffic by using packet sniffing tool wireshark
IJARIIT
 
CNIT 121: 9 Network Evidence
Sam Bowne
 
CNIT 152: 9 Network Evidence
Sam Bowne
 
Detecting Reconnaissance Through Packet Forensics by Shashank Nigam
OWASP Delhi
 
CNIT 50: 6. Command Line Packet Analysis Tools
Sam Bowne
 
(130511) #fitalk network forensics and its role and scope
INSIGHT FORENSIC
 

Recently uploaded (20)

PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 

Network traffic analysis course

  • 1. Network Traffic Analysis Presented By Ahmed Elshaer Security Operation Specialist
  • 2. Agenda ● Why Traffic Analysis ● TCP/IP Review ● The Protocols ● Tcpdump/Tshark Basics ● Wireshark Foundation ● Hands-On Network Forensics
  • 3. Why Traffic Analysis ? ● Gain special knowledge about the network. ● Investigate and troubleshoot abnormal behavior – Abnormal packets. – Network slow performance. ● Congestion. ● Retransmission. – Unexpected traffic. – Broken applications. – Load balancer issues.
  • 4. Why Traffic Analysis ? ● Network Forensics – Collecting evidence. – Incident Handling. – Tracing attacks. – Linking infected hosts. – Determining patient zero. ● Stealing Sensitive information ● Pen-testing. ● Developing IPS/IDS signatures.
  • 5. How Packet Sniffer Works ● Collection – the packet sniffer collects raw binary data from the wire. ● Conversion – the captured binary data is converted into a readable form ● Analysis – the actual analysis of the captured and converted data. – The packet sniffer verifies its protocol based on that protocol’s specific features.
  • 9. Network Traffic Analysis ● Protocols – Ethernet – IP – TCP/UDP – DNS – DHCP – FTP – Telnet – HTTP
  • 15. UDP
  • 17. Network Traffic Analysis ● BPF Filters, what !!! – Berkley Packet Filter – A knowledge of BPF syntax is crucial as you dig deeper into networks at the packet level. – Allow you to specify exactly which packets you want to capture. – Get rid or Packets you don't want to capture – BPF is how you talk to the Network Drivers :)
  • 19. Network Traffic Analysis ● Command Line Tools: – TCPdump – Tshark – Dumpcap, why !!! ● Graphical Tools: – Wireshark
  • 20. Network Traffic Analysis ● TCPDUMP Basics (1)
  • 21. Network Traffic Analysis ● TCPDUMP Basics (2)
  • 22. Network Traffic Analysis ● TCPDUMP Basics (3)
  • 23. Network Traffic Analysis ● TCPDUMP Examples (1): – $sudo tcpdump -n -i eth0 -c 5 – $sudo tcpdump -n -i eth0 -c 10 -w test01.pcap – $tcpdump -n -r test01.pcap – $sudo tcpdump -n -i eth0 -c 10 - w icmp.pcap icmp – $sudo tcpdump -n -i eth0 -s 0 port 53 – $sudo tcpdump -n -i eth0 -s 0 port 53 and tcp – $sudo tcpdump -n -i eth0 -s 0 tcp port 53 – $sudo tcpdump -n -r icmp.pcap host 192.168.56.104
  • 24. Network Traffic Analysis ● TCPDUMP Examples (2): – $sudo tcpdump -n -r icmp.pcap src host 10.10.5.10 – $sudo tcpdump -n -r icmp.pcap dst host 10.18.6.10 – $sudo tcpdump -n -r icmp.pcap net 10.10.56.0 – $sudo tcpdump -n -r icmp.pcap src net 10.10.56.0 – $sudo tcpdump -n -r icmp.pcap dst net 10.10.56.0 ● Bash !!! for file in ` find /pcaps/ -name '*.pcap' `; do tcpdump -r $file 'port 21' -A|grep -iE 'USER|PASS' ; done
  • 25. Network Traffic Analysis ● Tshark, Advanced analysis capabilities ● Tshark = tcpdump++ ● Tshark Examples(1): – To list the interfaces ● tshark -D – To listen on interface ● tshark -i eth0 ● tshark -i 1
  • 26. Network Traffic Analysis ● Tshark Example (2): ● tshark -n -i wlan0 -p -a filesize:1000 -w 1MB.pcap ● tshark -n -i 7 -c 1000 -w test01.pcap -f 'tcp port 80' ● tshark -n -i 7 -f 'port 53' ● tshark -R "ip.addr == 192.168.56.101" -r test01.pcap ● tshark -R "not arp and not (udp.port == 53)" -r test.pcap ● tshark -Y "http contains user" -r httpcap.pcap -x ● tshark -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -E header=y -r test01.pcap
  • 27. Network Traffic Analysis ● Dumpcap – a network traffic dump tool – It captures packet data from a live network and writes the packets to a file. – Why should I use it !!!
  • 28. Network Traffic Analysis ● Wireshark Basic Operations – Live Capture – Open PCAP File – Basic Filters – Follow TCP Stream – Time Stamps – Expert Info – Statistics
  • 29. Network Traffic Analysis ● Wireshark Packet Inspection – ARP – IP – TCP – HTTP – FTP – DNS – DHCP
  • 30. Network Traffic Analysis ● Wireshark Advanced Tasks – SSL Decryption – Network Forensics and File Carving ● Extract Files from FTP ● Extract Files from HTTP
  • 32. References/more resources ● http://www.chrisbrenton.org/category/security/network/ ● http://packetlife.net/library/cheat-sheets/ ● Practical Packet Analysis - NoStarchPress ● http://packetlife.net/captures/ ● http://wiki.wireshark.org/SampleCaptures ● http://www.netresec.com/?page=PcapFiles ● Network Analysis Sessions By Ahemd Adel