GitHub: petergamasecit-code/network-traffic-analysis-packet-triage
Stars: 0 | Forks: 0
# 🔍 network-traffic-analysis-packet-triage
A hands-on network security lab focused on deep packet inspection, raw protocol triage, and threat hunting using Wireshark. This project documents the systematic analysis of raw packet captures (PCAPs) to isolate indicators of compromise (IoCs), track payload delivery vectors, and reconstruct unauthorized communication streams.
## 📝 Executive Summary
This project outlines the technical forensic workflows used to investigate a simulated enterprise network security breach through raw packet triage. By applying targeted protocol filters and analyzing network conversations, this exercise details how analysts identify network infrastructure anomalies like malicious payload delivery over cleartext channels, DNS-based tunneling signatures, and interactive reverse shell sessions.
## 🏗️ Lab Environment & Tools
* **Packet Analyzer:** Wireshark v4.x
* **Command-Line Parser:** Tshark (Terminal-based network parsing)
* **Investigation Target:** `compromised_network.pcap` (Network perimeter log capture)
## ⚙️ Phase 1: Network Reconnaissance & Conversation Profiling
Before examining individual packets, the global conversation list and protocol hierarchy were reviewed to establish baseline traffic activity and identify anomalous high-volume connections.
### Protocol Hierarchy Review
* **Anomalous Signature:** Discovered an elevated volume of **DNS** packet transmissions relative to baseline external web browsing traffic, indicating potential command-and-control beacons or data tunneling.
* **Top Talkers:** Isolated an internal local workstation IP (`10.0.0.15`) establishing high-frequency outbound connections to an external, unclassified destination IP (`198.51.100.45`).
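The two Phase 1 views (Statistics > Protocol Hierarchy and Statistics > Conversations in Wireshark) can be reproduced in a few dozen lines of standard-library Python, which is useful when triaging many captures on a box without a GUI. The block below is an added example and not code from this project: it builds a small libpcap-format capture in memory (constructed data; the addresses are the ones named above), then tallies per-protocol packet counts and IP conversation pairs and flags a DNS-heavy profile. Protocol classification is by well-known port only, a simplification compared to Wireshark's dissectors.

```python
"""Minimal pcap triage: protocol hierarchy and IP conversation counts.

Parses libpcap-format bytes (Ethernet/IPv4/UDP/TCP, little-endian magic only)
and reports per-protocol packet counts and top talking pairs, the same view that
Wireshark's Statistics > Protocol Hierarchy and > Conversations give.
Standard library only; the capture below is constructed for the example.
"""
import struct
from collections import Counter

ETH_HDR = 14
LINKTYPE_ETHERNET = 1


def _ipv4_hdr(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left zero (not validated here)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)


def build_packet(src, dst, proto, sport, dport, payload):
    # Ethernet + IPv4 + UDP (17) or TCP (6) frame, constructed for the example
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # TCP: seq/ack 0, data offset 5 words, PSH|ACK, window 65535
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    return eth + _ipv4_hdr(src, dst, proto, len(l4)) + l4


def build_pcap(frames):
    # libpcap global header (magic, v2.4, tz 0, sigfigs 0, snaplen, linktype) + records
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield raw frames from libpcap-format bytes."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic (only little-endian microsecond pcap handled)")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl


def classify(frame):
    """Return (protocol path, src ip, dst ip) for one Ethernet frame, by port."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:
        return "eth", None, None
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    proto = frame[ETH_HDR + 9]
    src = ".".join(str(b) for b in frame[ETH_HDR + 12:ETH_HDR + 16])
    dst = ".".join(str(b) for b in frame[ETH_HDR + 16:ETH_HDR + 20])
    if proto not in (6, 17):
        return "eth/ip", src, dst
    sport, dport = struct.unpack_from("!HH", frame, ETH_HDR + ihl)
    if proto == 17:
        path = "eth/ip/udp/dns" if 53 in (sport, dport) else "eth/ip/udp"
    else:
        path = "eth/ip/tcp/http" if 80 in (sport, dport) else "eth/ip/tcp"
    return path, src, dst


def profile(pcap_bytes):
    """Protocol hierarchy counts and conversation counts (unordered IP pair)."""
    hierarchy, conversations = Counter(), Counter()
    for frame in iter_pcap(pcap_bytes):
        path, src, dst = classify(frame)
        hierarchy[path] += 1
        if src:
            conversations[tuple(sorted((src, dst)))] += 1
    return hierarchy, conversations


def dns_heavy(hierarchy):
    """The Phase 1 anomaly: DNS packets outnumbering HTTP web browsing traffic."""
    return hierarchy["eth/ip/udp/dns"] > hierarchy["eth/ip/tcp/http"]


# Constructed capture: a little web browsing plus one workstation that is
# noticeably DNS-heavy towards a single external host.
SAMPLE_PCAP = build_pcap(
    [build_packet("10.0.0.15", "198.51.100.45", 17, 40000 + i, 53, b"\x00" * 12) for i in range(12)]
    + [build_packet("10.0.0.22", "203.0.113.10", 6, 51000 + i, 80, b"GET / HTTP/1.1\r\n") for i in range(3)]
)

if __name__ == "__main__":
    hier, conv = profile(SAMPLE_PCAP)
    for path, n in hier.most_common():
        print(f"{n:4d}  {path}")
    for (a, b), n in conv.most_common(5):
        print(f"{n:4d}  {a} <-> {b}")
    print("DNS-heavy profile:", dns_heavy(hier))
```

`profile()` takes any little-endian pcap bytes, so the same function can be pointed at a real capture file read in binary mode; pcapng and big-endian captures are rejected rather than misparsed.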
## 🛑 Phase 2: Threat Hunting & Protocol Analysis
### 1. Investigating Suspicious DNS Tunneling
To isolate potential data exfiltration or active command-and-control channels abusing the Domain Name System, the traffic was filtered for outbound queries carrying long, high-entropy query names:
```
# Wireshark display filter to isolate suspicious, encoded outbound DNS queries
dns.flags.response == 0 && dns.qry.name.len > 30
```
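The same rule can be applied outside Wireshark, and extended with an entropy score that separates encoded (tunnel-like) labels from names that are merely long. The block below is an added example, not part of this project: it parses raw DNS messages with the standard library, reproduces the `dns.flags.response == 0 && dns.qry.name.len > 30` check (assuming `dns.qry.name.len` corresponds to the length of the dotted query name), and adds a Shannon-entropy check on the leftmost label. The sample queries are constructed; the domain under test is the one listed in the IoC summary of this README.

```python
"""DNS query triage: the display filter re-implemented over raw DNS messages,
plus a Shannon-entropy score for the leftmost label, where tunnels carry data.
Standard library only; the messages below are constructed for the example."""
import math
import struct
from collections import Counter


def build_dns_message(qname, flags=0x0100, txid=0x1234):
    # One-question message. flags 0x0100 = standard query, RD set (QR=0);
    # 0x8180 = standard response (QR=1). Question names are never compressed.
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_qname(msg, off):
    """Decode the DNS name at `off`, following RFC 1035 compression pointers."""
    labels, hops = [], 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # 11xxxxxx: pointer into the message
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:                          # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels)


def shannon_entropy(text):
    """Bits per character: 0 for a repeated char, above ~4 for base32/base64 blobs."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def triage(msg, max_len=30, max_entropy=3.5):
    """Score one DNS message the way the display filter would, plus entropy."""
    txid, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    is_response = bool(flags & 0x8000)           # QR bit, what dns.flags.response tests
    qname = parse_qname(msg, 12) if qdcount else ""
    entropy = shannon_entropy(qname.split(".")[0])  # leftmost label only
    is_long = (not is_response) and len(qname) > max_len
    return {
        "id": txid,
        "qname": qname,
        "qname_len": len(qname),
        "entropy": round(entropy, 3),
        # analogue of: dns.flags.response == 0 && dns.qry.name.len > 30
        "long_query": is_long,
        # generalisation: long AND the leftmost label looks encoded
        "encoded_query": is_long and entropy > max_entropy,
    }


def hunt(messages, key="long_query"):
    """Return the query names that trip the chosen rule, in capture order."""
    return [r["qname"] for r in (triage(m) for m in messages) if r[key]]


# Constructed sample: a baseline lookup, a base32-looking label under the IoC
# domain, a long but human-readable name, and the reply to the encoded query.
ENCODED = "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjtxk6ngpjrgkzlf.c2-delivery-portal.internal.com"
READABLE = "aaaa-bbbb-cccc-dddd-eeee-ffff-gggg-hhhh.internal.com"
SAMPLE_QUERIES = [
    build_dns_message("www.example.com"),
    build_dns_message(ENCODED),
    build_dns_message(READABLE),
    build_dns_message(ENCODED, flags=0x8180),    # the response; excluded by the QR check
]

if __name__ == "__main__":
    for r in (triage(m) for m in SAMPLE_QUERIES):
        print(f"len={r['qname_len']:3d} H={r['entropy']:.2f} "
              f"long={r['long_query']!s:5} encoded={r['encoded_query']!s:5} {r['qname']}")
```

The length-only rule fires on both the encoded name and the readable one; the entropy rule keeps only the encoded name, which is the trade-off to tune against a site's own baseline (long but low-entropy names are common in CDN and service-discovery traffic).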
### 2. Tracking Malicious Payloads
```
# Filter for HTTP GET requests together with the responses whose body carries a PE executable header ("MZ")
http.request.method == "GET" || http.file_data contains "MZ"
```
### 3. Reconstructing TCP Streams
```
# Follow the raw TCP stream index associated with interactive remote access
tcp.stream == 4
```
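Steps 2 and 3 together amount to what Wireshark's Follow TCP Stream does: group segments into a bidirectional stream, put each direction back in sequence order, discard retransmitted bytes, and then inspect the reassembled HTTP response body for the PE magic that `http.file_data contains "MZ"` matches. The block below is an added example, not code from this project, working over constructed segment tuples rather than a pcap; the request path and response bytes are made up for the example, and the host name is the transport domain from the IoC summary.

```python
"""Follow-TCP-stream style reassembly over constructed segments: orders each
direction by sequence number, drops retransmitted or overlapping bytes, marks
holes, and checks whether the server's HTTP body starts with the PE magic "MZ".
Standard library only."""
from collections import defaultdict


def stream_key(src, sport, dst, dport):
    """Direction-independent 4-tuple, playing the role of Wireshark's tcp.stream index."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def reassemble(segments):
    """Return {stream_key: {(src, sport): bytes}} with in-order, de-duplicated payloads.

    Each segment is (src, sport, dst, dport, seq, payload)."""
    by_dir = defaultdict(list)
    for src, sport, dst, dport, seq, payload in segments:
        by_dir[(stream_key(src, sport, dst, dport), (src, sport))].append((seq, payload))
    streams = defaultdict(dict)
    for (key, direction), segs in by_dir.items():
        segs.sort(key=lambda s: s[0])
        out, next_seq = bytearray(), None
        for seq, payload in segs:
            if next_seq is None:
                next_seq = seq
            if seq + len(payload) <= next_seq:
                continue                            # pure retransmission, already have it
            if seq < next_seq:                      # partial overlap: keep only the new tail
                payload = payload[next_seq - seq:]
                seq = next_seq
            if seq > next_seq:                      # hole (dropped/unseen segment): mark it
                out += b"?" * (seq - next_seq)
            out += payload
            next_seq = seq + len(payload)
        streams[key][direction] = bytes(out)
    return streams


def http_body(data):
    """Split one HTTP message into (headers, body); body is b'' without a blank line."""
    head, _, body = data.partition(b"\r\n\r\n")
    return head, body


def carries_pe(direction_bytes):
    """True when the reassembled HTTP body begins with the DOS/PE magic 'MZ'."""
    _, body = http_body(direction_bytes)
    return body.startswith(b"MZ")


def find_pe_downloads(segments):
    """Stream keys whose reassembled traffic (either direction) carries a PE body."""
    return [key for key, dirs in reassemble(segments).items()
            if any(carries_pe(b) for b in dirs.values())]


# Constructed exchange between the compromised host and the external server.
CLIENT, SERVER = ("10.0.0.15", 49152), ("198.51.100.45", 80)
REQUEST = (b"GET /update.bin HTTP/1.1\r\n"
           b"Host: c2-delivery-portal.internal.com\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: 8\r\n\r\n"
            b"MZ\x90\x00\x03\x00\x00\x00")
# Server reply arrives in three segments, out of order and with one retransmission.
SAMPLE_SEGMENTS = [
    (*CLIENT, *SERVER, 1, REQUEST),
    (*SERVER, *CLIENT, 1000 + 50, RESPONSE[50:]),
    (*SERVER, *CLIENT, 1000, RESPONSE[:20]),
    (*SERVER, *CLIENT, 1000 + 20, RESPONSE[20:50]),
    (*SERVER, *CLIENT, 1000 + 20, RESPONSE[20:50]),   # retransmitted segment
]

if __name__ == "__main__":
    for key, dirs in reassemble(SAMPLE_SEGMENTS).items():
        print("stream", key)
        for (ip, port), data in dirs.items():
            print(f"  {ip}:{port} -> {len(data)} bytes, PE body: {carries_pe(data)}")
```

Wireshark performs this reassembly for you, but the same logic is what a custom triage script or IDS needs before it can match byte patterns in a body that was split across segments.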
## 🛑 Phase 3: Incident Log Triage & IoC Summary
Deep packet inspection of the capture isolated the following high-fidelity Indicators of Compromise (IoCs):
* **Compromised Host IP:** `10.0.0.15`
* **External Attacker Infrastructure:** `192.168.56.102`
* **Malicious Transport Domain:** `c2-delivery-portal.internal.com`
* **Malware Payload Hash (MD5):** `5d4102acd4b2v76a9719q911017k592`