This guide outlines a systematic approach to analyzing packet captures (PCAPs) for security investigation. As analysts, our goal is to identify potential security incidents, understand attack patterns, and determine the scope and impact of suspicious network activity.
Before diving into analysis, address these key questions:
- What is the time range of the capture?
- What prompted this PCAP analysis (alert, incident, routine monitoring)?
- Do we have any initial indicators or IOCs to search for?
- What is the scope of systems/networks captured?
- Are there any known compromised hosts or suspicious IPs?
First, gather high-level metrics:
- Total packet count and capture duration
- Top talkers (source/destination IPs)
- Protocol distribution
- Port distribution
- Geographic distribution of external IPs
- Unusual or unexpected protocols
- Traffic spikes or anomalies
Examine network flows:
- Map internal to external communications
- Identify long-duration connections
- Look for:
- Beaconing patterns
- Irregular timing patterns
- Abnormal data transfer volumes
- Suspicious port usage
- Connection attempts to multiple hosts
- Failed connection attempts
Analyze specific protocols:
- Check for:
- Domain generation algorithms (DGA): look for domain names with high entropy
- DNS tunneling indicators
- Suspicious TLDs
- High-volume requestors
- DNS queries with no responses
- Unusual record types
- Domain reputation checks
- Examine:
- User-Agent strings
- Request/response patterns
- File downloads
- POST request content
- Certificate information
- Unusual headers
- Command and control patterns
- Look for:
- Unauthorized file access
- Suspicious file transfers
- Brute force attempts
- Known exploits
- Administrative share access
Investigate packet contents:
- Extract files from streams
- Look for:
- Known malware signatures
- Command strings
- Encoded/encrypted data
- Script content
- Password or credential exposure
- Data exfiltration patterns
Check for common malware networking patterns:
- Command and control:
- Regular beaconing
- Encoded commands
- Known C2 protocols
- Lateral movement:
- Port scanning
- Exploitation attempts
- Credential abuse
- Data exfiltration:
- Large outbound transfers
- Unusual protocols
- Encrypted tunnels
# Basic filters
ip.addr == x.x.x.x
dns.qry.name contains "domain"
http.request.method == "POST"
tcp.flags.syn == 1 && tcp.flags.ack == 0
# Security-focused filters
http.user_agent contains "suspicious-string"
tls.handshake.type == 1
smb.cmd == 0x72
# Top talkers
tshark -r capture.pcap -q -z endpoints,ip
# Protocol hierarchy
tshark -r capture.pcap -q -z io,phs
# Extract HTTP objects
tshark -r capture.pcap --export-objects http,./output/# Get available _paths
cut _path | sort | uniq | fuse
# Get all dns queries
_path == "dns" | cut query
# Count times a domain was queried
_path == "dns" | count() by domain:=join(split(query, ".")[-2:],".") | sort -r
# Search for files that were transfered over the network
filename!=nul | cut _path, id.orig_h, id.resp_h, mime_type, filename, md5, sha1
# Get all even on a TCP connection
uid == "<id>" | fuse
# Filters and displays smb_files, smb_mapping and DCE_RPC activity
grep(smb*,_path) OR _path=="dce_rpc"
# Displays a list of the count of unique HTTP requests including source and destination
_path=="http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c
# Displays a table showing all unique source:port:destination connections pairings
_path=="conn" | cut id.orig_h, id.resp_p, id.resp_h | sort | uniq
# Shows the connections between hosts, sorted by data received
_path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes
# Displays a curated view of file data including md5 and sha1 for complete file transfers
filename!=null | cut _path, tx_hosts, rx_hosts, conn_uids, mime_type, filename, md5, sha1
# Displays all HTTP Post requests including the URI and HTTP status code
method=="POST" | cut ts, uid, id, method, uri, status_code
# Enumerates the classful networks for all destination IP addresses including count of connections
_path=="conn" | put classnet := network_of(id.resp_h) | cut classnet | count() by classnet | sort -r
# Shows all Suricata alert counts, grouped by category and severity
event_type=="alert" | count() by alert.severity,alert.category | sort count
# Shows all Suricata alert counts, grouped by signature
event_type=="alert" | count() by alert.signature | sort count
# Shows a list of Suricata alert categories, grouped by unique source and destination IP addresses
event_type=="alert" | alerts := union(alert.category) by src_ip, dest_ip
# Shows a list of Suricata alert signatures, grouped by unique source and destination IP addresses
event_type=="alert" | alerts := union(alert.signature) by src_ip, dest_ip
# Shows a list of Suricata alert categories, grouped by CIDR network
event_type=="alert" | alerts := union(alert.category) by network_of(dest_ip)
# Shows a list of Suricata alert signatures, grouped by CIDR network
event_type=="alert" | alerts := union(alert.signature) by network_of(dest_ip)# view help menu and all available
# commands
chx --helpchx domain alientvault example.comchx hash vthash <hash>chx ip crowdsec 8.8.8.8All commands now implement a --format option that will format the results of a search into markdown format.
Chx strive to be POSIX "compliant" in that is works with strings read from stdin and outputting to stdout. This allows commands to be chained together to shape data to the users desired format.
# Example chained workflow
cat dns_queries.json | jq -r `.[].sha1` | parallel chx hash vthash | jq -r ".data.attributes.last_analysis_results.ALYac.result"Document your findings:
- Timeline of significant events
- List of suspicious indicators
- Evidence of compromise
- Affected systems and scope
- Recommendations for response
- Supporting packet/stream excerpts
Watch for these suspicious indicators:
- Unexpected external connections
- Unusual protocol behavior
- Known malicious indicators
- Data packaging/encoding
- Irregular timing patterns
- Suspicious file transfers
- Command execution attempts
- Credential exposure
- Known exploit patterns
- Evasion techniques
- What is the initial infection vector?
- Which systems were compromised?
- What actions did the attacker take?
- Was data exfiltrated?
- Are there persistent access mechanisms?
- What is the full scope of the incident?
- Are there additional compromised systems?
- What remediation steps are needed?
- Executive Summary
- Technical Timeline
- Indicators of Compromise
- Affected Systems
- Attack Methodology
- Data Impact Assessment
- Evidence Preservation Notes
- Remediation Recommendations
- Prevention Suggestions
Remember: PCAP analysis is iterative. Start broad and drill down based on findings. Document everything and maintain chain of custody for all evidence.