Common Tools for

Packet Analysis
1-Introduction
to Packet
Analysis Tools
•Packet analysis tools
capture, inspect, and
analyze network traffic
to help identify and
resolve issues or detect
malicious activities.
These tools vary in
functionality, from basic
packet capture to
advanced intrusion
detection, and can be
tailored to specific tasks.
2. Overview
of Common
Tools
•1. tcpdump
• What It Is:
• A command-line packet
capture tool available on
Linux/Unix systems.
• Lightweight and efficient for
capturing live traffic and
filtering packets based on
criteria.
• Key Features:
• Supports Berkeley Packet
Filter (BPF) syntax for precise
filtering.
• Captures packets to a file
(.pcap) for later analysis with
other tools like Wireshark.
 When to Use:

• Network Debugging: Quickly analyze live traffic during

troubleshooting.
• Data Collection: Capture raw traffic for later inspection
with GUI-based tools.
2. • Scripted Analysis: Use in scripts for automated packet
collection and filtering.

Overview Example Command:

of Common
Tools bash

Copy code

tcpdump -i eth0 'tcp port 80'

Captures HTTP traffic on the eth0 interface.

 What It Is:
• The command-line version of
Wireshark.
• Offers detailed packet analysis
similar to Wireshark but without a
graphical interface.
2. Tshark Key Features:
• Reads and writes .pcap files.
• Provides detailed decoding of
protocols and packet contents.
• Supports Wireshark-style filters for
granular packet selection.
 When to Use:
• Detailed Analysis Without GUI: Ideal for environments
where a GUI is unavailable.
• Automated Reporting: Use in scripts to extract specific
packet details.
• Compatibility with Wireshark: Process or filter captures
before analyzing them in Wireshark.

Example Command:
2. Tshark bash

Copy code
tshark -r capture.pcap -Y 'http.request.method
== "GET"'
Filters HTTP GET requests from a .pcap file.
3. Snort

• What It Is:
• An open-source intrusion detection and prevention system (IDS/IPS).
• Analyzes packets in real time to detect known threats using signature-based rules.
• Key Features:
• Alerts on suspicious traffic based on custom or community-developed rules.
• Can operate in three modes:
• Sniffer Mode: Reads and displays network traffic.
• Packet Logger Mode: Saves packets to files.
• IDS Mode: Detects and alerts on malicious patterns.
3. Snort

• When to Use:
• In-Depth Analysis: Investigating complex network issues or
reconstructing events.
• Learning and Demonstration: Intuitive GUI makes it ideal for
training.
• Packet Decoding: Analyze raw packets to understand protocol
behavior.
• Example Use:
• Load a .pcap file captured by tcpdump for detailed inspection.
5. Zeek (formerly Bro)

• What It Is:
• A network analysis framework that converts raw packets into detailed logs and metadata.
• Key Features:
• Focuses on metadata rather than payloads for privacy-conscious analysis.
• Detects anomalies and performs behavioral analysis.
• Supports scripting for custom monitoring.
• When to Use:
• Incident Response: Analyze metadata for signs of compromise.
• Large-Scale Networks: Efficiently handles high traffic volumes.
• Policy Enforcement: Monitor for deviations from expected behavior.
6. Suricata

• What It Is:
• A high-performance IDS/IPS and network security monitoring engine.
• Key Features:
• Multi-threaded for faster processing.
• Performs deep packet inspection (DPI) and application-layer analysis.
• Integrates with tools like Kibana for visualization.
• When to Use:
• Advanced Threat Detection: Identify both known and unknown threats with DPI.
• Integration with SIEM: Combine with Elastic or Splunk for centralized threat management.
• Real-Time Blocking: Use IPS mode to prevent malicious traffic.
 3. When to Use Each Tool

Tool Best Use Cases Strengths

tcpdump Quick live traffic capture and filtering. Lightweight, precise, scriptable.
Command-line packet analysis, scripting,
Tshark Detailed decoding, Wireshark-compatible.
and filtering.
Real-time intrusion detection and Signature-based detection, community
Snort
prevention. rules.
GUI-based detailed packet analysis and
Wireshark Intuitive interface, protocol decoding.
visualization.
Large-scale traffic metadata analysis and
Zeek Metadata focus, efficient logging.
anomaly detection.
Multi-threaded DPI, threat detection, and
Suricata High performance, SIEM integration.
IPS.
4. Tips for Using Packet
Analysis Tools Effectively
• Start Simple:
• Use tcpdump or Tshark for basic captures before escalating to advanced tools.
• Combine Tools:
• Capture with tcpdump, analyze with Wireshark, and correlate with Snort or
Zeek.
• Use Filters:
• Apply filters to focus on relevant traffic, saving time and resources.
• Integrate with Automation:
• Automate repetitive tasks with scripting or SIEM integration.
Advanced Wireshark
Techniques
1. Introduction to Advanced
Wireshark Features

•
Wireshark is a powerful packet analysis tool, and its advanced
features enable users to extract deeper insights from network
traffic. By using filters, coloring rules, and export
functionalities, analysts can enhance their workflow, focus on
critical data, and share findings efficiently.
2. Filters in Wireshark

•Filters are one of Wireshark's most valuable features, allowing users to isolate specific packets based
on criteria like protocols, IP addresses, ports, or packet content.
• Display Filters:
• Refine which packets are shown in the Wireshark interface.
• Examples:
• ip.addr == 192.168.1.1: Displays packets involving the IP 192.168.1.1.
• tcp.port == 80: Displays HTTP traffic.
• http.request.method == "GET": Displays only HTTP GET requests.
• dns && (dns.qry.name contains "example.com"): Filters DNS queries for the domain
example.com.
Filters
• Applied when capturing traffic to limit the packets saved.
• Examples:
• host 192.168.1.1: Captures packets to or from a specific IP address.
• port 443: Captures only HTTPS traffic.
• net 10.0.0.0/24: Captures packets from a specific subnet.
• Tips for Using Filters:
• Combine filters using logical operators:
• &&: AND (e.g., tcp && ip.addr == 192.168.1.1).
• ||: OR (e.g., tcp || udp).
• !: NOT (e.g., !arp excludes ARP packets).
• Use Wireshark’s autocomplete feature to find filter syntax.
3. Coloring Rules for Enhanced
Analysis

•Coloring rules in Wireshark help highlight packets of • Examples:

interest, making it easier to spot patterns or anomalies in
large data sets. • Highlight all DNS traffic in blue: dns.
• Default Coloring Rules: • Mark all packets to a specific IP in
• Wireshark includes predefined coloring rules for yellow: ip.dst == 192.168.1.1.
common protocols.
• Example: HTTP traffic might be highlighted in green, • Highlight retransmissions in red:
while TCP retransmissions are red. tcp.analysis.retransmission.
• Custom Coloring Rules: • Benefits:
• Analysts can create custom rules for specific needs.
• Steps to Create:
• Quickly identify packets requiring
• Go to View > Coloring Rules.
attention.
• Click + to add a new rule. • Visually group related traffic for easier
• Define a filter expression and assign a color. analysis.
4. Saving and Exporting
Results

•Wireshark allows users to save and export captured data for further analysis or sharing.
• Saving Packet Captures:
• Save entire packet captures in .pcap or .pcapng format.
• Steps:
• Go to File > Save As.
• Choose the file name and format.
• Use Case: Share captures with colleagues or analyze them later in other tools (e.g., Snort, Zeek).
• Exporting Filtered Results:
• Export only selected or filtered packets to focus on specific data.
• Steps:
• Apply a display filter.
• Go to File > Export Specified Packets.
• Choose to save all displayed packets or only marked packets.
• Use Case: Create smaller capture files for targeted analysis.
 Exporting Packet
Summaries:

Export packet summaries in plain text, CSV, or XML formats for reporting.

Steps:
• Apply a display filter.
• Go to File > Export Packet Dissections > As CSV/XML/Plain Text.
• Choose the fields to include in the export.
Use Case: Generate reports with selected packet details for presentations or
documentation.
  Reconstructing Packet Streams:

Reconstruct and save application-layer data (e.g., HTTP requests,

files).
Steps:
1.Right-click a packet and select Follow > TCP Stream.
2.View the reconstructed session and save it if needed.

Use Case: Analyze file downloads or malicious payloads.

5. Practical Applications of
Advanced Techniques
• Incident Response:
• Use filters to isolate attack traffic (e.g., DDoS, malware C2 communication).
• Save relevant packets and share them with the security team for investigation.
• Network Troubleshooting:
• Highlight retransmissions or duplicate packets using coloring rules.
• Export filtered captures to share with the network engineering team.
• Performance Analysis:
• Filter for slow TCP handshakes or large data transfers.
• Export summaries to document network performance metrics.
6. Best Practices for
Advanced Wireshark Use
• Plan Filters Ahead:
• Decide on relevant capture filters before collecting data to reduce file size and
focus analysis.
• Organize Coloring Rules:
• Use consistent colors for similar traffic types across captures.
• Automate Repetitive Tasks:
• Save commonly used filters and coloring rules for quick access.
• Document Findings:
• Annotate packets using Wireshark’s Comments feature for better collaboration.