NETS1032

Capturing Data from a network

Introduction

This module provides some conceptual and practical information on processes, tools, and considerations for doing captures of network traffic, commonly called sniffing the network.

Learning Objectives

At the end of this module, students will:

• Identify the effects of network implementation on the potential for capturing network traffic
• Learn the most common usage of tools for capturing interesting traffic from the network
• Demonstrate using network traffic tools to identify and capture desired network traffic or prove the absence of it

These objectives are in support of Learning Outcomes 1, 2, 3, 4, and 5 in the Course Outline.

To do List

• Read through the presentation
• Watch the recorded video of the presentation found in the general chat of the Microsoft Team for this course if you did not attend the class when it was presented
• Review the lesson materials linked below
• Perform the learning activities as described below
• Do the quiz found under Tests on Blackboard for this topic

Lesson Material

• Network Capture Presentation
• See Blackboard for any available prerecorded video of this presentation under Weekly Learning
• Links from the presentation
  • tcpdump capture tool
  • Packetlife tcpdump cheat sheet
  • wireshark capture and analysis tool
  • Using snort for packet capture, part of the Snort Cookbook

Learning Activity

Watch the videos from the presentation, as well as the videos listed under additional resources. Briefly review the materials available at the other websites listed under Additional Resources. Do the Network Capture Activity.

Additional Resources

Videos

• Introduction to tcpdump by David Mahler
• Intro to Wireshark: Basics + Packet Analysis! by SinnohStarly - Ross Teixeira

Software Tools for live forensic analysis

• tcpdump tutorial
• snort IDS and packet logger
• tcpflow capture tool
• Network Miner NFAT and related tools
• xplico NFAT
• capanalysis NFAT

General resources

• Packetlife website with many good TCP/IP resources
• Analyzing Network Traffic With Basic Linux Tools - SANS tutorial
• Paper with examples of using snort to find network traffic of interest
• Network Forensics Analysis Article discussing netintercept design considerations
• Network Storage Forensics Article
• Advanced - Live decryption of encrypted network transactions
• Slide show from Andrew McNicol with tips and examples of using tcpdump for malware hunting
• The DFIR Report blog on patreon, excellent reviews and resources from forensic analysis of real-world attacks - not free
• Decrypting your own HTTPS traffic with wireshark

Graded Activity

This activity is not marked. There is nothing to screenshot or submit for this activity.

Quiz

The quiz is found on Blackboard under Assignments and Tests.

Test

There is no separate test for this topic. The quiz will count for your testing mark in this topic.

Summary

In this module, you have been introduced to working with live memory investigations and capturewd memory images. You should have:

• Learned to identify the effects of network implementation on the potential for capturing network traffic
• Learned the most common usage of tools for capturing interesting traffic from the network
• Demonstrated using network traffic tools to identify and capture desired network traffic or prove the absence of it

Completing the quiz will provide you with a measure of your knowledge in these areas. For the next class you should have your computing environment available with access to both Linux and Windows.