Sniffing and Encrypted Traffic Analysis
Understand packet capture, LAN attacks, encrypted sessions, and detection with defensive controls.
Packet Capture Fundamentals and Tools — The Chaotic TA's Guide to Sniffing (Responsibly)
"If malware is gossip, packet capture is overhearing the room — but smarter, with timestamps and less judgement."
You just finished touring the underworld of malware families, sandbox tricks, and how modern RaaS actors try to outsmart detection. Great. Now let's step out of the lab hood and listen to the network: the same place many threats announce themselves — sometimes politely, sometimes in ALL CAPS. Packet capture is how you get the raw evidence. This chapter gives you the fundamentals and the practical toolset for capturing and making sense of both plain and encrypted traffic without melting your CPU or your ethics.
Why packet capture matters (beyond “it’s cool”)
- Forensic fidelity: Full packet captures are the canonical evidence for post-incident analysis — payloads, reassembled streams, precise timestamps. EDR logs lie sometimes; packets are the video footage.
- Detection & hunting: Malware C2 patterns, abnormal TLS fingerprints (JA3), odd DNS exchanges — many telltale signs live on the wire.
- Encrypted traffic analysis: Even with TLS/HTTPS, metadata (SNI, JA3, certificate info, timing, sizes) can reveal behaviors when payloads are opaque.
Ask yourself: what did the compromised host talk to, when, and how often? Packet capture answers that.
Capture fundamentals — the checklist you’ll actually use
Choose the capture point
- Host-based (tcpdump, WinDump) — great for endpoint correlation and precise process mapping (tie to EDR timestamps).
- Tap/span/mirrors on switches — central network view, better for cross-host correlation.
- Cloud/provider taps (VPC flow logs, packet mirroring) — use these for cloud workloads.
Set sane parameters
- Snaplen (-s): capture full packets with -s 0 when you need payloads; otherwise use 256–512 bytes for metadata-only to save space.
- Ring buffers: rotate files (dumpcap, tcpdump -C/-W or dumpcap -b) to prevent disk exhaustion.
- Timestamps: use high-resolution (often default) and consistent timezone handling for correlation with EDR/sandbox logs.
Filter early, analyze later
- Capture filters (tcpdump/libpcap) reduce disk usage: host 10.0.0.5 and port 443
- Display filters (Wireshark) are for exploration: they only hide packets from view and never reduce what you store, so don't rely on them to shed capture volume.
Ethics & legality
- Only capture where you’re authorized. Intercepting third-party traffic without consent is illegal and gross.
Tools you’ll actually run at 2AM
| Task | Tool | Quick why |
|---|---|---|
| Lightweight CLI capture | tcpdump / WinDump | Ubiquitous, scriptable, great for precise filters and piping |
| GUI exploration | Wireshark | Deep protocol parsing, stream reassembly, TLS decryption support |
| Headless parsing | tshark | Wireshark’s CLI sibling — good for automation |
| High-volume capture | dumpcap, suricata pcap output, dedicated packet brokers | Minimal overhead, ring buffers |
| HTTP/S interception (lab only) | mitmproxy, Burp | For controlled TLS decryption with certs |
| Flow metadata & enrichment | Zeek (Bro), Suricata, Flow exporters | Produces logs (DNS, TLS, HTTP) that scale where PCAPs don’t |
Quick command cheatsheet (copy-paste into your terminal, with feelings)
Capture all traffic to/from host 10.0.0.5, full packets, write to file:
tcpdump -i eth0 -s 0 -w host10.pcap host 10.0.0.5
Rotate files every 100 MB, keeping the 10 most recent (tcpdump appends the file index itself, so give it a plain base name):
tcpdump -i eth0 -s 0 -C 100 -W 10 -w capture.pcap
Headless read/filter with tshark (show TLS handshakes):
tshark -r capture.pcap -Y "tls.handshake" -T fields -e ip.src -e ip.dst -e tls.handshake.type
Decrypt browser TLS sessions (lab only):
- export SSLKEYLOGFILE=~/tlskeys.log
- Start browser (it will log pre-master secrets)
- In Wireshark: Preferences → Protocols → TLS → (Pre)-Master-Secret log filename = ~/tlskeys.log
Works for classic TLS — not fully for QUIC/HTTP3 currently.
Encrypted traffic analysis: you don’t need plaintext to get answers
- TLS metadata: SNI, cert subject, JA3 fingerprints, TLS versions and cipher suites. JA3/JA3S fingerprints can help spot custom malware TLS stacks (in the same way a guilty sweater gives you away at a party).
- Behavioral signals: connection frequency, bytes per session, timing, DNS patterns (odd domains, algorithmic generation), unusual ports or ephemeral IPs.
- Fallback to decryption in safe labs: use SSLKEYLOGFILE, a test CA (mitmproxy/Burp), or endpoint memory for session keys — but only with authorization.
Question to ask: if we saw repeated small TLS sessions to a new domain every 20 seconds, but the certificate chain looks untrusted — what could that be? (C2 beaconing, fast-flux, or misconfigured infrastructure.)
Advanced tips & gotchas
- Capture only necessary interfaces. Mirroring everything will drown you.
- Use NTP/PTP-sync or PCAPng comments to correlate with EDR/sandbox logs.
- Watch out for TLS 1.3 and QUIC — fewer visible handshake details; rely on JA3/JA3S (when available), SNI, and flow metadata.
- Encrypted SNI (ESNI/ECH) and certificate pinning reduce observable metadata — law of diminishing returns: go back to endpoint telemetry.
Mini workflow: from suspicion to evidence
- Start host capture on suspect machine (-s 0, ring buffer).
- Collect network logs (Zeek, Suricata alerts), DNS logs, EDR timeline.
- Use Wireshark/tshark to identify suspicious connections (small repeated sessions, unknown JA3, or odd certs).
- Correlate with EDR process info and sandbox behavior from earlier modules.
- If needed, decrypt in a controlled lab (SSLKEYLOGFILE or mitmproxy with a test cert).
- Produce a timeline and extract IOCs (domains, IPs, JA3 fingerprints, certificate serials, file hashes).
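Here is the "small repeated sessions to an untrusted cert" check from the encrypted-traffic section and step 3 of the workflow, worked as an added example (it is not part of this chapter and not a Zeek or Wireshark feature). It assumes a simplified per-session record of (ts, src, dst, sni, bytes, cert_ok); the sample sessions, domain names, IPs and thresholds are all constructed.

```python
# Added example: flag beacon-like TLS conversations from per-session metadata.
# Assumes a simplified record (ts, src, dst, sni, bytes, cert_ok); a real
# pipeline would derive these from Zeek conn.log + ssl.log or tshark fields.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not a real capture): one host talking to an untrusted
# domain every ~20 s with ~1.4 KB per session, plus ordinary browsing to a CDN.
SESSIONS = [
    (1000.0, "10.0.0.5", "203.0.113.9", "update-cdn-check.example", 1450, False),
    (1020.4, "10.0.0.5", "203.0.113.9", "update-cdn-check.example", 1432, False),
    (1039.8, "10.0.0.5", "203.0.113.9", "update-cdn-check.example", 1468, False),
    (1060.1, "10.0.0.5", "203.0.113.9", "update-cdn-check.example", 1441, False),
    (1080.0, "10.0.0.5", "203.0.113.9", "update-cdn-check.example", 1455, False),
    (1003.0, "10.0.0.5", "198.51.100.20", "cdn.example", 81200, True),
    (1005.2, "10.0.0.5", "198.51.100.20", "cdn.example", 240500, True),
    (1062.7, "10.0.0.5", "198.51.100.20", "cdn.example", 9800, True),
    (1150.1, "10.0.0.5", "198.51.100.20", "cdn.example", 66000, True),
]

def score_group(entries, min_sessions=4, max_jitter=0.15, max_bytes=4096):
    """Summarise one (src, dst, sni) conversation; None if too few sessions.
    jitter = stdev(gap) / mean(gap): close to 0 means machine-regular timing."""
    if len(entries) < min_sessions:
        return None
    entries = sorted(entries)  # (ts, bytes, cert_ok)
    gaps = [b[0] - a[0] for a, b in zip(entries, entries[1:])]
    avg_gap = mean(gaps)
    jitter = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
    avg_bytes = mean(e[1] for e in entries)
    flags = [name for name, hit in (
        ("regular-interval", jitter <= max_jitter),
        ("small-sessions", avg_bytes <= max_bytes),
        ("untrusted-cert", any(not e[2] for e in entries)),
    ) if hit]
    return {"sessions": len(entries), "avg_gap_s": round(avg_gap, 1),
            "jitter": round(jitter, 3), "avg_bytes": round(avg_bytes), "flags": flags}

def find_beacon_candidates(sessions, **thresholds):
    """Group by conversation; keep those that are both regular and small.
    The cert flag is supporting evidence, not a requirement."""
    groups = defaultdict(list)
    for ts, src, dst, sni, nbytes, cert_ok in sessions:
        groups[(src, dst, sni)].append((ts, nbytes, cert_ok))
    hits = {}
    for key, entries in groups.items():
        summary = score_group(entries, **thresholds)
        if summary and {"regular-interval", "small-sessions"} <= set(summary["flags"]):
            hits[key] = summary
    return hits
```

The thresholds are starting points to tune per environment; legitimate update checkers and telemetry agents also phone home on a timer, so the output is a triage list to correlate with EDR process info, not a verdict.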
Closing — key takeaways
- Packets are the single-source truth for what traversed your network; they complement EDR and sandbox artifacts we studied earlier.
- You can get a lot from encrypted traffic without decrypting: metadata and behavioral patterns are powerful.
- Pick the right tool for the job: tcpdump for scripts, Wireshark for deep dives, Zeek/Suricata for scaling and enrichment.
Parting mic drop: capture thoughtfully (and legally), keep your files organized, and remember — the network often whispers before threats scream. If you can tune your ears (and your captures), you'll catch the whispers early.
Version note: Next up we'll move from "what we captured" to "what it means" — TLS fingerprinting, JA3 clustering, and building signatures that don't rely on plaintext. Bring snacks.