Wireshark Basics – Complete Beginner to Advanced Guide
CHAPTER 20 Beginner

Real-World Packet Analysis Project

Updated: May 16, 2026
30 min read


1. Introduction

You have completed the comprehensive guide to Wireshark Basics. You have mastered the three-pane interface, navigated the OSI model from Ethernet frames to HTTP headers, isolated traffic with complex boolean filters, and tracked latency with surgical precision. Now, it is time to synthesize everything into a single, cohesive investigation. In this final capstone chapter, you will simulate the role of a Lead Network Analyst responding to a critical, multi-faceted incident. We will walk through the systematic workflow of a real-world investigation—from initial triage to payload extraction—and culminate in the generation of a professional forensic report.

2. The Investigation Scenario

The Incident: You are the Lead Analyst at GlobalTech. A user from the Finance department (IP: 192.168.1.105) submits a frantic IT ticket: *"The internet is broken! I tried to log into the internal billing portal (billing.globaltech.local), it loaded super slowly, threw an error, and now my computer is acting weird."*

The Evidence: The automated firewall captured 60 seconds of network traffic from the user's IP during the event. You are handed the incident_001.pcapng file.

3. Phase 1: High-Level Triage

A professional never just starts scrolling through the packet list. We start from a macro view.
  1. Open the PCAP.
  2. Check Protocol Hierarchy: Go to Statistics -> Protocol Hierarchy.
  • *Observation:* You see IPv4 traffic. Under UDP, you see DNS. Under TCP, you see a large amount of HTTP traffic and, surprisingly, a significant amount of FTP (File Transfer Protocol) traffic. (Why is the finance user using FTP?)
  3. Check Expert Information: Go to Analyze -> Expert Information.
  • *Observation:* You see a cluster of Yellow Warnings: [TCP Retransmission] and [TCP Previous segment not captured]. You also see a Warning for HTTP 404 Not Found.

4. Phase 2: Diagnosing the "Slow" Network

The user complained the portal was slow. Let's look at the connection.
  1. Filter the traffic: Apply ip.addr == 192.168.1.105 && tcp.port == 80.
  2. Analyze TCP Health: You scroll through the connection to the billing portal and immediately spot the black-and-red [TCP Retransmission] packets (Wireshark's Bad TCP coloring rule) that Expert Info flagged.
  3. Check Delta Time: You locate the HTTP GET /login request and read the Delta Time column. The [ACK] from the server arrived 0.05 seconds after the request (fast network). The HTTP 200 OK response from the server took 8.4 seconds!
  • *Conclusion 1:* The network is experiencing minor packet loss, but the severe 8-second delay is definitively caused by the internal Billing Server hanging or processing slowly, not by the network: the fast ACK proves the request reached the server almost immediately, so the waiting happened inside the application.

5. Phase 3: Investigating the "Error"

The user said the portal threw an error. Let's find exactly what they did.
  1. Filter for HTTP Errors: Apply http.response.code >= 400.
  2. Locate the Error: You find an HTTP 404 Not Found response.
  3. Follow the Stream: You clear the filter, find the exact request leading to the 404, right-click, and select Follow -> TCP Stream.
  4. Read the Payload: In the red (client-to-server) text, you see the user requested GET /admin_dashboard.html.
  • *Conclusion 2:* The user mistyped the URL or tried to access a restricted page that doesn't exist. This generated the error.
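The Delta Time reasoning of Phase 2 and the error-to-request pairing of Phase 3 can both be scripted once the capture is exported as fields, which is useful when you have dozens of slow requests rather than one. The Python below is an added example, not code from the chapter or from the Wireshark project. It assumes the capture was exported with tshark -T fields using the -e fields named in the docstring, in tshark's default tab-separated layout; the sample rows, the billing server address 10.0.0.20, the TCP stream numbers and the 0.5 s / 1.0 s thresholds are all constructed or assumed for this example, only the 0.05 s ACK and 8.4 s response timings mirror the chapter.

```python
"""Phase 2/3 reasoning over a tshark field export (added example, not from the chapter).

Assumed input: the default tab-separated rows of
    tshark -r incident_001.pcapng -T fields -e frame.time_relative -e tcp.stream \
           -e ip.src -e ip.dst -e tcp.flags -e http.request.method \
           -e http.request.uri -e http.response.code
"""

FIELDS = ["time", "stream", "src", "dst", "flags", "method", "uri", "code"]
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10

# Constructed rows: 10.0.0.20 is an assumed address for the billing server and the
# stream numbers are invented; the timings mirror the chapter's 0.05 s and 8.4 s.
SAMPLE_EXPORT = [
    "10.000000\t7\t192.168.1.105\t10.0.0.20\t0x0018\tGET\t/login\t",
    "10.050000\t7\t10.0.0.20\t192.168.1.105\t0x0010\t\t\t",
    "18.450000\t7\t10.0.0.20\t192.168.1.105\t0x0018\t\t\t200",
    "25.300000\t9\t192.168.1.105\t10.0.0.20\t0x0018\tGET\t/admin_dashboard.html\t",
    "25.340000\t9\t10.0.0.20\t192.168.1.105\t0x0010\t\t\t",
    "25.410000\t9\t10.0.0.20\t192.168.1.105\t0x0018\t\t\t404",
]


def parse_fields(lines):
    """Turn export rows into dicts; rows without the expected column count are skipped."""
    records = []
    for line in lines:
        cols = line.rstrip("\r\n").split("\t")
        if len(cols) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, cols))
        rec["time"] = float(rec["time"])
        rec["flags"] = int(rec["flags"], 16)
        records.append(rec)
    return records


def attribute_latency(records, client, uri, ack_limit=0.5, app_limit=1.0):
    """Split one request's latency into network time (to the server's ACK) and server time.

    Thresholds are assumptions for this example: an ACK slower than ack_limit points at
    the network path; a response slower than app_limit after a fast ACK points at the
    application, exactly the Phase 2 argument.
    """
    req = next((r for r in records
                if r["src"] == client and r["method"] == "GET" and r["uri"] == uri), None)
    if req is None:
        return None
    from_server = [r for r in records
                   if r["stream"] == req["stream"] and r["src"] != client and r["time"] > req["time"]]
    resp = next((r for r in from_server if r["code"]), None)
    if resp is None:
        return None
    # A "pure" ACK carries no PSH/SYN/FIN; it proves the request reached the server.
    ack = next((r for r in from_server
                if r["time"] < resp["time"] and r["flags"] & TCP_ACK
                and not r["flags"] & (TCP_PSH | TCP_SYN | TCP_FIN)), None)
    ack_delta = round(ack["time"] - req["time"], 6) if ack else None
    # Like Wireshark's Delta Time column: time since the previous displayed packet.
    previous = ack if ack else req
    response_delta = round(resp["time"] - previous["time"], 6)
    if ack_delta is not None and ack_delta > ack_limit:
        verdict = "network"
    elif response_delta > app_limit:
        verdict = "application"
    else:
        verdict = "healthy"
    return {"uri": uri, "ack_delta": ack_delta, "response_delta": response_delta,
            "response_code": int(resp["code"]), "verdict": verdict}


def find_http_errors(records, min_code=400):
    """Equivalent of http.response.code >= 400, paired with the last request in the same TCP stream."""
    errors = []
    for resp in records:
        if not resp["code"] or int(resp["code"]) < min_code:
            continue
        req = max((r for r in records
                   if r["stream"] == resp["stream"] and r["method"] and r["time"] < resp["time"]),
                  key=lambda r: r["time"], default=None)
        errors.append({"time": resp["time"], "stream": resp["stream"], "client": resp["dst"],
                       "code": int(resp["code"]),
                       "request": f"{req['method']} {req['uri']}" if req else None})
    return errors


if __name__ == "__main__":
    recs = parse_fields(SAMPLE_EXPORT)
    print(attribute_latency(recs, "192.168.1.105", "/login"))
    for err in find_http_errors(recs):
        print(err)
```

Pairing the 404 with its request through tcp.stream is the scripted form of "clear the filter and follow the stream": the response row alone never tells you which URI was asked for.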

6. Phase 4: Threat Hunting the "Weird" Behavior

The user said the computer is acting weird. We noted strange FTP traffic in Phase 1. Let's investigate.
  1. Filter for FTP: Apply ftp.
  2. Analyze the Conversation: You see the Finance IP communicating with an unknown external IP address in Russia.
  3. Follow the Stream: Right-click the FTP packet -> Follow -> TCP Stream.
  4. Extract the Intelligence: In the plaintext stream window, you see the automated commands:
     USER admin
     PASS 12345
     RETR financial_records_2026.zip
  • *Conclusion 3:* A malware script running in the background of the user's PC successfully authenticated to an external FTP server and exfiltrated a highly sensitive ZIP file!
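Because FTP's control channel is plaintext, the Follow -> TCP Stream text from step 4 can be parsed and scored automatically, which is how you would turn this one finding into a detection that runs over every FTP session in a capture. The Python below is an added example and not tooling from the chapter or from Wireshark. It assumes the input is the control-channel text exactly as the stream window shows it (client commands and numbered server replies interleaved); the sample session, its banner and reply texts, the external address 203.0.113.45 (a documentation-range placeholder) and the list of "sensitive" file suffixes are all constructed for the example. One caveat a reviewer would raise: FTP's RETR retrieves a file from the server while STOR and APPE push one to it, so the parser records the direction of each transfer instead of assuming it.

```python
"""Flag risky activity in a reconstructed FTP control channel (added example, not the chapter's tooling).

Input is the text of Wireshark's Follow -> TCP Stream window for the FTP control
connection (port 21): the client's commands and the server's three-digit replies,
interleaved as they appeared on the wire.
"""
import ipaddress
import re

# Constructed session modelled on the commands the chapter quotes in Phase 4.
# 203.0.113.45 is a documentation-range placeholder for the external server.
SAMPLE_STREAM = """\
220 FTP server ready.
USER admin
331 Password required for admin.
PASS 12345
230 User logged in.
TYPE I
200 Type set to I.
PASV
227 Entering Passive Mode (203,0,113,45,195,80).
RETR financial_records_2026.zip
150 Opening BINARY mode data connection.
226 Transfer complete.
QUIT
221 Goodbye.
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SENSITIVE_SUFFIXES = (".zip", ".xlsx", ".csv", ".pdf", ".db", ".sql")  # assumed list for the example
# RETR pulls a file from the server; STOR/APPE push one to it, so record the direction.
TRANSFER_CMDS = {"RETR": "download from server", "STOR": "upload to server", "APPE": "upload to server"}


def is_internal(ip):
    """RFC 1918 or loopback counts as internal; everything else is treated as external."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in RFC1918)


def parse_control_stream(text):
    """Return ordered events: ("reply", code, text) for server lines, ("cmd", VERB, arg) for client lines."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^(\d{3})[ -](.*)$", line)  # replies start with a 3-digit code
        if m:
            events.append(("reply", int(m.group(1)), m.group(2)))
        else:
            verb, _, arg = line.partition(" ")
            events.append(("cmd", verb.upper(), arg.strip()))
    return events


def analyse_ftp_session(text, server_ip):
    """Summarise credentials, login result and file transfers, then assign a severity."""
    events = parse_control_stream(text)
    reply_codes = [e[1] for e in events if e[0] == "reply"]
    report = {
        "server_ip": server_ip,
        "external_server": not is_internal(server_ip),
        "username": next((e[2] for e in events if e[0] == "cmd" and e[1] == "USER"), None),
        "cleartext_password": any(e[0] == "cmd" and e[1] == "PASS" for e in events),
        "login_succeeded": 230 in reply_codes,
        "transfers": [],
    }
    for i, (kind, verb, arg) in enumerate(events):
        if kind != "cmd" or verb not in TRANSFER_CMDS:
            continue
        # Replies up to the next client command say whether this transfer finished (226/250).
        follow = []
        for later in events[i + 1:]:
            if later[0] == "cmd":
                break
            follow.append(later[1])
        report["transfers"].append({
            "command": verb, "direction": TRANSFER_CMDS[verb], "file": arg,
            "sensitive": arg.lower().endswith(SENSITIVE_SUFFIXES),
            "completed": any(code in (226, 250) for code in follow),
        })
    done = [t for t in report["transfers"] if t["completed"]]
    if report["external_server"] and report["login_succeeded"] and any(t["sensitive"] for t in done):
        report["severity"] = "critical"
    elif report["external_server"] and done:
        report["severity"] = "high"
    elif report["cleartext_password"]:
        report["severity"] = "medium"
    else:
        report["severity"] = "low"
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(analyse_ftp_session(SAMPLE_STREAM, "203.0.113.45"), indent=2))
```

The same session against an internal server still scores "medium", because a password crossing the wire in cleartext is a finding on its own even when no data left the network.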

7. Phase 5: Evidence Extraction and Reporting

You must prepare the evidence for the Cybersecurity Incident Response Team (CIRT).
  1. Extract the Stolen Data: You need to see what was in that ZIP file. Go to File -> Export Objects -> FTP-DATA (or use the raw export from the TCP stream window). You save financial_records_2026.zip to hand to the CIRT team.
  2. Export the PCAP: You apply the filter ip.addr == [The Russian IP]. You go to File -> Export Specified Packets (Displayed). You save it as malware_c2_traffic.pcapng.

The Final Incident Report:

  • Incident: 001
  • Root Cause of Slowness: Application-layer latency on the Billing Server (Proven via 8.4s Delta Time).
  • Root Cause of Error: User generated a 404 error by requesting /admin_dashboard.html.
  • Security Breach Detected: Machine 192.168.1.105 is compromised. It successfully exfiltrated a corporate ZIP file via unencrypted FTP to an unauthorized external IP.
  • Action Taken: Machine isolated from network. Extracted PCAP and payload provided to CIRT.

8. Course Conclusion

You have reached the end of Wireshark Basics – Complete Beginner to Advanced Guide. Wireshark is not just a piece of software; it is a fundamental shift in how you perceive digital infrastructure. You have transcended the Graphical User Interface of the web browser to read the literal, raw matrix of the internet.

You now possess the capability to strip away abstraction. When an application fails, you no longer have to guess; you can autopsy the TCP handshakes, dissect the DNS queries, and mathematically prove the point of failure. When an attacker attempts to hide in the noise, you can wield Display Filters, Color Rules, and Stream Reconstruction to expose their exact footprints.

Whether you are progressing toward a CompTIA Network+ certification, a career in Network Engineering, or stepping onto the frontlines of Cybersecurity, you now hold the ultimate diagnostic instrument. You are no longer a passenger on the network; you are the inspector.

Congratulations on completing the course!
