Analyzing packet captures
A great deal of Chapter 3, Network Evidence Collection covered the various methods to obtain packet captures from a range of sources and from a variety of locations. Packet captures contain a great deal of information that is potentially valuable to incident response analysts. Some of this information includes source and destination IP addresses, domains and ports, and the content of communications between hosts. In some instances, incident response analysts are able to reconstruct actual files, such as text documents and images in these packet captures.
Note
This chapter makes references to several preconfigured packet captures which are examined. These packet captures are taken directly from the site malware-traffic-analysis.net by permission of the author. This site has a number of packet capture exercises, where incident response analysts can practice locating indicators of compromise.
Command-line tools
There are several command-line tools that can be utilized...