NETWORK FORENSICS — FULL PCAP INVESTIGATION
EXPERT — RECONSTRUCT AN ATTACK FROM PACKETS ALONE
PCAP · FILTERS · STREAMS · TLS · DNS · SMB · TIMELINE

OBJECTIVES

Identify the initial exploit request
Find the webshell execution in HTTP
Identify C2 via TLS SNI analysis
Detect DNS exfiltration pattern
Identify SMB lateral movement
Measure data exfiltration volume
Build the attack timeline from packets
Submit the network forensics report
PHASE 1 — PACKET ANALYSIS
MISSION BRIEF
EXPERT — NETWORK FORENSICS

FULL PCAP INVESTIGATION

FILE: apexlab_full_incident.pcap — 1,847 packets

SCENARIO

The network team captured all traffic on the APEXLAB segment during the incident window. You have only the PCAP — no logs, no endpoint data. Reconstruct the full attack chain purely from packet evidence. Every indicator of compromise must be extracted from the wire.

CHALLENGE

This is different from the introductory Wireshark lab. You will need to analyse TLS traffic (encrypted — but SNI leaks the hostname), identify protocol anomalies at the packet level, and reconstruct the timeline purely from timestamps and frame analysis.

NETWORK LAYOUT

Host                      IP
Web server (WEB-01)       10.10.16.10
Workstation (WKSTN-016)   10.10.14.22
File server               10.10.15.20
DNS server                10.10.14.1
Attacker                  185.220.101.45

TECHNIQUES

  • Right-click any packet → Follow TCP/TLS Stream
  • Filter tls.handshake.type==1 to see Client Hello SNI
  • Filter dns and dns.qry.name contains "exfil"
  • Filter smb2 for lateral movement
  • Check Statistics → Conversations for top talkers
REFERENCE — NETWORK FORENSICS
TLS ANALYSIS WITHOUT DECRYPTION
Even encrypted TLS traffic leaks information:

  • Server Name Indication (SNI) — hostname in Client Hello (unencrypted) — reveals destination even for HTTPS
  • Certificate CN/SAN — server certificate fields visible before encryption
  • JA3 fingerprint — hash of TLS Client Hello parameters — identifies malware families
  • Packet timing and size — C2 beaconing shows regular intervals
KEY DISPLAY FILTERS

Filter                                  Purpose
http                                    HTTP traffic
tls                                     All TLS
tls.handshake.type == 1                 Client Hello (SNI visible)
tls.handshake.extensions_server_name    Filter by SNI
dns                                     DNS queries
dns.qry.name contains "exfil"           DNS with keyword
smb2                                    SMB version 2
tcp.len > 10000                         Large TCP segments
ip.src == 185.220.101.45                Attacker traffic
tcp.analysis.bytes_in_flight            Throughput analysis
SMB LATERAL MOVEMENT IN PACKETS
SMB2 authentication sequence: NegotiateProtocol → SessionSetup (NTLM) → TreeConnect → file operations. The NTLM challenge/response material is visible in the SessionSetup request/response. Admin share access (C$, ADMIN$) is the lateral movement indicator.
DNS EXFILTRATION SIGNATURES
  • Long subdomain labels (Base64 data)
  • Sequential queries to same parent domain
  • NXDOMAIN responses (data channel, not resolution)
  • High query rate to a single external domain
  • Query names longer than 50 characters
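The signatures above can be scored mechanically over the query records exported from the dns filter. The scorer below is an added example, not part of the lab; it assumes records as (seconds, dns.qry.name, rcode) tuples, uses illustrative thresholds, and runs on constructed sample queries rather than the lab capture.

```python
import re
from collections import defaultdict

# A long label of hostname-safe characters is what Base32/Base64url payload chunks look like (20-char cutoff assumed).
OPAQUE_LABEL = re.compile(r"^[A-Za-z0-9_-]{20,}$")

def parent_domain(qname):
    """Last two labels of the query name (assumption: no public-suffix handling)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_dns_queries(records):
    """Group (seconds, dns.qry.name, rcode) records by parent domain and apply the
    reference-card signatures. Thresholds are illustrative assumptions."""
    groups = defaultdict(list)
    for ts, qname, rcode in records:
        groups[parent_domain(qname)].append((ts, qname, rcode))
    results = {}
    for parent, items in groups.items():
        times = [t for t, _, _ in items]
        span, n = max(times) - min(times), len(items)
        stats = {
            "queries": n,
            "long_names": sum(1 for _, q, _ in items if len(q) > 50),
            "opaque_labels": sum(1 for _, q, _ in items
                                 if any(OPAQUE_LABEL.match(l) for l in q.split("."))),
            "nxdomain": sum(1 for _, _, rc in items if rc == 3),  # rcode 3 = NXDOMAIN
            "per_minute": n * 60.0 / span if span > 0 else float(n),
        }
        flags = []
        if stats["long_names"]:
            flags.append("long_qname")            # query names longer than 50 chars
        if stats["opaque_labels"] >= 2:
            flags.append("encoded_labels")        # Base64-like subdomain labels
        if n >= 3 and stats["nxdomain"] / n > 0.5:
            flags.append("nxdomain_channel")      # answers that never resolve
        if n >= 5 and stats["per_minute"] > 30:
            flags.append("high_rate")             # sequential burst to one parent
        stats["flags"] = flags
        results[parent] = stats
    return results
# Constructed sample records, not taken from apexlab_full_incident.pcap.
_CHUNKS = ["VGhpcyBpcyBhIHNlY3JldCBmaWxlIGNvbnRlbnQ", "IGZyb20gV0tTVE4tMDE2IGFuZCBpdCBpcyBsb25n",
           "IGVub3VnaCB0byBzcGxpdCBpbnRvIGxhYmVscw", "Y2h1bmsgNCBvZiB0aGUgc3RvbGVuIGRvY3VtZW50",
           "ZmluYWwgY2h1bmsgb2YgdGhlIGV4ZmlsIGRhdGE"]
SAMPLE = [(0.0, "www.example.org", 0), (1.2, "cdn.example.org", 0)] + [
    (10.0 + i * 0.5, f"{c}.exfil.example.net", 3) for i, c in enumerate(_CHUNKS)]

if __name__ == "__main__":
    for parent, s in score_dns_queries(SAMPLE).items():
        print(parent, s["flags"])
```

Only the parent domain that collects several flags at once deserves a timeline entry; a single long query name on its own is common in CDN and anti-spam lookups.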
DATA EXFILTRATION DETECTION
Statistics → Conversations sorted by bytes reveals the largest data transfers. Legitimate traffic has balanced upload/download ratios. Exfiltration shows high upload bytes to an external IP that previously only received small requests.