Network Traffic Analysis

Overview

Network traffic analysis captures and examines malware communications — C2 (command and control) callbacks, DNS queries, data exfiltration, payload downloads, and lateral movement traffic. Captured network data provides IOCs (domains, IPs, URLs, user agents) and reveals the malware's network protocol and communication patterns.

Packet Capture

tcpdump

# tcpdump
# https://www.tcpdump.org/

# Capture all traffic on an interface
sudo tcpdump -i eth0 -w capture.pcap

# Capture with verbose output and no host/port name resolution (-nn)
sudo tcpdump -i eth0 -nn -v

# Capture traffic to/from a specific host. Put options before the filter
# expression: "host ... -w file" only works where getopt permutes arguments
# (GNU/Linux), and fails on BSD/macOS builds.
sudo tcpdump -i eth0 -nn -w malware_traffic.pcap host 192.168.56.10

# Capture only DNS traffic
sudo tcpdump -i eth0 -nn port 53

# Capture only HTTP and HTTPS traffic (443 is TLS, so payloads are encrypted)
sudo tcpdump -i eth0 -nn 'port 80 or port 443'

# Capture with packet content display (hex + ASCII)
sudo tcpdump -i eth0 -nn -X host 192.168.56.10

# Rotate output files: -C is the size per file in millions of bytes,
# -W the number of files kept before the oldest is overwritten
sudo tcpdump -i eth0 -w capture.pcap -C 100 -W 5

# Read back a capture file (no root needed)
tcpdump -r capture.pcap -nn

# Filter by protocol
sudo tcpdump -i eth0 -nn tcp
sudo tcpdump -i eth0 -nn udp
sudo tcpdump -i eth0 -nn icmp

Wireshark

# Wireshark
# https://www.wireshark.org/

# Launch Wireshark GUI
wireshark

# Open a capture file
wireshark capture.pcap

Key Wireshark display filters for malware analysis:

# DNS queries
dns

# HTTP requests
http.request

# HTTP responses with specific status codes
http.response.code == 200

# TLS/SSL traffic
tls

# Traffic to/from a specific IP
ip.addr == 192.168.56.10

# TCP SYN packets (connection attempts)
tcp.flags.syn == 1 && tcp.flags.ack == 0

# DNS queries for specific domains
dns.qry.name contains "malicious"

# HTTP POST requests (data exfiltration)
http.request.method == "POST"

# User-Agent strings
http.user_agent

# Follow a TCP stream
# Right-click a packet → Follow → TCP Stream

tshark (Command-Line Wireshark)

# Wireshark (tshark)
# https://www.wireshark.org/

# Capture live traffic
sudo tshark -i eth0 -w capture.pcap

# Read a capture file
tshark -r capture.pcap

# Extract DNS query names (queries only: dns.qry.type alone also matches the
# responses, which repeat the question section)
tshark -r capture.pcap -Y "dns.flags.response == 0 && dns.qry.type == 1" \
  -T fields -e dns.qry.name

# Extract HTTP requests (method, host, URI)
tshark -r capture.pcap -Y "http.request" -T fields \
  -e http.request.method -e http.host -e http.request.uri

# Extract HTTP user agents
tshark -r capture.pcap -Y "http.user_agent" -T fields -e http.user_agent

# Extract TLS Server Name Indication (SNI) — domains even in HTTPS
tshark -r capture.pcap -Y "tls.handshake.extensions_server_name" \
  -T fields -e tls.handshake.extensions_server_name

# Extract all IP conversations
tshark -r capture.pcap -q -z conv,ip

# Extract all TCP endpoints
tshark -r capture.pcap -q -z endpoints,tcp

# Protocol hierarchy statistics
tshark -r capture.pcap -q -z io,phs

# Export HTTP objects (downloaded files)
tshark -r capture.pcap --export-objects http,/tmp/http_objects/

# Follow a TCP stream (stream index 0)
tshark -r capture.pcap -q -z follow,tcp,ascii,0

DNS Analysis

Malware frequently uses DNS for:
- Resolving C2 server domains
- DNS tunneling (data exfiltration via DNS queries)
- Domain Generation Algorithms (DGAs)
- Fast-flux networks

# Wireshark (tshark)
# https://www.wireshark.org/

# Extract all unique DNS query names (queries only: responses echo the
# question section and would otherwise be counted twice)
tshark -r capture.pcap -Y "dns.flags.response == 0 && dns.qry.type == 1" \
  -T fields -e dns.qry.name | sort -u

# Extract DNS responses: queried name, answer address(es), answer record type
tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields \
  -e dns.qry.name -e dns.a -e dns.resp.type

# Identify unusually long query names (possible DNS tunneling)
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name \
  | awk '{ if (length($0) > 50) print length($0), $0 }' | sort -rn

# Count queries per name (repeated lookups of the same name hint at beaconing)
tshark -r capture.pcap -Y "dns.flags.response == 0 && dns.qry.type == 1" \
  -T fields -e dns.qry.name | sort | uniq -c | sort -rn | head -20

# Identify TXT record queries (type 16, often used for DNS tunneling)
tshark -r capture.pcap -Y "dns.flags.response == 0 && dns.qry.type == 16" \
  -T fields -e dns.qry.name

DNS Tunneling Indicators

Indicator                                 | Indicates
Long subdomain labels (> 50 chars)        | Encoded data carried in domain names
High volume of TXT record queries         | Data exfiltration via DNS
Queries to unusual TLDs (.top, .xyz, .tk) | Cheap, abuse-prone TLDs favoured for throwaway infrastructure
High entropy in subdomain names           | Base32/Base64 encoded payloads
Single domain with many unique subdomains | DGA or tunneling

HTTP/HTTPS Analysis

# Wireshark (tshark)
# https://www.wireshark.org/

# Extract all HTTP GET requests (host + URI); the method is a string field,
# so quote it like the POST filters above
tshark -r capture.pcap -Y 'http.request.method == "GET"' -T fields \
  -e http.host -e http.request.uri

# Extract all HTTP POST requests with content
tshark -r capture.pcap -Y "http.request.method == POST" -T fields \
  -e http.host -e http.request.uri -e http.file_data

# Extract downloaded file types
tshark -r capture.pcap -Y "http.response" -T fields \
  -e http.content_type | sort | uniq -c | sort -rn

# Show HTTP headers for specific requests
tshark -r capture.pcap -Y "http.request" -T fields \
  -e http.request.method -e http.host -e http.user_agent \
  -e http.content_type -e http.content_length

C2 Communication Patterns

Pattern            | Description
Regular beaconing  | Periodic HTTP requests at fixed intervals
Jitter             | Randomized intervals added to beacons to avoid detection
Long polling       | Persistent connections held open waiting for commands
Chunked data       | Large data split across multiple requests
Encoded parameters | Base64 or custom encoding in URL parameters
Cookie-based C2    | Commands embedded in HTTP cookies
Custom headers     | Data in non-standard HTTP headers
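Regular beaconing and jitter from the table above both show up in the inter-arrival timing of connection attempts, so one way to surface C2 candidates is to measure how regular each destination's timing is. The following Python script is an added example, not code from the original page: it takes `frame.time_epoch`, `ip.dst` and `tcp.dstport` for SYN packets in the shape tshark would emit them, computes the median interval and a jitter ratio (median absolute deviation divided by the median interval) per destination, and flags destinations that stay regular. The timestamps are constructed, and the minimum connection count and jitter threshold are assumed values to tune against real captures.

```python
"""Flag destinations whose connection attempts recur at regular intervals.

Input lines are the tab-separated output of
  tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
      -T fields -e frame.time_epoch -e ip.dst -e tcp.dstport
"""
import statistics
from collections import defaultdict

# Assumed tuning values: fewer samples give a meaningless estimate, and a
# jitter ratio (MAD / median interval) above this is treated as irregular.
MIN_CONNECTIONS = 6
MAX_JITTER_RATIO = 0.25


def constructed_sample():
    """Sample rows: a 60 s beacon with a few seconds of jitter to
    203.0.113.50:8443, interleaved with bursty browsing to 198.51.100.7:443."""
    rows = []
    t = 1700000000.0
    for jitter in (0, 3, -2, 4, -4, 1, -3, 2, -1, 3):
        t += 60 + jitter
        rows.append(f"{t:.6f}\t203.0.113.50\t8443")
    t = 1700000005.0
    for gap in (0.2, 0.1, 45, 0.3, 120, 0.1, 0.2, 300, 0.4, 2):
        t += gap
        rows.append(f"{t:.6f}\t198.51.100.7\t443")
    return sorted(rows, key=lambda r: float(r.split("\t")[0]))


def parse(lines):
    """Group SYN timestamps by (destination IP, destination port)."""
    by_dst = defaultdict(list)
    for line in lines:
        parts = line.strip().split("\t")
        if len(parts) < 3:
            continue
        by_dst[(parts[1], int(parts[2]))].append(float(parts[0]))
    return by_dst


def interval_stats(timestamps):
    """Median inter-arrival interval and jitter ratio, or None if too few points.

    Median and MAD are used instead of mean and standard deviation so that a
    single long gap (host asleep, sandbox paused) does not mask the pattern.
    """
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if len(deltas) < 2:
        return None
    med = statistics.median(deltas)
    mad = statistics.median(abs(d - med) for d in deltas)
    return {
        "count": len(ts),
        "median_interval": med,
        "jitter_ratio": mad / med if med > 0 else float("inf"),
    }


def find_beacons(lines):
    """Return {(ip, port): stats} for destinations with regular SYN timing."""
    found = {}
    for dst, ts in parse(lines).items():
        st = interval_stats(ts)
        if st and st["count"] >= MIN_CONNECTIONS and st["jitter_ratio"] <= MAX_JITTER_RATIO:
            found[dst] = st
    return found


if __name__ == "__main__":
    for (ip, port), st in find_beacons(constructed_sample()).items():
        print(f"{ip}:{port}  n={st['count']}  interval={st['median_interval']:.1f}s  "
              f"jitter={st['jitter_ratio']:.2f}")
```

A few seconds of jitter on a one-minute beacon still yields a ratio of a few percent, which is why the check tolerates it; an implant with jitter of the same order as its base interval defeats this heuristic and needs content-based detection instead.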

Extracting IOCs from Traffic

# Wireshark (tshark)
# https://www.wireshark.org/

# Extract all unique destination IPs outside the sandbox subnet
# (192.168.56.0/24 here; adjust to your lab network)
tshark -r capture.pcap -Y "ip && !(ip.dst == 192.168.56.0/24)" \
  -T fields -e ip.dst | sort -u

# Extract all unique domains (from DNS queries only)
tshark -r capture.pcap -Y "dns.flags.response == 0 && dns.qry.type == 1" \
  -T fields -e dns.qry.name | sort -u

# Extract all URLs
tshark -r capture.pcap -Y "http.request" -T fields \
  -e http.host -e http.request.uri \
  | awk '{print "http://" $1 $2}'

# Extract TLS certificate information (server certificates are sent in the
# clear only in TLS 1.2 and earlier; TLS 1.3 encrypts the Certificate message)
tshark -r capture.pcap -Y "tls.handshake.certificate" -T fields \
  -e x509ce.dNSName -e x509af.serialNumber

# Extract all unique user agents
tshark -r capture.pcap -Y "http.user_agent" -T fields \
  -e http.user_agent | sort -u
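The field dumps above still need cleaning before they become an IOC list: internal addresses must be dropped, duplicates collapsed, hosts that carry a port handled, and values defanged for reporting. The following Python script is an added example, not code from the original page or from tshark: it post-processes constructed samples of the `ip.dst`, `http.host`/`http.request.uri` and `http.user_agent` output shown above. The list of local networks to exclude is an assumption (it covers the page's 192.168.56.0/24 lab subnet) and is used instead of `ipaddress.is_private`, which would also discard the documentation range 203.0.113.0/24 that the sample uses as its external C2.

```python
"""Turn raw tshark field dumps into a deduplicated, defanged IOC list."""
import ipaddress

# Assumed local ranges to exclude: RFC 1918, loopback, link-local and
# multicast, which also cover the page's 192.168.56.0/24 lab subnet.
# ipaddress.is_private is deliberately not used: it also returns True for
# documentation ranges such as 203.0.113.0/24, used below as the C2 address.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]

# Constructed samples in the shape of the three tshark commands above.
IP_DST_LINES = """\
203.0.113.50
192.168.56.1
203.0.113.50
192.168.56.10
198.51.100.7
"""
HTTP_LINES = """\
update-service.example.com\t/gate.php
update-service.example.com\t/api/v1/callback
203.0.113.50:8080\t/dl/payload.bin
update-service.example.com\t/gate.php
"""
UA_LINES = """\
Mozilla/5.0 (Windows NT 10.0; Win64; x64)
MyCustomAgent/1.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64)
"""


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def external_ips(lines):
    """Unique addresses outside LOCAL_NETS; malformed or empty lines are skipped."""
    found = set()
    for line in lines:
        value = line.strip()
        if not is_ip(value):
            continue
        ip = ipaddress.ip_address(value)
        if not any(ip in net for net in LOCAL_NETS):
            found.add(value)
    return sorted(found)


def urls(lines):
    """Rebuild http://host/uri from http.host and http.request.uri fields.
    The Host header may carry a port, which is kept as part of the URL."""
    found = set()
    for line in lines:
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) < 2 or not parts[0]:
            continue
        host, uri = parts[0], parts[1] or "/"
        found.add(f"http://{host}{uri}")
    return sorted(found)


def domains(url_list):
    """Hostnames seen in URLs, with ports stripped and bare IP hosts excluded."""
    hosts = set()
    for url in url_list:
        host = url.split("/", 3)[2].rsplit(":", 1)[0]
        if not is_ip(host):
            hosts.add(host)
    return sorted(hosts)


def unique_values(lines):
    return sorted({line.strip() for line in lines if line.strip()})


def defang(ioc):
    """Make an indicator safe to paste into a report or ticket."""
    return (ioc.replace("http://", "hxxp://").replace("https://", "hxxps://")
            .replace(".", "[.]"))


def build_iocs(ip_lines, http_lines, ua_lines):
    url_list = urls(http_lines)
    return {
        "ips": external_ips(ip_lines),
        "domains": domains(url_list),
        "urls": url_list,
        "user_agents": unique_values(ua_lines),
    }


if __name__ == "__main__":
    iocs = build_iocs(IP_DST_LINES.splitlines(), HTTP_LINES.splitlines(), UA_LINES.splitlines())
    for kind, values in iocs.items():
        for value in values:
            print(f"{kind:12} {value if kind == 'user_agents' else defang(value)}")
```

Hostnames are taken from the HTTP Host header rather than from DNS so that the domain list reflects what the malware actually contacted; merge it with the DNS query list when DGA candidates that never resolved are also of interest.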

Network Artifacts to Document

Artifact                | Example
C2 IP addresses         | 203.0.113.50:8443
C2 domains              | update-service.example.com
URL paths               | /api/v1/callback, /gate.php
User-Agent strings      | Custom or spoofed UAs
HTTP headers            | Non-standard headers used for C2
DNS queries             | DGA domains, tunneling patterns
TLS certificate details | Self-signed certs, unusual issuers
Beaconing intervals     | Timing patterns of callbacks
Data exfiltration       | POST data, DNS TXT payloads
