RSS Feed

🌎 Network Traffic

Created: 12.10.2020


Most of the devices keep some logs. As for the network-related issues are switches, routers, firewalls, IDS and IPS, web proxies, DC and authentication servers, DCHP servers and application servers.

SIEMs are log aggregators. When configured correctly, all logs and events from all systems in the enterprise flows to a centralised repository where they can then be analysed. Sometimes these SIEM analyse what’s normal and what’s not. However, they are quite costly 💰.

One can collect network artefacts from a network level or on the host.

Network-based collection

  1. Network tap - a device that’s placed between other two or more devices on the network. I presume a hub can be considered a tap.
  2. SPAN port is another option.

Host-based collection

  1. Packet sniffer (🛠️ tcpdump or Wireshark 🦈) installed on the host.
  2. Open ports
  3. EDR / Application logs/data
  4. DNS cache
  5. Browser activity

Open Connections

Ports identify services (usually, but not always).

  • System ports are forensically important 0-1023.
  • User ports 1024-49151
  • Private 49152-last

Cheatsheets for known ports here.

Private IP addresses:

  • -
  • 17x.0.0.0
  • 19x.0.0.0

Example of suspicious case: java listening on port 53 which is normally used by DNS service. FF uses 3389 port (which is for remote connections). 44999 (used for private internal connections) some strange executable.

Filter out internal addresses (they are not interesting initially). Check the remote connections. Check executables that launched these connections, and also look for port-services mismatches or unusual ports or services.

📝 Make a list of processes and connections of several clean systems for “known-good” reference.


netstat -abno

netstat -boan statistics and current tcp connections along with the exe, listening port and PID. Run netstat -a -n -o to get the list of connections and then use tasklist with the PID of interest to see information about the process.

macOS / Linux

DNS Cache


DNS names

DNS Requests

Encrypted Traffic


  • The plaintext content can be retrieved from RAM.
  • MiM


Video / Audio



[1]NSLOKUP, DIG and HOST utilities usage

Digital forensics and Incident Response, G. Johansen


  1. https://malware-traffic-analysis.net