Cyber Defense Tactics
© 2026 Cyber Defense Tactics. All rights reserved.

A Carbene.AI Project

intermediate

Network Traffic Analysis for Incident Response

Procedures for capturing and analyzing network traffic during security incidents.

2-4 hours | 5 steps | 9 checklist items

Summary

This guide covers planning and running a packet capture during an incident, triaging the captured traffic, pulling out the indicators that matter (command-and-control channels, data exfiltration, files moved over the network), and documenting the results so they can support the investigation and later threat hunting.

Step-by-Step Procedure

Step 1: Capture Planning

Decide where, how and for how long to capture before touching the network.

Actions

Identify the network segments that matter for the incident (the affected hosts' VLAN, the internet egress point, the DNS resolvers) and where a TAP or SPAN/mirror port can actually see that traffic.
Ensure legal authorization for capture: written approval from the incident lead and, where required, legal or HR, since full packet capture records user content and not just metadata.
Select capture tools: tcpdump or Wireshark (dumpcap) for full packet capture, Zeek for protocol logs and file extraction, and a TAP in preference to a SPAN port, which drops packets when the switch is under load.
Plan storage: estimate volume from link utilization (a saturated 1 Gbit/s link produces roughly 7.5 GB per minute) and reserve space on a drive that is not on a host involved in the incident.

Tools

Wireshark, tcpdump, Zeek, Network TAP/SPAN
Step 2: Traffic Capture

Capture the traffic agreed in step 1 without altering it.

Actions

Start the capture with a full snapshot length (tcpdump -s 0) and a capture filter that keeps volume manageable without excluding the unknown: filter on the affected hosts or subnet rather than on ports, because the attacker's ports are exactly what you do not yet know.
Monitor capture file size and the capture tool's dropped-packet counter; drops mean gaps in the evidence.
Rotate files by time or size (tcpdump -G or -C together with -w) so no single file becomes unmanageable and rotation boundaries are predictable in the timeline.
Preserve original capture files: hash each file (SHA-256) as it closes, record the hash with capture host, interface, start and stop time and operator, keep the originals read-only, and analyze copies.
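As an added example for the capture stage (illustrative code written for this page, not part of the page's own procedure or of any tool it names): the script below writes two constructed pcap files into a temporary directory, checks each file's global header so that a capture made with a short snapshot length is noticed before analysis starts, records SHA-256 hashes in a JSON manifest, and re-verifies the originals against that manifest. The file names, the MANIFEST.json name and the sample captures are assumptions; the header layout and magic numbers are those of the standard libpcap file format.

```python
"""Preserve rotated capture files (steps 1-2): check each pcap header for a full
snapshot length, record SHA-256 hashes in a manifest, and re-verify later."""
import hashlib
import json
import struct
import tempfile
from pathlib import Path

# Classic pcap magic numbers: microsecond and nanosecond variants, either byte order.
LITTLE_ENDIAN_MAGIC = {0xA1B2C3D4, 0xA1B23C4D}
BIG_ENDIAN_MAGIC = {0xD4C3B2A1, 0x4D3CB2A1}
FULL_SNAPLEN = 65535  # anything smaller truncates payloads (tcpdump -s 0 writes 262144)

def write_sample_pcap(path, snaplen, n_packets=3):
    """Write a minimal valid pcap with placeholder frames (constructed data, not real traffic)."""
    frame = b"\x00" * 60  # stands in for an Ethernet frame; contents are irrelevant here
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))  # linktype 1 = Ethernet
        for i in range(n_packets):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)

def inspect_pcap(path):
    """Read the 24-byte global header and report version, snaplen, link type and truncation."""
    hdr = Path(path).read_bytes()[:24]
    if len(hdr) < 24:
        raise ValueError(f"{path}: truncated pcap header")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic in LITTLE_ENDIAN_MAGIC:
        order = "<"
    elif magic in BIG_ENDIAN_MAGIC:
        order = ">"
    else:
        raise ValueError(f"{path}: not a classic pcap (magic {magic:#x}); pcapng needs another parser")
    _, major, minor, _, _, snaplen, linktype = struct.unpack(order + "IHHiIII", hdr)
    return {"version": f"{major}.{minor}", "snaplen": snaplen, "linktype": linktype,
            "full_packets": snaplen >= FULL_SNAPLEN}

def sha256_file(path):
    """Stream the file through SHA-256 so multi-gigabyte captures need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(capture_dir, manifest_name="MANIFEST.json"):
    """Record name, size, hash and header facts for every rotated file; returns the entries."""
    entries = []
    for p in sorted(Path(capture_dir).glob("*.pcap")):
        entries.append({"file": p.name, "size": p.stat().st_size, "sha256": sha256_file(p), **inspect_pcap(p)})
    (Path(capture_dir) / manifest_name).write_text(json.dumps(entries, indent=2))
    return entries

def verify_manifest(capture_dir, manifest_name="MANIFEST.json"):
    """Return (file, problem) pairs; an empty list means every original still matches."""
    problems = []
    for e in json.loads((Path(capture_dir) / manifest_name).read_text()):
        p = Path(capture_dir) / e["file"]
        if not p.exists():
            problems.append((e["file"], "missing"))
        elif sha256_file(p) != e["sha256"]:
            problems.append((e["file"], "hash mismatch"))
    return problems

def run_demo():
    """Two constructed rotated captures, one full-snaplen and one header-only, are recorded
    and verified; then one is altered to show that verification catches the change."""
    d = Path(tempfile.mkdtemp())
    write_sample_pcap(d / "cap-0.pcap", 262144)  # what tcpdump -s 0 writes
    write_sample_pcap(d / "cap-1.pcap", 96)      # old default: headers only, payload lost
    entries = write_manifest(d)
    clean = verify_manifest(d)
    with open(d / "cap-1.pcap", "ab") as f:
        f.write(b"\x00")  # simulate post-capture modification
    return {"entries": entries, "clean": clean, "tampered": verify_manifest(d)}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run the manifest step as each rotated file closes, keep the manifest with the case record, and work from copies; a non-empty result from verify_manifest means an original has changed since capture. The truncation check matters because a capture with a 96-byte snapshot length still looks complete in a packet list but has lost the payloads that stream following and file extraction depend on. pcapng files (what newer Wireshark and dumpcap write by default) have a different header and are rejected here rather than misread.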
Step 3: Initial Analysis

Get an overview of what the capture contains before chasing individual packets.

Actions

Review protocol statistics (Wireshark Statistics > Protocol Hierarchy, or per-service counts from Zeek's conn.log) to see which protocols are present and in what proportion.
Identify top talkers and connections (Wireshark Statistics > Conversations and Endpoints, sorted by bytes) and note which internal hosts generate the most outbound traffic.
Look for unusual ports or protocols: ports the organization does not use, a known protocol on a non-standard port, or a mismatch between port and dissected protocol (for example non-TLS data on 443).
Filter for the indicators already known from the incident (host addresses, domains, file hashes) to anchor the analysis in the confirmed activity.
Step 4: Deep Analysis

Investigate the connections flagged in step 3.

Actions

Follow TCP streams for suspicious connections (Wireshark Analyze > Follow > TCP Stream) to see the full exchange; plaintext protocols show commands and responses directly, while for TLS record the SNI, certificate details and JA3 fingerprint where available.
Extract files transferred over the network (Wireshark File > Export Objects for HTTP, SMB and FTP-DATA, or Zeek's file extraction) and hash them for malware analysis.
Analyze DNS queries for C2 indicators: periodic queries to one domain, many distinct long or high-entropy subdomains under one domain (tunnelling), unusual record types such as TXT or NULL, and bursts of NXDOMAIN responses that suggest algorithmically generated domains.
Check for data exfiltration patterns: large outbound byte counts relative to inbound, transfers to destinations not seen before the incident window, uploads outside business hours, and beaconing (connections to one destination at near-constant intervals).
Step 5: Documentation

Record what was found so that another analyst can reproduce it.

Actions

Export relevant packet captures as filtered pcaps so the evidence can be reviewed without the full capture; hash the exports and keep the original file's hash alongside them.
Document IOCs found in traffic (addresses, domains, URLs, JA3 and certificate fingerprints, file hashes) with first and last seen timestamps and the capture file each came from.
Create a timeline of network events in UTC and correlate it with host and log evidence.
Write an analysis summary: what was observed, what it means, how confident the conclusion is, and what remains unknown.
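As an added example covering steps 3 to 5 together (illustrative code written for this page, not part of the page's procedure or of Zeek itself): the script parses constructed Zeek conn.log and dns.log lines and performs the analysis steps in code: top talkers, destinations on ports outside an expected set, beacon detection from the regularity of connection intervals, DNS tunnelling signs from the number of distinct long or random-looking subdomain labels per domain, outbound volume per internal host, and finally an IOC list and timeline for the write-up. The log lines, the thresholds, the 10.0.0.0/8 internal-range assumption and the port allowlist are all assumptions made for the example.

```python
"""Triage Zeek conn.log and dns.log for an incident (steps 3-5): top talkers, unusual
ports, beaconing, DNS tunnelling signs, outbound volume, and an IOC list plus timeline."""
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed Zeek-style logs (assumption: not a real capture); parsing follows the #fields header.
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes",
    # 10.0.0.5 reaches 203.0.113.10:443 every ~60 s with one second of jitter: a beacon
    *[f"{1700000000 + 60 * i + i % 2}.0\tC{i}\t10.0.0.5\t{51000 + i}\t203.0.113.10\t443\ttcp\tssl\t500\t1200"
      for i in range(8)],
    # ordinary, irregular web browsing
    "1700000010.0\tW1\t10.0.0.7\t40001\t198.51.100.20\t80\ttcp\thttp\t800\t45000",
    "1700000305.0\tW3\t10.0.0.7\t40003\t198.51.100.21\t443\ttcp\tssl\t900\t52000",
    # 52 MB pushed to an odd port with almost nothing coming back: exfiltration candidate
    "1700000400.0\tX1\t10.0.0.9\t40010\t203.0.113.55\t4444\ttcp\t-\t52000000\t900",
])
DNS_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tquery\tqtype_name\trcode_name",
    "1700000005.0\t10.0.0.7\twww.example.com\tA\tNOERROR",
    # eight distinct 36-character labels under one domain: data carried in query names
    *[f"{1700000030 + 15 * i}.0\t10.0.0.5\t{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:36]}"
      f".t.bad-example.test\tTXT\tNOERROR" for i in range(8)],
])
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 587, 993}  # assumption: tune per environment

def parse_zeek(text):
    """Parse Zeek TSV into dicts keyed by the #fields header; '-' (unset) becomes None."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append({k: (None if v == "-" else v) for k, v in zip(fields, line.split("\t"))})
    return rows

def entropy(s):
    """Shannon entropy in bits per character; random-looking labels score high."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def top_talkers(conns, n=3):
    """Host pairs ranked by total bytes in both directions."""
    totals = Counter()
    for c in conns:
        totals[(c["id.orig_h"], c["id.resp_h"])] += int(c["orig_bytes"] or 0) + int(c["resp_bytes"] or 0)
    return totals.most_common(n)

def unusual_ports(conns, allow=COMMON_PORTS):
    """Destinations contacted on ports outside the expected set."""
    return sorted({(c["id.resp_h"], int(c["id.resp_p"])) for c in conns if int(c["id.resp_p"]) not in allow})

def detect_beacons(conns, min_count=5, max_cv=0.2):
    """(src, dst, port) whose connection gaps are near-constant: stdev/mean of gaps <= max_cv."""
    times = defaultdict(list)
    for c in conns:
        times[(c["id.orig_h"], c["id.resp_h"], int(c["id.resp_p"]))].append(float(c["ts"]))
    beacons = {}
    for key, ts in times.items():
        if len(ts) >= min_count:
            ts.sort()
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
                beacons[key] = round(mean(gaps), 1)
    return beacons

def suspicious_dns(dns, min_unique=5, min_label=16, min_entropy=3.5):
    """Registered domains (last two labels; no public-suffix list here) that receive
    many distinct long or high-entropy leftmost labels, the shape of DNS tunnelling."""
    labels = defaultdict(set)
    for d in dns:
        parts = d["query"].split(".")
        labels[".".join(parts[-2:])].add(parts[0])
    return {dom: len(ls) for dom, ls in labels.items()
            if sum(len(l) >= min_label or entropy(l) >= min_entropy for l in ls) >= min_unique}

def outbound_volume(conns, internal=("10.",), min_bytes=10_000_000):
    """Internal-to-external pairs that sent at least min_bytes, largest first."""
    out = Counter()
    for c in conns:
        if c["id.orig_h"].startswith(internal) and not c["id.resp_h"].startswith(internal):
            out[(c["id.orig_h"], c["id.resp_h"])] += int(c["orig_bytes"] or 0)
    return [(pair, n) for pair, n in out.most_common() if n >= min_bytes]

def build_report(conns, dns):
    """IOC list and time-ordered timeline of every flagged event, ready for the write-up."""
    beacons, tunnels, exfil = detect_beacons(conns), suspicious_dns(dns), outbound_volume(conns)
    exfil_pairs = {pair for pair, _ in exfil}
    iocs = sorted({k[1] for k in beacons} | set(tunnels) | {pair[1] for pair in exfil_pairs})
    timeline = []
    for c in conns:
        key = (c["id.orig_h"], c["id.resp_h"], int(c["id.resp_p"]))
        if key in beacons:
            timeline.append((float(c["ts"]), "beacon", f"{key[0]} -> {key[1]}:{key[2]}"))
        if key[:2] in exfil_pairs:
            timeline.append((float(c["ts"]), "exfil", f"{key[0]} -> {key[1]}:{key[2]} {c['orig_bytes']} B out"))
    for d in dns:
        if ".".join(d["query"].split(".")[-2:]) in tunnels:
            timeline.append((float(d["ts"]), "dns", f"{d['id.orig_h']} {d['query']}"))
    return {"iocs": iocs, "timeline": sorted(timeline)}
```

Against real logs, read the files instead of the embedded strings (parse_zeek(open("conn.log").read())); Zeek's default field set is a superset of the columns used here and the #fields header resolves their positions. The beacon test is deliberately simple: an implant that randomizes its sleep by more than about 20 percent will pass it, so treat a low coefficient of variation as a lead rather than proof, and also look at the plain count of connections per destination. The DNS heuristic flags the registered domain, which is the right indicator to block, rather than the individual query names, which change with every packet.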

Completion Checklist

Capture authorization obtained
Capture tools prepared
Traffic successfully captured
Protocol statistics reviewed
Suspicious connections identified
Streams analyzed
Files extracted (if applicable)
IOCs documented
Findings summarized

Evidence to Collect

  • PCAP files
  • Extracted files
  • IOC list
  • Analysis notes
  • Connection timeline
