
PCAP analysis: Putting it all together (part 4)

In previous posts we went through the basic analytic process for reviewing pcap files. While it is usually quite easy to find what you are looking for using these methods, most of the time we don’t actually know what we are looking for. So how do we work out the essentials and surface the anomalies we can then dig deeper into?

PCAP analysis: tcpdump & tshark (part 3)

Tshark has different filters which can be applied during capture, or afterwards when we want to carve out only the interesting bits and bytes from the capture. Let’s see how they work and how to put them to use.

PCAP analysis: tcpdump & tshark (part 2)

In this post we take the first steps in finding out what is happening in the lab network. All the examples use tshark or tcpdump to dissect the data and to apply filters and other methods to gather the information we need.

PCAP analysis: tcpdump & tshark (part 1)

I have mirrored my lab’s internal network to a dedicated interface on a dedicated virtual server. This allows me to monitor all the traffic flying in and out of my lab.

As you probably know, tcpdump allows you to capture traffic, filter it and save it for later analysis.

Let’s see different ways to do capturing and analysis.