
Network Forensics: Traffic Analysis and Evidence Collection


Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read

Network traffic does not lie. An attacker can wipe logs, timestomp files, and clear event records, but if you captured the packets, the evidence is there. Network forensics focuses on capturing, analyzing, and reconstructing network communications to understand what happened during a security incident.

PCAP Analysis Fundamentals

Full packet capture (pcap) gives you the complete picture — every byte that crossed the wire. The challenge is storage: a saturated 1 Gbps link produces roughly 450 GB of pcap per hour (125 MB/s), and pcapng with its larger headers slightly more. Most organizations use a combination of full capture for critical segments and metadata-only logging (NetFlow/IPFIX, or Zeek logs) for broader visibility.

When analyzing pcap files, start with the big picture. Look at conversation statistics to identify the top talkers, unusual protocols, or connections to known-bad IP ranges. Then drill into specific sessions.

Key things to look for in pcap during an investigation:

  • DNS queries to domains associated with C2 infrastructure
  • HTTP/HTTPS connections with unusual User-Agent strings or beaconing patterns
  • Large outbound data transfers, especially to cloud storage or uncommon destinations
  • Cleartext credentials in protocols like FTP, Telnet, or HTTP Basic Auth
  • Protocol anomalies — DNS over non-standard ports, ICMP tunneling, SSH on unusual ports
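The "big picture first" triage described above, as an added example that is not code from the original article: a dependency-free pcap reader that builds conversation statistics, flags SYN-only packets (the same condition as the Wireshark scan filter) and pulls the query name out of DNS traffic. The capture it reads is constructed inline from synthetic frames; the IPs, ports and domain are made up for illustration.

```python
"""Pure-Python pcap triage (no scapy/dpkt): conversation statistics, SYN-only
packets and DNS query names from a classic (non-pcapng) capture file."""
import socket
import struct
from collections import Counter

# ---- constructed sample traffic: synthetic frames, not a real capture -------------
def _ip(src, dst, proto, payload):
    """Ethernet II + IPv4 header (checksum left 0; the parser does not verify it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + hdr + payload

def _tcp(src, dst, sport, dport, flags, payload=b""):
    hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return _ip(src, dst, 6, hdr + payload)

def _dns_query(src, dst, name):
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"
    return _ip(src, dst, 17, struct.pack("!HHHH", 53333, 53, 8 + len(msg), 0) + msg)

def build_pcap(frames):
    """Wrap raw Ethernet frames in a little-endian pcap file (DLT_EN10MB)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

SAMPLE_PCAP = build_pcap(
    [_dns_query("10.0.0.50", "10.0.0.2", "update.example-c2.test")]
    + [_tcp("10.0.0.50", "203.0.113.7", 51000 + i, 443, 0x018,   # PSH/ACK, TLS-looking
            b"\x17\x03\x03" + b"A" * 1400) for i in range(5)]
    + [_tcp("198.51.100.9", "10.0.0.50", 40000 + p, p, 0x002)    # SYN only: port scan
       for p in (22, 80, 443, 3389)]
    + [_tcp("10.0.0.50", "10.0.0.2", 52000, 80, 0x018, b"GET / HTTP/1.1\r\n\r\n")]
)

# ---- the analysis ------------------------------------------------------------------
def parse_pcap(data):
    """Yield (src, dst, proto, sport, dport, tcp_flags, payload) for each IPv4 frame."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # ARP, IPv6, VLAN-tagged frames etc. are skipped to stay short
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto == 6 and len(l4) >= 20:
            sport, dport, offflags = struct.unpack_from("!HH8xH", l4, 0)
            yield src, dst, "tcp", sport, dport, offflags & 0x1FF, l4[(offflags >> 12) * 4:]
        elif proto == 17 and len(l4) >= 8:
            sport, dport = struct.unpack_from("!HH", l4, 0)
            yield src, dst, "udp", sport, dport, 0, l4[8:]

def dns_qname(msg):
    """Decode the first question name of a DNS message (questions are never compressed)."""
    labels, i = [], 12
    while i < len(msg) and msg[i]:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)

def triage(data):
    """Top talkers by payload bytes, SYN-only packets, and DNS query names."""
    conv_bytes, syn_only, dns_names = Counter(), [], []
    for src, dst, proto, sport, dport, flags, payload in parse_pcap(data):
        conv_bytes[(src, dst, proto, dport)] += len(payload)
        if proto == "tcp" and flags & 0x12 == 0x02:   # SYN set, ACK clear
            syn_only.append((src, dst, dport))
        if proto == "udp" and dport == 53 and len(payload) > 12:
            dns_names.append(dns_qname(payload))
    return {"top_talkers": conv_bytes.most_common(3),
            "syn_only": syn_only, "dns_queries": dns_names}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PCAP).items():
        print(key, value)
```

Point `triage()` at `open("capture.pcap", "rb").read()` to run it on a real file. Conversations are keyed by destination port only, which is what groups a scan's many ephemeral source ports into one line; the SYN-only list from a single source hitting several ports is the shape of a scan, not proof of one, and a host with many SYNs to one port may simply be retrying a dead service.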

Wireshark for Forensic Analysis

Wireshark is the go-to tool for interactive pcap analysis. Use display filters to narrow down relevant traffic quickly:

  • ip.addr == 10.0.0.50 && tcp.port == 443 — traffic between a specific host and port 443 (usually TLS; filter on tls instead of the port to match the protocol itself, whatever port it runs on)
  • dns.qry.name contains "suspicious" — DNS queries matching a pattern
  • http.request.method == POST && http.content_length > 1000000 — large HTTP uploads (cleartext HTTP only, or TLS sessions you have already decrypted)
  • tcp.flags.syn == 1 && tcp.flags.ack == 0 — SYN-only packets (scan detection)

The “Follow TCP Stream” and “Follow HTTP Stream” features reconstruct full application-layer conversations. For encrypted traffic, Wireshark can decrypt TLS only if you hold the right key material: the server’s private key works only for sessions negotiated with RSA key exchange, while (EC)DHE cipher suites and all of TLS 1.3 require the per-session secrets, typically a key log written by the client through the SSLKEYLOGFILE environment variable or exported from a TLS-terminating proxy, loaded via Edit > Preferences > Protocols > TLS.

Export objects (File > Export Objects > HTTP) to extract files transferred over cleartext or decrypted HTTP without manual reconstruction; the same menu also carves objects out of SMB, TFTP and IMF (e-mail) sessions.

Zeek for Scalable Analysis

Zeek (formerly Bro) generates structured logs from network traffic that are far easier to search at scale than raw pcap. Where Wireshark excels at deep-diving into individual sessions, Zeek excels at finding patterns across millions of connections.

Key Zeek logs for forensic work:

  • conn.log — every connection with its uid (the key for pivoting into every other log), duration, bytes transferred in each direction, and connection state
  • dns.log — all DNS queries and responses
  • http.log — HTTP requests with URIs, status codes, and MIME types
  • files.log — files transferred over the network with hashes
  • ssl.log — TLS handshake details including certificate information
  • notice.log — Zeek’s own anomaly detection output

Search Zeek logs with zeek-cut for column extraction, or feed them into your SIEM for correlation with host-based events.

Traffic Reconstruction

Reconstructing the attacker’s actions from network evidence often requires combining multiple data sources. Match DNS queries with connection logs to map domain-based C2. Correlate file hashes from files.log with known malware databases. Overlay network activity timestamps with host forensic timelines to build a complete picture.
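The zeek-cut style column extraction and the DNS-to-connection correlation just described, as an added example that is not the article's or Zeek's own code: a reader for Zeek's TSV format, a column projector, and a join that names the domain behind each conn.log destination from dns.log answers. The two log excerpts are constructed and trimmed to a handful of columns (real logs carry many more); the uids, addresses and domains are invented.

```python
"""Parse Zeek TSV logs, project columns zeek-cut style, and join dns.log answers
to conn.log destinations to label connections with the domain that led there."""
from collections import defaultdict

# Constructed log excerpts (a subset of Zeek's real columns) ---------------------------
CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1700000000.10\tCabc01\t10.0.0.50\t51000\t203.0.113.7\t443\ttcp\tssl\t1.2\t1403\t620\tSF
1700000060.40\tCabc02\t10.0.0.50\t51001\t203.0.113.7\t443\ttcp\tssl\t1.1\t1403\t612\tSF
1700000120.30\tCabc03\t10.0.0.50\t51002\t203.0.113.7\t443\ttcp\tssl\t1.3\t1403\t618\tSF
1700000070.00\tCabc04\t10.0.0.50\t51003\t198.51.100.20\t443\ttcp\tssl\t0.4\t2100\t88010\tSF
1700000090.00\tCabc05\t10.0.0.50\t51004\t192.0.2.9\t22\ttcp\tssh\t-\t0\t0\tS0
#close\t2026-02-28-10-05-00
"""

DNS_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\tqtype_name\trcode_name\tanswers
#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring\tvector[string]
1699999999.90\tCdns01\t10.0.0.50\t10.0.0.2\tupdate.example-c2.test\tA\tNOERROR\t203.0.113.7
1700000069.50\tCdns02\t10.0.0.50\t10.0.0.2\tcdn.example.test\tA\tNOERROR\t198.51.100.20,198.51.100.21
1700000080.00\tCdns03\t10.0.0.50\t10.0.0.2\tnope.example.test\tA\tNXDOMAIN\t-
"""

def parse_zeek(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    sep, fields = "\t", None
    for line in text.splitlines():
        if line.startswith("#separator"):
            # the header spells the separator as an escape, e.g. "\x09"
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            yield dict(zip(fields, line.split(sep)))

def zeek_cut(rows, *cols):
    """Equivalent of `zeek-cut col1 col2 ...`: keep only the named columns."""
    return [tuple(r[c] for c in cols) for r in rows]

def _count(v):
    return 0 if v in ("-", "(empty)") else int(v)

def map_domains(conn_rows, dns_rows):
    """Attach the queried domain(s) to each connection whose resp_h appeared in a
    DNS answer. Returns (labelled, unlabelled_uids); unlabelled destinations are
    worth a look too: hard-coded IPs or resolution via DoH show up exactly there."""
    ip_to_domains = defaultdict(set)
    for r in dns_rows:
        if r["answers"] in ("-", "(empty)"):
            continue                     # NXDOMAIN or no A/AAAA data
        for ip in r["answers"].split(","):
            ip_to_domains[ip].add(r["query"])
    labelled, unlabelled = [], []
    for c in conn_rows:
        domains = ip_to_domains.get(c["id.resp_h"])
        if domains:
            labelled.append((c["uid"], c["id.orig_h"], c["id.resp_h"],
                             int(c["id.resp_p"]), sorted(domains), _count(c["orig_bytes"])))
        else:
            unlabelled.append(c["uid"])
    return labelled, unlabelled

if __name__ == "__main__":
    for uid, resp_h in zeek_cut(parse_zeek(CONN_LOG), "uid", "id.resp_h"):
        print(uid, resp_h)
    hits, misses = map_domains(list(parse_zeek(CONN_LOG)), list(parse_zeek(DNS_LOG)))
    for h in hits:
        print(*h)
    print("no DNS seen for:", misses)
```

The join is by answer IP, which is the only link between the two logs; Zeek's own uid ties a connection to its files.log and ssl.log entries, not to the DNS lookup that preceded it. On real logs, resolve answers that arrived before the connection and within the record's TTL, otherwise a recycled CDN address will pick up a stale label.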

For encrypted C2 channels, you may not see the content, but the metadata still tells a story. Regular beaconing intervals, consistent packet sizes, and JA3/JA3S fingerprints of TLS clients and servers can identify malicious traffic even without decryption.
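The beaconing analysis from the paragraph above, as an added example that is not from the original article: a scorer that works on connection metadata alone (start times and bytes sent), so it applies to encrypted channels without any decryption. The two series are constructed: one regular 60-second check-in with small jitter, one irregular browsing pattern. The thresholds are illustrative assumptions, not published values.

```python
"""Beacon scoring from connection metadata (timestamps and orig_bytes per
(src, dst) pair), the signal that survives TLS: no payload is needed."""
import statistics

# Constructed series for one (src, dst) pair each; not real traffic -------------------
_JITTER = [0.0, 1.5, -1.0, 0.5, 2.0]                       # seconds of sleep jitter
BEACON_TS = [60.0 * i + _JITTER[i % 5] for i in range(20)]  # ~60 s check-in
BEACON_SIZES = [[520, 512, 530, 516, 524][i % 5] for i in range(20)]

_GAPS = [2, 0.5, 35, 120, 3, 900, 7, 1, 60, 400, 12, 0.3]   # human-paced browsing
BROWSE_TS = [sum(_GAPS[:i]) for i in range(len(_GAPS) + 1)]
BROWSE_SIZES = [320, 15000, 800, 2400, 90000, 500, 1200, 64000, 300, 7000, 210, 3300, 900]

def _cv(xs):
    """Coefficient of variation: spread relative to the mean, unit-free."""
    m = statistics.fmean(xs)
    return statistics.pstdev(xs) / m if m else float("inf")

def beacon_score(timestamps, orig_bytes, min_conns=8,
                 max_interval_cv=0.15, max_size_cv=0.25):
    """Score one (src, dst) pair. A beacon shows near-constant inter-connection
    intervals and near-constant request sizes; the cutoffs are assumptions to be
    tuned against a baseline of known-good traffic."""
    if len(timestamps) < min_conns:
        return {"connections": len(timestamps), "is_beacon": False,
                "reason": "too few connections to judge regularity"}
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    interval_cv, size_cv = _cv(intervals), _cv(orig_bytes)
    return {
        "connections": len(ts),
        "median_interval_s": statistics.median(intervals),
        "interval_cv": round(interval_cv, 3),
        "size_cv": round(size_cv, 3),
        "is_beacon": interval_cv <= max_interval_cv and size_cv <= max_size_cv,
    }

if __name__ == "__main__":
    print("implant-like:", beacon_score(BEACON_TS, BEACON_SIZES))
    print("browsing:   ", beacon_score(BROWSE_TS, BROWSE_SIZES))
```

Feed it the ts and orig_bytes columns of conn.log grouped by (id.orig_h, id.resp_h); the median interval is the sleep timer and is more robust than the mean when a few check-ins are missed. Add the JA3/JA3S pair from ssl.log as a further grouping key to separate an implant from a legitimate updater that polls the same host on a timer, which this scorer alone cannot do.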


Frequently Asked Questions

How long does it take to learn this skill?

Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.

Do I need certifications for this skill?

Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.

What career paths use this skill?

Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
