Beaconing
Definition
Periodic outbound connections from a compromised host to a command-and-control server, typically at regular intervals. The regularity of the interval, measured in seconds or minutes, distinguishes malware beaconing from human browsing patterns and is detectable through timing analysis of connection logs.
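The timing analysis described above, as an added example that is not part of the original glossary page: a small Python script that groups a connection log by (source, destination, port), computes the inter-arrival times of each group, and flags groups whose intervals are too regular to be human browsing. The log format and the sample lines are constructed for the example; the coefficient-of-variation threshold and minimum connection count are assumed tuning values, not anything the page specifies.

```python
"""Detect beaconing in a connection log by inter-arrival timing analysis."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (hypothetical format: ISO timestamp, src IP, dst IP, dst port).
# 10.0.0.5 contacts 203.0.113.10:443 roughly every 60 s with a few seconds of jitter;
# 10.0.0.7 contacts 198.51.100.20:443 at irregular, human-like intervals.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 203.0.113.10 443
2024-01-01T10:01:02 10.0.0.5 203.0.113.10 443
2024-01-01T10:01:58 10.0.0.5 203.0.113.10 443
2024-01-01T10:03:01 10.0.0.5 203.0.113.10 443
2024-01-01T10:03:59 10.0.0.5 203.0.113.10 443
2024-01-01T10:05:00 10.0.0.5 203.0.113.10 443
2024-01-01T10:06:03 10.0.0.5 203.0.113.10 443
2024-01-01T10:00:05 10.0.0.7 198.51.100.20 443
2024-01-01T10:00:09 10.0.0.7 198.51.100.20 443
2024-01-01T10:02:40 10.0.0.7 198.51.100.20 443
2024-01-01T10:02:41 10.0.0.7 198.51.100.20 443
2024-01-01T10:09:15 10.0.0.7 198.51.100.20 443
2024-01-01T10:15:02 10.0.0.7 198.51.100.20 443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        groups[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return groups


def interarrival_seconds(times):
    """Seconds between consecutive connections, after sorting by time."""
    ordered = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]


def timing_stats(deltas):
    """Mean interval, population stdev and coefficient of variation (stdev / mean).

    CV is scale-free: a 30 s beacon and a 10 min beacon both score near zero,
    while bursty human traffic scores high. Returns None when the deltas are
    unusable (fewer than two, or a zero mean from duplicate timestamps).
    """
    if len(deltas) < 2:
        return None
    avg = mean(deltas)
    if avg <= 0:
        return None
    sd = pstdev(deltas)
    return {"mean": avg, "stdev": sd, "cv": sd / avg}


def find_beacons(log_text, min_connections=5, max_cv=0.2):
    """Return (src, dst, dport) groups whose interval regularity suggests beaconing.

    min_connections avoids flagging pairs seen only a couple of times (assumed
    value); max_cv tolerates the small jitter many implants add to their sleep
    interval (assumed value; lower it for stricter matching).
    """
    hits = []
    for key, times in parse_log(log_text).items():
        if len(times) < min_connections:
            continue
        stats = timing_stats(interarrival_seconds(times))
        if stats is None or stats["cv"] > max_cv:
            continue
        hits.append({"key": key, "count": len(times),
                     "mean_interval": stats["mean"], "cv": stats["cv"]})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        src, dst, dport = hit["key"]
        print(f"{src} -> {dst}:{dport}  n={hit['count']}  "
              f"interval={hit['mean_interval']:.1f}s  cv={hit['cv']:.3f}")
```

Run it against flow start timestamps (NetFlow records, Zeek conn logs, firewall logs) rather than individual packets, since a long-lived TCP session produces one flow, not a series of periodic connections. The script only surfaces candidates: a low CV also matches legitimate schedulers such as update checks and NTP, so the flagged destination still has to be reviewed.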
Related terms
- Artefact carving: Extracting embedded content from raw data by locating known file signatures (magic bytes) at byte boundaries. In PCAP analysis, this means reassembling...
- Display filter: A Wireshark filter expression applied to an already-captured PCAP file to show only packets matching specified criteria. Display filters do not delete...
- DNS tunnelling: Encoding data inside DNS queries and responses to exfiltrate information or carry command-and-control traffic through a network that permits DNS but blocks...
- Network flow (NetFlow/IPFIX): A summary record of a network conversation, storing source IP, destination IP, source port, destination port, protocol, byte count, and timestamps, without...
- Packet capture (PCAP): The interception and recording of network packets as they traverse an interface. The raw data is stored in PCAP format and analysed...
- PCAP: Packet capture file. The standard format for storing captured network frames, originally defined by the libpcap library. Each record contains the raw...
- Port number: A 16-bit integer in the TCP or UDP header that identifies the application-layer service at each endpoint. Well-known ports are assigned by...
- Protocol dissector: A software component in a packet analyser that recognises a specific protocol and parses its header fields into named, readable values. Wireshark...
- Stream reassembly: The process of collecting all the TCP segments belonging to a single connection and reordering them by sequence number to reconstruct the...
- TCP three-way handshake: The connection establishment sequence in TCP: the client sends SYN, the server responds SYN-ACK, and the client completes with ACK. The timestamps...
Explained in these topics
- Network Protocols and Traffic Interpretation: Periodic outbound connections from a compromised host to a command-and-control server, typically at regular intervals. The regularity of the interval, measured...
- Traffic Analysis and Protocol Dissection: A traffic pattern in which a host contacts the same remote endpoint at regular intervals. Associated with command-and-control communication by malware, which c...