Mobile & Network Forensics | medium | Free

Network Forensics: Packet Capture and Log Analysis

Questions: 30
Duration: 30 min
Faculty-reviewed: 30
Updated: 03 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

This mock covers Network Forensics as it is actually practised — reading packet captures, parsing logs, and reconstructing what happened on the wire. Thirty medium-difficulty questions across the eight pillars a network-forensic analyst (and any FACT or NFSU MSc Cyber Forensics aspirant) must lock in: packet-capture fundamentals (tcpdump and dumpcap snaplen, BPF capture filters versus Wireshark display filters, ring buffers for continuous capture, libpcap versus PCAP-NG), the TCP/IP stack as a forensic timeline (Ethernet framing, IPv4 TTL and fragmentation, TCP flags including the FIN-versus-RST distinction, the three-way handshake, sequence numbers, and retransmissions), per-protocol artefacts (HTTP request headers, the cleartext SNI in the TLS ClientHello, DNS record types and exfiltration patterns, the SMTP envelope, FTP active versus passive, SMB on port 445, the SSH banner), flow telemetry versus full PCAP (NetFlow/IPFIX, sFlow sampling), intrusion detection (Snort/Suricata rule anatomy, Zeek protocol logs, MITRE ATT&CK lateral-movement techniques), web and proxy logs (Apache Common Log Format, IIS W3C Extended Log Format with its UTC time field), timestamp normalisation across UTC/IST/NTP-drifted endpoints, attacker techniques visible in packets (SYN scans, DNS tunnelling, JA3/JA3S TLS fingerprinting), and the Indian regulatory layer (IT Act sections 69 and 69B with the CERT-In Directions of 28 April 2022 mandating 180-day log retention within Indian jurisdiction).

It is pitched at MSc Cyber Forensics students at NFSU, LNJN-NICFS, and other Indian universities, and at FACT, UGC-NET, and entry-level SOC analyst aspirants who need the network-forensics layer locked in before tackling deeper malware-traffic analysis, encrypted-payload reconstruction, and case studies. The questions assume you already know the basics of digital forensics; the medium-difficulty bar is set so that a careful read of an explanation closes the gap if you got the question wrong.

Topics covered:

  • Packet capture: tcpdump/Wireshark/dumpcap, BPF filter syntax, ring buffers, libpcap vs PCAP-NG
  • TCP/IP stack: Ethernet, IPv4 TTL/fragmentation, TCP flags, three-way handshake, retransmissions
  • Protocol artefacts: HTTP, HTTPS ClientHello SNI, DNS records and tunnelling, SMTP, FTP active/passive, SMB, SSH
  • Flow telemetry: NetFlow/IPFIX vs full PCAP, sFlow sampling
  • Intrusion detection: Snort/Suricata rule anatomy, Zeek protocol logs, MITRE ATT&CK lateral movement
  • Web/proxy logs: Apache CLF, IIS W3C Extended, NTP and UTC timestamp normalisation
  • Attacker techniques in packets: SYN scans, DNS tunnelling, JA3/JA3S TLS fingerprints
  • Indian context: IT Act sections 69 and 69B, CERT-In Directions of 28 April 2022 (180-day log retention)

Each question carries a detailed 220+ word explanation citing primary sources — Davidoff and Ham’s *Network Forensics*, the relevant RFCs (791, 959, 1035, 4253, 5321, 6066, 7011, 9293), NIST SP 800-86, the Wireshark and Snort documentation, MITRE ATT&CK, and the IT Act with the CERT-In Directions. Allow 30 minutes; the explanations are long enough to use as study notes by themselves.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • RFC 791 — Internet Protocol. Section 3.2: Discussion — Fragmentation and Reassembly. (Open source; cited in 2 questions)
  • NIST SP 800-86 — Guide to Integrating Forensic Techniques into Incident Response. Section 6.4: Network Traffic Data Sources (covert channels in DNS). (Open source; cited in 2 questions)
  • RFC 9293 — Transmission Control Protocol (TCP). Section 3.10: Event Processing (Connection Termination, RST handling). (Open source; cited in 2 questions)
  • RFC 1035 — Domain Names: Implementation and Specification. Section 3.2.2: TYPE values; RFC 3596 for AAAA. (Open source; cited in 1 question)
  • Wireshark Documentation — dumpcap(1) man page. Section: Multiple files / Ring buffer (-b options). (Open source; cited in 1 question)
  • RFC 7011 — Specification of the IP Flow Information Export (IPFIX) Protocol. Section 2: Terminology; Section 3: IPFIX Documents Overview. (Open source; cited in 1 question)
  • Information Technology Act, 2000 (sections 69 and 69B) and CERT-In Directions, 28 April 2022. Section 69 (interception, monitoring, decryption); Section 69B (traffic data); CERT-In Directions of 28-04-2022 on cyber-incident reporting and log retention. (Open source; cited in 1 question)
  • Salesforce Engineering — TLS Fingerprinting with JA3 and JA3S. Algorithm description: ClientHello field selection and MD5 hashing. (Open source; cited in 1 question)
  • IETF — PCAP Next Generation File Format Specification (draft-tuexen-opsawg-pcapng). Section 4: Block Structure (Section Header, Interface Description, Enhanced Packet). (Open source; cited in 1 question)
  • Zeek Documentation — dns.log. Field reference and detection patterns for DNS-based exfiltration. (Open source; cited in 1 question)
  • MITRE ATT&CK Enterprise Matrix. Tactic TA0008: Lateral Movement; Techniques T1021.002 and T1047. (Open source; cited in 1 question)
  • RFC 959 — File Transfer Protocol. Section 3.2: Establishing Data Connections (Active vs Passive). (Open source; cited in 1 question)
  • Zeek Documentation — Logs. Section: Logs (conn, dns, http, ssl, ssh, smb_files, x509). (Open source; cited in 1 question)
  • IEEE Std 802.3-2022 — Ethernet. Clause 3: MAC Frame Structure. (Cited in 1 question)
  • RFC 7231 — HTTP/1.1: Semantics and Content. Section 5.5.3 (User-Agent), 5.5.2 (Referer); RFC 6265 (Cookie). (Open source; cited in 1 question)
  • Nmap Reference Guide. Chapter 5: Port Scanning Techniques (SYN, Connect, FIN, NULL, Xmas). (Open source; cited in 1 question)
  • Microsoft IIS Documentation — W3C Extended Log File Format. Field reference and timezone (UTC) note. (Open source; cited in 1 question)
  • Apache HTTP Server Documentation — Log Files. Section: Common Log Format and Combined Log Format. (Open source; cited in 1 question)
  • Microsoft — [MS-SMB2]: Server Message Block (SMB) Protocol Versions 2 and 3. Section 1.3: Overview (transport over TCP/445). (Open source; cited in 1 question)
  • Wireshark User’s Guide — Capture Filters. Chapter 4: Capturing Live Network Data — BPF capture filter syntax. (Open source; cited in 1 question)
  • RFC 4253 — The Secure Shell (SSH) Transport Layer Protocol. Section 4.2: Protocol Version Exchange. (Open source; cited in 1 question)
  • RFC 5321 — Simple Mail Transfer Protocol. Section 3.3: Mail Transactions; Section 4.1: Command Syntax. (Open source; cited in 1 question)
  • RFC 3176 — InMon Corporation’s sFlow. Section 4: Sampling Mechanism. (Open source; cited in 1 question)
  • Snort 3 Rule Writing Guide. Chapter: Rule Headers and General Rule Options (msg, sid, rev, flow, content). (Open source; cited in 1 question)
  • Davidoff, Sherri & Ham, Jonathan — Network Forensics: Tracking Hackers Through Cyberspace. Chapter 3: Evidence Acquisition (tcpdump and libpcap snaplen behaviour). (Cited in 1 question)
  • RFC 5681 — TCP Congestion Control. Section 3.2: Fast Retransmit / Fast Recovery. (Open source; cited in 1 question)
  • RFC 6066 — Transport Layer Security (TLS) Extensions. Section 3: Server Name Indication. (Open source; cited in 1 question)

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations are shown only after you submit, so the test stays a real test.

Common questions

How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Free.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Mobile & Network Forensics, FACT, Digital Forensics, NET. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Yes — 30 of 30 questions are faculty-reviewed. Each question carries a verified source citation.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.
