Network Protocols and Traffic Interpretation
Investigators reading packet captures or network logs must understand the structure of TCP/IP, HTTP, SMTP, and related protocols to identify anomalous behaviour and extract evidence. This topic covers protocol layers, header fields with investigative significance, connection states, and timing patterns that distinguish normal traffic from intrusion or data exfiltration.
Network protocols are the formal rules that govern how devices exchange data across a network. For a cyber investigator, understanding those rules is not optional background knowledge: it is the toolkit for reading packet captures, interpreting logs, and identifying the traffic patterns that distinguish a normal business session from an intrusion, a data exfiltration attempt, or command-and-control communication. The Internet Protocol stack organises communication into layers, each with its own header fields. Those header fields record source and destination addresses, port numbers, sequence numbers, timestamps, flags, and protocol-specific metadata, all of which carry investigative value when read in context.
The protocols most frequently encountered in investigations are TCP/IP at the transport and network layers, DNS for name resolution, HTTP and HTTPS for web traffic, SMTP, IMAP, and POP3 for email, and FTP or SMB for file transfer. Each protocol has characteristic behaviours that investigators learn to recognise: a normal TCP three-way handshake looks different from a SYN scan, a legitimate DNS query looks different from DNS tunnelling, and benign HTTP traffic has a different timing signature from automated credential-stuffing. Reading traffic is a skill built on knowing what normal looks like first.
Traffic interpretation intersects with legal authority. Capturing packets in transit requires lawful interception authority under national law. Analysing stored logs or captures already collected by a network owner during an incident sits in a different legal category than live interception. Investigators must know which regime applies before they begin, both to ensure admissibility and to protect the rights of persons whose communications may appear in the data. Legislation such as India's Information Technology Act 2000 Section 69, the US Electronic Communications Privacy Act, and the EU's ePrivacy Directive each set different thresholds, and international investigations must satisfy the requirements of every jurisdiction whose nationals' traffic appears in the capture.
By the end of this topic you will be able to:
- Identify the layers of the TCP/IP model and name the key header fields at each layer that carry investigative value.
- Interpret TCP flags and connection states to distinguish normal handshakes from scanning, session hijacking, and denial-of-service patterns.
- Explain the investigative significance of HTTP headers, SMTP Received chains, and DNS query-response pairs in evidence extraction.
- Describe timing patterns and volume anomalies that indicate data exfiltration, beaconing malware, and brute-force attacks.
- Outline the legal framework governing packet capture and log analysis in at least two jurisdictions.
- Packet capture (PCAP)
- A file format that stores raw network frames as captured from a network interface. Tools such as Wireshark and tcpdump produce PCAP files. Each frame contains full headers and payload (unless the capture was taken with a truncating snapshot length, in which case only the first N bytes of each frame survive), making PCAP the most granular form of network evidence.
- TCP three-way handshake
- The sequence SYN, SYN-ACK, ACK that establishes a TCP connection. The initiating host sends SYN; the responding host replies SYN-ACK; the initiator completes with ACK. Sequences that stop short of the final ACK, or that draw an RST instead of a SYN-ACK, point to scanning, filtering, or interference; which one is decided by reading the flags of the reply.
- Port number
- A 16-bit integer in the TCP or UDP header that identifies the application-layer service at each endpoint. Well-known ports are assigned by IANA: HTTP is 80, HTTPS is 443, SMTP is 25, DNS is 53. Traffic on unexpected port numbers is a common indicator of tunnelling or evasion.
- Beaconing
- Periodic outbound connections from a compromised host to a command-and-control server, typically at regular intervals. The regularity of the interval, measured in seconds or minutes, distinguishes malware beaconing from human browsing patterns and is detectable through timing analysis of connection logs.
- Network flow (NetFlow/IPFIX)
- A summary record of a network conversation, storing source IP, destination IP, source port, destination port, protocol, byte count, and timestamps, without the packet payload. Flow records are less granular than PCAP but are retained for longer periods and cover higher-volume networks.
- DNS tunnelling
- Encoding data inside DNS queries and responses to exfiltrate information or carry command-and-control traffic through a network that permits DNS but blocks other protocols. Indicators include unusually long domain names, high-entropy subdomains, and query volumes far above what name resolution alone would generate.
The TCP/IP model and its investigative layers
The TCP/IP model organises network communication into four layers: link, internet, transport, and application. Each layer adds its own header to the data being transmitted, and each header contains fields that matter to investigators. Understanding which layer holds which information prevents the common mistake of looking for an answer in the wrong header.
| Layer | Protocol examples | Key investigative fields |
|---|---|---|
| Link | Ethernet, Wi-Fi (802.11) | MAC address (source and destination), VLAN tag |
| Internet | IPv4, IPv6, ICMP | Source IP, destination IP, TTL, protocol number, fragmentation flags |
| Transport | TCP, UDP | Source port, destination port, sequence/acknowledgment numbers, TCP flags, checksum |
| Application | HTTP, DNS, SMTP, FTP, SMB | Protocol-specific headers, URL, From/To fields, query names, file names |
The IP Time to Live (TTL) field deserves particular attention. Each router along a path decrements the TTL by one and discards the packet if the result is zero, returning an ICMP Time Exceeded message to the source. Operating systems start from a small set of default initial values (commonly 64 for Linux and macOS, 128 for Windows, 255 for many network devices), so investigators compare the TTL observed at the capture point against the nearest default above it to estimate how many hops the packet has traversed. An attacker spoofing a source IP chooses the initial TTL but not the number of routers the packet actually crosses, so traffic claiming to come from a directly attached subnet that arrives with a TTL several hops below a default is a red flag, and TTLs that vary widely within traffic attributed to one address suggest that more than one machine is behind it.
MAC addresses operate only within a single network segment. They are not preserved end-to-end across routed networks. This limits their value in wide-area investigations but makes them useful in local-network investigations: the MAC address of the device that connected to a switch port can identify the specific machine, and ARP tables can map MACs to IPs at the time of the incident.
TCP connection states and their investigative meaning
TCP is a stateful protocol. A connection moves through defined states from establishment to teardown, and each state transition leaves a record in packet captures and in the connection tables maintained by operating systems and firewalls. Investigators read these states to reconstruct what happened and when.
The TCP header defines six classic control flags: URG, ACK, PSH, RST, SYN, and FIN (later extensions added CWR and ECE for congestion notification). Of these, SYN, ACK, RST, and FIN carry the most investigative weight. A SYN with no reply usually means the destination port is filtered by a firewall, though packet loss or an absent host produces the same silence, which is why scanners retransmit before drawing that conclusion. A SYN answered by RST (strictly RST-ACK) indicates the port is closed on a host that is up. A SYN followed by SYN-ACK and then ACK is a completed handshake. A stream of SYN packets from one source to many destination ports on a host, with few or no completed handshakes, is a port scan; the SYN-ACKs it elicits tell the scanner, and the investigator, which ports were open.
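The TTL reasoning above and the flag-based port-state reading in this paragraph are both mechanical enough to script. The following is an added example, not code from the original page: it classifies how each SYN in a constructed packet list was answered, flags a source that probed many ports on one host without completing handshakes, and checks whether a packet's TTL is plausible for the subnet its source claims. The tuple layout, the local subnet, the default-TTL set and the scan thresholds are all assumptions made for the example.

```python
"""Added example (not from the original page): classify how each SYN was
answered, flag a port scan from the SYN-to-completion ratio, and check
whether a packet's TTL is plausible for the subnet its source claims.
Packet records are constructed tuples, not a real capture format:
  (timestamp, src_ip, dst_ip, src_port, dst_port, flags, ttl)
with flags written tcpdump-style: "S", "SA", "RA", "R", "A"."""
import ipaddress
from collections import defaultdict

DEFAULT_TTLS = (64, 128, 255)                      # common initial TTLs (Linux/macOS, Windows, network gear)
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")    # assumed subnet of the capture point


def build_packets():
    """Constructed traffic: a 12-port SYN scan from outside, one genuine
    handshake from a local client, and one packet with a spoofed local source."""
    pk, t = [], 0.0
    scanner, target = "198.51.100.4", "10.0.0.5"
    open_ports, silent_ports = {22, 80, 443}, {445}
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443]):
        t += 0.01
        pk.append((t, scanner, target, 40000 + i, port, "S", 50))       # about 14 hops from a 64 default
        if port in silent_ports:
            continue                                                    # filtered: no reply at all
        reply = "SA" if port in open_ports else "RA"
        pk.append((t + 0.002, target, scanner, port, 40000 + i, reply, 64))
    t += 1
    pk += [(t, "10.0.0.9", target, 52000, 443, "S", 64),
           (t + 0.001, target, "10.0.0.9", 443, 52000, "SA", 64),
           (t + 0.002, "10.0.0.9", target, 52000, 443, "A", 64)]
    pk.append((t + 2, "10.0.0.77", target, 31337, 53, "S", 57))        # claims local, but 7 hops away
    return pk


def estimate_hops(ttl):
    """Hops implied by the nearest default initial TTL at or above the observed value."""
    for base in DEFAULT_TTLS:
        if ttl <= base:
            return base - ttl
    return None                                     # above 255 cannot occur in a valid IPv4 header


def ttl_anomalies(packets, local_net=LOCAL_NET):
    """Packets whose source is on the local subnet yet whose TTL implies routing."""
    hits = []
    for _, src, _, _, _, _, ttl in packets:
        hops = estimate_hops(ttl)
        if ipaddress.ip_address(src) in local_net and hops:
            hits.append((src, ttl, hops))
    return hits


def port_outcomes(packets):
    """Per (client, server, port): 'open' (SYN-ACK), 'closed' (RST) or 'filtered' (silence)."""
    out = {}
    for _, src, dst, sport, dport, flags, _ in packets:
        if flags == "S":
            out.setdefault((src, dst, dport), "filtered")
        elif flags in ("SA", "RA", "R") and (dst, src, sport) in out:
            out[(dst, src, sport)] = "open" if flags == "SA" else "closed"   # reply: tuple reversed
    return out


def detect_scans(packets, min_ports=10, max_completion=0.1):
    """Sources that probed many ports on one host but completed almost no handshakes."""
    probed, completed = defaultdict(set), defaultdict(set)
    for _, src, dst, _, dport, flags, _ in packets:
        if flags == "S":
            probed[(src, dst)].add(dport)
        elif flags == "A" and dport in probed.get((src, dst), ()):
            completed[(src, dst)].add(dport)                # third packet of a handshake
    return [{"src": s, "dst": d, "ports_probed": len(p), "completed": len(completed[(s, d)])}
            for (s, d), p in probed.items()
            if len(p) >= min_ports and len(completed[(s, d)]) / len(p) <= max_completion]


if __name__ == "__main__":
    pk = build_packets()
    for key, state in sorted(port_outcomes(pk).items()):
        print(key, state)
    print("scans:", detect_scans(pk))
    print("ttl anomalies:", ttl_anomalies(pk))
```

The silent port stays "filtered" only because nothing ever answered it; on a real capture the same check should be run after the scanner's retransmissions have had time to arrive, otherwise a single lost SYN-ACK looks like a firewall.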
TCP sequence numbers are 32-bit counters that track bytes transferred in each direction. In a legitimate connection, sequence numbers increment predictably. Session hijacking attempts involve an attacker injecting packets with forged sequence numbers that fall within the expected window. Detecting this requires comparing observed sequence numbers against what the connection state table predicts. Modern operating systems use randomised initial sequence numbers (ISNs) to make blind hijacking harder, but the technique was historically exploited and sequence number analysis remains part of post-incident review.
A CLOSE_WAIT state that persists for hours indicates a connection where the remote side has sent FIN but the local application has not yet closed its socket, usually a hung or leaking process rather than an attack. Large numbers of connections in TIME_WAIT or SYN_RECEIVED states point to specific patterns: TIME_WAIT accumulation results from rapid connection cycling (scanners, load generators, or a misconfigured client), and SYN_RECEIVED (SYN_RECV on Linux) accumulation from half-open connections that never complete is the signature of a SYN flood denial-of-service attack.
HTTP and HTTPS traffic interpretation
HTTP is the primary application-layer protocol for web traffic and the most common channel for both legitimate user activity and attack traffic. An HTTP request consists of a method line (GET, POST, PUT, DELETE, and others), a set of headers, and an optional body. An HTTP response consists of a status line, response headers, and the response body. Each part carries information that investigators use to reconstruct user activity and attacker behaviour.
The most investigatively significant HTTP request headers are: Host (the intended virtual host), User-Agent (the client software, which attackers often set to mimic browsers or leave as a tool signature), Referer (the URL from which the request originated, useful for reconstructing navigation paths), and Authorization or Cookie (which carry credentials or session tokens). Response headers such as Set-Cookie and Location (for redirects) are equally important: tracking cookies can link multiple sessions to the same actor, and redirect chains can reveal infrastructure used in phishing or traffic distribution.
HTTPS encrypts the HTTP payload using TLS, so the request headers and body are not visible in a packet capture without the session keys or a proxy performing TLS inspection. Several fields nonetheless remain visible even in encrypted traffic: the destination IP address, the destination port, and the TLS Server Name Indication (SNI) extension in the ClientHello message, which reveals the domain name the client intended to connect to. In TLS 1.2 and earlier the certificate presented by the server is also sent in the clear, and certificate analysis can reveal self-signed certificates used by malware command-and-control servers, expired certificates, and certificates with suspicious subject names. Two caveats apply: TLS 1.3 encrypts the server's certificate, so that check works only on older sessions or on the certificates seen by an inspecting proxy, and where Encrypted Client Hello is deployed the SNI is hidden as well, leaving the IP, port, and timing as the only passive observables.
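The two parsing tasks this section describes, reading the headers of a plaintext HTTP request and pulling the SNI out of a TLS ClientHello, are shown below as an added example that is not part of the original page. The HTTP request and the ClientHello are constructed here (the ClientHello builder exists only so the parser has something realistic to read; it is not a TLS implementation), and the list of tool User-Agent prefixes is an assumed watch-list rather than an authoritative one.

```python
"""Added example (not from the original page): pull the investigatively
useful fields out of a plaintext HTTP request, and read the Server Name
Indication out of a TLS ClientHello, which stays in the clear even though
everything after the handshake is encrypted. Both inputs are constructed."""
import struct

# Constructed request: a scripted client hitting a login page from a lure page.
HTTP_REQUEST = (
    b"GET /login HTTP/1.1\r\n"
    b"Host: portal.example.com\r\n"
    b"User-Agent: python-requests/2.31.0\r\n"
    b"Referer: http://lure.example.net/verify\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)
WATCH_HEADERS = ("host", "user-agent", "referer", "authorization", "cookie")
TOOL_UA_PREFIXES = ("curl/", "python-requests/", "Wget/", "Go-http-client/", "sqlmap")  # assumed list


def parse_http_request(raw):
    """Request line plus the headers an investigator looks at first."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ua = headers.get("user-agent", "")
    return {"method": method, "target": target, "version": version,
            "headers": {k: v for k, v in headers.items() if k in WATCH_HEADERS},
            "tool_ua": ua.startswith(TOOL_UA_PREFIXES)}     # tool signature rather than a browser


def build_client_hello(server_name):
    """Constructed minimal ClientHello (record type 0x16, handshake type 0x01)
    carrying a single server_name extension."""
    name = server_name.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name          # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry              # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni         # extension_type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                          # client_version, random
            + b"\x00"                                        # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"             # one cipher suite
            + b"\x01\x00"                                    # compression_methods: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if it is absent,
    the record is not a ClientHello, or the bytes are truncated/malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                       # not a TLS handshake record
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None                                       # not a ClientHello
        pos = 4 + 2 + 32                                      # handshake header, version, random
        pos += 1 + hs[pos]                                    # skip session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # skip cipher_suites
        pos += 1 + hs[pos]                                    # skip compression_methods
        if pos + 2 > len(hs):
            return None                                       # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000 and elen >= 5:
                entry = hs[pos + 2:pos + elen]                # skip server_name_list length
                if entry[0] == 0:                             # host_name entry
                    nlen = struct.unpack("!H", entry[1:3])[0]
                    return entry[3:3 + nlen].decode("ascii", "replace")
            pos += elen
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    print(parse_http_request(HTTP_REQUEST))
    print(extract_sni(build_client_hello("c2.example.net")))
```

Running the same `extract_sni` over the first client-to-server payload of each TCP stream on port 443 gives a per-connection list of intended hostnames without any decryption; where the function returns None for a stream that is clearly TLS, either the SNI was omitted or Encrypted Client Hello is in use, and the IP and port are all that remain.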
Email protocols and the SMTP Received chain
Email moves through multiple mail transfer agents (MTAs) from sender to recipient. Each MTA prepends a Received header to the message that records the hostname of the server, the IP address of the system it accepted the connection from, and a timestamp. Reading these headers from bottom to top (oldest first) traces the message's path from its point of origin to the recipient's mailbox.
The From and Reply-To headers are supplied by the sending client and can be forged. Received headers are different in kind: each MTA adds its own as it accepts the message, and the recipient's mail server adds the final one. They are not, however, uniformly trustworthy. A sender can write fake Received lines into the message before it ever reaches a real MTA, and those sit at the bottom of the chain looking genuine. The reliable way to read the chain is therefore from the top (newest) downward, trusting each hop only while the "by" server is one the investigator controls or can vouch for; the "from" IP recorded by the last trusted server is the address that actually delivered the message to that perimeter. That IP is the closest verifiable thing to the sender's origin, though it may be a VPN, proxy, or compromised relay rather than the attacker's own address, and everything below it in the chain is only the sender's word.
Three authentication mechanisms are used to reduce email spoofing: SPF (Sender Policy Framework) lists authorised sending IPs for a domain in DNS TXT records; DKIM (DomainKeys Identified Mail) adds a cryptographic signature to the message headers that the receiving server verifies against a public key in DNS; and DMARC (Domain-based Message Authentication, Reporting and Conformance) specifies how a receiving server should handle messages that fail SPF or DKIM and where to send reports. Investigation of phishing emails includes checking whether these mechanisms passed or failed and which part of the chain produced the failure.
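The Received-chain walk and the SPF/DKIM/DMARC check described in the two paragraphs above are combined in the following added example, which is not code from the original page. The message is constructed (hostnames and addresses are documentation values), and the set of trusted MTAs passed to `boundary_origin` is an assumption about which servers belong to the investigator's own mail infrastructure.

```python
"""Added example (not from the original page): walk the Received chain of a
constructed phishing message oldest-first, pull the connecting IP from each
hop, decide which hops can be trusted, and read the receiver's
Authentication-Results header for the SPF/DKIM/DMARC verdicts."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message. The bottom Received line is the one the sender could
# have written; the two above it were added by the receiving organisation.
RAW_MESSAGE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP id 7x2Q; Tue, 5 Mar 2024 09:12:07 +0000
Received: from relay.example.net (relay.example.net [198.51.100.22])
\tby mx1.example.org with ESMTPS; Tue, 5 Mar 2024 09:12:05 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example.net with SMTP; Tue, 5 Mar 2024 09:11:58 +0000
Authentication-Results: inbox.example.org; spf=fail smtp.mailfrom=bank.example.com;
\tdkim=none; dmarc=fail header.from=bank.example.com
From: "Bank Support" <support@bank.example.com>
Reply-To: support-desk@attacker.example.net
To: victim@example.org
Subject: Urgent: verify your account
Date: Tue, 5 Mar 2024 09:11:50 +0000

Please log in via the link below.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def received_chain(raw):
    """Hops oldest-first. get_all() returns headers in message order (newest
    first, because each MTA prepends), so the list is reversed."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())                      # unfold the header
        from_m, by_m, ip_m = FROM_RE.search(text), BY_RE.search(text), IP_RE.search(text)
        hops.append({"from": from_m.group(1) if from_m else None,
                     "ip": ip_m.group(1) if ip_m else None,
                     "by": by_m.group(1) if by_m else None,
                     "date": text.rsplit(";", 1)[1].strip() if ";" in text else ""})
    return hops


def boundary_origin(raw, trusted_mtas):
    """Walk newest-first through hops written by MTAs we trust. The 'from' IP of
    the last trusted hop is the address that handed the message to our perimeter;
    every hop below it was written by servers we cannot vouch for."""
    origin = None
    for hop in reversed(received_chain(raw)):
        if hop["by"] not in trusted_mtas:
            break
        origin = hop["ip"]
    return origin


def auth_results(raw):
    """SPF/DKIM/DMARC verdicts as recorded by the receiving server."""
    text = " ".join(str(message_from_string(raw).get("Authentication-Results", "")).split())
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text))


def reply_to_mismatch(raw):
    """True when Reply-To points at a different domain than From, a common lure pattern."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    return bool(reply_dom) and reply_dom != from_dom


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print(hop)
    print("boundary origin:", boundary_origin(RAW_MESSAGE, {"inbox.example.org", "mx1.example.org"}))
    print(auth_results(RAW_MESSAGE), "reply-to mismatch:", reply_to_mismatch(RAW_MESSAGE))
```

Note the distinction the two functions draw: `received_chain` reports 203.0.113.45 as the oldest hop, but `boundary_origin` returns 198.51.100.22, because relay.example.net is outside the trusted set and nothing it (or the sender) wrote below that point can be verified.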
IMAP (port 143 or 993 with TLS) and POP3 (port 110 or 995 with TLS) are the client-side retrieval protocols. Log analysis of IMAP connections can show when a mailbox was accessed, from which IP addresses, and how many messages were downloaded in a session. A sudden access from an unfamiliar geographic location followed by a large download is a characteristic pattern of business email compromise account takeover.
Anomaly patterns: exfiltration, beaconing, and brute force
Traffic anomalies are deviations from an established baseline. Investigators detect them by comparing current or historical traffic metrics against what the network normally looks like. Three patterns appear most frequently in cyber investigations: data exfiltration, command-and-control beaconing, and brute-force credential attacks.
Data exfiltration produces unusual outbound volume from a host that normally generates little outbound traffic, transfers to external IP addresses not seen before in the network's history, or activity outside normal business hours. Exfiltration over encrypted channels such as HTTPS or DNS is designed to blend in with legitimate traffic, but volume anomalies remain visible even when payload is encrypted. An internal server that normally transfers 50 MB outbound per day and suddenly transfers 4 GB overnight warrants investigation regardless of the protocol.
Beaconing is the periodic check-in of malware to a command-and-control server. The key distinguishing feature is regularity: a compromised host making outbound HTTP or DNS connections every 60 seconds, or every 300 seconds, produces a timing histogram that looks nothing like human browsing. Tools such as RITA (Real Intelligence Threat Analytics) and commercial SIEM platforms flag regular-interval connections automatically. Investigators also look at beacon jitter: sophisticated malware adds random delay to avoid exact-interval detection, but even jittered beacons cluster tightly in a timing histogram compared to human traffic.
Brute-force attacks against SSH (port 22), RDP (port 3389), SMTP authentication, or web login forms produce high volumes of connection attempts to a single service in rapid succession. The pattern is distinctive in firewall and authentication logs: thousands of failed authentication attempts from one or a few source IPs, often cycling through common usernames. Distributed brute-force attacks spread attempts across many source IPs to evade rate limits but still produce abnormally high authentication failure rates on the target. Investigators correlate authentication logs with connection logs to distinguish distributed attacks from normal failed logins.
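The three patterns above are all baseline-and-deviation checks, and each reduces to a short piece of arithmetic over the right log. The following is an added example, not code from the original page, that runs one check per pattern over constructed data: interval regularity for beaconing, outbound volume against a per-host daily median for exfiltration, and failed-login counts per source for brute force. The connection log, volume figures, sshd lines and every threshold are assumptions chosen to illustrate the method, not published detection rules.

```python
"""Added example (not from the original page): three baseline-and-deviation
checks over constructed data, one per pattern in the text: beacon regularity
from connection timestamps, outbound volume against a per-host daily
baseline, and authentication-failure bursts from sshd-style log lines."""
import re
from collections import defaultdict
from statistics import mean, median, pstdev


def build_connections():
    """Constructed connection log: (timestamp_s, src, dst). 10.0.0.5 checks in
    every ~300 s with jitter; 10.0.0.9 browses at irregular, human intervals."""
    conns, t = [], 0
    for gap in [300, 295, 308, 297, 302, 291, 305, 300, 299, 303]:
        t += gap
        conns.append((t, "10.0.0.5", "203.0.113.7"))
    t = 0
    for gap in [12, 340, 5, 1900, 60, 7, 4200, 15, 2, 800]:
        t += gap
        conns.append((t, "10.0.0.9", "198.51.100.80"))
    return sorted(conns)


def beacon_candidates(conns, min_conns=8, max_cv=0.2):
    """Score each (src, dst) pair by the coefficient of variation (stdev/mean)
    of the gaps between its connections. Jittered beacons still sit far below
    human traffic on this measure."""
    times = defaultdict(list)
    for ts, src, dst in conns:
        times[(src, dst)].append(ts)
    scores = {}
    for pair, ts in times.items():
        if len(ts) < min_conns:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps)
        scores[pair] = {"connections": len(ts), "mean_gap": round(mean(gaps), 1),
                        "cv": round(cv, 3), "beacon": cv <= max_cv}
    return scores


# Constructed daily outbound MB per host; 10.0.0.5 normally sends about 50 MB a day.
BASELINE_MB = {"10.0.0.5": [48, 55, 50, 52, 47], "10.0.0.9": [600, 720, 650, 700, 680]}
TODAY_MB = {"10.0.0.5": 4100, "10.0.0.9": 710}


def volume_anomalies(baseline, today, factor=10):
    """Hosts whose outbound volume today is at least `factor` times their median day."""
    flagged = {}
    for host, mb in today.items():
        base = median(baseline.get(host, [mb]))
        if base > 0 and mb / base >= factor:
            flagged[host] = round(mb / base, 1)
    return flagged


# Constructed sshd lines: one source cycling through usernames, one genuine typo.
AUTH_LOG = """\
Mar  5 09:10:01 bastion sshd[812]: Failed password for root from 198.51.100.4 port 51002 ssh2
Mar  5 09:10:02 bastion sshd[813]: Failed password for invalid user admin from 198.51.100.4 port 51003 ssh2
Mar  5 09:10:02 bastion sshd[814]: Failed password for invalid user test from 198.51.100.4 port 51004 ssh2
Mar  5 09:10:03 bastion sshd[815]: Failed password for invalid user oracle from 198.51.100.4 port 51005 ssh2
Mar  5 09:10:03 bastion sshd[816]: Failed password for invalid user ubuntu from 198.51.100.4 port 51006 ssh2
Mar  5 09:10:04 bastion sshd[817]: Failed password for invalid user pi from 198.51.100.4 port 51007 ssh2
Mar  5 09:14:30 bastion sshd[830]: Failed password for alice from 10.0.0.9 port 40211 ssh2
Mar  5 09:14:41 bastion sshd[831]: Accepted password for alice from 10.0.0.9 port 40212 ssh2
"""
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def brute_force_sources(log, min_failures=5):
    """Sources with many failed logins; distinct_users exposes username cycling."""
    fails = defaultdict(list)
    for user, ip in FAIL_RE.findall(log):
        fails[ip].append(user)
    return {ip: {"failures": len(users), "distinct_users": len(set(users))}
            for ip, users in fails.items() if len(users) >= min_failures}


if __name__ == "__main__":
    print(beacon_candidates(build_connections()))
    print(volume_anomalies(BASELINE_MB, TODAY_MB))
    print(brute_force_sources(AUTH_LOG))
```

The beacon score is deliberately scale-free: a 60 second and a 3600 second beacon both produce a low coefficient of variation, and the jitter in the constructed data (up to 9 seconds either side of 300) barely moves it. A distributed brute-force attack defeats the per-source count in the last function, which is why the text pairs it with the aggregate failure rate on the target.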
Legal framework for traffic capture and log analysis
Network traffic analysis in a legal context requires clear authority. The legal source of that authority depends on whether the investigator is working in a law enforcement capacity or as a private incident responder, and on the jurisdiction of the network and the persons whose communications are captured.
In India, Section 69 of the Information Technology Act 2000 authorises the central or state government to direct interception, monitoring, or decryption of information transmitted through computer resources when required for national security, public order, or investigation of offences. The procedural requirements are set out in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption) Rules 2009. Evidence derived from such interception is governed by the Bharatiya Sakshya Adhiniyam 2023, which replaced the Indian Evidence Act 1872, and the Bharatiya Nagarik Suraksha Sanhita (BNSS) 2023, which replaced the CrPC for procedural matters including search and seizure of electronic records.
In the United States, the Electronic Communications Privacy Act (ECPA) and its Stored Communications Act component govern interception and access to stored content. Live traffic interception by law enforcement requires a Title III wiretap order, a higher standard than a search warrant. Access to stored communications held by a provider follows the Stored Communications Act. The Computer Fraud and Abuse Act (CFAA) criminalises unauthorised access, which also constrains private investigators conducting network analysis on systems they do not own.
In the European Union, the ePrivacy Directive (2002/58/EC, currently under revision) restricts interception of electronic communications without consent or lawful authority. GDPR Article 6 requires a lawful basis for processing personal data, which includes IP addresses and metadata captured in logs. Cross-border investigations involving EU data must respect data minimisation principles and transfer restrictions. The Directive on Attacks Against Information Systems (2013/40/EU) harmonises criminal law on network offences across member states and supports mutual legal assistance.
Private incident responders working within an organisation's own network operate under a different authority: the organisation's consent as the network owner. This consent is typically established through acceptable use policies and employment agreements that notify users their traffic may be monitored. The scope of monitoring authority varies by jurisdiction, and investigators should confirm that the monitoring policy is current and was in force at the time of the incident before relying on internally captured traffic as evidence.
An investigator filters a PCAP and sees thousands of SYN packets from one source IP to many destination ports on a single host, with the majority of responses being RST. What activity does this indicate?
Key Takeaways
- The TCP/IP model's four layers each contribute distinct header fields to a packet: MAC addresses at the link layer, IP addresses and TTL at the internet layer, port numbers and flags at the transport layer, and protocol-specific metadata at the application layer.
- TCP flags and connection states reveal attack behaviour: SYN-only traffic to many ports indicates scanning, SYN floods produce SYN_RECEIVED accumulation, and RST storms can mark scanning or active interference with sessions.
- HTTP Host and User-Agent headers, the SMTP Received chain, and TLS SNI remain investigatively valuable even when payload content is encrypted or forged: Host and SNI record which service the client intended to reach, User-Agent exposes tooling even though the attacker chooses it, and the Received headers added by trusted MTAs record the delivery path in a way the sender cannot rewrite after the fact.
- Three traffic patterns dominate cyber investigation: volume spikes from low-traffic hosts indicate exfiltration; regular-interval small connections indicate beaconing; high-rate authentication failures indicate brute-force attacks.
- Traffic capture authority differs by context and jurisdiction. In India, Section 69 of the IT Act 2000 governs lawful interception; in the US, the Electronic Communications Privacy Act applies; in the EU, the ePrivacy Directive and GDPR constrain how traffic data may be collected and retained.
What is the investigative significance of TCP flags in a packet capture?
How does the HTTP Host header assist a network forensics investigation?
Why are SMTP header fields valuable in email forensics?
What is a baseline and why does it matter for traffic anomaly detection?
What legal frameworks govern packet capture in network investigations?