Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
From promiscuous mode and SPAN ports to BPF capture filters, NetFlow, JA3/JA3S fingerprints and honeynets, with the CERT-In CCMP reporting clock and Indian SOC playbook in mind.
A modern Indian data centre or a state SOC pushes north of a hundred gigabits a second of east-west traffic on a normal Tuesday, and the examiner who is asked to reconstruct an intrusion has to decide what to capture, where to capture it, and what filter to draw before the buffer rolls. Get any one of those wrong and the artefact is either missing or unreadable. Live packet capture is the loudest of the network forensics disciplines, but it sits on top of three quieter ones: capture-point planning (tap, SPAN port, monitor-mode radio), file-format choice (classic PCAP versus PCAPng with secrets blocks), and storage architecture (rotating PCAP rings, flow records, indexed Zeek logs).
This topic walks through capture hardware, the BPF and Wireshark filter languages, the five-tuple and TCP flag reading that every junior analyst is asked at interview, NetFlow and IPFIX flow analysis, deep packet inspection with nDPI and Cisco NBAR, JA3/JA3S fingerprinting for encrypted traffic, honeypot and honeynet deployments under the Indian Honeynet Project, and the CERT-In Cyber Crisis Management Plan reporting clock that determines how fast a SOC has to escalate. We close with the evidence-collection routine for routers and switches, because the most common gap in Indian network-forensic reports is the missing show run snapshot from the edge router that would have proved the suspect packets transited the suspect interface.
If the capture point is wrong, no filter saves you.
A packet capture is only as honest as the point at which the packets are copied. The four common capture points are the host NIC in promiscuous mode, a switch SPAN (also called mirror) port, a passive network tap, and an inline tap on an IDS/IPS path. Each has a known failure mode that the analyst needs to declare in the report.
A switched LAN does not deliver other hosts' frames to a random port. Setting a NIC promiscuous on a port that the switch is not mirroring captures the host's own traffic plus broadcast and multicast, and nothing else. The junior-analyst error is to plug a laptop into a free port on the access switch, enable promiscuous mode in Wireshark, and conclude that the LAN is quiet. The fix is either a SPAN configuration on the switch or a tap on the uplink.
| Capture point | What it sees | Failure mode | When to use |
|---|---|---|---|
| Host NIC, promiscuous | Frames to/from the host plus broadcast/multicast on a switched LAN; everything on a hub. | Misses peer-to-peer LAN traffic; CPU bound at high rate. | Endpoint forensics, single-host triage. |
| Switch SPAN / mirror port | Frames on the mirrored VLAN or ports, as configured. | Drops frames silently when the SPAN port is oversubscribed; misses errored frames on most platforms. | Long-running site capture where the switch has the capacity. |
GUI for explanation, CLI for production, Zeek for the haystack.
The Indian SOC toolkit is largely open source. Wireshark is the GUI of record, and almost every Indian cyber-forensics syllabus (NFSU Gandhinagar, CFSL Hyderabad, MHA training) builds on it. Underneath Wireshark sits libpcap on Linux and macOS or Npcap on Windows; the same library backs tcpdump, tshark and dumpcap.
tcpdump -i eth0 -w out.pcap -s 0 -G 600 -W 12 rotates a one-hour ring of twelve files. Production captures should always use rotation; a single ever-growing file is a hostage to disk space.-T fields -e <fieldname>.-A and -B flags slice by time range; useful for tendering only the relevant window into court.One block type that did not exist a decade ago changes how TLS evidence reaches court.
The classic PCAP file format (libpcap, 1990s vintage) is simple: a global header followed by per-packet records, each with a timestamp, captured length, original length and packet bytes. One link-layer type per file, no annotations, no comments, no per-interface metadata. The format is small, fast and brittle.
PCAPng (PCAP Next Generation) is block-structured. Each block has a type, a length, a body and a length trailer. The relevant blocks for the forensic analyst are:
The Decryption Secrets Block matters more than any other change. Before it, an analyst who wanted to decrypt a TLS session in Wireshark had to ship a sidecar keylog file alongside the PCAP and pray that both reached court together. With a DSB the keys travel inside the PCAPng, hashable as one artefact, certifiable under Section 63 BSA as one electronic record. Wireshark since 3.0 reads and writes DSB; tshark can inject keys with editcap --inject-secrets tls,keylog.txt in.pcapng out.pcapng.
Every packet question reduces to who, to whom, how, with what flags.
The five-tuple is the smallest unit of network identity that the analyst quotes in a report: source IP, destination IP, source port, destination port, and the L4 protocol number. Two packets with the same five-tuple belong to the same conversation; the same five-tuple swapped (src and dst exchanged) is the return half of the same conversation. Wireshark's Conversations dialog and tshark's -z conv,ip and -z conv,tcp aggregate by five-tuple and quote bytes and packets each way.
TCP flag analysis is the next reading skill. The six classic flags carry meaning that the analyst reads at a glance.
| Flag | Meaning | Healthy use | Anomaly to flag |
|---|---|---|---|
| SYN | Synchronise sequence numbers, opening a connection. | First packet of every TCP handshake. | A SYN flood (many SYNs from random sources, no ACKs) is a denial-of-service signature. |
| SYN-ACK | Server's reply to SYN. | Second packet of handshake. | Many SYN-ACKs to addresses the host never SYNed to: backscatter from a SYN-flood with spoofed sources elsewhere. |
| ACK | Acknowledge received data up to seq. | Every data segment carries ACK once the connection is up. |
When the payload is encrypted, fingerprint the handshake.
A network IDS (Snort, Suricata, Zeek) sits inline or on a SPAN and matches traffic against a rule set. Snort rules and Suricata rules share most of the syntax: an action, a header (protocol, src, sport, direction, dst, dport) and a body of options (content, pcre, flowbits, classtype, sid, rev).
A simplified rule that flags a common SQLMap user-agent reads:
alert http any any -> $HTTP_SERVERS any (msg:"SQLMap probe via User-Agent"; flow:to_server,established; http.user_agent; content:"sqlmap"; nocase; classtype:web-application-attack; sid:1000101; rev:1;)
Rule categories that an Indian SOC actively tunes include exploit-kit (Fallout, RIG, Underminer), malware-callback (Cobalt Strike default profiles, Sliver C2, AsyncRAT), scan (Nmap fingerprint, masscan), policy-violation (Tor traffic, BitTorrent on a corporate VLAN), and web-application-attack (SQL injection, XSS, command injection, path traversal). The Emerging Threats Open rule set, ET Pro, and the Snort VRT community set are the three feeds most SOCs combine.
SQL injection detection in HTTP traffic is a payload-pattern problem at the IDS layer and a behavioural problem at the WAF and DB-log layer. The classic SQL injection patterns the IDS matches include single quote followed by OR followed by digit-equals-digit (' OR 1=1), UNION SELECT, INFORMATION_SCHEMA.TABLES, and the SQLMap-specific shape of a probe request (a long parameter value with quote, semicolon, comment marker --). The cross-link to the broader attack catalogue is the Network Attacks topic which walks the SQL injection, XSS and ARP poisoning attack chains end to end.
Deep Packet Inspection (DPI) goes beyond IDS pattern matching to classify the application generating the traffic. nDPI (open source from ntop) and Cisco NBAR (proprietary, IOS) maintain protocol signatures for thousands of applications, classifying by combinations of port, payload heuristic, TLS SNI, and timing. DPI answers questions like "is this UDP/443 stream QUIC, WireGuard, or DNS over QUIC", which port-only analysis cannot.
Encrypted traffic forces a different style of analysis. Without the keys (no DSB, no key log, no MITM with a trusted CA on the endpoint), the analyst cannot read the body. What is still visible is the TLS handshake: the Client Hello carries the TLS version, cipher suites in the offered order, extensions in the offered order, supported elliptic curves and EC point formats. The MD5 hash of these ordered fields is the JA3 fingerprint of the client. The server's reply (Server Hello) hashes the same way to a JA3S fingerprint.
When the PCAP rolls, the flow records and SIEM are what survives.
NetFlow (Cisco), IPFIX (IETF standard, NetFlow v10 in practice), sFlow (Inmon, packet-sampling), and jFlow (Juniper) are flow record protocols. A router or switch with flow export enabled emits one UDP datagram per finished flow to a collector, summarising the conversation. Fields commonly present include src IP, dst IP, src port, dst port, protocol, ToS, ingress interface, byte count, packet count, start time, end time, and TCP flags ORed across the life of the flow.
Flow records are roughly three orders of magnitude smaller than full PCAP for the same traffic, so a flow archive can hold years where a PCAP ring holds days. Top-talkers, port-pair analysis, beacon detection (small periodic flows from one internal host to one external host), and exfiltration detection (large outbound flow on an unusual port) are flow-record questions. The collectors in production Indian deployments are nfdump and SiLK on the open-source side, and Plixer Scrutinizer, Cisco Stealthwatch (now Secure Network Analytics) and ntopng on the commercial side.
Which capture-point choice on a switched Indian campus LAN sees east-west traffic between two other hosts without packet loss when the SPAN destination is congested?
| Passive tap (copper or optical) |
| Every frame including CRC errors and runts; one direction per port (a full-duplex tap presents two streams). |
| Hardware cost; needs two monitoring NICs to merge directions in software. |
| Court-grade capture where the chain of custody requires no risk of frame loss. |
| Inline tap / bypass switch | Every frame plus the ability to drop (IPS mode). | Fails open or closed by configuration; an inline failure can take the link down. | IDS/IPS deployment, not pure capture. |
| Wi-Fi monitor mode | Every 802.11 frame in range on the tuned channel, including management/control. | One channel at a time; needs supported card and channel hopping for survey use. | Wireless network forensics, rogue-AP and deauth attack detection. |
A SPAN port on an Indian campus switch (Cisco Catalyst 9300 series, Aruba CX, Juniper EX) is configured with a one-line monitor session 1 source interface ... destination interface ... pair, but the operational gotcha is that SPAN drops are silent. The Catalyst will quietly drop mirrored frames when the destination port is congested, and the only signal is a counter on show monitor session 1. A report that does not record the SPAN counters at start and end of the capture leaves a hole the defence can drive through.
Wireless monitor mode is the corresponding capture point for 802.11. The radio listens on one channel at a time; a survey capture uses channel hopping (a small daemon retunes the radio every 250 ms across the 2.4 GHz and 5 GHz channels). The drawback is that a hopping capture sees only a fraction of any given conversation, so an attack reconstruction usually pins the radio to the suspect channel after the initial survey identifies it.
The architectural rule is to capture full PCAP at the sensor for a short window (24 to 72 hours), index Zeek logs for medium term (weeks to months), and keep flow records for long term (years). An Indian Tier-3 bank SOC typically runs all three: full PCAP on a 200 TB SSD ring at the perimeter, Zeek logs into a hot Elasticsearch tier, and IPFIX flow records into a SiLK or nfdump archive.
The practical rule for Indian cases is to write PCAPng with secrets blocks when TLS decryption is in scope, write classic PCAP only when interoperability with an older toolchain demands it, and never strip the comments out of an EPB during evidence handling because the comments carry the analyst's working notes that the trial court is entitled to see.
| Bare ACKs to closed ports: ACK scan. |
| FIN | Finish, half-close. | Normal connection teardown, two FINs each direction. | FIN without prior SYN: FIN scan, exploits some stacks that respond differently to FINs. |
| RST | Reset, abort connection. | Closed-port response to a SYN; firewall drop response. | RSTs interspersed in an established stream: forged-RST injection (operator censorship; classic case Sandvine, modern case some ISP middleboxes in India). |
| PSH | Push: deliver buffered data to application immediately. | Interactive sessions (SSH typed input, IRC, web POSTs). | Beacons that always carry PSH+ACK with identical payload sizes are often command-and-control. |
| URG | Urgent pointer valid. | Almost unused in modern applications. | URG-bit toggling is a known IDS-evasion trick; flag for inspection. |
Stream reassembly is the third skill. A TCP stream is a sequence of segments with monotonically increasing sequence numbers; Wireshark's Follow Stream rebuilds the full byte stream in each direction from the segments and presents it as readable text or hex. From the rebuilt stream the analyst extracts the HTTP request, the SMB write, the FTP RETR, or the IRC line. File > Export Objects in Wireshark walks the HTTP, SMB, FTP, IMF (email) and TFTP dissectors and writes every file body the capture observed to disk, named by the URL or filename in the protocol. This is the function that recovers the malware binary that the dropper fetched, the exfiltrated CSV, or the document that the suspect uploaded.
VoIP call decode is the loud demonstration of stream reassembly. Wireshark's Telephony menu walks the SIP signalling and the matching RTP streams; the RTP Player tab decodes G.711, G.722, GSM and AMR codecs to playable audio. A captured VoIP call from a cooperative ISP under a lawful intercept warrant is rendered as audible evidence with a few clicks, with the SIP INVITE timestamps as the timeline.
| Fingerprint | Source | Identifies | Indian SOC use case |
|---|---|---|---|
| JA3 | TLS Client Hello | Client TLS stack (browser, library, malware family). | Pin Cobalt Strike default JA3 across thousands of beacons on the perimeter SPAN; alert on any host that produces it. |
| JA3S | TLS Server Hello | Server TLS stack and configuration. | Detect malicious infrastructure even when the C2 domain rotates; the JA3S stays the same across the rotation. |
| JARM | Server, ten Client Hellos probed actively. | Server TLS stack fingerprint, broader than JA3S. | Internet-wide scans for Cobalt Strike teamservers; useful for proactive blocking after an Indian government threat advisory. |
| HASSH | SSH KexInit | SSH client/server fingerprint. | Detect a non-standard SSH client (a Mirai-like worm) hitting an exposed SSH on a state agency router. |
VPN traffic analysis applies the same fingerprinting. WireGuard sends a Noise IK handshake with characteristic packet sizes (148 bytes for handshake initiation, 92 bytes for response). OpenVPN over UDP has a recognisable opcode in the first byte of each datagram. Both, even when the payload is encrypted, present flow-record signatures (regular keepalive intervals, MTU-shaped data packets) that a NetFlow analyst can isolate. The point is that "encrypted" does not mean "invisible" at the network forensics layer.
Log correlation is the discipline that turns a flood of single-source events into a usable timeline. The classic Indian-SOC join is firewall accept events (source IP, dest IP, dest port, timestamp) against DNS query logs (which name resolved to that dest IP at that time) against Sysmon event 3 on the endpoint (which process opened the outbound socket). Splunk SPL expresses this as a transaction or a join on dest_ip plus a time window of 60 seconds. The result row reads "process powershell.exe on host HDFC-LAP-1124 made a DNS query for evil.example, resolved to 198.51.100.42, and opened TCP/443 to that address at 14:32:11 IST".
Honeypots and honeynets are the inverse strategy. Instead of filtering noise out of real traffic, deploy systems that only attackers would touch, and treat every byte as an alert. Low-interaction honeypots simulate a service: Cowrie emulates SSH and Telnet and logs every command typed by the attacker; Dionaea emulates SMB, FTP, MSSQL and lures malware to upload itself; Honeyd is the original tcp/udp simulator. High-interaction honeypots are real VMs (often Windows servers) with monitoring. The T-Pot framework from the Deutsche Telekom Honeynet Project bundles a dozen honeypots and a unified dashboard, and is the standard deployment in Indian academic honeynet projects (IIT Madras, IIIT Hyderabad, Indian Honeynet Project chapter). Honeyfiles and honeytokens are the lighter cousins: a fake credentials file in a network share, a fake row in a customer database with a unique email that pages the SOC when accessed.
Router and switch evidence collection closes the chain. The console log captures interactive commands typed at the device; the NVRAM dump preserves the startup configuration; the running configuration snapshot (show running-config) freezes the live config; show ip route, show arp, show mac address-table, show ip cef, and show interface counters preserve the live forwarding state. Memory analysis on routers (analogous to Volatility on Windows) is vendor-specific and rare; Cisco IOS XE supports request platform software process core to write a process core, and Cisco's CCAT (Cisco Compromise Assessment Tool) reads it. For the trial court, the running-config snapshot and the interface counters are the two artefacts the prosecution almost always quotes. Cross-link our Network Security topic for the full SIEM, firewall and PKI background that this section assumes.