
Advanced Packet Analysis

Max room.

Triage alerts, reassemble streams, extract files, and detect protocol abuse via Wireshark & TShark.

medium

90 min

15


Scenario Overview

You are an analyst at Nexus Financial Group investigating a confirmed intrusion against the Finance subnet. In the previous rooms, we identified a recurring beacon on WKST-FINANCE-04 (10.14.22.88) communicating with 194.165.16.56, confirmed a 5.3 MB staging exfiltration to 185.213.154.201, and mapped the lateral movement path through WKST-IT-ADMIN-02 to the Domain Controller. The investigation so far has relied on Zeek logs and Zui queries, which told us what connections existed and how much data moved. What they could not tell us is what those sessions actually contained.

The PCAP that the Finance perimeter sensor has been storing is the final evidence source. This room teaches packet analysis as an investigative skill: every technique is introduced in the context of answering a specific question that logs alone could not answer.

Packet analysis investigation overview.

Learning Objectives

By the end of this room, you will be able to:

  • Explain the relationship between Wireshark and TShark and describe when CLI-based analysis is preferable to a GUI
  • Navigate Wireshark's protocol dissection tree to extract investigatively relevant fields
  • Follow TCP and UDP streams to reconstruct application-layer communications
  • Extract files, credentials, and other artifacts from packet captures
  • Identify exfiltration patterns, protocol tunneling, and protocol abuse in network traffic
  • Write TShark commands for field extraction, filtering, and automated evidence processing

Prerequisites

It is expected that you have gone through or explored the following rooms and topics before starting this room:

Lab Connection

Start the lab by clicking the Start Machine button at the top of this task. The VM takes approximately three minutes to load.

Set up your virtual environment

To successfully complete this room, you'll need to set up your virtual environment. This involves starting the Target Machine, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.

All evidence is preloaded:

  • The investigation PCAP for all tasks: /home/ubuntu/captures/investigation.pcap
  • Helper scripts: /home/ubuntu/scripts/
  • Threat feed and reference material: /home/ubuntu/references/

Wireshark is installed on the desktop for graphical tasks. TShark is available at the command line.
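As a starting point for the TShark side of the room, here is an added shell example (not one of the room's helper scripts) that builds display filters from the hosts named in the scenario and runs them against the preloaded PCAP path given above. The `PCAP` path and the three IP addresses come from this page; the `tshark` flags (`-r`, `-Y`, `-T fields`, `-e`, `-E`, `-z conv,tcp`) are standard TShark options, and the function names and the `RUN_EXAMPLE` switch are choices made for this example.

```shell
#!/bin/sh
# Added example: TShark field extraction and conversation stats for the scenario hosts.
# PCAP path and IPs are the ones stated in the room; everything else is illustrative.
PCAP="${PCAP:-/home/ubuntu/captures/investigation.pcap}"
BEACON_HOST="10.14.22.88"      # WKST-FINANCE-04
BEACON_C2="194.165.16.56"      # beacon destination from the previous rooms
EXFIL_DST="185.213.154.201"    # 5.3 MB staging exfiltration destination

# Display filter isolating all traffic between two hosts (either direction).
pair_filter() {
  printf 'ip.addr==%s && ip.addr==%s' "$1" "$2"
}

# Display filter for everything the compromised host sent to either known external IP.
outbound_filter() {
  printf 'ip.src==%s && (ip.dst==%s || ip.dst==%s)' "$BEACON_HOST" "$BEACON_C2" "$EXFIL_DST"
}

# Per-packet field extraction as CSV: timestamp, endpoints, destination port, TCP payload bytes.
# Summing tcp.len per session is how the 5.3 MB figure can be cross-checked from packets.
extract_fields() {
  tshark -r "$PCAP" -Y "$1" -T fields -E header=y -E separator=, \
    -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e tcp.len
}

# TCP conversation table restricted to the exfiltration destination (bytes per direction).
conversation_stats() {
  tshark -r "$PCAP" -q -z "conv,tcp,ip.addr==$EXFIL_DST"
}

main() {
  if ! command -v tshark >/dev/null 2>&1; then
    echo "tshark not found; printing the filters only:" >&2
    pair_filter "$BEACON_HOST" "$BEACON_C2"; echo
    outbound_filter; echo
    return 0
  fi
  [ -r "$PCAP" ] || { echo "PCAP not readable: $PCAP" >&2; return 1; }
  extract_fields "$(pair_filter "$BEACON_HOST" "$BEACON_C2")"
  extract_fields "$(outbound_filter)"
  conversation_stats
}

# Run only when RUN_EXAMPLE=1, so the functions can also be sourced into a shell.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  main "$@"
fi
```

Usage on the lab VM: `RUN_EXAMPLE=1 sh beacon_fields.sh` (with the script saved under that name) prints one CSV per filter followed by the conversation table; redirect the CSV output to a file if you want to total `tcp.len` or sort by `frame.time_epoch` to confirm the beacon interval seen in the Zeek logs.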

Answer the questions below

Connect to the machine and continue.