Introduction to Network Forensics?

Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. 

Learning Outcome 

  • You will be able to upload and analyse pcap file using wireshark.
  • You will be able to explain filtering techniques and interface selection.
  • You will be able to develop skills to identify patterns in network frames that indicate malicious activity.
  • You will be able to analyse network frame behavior to detect unusual or suspicious communication patterns.
  • You will be able to explore how to analyze payload data within network packets to identify sensitive information.


Kali Linux VMware/VirtualBox: https://www.kali.org/get-kali/#kali-virtual-machines

Wireshark – Pre installed within kali linux.

Analysing Network traffic for user creation activity. 

Activity 1: Obtaining details of the .pcap file

  1. Copy the folder “NetworkForensics” into the virtual machine desktop.
  2. Open wireshark.
  3. Next, click on File menu and select Open to load the “rogue.pcap”.  
  4. Under the Statistics menu, explore the following options to answer the questions below.
  • Capture File Properties
  • Protocol Hierarchy 
  • Communications 


  1. When was the pcap file captured (Answer should be in the format YY- MM – DD)?
  2. What is the version of the protocol captured within the pcap file?
  3. Which frame has 28 packets? 
  4. How many packets did address 0a:00:27:00:00:00 send to 08:00:27:fa:25:8e ?

Activity 2: Analysing frames for malicious activity.

  1. Filter the pcap file to view frames marked as data. Ensure your display column is also include “stream index” view. 
  2. Right click on the frame and select Follow -> TCP stream to search for communication in relation to user creation via remote shell access.


  1. How many “stream index” value was displayed?
  2. What is the stream index value of frame 4?
  3. Stream 1 starts at which frame?
  4. What was the date the attacker remotely accesses the system? 
  5. What is the username and password of the rogue user account created?
  6. What was the command executed by the attacker after creating a rogue account

Part 2: Simple FTP pcap challenge

  1. Open the file FTP.pcap in wireshark.
  2. Analyse the pcap and answer the following questions.


  1. What is the IP address of the FTP server
  2. State the packet numbers that contains the password?
  3. What is the username and password of the FTP Server?
  4. What date did the user attempt to access the FTP server? (Answer should be in the format YY- MM – DD