PCAP Traffic Hunting

Some notes I’ve used to identify suspicious activity when searching through packet captures.

Of course, basic hunting should include looking at ports and strange host/IP addresses. Beyond those basics, we can look at the individual protocols. Within packet captures there are certain protocol behaviours that should automatically be flagged as suspicious:

ARP

  • Large number of ARP broadcast messages in a short amount of time
  • Identical MAC/IP Addresses
  • ARP replies without a request

ICMP

  • Large ICMP packets
  • Unusual types/codes within the ICMP packets followed by a request

TCP

  • Large amounts of SYN packets without SYN-ACK
  • Any Three-Way Handshake that isn’t completed
  • Sequence and Acknowledgement numbers that do not match
  • Single host to multiple ports, or single host to multiple nodes

DHCP

  • Not using ports 67 and 68
  • DHCP sessions that don’t follow the expected sequence:
  • DHCP Discover > Offer > Request > Ack

DNS

  • Not using port 53
  • Traffic on port 53 that is not using UDP
  • DNS Traffic should only go to DNS Servers
  • DNS responses with no queries
  • Excessive DNS responses/queries

HTTP

  • Any traffic on port 80 should be investigated
  • Strange user agents
  • Encrypted traffic
  • Web Server that is not in FQDN format

HTTPS

  • Strange user agents
  • Unencrypted traffic
  • SSL Details are blank or contain strange information
  • Web Server that is not in FQDN format
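
The following is an added example, not part of the original notes: a small Python script that applies three of the checklist items above (ARP replies without a request, SYNs without SYN-ACKs, and DNS responses without queries or DNS not over UDP) to a constructed list of decoded packet records. The record format and sample addresses are assumptions standing in for whatever your pcap decoder produces.

```python
from collections import Counter

# Constructed packet records standing in for a decoded capture (not real data).
PACKETS = [
    {"proto": "ARP", "op": "request", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.1"},
    {"proto": "ARP", "op": "reply", "src_ip": "10.0.0.1", "dst_ip": "10.0.0.5"},
    {"proto": "ARP", "op": "reply", "src_ip": "10.0.0.9", "dst_ip": "10.0.0.7"},  # unsolicited
    # 10.0.0.66 sends SYNs to five ports; only one SYN-ACK comes back
    *[{"proto": "TCP", "src_ip": "10.0.0.66", "dst_ip": "10.0.0.20", "dport": p, "flags": "S"}
      for p in (21, 22, 23, 80, 443)],
    {"proto": "TCP", "src_ip": "10.0.0.20", "dst_ip": "10.0.0.66", "dport": 40000, "flags": "SA"},
    {"proto": "UDP", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.53", "dport": 53, "dns": {"id": 1, "qr": 0}},
    {"proto": "UDP", "src_ip": "10.0.0.53", "dst_ip": "10.0.0.5", "dport": 5353, "dns": {"id": 1, "qr": 1}},
    {"proto": "UDP", "src_ip": "10.0.0.53", "dst_ip": "10.0.0.8", "dport": 5555, "dns": {"id": 99, "qr": 1}},  # no query
    {"proto": "TCP", "src_ip": "10.0.0.8", "dst_ip": "10.0.0.53", "dport": 53, "flags": "PA"},  # DNS not over UDP
]

def arp_replies_without_request(packets):
    """Senders of ARP replies that no host asked for (reply without a request)."""
    asked, findings = set(), []
    for p in (p for p in packets if p["proto"] == "ARP"):
        if p["op"] == "request":
            asked.add((p["src_ip"], p["dst_ip"]))          # who asked about whom
        elif (p["dst_ip"], p["src_ip"]) not in asked:
            findings.append(p["src_ip"])
    return findings

def half_open_syn_sources(packets, threshold=3):
    """Hosts whose SYNs exceed the SYN-ACKs they received (scans, incomplete handshakes)."""
    syns, synacks = Counter(), Counter()
    for p in (p for p in packets if p["proto"] == "TCP"):
        if p["flags"] == "S":
            syns[p["src_ip"]] += 1
        elif p["flags"] == "SA":
            synacks[p["dst_ip"]] += 1
    return {h: n - synacks[h] for h, n in syns.items() if n - synacks[h] >= threshold}

def dns_anomalies(packets):
    """Port-53 traffic that is not UDP, and DNS responses with no matching query."""
    queries, findings = set(), []
    for p in packets:
        if p.get("dport") == 53 and p["proto"] != "UDP":
            findings.append(("non-udp-on-53", p["src_ip"]))
        if "dns" in p and p["dns"]["qr"] == 0:             # query: remember (client, txid)
            queries.add((p["src_ip"], p["dns"]["id"]))
        elif "dns" in p and (p["dst_ip"], p["dns"]["id"]) not in queries:
            findings.append(("response-without-query", p["dst_ip"]))  # nobody asked
    return findings
```

On a real capture, feed the same functions the records your decoder emits and tune `threshold` to the normal SYN rate of the network.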

Packet Hunting Tools:
