PCAP Analysis Skills
To understand your network traffic, join the NSPA training course or practise directly in the NSPA laboratory.
These training courses provide many useful skills, from the ground up.
Beyond learning from the NSPA training textbook, our courses use many real PCAP samples from real cyber environments, which prepare our members (trainees) to face the new challenges of the future.
The major difference between PCAP analysis and network behaviour analysis is that PCAP analysis looks at every detail of the TCP/UDP packets, whereas network behaviour analysis looks at the sequence of the network traffic. For example, when visiting a website, normal users do not send a 'ping' (ICMP packet) before the HTTP packets. In many real cases, NSPA has found that normal network behaviour stands out clearly against abnormal, offensive traffic.
This part covers HTTP and the normal HTTP behaviour of web visiting. Beyond regular network traffic, it teaches IT engineers to verify suspicious network traffic, including vulnerability scanning, WebDAV attacks, SQL-Injection, Web-Shell (backdoor) access and more.
The basic skills of network packet analysis are also introduced here. This part teaches not only how to analyse the HTTP/HTTPS protocol but also how to recognise dubious web-access behaviour.
From the SMTP, POP3, IMAP, SQL, SMB, HTTP, HTTPS and SSH protocols to Android device activity, all general network protocols are included in the NSPA Class-C Training Course, which lets trainees distinguish the behaviour of a 'real protocol' from that of a 'fake protocol', which may be used as a 'tunnel' technique to hide malware communication inside HTTP or HTTPS traffic. NSPA trains you to identify such abnormal network behaviour.
No matter what kind of software (or hardware) is used in your network, malware may be hidden in those facilities. A simple piece of malware (ransomware) such as WannaCrypto can cause small-scale chaos in your office. A fatal ransomware can cause a bank to lose a lot of money, as in the 2016 Bengal Bank event and the 2017 FEIB SWIFT event.
With the NSPA training course, you can be the first eyewitness to identify this malware behaviour from network PCAP packets. In particular, NSPA teaches you how to work out the infection pattern of such malware.
| Skill Name | Description | Categorize Tag (Protocol) |
| --- | --- | --- |
| IP Address Ignore Principle | Before capturing network traffic, we must be clear about the purpose (target): what are we looking for? | |
| Category Orientated Principle | Every target of network traffic to be analysed can be categorized under some network-security issue. If it cannot be categorized, it must be a new item to study; otherwise it may be a security issue. | |
| Security Scope Principle | Protecting a security scope, which may be a network or a system, means protecting its security properties, which are measured by the 'CIA' metrics. The threats to these properties can be summarized by the items known as 'STRIDE'. | |
| IP Address 0.0.0.0 Principle | Although 0.0.0.0 is an invalid IP address, in a DHCP environment packets carrying the 0.0.0.0 address are captured very often. | |
| IP Address 127.0.0.1 Principle | The address '127.0.0.1' represents the localhost IP address; traffic to it is also called 'loopback traffic'. | |
| Server Service Principle | In network protocol terms, a network server is a device (host) that provides a TCP/UDP service. | |
| ARP Protocol Principle | The most common ARP behaviour is to ask for the MAC address that belongs to the IP address of a particular host. | |
| Concept of HTTP/HTTPS | HTTP uses TCP 80 as its default service port, which can be changed to any other TCP port number. | |
| HTTP/HTTPS Client Fundamental | In a normal web browsing session, a DNS query-reply exchange is generated before the HTTP/HTTPS request-response session. | |
| HTTP/HTTPS Server Fundamental | An HTTP/HTTPS server listens on its service port and waits for HTTP/HTTPS requests to arrive. | |
| HTTP Request and Response | An HTTP client sends a method (request) to the HTTP server, and the server replies with a response to the client. | |
| HTTP Vulnerability Scanning | VAPT (Vulnerability Assessment and Penetration Testing) uses the GET/POST methods of HTTP to get information from a target website. To avoid increasing the traffic load, some VAPT utilities may use the HEAD/OPTIONS/TRACE methods to reduce the size of the HTTP responses from the website. | |
| HTTP Vulnerability Scanning | Whatever VAPT method is used, the HTTP service (application) should return large numbers of HTTP 404 response codes (status values), unless a vulnerability of the website is found. | |
| HTTP Client Fundamental | Most web clients should receive HTTP response codes in the 2xx or 3xx ranges rather than 400, 401, 403, 404 or 500. | |
| HTTP Client Fundamental | Unless uploading huge files, a client's received packets should be larger than its sent packets when visiting websites. | |
| Header Field of Browser | The general web browser of a normal user (such as Chrome, Edge or Safari) sends certain HTTP/HTTPS header fields when the user visits websites. | |
| HTTPS Behavior Fundamental | Although HTTPS sessions are encrypted, the HTTPS/TLS handshake keeps some information in plain text. | |
| HTTPS Content Encrypted | After the HTTPS/TLS handshake, the HTTPS traffic is encrypted into an unreadable form (garbled text). | |
| SQL-Injection in HTTP/HTTPS | Parameter values that carry special characters or SQL commands are one of the characteristic features of an SQL-Injection attack. | |
| SQL-Injection in HTTP/HTTPS | Since an SQL-Injection attack may generate many erroneous HTTP response codes, an abnormal number of HTTP 500 responses is one symptom of SQL-Injection. | |
| ARP Request Behavior | Although ARP queries (requests) are common packets on a LAN, ARP queries that enumerate IP addresses are anomalous ARP behaviour. | |
| ARP Reply Behavior | Although ARP replies (responses, answers) are common packets on a LAN, a burst of many ARP reply packets is anomalous ARP behaviour. | |
| DNS Reply Behavior | Although DNS replies (responses, answers) are common packets on WAN/LAN, there are still some anomalous DNS reply behaviours. | |
| ICMP Request Behavior | ICMP packets can probe network status. However, huge numbers of ICMP request packets may affect network bandwidth, a phenomenon called a flood DDoS. | |
| ICMP Unreachable Behavior | When a host or port cannot be reached over TCP/UDP for some reason, ICMP unreachable packets are generated. However, recurring or persistent ICMP unreachable packets may indicate a malware infection, specifically a Trojan/RAT. | |
| SMTP Client Fundamental | In a normal organization LAN, client computers should only connect to the specific address of the email service. | |
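The HTTP heuristics in the skills table (a large share of HTTP 404 responses and HEAD/OPTIONS/TRACE methods for vulnerability scanning, HTTP 500 responses together with special characters or SQL keywords in parameter values for SQL-Injection, and the expectation that a normal client receives more than it sends) can be checked mechanically once traffic has been reduced to per-request records. The following Python is an added example written for this page; it is not NSPA course material. The access records, thresholds, tag names and field layout are all constructed for the demonstration and would need tuning against real captures.

```python
"""Added example: score per-client HTTP behaviour against the heuristics
in the PCAP analysis skills table. Not NSPA code; all inputs are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Characters/keywords in a query-parameter value that suggest SQL-Injection probing.
SQLI_PATTERN = re.compile(r"(['\";]|--|/\*|\b(union|select|or|and)\b\s)", re.IGNORECASE)
# Methods some VAPT tools use to keep responses small.
SCANNER_METHODS = {"HEAD", "OPTIONS", "TRACE"}

# Constructed access records: (client_ip, method, target, status, bytes_sent_by_client,
# bytes_received_by_client). One ordinary browser, one scanner, one SQLi probe.
SAMPLE_RECORDS = [
    ("10.0.0.5", "GET", "/index.html", 200, 420, 15800),
    ("10.0.0.5", "GET", "/style.css", 200, 380, 9200),
    ("10.0.0.5", "GET", "/img/logo.png", 304, 360, 240),
    ("10.0.0.5", "POST", "/login", 302, 610, 450),
    ("10.0.0.9", "HEAD", "/admin/", 404, 300, 210),
    ("10.0.0.9", "HEAD", "/phpmyadmin/", 404, 300, 210),
    ("10.0.0.9", "OPTIONS", "/", 200, 290, 260),
    ("10.0.0.9", "HEAD", "/backup.zip", 404, 300, 210),
    ("10.0.0.9", "HEAD", "/.git/config", 404, 300, 210),
    ("10.0.0.9", "GET", "/cgi-bin/test.cgi", 404, 310, 520),
    ("10.0.0.12", "GET", "/item?id=1", 200, 400, 7800),
    ("10.0.0.12", "GET", "/item?id=1'", 500, 401, 900),
    ("10.0.0.12", "GET", "/item?id=1' OR '1'='1", 500, 415, 900),
    ("10.0.0.12", "GET", "/item?id=1 UNION SELECT 1,2,3--", 500, 430, 900),
]


def analyze(records, min_requests=4, not_found_ratio=0.5, error_ratio=0.3):
    """Return {client_ip: [tags]} for clients with at least min_requests requests.

    Thresholds are assumptions for the demo:
      - 'vulnerability-scanning': >= not_found_ratio of responses are 404, or
        three or more HEAD/OPTIONS/TRACE requests were seen.
      - 'sql-injection': >= error_ratio of responses are 5xx and at least one
        parameter value matched SQLI_PATTERN.
      - 'sends-more-than-receives': client sent more bytes than it received,
        which a normal browsing client (not uploading) should not do.
    """
    per_client = defaultdict(lambda: {
        "requests": 0, "not_found": 0, "server_error": 0,
        "scanner_methods": 0, "sqli_params": 0, "bytes_out": 0, "bytes_in": 0,
    })
    for ip, method, target, status, sent, received in records:
        c = per_client[ip]
        c["requests"] += 1
        c["bytes_out"] += sent
        c["bytes_in"] += received
        if status == 404:
            c["not_found"] += 1
        if 500 <= status < 600:
            c["server_error"] += 1
        if method.upper() in SCANNER_METHODS:
            c["scanner_methods"] += 1
        # Inspect only the query string; parse_qsl yields (name, value) pairs.
        query = urlsplit(target).query
        values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
        if any(SQLI_PATTERN.search(v) for v in values):
            c["sqli_params"] += 1

    findings = {}
    for ip, c in per_client.items():
        if c["requests"] < min_requests:
            continue  # too little traffic to judge
        tags = []
        if (c["not_found"] / c["requests"] >= not_found_ratio
                or c["scanner_methods"] >= 3):
            tags.append("vulnerability-scanning")
        if c["server_error"] / c["requests"] >= error_ratio and c["sqli_params"] > 0:
            tags.append("sql-injection")
        if c["bytes_out"] > c["bytes_in"]:
            tags.append("sends-more-than-receives")
        findings[ip] = tags
    return findings


if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_RECORDS).items():
        print(ip, tags or ["normal"])
```

On the constructed records the browser at 10.0.0.5 gets no tags, the HEAD-heavy scanner at 10.0.0.9 is tagged both for its 404 share and for sending more bytes than it receives (HEAD responses carry no body), and 10.0.0.12 is tagged for SQL-Injection because its 500 responses coincide with quote characters and SQL keywords in the `id` parameter. In practice the per-request records would come from a PCAP reassembled with a tool such as Wireshark or Zeek, and the ratios would be tuned per site, since a site with many broken links will raise the 404 baseline.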