Network Analysis

Overview

Look, analyzing the network is like… it’s like a footprint. If a bad guy walks through your kitchen, he’s gonna leave a footprint. Unless he’s a ghost. Are we dealing with ghosts? Toby, shut up. We’re not dealing with ghosts.

The problem is, the network log is huge. (That’s what she said) If I go down to the warehouse and I say, ‘Hey, find me the one invoice where someone bought a single paperclip,’ Darryl is going to look at me and say, ‘Michael, there are billions of papers here.’

That’s why we need a 1. Right techinque 2. Deep networking knowledge

Description

Techinque

• Observation (Detection): Identifying a deviation from the established “baseline.” This is spotting the symptom—whether it’s a slow PC (Helpdesk) or an unusual outbound connection (SOC).
• Isolation: Separating the “signal” from the “noise.” You use tools like grep, Splunk, or Wireshark filters to remove legitimate traffic so only the suspicious activity remains.
• Validation (Confirmation): Correlating the isolated data with forensic evidence or threat intelligence to prove a security incident occurred.

Scenerios

With right technique, we can apply them to differnt scenerios:

• Network Discovery Detection - who’s here?
• MITM Detection - who’s earsdroping?
• Data Exfiltration Detection - who’s stealing data?

Extended Readings:

Here are tools we need to analyze traffics

• Bo Cyber Logbook - Log Analysis
• Bo Cyber Logbook - Wireshark
• Bo Cyber Logbook - Snort

---

Last Modified: 2025-12-27 \