Newbies Guide to Network Traffic Analysis for the National Cyber League Games

Network Traffic Analysis. Newbies and veterans alike fear this category. It destroys accuracy, wrecks friendships, and will eat your lunch without leaving a note. But is it really that scary?

Network Traffic Analysis (or NTA for short) is a fundamental skill. When you absolutely need to know what is going on in your network, there is no substitute for a packet capture (or pcap). This is like looking into the wires of your home and seeing the electricity flowing back and forth – but please don’t try to see (or touch) electricity, network traffic analysis is much less dangerous! I would even say that it can be fun, once you learn some basics.

Pro Tip #1: Get the right tools.

NCL is very forgiving when it comes to not requiring software downloads and commercial software – they offer a tool called CloudShark for the NTA challenges that require it. This is how you can compete with a ten-year-old laptop or a tablet; all you need to do is use the tool that is provided to you at no additional cost or hassle. I have used CloudShark to solve some challenges and it works well enough.

CloudShark is based on an open source tool called Wireshark which is an industry standard. That beings said, if you are looking to use the NCL Games to learn skills for the real world, I would recommend that you install Wireshark. It supports multiple platforms (Windows, Linux, Mac OS, etc) and is free! In addition, you can get basic training and tutorials on how to use it from the developer. Being so widely used in the industry I have found tutorials on YouTube, Lynda, Udemy, Cybrary, and included in many ethical hacker training bundles. Wireshark also has some great features that help to visualize and inspect traffic in way that make your job much easier.

Pro Tip #2. Practice!

This is where our very good tutorial (I may be biased) on Virtual Machines comes in handy. There are several places where you can download packet captures but you need to be careful. When you replay traffic, you could be injecting packets into your own network! Better to be safe, spin up a virtual machine, and load the packet captures in a safe sandbox. This is also common in industry. When an infected box is found, a packet capture is conducted, and the analysis of the machine is done in virtual space so as not to alter the forensic evidence. I recommend using kali in your virtual machine – it comes with Wireshark pre-loaded!

Pro Tip #3. Learn your anatomy.

For a Doctor to diagnose a patient, they spend years studying and learning anatomy. For these exercises, you will need to learn the anatomy of a packet. Dust off those packet charts and learn the content that is inside of a packet. Learn how to trace the packets and follow the streams. You will be doing a lot of this. Learn what “normal” traffic looks like and learn to filter it out so you are looking at what doesn’t belong.

Here are a few things to look for:

  • Look at the Source and Destination IP Address – what sites are communicating with your network? What computers on your network are they reaching out to?
  • Look at the artifacts – what has been downloaded? What information do these artifacts reveal?
  • Look at times – when was a file downloaded? When is traffic the heaviest?
  • Look at ports – are standard ports being used? Is traffic being passed on port that are insecure like FTP or Telnet?
  • Look at the packet headers – there is a lot of fingerprint information in here, that reveals which device was used, the time and duration, and whether the request was successful.

I already know all this! What else do you have for me?

Setting up your Wireshark Environment is key to saving time and improving efficiency. I have my Wireshark environment set up very similar to how Hansang Bae (presenter on SharkWeek) recommends this video.

Make sure that you reorder columns in a way that makes sense and disable columns that you do not use. I turn color marking off, and as I screen out “normal” traffic I color it differently to mark it is “good” traffic.

Another advanced tip is to use TShark – the Wireshark command line tool – in scripts and to do very detailed queries. TShark can do in one line what may take hours to filter by hand. Some very good tutorials are out there to leverage this powerful tool as well, but it can be intimidating to new competitors not used to using a lot of command-line-driven tools.

Sharks are friends, especially in the world of packet analysis. There is really nothing to be scared of!

4 thoughts on “Newbies Guide to Network Traffic Analysis for the National Cyber League Games

  1. says:

    Hi, I check your new stuff like every week.Your writing style is awesome, keep up the good work!


  2. says:

    This is really interesting, You’re a very skilled blogger.
    I have joined your rss feed and look forward to seeking more of your great post.
    Also, I’ve shared your site in my social networks!


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.