Phase 4: Network Forensics

Capture, dissect, and reconstruct network traffic from the CLI: the same analysis Wireshark does in the GUI, but scriptable, automatable, and pipeline-friendly.

Packet Capture

# Capture with time-based rotation: strftime patterns in the -w name are only
# expanded when -G is given (new file every hour here); -W 24 stops after 24 files.
# -n disables name resolution so the capture host does not generate DNS traffic of its own.
tcpdump -i eth0 -n -G 3600 -W 24 -w 'capture-%Y%m%d-%H%M.pcap'

# Capture specific traffic
tcpdump -i eth0 -n 'port 443 and host 10.50.1.20' -w ise-traffic.pcap

# Ring buffer capture (continuous; 50 MB files ring.pcap00 .. ring.pcap19, oldest overwritten).
# tcpdump drops privileges after opening the interface and -Z names the user it drops to;
# instead of -Z root, give that unprivileged user (name varies by distribution) a writable
# output directory.
tcpdump -i eth0 -n -w ring.pcap -C 50 -W 20 -Z tcpdump

Protocol Analysis with tshark

# Read pcap with display filter
tshark -r capture.pcap -Y 'http.request'

# Extract specific fields (like Wireshark columns)
tshark -r capture.pcap -T fields -e frame.time -e ip.src -e ip.dst -e http.host -e http.request.uri

# DNS queries
tshark -r capture.pcap -Y 'dns.flags.response == 0' -T fields -e dns.qry.name | sort -u

# TLS handshake analysis (SNI from each ClientHello, with the server it was sent to;
# on Wireshark/tshark older than 3.0 the fields are named ssl.* instead of tls.*)
tshark -r capture.pcap -Y 'tls.handshake.type == 1' -T fields -e ip.dst -e tls.handshake.extensions_server_name

# Statistics — protocol hierarchy
tshark -r capture.pcap -q -z io,phs

# Conversation statistics
tshark -r capture.pcap -q -z conv,tcp

Session Reconstruction

# Reconstruct TCP streams
tcpflow -r capture.pcap -o /output/sessions/

# Extract HTTP objects (files transferred); the same switch also handles smb, tftp, imf and dicom
tshark -r capture.pcap -q --export-objects http,/output/http-objects/

# Follow a specific TCP stream (the index is the tcp.stream field of any packet in that stream)
tshark -r capture.pcap -q -z follow,tcp,ascii,0

# Pattern matching on packet payloads (-i: case-insensitive; only finds cleartext protocols)
ngrep -I capture.pcap -q -i 'password|login|auth'

Forensic Indicators

# Detect beaconing: interval between successive outbound SYNs, per destination.
# (frame.time_delta_displayed is the gap to the previous displayed frame of ANY
# destination, so it cannot be used for this.) Fixed intervals float to the top.
tshark -r capture.pcap -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
  -T fields -e frame.time_epoch -e ip.dst | sort -k2,2 -k1,1n | \
  awk '$2 == d { printf "%s %.0f\n", $2, $1 - t } { d = $2; t = $1 }' | \
  sort | uniq -c | sort -rn | head -20
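A deeper version of the beacon check above, added here as an example and not part of the original page: instead of counting exact repeats it tolerates jitter by scoring each destination on the coefficient of variation (stddev/mean) of its connection intervals. The input format is the `frame.time_epoch ip.dst` pairs tshark emits for the outbound-SYN filter; the embedded sample is constructed, and the thresholds (at least 5 intervals, CV below 0.2) are assumptions to tune per environment.

```shell
#!/bin/sh
# score_beacons: read "epoch_seconds dst_ip" lines (the output of
#   tshark -r capture.pcap -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
#     -T fields -e frame.time_epoch -e ip.dst)
# and report, per destination, the number of intervals, the mean interval and
# the coefficient of variation (stddev / mean). Near-constant intervals give a
# CV close to 0 even with a few seconds of jitter, which is what C2 beacons look like.
# MIN_INTERVALS and MAX_CV are assumed thresholds, not values from the page.
MIN_INTERVALS=${MIN_INTERVALS:-5}
MAX_CV=${MAX_CV:-0.2}

score_beacons() {
    # group by destination, then by time, so consecutive lines share a dst
    sort -k2,2 -k1,1n | awk -v min="$MIN_INTERVALS" -v maxcv="$MAX_CV" '
        $2 == prev_dst {            # same destination as previous line: one interval
            d = $1 - prev_t
            n[$2]++; s[$2] += d; ss[$2] += d * d
        }
        { prev_dst = $2; prev_t = $1 }
        END {
            for (dst in n) {
                if (n[dst] < min) continue          # too few connections to judge
                mean = s[dst] / n[dst]
                var = ss[dst] / n[dst] - mean * mean
                if (var < 0) var = 0                # guard rounding error
                cv = (mean > 0) ? sqrt(var) / mean : 0
                flag = (cv < maxcv) ? "PERIODIC" : "-"
                printf "%-16s %4d %9.1f %6.3f %s\n", dst, n[dst], mean, cv, flag
            }
        }' | sort -k4,4n                             # most regular first
}

# Constructed sample standing in for tshark output: 203.0.113.10 is contacted
# every ~60 s with +/-2 s jitter, 198.51.100.7 at irregular times, 192.0.2.50 twice.
sample_syn_log() {
    cat <<'EOF'
1700000000.0 203.0.113.10
1700000005.0 198.51.100.7
1700000010.0 192.0.2.50
1700000012.0 198.51.100.7
1700000061.5 203.0.113.10
1700000070.0 192.0.2.50
1700000119.8 203.0.113.10
1700000140.0 198.51.100.7
1700000145.5 198.51.100.7
1700000180.2 203.0.113.10
1700000241.0 203.0.113.10
1700000299.1 203.0.113.10
1700000360.7 203.0.113.10
1700000400.0 198.51.100.7
1700000402.0 198.51.100.7
1700000420.4 203.0.113.10
1700000478.9 203.0.113.10
1700000540.3 203.0.113.10
1700000990.0 198.51.100.7
EOF
}

# Usage on a real capture:
#   tshark -r capture.pcap -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
#     -T fields -e frame.time_epoch -e ip.dst | score_beacons
sample_syn_log | score_beacons
```

Columns are destination, number of intervals, mean interval in seconds, CV and flag. Destinations with fewer intervals than the threshold are dropped rather than scored, since two connections always look "periodic"; lower the CV threshold for beacons that add heavy randomised sleep, or pre-filter on a port with `tcp.dstport` if the capture is large.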

# Unusual ports: count connection attempts only; without the SYN filter every server
# reply adds a client ephemeral port to the list. Most-used first; use sort -n for the rare ones.
tshark -r capture.pcap -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
  -T fields -e tcp.dstport | sort | uniq -c | sort -rn | head -20

# Large data transfers: bytes per directed src -> dst pair. The conv,tcp table is
# meant for humans (depending on version its Bytes column carries units such as kB),
# so sum frame.len yourself; outbound-heavy pairs are the exfiltration candidates.
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e frame.len | \
  awk '{ b[$1 " -> " $2] += $3 } END { for (k in b) printf "%12d %s\n", b[k], k }' | \
  sort -rn | head -10

# DNS tunneling detection (long query names; queries only, so responses are not counted twice)
tshark -r capture.pcap -Y 'dns.flags.response == 0' -T fields -e dns.qry.name | \
  awk 'length($0) > 60 { print length($0), $0 }' | sort -rn | uniq | head -20
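Name length alone also flags long but harmless CDN hostnames. The script below, added here as an example and not part of the original page, scores each base domain on what a tunnel actually produces: many unique, long names under one base. It consumes the `dns.qry.name` column from the query above; the embedded sample is constructed, the base domain is approximated as the last two labels, and the thresholds (5 unique names, average 30 bytes below the base) are assumptions.

```shell
#!/bin/sh
# score_dns_tunnel: read DNS query names (the output of
#   tshark -r capture.pcap -Y 'dns.flags.response == 0' -T fields -e dns.qry.name)
# and, per base domain, report total queries, unique names, the average and
# maximum length of the part below the base domain, and a SUSPECT flag.
# A tunnel encodes data in ever-changing long subdomains, so what matters is
# many unique, long names under one base, not a single long CDN hostname.
# The base domain is approximated as the last two labels (wrong for co.uk-style
# suffixes) and MIN_UNIQUE / MIN_AVG_LEN are assumed thresholds; neither is from the page.
MIN_UNIQUE=${MIN_UNIQUE:-5}
MIN_AVG_LEN=${MIN_AVG_LEN:-30}

score_dns_tunnel() {
    awk -F. -v minu="$MIN_UNIQUE" -v minlen="$MIN_AVG_LEN" '
        NF >= 2 {
            name = tolower($0)
            base = tolower($(NF-1) "." $NF)
            q[base]++                                   # every query counts toward volume
            if (name in seen) next                      # but length stats use unique names
            seen[name] = 1
            sublen = length(name) - length(base) - 1    # bytes below the base, minus the dot
            if (sublen < 0) sublen = 0
            u[base]++; len[base] += sublen
            if (sublen > mx[base]) mx[base] = sublen
        }
        END {
            for (b in u) {
                avg = len[b] / u[b]
                flag = (u[b] >= minu && avg >= minlen) ? "SUSPECT" : "-"
                printf "%-16s %5d %5d %6.1f %4d %s\n", b, q[b], u[b], avg, mx[b], flag
            }
        }' | sort -k3,3nr                                # most unique names first
}

# Constructed sample: normal browsing to example.com, one long CDN name under
# example.org, and six distinct 32-hex-char labels under t.example.net (one repeated).
sample_dns_log() {
    cat <<'EOF'
www.example.com
mail.example.com
9f1c3e5a7b2d4f6081a3c5e7f9b1d3e5.t.example.net
www.example.com
cdn.example.com
a04e6c8b1d3f5a7c9e2b4d6f8a0c1e3b.t.example.net
d1a2b3c4e5f6a7b8c9d0e1f2a3b4c5d6e7f8.cloudfront.example.org
5b7d9f1a3c5e7a9c1e3b5d7f9a1c3e5b.t.example.net
www.example.com
e3c5a7f9b1d3f5a7c9e1b3d5f7a9c1e3.t.example.net
0c2e4a6c8e0a2c4e6a8c0e2a4c6e8a0c.t.example.net
7a9c1e3b5d7f9a1c3e5b7d9f1a3c5e7b.t.example.net
9f1c3e5a7b2d4f6081a3c5e7f9b1d3e5.t.example.net
EOF
}

# Usage on a real capture:
#   tshark -r capture.pcap -Y 'dns.flags.response == 0' -T fields -e dns.qry.name | score_dns_tunnel
sample_dns_log | score_dns_tunnel
```

Columns are base domain, queries, unique names, average and maximum subdomain length, flag. The single 47-byte name under example.org stays unflagged because it never varies, while example.net is flagged on six unique 34-byte names; feed a public-suffix list into the base-domain step before relying on this against country-code TLDs.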