Roadmap: Deep Packet Analysis & Network Forensics

1. Overview

This roadmap defines a professional-grade packet analysis capability for:

  • Network troubleshooting and diagnostics

  • Security incident investigation

  • Protocol analysis and debugging

  • Performance optimization

  • Compliance and audit evidence collection

This is DEEP packet analysis - not just "run Wireshark and look at packets." This covers:

  • Hardware network taps for passive, non-intrusive capture

  • Command-line analysis at scale (tshark, not GUI)

  • Automated analysis pipelines

  • Forensic-grade evidence handling

  • Integration with SIEM and security workflows

2. Hardware: DualComm ETAP-2003 Network Tap

2.1. Specifications

Model          DualComm ETAP-2003
Type           10/100/1000Base-T Passive Network Tap
Manufacturer   www.dualcomm.com
Ports          4 (Network A, Network B, Monitor A, Monitor B)
Speed          Gigabit Ethernet
Power          Passive (no power required for 10/100), USB for Gigabit
Use Case       Non-intrusive traffic capture between two network points

2.2. Deployment Topology

Figure: Network Tap Deployment

Tap Placement Examples:

  • Between switch uplink and router (all VLAN traffic)

  • Between ISE and switch (802.1X/RADIUS analysis)

  • Between firewall and DMZ (threat hunting)

2.3. Tap Placement Scenarios

Scenario                 Placement                      Analysis Goals
802.1X Troubleshooting   Between switch and ISE         EAP exchanges, RADIUS, CoA
Firewall Analysis        Between VyOS HA and upstream   Blocked traffic, NAT issues, zone policies
Server Segmentation      Between server VLAN and core   Lateral movement detection
WAN Analysis             Between router and modem       ISP issues, DDoS detection
Wireless Debug           Between WLC and switch         CAPWAP, client roaming

3. Tool Stack

3.1. Primary Tools

Tool            Purpose                                   Key Commands
tshark          CLI packet capture and analysis           tshark -i eth0 -w capture.pcap
Wireshark       GUI deep packet inspection                For complex protocol decoding
tcpdump         Lightweight capture                       tcpdump -i eth0 -w quick.pcap
nmap            Network discovery and security scanning   nmap -sV -sC -p- target
netcat (nc)     Network debugging and data transfer       nc -lvnp 4444
ss/netstat      Socket and connection analysis            ss -tulnp
iftop/nethogs   Real-time bandwidth monitoring            iftop -i eth0

3.2. Advanced Tools

Tool              Purpose
zeek (Bro)        Network security monitoring framework
suricata          IDS/IPS with protocol analysis
arkime (Moloch)   Full packet capture and search
NetworkMiner      Forensic network analysis (files, images, credentials)
capinfos          Capture file statistics
editcap           Edit/split capture files
mergecap          Merge multiple captures

4. Phase 1: Capture Infrastructure Setup

4.1. Objectives

  • Deploy ETAP-2003 for non-intrusive capture

  • Configure analysis workstation with dual NICs

  • Establish capture storage (high-speed, encrypted)

  • Document evidence handling procedures

4.2. Tasks

#     Task                                                Priority
1.1   Physical tap deployment between switch and router   HIGH
1.2   Configure analysis workstation with dual NICs       HIGH
1.3   Set up high-speed capture storage (NVMe SSD)        HIGH
1.4   Create bonded interface for merged A+B capture      MEDIUM
1.5   Document tap placement procedures                   MEDIUM
1.6   Establish capture file naming conventions           MEDIUM

4.3. Capture Storage Requirements

# Gigabit = ~125 MB/s theoretical max
# 1 hour of saturated gigabit = ~450 GB

# Recommended storage:
# - Minimum: 1TB NVMe SSD
# - Recommended: 2TB+ NVMe SSD
# - Archive: NAS with compression

# Encrypted storage for forensic integrity
cryptsetup luksFormat /dev/nvme0n1p1
cryptsetup open /dev/nvme0n1p1 captures
mkfs.ext4 /dev/mapper/captures
mount /dev/mapper/captures /mnt/captures

5. Phase 2: tshark Mastery

5.1. Objectives

  • Command-line capture and filtering at scale

  • Protocol-specific analysis

  • Automated capture pipelines

  • Statistics and reporting

5.2. Essential tshark Commands

5.2.1. Basic Capture

# Capture to file
tshark -i eth0 -w capture.pcap

# Capture with rotation (100MB files, keep 10)
tshark -i eth0 -b filesize:102400 -b files:10 -w capture.pcap

# Capture with duration (1 hour)
tshark -i eth0 -a duration:3600 -w hourly.pcap

# Capture specific protocol
tshark -i eth0 -f "port 1812" -w radius.pcap

5.2.2. Display Filters (Read Existing Capture)

# Filter by IP
tshark -r capture.pcap -Y "ip.addr == 10.50.1.20"

# Filter by protocol
tshark -r capture.pcap -Y "eap"
tshark -r capture.pcap -Y "radius"
tshark -r capture.pcap -Y "tls.handshake"

# Filter by TCP flags
tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0"

# Filter failed authentications
tshark -r capture.pcap -Y "radius.code == 3"  # Access-Reject

5.2.3. Field Extraction

# Extract specific fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.port

# Extract RADIUS usernames
tshark -r radius.pcap -Y "radius" -T fields -e radius.User_Name

# Extract TLS certificates
tshark -r capture.pcap -Y "tls.handshake.certificate" \
  -T fields -e x509sat.uTF8String

# Extract HTTP requests
tshark -r capture.pcap -Y "http.request" \
  -T fields -e http.host -e http.request.uri

5.2.4. Statistics

# Protocol hierarchy
tshark -r capture.pcap -q -z io,phs

# Conversations
tshark -r capture.pcap -q -z conv,tcp

# Endpoints
tshark -r capture.pcap -q -z endpoints,ip

# HTTP requests
tshark -r capture.pcap -q -z http,tree

# Expert info (errors/warnings)
tshark -r capture.pcap -q -z expert

5.3. 802.1X/RADIUS Analysis

# Capture RADIUS traffic
tshark -i eth0 -f "port 1812 or port 1813 or port 1645 or port 1646" \
  -w radius_capture.pcap

# Filter EAP-TLS
tshark -r radius_capture.pcap -Y "eap.type == 13"

# Extract authentication results
tshark -r radius_capture.pcap -Y "radius" \
  -T fields -e frame.time -e radius.code -e radius.User_Name \
  -E header=y -E separator=,

# RADIUS codes: 1=Request, 2=Accept, 3=Reject, 11=Challenge
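As an added example for the authentication-results extraction above (not part of the original roadmap), the Python below turns that field output into per-user outcome counts and flags accounts with repeated Access-Rejects, which is what an analyst wants from a tap placed between the switch and ISE. It assumes two changes to the extraction command: `-e frame.time_epoch` in place of `-e frame.time`, because the default frame.time rendering contains a comma that collides with `separator=,`, and an added `-e radius.id`, so each server reply (which carries no User-Name) can be matched to the request with the same RADIUS Identifier. The sample rows are constructed, and a single NAS is assumed (add ip.src to the matching key when several NASes share the capture).

```python
import csv
import io
from collections import defaultdict

# RADIUS packet codes as listed in the roadmap: 1=Request, 2=Accept, 3=Reject, 11=Challenge.
REQUEST = 1
REPLY_NAMES = {2: "accept", 3: "reject", 11: "challenge"}

# Constructed sample of the tshark field output (not a real capture): alice passes
# after one EAP challenge round, bob is rejected three times in a row.
SAMPLE_CSV = """frame.time_epoch,radius.code,radius.id,radius.User_Name
1770800401.000000000,1,17,alice
1770800401.050000000,11,17,
1770800401.100000000,1,18,alice
1770800401.200000000,2,18,
1770800405.000000000,1,19,bob
1770800405.100000000,3,19,
1770800406.000000000,1,20,bob
1770800406.100000000,3,20,
1770800407.000000000,1,21,bob
1770800407.100000000,3,21,
"""

def summarise(csv_text):
    """Per-user counts of accept/reject/challenge/unanswered. Each server reply is
    matched to the most recent open Access-Request with the same Identifier,
    because replies carry no User-Name and the request supplies it."""
    pending = {}  # radius.id -> User-Name of the request still awaiting a reply (one NAS assumed)
    stats = defaultdict(lambda: dict.fromkeys(("accept", "reject", "challenge", "unanswered"), 0))
    for row in csv.DictReader(io.StringIO(csv_text)):
        code, rid = int(row["radius.code"]), row["radius.id"]
        if code == REQUEST:
            if rid in pending:  # Identifier reused before the earlier request was answered
                stats[pending[rid]]["unanswered"] += 1
            pending[rid] = row["radius.User_Name"]
        elif rid in pending and code in REPLY_NAMES:
            stats[pending.pop(rid)][REPLY_NAMES[code]] += 1
    for user in pending.values():  # requests still open when the capture ended
        stats[user]["unanswered"] += 1
    return dict(stats)

def repeated_rejects(stats, threshold=3):
    """Users whose Access-Reject count reaches the threshold: a bad password,
    an expired supplicant certificate, or credential guessing worth investigating."""
    return sorted(user for user, s in stats.items() if s["reject"] >= threshold)

if __name__ == "__main__":
    summary = summarise(SAMPLE_CSV)
    print(summary, "repeated rejects:", repeated_rejects(summary))
```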

6. Phase 3: nmap Advanced Scanning

6.1. Objectives

  • Network discovery and inventory

  • Service enumeration

  • Vulnerability assessment

  • Scripted automation

6.2. Essential nmap Commands

# Host discovery (ping sweep)
nmap -sn 10.50.1.0/24

# Full port scan with service detection
nmap -sV -sC -p- -oA full_scan 10.50.1.0/24

# Fast scan (top 100 ports; the default without -F is the top 1000)
nmap -F 10.50.1.0/24

# UDP scan (slow but important)
nmap -sU --top-ports 100 10.50.1.20

# Vulnerability scan
nmap --script vuln 10.50.1.20

# OS detection
nmap -O 10.50.1.20

# Aggressive scan (everything)
nmap -A -T4 10.50.1.0/24

6.3. 802.1X/NAC Evasion Testing

# Test if MAC bypass works
nmap --spoof-mac 00:11:22:33:44:55 -sn 10.50.1.1

# Test with specific vendor MAC
nmap --spoof-mac Cisco -sn 10.50.1.1

# Scan through authenticated session
# (must be on authenticated VLAN)
nmap -sV -p 22,80,443 10.50.1.0/24

7. Phase 4: netcat Network Debugging

7.1. Objectives

  • Port testing and connectivity verification

  • Data transfer and file exfiltration testing

  • Reverse shell detection testing

  • Banner grabbing

7.2. Essential netcat Commands

# Test if port is open
nc -zv 10.50.1.20 443

# Port range scan
nc -zv 10.50.1.20 1-1000

# Banner grab
echo "" | nc -v 10.50.1.20 22

# Listen on port (server)
nc -lvnp 4444

# Connect to listener (client)
nc 10.50.1.100 4444

# File transfer (receiver)
nc -lvnp 4444 > received_file

# File transfer (sender)
nc 10.50.1.100 4444 < file_to_send

# HTTP request
echo -e "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n" | nc example.com 80

8. Phase 5: Forensic Analysis Workflows

8.1. Incident Response Capture

#!/bin/bash
# incident-capture.sh - Forensic-grade capture script

INCIDENT_ID="${1:-$(date +%Y%m%d_%H%M%S)}"
CAPTURE_DIR="/mnt/captures/incidents/${INCIDENT_ID}"
INTERFACE="eth0"

mkdir -p "${CAPTURE_DIR}"

# Start capture with metadata
echo "Incident: ${INCIDENT_ID}" > "${CAPTURE_DIR}/metadata.txt"
echo "Start: $(date -Iseconds)" >> "${CAPTURE_DIR}/metadata.txt"
echo "Analyst: $(whoami)" >> "${CAPTURE_DIR}/metadata.txt"
echo "Host: $(hostname)" >> "${CAPTURE_DIR}/metadata.txt"

# Capture with 100MB rotation
tshark -i "${INTERFACE}" \
  -b filesize:102400 \
  -w "${CAPTURE_DIR}/capture.pcap" \
  2>&1 | tee "${CAPTURE_DIR}/capture.log"

8.2. Automated Analysis Pipeline

#!/bin/bash
# analyze-capture.sh - Automated analysis report

CAPTURE_FILE="$1"
if [ -z "${CAPTURE_FILE}" ] || [ ! -r "${CAPTURE_FILE}" ]; then
  echo "usage: $0 <capture.pcap>" >&2
  exit 1
fi
# Quote the path inside the substitution too, or a directory with spaces breaks dirname
REPORT_DIR="$(dirname "${CAPTURE_FILE}")/analysis"

mkdir -p "${REPORT_DIR}"

# Basic stats
capinfos "${CAPTURE_FILE}" > "${REPORT_DIR}/stats.txt"

# Protocol hierarchy
tshark -r "${CAPTURE_FILE}" -q -z io,phs > "${REPORT_DIR}/protocols.txt"

# Top talkers
tshark -r "${CAPTURE_FILE}" -q -z endpoints,ip > "${REPORT_DIR}/endpoints.txt"

# Conversations
tshark -r "${CAPTURE_FILE}" -q -z conv,tcp > "${REPORT_DIR}/conversations.txt"

# DNS queries
tshark -r "${CAPTURE_FILE}" -Y "dns.qry.name" \
  -T fields -e dns.qry.name | sort | uniq -c | sort -rn \
  > "${REPORT_DIR}/dns_queries.txt"

# HTTP hosts
tshark -r "${CAPTURE_FILE}" -Y "http.host" \
  -T fields -e http.host | sort | uniq -c | sort -rn \
  > "${REPORT_DIR}/http_hosts.txt"

# Expert info (errors)
tshark -r "${CAPTURE_FILE}" -q -z expert \
  > "${REPORT_DIR}/expert_info.txt"

echo "Analysis complete: ${REPORT_DIR}"

9. Phase 6: Integration with Security Workflows

9.1. SIEM Integration

  • Export tshark output to JSON for log aggregation

  • Feed nmap results to vulnerability management

  • Correlate packet captures with ISE authentication logs

9.2. Documentation Requirements

  • Chain of custody for forensic captures

  • Hash verification (SHA256) for evidence integrity

  • Timestamping with NTP-verified clocks
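One way to meet the hash-verification and chain-of-custody requirements above, as an added example that is not part of the original roadmap: seal a capture directory (such as the one incident-capture.sh creates) with a SHA256 manifest naming the analyst and the sealing time, then re-verify it before analysis or hand-off. File names, the analyst label and the temporary-directory demo are constructed; the sealing timestamp is only as trustworthy as the host clock, which is why the NTP requirement sits next to it.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-GB capture files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def write_manifest(capture_dir, analyst):
    """Seal the directory: hash every .pcap/.pcapng and record who sealed it and when."""
    entries = [{"file": name, "sha256": sha256_file(os.path.join(capture_dir, name))}
               for name in sorted(os.listdir(capture_dir))
               if name.endswith((".pcap", ".pcapng"))]
    manifest = {"sealed_at": datetime.now(timezone.utc).isoformat(),
                "analyst": analyst, "files": entries}
    with open(os.path.join(capture_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_manifest(capture_dir):
    """Return a list of problems; an empty list means every sealed file still matches."""
    with open(os.path.join(capture_dir, "manifest.json")) as f:
        manifest = json.load(f)
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(capture_dir, entry["file"])
        if not os.path.exists(path):
            problems.append(f"missing: {entry['file']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['file']}")
    return problems

def demo():
    """Constructed run in a temp dir: seal two fake capture files, then tamper with one."""
    with tempfile.TemporaryDirectory() as d:
        for name, fill in (("capture_00001.pcap", b"A"), ("capture_00002.pcap", b"B")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\xd4\xc3\xb2\xa1" + fill * 100)  # pcap magic + dummy payload
        write_manifest(d, "analyst-example")
        clean = verify_manifest(d)
        with open(os.path.join(d, "capture_00002.pcap"), "ab") as f:
            f.write(b"X")  # one byte appended after sealing
        return clean, verify_manifest(d)
```

Keep manifest.json itself on write-once media or hash it into the incident ticket; a manifest the analyst can silently rewrite proves nothing.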

10. Work Applicability

This capability directly supports work requirements:

  • Incident Response: Forensic-grade capture and analysis

  • Network Troubleshooting: Deep protocol debugging

  • Security Assessments: Vulnerability scanning, penetration testing prep

  • Compliance: Evidence collection for audits

  • Training: Skills development for infosec team

Hardware tap (ETAP-2003) enables passive monitoring without network disruption.

12. Revision History

Date         Author           Changes
2026-02-11   EvanusModestus   Initial roadmap creation