Network Forensics: Packet Capture Analysis, Flow Data and Incident Investigation
Network forensics is the collection, analysis and examination of network traffic to investigate security incidents. Packet capture analysis gives a deep dive down to the payload of every packet, flow data (NetFlow/IPFIX) gives an overview of traffic patterns, and incident investigation uses both data sources together with logs to build a timeline and identify the root cause of security incidents.
When a security breach occurs, the most important evidence lies in the network traffic: an attacker may be able to delete logs on a host, but cannot delete packets that have already been captured at the network level. Network forensics answers the questions: who connected to what? What data was sent? When? How much data left the network?
Network Evidence Types
| Evidence Type | Detail Level | Storage Cost | Use Case |
|---|---|---|---|
| Full Packet Capture (PCAP) | Highest (payload + headers) | Very high (TB/day) | Deep analysis, malware extraction, evidence |
| Flow Data (NetFlow/IPFIX) | Medium (metadata: src/dst IP, ports, bytes, duration) | Low (GB/day) | Traffic patterns, anomaly detection, baseline |
| DNS Logs | Medium (queries + responses) | Low | C2 detection, tunneling, domain analysis |
| Proxy/Firewall Logs | Medium (URLs, actions, user info) | Low to medium | Web activity, policy violations |
| IDS/IPS Alerts | Low (triggered rules only) | Low | Known attack signatures |
Packet Capture Tools
| Tool | Type | Strengths |
|---|---|---|
| Wireshark | GUI Analyzer | Best packet analysis GUI, dissectors for 3000+ protocols |
| tcpdump | CLI Capture | Lightweight, CLI, available on all Linux/BSD systems |
| tshark | CLI Analyzer | CLI version of Wireshark, scriptable analysis |
| NetworkMiner | Forensic Analyzer | Auto-extracts files, images and credentials from PCAP |
| Zeek (Bro) | Network Monitor | Generates structured logs from traffic (conn.log, dns.log, http.log) |
| Moloch/Arkime | Full Packet Capture System | Large-scale PCAP storage + search + analysis |
| Suricata | IDS/IPS + NSM | Signature detection + protocol logging + file extraction |
Wireshark Analysis Techniques
| Technique | Filter/Method | Purpose |
|---|---|---|
| Follow TCP Stream | Right-click → Follow → TCP Stream | View the full conversation (request + response) |
| HTTP Object Export | File → Export Objects → HTTP | Extract transferred files from HTTP traffic |
| DNS Query Analysis | dns.qry.name contains "suspicious" | Find C2 domains, DGA, tunneling |
| Conversations | Statistics → Conversations | View top talkers, unusual connections |
| Protocol Hierarchy | Statistics → Protocol Hierarchy | View the share of each protocol (unusual = suspicious) |
| Expert Info | Analyze → Expert Information | Find errors, warnings and anomalies automatically |
| Display Filter | ip.addr == 10.0.0.1 && tcp.port == 443 | Filter only the traffic of interest |
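The Conversations and Protocol Hierarchy statistics above can be reproduced directly from the pcap file format. The following is an added example, not code from the original article: it builds a small constructed capture in memory (documentation-range addresses, zero payloads) and computes both statistics with the standard library only. It assumes a little-endian pcap with Ethernet link type and IPv4 frames, which is what tcpdump writes on common hardware.

```python
import struct
from collections import Counter
PCAP_MAGIC = 0xA1B2C3D4            # little-endian pcap with microsecond timestamps
PROTO_NAMES = {6: "tcp", 17: "udp"}

def build_packet(src, dst, proto, sport, dport, payload_len):
    """Constructed Ethernet+IPv4+TCP/UDP frame with a zero payload; checksums left as 0."""
    if proto == 6:  # 20-byte TCP header: ports, seq, ack, data offset, flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0, 0, 0)
    else:           # 8-byte UDP header: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    ip_len = 20 + len(l4) + payload_len
    addrs = bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    ip = struct.pack("!BBHHHBBH", 0x45, 0, ip_len, 0, 0, 64, proto, 0) + addrs
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + b"\x00" * payload_len

def build_pcap(packets):
    """pcap global header (linktype 1 = Ethernet), then a 16-byte record header per packet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def parse_pcap(data):
    """Yield (src, dst, proto, sport, dport, ip_total_len) for every IPv4 packet in the file."""
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":        # skip non-IPv4 frames (ARP, IPv6, ...)
            continue
        ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
        total_len = struct.unpack_from("!H", frame, 16)[0]
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)  # same offsets for TCP and UDP
        yield src, dst, frame[23], sport, dport, total_len

def conversations(data):
    """Statistics -> Conversations: IP bytes per unordered address pair, largest first."""
    c = Counter()
    for src, dst, _, _, _, n in parse_pcap(data):
        c[tuple(sorted((src, dst)))] += n
    return c.most_common()

def protocol_hierarchy(data):
    """Statistics -> Protocol Hierarchy: fraction of packets per transport protocol."""
    c = Counter(PROTO_NAMES.get(p[2], str(p[2])) for p in parse_pcap(data))
    total = sum(c.values())
    return {name: round(n / total, 3) for name, n in c.items()}
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `conversations` or `protocol_hierarchy`; big-endian or pcapng captures would need a different header parser.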
Flow Data Analysis
| Analysis | How to Check | Indicates |
|---|---|---|
| Top Talkers | Sort by bytes → find hosts that send/receive abnormally much | Data exfiltration, compromise |
| Long Duration Flows | Flows with duration > 24 hours | Persistent C2 connections, tunnels |
| Beaconing | Regular-interval connections (every 60 s, 300 s) | C2 beaconing (malware calling home) |
| Port Anomalies | Unusual ports (high-numbered, non-standard) | Backdoors, covert channels |
| Geographic Anomalies | Connections to unexpected countries | C2 servers, data theft to foreign IPs |
| After-hours Traffic | Large transfers during non-business hours | Automated exfiltration |
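Three of the checks in the table (beaconing, top talkers, long-duration flows) on NetFlow-style records, as an added example that is not part of the original article. The flow records are constructed for illustration, the (start, src, dst, dport, bytes, duration) layout is an assumption, and beaconing is scored by the coefficient of variation of the gaps between successive flows to the same destination.

```python
from collections import defaultdict
from statistics import mean, pstdev

T0 = 1_700_000_000
# Constructed NetFlow-style records: (start_ts, src, dst, dport, bytes, duration_s).
# Values are made up for illustration; addresses come from documentation ranges.
FLOWS = (
    # 10.0.0.23 contacts 198.51.100.7:443 roughly every 300 s with a few seconds of jitter
    [(T0 + off, "10.0.0.23", "198.51.100.7", 443, 512, 2)
     for off in (0, 302, 598, 901, 1199, 1503, 1798, 2100)]
    # 10.0.0.8 browses 192.0.2.10:443 at human-irregular times
    + [(T0 + off, "10.0.0.8", "192.0.2.10", 443, 20_000, 15)
       for off in (0, 40, 700, 730, 2000, 2100)]
    # one very large, day-long flow from 10.0.0.44 to an outside host
    + [(T0 + 50, "10.0.0.44", "203.0.113.80", 8443, 5_000_000, 90_000)]
)

def beaconing(flows, min_count=6, max_cv=0.1):
    """Flag (src, dst, dport) tuples whose inter-flow gaps are near-constant.
    CV = stdev/mean of the gaps; a low CV means timer-driven, not human, activity."""
    starts = defaultdict(list)
    for ts, src, dst, dport, _, _ in flows:
        starts[(src, dst, dport)].append(ts)
    hits = []
    for key, times in starts.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            hits.append((key, round(mean(gaps)), round(cv, 3)))
    return hits

def top_talkers(flows, n=3):
    """Bytes sent per source host, largest first."""
    total = defaultdict(int)
    for _, src, _, _, nbytes, _ in flows:
        total[src] += nbytes
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)[:n]

def long_flows(flows, min_hours=24):
    """Flows whose duration is at least min_hours (persistent C2 or tunnels)."""
    return [(src, dst, dport, dur) for _, src, dst, dport, _, dur in flows
            if dur >= min_hours * 3600]
```

Tune `min_count` and `max_cv` against your own baseline; software updaters and monitoring agents also beacon, so a hit is a lead to confirm against the PCAP, not a verdict.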
Incident Investigation Workflow
| Phase | Action | Tools |
|---|---|---|
| 1. Identification | Alert triggers → identify affected hosts + timeframe | SIEM, IDS alerts, flow anomaly |
| 2. Collection | Collect PCAP, flow data and logs from the timeframe | Arkime, tcpdump, NetFlow collector |
| 3. Preservation | Hash evidence files (MD5/SHA256), maintain chain of custody | hashdeep, evidence management |
| 4. Analysis | Analyze traffic → reconstruct events → build timeline | Wireshark, Zeek, NetworkMiner |
| 5. Correlation | Correlate network evidence with host logs, endpoint data | SIEM, timeline tools |
| 6. Reporting | Document findings, timeline, IOCs, recommendations | Report templates |
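A minimal version of the preservation step, as an added example that is not part of the original article: each collected evidence file is hashed with SHA-256 into a JSON manifest that records size, time and collector, and the same manifest is later re-verified so that any post-collection change shows up. The file names, the collector id and the tiny sample files are constructed for the demo.

```python
import hashlib, json, os, tempfile, time

def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-GB PCAPs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def write_manifest(evidence_paths, manifest_path, collector):
    """Record name, SHA-256, size, collection time and collector for each evidence file."""
    now = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    entries = [{"file": os.path.basename(p), "sha256": sha256_file(p),
                "bytes": os.path.getsize(p), "collected_utc": now, "collector": collector}
               for p in evidence_paths]
    with open(manifest_path, "w") as f:
        json.dump(entries, f, indent=2)
    return entries

def verify_manifest(manifest_path, evidence_dir):
    """Re-hash every listed file; return the names whose hash changed (empty list = intact)."""
    with open(manifest_path) as f:
        entries = json.load(f)
    return [e["file"] for e in entries
            if sha256_file(os.path.join(evidence_dir, e["file"])) != e["sha256"]]

def demo():
    """Constructed scenario: two evidence files, one altered after the manifest was written."""
    d = tempfile.mkdtemp()
    files = {"edge.pcap": b"\xd4\xc3\xb2\xa1" + b"\x00" * 20, "netflow.csv": b"ts,src,dst,bytes\n"}
    for name, content in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    manifest = os.path.join(d, "manifest.json")
    write_manifest([os.path.join(d, n) for n in files], manifest, collector="analyst-1")
    intact = verify_manifest(manifest, d)
    with open(os.path.join(d, "netflow.csv"), "ab") as f:  # simulate a post-collection change
        f.write(b"extra line\n")
    return intact, verify_manifest(manifest, d)
```

Store the manifest on separate, write-once media from the evidence itself; a manifest that lives next to the files it protects can be altered together with them.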
Common Attack Patterns in Network Traffic
| Attack | Network Indicators |
|---|---|
| C2 Communication | Regular beaconing, DNS to suspicious domains, HTTPS to unknown IPs |
| Data Exfiltration | Large outbound transfers, DNS tunneling (long subdomain queries), encrypted channels |
| Lateral Movement | SMB/RPC traffic between workstations, unusual RDP, PsExec |
| Port Scanning | Many SYN packets to sequential ports from single source |
| Brute Force | Many failed login attempts (SSH, RDP, HTTP 401) |
| DNS Tunneling | Abnormally long DNS queries, high DNS query volume, TXT record abuse |
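The DNS tunneling indicators in the table (long queries, high volume per domain, TXT abuse) as a detection run over Zeek-style dns.log records; this is an added example, not code from the original article or from Zeek. The log lines are constructed and reduced to four columns (a real dns.log has more), so the column order is an assumption of the example, and the "last two labels" rule for the registered domain is a simplification.

```python
import math
from collections import Counter, defaultdict
# Constructed, reduced dns.log-style records: tab-separated ts, id.orig_h, query, qtype_name.
DNS_LOG = """\
1700000001.0\t10.0.0.23\t4f8e2a1c9b7d3e6f0a5c8b2d7e9f1a3c4b6d8e0f.s1.tunnel.example\tTXT
1700000002.0\t10.0.0.23\t9c2b7d4e1f8a3c6e0b5d2f7a9e1c4b8d6f0a3e5c.s2.tunnel.example\tTXT
1700000003.0\t10.0.0.23\t1e6f0a3c5b8d2f7a9c4e1b6d8f3a5c0e2b7d9f4a.s3.tunnel.example\tTXT
1700000004.0\t10.0.0.23\t7a9c4e1b6d8f3a5c0e2b7d9f4a1c6e8b3d5f0a2c.s4.tunnel.example\tTXT
1700000005.0\t10.0.0.23\t2d7f9a4c1e6b8d3f5a0c2e7b9d4f1a6c8e3b5d0f.s5.tunnel.example\tTXT
1700000006.0\t10.0.0.23\t8b3d5f0a2c7e9b4d1f6a8c3e5b0d2f7a9c4e1b6d.s6.tunnel.example\tTXT
1700000007.0\t10.0.0.8\twww.example.org\tA
1700000008.0\t10.0.0.8\timg1.cdn.example.org\tA
1700000009.0\t10.0.0.8\timg2.cdn.example.org\tA
1700000010.0\t10.0.0.8\tmail.example.org\tA
1700000011.0\t10.0.0.8\tapi.example.org\tAAAA
"""

def entropy(s):
    """Shannon entropy in bits per character; encoded payloads score higher than real words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_dns_log(text):
    for line in text.splitlines():
        if not line or line.startswith("#"):     # skip Zeek header/footer lines
            continue
        ts, host, query, qtype = line.split("\t")
        yield float(ts), host, query.lower().rstrip("."), qtype

def registered_domain(name):
    """Simplification: the last two labels. Production code should use the public suffix list."""
    return ".".join(name.split(".")[-2:])

def dns_tunnel_candidates(text, min_queries=5, max_avg_len=30, max_entropy=3.5):
    """Per (client, registered domain): flag sustained use of long or high-entropy subdomains."""
    stats = defaultdict(lambda: [0, 0, 0.0, 0])  # queries, subdomain chars, entropy sum, TXT count
    for _, host, q, qtype in parse_dns_log(text):
        rd = registered_domain(q)
        sub = q[:-len(rd)].rstrip(".")           # everything left of the registered domain
        s = stats[(host, rd)]
        s[0] += 1; s[1] += len(sub)
        s[2] += entropy(sub); s[3] += qtype == "TXT"
    out = []
    for (host, rd), (n, chars, ent, txt) in stats.items():
        if n >= min_queries and (chars / n > max_avg_len or ent / n > max_entropy):
            out.append({"host": host, "domain": rd, "queries": n,
                        "avg_subdomain_len": round(chars / n, 1),
                        "avg_entropy": round(ent / n, 2), "txt_share": round(txt / n, 2)})
    return out
```

CDNs, anti-spam lookups and some security products also generate long, random-looking names, so keep an allowlist of known domains and confirm a hit by looking at the query volume and the TXT answers in the PCAP.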
PCAP Storage Architecture
| Component | Tool | Role |
|---|---|---|
| Capture | Network TAP + capture server | Full packet capture at network choke points |
| Index + Store | Arkime (Moloch) | Index PCAPs → searchable database (petabytes) |
| Analyze | Zeek + Suricata | Generate logs + alerts from live traffic |
| Visualize | Kibana / Grafana | Dashboards for flow data + Zeek logs |
| Retain | Policy-based retention | Keep 30-90 days PCAP, 1 year+ flow data |
Best Practices
| Practice | Details |
|---|---|
| Capture at choke points | Internet edge, DC perimeter, between security zones |
| Use TAPs, not SPAN | TAPs do not drop packets and do not affect performance (SPAN may drop) |
| Timestamp accuracy | NTP-sync every capture device → accurate timeline |
| Encrypt storage | PCAP contains sensitive data → encrypt at rest |
| Baseline normal | You must know normal traffic first → only then can you detect abnormal |
| Retention policy | Set retention according to compliance + storage capacity |
| Chain of custody | Hash + document every step (legal evidence) |
Closing thoughts: Network Forensics = Truth Lives in the Packets
Network Forensics
- PCAP: full packet capture (deep analysis, file extraction), high storage cost
- Flow Data: metadata (traffic patterns, anomaly detection), low storage cost
- Tools: Wireshark (analysis), Arkime (capture + search), Zeek (logging), Suricata (IDS)
- Investigation: identify → collect → preserve → analyze → correlate → report
- Patterns: beaconing (C2), large outbound (exfil), DNS tunneling, lateral movement
- Best practice: TAPs at choke points, NTP sync, baseline normal, hash evidence
Read more about Network TAP vs SPAN Port and Network Observability OpenTelemetry at siamlancard.com, or from icafeforex.com and siam2r.com.