Network Traffic Analysis
Learn to read network packet captures to identify suspicious activity.
Packet Capture Challenge
The table below shows a capture of network traffic. Click on the rows you believe represent suspicious activity, then click "Check Answers" to see your results.
| No. | Time | Source | Destination | Protocol | Length | Info |
|---|---|---|---|---|---|---|
| 1 | 0.000000 | 192.168.1.101 | 172.217.14.238 | TCP | 74 | 49886 → 443 [SYN] |
| 2 | 0.031132 | 172.217.14.238 | 192.168.1.101 | TCP | 74 | 443 → 49886 [SYN, ACK] |
| 3 | 0.031198 | 192.168.1.101 | 172.217.14.238 | TCP | 66 | 49886 → 443 [ACK] |
| 4 | 0.125432 | 192.168.1.101 | 172.217.14.238 | TLSv1.2 | 583 | Client Hello |
| 5 | 0.215498 | 10.0.0.5 | 10.0.0.255 | UDP | 550 | Port: 138 > 138 |
| 6 | 0.301234 | 172.217.14.238 | 192.168.1.101 | TLSv1.2 | 1400 | Server Hello, Certificate |
| 7 | 0.405876 | 192.168.1.105 | 8.8.8.8 | ICMP | 98 | Echo (ping) request |
| 8 | 0.512345 | 192.168.1.102 | 192.168.1.1 | FTP | 60 | Request: USER anonymous |
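As an added example (not part of the challenge page), the script below parses a capture summary in exactly the seven-column layout used above and runs a few triage rules over it: credentials on a cleartext protocol, legacy broadcast chatter, and ICMP from an internal host to an external address. The rows are embedded as constructed sample input copied from the table, and the rules are illustrative heuristics chosen for this example, not the challenge's answer key; the reasons it emits are prompts to verify, which is how a first-pass triage tool should phrase them.

```python
"""Parse a Wireshark-style capture summary table and apply simple triage rules.

Added example, not the original page's code. The rules below are
illustrative heuristics (assumptions of this example), not an answer key.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the capture summary from the page, as markdown rows.
CAPTURE_TABLE = """\
| No. | Time | Source | Destination | Protocol | Length | Info |
|---|---|---|---|---|---|---|
| 1 | 0.000000 | 192.168.1.101 | 172.217.14.238 | TCP | 74 | 49886 → 443 [SYN] |
| 2 | 0.031132 | 172.217.14.238 | 192.168.1.101 | TCP | 74 | 443 → 49886 [SYN, ACK] |
| 3 | 0.031198 | 192.168.1.101 | 172.217.14.238 | TCP | 66 | 49886 → 443 [ACK] |
| 4 | 0.125432 | 192.168.1.101 | 172.217.14.238 | TLSv1.2 | 583 | Client Hello |
| 5 | 0.215498 | 10.0.0.5 | 10.0.0.255 | UDP | 550 | Port: 138 > 138 |
| 6 | 0.301234 | 172.217.14.238 | 192.168.1.101 | TLSv1.2 | 1400 | Server Hello, Certificate |
| 7 | 0.405876 | 192.168.1.105 | 8.8.8.8 | ICMP | 98 | Echo (ping) request |
| 8 | 0.512345 | 192.168.1.102 | 192.168.1.1 | FTP | 60 | Request: USER anonymous |
"""


@dataclass
class Packet:
    no: int
    time: float
    src: str
    dst: str
    proto: str
    length: int
    info: str


def parse_table(text: str) -> list[Packet]:
    """Turn markdown table rows into Packet records; header and separator rows are skipped."""
    packets: list[Packet] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 7 or not cells[0].isdigit():
            continue  # header row ("No.") or the |---| separator
        packets.append(
            Packet(int(cells[0]), float(cells[1]), cells[2], cells[3],
                   cells[4], int(cells[5]), cells[6])
        )
    return packets


# Protocols that carry authentication in the clear (heuristic list for this example).
CLEARTEXT_AUTH = {"FTP", "TELNET", "POP", "IMAP", "HTTP"}
CRED_RE = re.compile(r"\b(USER|PASS|Authorization)\b", re.IGNORECASE)


def is_private(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_private


def triage(packets: list[Packet]) -> list[tuple[int, list[str]]]:
    """Return (packet number, reasons) for every row a rule matched."""
    findings = []
    for p in packets:
        reasons = []
        # Rule 1: login material on a protocol with no transport encryption.
        if p.proto.upper() in CLEARTEXT_AUTH and CRED_RE.search(p.info):
            reasons.append("credentials sent over a cleartext protocol")
        # Rule 2: NetBIOS datagram service to a /24 broadcast address
        # (the ".255" test assumes /24 subnets; legacy protocol, confirm it is expected).
        if p.proto == "UDP" and p.dst.endswith(".255") and "138" in p.info:
            reasons.append("NetBIOS datagram broadcast; verify the host should be speaking NetBIOS")
        # Rule 3: ICMP leaving the private range; often benign, but a classic tunnelling
        # and beaconing channel, so it deserves a look at volume and payload size.
        if p.proto == "ICMP" and is_private(p.src) and not is_private(p.dst):
            reasons.append("ICMP from internal host to external address; check frequency and payload")
        if reasons:
            findings.append((p.no, reasons))
    return findings


if __name__ == "__main__":
    for no, reasons in triage(parse_table(CAPTURE_TABLE)):
        print(f"packet {no}: " + "; ".join(reasons))
```

The parser is deliberately strict about the column count so a stray line of prose cannot be mistaken for a packet, and each rule attaches a reason string rather than a bare boolean, because the reason is what an analyst needs when deciding whether the row is actually a problem or just noise on this network.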