Why Every SOC Analyst Needs to Master the Wire
If you have spent any time studying defensive cybersecurity or working in a SOC environment, you have probably come across the phrase "packets never lie." It sounds like something you would stitch onto a needlepoint and hang in a server room, but there is a lot of truth in it. Endpoint logs can be manipulated. Attackers with sufficient access and skill can alter, delete, or obfuscate artefacts on a compromised system. But if they want to communicate (receive commands from a C2 server, exfiltrate data, move laterally through your network), they have to talk on the network, and that traffic crosses the wire. When it does, a well-placed sensor will catch it.
Network Traffic Analysis (NTA) is one of the most valuable skills a SOC analyst can develop. In a HackTheBox survey of 400 cybersecurity professionals, NTA ranked as the second most important skill for SOC analysts, sitting just behind incident handling processes. That tracks with my own experience: the ability to pick up a PCAP, orientate yourself quickly, and extract meaningful indicators from raw traffic is the kind of practical skill that separates analysts who triage alerts from analysts who actually understand what happened.
This post covers what NTA is, why it matters to defensive security operations, the core tools and concepts you need to get started, and where it fits in the broader SOC workflow.
At its core, NTA is the process of monitoring, capturing, and analysing data packets as they flow across a network, with the goal of identifying malicious activity, anomalies, or misconfigurations. Think of it as a combination of surveillance and forensics for your network infrastructure.
NTA is not a single tool or technique. It is a discipline that draws on packet capture, protocol analysis, flow monitoring, behavioural analytics, and threat intelligence to build a picture of what is happening on the wire. Depending on the context, NTA might mean reviewing a PCAP from a suspected C2 beaconing alert, hunting for lateral movement in Zeek logs, or analysing flow data for signs of bulk data exfiltration.
Modern NTA solutions have evolved significantly from the days of manually running tcpdump and eyeballing output. Today, platforms like Security Onion combine full packet capture, Zeek for network metadata extraction, Suricata for signature-based detection, and Elasticsearch for log aggregation and search. The underlying principle, however, has not changed: collect traffic at strategic points on the network, analyse it for signs of threats, and act on what you find.
This is the fundamental reason NTA is so effective. Regardless of how stealthy an attacker is on the endpoint (rootkits, fileless malware, timestomping, log manipulation, and so on), the moment they need to receive a command, exfiltrate data, or move to another host, they have to generate network traffic. That traffic leaves a trace. Unlike endpoint artefacts, network evidence that a sensor has already captured cannot be removed by the attacker after the fact: once the traffic has been recorded, that evidence exists regardless of what they later do to the compromised host.
Endpoint Detection and Response (EDR) tools are excellent and should absolutely be part of any mature security stack. But they only see what is happening on managed, enrolled devices. Unmanaged devices, IoT equipment, rogue machines, network appliances, and legacy systems that cannot run an agent are invisible to EDR. NTA covers these gaps; it monitors all traffic regardless of whether the device has an agent installed.
Dwell time (the period between initial compromise and detection) remains one of the most critical metrics in incident response. The longer an attacker operates undetected, the more damage they can cause and the harder the recovery becomes. NTA enables earlier detection by identifying suspicious traffic patterns, C2 communications, and lateral movement that might not yet have triggered endpoint alerts. Continuous traffic monitoring means that even subtle, slow-moving threats leave patterns that can be identified through behavioural analysis.
When an incident does occur, network traffic is often the most reliable source of ground truth. It provides empirical evidence of when the attack began, and the delivery of malware on the wire gives you a timestamp that cannot be manipulated by the attacker. It tells you which hosts communicated, what data moved where, and in what direction. Endpoint forensics can tell you what happened on a system; network forensics tells you what data left the building, and when.
In most incident response scenarios, it is more important to understand what data was exfiltrated from a compromised system than it is to determine how the attacker performed specific actions on the system. NTA is what answers the exfiltration question.
A packet is the fundamental unit of data on a network; it contains header information (source/destination IPs, protocol, port numbers, flags) and a payload (the actual data being transmitted). Full packet capture gives you complete visibility, including (unencrypted) payload contents, which is invaluable for forensic analysis and artefact extraction.
A flow (or NetFlow record) is a high-level summary of a network conversation; it tells you which two hosts communicated, on which protocol and port, for how long, and how many bytes were exchanged. Flow data is far less storage-intensive than full packet capture and scales well for large networks, making it useful for continuous monitoring and anomaly detection. The trade-off is that you lose payload visibility.
A session is the complete exchange between two endpoints, from connection establishment to termination. Understanding session context is important for identifying long-lived connections, asymmetric data volumes (far more data uploaded than downloaded, a common sign of exfiltration), and beaconing patterns.
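The three definitions above map directly onto code. The following is an added example written for this post (not code from the original article or from any of the tools it names): a minimal pure-Python parser for the classic libpcap format that decodes the Ethernet, IPv4 and TCP headers of each packet, rolls the packets up into bidirectional flow records (the 5-tuple plus byte counts per direction and first/last timestamps), and then flags sessions whose upload volume dwarfs their download volume. The capture bytes are constructed inline from RFC 5737 documentation addresses so the example runs offline, and the asymmetry thresholds are illustrative assumptions rather than tuned values.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1


def parse_pcap(data):
    """Yield (timestamp, frame_bytes) for each record in a classic libpcap buffer."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC else ">"
    if struct.unpack_from(endian + "I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24  # the global header is 24 bytes; each record header is 16
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len = struct.unpack_from(endian + "III", data, offset)
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def decode_tcp_ipv4(frame):
    """Decode Ethernet/IPv4/TCP headers; return a dict of fields, or None for other traffic."""
    if len(frame) < 54 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                      # too short, or EtherType is not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6 or len(ip) < ihl + 20:
        return None                      # not TCP, or truncated
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_offset = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "flags": tcp[13],
            "payload_len": len(tcp) - data_offset}


def build_flows(pcap_bytes):
    """Roll TCP packets up into bidirectional flows keyed by (client, cport, server, sport).

    The client is whichever side sent the first packet seen (the SYN in a normal handshake).
    """
    flows = {}
    for ts, frame in parse_pcap(pcap_bytes):
        pkt = decode_tcp_ipv4(frame)
        if pkt is None:
            continue
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        key, direction = (rev, "down") if rev in flows else (fwd, "up")
        flow = flows.setdefault(key, {"first": ts, "last": ts, "packets": 0,
                                      "bytes_up": 0, "bytes_down": 0})
        flow["last"] = ts
        flow["packets"] += 1
        flow["bytes_" + direction] += pkt["payload_len"]
    return flows


def asymmetric_flows(flows, ratio=5.0, min_up_bytes=1000):
    """Flag client-initiated flows that uploaded far more payload than they received.

    Heavy outbound volume on a connection the internal host opened is the shape bulk
    exfiltration usually takes. The thresholds are illustrative assumptions, not tuned values.
    """
    return [key for key, f in flows.items()
            if f["bytes_up"] >= min_up_bytes and f["bytes_up"] > ratio * max(f["bytes_down"], 1)]


# --- Constructed test data (not a real capture) ---------------------------------------------
def _frame(src, dst, sport, dport, flags, payload):
    """Build one Ethernet/IPv4/TCP frame with zeroed MACs and checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + tcp   # 12 bytes of MAC addresses, EtherType IPv4


def _pcap(records):
    """Wrap (timestamp, frame) pairs in a little-endian classic pcap container."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return out


WEB, C2 = "198.51.100.10", "203.0.113.77"   # RFC 5737 documentation addresses
SAMPLE_PCAP = _pcap([
    # Ordinary HTTPS browsing: small request, larger response.
    (1700000000.000, _frame("10.0.0.5", WEB, 51000, 443, 0x02, b"")),
    (1700000000.050, _frame(WEB, "10.0.0.5", 443, 51000, 0x12, b"")),
    (1700000000.051, _frame("10.0.0.5", WEB, 51000, 443, 0x18, b"G" * 100)),
    (1700000000.120, _frame(WEB, "10.0.0.5", 443, 51000, 0x18, b"R" * 1400)),
    # Suspicious: the internal host pushes three full segments out and gets 2 bytes back.
    (1700000010.000, _frame("10.0.0.5", C2, 51001, 8443, 0x02, b"")),
    (1700000010.060, _frame(C2, "10.0.0.5", 8443, 51001, 0x12, b"")),
    (1700000010.061, _frame("10.0.0.5", C2, 51001, 8443, 0x18, b"Z" * 1400)),
    (1700000010.070, _frame("10.0.0.5", C2, 51001, 8443, 0x18, b"Z" * 1400)),
    (1700000010.080, _frame("10.0.0.5", C2, 51001, 8443, 0x18, b"Z" * 1400)),
    (1700000010.200, _frame(C2, "10.0.0.5", 8443, 51001, 0x18, b"OK")),
])

if __name__ == "__main__":
    flows = build_flows(SAMPLE_PCAP)
    suspicious = asymmetric_flows(flows)
    for key, f in flows.items():
        print(key, f["packets"], "pkts", f["bytes_up"], "up", f["bytes_down"], "down",
              "<-- asymmetric" if key in suspicious else "")
```

Run as a script, the browsing session shows 100 bytes up against 1400 down and passes, while the second session shows 4200 bytes up against 2 down and is flagged. On a real capture you would feed `parse_pcap` the file contents; everything Zeek's conn.log summarises (duration, bytes per direction, endpoints) is recoverable this way, which is why flow records are so much cheaper to keep than full packets.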
Understanding the layered network models (TCP/IP and OSI) determines what you look for at each layer of a packet capture. The TCP/IP model's four layers map to practical analysis tasks (OSI layer numbers in brackets):
• Network Access (Layer 2): ARP spoofing, MAC flooding, VLAN hopping
• Internet (Layer 3): IP header anomalies, ICMP tunnelling, TTL manipulation
• Transport (Layer 4): TCP flag abuse, port scanning, beaconing patterns, UDP tunnelling
• Application (Layer 7): HTTP/S traffic, DNS anomalies, SMB lateral movement, TLS fingerprinting
Most attacks leave indicators at multiple layers simultaneously. A good NTA workflow examines traffic from Layer 2 through Layer 7, correlating findings across layers to build the complete picture.
In practice, most mature SOC environments use both: flow data for continuous monitoring and alerting at scale, and full packet capture retained at network chokepoints for investigation and forensics once an incident is confirmed.
You do not need an expensive commercial platform to start developing NTA skills. The following tools cover the full analysis workflow and are either free or open source.
tcpdump is the workhorse of command-line packet capture. It uses BPF (Berkeley Packet Filter) syntax for filtering, is available on virtually every Linux and Unix system, and is essential for quick captures and scripted analysis. If you are working in a SOC environment, you will almost certainly use tcpdump to capture traffic on a sensor or server when a full GUI is not available.
Wireshark is the industry-standard graphical packet analyser. Its strength is in deep protocol dissection, stream reassembly, and visual analysis. Following a TCP stream, extracting transferred files, and inspecting TLS certificate details are all straightforward operations. The CLI equivalent, tshark, enables the same functionality from the command line and is invaluable for scripted or automated analysis.
Zeek sits between a packet analyser and an IDS. Rather than giving you raw packets, Zeek processes traffic and generates structured log files (conn.log, dns.log, http.log, ssl.log, files.log) that are far more efficient to analyse at scale. Zeek is widely deployed in enterprise SOC environments and is the backbone of platforms like Security Onion.
Suricata is a high-performance network IDS/IPS engine that supports signature-based detection. In a SOC context, Suricata handles the automated alerting layer; your job as an analyst is to investigate the alerts it generates using the tools above.
NTA is not a standalone activity; it integrates across multiple phases of the SOC and incident response workflow:
Alert triage: When an IDS alert fires, NTA is how you determine whether it is a true positive. Pulling the PCAP context around the alert and examining the full session gives you the evidence needed to make a confident determination.
Threat hunting: Proactive threat hunters use NTA to look for behavioural anomalies (long-lived connections, beaconing patterns, unusual protocol usage) that signature-based tools may have missed.
Incident response: Once a compromise is confirmed, NTA becomes a key forensic source. It provides the attack timeline, identifies the scope of lateral movement, and answers whether data was exfiltrated.
Detection engineering: Findings from NTA feed into detection rule development. A beaconing pattern identified during an investigation becomes the basis for a new Suricata rule, closing the loop from analysis to prevention.
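The Zeek conn.log described earlier and the threat-hunting step above meet in practice when you hunt for beaconing and long-lived connections in flow metadata. The following is an added example written for this post, not code from the original article or from the Zeek project: it parses Zeek's tab-separated log format using the `#fields` header, groups connections by source host, destination host and destination port, and flags pairs whose connection start times repeat at a regular interval (low coefficient of variation of the gaps), plus any single connection that stays open longer than an hour. The conn.log content is constructed inline, and the thresholds (at least 6 connections, CV at or below 0.1, 3600 s) are illustrative assumptions you would tune to your own environment.

```python
import statistics
from collections import defaultdict


def _row(*fields):
    """Join values with tabs, the way Zeek writes a log line."""
    return "\t".join(str(f) for f in fields)


# Constructed conn.log (not a real capture); header lines mirror Zeek's TSV layout.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"),
    _row("#types", "time", "string", "addr", "port", "addr", "port",
         "enum", "string", "interval", "count", "count", "string"),
] + [
    # Beacon: 10.0.0.5 -> 203.0.113.77:443 roughly every 60 s (1 s of jitter), tiny payloads.
    _row(1700000000 + 60 * i + (i % 3) - 1, f"Cbeacon{i}", "10.0.0.5", 50000 + i,
         "203.0.113.77", 443, "tcp", "ssl", 0.4, 312, 1044, "SF")
    for i in range(8)
] + [
    # Ordinary browsing: irregular intervals, large downloads.
    _row(1700000005, "Cweb1", "10.0.0.5", 50100, "198.51.100.10", 443, "tcp", "ssl", 3.2, 1500, 88000, "SF"),
    _row(1700000090, "Cweb2", "10.0.0.5", 50101, "198.51.100.10", 443, "tcp", "ssl", 1.1, 900, 40000, "SF"),
    _row(1700000260, "Cweb3", "10.0.0.5", 50102, "198.51.100.10", 443, "tcp", "ssl", 0.9, 700, 12000, "SF"),
    _row(1700000301, "Cweb4", "10.0.0.5", 50103, "198.51.100.10", 443, "tcp", "ssl", 2.0, 1200, 65000, "SF"),
    # A six-hour SSH session to an external host, and one unremarkable DNS lookup.
    _row(1700000100, "Clong1", "10.0.0.9", 50200, "203.0.113.200", 22, "tcp", "ssh", 21600.0, 51200, 4096, "SF"),
    _row(1700000500, "Cdns1", "10.0.0.5", 50300, "10.0.0.1", 53, "udp", "dns", 0.01, 60, 120, "SF"),
    "#close\t2023-11-14-22-20-00",
])


def parse_zeek_log(text):
    """Parse a Zeek TSV log into dicts keyed by the names in its #fields line.

    Zeek writes '-' for unset fields and '(empty)' for empty ones; both become None.
    """
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split("\t")
            records.append({k: (None if v in ("-", "(empty)") else v)
                            for k, v in zip(fields, values)})
    return records


def find_beacons(records, min_connections=6, max_cv=0.1):
    """Flag (orig_h, resp_h, resp_p) pairs whose connections start at regular intervals.

    Implants call home on a timer, so the gaps between connection start times cluster
    tightly around that interval. The coefficient of variation (stdev / mean) of the gaps
    is small for a beacon and large for human-driven traffic.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    beacons = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons.append({"pair": pair, "connections": len(times),
                            "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons


def long_lived(records, min_duration_s=3600):
    """Return the uids of connections whose Zeek 'duration' meets the threshold (default 1 h)."""
    return [r["uid"] for r in records
            if r["duration"] is not None and float(r["duration"]) >= min_duration_s]


if __name__ == "__main__":
    conns = parse_zeek_log(SAMPLE_CONN_LOG)
    print("beacons:", find_beacons(conns))
    print("long-lived:", long_lived(conns))
```

Against the constructed log the eight connections to 203.0.113.77:443 come out at a 60.1 s mean interval with a CV around 0.02 and are reported, the four browsing connections never reach the minimum count, and only the SSH session exceeds the duration threshold. Real beacons add deliberate jitter, which is why the check uses relative variation rather than an exact period; a finding like this is what you would turn into a detection rule in the engineering step above.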
Having the right tools is only part of the equation. Where you capture traffic matters as much as how you analyse it. Key considerations include:
North-south vs east-west: North-south covers traffic entering and leaving the network (to and from the internet). East-west covers internal traffic between hosts. Both are important; many organisations focus on north-south and miss lateral movement occurring entirely within the internal network.
Network TAPs vs SPAN ports: TAPs are hardware devices that passively copy traffic without affecting the monitored link. SPAN ports mirror traffic from a switch. TAPs are preferred for high-reliability environments; SPAN ports are more common due to lower cost.
VPN and NAT gateways: Sensor placement relative to these devices affects what IP addresses you see. Make a deliberate decision about which side of these gateways to monitor.
Encrypted traffic: With most internet traffic now encrypted, TLS break-and-inspect is increasingly important for full payload visibility. Where decryption is not possible, metadata analysis (JA3/JA3S fingerprinting, certificate inspection, connection timing and volume) provides a meaningful signal without plaintext access.
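JA3 is a good illustration of how much signal survives without decryption: it hashes only the fields a client advertises in the TLS ClientHello, which is sent in the clear before any key exchange. The following is an added example written for this post, not code from the original article or from the JA3 project: it parses a ClientHello record and builds the JA3 string in the published form (TLS version, cipher suites, extension types, supported groups, EC point formats, each list dash-separated, with GREASE values removed) and its MD5. The ClientHello bytes are constructed inline, so the resulting hash identifies this toy client only, not any real browser or malware family.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random-looking placeholders some clients insert to keep
# servers honest; JA3 drops them so a client's fingerprint stays stable between connections.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def _u16_list(blob):
    """Decode a byte string as consecutive big-endian 16-bit values."""
    return [struct.unpack_from("!H", blob, i)[0] for i in range(0, len(blob) - 1, 2)]


def _dash(values):
    return "-".join(str(v) for v in values)


def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record containing a ClientHello")
    hs = record[5:]
    version = struct.unpack_from("!H", hs, 4)[0]          # after handshake type(1) + length(3)
    pos = 6 + 32                                           # skip the 32-byte client random
    pos += 1 + hs[pos]                                     # length-prefixed session id
    cs_len = struct.unpack_from("!H", hs, pos)[0]
    ciphers = [c for c in _u16_list(hs[pos + 2:pos + 2 + cs_len]) if c not in GREASE]
    pos += 2 + cs_len
    pos += 1 + hs[pos]                                     # length-prefixed compression methods
    ext_len = struct.unpack_from("!H", hs, pos)[0]
    pos, end = pos + 2, pos + 2 + ext_len
    ext_types, groups, formats = [], [], []
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", hs, pos)
        body = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype in GREASE:
            continue                                       # GREASE extensions are dropped too
        ext_types.append(etype)
        if etype == 0x000A:    # supported_groups: u16 list length, then u16 group ids
            groups = [g for g in _u16_list(body[2:2 + struct.unpack_from("!H", body)[0]])
                      if g not in GREASE]
        elif etype == 0x000B:  # ec_point_formats: u8 list length, then u8 format ids
            formats = list(body[1:1 + body[0]])
    ja3 = ",".join([str(version), _dash(ciphers), _dash(ext_types), _dash(groups), _dash(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


# --- Constructed ClientHello (test data only; not captured from any real client) ----------
def _ext(etype, body):
    return struct.pack("!HH", etype, len(body)) + body


def build_client_hello(ciphers, extensions):
    """Wrap a ClientHello body in TLS handshake and record headers."""
    body = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"          # version, random, no session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                                # one compression method: null
    ext_blob = b"".join(extensions)
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


SAMPLE_CLIENT_HELLO = build_client_hello(
    ciphers=[0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],              # leading GREASE value is dropped
    extensions=[
        _ext(0x0000, b"\x00\x0c\x00\x00\x09localhost"),           # server_name
        _ext(0x000A, b"\x00\x08\x1a\x1a\x00\x1d\x00\x17\x00\x18"),  # supported_groups incl. GREASE
        _ext(0x000B, b"\x01\x00"),                                 # ec_point_formats: uncompressed
        _ext(0x000D, b"\x00\x04\x04\x03\x08\x04"),                 # signature_algorithms
        _ext(0x2A2A, b""),                                         # GREASE extension, dropped
        _ext(0x002B, b"\x02\x03\x04"),                             # supported_versions: TLS 1.3
    ])

if __name__ == "__main__":
    ja3_string, ja3_hash = ja3_from_client_hello(SAMPLE_CLIENT_HELLO)
    print(ja3_string)
    print(ja3_hash)
```

For the constructed hello the string is `771,4865-4866-49195-49199,0-10-11-13-43,29-23-24,0`: the GREASE cipher, GREASE group and GREASE extension are all gone, which is what lets the same client produce the same hash across connections. In practice you would compare hashes against the JA3 values Zeek's ssl.log (or Suricata) records, but treat matches as a lead rather than proof, since many unrelated clients share a TLS library and therefore a fingerprint.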
Like most practical security skills, NTA is best learned by doing rather than reading. The following resources are worth prioritising:
Malware-Traffic-Analysis.net (https://www.malware-traffic-analysis.net/), the Wireshark sample captures (https://www.wireshark.org/resources#sample-captures), and Chris Sanders' packets repository on GitHub (https://github.com/chrissanders/packets): arguably the best free resources for developing real-world NTA skills. Real PCAPs from actual malware infections, with write-ups and questions.
CyberDefenders (https://cyberdefenders.org/) and BlueTeamLabs Online (https://blueteamlabs.online/): Structured challenges that simulate SOC scenarios, many of which include PCAP analysis as a core component.
Home lab platform: build your own full enterprise NTA stack (Security Onion, tcpdump, Wireshark, Zeek, Suricata, Elasticsearch, and Kibana).
Network traffic analysis is one of those skills that compounds over time. The more patterns you see (C2 beacons, DNS tunnelling attempts, lateral movement sequences, exfiltration transfers), the faster your pattern recognition becomes and the more confident your analysis gets. It is not a skill you develop by reading about it; you develop it by sitting in front of PCAPs and working through them methodically.
The good news is that there has never been more freely available material to practice with. Between Malware-Traffic-Analysis.net, CyberDefenders, and platforms like Security Onion that put enterprise-grade tooling within reach of a home lab, the barrier to developing real NTA proficiency is lower than it has ever been.
The Blue Team section of this site covers the technical methodology for PCAP analysis in detail, from metadata orientation through to lateral movement and exfiltration detection, along with tool-specific runbooks for tcpdump, Wireshark/tshark, and Zeek. If you want to go deeper, that is the right place to start.
またな (see you later).
HackTheBox: What is network traffic analysis? https://www.hackthebox.com/blog/network-traffic-analysis
CyberDefenders: The Ultimate Guide to Network Traffic Analysis for SOC Analysts https://cyberdefenders.org/blog/the-ultimate-guide-to-network-traffic-analysis-for-soc-analysts/
Group-IB: What is Network Traffic Analysis (NTA): Importance and Methods https://www.group-ib.com/resources/knowledge-hub/network-traffic-analysis/