Exercises: Network Monitoring and Traffic Analysis

These exercises build the practical reflexes of a network defender: reading telemetry at the right altitude, spotting beaconing and exfiltration in flows and logs, and designing visibility that actually covers the traffic you need. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/design). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before reading one.

All external IPs are documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and all internal hosts use RFC 1918 private space (10.0.0.0/8); all logs are illustrative (Tier 3). Work in your own notebook or a private lab.


Part A — Concepts and vocabulary ⭐

1.† Define, in one sentence each, packet capture (PCAP), Zeek, NetFlow/IPFIX, and network detection and response (NDR). Then write one sentence placing all four in relation to one another.

2. Explain the difference between full packet capture and flow data along three axes: what each keeps, how long you can retain it, and one question each is uniquely suited to answer.

3. "Encryption hides the payload, not the metadata." List five pieces of information a defender can still extract from a fully encrypted TLS connection, and name one attacker behavior each could reveal.

4.† Define a network baseline and explain why almost every network detection is, at bottom, a comparison against one. Give one example of a baseline question for a server and one for a workstation.

5. Match each tool/altitude — Wireshark, Zeek, NetFlow — to the metaphor from Figure 10.1 (microscope, street map, satellite census) and justify each match in a phrase.

6. Distinguish a SPAN port from a network tap. Give one situation where you would insist on a tap and explain the consequence of using SPAN there instead.

7.† Why are raw packet captures generally not forwarded into a SIEM while Zeek logs and flow records are? What stays behind, and how is it retrieved when needed?


Part B — Analyze this telemetry ⭐⭐

8.† Read the flow records. You are handed this flow export from Meridian's collector (times UTC; documentation IPs; bytes are per-flow totals, →out means internal→external):

start        proto  src_ip:port        dst_ip:port         packets  bytes    dir
02:00:11.0   TCP    10.20.4.55:51002   192.0.2.80:443      14       2190     →out
03:00:09.4   TCP    10.20.4.55:51188   192.0.2.80:443      14       2184     →out
04:00:13.1   TCP    10.20.4.55:51405   192.0.2.80:443      15       2201     →out
05:00:10.7   TCP    10.20.4.55:51610   192.0.2.80:443      14       2188     →out
06:00:12.2   TCP    10.20.4.55:51844   192.0.2.80:443      14       2192     →out

(a) What attacker behavior does this most likely represent? (b) Which two fields carry the signal, and what is suspicious about each? (c) Why did this evade the endpoint agent and the firewall? (d) Name one control or detection that would have caught it.

9. Read the Zeek conn.log. (Columns, trimmed from the real log for brevity: id.orig_h id.resp_h id.resp_p service duration orig_ip_bytes resp_ip_bytes conn_state. orig_ip_bytes counts IP-layer bytes including headers, which is why it is non-zero here; the payload-level orig_bytes field is 0 for an S0 connection.)

10.20.7.31  10.20.7.40   445   -     0.03  290    0      S0
10.20.7.31  10.20.7.41   445   -     0.03  290    0      S0
10.20.7.31  10.20.7.42   445   -     0.02  290    0      S0
10.20.7.31  10.20.7.43   445   -     0.03  290    0      S0
10.20.7.31  10.20.7.44   445   -     0.02  290    0      S0
... (37 more, all 10.20.7.31 -> 10.20.7.x:445 in 90 seconds) ...

(a) What is 10.20.7.31 doing? (b) What do the destination port and the S0 state (SYN sent, no reply) tell you? (c) Is this north-south or east-west traffic, and why does that matter for which sensor saw it? (d) Why would a perimeter firewall miss this entirely?

10.† Find the exfil. From Statistics → Conversations on a capture, a host shows: sent 7.8 GB, received 142 MB, to a single external IP over four hours, on port 443. The same host's baseline outbound is ~150 MB/day. (a) What does the byte asymmetry indicate? (b) Compute roughly how many times its daily baseline this transfer represents. (c) The traffic is encrypted HTTPS to a destination with a clean reputation — explain why it is still detectable. (d) Name the pktflow.py function that surfaces this.

11. DNS that isn't browsing. A host issues 4,000 DNS queries in ten minutes, all for subdomains of one domain, each label a long random-looking string like q7f3k9x2m1.data.example. (a) What covert use of DNS does this suggest? (b) Which Zeek log would you pivot to, and what would you measure? (c) Connect this to a defense from Chapter 9. (d) Why might volume-based exfiltration detection on bytes alone miss this?
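An added example for problem 11 (and the dns.log questions in problem 28), not code from the chapter: it buckets dns.log-style records by client, parent domain and ten-minute window, then measures what the exercise asks you to measure, namely unique subdomains per parent and the length and Shannon entropy of the leading label. The column layout, the last-two-labels rule for the parent domain and both thresholds are assumptions; the sample queries are constructed.

```python
"""DNS-tunnel indicators over Zeek dns.log-style records.

Added example for problems 11 and 28; not chapter code. Column layout, the
'parent domain = last two labels' rule and the thresholds are assumptions.
"""
import hashlib
import math
from collections import defaultdict

WINDOW_SECONDS = 600
MIN_UNIQUE_SUBDOMAINS = 50   # assumption: unique subdomains per parent per window
MIN_MEAN_ENTROPY = 3.0       # assumption: mean Shannon entropy (bits/char) of the first label


def shannon_entropy(s):
    """Bits per character of the label's own character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(query):
    """Assumption: the registrable domain is the last two labels (no public-suffix list)."""
    labels = query.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dns_lines(lines):
    """Assumed columns (a trimmed dns.log): ts id.orig_h query qtype_name rcode_name."""
    recs = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, query, qtype, rcode = line.split()
        recs.append({"ts": float(ts), "orig_h": orig_h, "query": query,
                     "qtype": qtype, "rcode": rcode})
    return recs


def dns_tunnel_candidates(recs, window=WINDOW_SECONDS,
                          min_unique=MIN_UNIQUE_SUBDOMAINS, min_entropy=MIN_MEAN_ENTROPY):
    """Group by (client, parent domain, fixed time bucket) and flag buckets with many
    unique subdomains whose leading label looks random (high entropy, long)."""
    buckets = defaultdict(list)
    for r in recs:
        key = (r["orig_h"], parent_domain(r["query"]), int(r["ts"] // window))
        buckets[key].append(r["query"])
    findings = []
    for (client, parent, bucket), queries in buckets.items():
        unique = set(queries)
        first_labels = [q.split(".")[0] for q in unique]
        mean_ent = sum(shannon_entropy(l) for l in first_labels) / len(first_labels)
        mean_len = sum(len(l) for l in first_labels) / len(first_labels)
        if len(unique) >= min_unique and mean_ent >= min_entropy:
            findings.append({"client": client, "parent": parent, "bucket": bucket,
                             "queries": len(queries), "unique_subdomains": len(unique),
                             "mean_entropy": round(mean_ent, 2),
                             "mean_label_len": round(mean_len, 1)})
    return findings


# Constructed sample. T0 is aligned to a 600 s bucket so the tunnel burst lands in one window.
T0 = 2_833_333 * WINDOW_SECONDS
SAMPLE_LINES = [
    # 300 queries in ten minutes, each leading label a 20-char hex chunk standing in for
    # encoded data, all under one parent domain (the pattern from problem 11).
    f"{T0 + i * 2} 10.20.4.55 "
    f"{hashlib.sha256(str(i).encode()).hexdigest()[:20]}.data.example TXT NOERROR"
    for i in range(300)
]
SAMPLE_LINES += [  # ordinary browsing from another host: few names, short readable labels
    f"{T0 + i * 60} 10.20.4.77 {name} A NOERROR"
    for i, name in enumerate(["www.example.com", "mail.example.com", "cdn.example.net",
                              "www.example.com", "api.example.org"])
]

if __name__ == "__main__":
    for f in dns_tunnel_candidates(parse_dns_lines(SAMPLE_LINES)):
        print(f"{f['client']} -> *.{f['parent']}: {f['unique_subdomains']} unique subdomains, "
              f"mean label len {f['mean_label_len']}, mean entropy {f['mean_entropy']} bits/char")
```

Bytes alone would not have flagged this: 300 queries of a few dozen bytes each is well under any volume alarm, which is the point of part (d). The count of unique names and the randomness of the labels are the signal.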

12.† The jittered beacon. Two hosts each contact one external IP repeatedly. Host A's connection gaps (seconds) are [3600, 3600, 3601, 3599, 3600]; Host B's are [3200, 4100, 2900, 4500, 3300], which average ~3,600 but vary widely. (a) Which is more likely a beacon, and what statistic decides it? (b) Both average one hour — why does the average not settle it? (c) What is the attacker doing in Host B's case, and what data-retention choice helps you catch even a heavily jittered beacon over time?

13. Sensor blind spot. A SOC runs Zeek beautifully but its only sensor is a tap on the internet uplink. It cannot catch lateral movement. (a) Diagnose the problem in terms of coverage, not tooling. (b) State the fix. (c) Which earlier figure/Threshold Concept does this illustrate?


Part C — Harden / design the visibility ⭐⭐–⭐⭐⭐

14.† Harden the monitoring plan. A junior engineer proposes: "Full packet capture on every link, retained for one year, shipped into the SIEM. Total visibility." List four reasons this plan fails and rewrite it into a defensible design using the three-altitude model and retention tiers.

15. Design it. Meridian wants to detect (i) C2 beaconing to the internet, (ii) data exfiltration, and (iii) lateral movement toward the data center. For each, state where a sensor must sit to see the relevant traffic and which telemetry (full PCAP, Zeek, or flow) you would rely on. Note any one gap your design does not close.

16. Tap vs SPAN decision. For each link, choose SPAN or tap and justify in a phrase: (a) the link into the cardholder data environment (CDE); (b) a low-priority guest-WiFi segment; (c) the internet uplink during an active incident when you need every packet; (d) a temporary look at one suspicious VLAN.

17. ⭐⭐⭐ Write the detection logic. In pseudocode or plain steps, specify a lateral-movement detection over Zeek conn.log: define the window, the grouping key, the threshold, and the ports you care about. State one source of false positives (a legitimate host that fans out) and how you would suppress it.
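A reference implementation of the detection problem 17 asks for, run over the conn.log sweep from problem 9; it is added here as an example and is not chapter code or part of pktflow.py. The column order, the lateral-port set, the 120-second window, the threshold of 20 distinct responders and the allowlisted scanner address are all assumptions, and the sample lines are constructed. Use it to check the shape of your own answer, not as the answer.

```python
"""Fan-out (lateral-movement) detector over Zeek conn.log-style records.

Added example for problems 9 and 17; not chapter code. Columns, ports, window,
threshold and allowlist are assumptions made here.
"""
from collections import defaultdict

# Assumed columns, whitespace-separated (a trimmed conn.log):
# ts id.orig_h id.resp_h id.resp_p service duration orig_ip_bytes resp_ip_bytes conn_state
LATERAL_PORTS = {22, 135, 445, 3389, 5985, 5986}  # assumption: SSH, RPC, SMB, RDP, WinRM
ALLOWLIST = {"10.20.1.9"}        # assumption: the authorised vulnerability scanner
WINDOW_SECONDS = 120             # sliding window per source host
DISTINCT_TARGETS_THRESHOLD = 20  # distinct responders on lateral ports inside one window


def parse_conn_lines(lines):
    """Turn trimmed conn.log lines into dicts; skip blanks and '#' header lines."""
    recs = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        recs.append({
            "ts": float(f[0]), "orig_h": f[1], "resp_h": f[2], "resp_p": int(f[3]),
            "service": f[4], "duration": float(f[5]), "orig_ip_bytes": int(f[6]),
            "resp_ip_bytes": int(f[7]), "conn_state": f[8],
        })
    return recs


def detect_fanout(recs, window=WINDOW_SECONDS, threshold=DISTINCT_TARGETS_THRESHOLD,
                  ports=LATERAL_PORTS, allowlist=ALLOWLIST):
    """Grouping key: id.orig_h. For each source, slide a window over its connections
    to lateral ports and keep the largest set of distinct responders seen inside any
    one window. Allowlisted sources are suppressed before counting, so a sanctioned
    scanner never reaches the threshold test."""
    by_src = defaultdict(list)
    for r in recs:
        if r["resp_p"] in ports and r["orig_h"] not in allowlist:
            by_src[r["orig_h"]].append(r)

    alerts = []
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r["ts"])
        best, best_window, start = 0, (None, None), 0
        for end in range(len(rs)):
            while rs[end]["ts"] - rs[start]["ts"] > window:
                start += 1
            targets = {r["resp_h"] for r in rs[start:end + 1]}
            if len(targets) > best:
                best, best_window = len(targets), (rs[start]["ts"], rs[end]["ts"])
        if best >= threshold:
            # S0 (no reply) and REJ (rejected) are the states a blind sweep produces
            failed = sum(1 for r in rs if r["conn_state"] in ("S0", "REJ"))
            alerts.append({"orig_h": src, "distinct_targets": best,
                           "window_start": best_window[0], "window_end": best_window[1],
                           "failed_attempts": failed, "total_attempts": len(rs)})
    return alerts


# Constructed sample: the 42-host SYN sweep from problem 9 (10.20.7.40-81 on 445 in ~86 s),
# a scanner run that the allowlist suppresses, and two ordinary completed connections.
T0 = 1_700_000_000.0
SAMPLE_LINES = [f"{T0 + i * 2.1:.1f} 10.20.7.31 10.20.7.{40 + i} 445 - 0.03 290 0 S0"
                for i in range(42)]
SAMPLE_LINES += [f"{T0 + i * 0.5:.1f} 10.20.1.9 10.20.7.{40 + i} 445 - 0.02 290 0 S0"
                 for i in range(60)]
SAMPLE_LINES += [
    f"{T0 + 5:.1f} 10.20.7.50 10.20.7.60 445 smb 12.4 5120 8800 SF",
    f"{T0 + 9:.1f} 10.20.7.50 10.20.9.10 443 ssl 3.1 2100 9400 SF",
]

if __name__ == "__main__":
    for a in detect_fanout(parse_conn_lines(SAMPLE_LINES)):
        print(f"{a['orig_h']}: {a['distinct_targets']} distinct targets on lateral ports in "
              f"{a['window_end'] - a['window_start']:.0f}s, "
              f"{a['failed_attempts']}/{a['total_attempts']} attempts failed")
```

The allowlist is the false-positive suppression the problem asks about; pass `allowlist=set()` and the scanner fires too, which is the quickest way to see why the suppression has to be keyed on a known, inventoried source rather than on the traffic pattern.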

18. Baseline trap. Explain the "baselining during a compromised window" pitfall and describe a procedure to build a baseline you can trust. What sanity check (independent of the learned data) would you always apply?


Part D — Respond to this ⭐⭐

19.† Triage the beacon. Your beacon_score flags host 10.20.4.55 at 0.97 with 200 daily check-ins to 192.0.2.80:443 over three weeks. Walk through your next five investigative steps, naming which telemetry (flow, Zeek conn.log, ssl.log, dns.log, full PCAP) you consult at each and why. Where does this hand off to incident response (Chapter 24)?

20. Scope the breach. A confirmed-compromised host beaconed for 18 days. Your manager asks: "What did the attacker reach, and did data leave?" Describe how flow and Zeek retention let you answer, and what your answer would be if you had only 72 hours of full PCAP and no flow/Zeek history.

21. Encrypted-C2 reality. The C2 channel is TLS and you cannot read the payload. List three metadata-only lines of analysis that still let you build a strong case, and one piece of context from another data source (identity or endpoint) you would correlate in the SIEM.


Part E — Calculations ⭐⭐

22.† Beacon score by hand. For check-in gaps [600, 600, 590, 610, 600] (seconds): compute the mean, the population standard deviation (divide by n, not n − 1), the coefficient of variation (standard deviation ÷ mean), and the resulting beacon_score (= 1 − CV, floored at 0, rounded to 3 places). Is this beacon-like?

23. Flow storage budget. A 10 Gbps link runs busy 10 hours/day. Using ~1 flow per 50 KB and ~60 bytes per flow record, estimate (order-of-magnitude) the flow storage per day and per 13 months. Compare to the full-PCAP figure for the same link and explain what the comparison justifies.

24. Top talkers. Given flows (A→X: 2 KB), (A→X: 3 KB), (B→Y: 9 MB), (C→Z: 1 MB), (B→Y: 1 MB), compute the per-(src,dst) totals and list the top two talkers. Which one would you investigate first as possible exfiltration, and what baseline question would confirm or clear it?
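Added helpers for the calculation problems in this part (22, 23, 24), reusable for the timing and cumulative-volume questions in problems 12 and 25; this is an example written for this page, not the chapter's pktflow.py or code/exercise-solutions.py. beacon_score follows the definition in problem 22 with the population standard deviation; KB and MB as powers of two, the 395-day reading of "13 months" and the 200 MB cumulative limit used in the usage are assumptions.

```python
"""Helpers for the calculation problems (22-24) and the timing/volume problems (12, 25).

Added example, not chapter code. beacon_score = 1 - CV (population std dev / mean),
floored at 0, rounded to 3 places, as problem 22 defines it. Units and limits below
are assumptions.
"""
import statistics
from collections import defaultdict

KB = 1024
MB = 1024 * KB
GB = 1024 * MB


def beacon_score(gaps):
    """Regularity of check-in gaps as a 0..1 score; fewer than two gaps scores 0."""
    if len(gaps) < 2:
        return 0.0
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean
    return round(max(0.0, 1.0 - cv), 3)


def gaps_from_timestamps(timestamps):
    """Seconds between consecutive check-ins, after sorting."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def top_talkers(flows, n=2):
    """flows: iterable of (src, dst, bytes). Returns [(src, dst, total)], largest first."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(src, dst, total) for (src, dst), total in ranked[:n]]


def cumulative_volume_alert(daily_bytes, window_days, limit_bytes):
    """Index of the first day whose trailing window_days total exceeds limit_bytes, else None.
    This is the long-window view that a per-hour alarm cannot give."""
    for i in range(len(daily_bytes)):
        if sum(daily_bytes[max(0, i - window_days + 1): i + 1]) > limit_bytes:
            return i
    return None


def flow_storage_estimate(link_bps=10_000_000_000, busy_hours=10, bytes_per_flow=50_000,
                          record_bytes=60, retention_days=395):
    """Order-of-magnitude storage for flow records vs full PCAP on one busy link (problem 23)."""
    pcap_per_day = link_bps // 8 * 3600 * busy_hours
    flow_per_day = pcap_per_day // bytes_per_flow * record_bytes
    return {"pcap_bytes_per_day": pcap_per_day,
            "flow_bytes_per_day": flow_per_day,
            "pcap_bytes_retained": pcap_per_day * retention_days,
            "flow_bytes_retained": flow_per_day * retention_days,
            "pcap_to_flow_ratio": pcap_per_day / flow_per_day}


# Inputs copied from the problem statements.
PROBLEM_22_GAPS = [600, 600, 590, 610, 600]
HOST_A_GAPS = [3600, 3600, 3601, 3599, 3600]          # problem 12
HOST_B_GAPS = [3200, 4100, 2900, 4500, 3300]          # problem 12, jittered
PROBLEM_24_FLOWS = [("A", "X", 2 * KB), ("A", "X", 3 * KB), ("B", "Y", 9 * MB),
                    ("C", "Z", 1 * MB), ("B", "Y", 1 * MB)]
QUIET_EXFIL_DAILY = [40 * MB, 38 * MB, 41 * MB, 39 * MB, 42 * MB, 40 * MB]  # problem 25

if __name__ == "__main__":
    print("problem 22:", beacon_score(PROBLEM_22_GAPS))
    print("host A / host B:", beacon_score(HOST_A_GAPS), beacon_score(HOST_B_GAPS))
    print("top talkers:", top_talkers(PROBLEM_24_FLOWS))
    est = flow_storage_estimate()
    print(f"flow {est['flow_bytes_per_day'] / 1e9:.0f} GB/day vs PCAP "
          f"{est['pcap_bytes_per_day'] / 1e12:.0f} TB/day, ratio {est['pcap_to_flow_ratio']:.0f}x")
    # Assumed 7-day window and 200 MB limit: the quiet exfiltrator trips on day 6 (index 5)
    print("cumulative alert day index:", cumulative_volume_alert(QUIET_EXFIL_DAILY, 7, 200 * MB))
```

Host B still scores 0.833 with this formula, which is the caveat for problem 12(c): a single CV threshold set at, say, 0.9 would miss it, and the longer you retain timestamps the more the jitter averages out against the underlying period.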


Part F — CTF-style challenge ⭐⭐⭐

25.† The quiet exfiltrator. A host's flow history to one external IP over six days, one flow per day: [40 MB, 38 MB, 41 MB, 39 MB, 42 MB, 40 MB], always ~midnight, always port 443. Its beacon_score on the daily timestamps is high. Its per-hour outbound never trips the "5 GB/hour" exfil alarm. (a) Explain how this host is both beaconing and exfiltrating while evading a volume alarm. (b) Which two detection strategies from the chapter (one for timing, one for cumulative volume) catch it together? (c) Why does the choice to retain flow data for 13 months rather than 7 days decide whether you ever see it? (d) Write the one-sentence finding you would file.


Part G — Interleaved & forward-looking ⭐⭐

26. (With Chapter 7.) Classify network monitoring and a firewall block by control type (preventive/detective/corrective). Explain why defense in depth wants both, and how an IPS sits between the two categories.

27. (With Chapter 6.) Define east-west vs north-south traffic and explain, using a concrete Meridian example, why monitoring only one of them leaves a specific attacker behavior invisible.

28. (With Chapter 9.) DNS is described as "a detection goldmine." Name two attacker behaviors visible in Zeek's dns.log and the single normal-traffic characteristic each one violates.

29. (Forward to Chapter 21.) The chapter says network telemetry is a feeder for the SIEM. Give one concrete example where a network signal that is weak on its own becomes a high-confidence detection once correlated with a second data source in the SIEM.

30. ⭐⭐⭐ Open reflection. The chapter claims "the network is ground truth." Describe one scenario where network telemetry would not be sufficient on its own — where you would need endpoint or identity data to understand what happened — and explain what that tells you about the limits of network monitoring as a single source.


Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor. Runnable helpers for the calculation problems are in code/exercise-solutions.py (hand-traced, never executed).