Further Reading: Network Monitoring and Traffic Analysis

Curated, annotated resources to deepen this chapter. Each entry notes the learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order; you do not need to read everything before Chapter 21.

Suggested order

  1. Install Wireshark and capture your own traffic (the lab in §10.2) — nothing teaches packet reading like seeing your own TLS handshake and SNI.
  2. Skim the Zeek documentation's "Logs" section to see what conn.log, dns.log, and ssl.log contain — the fields you will query for the rest of your career.
  3. Read a primer on NetFlow/IPFIX to understand flow records and why they scale.
  4. Browse the MITRE ATT&CK techniques for Command and Control (TA0011) and Exfiltration (TA0010) to connect the behaviors in this chapter to the adversary model of Chapter 2.

Standards & primary documents (Tier 1)

  • NIST Cybersecurity Framework (CSF) 2.0 — Detect function. 📋📜 The framework places "continuous monitoring" and "adverse event analysis" at the center of detection; this chapter builds the network half of that capability. Read the Detect outcomes to see where network monitoring fits into a program.
  • NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS). 🛡️🏗️ Authoritative background on network-based detection, sensor placement, and the IDS/IPS distinction that Chapter 7 introduced and this chapter operationalizes.
  • MITRE ATT&CK — Command and Control (TA0011) and Exfiltration (TA0010). 🛡️ The adversary's playbook for the exact behaviors you detect here (beaconing, application-layer C2, exfiltration over alternative protocols including DNS). The single best map from "attacker technique" to "what to look for."
  • PCI DSS v4.0 — network monitoring requirements. 📋📜 For regulated environments like Meridian's CDE, the standard mandates monitoring of network traffic and access; useful for grounding the why of full-fidelity taps on sensitive links.
  • RFC 7011, IPFIX Protocol Specification. 🏗️ The standard behind vendor-neutral flow export; skim to understand what a flow record formally is and how collectors receive it.
  • CIS Controls v8 — Control 13 (Network Monitoring and Defense). 📋🏗️ A concise, prioritized list of the network-monitoring safeguards an organization should implement; maps cleanly onto this chapter.

Books (Tier 1)

  • Sanders, C., Practical Packet Analysis (Wireshark). 🛡️🏗️ The standard hands-on introduction to reading packets with Wireshark; works through real captures and the filters you will use daily. The best companion to §10.2.
  • Sanders, C., & Smith, J., Applied Network Security Monitoring. 🛡️ A practitioner's guide to NSM — collection, detection, and analysis — built around the Zeek/flow/full-capture model this chapter uses. Read it to turn the concepts here into an operational practice.
  • Bejtlich, R., The Practice of Network Security Monitoring. 🛡️📋 The book that crystallized "NSM" as a discipline; strong on why network visibility matters and on the collect-detect-analyze workflow. Excellent for the mindset behind §10.1 and §10.6.
  • Collins, M., Network Security Through Data Analysis. 🛡️🏗️ Deeper on flow data, baselining, and analyzing traffic at scale — directly supports §10.4–10.5 and the pktflow.py style of analysis.

Free online & tools (Tier 1 / Tier 2)

  • Wireshark (wireshark.org) and tcpdump. 🛡️🏗️ The microscope. Free; install and use on your own traffic. Wireshark's Statistics → Conversations view is flow analysis you can try in five minutes.
  • Zeek (zeek.org) and its documentation. 🛡️🏗️ The open-source NSM platform of this chapter; the docs' log reference is a working analyst's daily companion.
  • Malware-Traffic-Analysis.net. 🛡️ A large library of constructed/teaching PCAPs with exercises — practice spotting C2, exfiltration, and malicious patterns in real-looking captures. (Tier 2: a community resource; excellent for skill-building in your own lab.)
  • SiLK / nfdump / nfcapd. 🏗️🛡️ Open-source flow collection and analysis toolkits; a practical way to experiment with NetFlow/IPFIX data and the aggregations in §10.4–10.5.
  • Security Onion. 🛡️🏗️ A free, all-in-one network-security-monitoring distribution bundling Zeek, flow tools, and a SIEM-like interface — the fastest way to stand up a learning lab for this whole chapter.

⚖️ Authorization & Ethics reminder: Packet capture and traffic analysis record other people's data. Apply these tools only to networks you own or are explicitly authorized to monitor, capture only what you need, and protect captures like the sensitive data they contain (Chapter 39). Practice on your own lab traffic or the constructed PCAPs above — never on networks you do not control.