Affiliate disclosure

Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases โ€” at no additional cost to you.

Chapter 23 โ€” Further Reading

Network forensics rewards hands-on repetition more than almost any topic in this book โ€” you do not understand a uid pivot or an upload asymmetry until you have run one on a real capture. Start with one packet-analysis book and one network-security-monitoring book, then keep a practice PCAP open beside everything you read.

Foundations (๐Ÿ”ฌ deeper / format-level)

  • Chris Sanders, Practical Packet Analysis (No Starch). The best on-ramp to Wireshark: reading headers, following streams, and reasoning about a conversation packet by packet. Everything in this chapter's "Reading a PCAP" section, expanded and drilled.
  • Richard Bejtlich, The Practice of Network Security Monitoring (No Starch) and the older The Tao of Network Security Monitoring. The philosophy and practice behind the whole chapter โ€” why you collect metadata broadly, how flow, session, and full content fit together, and why "the network remembers what the host forgets."
  • RFC 7011 (IPFIX) and the IETF opsawg pcap / pcapng format drafts. The primary specifications behind flow records and the capture-file structure you decoded by hand. When you must defend why a field means what it means, cite the spec, not a blog.

Approachable explanations (everyone)

  • Laura Chappell, Wireshark Network Analysis and the Wireshark University materials. Deep, example-driven, and the standard reference for display filters, statistics views, and Export Objects.
  • Chris Greer (YouTube) and the Wireshark official docs/wiki. Short, rigorous walk-throughs of TCP behavior, retransmissions, and stream reassembly โ€” the fast way to make the history string and conn_state intuitive.
  • Brad Duncan's malware-traffic-analysis.net. Free, dated, real-world PCAP exercises with answers. The single best place to practice the entire chapter on traffic that actually misbehaves.
  • ๐Ÿ›ก๏ธ๐Ÿ” The Zeek documentation and Zeek/Bro community resources. conn.log field reference, the uid join model, and the file-extraction framework โ€” the structured-logbook approach at the heart of this chapter.
  • ๐Ÿ›ก๏ธ Suricata documentation + the Emerging Threats ruleset; Snort docs. How signatures are written and why ET POLICY is a lead class, and how to parse eve.json keyed by flow_id (the spine of Case Study 2).
  • ๐Ÿ›ก๏ธ Active Countermeasures' "Cyber Threat Hunting" course and RITA. A free, focused treatment of beaconing detection โ€” interval analysis and the coefficient-of-variation idea, made operational.
  • ๐Ÿ” NetworkMiner (Netresec), Arkime, and the SiLK / nfdump flow toolkits. Content-centric triage, full-capture indexing at scale, and flow mining respectively โ€” the tools surveyed in Chapter 36 โ€” The Forensic Toolkit.
  • ๐Ÿ“œ The U.S. DOJ Searching and Seizing Computers and Obtaining Electronic Evidence manual; an ECPA primer. For the legal/eDiscovery reader: the Wiretap Act / Pen-Trap / Stored Communications Act distinctions that decide what you may lawfully collect.

Reference (this book)

Do, don't just read

  • Run the full stack on a real PCAP. Download an exercise from malware-traffic-analysis.net, hash it (capinfos -H), then run zeek -r cap.pcap and suricata -r cap.pcap and pivot on one connection's uid across conn.log, dns.log, ssl.log, and files.log. You do not understand the uid join until you have followed one session across four logs with your own eyes.
  • Find a beacon and an upload. Compute the coefficient of variation of one host's DNS inter-arrivals to spot a beacon, and sort conn.log by orig_bytes to find the upload asymmetry. Then export an HTTP object and hash it โ€” the carve-from-the-wire move that restores a file and proves a transfer at once.
  • Break a capture, then prove it. Capture your own traffic with -s 0, confirm incl_len == orig_len, then re-capture with a tiny snaplen and watch the payload vanish โ€” the truncation trap, felt once, is never forgotten.

Next: Chapter 24 โ€” Mobile Device Forensics: off the wire and into the pocket โ€” logical, file-system, and physical acquisition, and the SQLite databases and plists where phones keep a life.