Affiliate disclosure
Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases โ at no additional cost to you.
Chapter 23 โ Further Reading
Network forensics rewards hands-on repetition more than almost any topic in this book โ you do not understand a uid pivot or an upload asymmetry until you have run one on a real capture. Start with one packet-analysis book and one network-security-monitoring book, then keep a practice PCAP open beside everything you read.
Foundations (๐ฌ deeper / format-level)
- Chris Sanders, Practical Packet Analysis (No Starch). The best on-ramp to Wireshark: reading headers, following streams, and reasoning about a conversation packet by packet. Everything in this chapter's "Reading a PCAP" section, expanded and drilled.
- Richard Bejtlich, The Practice of Network Security Monitoring (No Starch) and the older The Tao of Network Security Monitoring. The philosophy and practice behind the whole chapter โ why you collect metadata broadly, how flow, session, and full content fit together, and why "the network remembers what the host forgets."
- RFC 7011 (IPFIX) and the IETF
opsawgpcap / pcapng format drafts. The primary specifications behind flow records and the capture-file structure you decoded by hand. When you must defend why a field means what it means, cite the spec, not a blog.
Approachable explanations (everyone)
- Laura Chappell, Wireshark Network Analysis and the Wireshark University materials. Deep, example-driven, and the standard reference for display filters, statistics views, and Export Objects.
- Chris Greer (YouTube) and the Wireshark official docs/wiki. Short, rigorous walk-throughs of TCP behavior, retransmissions, and stream reassembly โ the fast way to make the
historystring andconn_stateintuitive. - Brad Duncan's malware-traffic-analysis.net. Free, dated, real-world PCAP exercises with answers. The single best place to practice the entire chapter on traffic that actually misbehaves.
In practice (๐พ Recovery ยท ๐ Examiner ยท ๐ก๏ธ IR ยท ๐ Legal)
- ๐ก๏ธ๐ The Zeek documentation and Zeek/Bro community resources.
conn.logfield reference, theuidjoin model, and the file-extraction framework โ the structured-logbook approach at the heart of this chapter. - ๐ก๏ธ Suricata documentation + the Emerging Threats ruleset; Snort docs. How signatures are written and why
ET POLICYis a lead class, and how to parseeve.jsonkeyed byflow_id(the spine of Case Study 2). - ๐ก๏ธ Active Countermeasures' "Cyber Threat Hunting" course and RITA. A free, focused treatment of beaconing detection โ interval analysis and the coefficient-of-variation idea, made operational.
- ๐ NetworkMiner (Netresec), Arkime, and the SiLK /
nfdumpflow toolkits. Content-centric triage, full-capture indexing at scale, and flow mining respectively โ the tools surveyed in Chapter 36 โ The Forensic Toolkit. - ๐ The U.S. DOJ Searching and Seizing Computers and Obtaining Electronic Evidence manual; an ECPA primer. For the legal/eDiscovery reader: the Wiretap Act / Pen-Trap / Stored Communications Act distinctions that decide what you may lawfully collect.
Reference (this book)
- Appendix A โ File Signatures Reference: the PCAP/PCAPNG magic numbers and header layout you decoded in the exercises.
- Appendix C โ Tool Reference: Wireshark/
tshark, Zeek, Suricata, NetworkMiner, andnfdump/SiLK side by side. - Appendix H โ Command-Line Reference:
tcpdump,dumpcap,capinfos,tshark,zeek-cut,editcap/mergecap,pcapfix, with flags. - Appendix E โ Legal Frameworks Reference: Wiretap Act, Pen-Trap, and the Stored Communications Act in detail.
- Chapter 15 โ Live Response and Triage (order of volatility), Chapter 21 โ Timeline Analysis (fusing network logs into a super-timeline), and Chapter 32 โ Malware Forensics (C2 analysis) โ the next stops for this chapter's threads.
Do, don't just read
- Run the full stack on a real PCAP. Download an exercise from malware-traffic-analysis.net, hash it (
capinfos -H), then runzeek -r cap.pcapandsuricata -r cap.pcapand pivot on one connection'suidacrossconn.log,dns.log,ssl.log, andfiles.log. You do not understand theuidjoin until you have followed one session across four logs with your own eyes. - Find a beacon and an upload. Compute the coefficient of variation of one host's DNS inter-arrivals to spot a beacon, and sort
conn.logbyorig_bytesto find the upload asymmetry. Then export an HTTP object and hash it โ the carve-from-the-wire move that restores a file and proves a transfer at once. - Break a capture, then prove it. Capture your own traffic with
-s 0, confirmincl_len == orig_len, then re-capture with a tiny snaplen and watch the payload vanish โ the truncation trap, felt once, is never forgotten.
Next: Chapter 24 โ Mobile Device Forensics: off the wire and into the pocket โ logical, file-system, and physical acquisition, and the SQLite databases and plists where phones keep a life.