Lab 10 – Packet Capture & Traffic Analysis

This lab expands your network‑level visibility by capturing and analyzing traffic from your homelab. You’ll use Wireshark for packet‑level inspection and Zeek for protocol‑level analysis and log generation.

• Outcome 1: Packet capture performed on mirrored traffic.
• Outcome 2: Wireshark used to inspect packets and identify anomalies.
• Outcome 3: Zeek deployed to generate structured logs.
• Outcome 4: PCAPs exported and prepared for SIEM ingestion.

• DL10.1: PCAP captured from mirrored traffic.
• DL10.2: Wireshark analysis completed with notes.
• DL10.3: Zeek logs generated and reviewed.
• DL10.4: PCAP and logs exported for SIEM ingestion.
• DL10.5: Documentation updated with findings.

1. SSH into your IDS/IPS VM.
2. Run a packet capture on the mirrored interface:

   sudo tcpdump -i eth1 -w capture.pcap

3. Generate traffic by browsing, pinging, or scanning from WIN10‑LAB.
4. Stop capture after 2–5 minutes.

1. Download capture.pcap to your workstation.
2. Open in Wireshark and apply filters:
   • http
   • dns
   • tcp.flags.syn==1
   • tcp.analysis.retransmission
3. Identify:
   • Suspicious DNS queries
   • Port scans
   • Malformed packets
   • Unusual traffic patterns
4. Document findings with screenshots.

1. Install Zeek on your IDS/IPS VM.
2. Run Zeek against your PCAP:

   zeek -r capture.pcap

3. Review generated logs:
   • conn.log
   • dns.log
   • http.log
   • notice.log
4. Identify anomalies or suspicious flows.

1. Upload PCAP and Zeek logs to your SIEM (if supported).
2. Tag logs with metadata for correlation.
3. Document how network events align with host‑based alerts.

• Visibility: How packet capture reveals low‑level network behavior.
• Analysis: How Wireshark and Zeek complement IDS/IPS detections.
• Correlation: How PCAP and logs enrich SIEM investigations.

With packet capture and analysis complete, you now have deep insight into network behavior. In Week 11, you’ll integrate threat intelligence feeds to enrich your detections.