Mastering Network Forensics: Analyzing Traffic for Anomalies

Main Point

In this article, we will discuss different types of traffic frequently used in network communication that could be misused by malicious actors to achieve their goals. When analyzing network traffic or performing network forensics, especially when using tools like Wireshark, it is crucial to focus on understanding core protocols, their structures, and how they operate. This knowledge helps us distinguish between their natural forms and potential misuse. Our focus here is on the type of traffic, not the content of the messages.

1. DHCP (Dynamic Host Configuration Protocol)

Structure:

DHCP

  • OPCODE: Indicates if the packet is a request or reply.
  • Hardware type: Type of hardware address (e.g., Ethernet).
  • Hardware length: Length of the hardware address.
  • Hops: Routers that help find a DHCP server.
  • Transaction ID: Unique random number for request and response.
  • Seconds Elapsed: Seconds since the client first requested an address.
  • Flags: Type of traffic the DHCP client can accept (unicast, broadcast).
  • Client IP Address: New IP address from the Offer message.
  • Your IP Address: IP address offered by the DHCP server.
  • Server IP Address: DHCP server's IP address.
  • Gateway IP Address: Network's default gateway IP address.
  • Client Hardware Address: Client's MAC address.
  • Server Host Name (optional): Server's host name.
  • Boot File (optional): Boot file for use by DHCP.
  • Options: Used to extend the DHCP structure with additional features, for example:
      • Option 1: Subnet mask
      • Option 3: Router
      • Option 4: Time server
      • Option 5: Name server
      • Option 6: Domain server
      • Option 12: Host name
      • Option 15: Domain name
      • Option 31: Router discovery
      • Option 50: Requested IP address
      • Option 53: DHCP message type
      • Option 54: DHCP server identifier (IP)
      • Option 255: End

Normal:

  • Based on the BOOTP protocol, a client/server protocol.
  • Transaction ID is unique for request and response.
  • Natural sequence of DHCP messages (D,O,R,A: Discover, Offer, Request, Acknowledge).
  • Discover message:
      • Source and client IP: 0.0.0.0
      • Destination IP: 255.255.255.255 (broadcast)
  • Offer and Ack messages:
      • Source IP: DHCP server IP
      • Client IP: new IP obtained
      • Destination IP: 255.255.255.255 (broadcast)
  • Request message:
      • Source IP: 0.0.0.0
      • Client IP: new IP obtained
      • Destination IP: 255.255.255.255 (broadcast)
  • Uses UDP on port 67 for the server and port 68 for the client.

Suspicious:

  • Numerous DHCP requests from different and suspicious IP addresses (DHCP starvation) or spoofed DHCP IP addresses.
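As an added illustration (example code, not part of the original article), the following Python parses the fixed BOOTP header and the options list described above from raw DHCP payloads, then applies the two "normal" rules from the list: every message in a transaction must follow the D-O-R-A order under one transaction ID, and a burst of DISCOVERs from many distinct client MACs is the starvation pattern. All packets are constructed inside the script; the builder, the threshold and the function names are this example's own choices.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the options field
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
DORA = ["DISCOVER", "OFFER", "REQUEST", "ACK"]


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed 236-byte BOOTP header, then walk the option TLVs up to the End (255) option."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # End
            break
        if code == 0:              # Pad
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MESSAGE_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN")
    return {"op": op, "xid": xid, "flags": flags, "ciaddr": _ipv4(payload[12:16]),
            "yiaddr": _ipv4(payload[16:20]), "siaddr": _ipv4(payload[20:24]),
            "giaddr": _ipv4(payload[24:28]), "chaddr": chaddr, "type": msg_type, "options": options}


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", siaddr="0.0.0.0") -> bytes:
    """Construct a minimal DHCP payload (sample data for the parser; only option 53 is set)."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)       # Ethernet, hlen 6, broadcast flag
    hdr += bytes(4)                                                  # ciaddr
    hdr += bytes(int(x) for x in yiaddr.split("."))                  # yiaddr
    hdr += bytes(int(x) for x in siaddr.split("."))                  # siaddr
    hdr += bytes(4)                                                  # giaddr
    hdr += mac + bytes(16 - len(mac))                                # chaddr (16 bytes)
    hdr += bytes(64 + 128)                                           # sname + file
    return hdr + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def check_transactions(messages, starvation_threshold=5):
    """Group by transaction ID, check the D-O-R-A order, and count distinct MACs sending DISCOVER."""
    findings, by_xid = [], {}
    for m in messages:
        by_xid.setdefault(m["xid"], []).append(m)
    for xid, seq in by_xid.items():
        types = [m["type"] for m in seq]
        if types != DORA[:len(types)]:        # an OFFER/ACK nobody asked for, or steps out of order
            findings.append(f"xid {xid:#010x}: unexpected sequence {types}")
    discover_macs = {m["chaddr"] for m in messages if m["type"] == "DISCOVER"}
    if len(discover_macs) >= starvation_threshold:
        findings.append(f"{len(discover_macs)} distinct client MACs sent DISCOVER: possible DHCP starvation")
    return findings


def analyze(raw_messages):
    return check_transactions([parse_dhcp(p) for p in raw_messages])


# Constructed capture: one clean D-O-R-A exchange, one OFFER with a transaction ID no client used,
# and six DISCOVERs from six different (made-up) MAC addresses.
SAMPLE = [
    build_dhcp(1, 0x3903F326, "00:0c:29:aa:bb:01", 1),
    build_dhcp(2, 0x3903F326, "00:0c:29:aa:bb:01", 2, yiaddr="192.168.1.100", siaddr="192.168.1.1"),
    build_dhcp(1, 0x3903F326, "00:0c:29:aa:bb:01", 3),
    build_dhcp(2, 0x3903F326, "00:0c:29:aa:bb:01", 5, yiaddr="192.168.1.100", siaddr="192.168.1.1"),
    build_dhcp(2, 0x11111111, "00:0c:29:aa:bb:02", 2, yiaddr="192.168.1.200", siaddr="192.168.1.250"),
] + [build_dhcp(1, 0x50000000 + i, f"02:00:00:00:00:{i:02x}", 1) for i in range(6)]

if __name__ == "__main__":
    for line in analyze(SAMPLE):
        print(line)
```

Running the script reports the stray OFFER and the seven distinct DISCOVER sources; in Wireshark the same two checks correspond to following a `bootp.id` value through the conversation and counting `dhcp.option.dhcp == 1` packets per client hardware address.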

2. ARP (Address Resolution Protocol)

Structure:

ARP

  • Hardware type: Type of hardware address (e.g., Ethernet).
  • Protocol type: Type of protocol (IPv4 or IPv6).
  • Hardware length: Length of the hardware address.
  • Protocol length: Length of the IP address.
  • Operation code: 1 for ARP request, 2 for ARP reply.
  • Source hardware address: Sender MAC address.
  • Source protocol address: Sender IP address.
  • Target hardware address: Receiver MAC address.
  • Target protocol address: Receiver IP address.

Normal:

  • A normal ARP request is typically followed by a reply.
  • Target MAC address is FF:FF:FF:FF:FF:FF (broadcast).

Suspicious:

  • Numerous ARP requests in a short time (ARP sweep).
  • ARP requests from suspicious IPs that appear fake (e.g., sequential IPs).
  • MAC spoofing (identical MAC addresses with different IPs).
  • ARP reply without ARP request (ARP spoofing using gratuitous ARP reply).
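The suspicious patterns above can be checked mechanically once the 28-byte ARP packet is decoded. The Python below is an added example, not the article's code: it parses the fields listed under Structure, keeps an IP-to-MAC table learned from replies, and reports a reply with no preceding request (gratuitous), an IP whose MAC changes, and a single sender issuing many requests. Packets, addresses and the sweep threshold are constructed for the example.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BCAST = "ff:ff:ff:ff:ff:ff"


def parse_arp(packet: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet (the 28 bytes after the Ethernet header)."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", packet[:8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", packet[8:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": oper, "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}


def build_arp(oper, sha, spa, tha, tpa) -> bytes:
    """Construct an ARP packet (sample data for the parser)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)


class ArpMonitor:
    """Stateful check over a sequence of parsed ARP packets."""

    def __init__(self, sweep_threshold=10):
        self.table = {}                 # ip -> MAC learned from replies
        self.pending = set()            # (requester ip, target ip) of requests awaiting a reply
        self.requests_by_sender = {}    # MAC -> number of requests sent
        self.sweep_threshold = sweep_threshold
        self.findings = []

    def observe(self, pkt: dict):
        if pkt["op"] == ARP_REQUEST:
            self.pending.add((pkt["spa"], pkt["tpa"]))
            n = self.requests_by_sender.get(pkt["sha"], 0) + 1
            self.requests_by_sender[pkt["sha"]] = n
            if n == self.sweep_threshold:
                self.findings.append(f"{pkt['sha']} sent {n} requests: possible ARP sweep")
        elif pkt["op"] == ARP_REPLY:
            asked = (pkt["tpa"], pkt["spa"])        # a reply answers the request "who has spa?" from tpa
            if asked in self.pending:
                self.pending.discard(asked)
            else:
                self.findings.append(f"reply {pkt['spa']} is-at {pkt['sha']} without a matching request (gratuitous)")
            known = self.table.get(pkt["spa"])
            if known and known != pkt["sha"]:
                self.findings.append(f"{pkt['spa']} changed from {known} to {pkt['sha']}: possible ARP spoofing")
            self.table[pkt["spa"]] = pkt["sha"]


def analyze(raw_packets, sweep_threshold=10):
    mon = ArpMonitor(sweep_threshold)
    for raw in raw_packets:
        mon.observe(parse_arp(raw))
    return mon.findings


# Constructed capture: a legitimate who-has/is-at pair for the gateway, an unsolicited reply from a
# different MAC claiming the gateway IP, then ten requests in a row from that same MAC.
GW, GW_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
HOST, HOST_MAC = "192.168.1.10", "aa:bb:cc:00:00:10"
OTHER_MAC = "de:ad:be:ef:00:01"
SAMPLE = [
    build_arp(ARP_REQUEST, HOST_MAC, HOST, BCAST, GW),
    build_arp(ARP_REPLY, GW_MAC, GW, HOST_MAC, HOST),
    build_arp(ARP_REPLY, OTHER_MAC, GW, HOST_MAC, HOST),
] + [build_arp(ARP_REQUEST, OTHER_MAC, "192.168.1.200", BCAST, f"192.168.1.{i}") for i in range(1, 11)]

if __name__ == "__main__":
    for line in analyze(SAMPLE):
        print(line)
```

The same three signals map onto Wireshark's built-in `arp.duplicate-address-detected` and `arp.isgratuitous` fields, but keeping the table yourself makes the first MAC that claimed an address explicit in the finding.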

3. ICMP (Internet Control Message Protocol)

Structure:

ICMP

  • Type: Describes the message, for example:
      • 0: Echo reply.
      • 3: Destination unreachable.
      • 5: Redirect message.
      • 8: Echo request.
      • 11: Time exceeded.
      • 12: Parameter problem.
  • Code: Information about the error message and type.
  • Checksum: Ensures message integrity.
  • Header Information: Depends on the reply type.

Normal:

  • Echo request: code 0, Type 8.
  • Unique random value in the data section for request and reply.

Suspicious:

  • Data section used as an exfiltration channel.
  • High number of sent packets (ping flood, DoS attack).
  • ICMP response from external network without a corresponding request (reconnaissance).
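To make the echo rules above concrete, here is an added Python example (not from the article) that builds echo request and reply packets with a valid checksum, verifies the checksum on parse, pairs requests with replies by identifier and sequence number, and flags the three conditions listed as suspicious: a data section far larger than a ping needs, a reply whose data does not echo the request, a reply with no request, and a request count above a flood threshold. The payload sizes and thresholds are the example's own constructed values.

```python
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as used in the ICMP checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request (type 8) or echo reply (type 0), code 0, with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # summing the whole packet, checksum field included, comes out as 0 when it is intact
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": packet[8:], "checksum_ok": inet_checksum(packet) == 0}


def analyze_echo(packets, max_payload=64, flood_threshold=50):
    """Pair requests with replies by (id, seq); report oversized data, mismatched or orphan replies, floods."""
    findings, outstanding, requests = [], {}, 0
    for raw in packets:
        p = parse_icmp(raw)
        tag = f"id={p['id']:#06x} seq={p['seq']}"
        if not p["checksum_ok"]:
            findings.append(f"{tag}: bad checksum")
        if p["type"] == 8:
            requests += 1
            outstanding[(p["id"], p["seq"])] = p["data"]
            if len(p["data"]) > max_payload:
                findings.append(f"{tag}: {len(p['data'])}-byte payload, possible exfiltration channel")
        elif p["type"] == 0:
            req_data = outstanding.pop((p["id"], p["seq"]), None)
            if req_data is None:
                findings.append(f"{tag}: reply without a request")
            elif req_data != p["data"]:
                findings.append(f"{tag}: reply data differs from request data")
    if requests >= flood_threshold:
        findings.append(f"{requests} echo requests in this capture: possible ping flood")
    return findings


# Constructed capture: a normal request/reply pair, an oversized request, a reply whose data does not
# match its request, and a reply with no request at all.
NORMAL_DATA = bytes(range(56))                          # 56 bytes, the usual ping payload size
OVERSIZED_DATA = b"constructed-oversized-payload-" * 5   # 150 bytes
SAMPLE = [
    build_echo(8, 0x1234, 1, NORMAL_DATA),
    build_echo(0, 0x1234, 1, NORMAL_DATA),
    build_echo(8, 0x1234, 2, OVERSIZED_DATA),
    build_echo(0, 0x1234, 2, b"something else"),
    build_echo(0, 0x9999, 7, NORMAL_DATA),
]

if __name__ == "__main__":
    for line in analyze_echo(SAMPLE):
        print(line)
```

The request/reply data comparison is the operational form of the "unique random value in the data section" rule: a legitimate echo reply carries back exactly the bytes it was sent.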

4. TCP (Transmission Control Protocol)

Structure:

TCP

  • Source port: Port number of the transmitting application.
  • Destination port: Port number of the receiving application.
  • Sequence number: Random value that starts the connection, incremented by transmitted bytes.
  • Acknowledge number: Starts at zero, incremented by received bytes.
  • Header length/TCP data offset: Length of the header.
  • Control flags: Manage data flow (e.g., URG, ACK, PSH, RST, SYN, FIN).
  • Window size: Number of bytes the receiver wants to receive.
  • Checksum: Verifies header integrity.
  • Urgent pointer: Indicates urgent data.
  • Option: Optional fields for additional features.
  • Data: Application data.

Normal:

  • 3-way handshake (SYN, SYN/ACK, ACK).
  • SYN → Seq: random number (e.g., 1), ACK=0.
  • SYN/ACK → Seq: random number (e.g., 4), ACK = client Seq + 1 = 1 + 1 = 2.
  • ACK → Seq = 2 (the client's Seq + 1), ACK = server Seq + 1 = 4 + 1 = 5.
  • TCP handshake between two hosts only.

Suspicious:

  • High number of SYN messages in a short time (SYN scan).
  • Unusual flags.
  • Scanning behavior (one host to multiple ports or nodes).
  • Unusual port numbers (e.g., 0 or 4444).
  • IP spoofing to reset connections (TCP RST attack).
  • TCP retransmission indicating potential TCP hijacking.
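As an added example (not code from the article), the Python below encodes the handshake arithmetic from the Normal list, using the article's own sample numbers (client ISN 1, server ISN 4), and applies the first two Suspicious bullets to a list of segments: a source that sends SYNs to many distinct ports without ever completing a handshake is reported as a scanner. The `Segment` tuple, the hosts and the port threshold are constructed for the example.

```python
from collections import defaultdict, namedtuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10          # control-flag bits used here
Segment = namedtuple("Segment", "src sport dst dport flags seq ack")


def handshake_ok(segments):
    """Check a 3-way handshake as laid out above:
    SYN(seq=c, ack=0) -> SYN/ACK(seq=s, ack=c+1) -> ACK(seq=c+1, ack=s+1), between two hosts only."""
    if len(segments) != 3:
        return False, "expected exactly three segments"
    syn, synack, ack = segments
    if syn.flags != SYN or syn.ack != 0:
        return False, "first segment must be a bare SYN with ack=0"
    if synack.flags != SYN | ACK or synack.ack != syn.seq + 1:
        return False, f"SYN/ACK must acknowledge {syn.seq + 1}, got {synack.ack}"
    if ack.flags != ACK or ack.seq != syn.seq + 1 or ack.ack != synack.seq + 1:
        return False, f"final ACK must carry seq={syn.seq + 1} ack={synack.seq + 1}"
    hosts = {syn.src, syn.dst}
    if {synack.src, synack.dst} != hosts or {ack.src, ack.dst} != hosts:
        return False, "handshake must involve only two hosts"
    return True, "handshake complete"


def find_syn_scanners(segments, port_threshold=10):
    """Sources that send SYNs to many distinct (host, port) targets and never send a plain ACK,
    i.e. never finish a handshake: the SYN-scan pattern from the Suspicious list."""
    targets, completed = defaultdict(set), set()
    for s in segments:
        if s.flags == SYN:
            targets[s.src].add((s.dst, s.dport))
        elif s.flags == ACK:
            completed.add(s.src)
    return sorted(src for src, t in targets.items() if len(t) >= port_threshold and src not in completed)


# Constructed segments: the article's handshake (ISNs 1 and 4) plus twelve bare SYNs from one host
# to twelve different ports that are never followed up.
HANDSHAKE = [
    Segment("10.0.0.5", 51000, "10.0.0.9", 80, SYN, 1, 0),
    Segment("10.0.0.9", 80, "10.0.0.5", 51000, SYN | ACK, 4, 2),
    Segment("10.0.0.5", 51000, "10.0.0.9", 80, ACK, 2, 5),
]
SCAN = [Segment("10.0.0.77", 40000 + p, "10.0.0.9", p, SYN, 1000 + p, 0) for p in range(1, 13)]

if __name__ == "__main__":
    print(handshake_ok(HANDSHAKE))
    print(find_syn_scanners(HANDSHAKE + SCAN))
```

In a real capture the segments would come from a pcap reader rather than a hand-built list, but the two checks are the same ones an analyst performs by hand with Wireshark's `tcp.flags.syn == 1 && tcp.flags.ack == 0` filter and the Conversations statistics.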

5. UDP (User Datagram Protocol)

Structure:

UDP

  • Source port number: Port of the sender.
  • Destination port number: Destination port.
  • Datagram length: Total size of the header and data.
  • Checksum: Error checking and integrity.
  • Data: Application data.

Normal:

  • Used in VoIP (Skype, Zoom), gaming, IoT services.
  • Connectionless, less vulnerable than TCP.

Suspicious:

  • High number of UDP packets to multiple ports (port scan).
  • UDP flooding (DoS attack) with spoofed IP addresses.
  • URL requests with no reply (C&C data exfiltration).

6. DNS (Domain Name System)

Structure:

DNS

  • DNS ID Number: Unique number for DNS query and response.
  • Query/Response (QR): Indicates if the packet is a query or response.
  • OPCODE: Type of query.
  • Authoritative Answers (AA): Indicates if the response is from an authoritative server.
  • Truncation (TC): Indicates a truncated response.
  • Recursion Desired (RD): Indicates a recursive query request.
  • Recursive Available (RA): Indicates the server supports recursive queries.
  • Reserved (Z): Set to 0 or used as an extension of RCode.
  • Response Code (RCode): Indicates errors in the DNS response.
  • Question Count: Number of entries in the Question Section.
  • Answer Count: Number of entries in the Answer Section.
  • Name Server Record Count: Number of records in the Authority Section.
  • Additional Records Count: Number of records in the Additional Information Section.

Normal:

  • Uses UDP port 53.
  • DNS request and reply have the same transaction ID.
  • DNS query sent to DNS server, server replies with requested record.

Suspicious:

  • Numerous DNS requests with no reply or vice versa.
  • Use of TCP on port 53 instead of UDP (DNS zone transfer from a suspicious IP).
  • Fake DNS server or domain name.
  • Unusual query size indicating data exfiltration (DNS tunneling).
  • Unusual domain names (potential C&C domains).
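The header fields and the Normal/Suspicious rules above translate directly into code. This added Python example (not the article's code) decodes the 12-byte DNS header and the first question name, matches responses to queries by transaction ID, reports unanswered queries and unmatched responses, and scores query names for the long or high-entropy labels that characterise DNS tunneling. The messages, the constructed tunnel-like label and the thresholds are the example's own.

```python
import math
import struct
from collections import Counter


def parse_dns(payload: bytes) -> dict:
    """Decode the header (ID; QR, OPCODE, AA, TC, RD, RA, Z, RCODE; four counts) and the first question name."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    msg = {
        "id": txid,
        "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
        "z": (flags >> 4) & 0x7, "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }
    labels, i = [], 12
    while payload[i] != 0:                 # a name is a run of length-prefixed labels ending in 0
        n = payload[i]
        labels.append(payload[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    msg["qname"] = ".".join(labels)
    return msg


def build_dns(txid: int, qname: str, response: bool = False, answers: int = 0) -> bytes:
    """Construct a query or response with one A/IN question (answer RRs omitted; only ANCOUNT is set)."""
    flags = (0x8000 if response else 0) | 0x0100        # QR bit for responses, RD set
    header = struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; encoded data scores higher than dictionary words."""
    if not label:
        return 0.0
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def tunneling_suspect(qname: str, max_label=40, max_total=100, max_entropy=3.8) -> bool:
    longest = max(qname.split("."), key=len)
    return len(longest) > max_label or len(qname) > max_total or label_entropy(longest) > max_entropy


def analyze_dns(packets):
    """Pair queries and responses by ID; report tunneling-like names, orphan responses, unanswered queries."""
    findings, queries = [], {}
    for raw in packets:
        m = parse_dns(raw)
        tag = f"id {m['id']:#06x}"
        if m["qr"] == 0:
            queries[m["id"]] = m
            if tunneling_suspect(m["qname"]):
                findings.append(f"{tag}: unusual query {m['qname']!r} (possible DNS tunneling)")
        else:
            q = queries.pop(m["id"], None)
            if q is None:
                findings.append(f"{tag}: response with no matching query")
            elif q["qname"] != m["qname"]:
                findings.append(f"{tag}: response name {m['qname']!r} differs from query {q['qname']!r}")
    for m in queries.values():
        findings.append(f"id {m['id']:#06x}: query for {m['qname']!r} never answered")
    return findings


# Constructed capture: a normal lookup with its reply, a query with a 56-character encoded-looking
# label, a query that is never answered, and a response whose ID matches no query.
TUNNEL_LABEL = "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjaukomcnfxmz4tj"
SAMPLE = [
    build_dns(0x1A2B, "www.example.com"),
    build_dns(0x1A2B, "www.example.com", response=True, answers=1),
    build_dns(0x3C4D, f"{TUNNEL_LABEL}.t.example.net"),
    build_dns(0x5E6F, "mail.example.com"),
    build_dns(0x7081, "www.example.org", response=True, answers=1),
]

if __name__ == "__main__":
    for line in analyze_dns(SAMPLE):
        print(line)
```

The unanswered-query list is worth reading together with the "numerous DNS requests with no reply" bullet: a handful is normal, hundreds to one odd parent domain is the pattern to chase.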

7. HTTP (Hypertext Transfer Protocol)

Structure:

HTTP

  • Request/Response Line:

  1. Requested method: The type of request sent to the web server (GET, POST, DELETE, PUT, HEAD).
  2. HTTP version: The version of HTTP used (e.g., HTTP 1.0, HTTP 1.1).
  3. Requested URL: The URL requested by the client.
  4. Status code: A 3-digit code indicating the status of the response (e.g., 200, 300, 400).
  5. Status phrase: A short description of the status code.

Request Header:

Contains information about the data requested from the web server, such as the format in which the data is desired. Examples include:

  • Accept: image/jpeg
  • Accept-Language: en-us
  • User-Agent: Mozilla/4.0
  • Accept-Encoding: {coding type}
  • Accept-Ranges: bytes
  • Connection: {keep-alive/close}

Response Header:

Provides additional information related to the response data and the server. Examples include:

  • Date: {date and time}
  • Server: {server OS}
  • Last-Modified: {date and time}
  • Accept-Ranges: bytes
  • Content-Length: {length}
  • Content-Type: text/html

Request Body:

An optional part that includes data sent by the client, such as input for searches, comments, feedback, etc.

Response Body:

Contains the data requested by the client from the web server.

Normal:

  • Uses TCP on port 80, 8080, or 8088.
  • No encryption, data in plaintext.
  • Fully Qualified Domain Name (FQDN) used.

Suspicious:

  • Use of IP address instead of FQDN unless internal server.
  • Encrypted data indicating potential malicious content.
  • Web attack behaviors (e.g., SQLi, XSS, LFI/RFI).
  • Automated tool names in user-agent strings.
  • High number of HTTP requests (DoS or brute force).
  • Malicious files in response payloads.
  • Outbound traffic indicating data exfiltration.
  • Unusual URL patterns or extensions (e.g., .exe or .zip).
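Several of the Suspicious bullets are checks on the request line and headers alone, so they can be automated over raw HTTP text. The Python below is an added example (not from the article): it parses the request line and headers described under Structure and reports a Host header that is an IP literal outside the private ranges, a User-Agent naming a common automated tool, a request for an executable or archive extension, and an unexpected method. The sample requests, the tool-name list and the address ranges are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

TOOL_AGENTS = ("sqlmap", "nikto", "nmap", "masscan", "python-requests", "curl")   # example list
SUSPICIOUS_EXT = (".exe", ".zip", ".scr", ".dll")
EXPECTED_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_request(raw: bytes) -> dict:
    """Split a raw request into request line (method, target, version), headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def host_address(host: str):
    """Return an ip_address when the Host header is an IP literal (optionally with :port), else None."""
    bare = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        return ipaddress.ip_address(bare.strip("[]"))
    except ValueError:
        return None


def review_request(req: dict) -> list:
    findings = []
    host = req["headers"].get("host", "")
    addr = host_address(host)
    if addr is not None and not any(addr in net for net in INTERNAL_NETS):
        findings.append(f"Host is an IP literal ({host}) rather than an FQDN")
    ua = req["headers"].get("user-agent", "")
    if any(tool in ua.lower() for tool in TOOL_AGENTS):
        findings.append(f"automated tool User-Agent: {ua}")
    path = urlsplit(req["target"]).path.lower()
    if path.endswith(SUSPICIOUS_EXT):
        findings.append(f"request for executable/archive content: {path}")
    if req["method"] not in EXPECTED_METHODS:
        findings.append(f"unusual method {req['method']}")
    return findings


# Constructed requests: a plain browser fetch, a tool fetching an .exe from a bare external address
# (203.0.113.7 is a documentation range), and an intranet request to a private address.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /downloads/update.exe HTTP/1.1\r\nHost: 203.0.113.7\r\nUser-Agent: python-requests/2.31\r\n\r\n",
    b"GET /intranet/ HTTP/1.1\r\nHost: 192.168.1.20:8080\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(review_request(parse_request(raw)))
```

The IP-literal check deliberately exempts private ranges, matching the "unless internal server" qualification above; everything else in the list is a signal to review, not a verdict.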

8. SSL (Secure Sockets Layer)

Structure:

Handshake Protocol:

Establishes the connection between client and server:

  • Client Hello: Defines SSL version, session ID, cipher suite.
  • Server Hello: Defines SSL version, session ID, cipher suite.
  • Server Certificate: Server's certificate and public key.
  • Client Certificate: Client's certificate (if requested).
  • Key Exchange: Public key exchange for encryption.
  • Cipher Suite: Defines

Alert Protocol:

The alert protocol is used for reporting errors detected by the client or server. It consists of an 8-bit level and an 8-bit alert code.

  • 8-bit Level: Describes the alert level (warning or fatal).

Warning (1):

  • Close notify
  • Bad certificate
  • Unsupported certificate
  • No certificate
  • Certificate revoked
  • Certificate expired
  • Certificate unknown

Fatal (2):

  • Handshake failure
  • Bad record MAC
  • Decompression failure
  • Unexpected message
  • Illegal parameters

8-bit Alert:

  • This is the alert code number for the above messages.

SSL Record Protocol

The SSL record protocol is responsible for the encrypted transmission and encapsulation of data sent by higher layer protocols. It provides basic security services such as:

  • Confidentiality: Ensures that data remains private and is not accessible by unauthorized parties.
  • Integrity: Ensures that the data has not been altered during transmission.
  • Authentication: Verifies the identity of the parties involved in the communication.

9. TLS

TLS Steps:

  1. Client Hello: Sent from client to server to establish the connection and provide its parameters.
  2. Server Hello: Sent from server to client to provide its parameters.
      • Record Header: Contains the content type (Handshake), version of TLS, and length.
      • Handshake Protocol: Contains handshake message type (Client/Server Hello) and length.
      • Client Version: TLS version.
      • Client Random: 32-bit random data.
      • Session ID: ID of the session between client and server.
      • Cipher Suites: List of supported cryptographic methods for key exchange and encryption.
      • Compression Methods: List of supported compression methods.
      • Extensions List: List of optional extensions for additional actions or features.
  3. Server Certificate: Server provides its certificate containing the hostname, public key, and proof of ownership from a third party.
      • Record Header: Contains the content type (Handshake), version of TLS, and length.
      • Handshake Protocol: Contains handshake message type (Certificate) and certificates length.
      • Certificates: Certificate length and the certificate sent by the server.
  4. Server Key Exchange Generation: Server calculates a private/public keypair for key exchange.
  5. Server Key Exchange: Server sends its public key to the client.
      • Record Header: Contains the content type (Handshake), version of TLS, and length.
      • Handshake Protocol: Contains handshake message type (Server Key Exchange) and length.
      • Type of Encryption: Public key and length.
  6. Server Hello Done: Server indicates it's finished with its half of the handshake.
      • Record Header: Contains the content type (Handshake), version of TLS, and length.
      • Handshake Protocol: Contains handshake message type (Server Hello Done) and length.
  7. Client Key Exchange Generation: Client calculates a private/public keypair for key exchange.
  8. Client Key Exchange: Client encrypts its private key (premaster secret) using the server's public key authenticated by the certificate and sends it to the server.
      • Record Header: Contains the content type (Handshake), version of TLS, and length.
      • Handshake Protocol: Contains handshake message type (Client Key Exchange) and length.
      • Type of Encryption: Public key and length.
  9. Encryption Key Calculation: Each side calculates encryption keys based on the random number and public key of each side.
  10. Server Application Data: Server decrypts the client private key and uses it to encrypt the data.
  11. Client Application Data: Client sends the data it wants to the server.
  12. Client Close Notify: Client sends an alert that it is closing the connection.

Notes:

  • SSL/TLS use asymmetric and symmetric encryption.
  • TLS has more than one handshake type based on its version.
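The record header, handshake header and Client Hello fields listed in step 2 are what an analyst sees first in a TLS conversation, so it helps to decode them once by hand. The Python below is an added example, not the article's code: it walks a TLS record carrying a ClientHello (content type, record version and length; handshake type and length; client version, random, session ID, cipher suites, compression methods, extensions) and pulls the server name out of the SNI extension, which is where the hostname an HTTPS client asked for appears in clear text. The ClientHello it parses is constructed by the script's own builder with fixed, non-random sample values.

```python
import struct

CONTENT_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
EXT_SERVER_NAME = 0
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def _u16(buf: bytes, i: int) -> int:
    return struct.unpack("!H", buf[i:i + 2])[0]


def parse_client_hello(record: bytes) -> dict:
    """Record header -> handshake header -> ClientHello fields, in the order they appear on the wire."""
    content_type, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_HANDSHAKE:
        raise ValueError(f"record content type {content_type} is not Handshake (22)")
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != HANDSHAKE_CLIENT_HELLO:
        raise ValueError(f"handshake type {hs_type} is not ClientHello (1)")
    hello = body[4:4 + hs_len]
    i = 0
    client_version = _u16(hello, i)
    i += 2
    client_random = hello[i:i + 32]               # the random field is 32 bytes long
    i += 32
    sid_len = hello[i]
    session_id = hello[i + 1:i + 1 + sid_len]
    i += 1 + sid_len
    cs_len = _u16(hello, i)
    i += 2
    cipher_suites = [_u16(hello, j) for j in range(i, i + cs_len, 2)]
    i += cs_len
    comp_len = hello[i]
    compression = list(hello[i + 1:i + 1 + comp_len])
    i += 1 + comp_len
    extensions, sni = [], None
    if i < len(hello):                            # the extensions block is optional
        end = i + 2 + _u16(hello, i)
        i += 2
        while i < end:
            ext_type, ext_len = struct.unpack("!HH", hello[i:i + 4])
            ext_data = hello[i + 4:i + 4 + ext_len]
            i += 4 + ext_len
            extensions.append(ext_type)
            if ext_type == EXT_SERVER_NAME:
                # ServerNameList: 2-byte list length, 1-byte name type (0 = host_name), 2-byte name length, name
                name_len = _u16(ext_data, 3)
                sni = ext_data[5:5 + name_len].decode("ascii")
    return {"record_version": VERSIONS.get(rec_version, hex(rec_version)),
            "client_version": VERSIONS.get(client_version, hex(client_version)),
            "random": client_random, "session_id": session_id, "cipher_suites": cipher_suites,
            "compression": compression, "extensions": extensions, "sni": sni}


def build_client_hello(sni: str, cipher_suites, session_id: bytes = b"", client_version=0x0303) -> bytes:
    """Construct a minimal ClientHello record with one SNI extension (sample input for the parser)."""
    client_random = bytes(range(32))              # fixed bytes, not random: keeps the sample deterministic
    name = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    hello = struct.pack("!H", client_version) + client_random
    hello += bytes([len(session_id)]) + session_id
    hello += struct.pack("!H", 2 * len(cipher_suites)) + b"".join(struct.pack("!H", c) for c in cipher_suites)
    hello += b"\x01\x00"                          # one compression method: null
    hello += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(handshake)) + handshake   # legacy record version


SAMPLE = build_client_hello("www.example.com", [0x1301, 0x1302, 0xC02F], session_id=b"\x11" * 32)

if __name__ == "__main__":
    parsed = parse_client_hello(SAMPLE)
    print(parsed["record_version"], parsed["client_version"], parsed["sni"], [hex(c) for c in parsed["cipher_suites"]])
```

Two things the parser makes visible that are easy to miss in a hex dump: the record-layer version (here TLS 1.0) is a legacy value that says nothing about the version actually negotiated, and the cipher-suite list and SNI are sent unencrypted, which is why they are usable as forensic evidence even when the rest of the session is not.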

10. HTTPS

Normal:

  • Uses TCP on port 443 or 8443.
  • Data is encrypted.
  • Domain names are presented as FQDNs, as in HTTP.

Suspicious:

  • Data is not encrypted.
  • No SSL/TLS handshake, which is the basis of secure transmission.
  • SSL/TLS header should not be empty.
  • Notice expired, self-signed, or untrusted certificates.
  • Check for suspicious packet sizes that could indicate malware.
  • Ensure the hostname matches the one in the certificate.
  • Be aware of user-agent behavior from unexpected locations.
  • Look for spurious retransmission messages indicating ransomware attacks or zero-window issues.
  • Notice any suspicious domain names connecting on port 443, as they could be C&C servers.
