In order to identify anomalous or malicious traffic in a network, it’s necessary to first understand what’s normal. This module discusses the fundamentals of networking, including the OSI model, the differences between TCP, UDP and ICMP and their intended uses, and the purposes of common high-level protocols like HTTP and SMTP.

Wireshark is probably the most commonly used tool for network traffic analysis and will be used throughout this learning path. This module introduces some of the useful features of Wireshark and shows what the protocols discussed in the previous course look like in practice and how the various layers work together to make networking possible.

Wireshark is probably the most popular tool for network traffic analysis. However, it is not the only one available. This module provides an introduction to some alternatives to Wireshark, covering some of the most useful and unique features of Terminal Shark (Wireshark’s command-line equivalent), CloudShark and NetworkMiner.

A common use of network traffic analysis is for performing incident response activities. The purpose of these actions is to extract useful intelligence from network captures that can help to inform the rest of the investigation. This module demonstrates how to extract certain types of useful data from a network capture file.

An organization can be attacked over the network in a variety of different ways. However, some methods are more common than others. In this module, you will see what scanning, data exfiltration, DDoS attacks and attacks against IoT devices look like in a network capture in a series of demonstrations.

Different types of incident response investigations lend themselves to network-based analysis to different degrees. This module consists of a series of demonstrations where analysis of network traffic is used to infer information about different types of malware, including remote access Trojans (RATs), fileless malware, network worms and multi-stage infections.

In order to investigate a network traffic capture, it is first necessary to capture it. This module discusses methods and considerations for data collection of network traffic. Topics include considerations for deployment of monitoring appliances and the use of virtualization and deception for data collection.

Having access to network traffic data is of very limited value without the ability to analyze it. In this module, you will learn about connection-based analysis, statistical analysis and event-based analysis, their relative pros and cons for different monitoring situations, and tools and techniques for performing them effectively.

In this project, you will need to apply your knowledge and use common network traffic analysis tools to solve multiple challenges. Each challenge involves examining a network traffic capture file containing evidence of malicious activity, such as malware infection, data exfiltration and C2 (command-and-control) communications. You’ll need to find leaked credentials, analyze an attempted DDoS attack, extract files from captures and even more.