PCAP Full Packet Captures
Network, Network Traffic, Network Capture
Location
Network TAP/SPAN port capture storage, or endpoint capture files (*.pcap, *.pcapng)
Description
Full packet capture files containing complete network traffic, headers and payloads, for every packet traversing the monitored network segment. "Complete" is bounded by how the capture was taken: a BPF filter applied at capture time excludes traffic entirely, and a reduced snaplen truncates payloads, so check both before treating a capture as exhaustive.
Forensic Value
PCAP is the gold standard for network forensics because it contains the complete conversation, not just metadata. Analysts can reconstruct transferred files (malware downloads, exfiltrated documents), extract credentials sent in cleartext, decode C2 protocol communications, and prove exactly what data left the network. Follow > TCP Stream in Wireshark reorders the segments of a connection by sequence number and rebuilds the full application-layer dialogue between attacker infrastructure and compromised hosts. The main limit is encryption: payloads inside TLS stay opaque unless session keys are available (a client-side SSLKEYLOGFILE, a decrypting proxy, or a recovered private key for non-forward-secret cipher suites), in which case the evidentiary value drops to what the metadata shows, such as endpoints, timing, volumes and SNI.
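To make the "follow TCP stream" step concrete, the following added example (not code from this page or from any of the tools listed) parses a classic pcap with the Python standard library, reassembles each TCP flow by sequence number, and pulls HTTP Basic credentials out of the client side. The capture is constructed inline with hypothetical hosts 10.0.0.5 and 203.0.113.10 and deliberately contains an out-of-order segment and a retransmission, which is why simple concatenation in capture order would produce a corrupted request.

```python
# Added example (not from the original page): stdlib-only pcap reader, TCP
# stream reassembly and cleartext-credential extraction over a constructed capture.
import base64
import re
import struct
from collections import defaultdict

def read_pcap(data):
    """Yield raw link-layer frames from a classic pcap (not pcapng) byte string."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng uses a block format)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:  # DLT_EN10MB; other link types need different decoding
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_tcp(frame):
    """(src, sport, dst, dport, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None  # not IPv4, or IP protocol != 6 (TCP)
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = 14 + ihl
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIB", frame[tcp:tcp + 13])
    payload = frame[tcp + (off_flags >> 4) * 4:14 + total_len]
    return src, sport, dst, dport, seq, payload

def reassemble_streams(data):
    """Rebuild each one-directional TCP flow: order by seq, drop retransmitted bytes."""
    segments = defaultdict(list)
    for frame in read_pcap(data):
        parsed = parse_tcp(frame)
        if parsed and parsed[5]:
            src, sport, dst, dport, seq, payload = parsed
            segments[(src, sport, dst, dport)].append((seq, payload))
    streams = {}
    for key, segs in segments.items():
        segs.sort(key=lambda s: s[0])
        expected, out = segs[0][0], bytearray()
        for seq, payload in segs:
            if seq > expected:
                break  # lost segment: stop rather than splice across the gap
            out += payload[expected - seq:]  # trim bytes already delivered
            expected = max(expected, seq + len(payload))
        streams[key] = bytes(out)
    return streams

def follow_stream(streams, src, sport, dst, dport):
    """Both directions of one conversation, like Wireshark's Follow TCP Stream."""
    return (streams.get((src, sport, dst, dport), b""),
            streams.get((dst, dport, src, sport), b""))

def find_basic_credentials(stream):
    """Decode HTTP Basic credentials sent in cleartext within a reassembled stream."""
    creds = []
    for m in re.finditer(rb"Authorization: Basic ([A-Za-z0-9+/=]+)", stream):
        try:
            creds.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            pass  # malformed token, e.g. stream truncated mid-header
    return creds

# --- constructed sample capture: hypothetical hosts, not data from any real network ---
def _frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums (pcap readers do not verify them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

C, S = ("10.0.0.5", 51234), ("203.0.113.10", 80)
REQ1 = b"GET /admin HTTP/1.1\r\nHost: 203.0.113.10\r\n"
REQ2 = b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
SAMPLE_PCAP = build_pcap([
    _frame(*C, *S, 1000 + len(REQ1), REQ2),  # second segment captured first
    _frame(*C, *S, 1000, REQ1),
    _frame(*C, *S, 1000, REQ1),              # retransmission of the first segment
    _frame(*S, *C, 5000, RESP),
])

if __name__ == "__main__":
    c2s, s2c = follow_stream(reassemble_streams(SAMPLE_PCAP), *C, *S)
    print(c2s.decode(), s2c.decode(), find_basic_credentials(c2s), sep="\n")
```

Running it prints the reassembled request, the response, and the recovered credential admin:hunter2. The reader handles only classic pcap with Ethernet framing and IPv4; pcapng (tshark's default output) is a block format and needs a different parser, and a TLS-wrapped request would reassemble just as cleanly but yield ciphertext, which is the limitation noted above.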
Tools Required
Wireshark, tshark, tcpdump, NetworkMiner, Arkime (Moloch)
Collection Commands
tcpdump
tcpdump -i eth0 -w capture_$(date +%Y%m%d_%H%M%S).pcap -c 1000000 -s 0
Writes a timestamped file and stops after one million packets (-c); -s 0 requests the full packet rather than a truncated snaplen (this is already the default in current tcpdump, but being explicit avoids surprises on older builds). Capture needs root or CAP_NET_RAW; -Z <user> drops privileges after the socket is opened.
tshark
tshark -i eth0 -w capture.pcapng -b filesize:100000 -b files:10
Ring-buffer capture: each file is rolled at 100000 kB (about 100 MB) and only the 10 newest files are kept, so disk usage is bounded at roughly 1 GB and the oldest evidence is overwritten. Use a larger files: value or copy files out of the ring before they expire if retention matters.
Arkime
moloch-capture -c /etc/moloch/config.ini -r /path/to/capture.pcap --copy
Imports an existing pcap (-r) into Arkime's session index; --copy also copies the file into the configured pcapDir so packets can be retrieved from the viewer later. Current Arkime releases install the same tool as /opt/arkime/bin/capture with the configuration at /opt/arkime/etc/config.ini; the options are unchanged.
MITRE ATT&CK Techniques
T1040 Network Sniffing
T1071 Application Layer Protocol
T1041 Exfiltration Over C2 Channel
T1573 Encrypted Channel
T1048 Exfiltration Over Alternative Protocol