Network Protocols & Packet Fundamentals
TCP/IP Architecture and Packet-Level Investigation Basics
Master the foundational concepts of network communication architecture. Understand how TCP/IP model layers enable data transmission, learn packet structure fundamentals, and develop awareness of source/destination analysis. Discover why packet-level visibility is critical for SOC operations and network forensic investigations. Build the technical foundation required for advanced Wireshark analysis and incident response.
Network Protocol Overview
TCP/IP Model Fundamentals and Protocol Layers
TCP/IP Model Architecture
The TCP/IP model describes how networked computers communicate. The model consists of four layers, each responsible for specific functions:
Layer 1: Link Layer (Physical & Data Link)
Responsible for moving frames between directly connected interfaces. Includes network interface hardware (Ethernet, WiFi), MAC addresses, and the physical medium. The link layer lets devices on the same network segment reach each other. For forensic investigation, the source MAC in a frame identifies the interface that placed it on that segment, which is useful for tying traffic to a specific workstation. Two caveats: MAC addresses are rewritten at every router hop, so a capture taken beyond the first router shows the router's MAC rather than the originating host's, and MAC addresses are trivially spoofed, so confirm with switch port tables or DHCP lease logs before treating one as proof of identity.
Layer 2: Internet Layer
IP protocol operates here. IP addresses route data across network segments and across the internet. IP headers contain source and destination addresses enabling routing to specific destination networks. Forensically significant: IP addresses reveal communication paths, identify external command-and-control servers, show lateral movement between internal systems.
Layer 3: Transport Layer
TCP and UDP operate here. TCP provides reliable, ordered delivery through connection establishment (the three-way handshake), acknowledgments, and retransmission. UDP provides connectionless delivery with no ordering or retransmission, suited to DNS, streaming, and other real-time traffic. The transport layer also carries port numbers, which identify the service or application the data is intended for. Note the asymmetry: a high-numbered source port is normal, because clients pick an ephemeral source port for every connection, while a high-numbered destination port means the client is talking to a service that is not a well-known one. That deserves a look but is not suspicious by itself; many legitimate services listen there.
Layer 4: Application Layer
User applications and services operate here: HTTP for web browsing, DNS for name resolution, TLS for encrypted sessions, SMTP for email, SSH for remote access (in the four-layer TCP/IP model TLS is treated as application-layer). Application-layer protocols reveal intent: HTTP indicates web access, DNS indicates name lookups, TLS indicates an encrypted session whose content is unavailable without the keys. Where the payload is readable, application-layer forensics recovers attack payloads, exfiltrated data, and evidence of command execution.
Packet Structure Fundamentals
Understanding Headers, Payloads, and Source/Destination Analysis
Packet Anatomy
Network data is transmitted in discrete units called packets. Each packet contains a header (metadata) and a payload (data). Headers from successive layers encapsulate each other: the Ethernet header carries an IP header, which carries a TCP or UDP header, which carries application data. Encapsulation lets each layer add the information it needs without modifying the layers above or below it.
Typical Packet Structure (Layer Encapsulation)

[Ethernet II header, 14 bytes] [IPv4 header, 20 bytes without options] [TCP header, 20 bytes without options] [application payload]
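Walking one frame through the three headers, as an added Python example that is not part of the original module. The frame is constructed in the script rather than taken from a capture: a TCP SYN is packed inside IPv4 inside Ethernet II with a valid IPv4 header checksum, then the layers are peeled back off in order and the checksum is verified. The TCP checksum is left at zero as a simplification, since computing it needs the IP pseudo-header; addresses and MACs are illustrative.

```python
"""Build one Ethernet/IPv4/TCP frame, then dissect it header by header."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bit 0 .. bit 7


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words.
    Returns 0 when run over a header whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, tcp_flags, payload=b""):
    """Encapsulate: payload -> TCP -> IPv4 -> Ethernet II. Constructed sample, not a capture.
    TCP checksum is left at zero (needs the IP pseudo-header); the IPv4 checksum is real."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0x1000, 0, 5 << 4, tcp_flags, 65535, 0, 0) + payload
    ip_no_csum = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, PROTO_TCP, 0,
        bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")),
    )
    ip = ip_no_csum[:10] + struct.pack("!H", ipv4_checksum(ip_no_csum)) + ip_no_csum[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Decapsulate in the opposite order, using each header's own length field to find the next."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length including options
    ip_hdr = frame[14:14 + ihl]
    _, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != PROTO_TCP:
        raise ValueError(f"unsupported IP protocol {proto}")
    tcp_start = 14 + ihl
    src_port, dst_port, seq, ack, off_res, flags = struct.unpack("!HHIIBB", frame[tcp_start:tcp_start + 14])
    data_off = (off_res >> 4) * 4                      # TCP header length including options
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_ip": ".".join(map(str, src_ip)),
        "dst_ip": ".".join(map(str, dst_ip)),
        "ttl": ttl,
        "ip_checksum_ok": ipv4_checksum(ip_hdr) == 0,
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "flags": [name for i, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "payload": frame[tcp_start + data_off:14 + total_len],
    }


if __name__ == "__main__":
    syn = build_frame("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:ff", "192.168.1.10", "203.0.113.5", 51234, 443, 0x02)
    for key, value in parse_frame(syn).items():
        print(f"{key:>15}: {value}")
```

The same decapsulation logic is what a dissector performs on every frame; the checksum check is worth keeping in your own tooling because a header that fails it is either corrupted or hand-crafted.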
Header vs Payload Analysis
Header Information (Always Visible)
Headers carry the metadata that describes a packet: source and destination addresses, ports, protocol type, and connection state (TCP flags). With TLS, SSH, or other application-layer encryption the network and transport headers stay in the clear, so they are readable in any capture. The exception is encrypted tunnels (IPsec, VPNs), where only the outer tunnel headers are visible and the inner addresses and ports are hidden. Header analysis enables:
- Traffic Flow Identification: Which systems communicate with which (source/destination IPs and ports)
- Service Identification: The destination port suggests the intended service (443 for HTTPS, 53 for DNS, 22 for SSH). Treat this as a hint, not proof: attackers run C2 on 443 precisely because it blends in, so confirm the protocol from the payload where possible
- Connection State: TCP flags show handshake progress (SYN initiates connection, ACK acknowledges, RST resets)
- Timing Analysis: Packet timestamps show when communication happened; activity at hours that are unusual for that host or user can indicate suspicious activity
- Volume Analysis: Data volume between hosts can reveal exfiltration; unusually large outbound transfers from a host that does not normally send much are worth examining
Payload Information (Encryption-Dependent)
The payload contains the application data. For unencrypted protocols (HTTP, FTP, plain-text email) the payload is readable in the capture. For encrypted protocols (TLS, and therefore HTTPS; SSH) the payload is ciphertext and its content cannot be recovered from the capture alone. Even so, encrypted communications leak information through:
- Packet Sizes: Ciphertext length tracks plaintext length closely, so size patterns survive encryption. A C2 beacon typically shows small, regular requests with small responses until a task arrives; bulk exfiltration shows large outbound records with tiny acknowledgments coming back
- Timing Patterns: Beacons check in on a fixed interval (often with jitter), interactive sessions are bursty, and automated tooling fires requests in rapid succession; these rhythms are visible without decrypting anything
- Certificate Information: In TLS 1.2 and earlier the server's certificate is sent in the clear during the handshake and reveals the service identity (hostname, issuing CA, validity dates). In TLS 1.3 the certificate is encrypted, so this source disappears
- Metadata in TLS: SNI (Server Name Indication) in the ClientHello reveals the destination hostname even though the session is encrypted, unless the client uses Encrypted Client Hello (ECH), in which case only an outer decoy name is visible
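What an analyst can still read from an encrypted session, as an added Python example that is not from the original module. The ClientHello is constructed in the script (hostnames and cipher suites are illustrative) and carries an SNI extension plus, optionally, a supported_versions extension offering TLS 1.3. The parser walks the record header, the handshake header and the extension list, recovers the hostname and offered cipher suites, and reports whether TLS 1.3 was offered, which tells the analyst the server certificate will be encrypted in this session.

```python
"""Extract SNI and version hints from a TLS ClientHello without any key material."""
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
TLS13 = 0x0304


def build_client_hello(server_name: str, offer_tls13: bool = True) -> bytes:
    """Constructed ClientHello record (sample input, not a real capture)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type host_name(0)
    sni_payload = struct.pack("!H", len(sni_entry)) + sni_entry           # server_name_list
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_payload)) + sni_payload
    if offer_tls13:
        versions = struct.pack("!HH", TLS13, 0x0303)
        body = bytes([len(versions)]) + versions
        extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    hello = (b"\x03\x03" + b"\x11" * 32                 # legacy_version, random (fixed for the sample)
             + b"\x00"                                    # empty legacy_session_id
             + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
             + b"\x01\x00"                                # compression_methods: null only
             + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Walk record -> handshake -> extensions and return what is readable in the clear."""
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    p = 4                                                 # handshake type + 3-byte length
    legacy_version = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 32                                           # legacy_version, random
    p += 1 + hs[p]                                        # legacy_session_id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                        # compression_methods
    result = {"legacy_version": legacy_version, "cipher_suites": ciphers,
              "sni": None, "offers_tls13": False, "extensions": []}
    if p >= len(hs):
        return result                                     # no extensions present
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + elen]
        p += elen
        result["extensions"].append(etype)
        if etype == EXT_SERVER_NAME:
            q = 2                                         # skip server_name_list length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:
                    result["sni"] = data[q:q + name_len].decode("ascii")
                q += name_len
        elif etype == EXT_SUPPORTED_VERSIONS:
            count = data[0]
            offered = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + count, 2)]
            result["offers_tls13"] = TLS13 in offered
    return result


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("updates.example.net")))
```

With Encrypted Client Hello the same walk returns the outer public name rather than the real destination, so treat SNI as a strong hint, not proof, and keep the destination IP and DNS logs alongside it.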
Source/Destination Analysis Fundamentals
MAC Address Analysis
A MAC (Media Access Control) address identifies a network interface. MAC addresses are link-layer identifiers; within a local segment, frames are addressed by MAC. Because a host keeps the same MAC while its IP may change (DHCP), MAC is the more stable key for tying traffic back to a physical device. Keep in mind that a MAC is only meaningful in a capture taken on the host's own segment (routers substitute their own), and that it can be changed in software, so corroborate with switch CAM tables or DHCP lease logs.
IP Address Analysis
An IP address identifies a logical network location. Source IP shows the originating system, destination IP the target. Addresses in the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are private and normally mark the organization's own network; other addresses are internet destinations. Attacker activity often shows a private host talking to an unfamiliar external address (command-and-control); lateral movement shows private-to-private communication between systems that do not normally talk. Note that behind NAT, external logs show only the gateway's public address, so mapping a connection back to an internal host needs the NAT or firewall translation logs.
Port Analysis
Ports identify services. Well-known ports (0-1023): 80 HTTP, 443 HTTPS, 53 DNS, 22 SSH, 21 FTP. Registered ports (1024-49151) are assigned to specific services by IANA. Dynamic/private ports (49152-65535) are the range clients are meant to draw ephemeral source ports from, although operating systems vary (Linux defaults to 32768-60999). Forensically: a high-numbered source port is normal client behaviour; a high-numbered destination port means a non-standard service and is worth identifying, not automatically suspicious. Many connection attempts from one source to many destination ports is scanning. Protocol-to-destination mismatches matter more than port numbers alone: an internal host sending SMB (445) to an internet address is not lateral movement but a possible credential leak, relay, or exfiltration attempt, while SMB between two internal hosts that normally do not talk is the lateral-movement signature.
Traffic Baseline Concepts
Normal vs Abnormal Patterns and Enterprise Visibility Challenges
Traffic Baseline Establishment
What is Normal?
Enterprise network traffic varies by role, department, and time of day. Sales may generate heavy email and Salesforce traffic; engineering, code repository (GitHub, GitLab) and cloud service traffic. Backup jobs generate large internal transfers during off-hours. Windows updates generate periodic traffic to Microsoft. A baseline is essential for anomaly detection: an investigator cannot recognize what is abnormal without first knowing what is normal for that host, user, and time.
Baseline Characteristics
Normal traffic exhibits patterns: regular destinations (same websites, services accessed daily), consistent protocols (employee web browsing on port 443), familiar ports (standard services), expected timing (business hour activity for business applications), known internal communications (backup servers, internal services). User baseline differs: executive accessing cloud storage = normal; file server making outbound connections = suspicious. Attacker activity disrupts baseline: unusual external IPs, non-standard ports, odd timing (3am data access), unexpected protocols.
Anomaly Detection Principles
Anomalies are deviations from the baseline. Large outbound volume unusual for a system suggests exfiltration. Connections to previously unseen external IPs suggest possible C&C. Repeated connection attempts across many ports indicate scanning. Off-hours administrative access suggests possible compromise. A sudden change in a server's TLS characteristics (a different certificate issuer, a downgrade to an older protocol version or weaker cipher suite) suggests possible interception. Anomalies do not prove compromise, but they justify investigation; most have legitimate explanations, and some are real attacks.
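The address, port and baseline checks from the source/destination and baseline sections above, turned into code as an added Python example rather than anything from the original module. It runs over constructed NetFlow-style records (timestamp, source, destination, destination port, bytes): a "normal week" establishes, per internal host, the external destinations it talks to, its largest single flow and its active hours; the observation window is then checked for unseen external destinations, volume spikes, off-hours activity, SMB/RDP/Telnet leaving the network, and one source probing many ports on one host. The thresholds and the risky-port set are illustrative choices, not standards.

```python
"""Baseline-and-deviation checks over constructed flow records (NetFlow-style summaries)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_PORT_THRESHOLD = 20          # distinct destination ports from one source to one host
VOLUME_FACTOR = 10                # single flow larger than 10x the host's largest baseline flow
HIGH_RISK_EXTERNAL_PORTS = {445, 3389, 23}   # illustrative: SMB, RDP, Telnet leaving the network


def is_internal(ip: str) -> bool:
    """RFC 1918 membership only. ipaddress.is_private() would also match the
    documentation ranges (203.0.113.0/24 etc.) used below as stand-ins for internet hosts."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def build_baseline(flows):
    """Per internal source host: known external destinations, largest flow, active hours."""
    base = defaultdict(lambda: {"dsts": set(), "max_bytes": 0, "hours": set()})
    for f in flows:
        if not is_internal(f["src"]):
            continue
        b = base[f["src"]]
        if not is_internal(f["dst"]):
            b["dsts"].add(f["dst"])
        b["max_bytes"] = max(b["max_bytes"], f["bytes"])
        b["hours"].add(f["ts"].hour)
    return base


def detect_anomalies(baseline, flows):
    """Return (host, finding, detail) tuples for every deviation from the host's baseline."""
    findings = []
    ports_seen = defaultdict(set)                        # (src, dst) -> distinct destination ports
    for f in flows:
        src, dst, dport = f["src"], f["dst"], f["dport"]
        if not is_internal(src):
            continue
        b = baseline.get(src)
        external = not is_internal(dst)
        ports_seen[(src, dst)].add(dport)
        if external and b is not None and dst not in b["dsts"]:
            findings.append((src, "new_external_destination", dst))
        if external and dport in HIGH_RISK_EXTERNAL_PORTS:
            findings.append((src, "internal_protocol_leaving_network", f"{dst}:{dport}"))
        if b is not None and b["max_bytes"] and f["bytes"] > VOLUME_FACTOR * b["max_bytes"]:
            findings.append((src, "outbound_volume_spike", f"{f['bytes']} bytes to {dst}"))
        if b is not None and f["ts"].hour not in b["hours"]:
            findings.append((src, "off_hours_activity", f["ts"].isoformat()))
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append((src, "port_scan", f"{dst} ({len(ports)} ports)"))
    return findings


def sample_baseline():
    """Constructed normal week: a workstation browses one SaaS host in business hours,
    a file server pushes backups to an internal target at night."""
    flows = []
    for day in range(1, 6):
        for hour in range(9, 18):
            flows.append({"ts": datetime(2024, 3, day, hour), "src": "192.168.1.10",
                          "dst": "203.0.113.5", "dport": 443, "bytes": 40_000})
        for hour in (1, 2, 3):
            flows.append({"ts": datetime(2024, 3, day, hour), "src": "192.168.1.20",
                          "dst": "10.0.0.5", "dport": 445, "bytes": 5_000_000})
    return flows


def sample_observation():
    """Constructed observation window containing the deviations described in the text."""
    return [
        # workstation: unseen destination, at 03:00, 1.2 MB out -> three separate findings
        {"ts": datetime(2024, 3, 9, 3), "src": "192.168.1.10", "dst": "198.51.100.7", "dport": 443, "bytes": 1_200_000},
        # file server: SMB to an internet host during its usual backup hour
        {"ts": datetime(2024, 3, 9, 2), "src": "192.168.1.20", "dst": "198.51.100.9", "dport": 445, "bytes": 9_000},
    ] + [
        # workstation probes 25 ports on an internal server in business hours
        {"ts": datetime(2024, 3, 9, 10), "src": "192.168.1.10", "dst": "10.0.0.5", "dport": p, "bytes": 60}
        for p in range(1, 26)
    ]


def run_demo():
    return detect_anomalies(build_baseline(sample_baseline()), sample_observation())


if __name__ == "__main__":
    for host, kind, detail in run_demo():
        print(f"{host:15} {kind:34} {detail}")
```

Every finding here is a lead, not a verdict: the file server's external SMB and the workstation's 3 a.m. upload both need an analyst to check the change records and the endpoint before anyone calls it an incident.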
Enterprise Network Visibility Challenges
Volume and Scale
Enterprise networks generate terabytes of traffic daily. A single proxy sees thousands of web connections per minute; a single DNS server resolves millions of queries per day. Retaining full packet captures for everything is impractical because of storage and processing cost. The usual compromise is flow summaries (NetFlow, IPFIX, sFlow) that record who talked to whom, on which ports, for how long and with how many bytes, without storing the packets. Full captures are kept for a short window (hours to days); flow summaries and logs are kept long-term (months to years).
HTTPS/Encryption Ubiquity
Most web traffic is now HTTPS. Encryption prevents inspection of the transferred content: the organization cannot see whether a download over HTTPS is a legitimate file or malware, and cannot read exfiltrated data if it leaves encrypted. Metadata remains visible, though: destination addresses and SNI reveal which sites were reached, volume reveals how much data moved, timing reveals behavioural patterns. Investigation of encrypted traffic therefore leans on SNI and certificate analysis (where the TLS version exposes the certificate), DNS correlation, and statistical anomaly detection.
Encrypted Internal Communications
Internal systems increasingly use encryption: SSH replaces Telnet, TLS replaces plain-text protocols. Attackers use the same encryption, running C&C over HTTPS and exfiltration through encrypted tunnels. Encryption limits what an attacker on the wire can read, but it limits the defender equally. The investigator therefore relies on non-content analysis: TLS handshake metadata (SNI, certificate details where visible), DNS lookups, timing patterns, and behavioural analysis.
Decryption and Privacy Concerns
Decrypting traffic for inspection means terminating TLS on an inspection proxy that presents its own certificate to the client (a sanctioned man-in-the-middle); clients accept it only because the organization's CA certificate is installed on managed devices. This brings privacy and legal concerns (exposure of employees' personal traffic, customer privacy, regulatory obligations) and a technical cost: applications that pin their server certificate break under inspection. Most organizations therefore implement selective decryption (specific categories, ports or destinations, with banking, health and similar sensitive categories exempted) rather than universal decryption.
SOC Perspective: Why Packet Visibility Matters
Network Telemetry and Threat Detection in Security Operations
Security Operations Center Requirements
Endpoint-Only Investigation Limitations
Endpoint (workstation, server) logs show local activity: which processes ran, which files were accessed, registry changes, network connections initiated. They do not show what data actually crossed the network, where it went, whether the connection reached the external system, or how much was transferred. An attacker with administrative access can clear endpoint logs or disable the agent, eliminating that evidence, and can wrap traffic in encryption to hide its content. Endpoint-only investigation is incomplete without network correlation.
Network-Centric Detection Advantages
A network sensor sees traffic whether or not the endpoint detects anything, as long as that traffic crosses the sensor: a perimeter sensor observes ingress and egress, and sensors on internal choke points or SPAN/TAP ports observe traffic between segments (east-west traffic inside a single VLAN is missed unless the switch mirrors it). Network-based detection can identify a compromised internal system whose antivirus was disabled. Captures and flow records stored off the compromised host cannot be altered retroactively by the attacker the way endpoint logs can, provided the sensor and its storage are themselves protected. Network detection often flags a compromise before the endpoint is fully taken over.
Complementary Investigation Approach
The best investigations correlate network and endpoint data. Network shows WHAT happened on the wire (traffic patterns, external contacts, data volume). Endpoint shows HOW it happened (which process executed, which registry key was modified, which DLL was loaded). Together they form the complete picture: the network timeline shows a connection to an external C&C at 14:32; the endpoint timeline shows cmd.exe spawned at 14:31 and registry persistence created at 14:33. The combined timeline, with every timestamp normalized to one time zone, reveals the attack sequence.
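Building the combined timeline described above, as an added Python example that is not from the original module, over constructed records: the network sensor writes UTC with a trailing Z, the endpoint agent writes local time with a +01:00 offset (neither is a real product's format). Everything is normalized to UTC before sorting, naive timestamps are rejected rather than guessed, and a helper pulls the endpoint events that fall within a window around the C&C connection.

```python
"""Merge network-sensor and endpoint events into one UTC timeline."""
from datetime import datetime, timedelta, timezone

# Constructed sample records. Sensor: UTC with 'Z'. Endpoint agent: local time, UTC+1.
NETWORK_EVENTS = [
    {"ts": "2024-03-09T14:32:05Z", "source": "network",
     "detail": "192.168.1.10:51234 -> 198.51.100.7:443 TLS session opened"},
    {"ts": "2024-03-09T14:32:40Z", "source": "network",
     "detail": "192.168.1.10 -> 198.51.100.7 1.2 MB outbound"},
    {"ts": "2024-03-09T14:30:50Z", "source": "network",
     "detail": "192.168.1.10 DNS query for updates.example.net"},
]
ENDPOINT_EVENTS = [
    {"ts": "2024-03-09T15:31:10+01:00", "source": "endpoint",
     "detail": "WS-10: winword.exe spawned cmd.exe"},
    {"ts": "2024-03-09T15:33:02+01:00", "source": "endpoint",
     "detail": "WS-10: Run key written for updater.exe"},
    {"ts": "2024-03-09T15:30:48+01:00", "source": "endpoint",
     "detail": "WS-10: user opened invoice.docm"},
]


def to_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 stamp and normalize it to UTC. Naive stamps are refused:
    a missing offset is exactly how hour-sized correlation errors get into timelines."""
    parsed = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {stamp}")
    return parsed.astimezone(timezone.utc)


def merge_timeline(*sources):
    """Flatten all sources into one list sorted by normalized UTC time."""
    events = [{**e, "utc": to_utc(e["ts"])} for src in sources for e in src]
    return sorted(events, key=lambda e: e["utc"])


def events_near(timeline, needle: str, window_seconds: int):
    """Endpoint events within +/- window of the first network event whose detail contains needle."""
    anchors = [e for e in timeline if e["source"] == "network" and needle in e["detail"]]
    if not anchors:
        return []
    centre = anchors[0]["utc"]
    window = timedelta(seconds=window_seconds)
    return [e for e in timeline if e["source"] == "endpoint" and abs(e["utc"] - centre) <= window]


if __name__ == "__main__":
    for e in merge_timeline(NETWORK_EVENTS, ENDPOINT_EVENTS):
        print(e["utc"].strftime("%H:%M:%S"), e["source"].ljust(8), e["detail"])
```

Run as-is, the merged order is: document opened, DNS lookup, cmd.exe spawned, TLS session to the external host, 1.2 MB outbound, persistence written. Sorted on the raw strings instead, the endpoint events would all land an hour later and the sequence would make no sense.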
Network Telemetry Importance
Real-Time Threat Visibility
Network telemetry enables real-time identification of compromise. An alert on an unusual outbound connection allows response before exfiltration completes; an alert on scanning activity stops reconnaissance before lateral movement. In sophisticated attacks, days can elapse between initial compromise and detection on the endpoint; network telemetry gives the earlier signal.
Incident Response Foundation
When an incident is declared, network telemetry supplies the first investigative leads. Flow data shows which systems contacted the external IPs. Packet captures show what commands were executed, where the protocol was unencrypted. DNS logs show which domains were looked up. These leads guide the endpoint investigation: the forensic team knows which systems to image first. Network investigation often precedes endpoint investigation because the network findings direct where to look.
Evidence Collection for Legal Proceedings
Network evidence is valuable in legal proceedings. Packet captures can show attacker commands, exfiltrated data, and communication with victims; flow data establishes behaviour patterns; network timestamps fix communication timing. Because it is collected on organization-controlled sensors rather than on the compromised system, it is independent of the attacker's access, and with hashes taken at capture time and a documented chain of custody it is hard to dispute. Where ISP or upstream provider records exist, they can corroborate it independently.
Data Exfiltration Detection
Identifying data exfiltration requires network visibility. Endpoint logs show that a file was opened, not whether it left the network. Network visibility shows the outbound transfer to an external server; where the protocol is unencrypted the content is recoverable, and where it is encrypted the byte counts still reveal how much went out and can be matched against the sizes of files accessed on the endpoint. Timing analysis shows how long the exfiltration ran, and the external destination reveals attacker infrastructure. Network forensics is therefore essential for assessing breach severity: was this reconnaissance (small volume) or exfiltration (large volume)?
External Learning Resources
Trusted Documentation and Standards References
Official Documentation & Standards
For deeper understanding of TCP/IP protocols and network fundamentals, consult official specifications and trusted references. These resources provide authoritative information about protocol behavior, compliance requirements, and best practices.
Ready for Module 2?
You've covered network protocol fundamentals and packet structure analysis. Module 2 teaches Wireshark, turning this theoretical knowledge into practical packet analysis skills: advanced filtering, traffic reconstruction, and forensic extraction techniques.