Detailed Narration Script for Slides 21-25 of SOC Analyst Training

Slide 21: tcpdump -w

The `tcpdump` command is a powerful tool for capturing network traffic. The `-w` option
allows you to write the captured packets to a file for later analysis.

The `-w` option writes the raw packets to a file in pcap format instead of printing a decoded
summary to the terminal. The file can then be opened in Wireshark or read back with
`tcpdump -r`. This is useful for capturing traffic over an extended period and for sharing the
capture file with other analysts for collaborative analysis.

Example 1: Running `tcpdump -w capture.pcap` captures all traffic on the default interface
(capturing requires root or the CAP_NET_RAW capability) and saves it to a file named
`capture.pcap`. This file can be opened in Wireshark for detailed analysis.
Example 2: Using `tcpdump -w capture.pcap -s 0` ensures that the entire packet is captured
without truncation, providing complete data for analysis. Current tcpdump releases already
default to a large snapshot length, but older releases truncated each packet to 68 bytes by
default, which keeps the headers and discards most of the payload.

Real-Time Scenario 1: During a suspected cyberattack, a SOC analyst uses `tcpdump -w
attack.pcap` to capture all network traffic. The capture file is then analyzed to identify the
attack vector and the affected systems.
Real-Time Scenario 2: A SOC analyst investigating intermittent network issues captures
traffic over an extended period using `tcpdump -w long_capture.pcap` (for very long captures,
the `-C` and `-W` options rotate the output across a fixed number of files so the disk does not
fill up). The captured file is reviewed to identify patterns and pinpoint the root cause of the
issues.

Slide 22: LAB: TCPDump

In this lab, you will practice using `tcpdump` to capture and analyze network traffic. The
hands-on experience will help you become proficient in using this essential tool.

The lab involves setting up `tcpdump` to capture network packets, saving the capture to a
file, and analyzing the captured data using tools like Wireshark. This exercise will enhance
your skills in network traffic analysis and incident response.

Example 1: Start a `tcpdump` capture using `tcpdump -i eth0 -w lab_capture.pcap` to
capture traffic on the `eth0` interface. This will save the packets to a file for later analysis.
Example 2: Use `tcpdump -r lab_capture.pcap` to read the captured file and display the
packet contents in the terminal. This helps in understanding the structure and details of
network packets. Add `-n` when reading a capture from an investigation: without it, tcpdump
resolves every address in the file, which sends DNS queries for the suspect hosts' IPs and
slows the output.

Real-Time Scenario 1: During the lab, simulate a network attack and use `tcpdump` to
capture the traffic. Analyze the captured data to identify the attack signatures and learn
how to respond to similar incidents in a real environment.
Real-Time Scenario 2: Practice capturing and analyzing different types of network traffic,
such as HTTP, DNS, and FTP, to understand the variations in packet structure and behavior.
This will prepare you for handling diverse network scenarios in your SOC role.

Slide 23: Wireshark

Wireshark is a widely used network protocol analyzer that provides deep inspection of
hundreds of protocols. It is an essential tool for SOC analysts for capturing and analyzing
network traffic.

Wireshark allows you to capture live network traffic and save it for offline analysis. It
provides a graphical interface to examine packet details, filter traffic, and perform various
analyses to identify issues and security threats.

Example 1: Using Wireshark, you can apply filters like `http` to display only HTTP traffic,
making it easier to analyze web traffic and identify potential issues or attacks.
Example 2: The Follow TCP Stream feature in Wireshark allows you to reconstruct and view
the complete communication between two devices, which is useful for understanding the
context of the captured traffic.

Real-Time Scenario 1: A SOC analyst uses Wireshark to analyze suspicious traffic on the
network. By applying filters and examining packet details, the analyst identifies a malware
communication channel and takes steps to block it.
Real-Time Scenario 2: During a network performance issue, a SOC analyst captures traffic
using Wireshark and analyzes it to identify bottlenecks and misconfigurations, leading to a
resolution of the performance problems.

Slide 24: Wireshark and Interfaces

Understanding how to select the correct network interface in Wireshark is crucial for
capturing the right traffic. Wireshark lists all available network interfaces on the system,
allowing you to choose the appropriate one for analysis.

When you start Wireshark, you need to select the network interface from which you want to
capture traffic. This could be a wired Ethernet interface, a wireless interface, or even a
loopback interface. Choosing the correct interface ensures that you capture relevant traffic
for your analysis.

Example 1: On a laptop with both wired and wireless connections, you need to select the
correct interface (e.g., `eth0` for wired or `wlan0` for wireless) to capture the traffic of
interest.
Example 2: For capturing traffic on a server, you might select a specific Ethernet interface
(e.g., `eth1`) that is connected to the network segment you want to monitor.

Real-Time Scenario 1: A SOC analyst troubleshooting a wireless connectivity issue selects
the `wlan0` interface in Wireshark to capture and analyze wireless traffic, helping to
identify the cause of the problem.
Real-Time Scenario 2: During a security investigation, a SOC analyst needs to capture traffic
on a specific VLAN. The analyst selects the appropriate VLAN-tagged interface in Wireshark
to capture and analyze the relevant traffic.

Slide 25: Watching the Traffic

Once you have selected the correct interface and started capturing traffic in Wireshark, you
can watch the traffic in real-time. This live view helps you monitor network activity and
identify issues as they occur.

The real-time view in Wireshark shows all captured packets as they arrive, allowing you to
see the source, destination, protocol, and other details of each packet. You can apply filters
to focus on specific traffic and use color-coding to highlight different types of packets.

Example 1: Applying a filter like `ip.addr == 192.168.1.1` displays only the traffic to and
from the specified IP address, making it easier to monitor a particular device.
Example 2: Using the `tcp.flags.syn == 1` filter shows only SYN packets, which are used to
initiate TCP connections. This helps in identifying new connection attempts. Note that the
SYN bit is also set on the SYN-ACK reply; to see only the initiating packets, use
`tcp.flags.syn == 1 && tcp.flags.ack == 0`.

Real-Time Scenario 1: A SOC analyst monitoring network traffic in real-time sees a spike in
SYN packets, indicating a potential SYN flood attack. The analyst takes immediate action to
mitigate the attack.
Real-Time Scenario 2: During a network performance test, a SOC analyst watches the traffic
in real-time to observe the effects of different configurations and identify any anomalies
that occur.
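The following Python example is added here and is not part of the training material. It reads the classic pcap format that `tcpdump -w` produces (Slide 21), reports records that were cut short by the snapshot length (the `-s` caveat), and applies the Slide 25 filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` in code to count connection attempts per source, which is the SYN spike from Real-Time Scenario 1. The frames and addresses are constructed in the script, and `build_pcap`, `tcp_packet` and `flood_suspects` are helper names chosen for this example.

```python
import struct
from collections import Counter
PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_pcap(packets, snaplen=262144):
    """Constructed pcap bytes for testing: global header + one record per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        data = pkt[:snaplen]          # tcpdump stores at most snaplen bytes per packet
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(data), len(pkt)) + data
    return out

def tcp_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are zero, which is fine for parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp   # zero MACs, EtherType 0x0800 (IPv4)

def read_pcap(blob):
    """Yield (caplen, origlen, frame) for each record in a little-endian Ethernet pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(blob):
        _, _, caplen, origlen = struct.unpack("<IIII", blob[off:off + 16])
        yield caplen, origlen, blob[off + 16:off + 16 + caplen]
        off += 16 + caplen

def syn_attempts_by_source(blob):
    """Count SYN-without-ACK packets per source IP, plus records truncated by snaplen."""
    counts, truncated = Counter(), 0
    for caplen, origlen, frame in read_pcap(blob):
        if caplen < origlen:
            truncated += 1            # this is what a small -s looks like on disk
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                  # need an IPv4 header carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 14:
            continue                  # flags byte missing: header was cut off by snaplen
        if tcp[13] & 0x02 and not tcp[13] & 0x10:   # syn == 1 && ack == 0
            counts[".".join(map(str, frame[26:30]))] += 1
    return counts, truncated

def flood_suspects(counts, threshold=20):
    """Sources whose SYN-only count exceeds the threshold: the spike from Scenario 1."""
    return sorted(src for src, n in counts.items() if n > threshold)
```

Pass the bytes of a real `tcpdump -w` file to `syn_attempts_by_source` to run the same check on a capture; the threshold is a placeholder to tune for your network.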
