Elvin Seyidov

Networking for Cybersecurity (Part 4): Packets, Sniffing & Traffic Analysis

1. Introduction: Seeing What’s Really Happening on the Network

Packet analysis is one of the most important practical skills in cybersecurity. Logs and dashboards show summaries, but packets show the truth. Every attack, every request, every connection and every mistake is visible at the packet level.

When you capture packets, you are looking directly at how devices communicate: the IPs they talk to, the protocols they use, the headers they send, and sometimes even the raw data itself. This is how you detect abnormalities, debug issues, confirm attacks and understand network behavior in real detail.

Tools like Wireshark and tcpdump let you “see inside the network” instead of guessing. For cybersecurity, this visibility is essential. Without analyzing packets, you're working blind.


2. What Network Packets Contain (Headers, Data, Metadata)

Every piece of network communication is broken into packets. A packet is basically a small container with information that routers, switches and systems use to deliver data correctly.

A packet has two main parts, headers and payload; the capture itself adds a third kind of information, metadata.

Headers
These contain control information used for delivery. Examples: source IP, destination IP, ports, protocol, sequence numbers and flags. Headers tell the network how to route, track and interpret the packet.

Payload (Data)
The actual content being sent. Could be an HTTP request, DNS query, TLS handshake or any other application data.

Metadata
Extra details generated during transmission or capture. Examples: timestamps, capture size, interface name, packet length and network path information. Metadata helps analysts understand timing, patterns and context.


3. Packet Structure: Ethernet, IP, TCP/UDP Explained

A network packet is built in layers. Each layer adds its own header so the packet can travel across different parts of the network. Understanding these layers helps you read raw traffic in tools like Wireshark.

Ethernet (Layer 2)
This is the lowest visible layer in most packet captures. It includes source and destination MAC addresses. Ethernet frames operate inside local networks.

IP (Layer 3)
This layer provides addressing for moving packets across different networks. The IP header includes source IP, destination IP, TTL, protocol type and fragmentation details.

TCP or UDP (Layer 4)
This layer adds transport information.
**TCP** includes sequence numbers, acknowledgments, flags (SYN, ACK, FIN), and handles reliable delivery.
**UDP** is simpler and contains only ports and length. No reliability features.

Application Data (Layer 7)
This is the actual content like HTTP, DNS, TLS or any other protocol data. Sometimes readable in plaintext (HTTP), sometimes encrypted (HTTPS).

The packet structure always follows the same order:

Ethernet header → IP header → TCP/UDP header → Application data
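To make that layer order concrete, here is an added example (not code from the original post) that peels a raw Ethernet II / IPv4 / TCP frame with Python's struct module. The frame, MAC addresses and IP addresses are constructed for the example, and only IPv4 carrying TCP or UDP is handled.

```python
import struct

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_ethernet(frame):
    """Ethernet II header: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype, "payload": frame[14:]}

def parse_ipv4(data):
    """IPv4 header; IHL (low nibble of byte 0) is the header length in 32-bit words."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    hdr_len = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
            "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
            "payload": data[hdr_len:total_len]}

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10}

def parse_tcp(data):
    """TCP header; data offset (high nibble of byte 12) gives the header length in words."""
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", data[:16])
    hdr_len = (off_flags >> 12) * 4
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": window,
            "flags": [n for n, bit in TCP_FLAG_BITS.items() if off_flags & bit],
            "payload": data[hdr_len:]}

def parse_udp(data):
    """UDP header is just ports, length and checksum: no sequence numbers, no flags."""
    sport, dport, length, _ = struct.unpack("!HHHH", data[:8])
    return {"src_port": sport, "dst_port": dport, "length": length, "payload": data[8:length]}

def parse_frame(frame):
    """Peel the layers in the order given above: Ethernet -> IP -> TCP/UDP -> application data."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != 0x0800:                  # only IPv4 is handled here
        return {"ethernet": eth, "ip": None, "transport": None}
    ip = parse_ipv4(eth["payload"])
    l4 = {6: parse_tcp, 17: parse_udp}.get(ip["protocol"])
    return {"ethernet": eth, "ip": ip, "transport": l4(ip["payload"]) if l4 else None}

# Constructed sample frame: an HTTP GET from 10.0.0.5 to 192.0.2.10 (MACs and addresses are made up).
HTTP_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
TCP_HDR = struct.pack("!HHIIHHHH", 51515, 80, 1000, 0, (5 << 12) | 0x18, 65535, 0, 0)   # 20-byte header, PSH|ACK
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(HTTP_PAYLOAD), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
SAMPLE_FRAME = ETH_HDR + IP_HDR + TCP_HDR + HTTP_PAYLOAD
```

Calling `parse_frame(SAMPLE_FRAME)` returns the nested headers, with the HTTP request left in the transport payload, which is exactly the view Wireshark's packet details pane gives you.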


4. Tools for Packet Capture: Wireshark, tcpdump, Tshark

To analyze network traffic, you need tools that can capture and inspect packets. The three most important tools in cybersecurity are Wireshark, tcpdump and Tshark. They all capture the same data but in different ways.

Wireshark
A graphical packet analysis tool. Shows packets in a readable interface with color-coding, filters and protocol details. Ideal for learning, investigating incidents and deep inspection.

tcpdump
A command-line tool for capturing packets. Lightweight, fast and commonly used on servers. Perfect for quick captures, remote troubleshooting and environments without a GUI.

Tshark
The command-line version of Wireshark. Offers advanced filtering and scripting options. Useful for automated analysis, logs, or large-scale captures.

In short:
Wireshark is best for visual analysis.
tcpdump is best for quick captures.
Tshark is best for automation and scripting.


5. How Packet Sniffing Works (Promiscuous Mode & Mirror Ports)

Packet sniffing means capturing network traffic so you can see what devices are sending and receiving. Normally, a network interface only sees packets meant for it, but sniffing tools use special methods to capture more.

Promiscuous Mode (for wired Ethernet or Wi-Fi)

Normal network card behavior: Your device only receives packets meant for its MAC address.
Promiscuous mode: Your device receives every packet the interface can see, even if it is not meant for you.
Limitations: On modern switches, this does not give you all traffic on the network, because switches isolate traffic.
You only see what reaches your port.

Monitor Mode (Wi-Fi only)

Promiscuous Mode = “see every packet that reaches this interface, whoever it is addressed to”
Monitor Mode = “listen to the radio waves directly”

Monitor mode lets your Wi-Fi card capture:

  • Raw wireless frames
  • Beacons
  • Management frames
  • Traffic between other devices
  • Hidden networks
  • Access point broadcasts

You stop being a participant in the Wi-Fi network. You turn into a radio scanner, listening to everything in the air.
Why is this different from promiscuous mode? Because Wi-Fi is a broadcast medium: in monitor mode you hear all radio traffic on that channel, not just frames addressed to you.

Port Mirroring / SPAN (on switches)

On wired networks with switches, you cannot normally see other people’s traffic.
Port Mirroring (SPAN) is the solution: the switch creates a copy of the traffic from one port or VLAN and sends that copy to another port, where your sniffing tool listens.

Why it exists:
Switches isolate traffic, so promiscuous mode is usually useless.
SPAN is the only reliable way to see full traffic in modern wired networks.


6. Analyzing Traffic Flows (Sessions, Streams, Conversations)

When you look at raw packets, the data seems chaotic. Hundreds of packets appear one after another, and it is impossible to understand the communication by reading them individually. Traffic analysis tools solve this by grouping packets into meaningful flows. These groupings help you understand who talked to whom, how long the communication lasted, and what was exchanged.

There are three main ways Wireshark and similar tools organize traffic.

Sessions
A session represents a full connection between two endpoints. For TCP, this includes the handshake, all data packets, and the closing packets. Sessions show the lifecycle of a connection: when it started, how much data moved, and how it ended. They are great for spotting repeated failed logins, suspicious connection attempts, or unusual persistence.

Streams
A stream reconstructs the actual data exchanged inside the session. Instead of looking packet by packet, a stream shows the readable conversation: full HTTP requests, DNS messages, TLS handshakes or application data. Streams answer the question “what was actually said?” within the communication.

Conversations
A conversation is a broader view. It groups traffic by IP pairs, MAC pairs, or port pairs. Conversations help you see overall communication patterns, such as which devices are talking the most, unexpected hosts communicating, or unusual port usage.

Simple mental model
A session shows the connection’s structure.
A stream shows the connection’s content.
A conversation shows the connection’s relationships.

This layered view makes traffic analysis much easier. Instead of thousands of packets, you see organized flows that tell you the story behind the network activity. It becomes much easier to spot anomalies, suspicious communications, or misconfigurations.


7. Identifying Protocols and Services from Packet Data

When analyzing traffic, one of the first things you need to understand is what protocol is being used and which service the traffic belongs to. Every packet contains clues that reveal this, even if the data inside is encrypted.

Tools like Wireshark automatically detect protocols, but it is important to understand how to recognize them yourself.

How to identify a protocol:

Port Numbers
Many protocols use well-known ports.
Examples:

  • 80 → HTTP
  • 443 → HTTPS
  • 53 → DNS
  • 22 → SSH

This is the quickest way to identify a service.

Protocol Signatures
Some protocols have unique patterns in their packets.

  • DNS queries have a specific header format.
  • TLS starts with a “Client Hello” handshake.
  • HTTP requests start with a method such as GET or POST, followed by headers such as Host.

Packet Behavior
Different protocols behave differently.

  • TCP has a handshake (SYN, SYN-ACK, ACK).
  • UDP sends without a handshake, and its exchanges are usually shorter.
  • DNS traffic is small and frequent.
  • HTTPS traffic is encrypted and larger.

Content (when not encrypted)
If the payload is visible, you can read it.

  • HTTP shows URLs and headers.
  • DNS shows queries and responses.
  • FTP shows commands like USER or PASS.

Service Identification
Wireshark shows a column called "Protocol," but deeper analysis comes from matching:
IP + Port + Transport protocol + Payload pattern

Security relevance:
Identifying protocols helps you detect misuse, suspicious traffic, unexpected services running on unusual ports, or covert channels. Many attacks hide inside normal-looking traffic, so knowing what traffic "should" look like is critical.

In short:
Ports help identify the service.
Headers help identify the protocol.
Traffic patterns help identify suspicious behavior.
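The "IP + Port + Transport protocol + Payload pattern" matching described above, as an added example that is not from the original post: it pairs a port hint with a few payload signatures and reports when the two disagree, which is how a service running on an unexpected port shows up. The signature list and the DNS heuristic are deliberately small and are my own assumptions, not an exhaustive dissector.

```python
import re

WELL_KNOWN_PORTS = {80: "HTTP", 443: "TLS", 53: "DNS", 22: "SSH", 21: "FTP"}   # what the port alone suggests
HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

def signature_protocol(transport, payload):
    """Identify a protocol from its payload pattern, ignoring the port entirely."""
    if payload[:2] == b"\x16\x03" and payload[2:3] in (b"\x00", b"\x01", b"\x02", b"\x03"):
        return "TLS"                       # handshake record; TLS 1.0-1.3 all use record versions 0x0301-0x0303
    if HTTP_REQUEST.match(payload):
        return "HTTP"
    if payload.startswith(b"SSH-"):
        return "SSH"                       # SSH identification string, e.g. SSH-2.0-...
    if payload[:4] in (b"USER", b"PASS") and payload.endswith(b"\r\n"):
        return "FTP"                       # plaintext FTP command line
    if transport == "UDP" and len(payload) >= 12 and int.from_bytes(payload[4:6], "big") == 1:
        return "DNS"                       # weak heuristic: 12-byte header with exactly one question
    return None

def identify(transport, dport, payload):
    """Combine the port hint with the payload signature and flag the cases where they disagree."""
    by_port = WELL_KNOWN_PORTS.get(dport)
    by_sig = signature_protocol(transport, payload)
    if by_sig is None:
        return {"protocol": by_port or "unknown", "basis": "port only", "mismatch": False}
    return {"protocol": by_sig, "basis": "payload signature",
            "mismatch": by_port is not None and by_port != by_sig}
```

A result with `"mismatch": True` (for example an SSH banner arriving on port 80) is the "unexpected service on an unusual port" case worth investigating; a signature on a non-standard port with no well-known mapping is reported on the payload evidence alone.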


8. Detecting Anomalies and Suspicious Traffic Patterns

Once you understand what normal traffic looks like, the next step is spotting what doesn't look normal. Suspicious traffic rarely hides perfectly. It usually shows patterns that stand out when you analyze flows, sessions and packet behavior.

Below are the most common signs analysts look for.

Unusual Ports or Unexpected Services
If a host suddenly starts communicating over odd ports (for example, 4444, 1337, high random ports), it may indicate malware, tunneling or unauthorized tools.
Traffic on ports normally blocked or unused is a warning sign.

High Volume From a Single Host
Large bursts of traffic, repeated connections, or long continuous sessions may indicate scanning, brute-force attempts or data exfiltration.

Frequent Small Packets
Bots, scanners and malware often send many tiny packets rapidly.
Normal applications usually have more balanced traffic.

Connections to Unknown or Foreign IPs
If internal systems talk to strange or unexpected external addresses, especially in unusual regions, it deserves investigation.

Repeated Failed Connections
Constant SYN attempts without completing the handshake may indicate:

  • Port scanning
  • A denial-of-service attempt
  • A misconfigured or malicious script

DNS Anomalies
Large TXT records, long subdomains or extremely frequent DNS queries can indicate DNS tunneling or malware beaconing.

Encrypted Traffic That Should Not Be Encrypted
Example: encryption inside internal-only systems or between unexpected hosts. Sometimes used to hide malicious communication.

Plaintext Traffic That Should Be Encrypted
Example: credentials sent in clear HTTP.
A sign of misconfiguration or vulnerability.

Long-Lived Sessions
Malware often maintains persistent tunnels to command-and-control servers.
Normal user sessions usually have shorter lifetimes.

In short:
Normal traffic is predictable.
Suspicious traffic breaks patterns.
Anomalies are the first signs of compromise, misconfiguration or scanning.
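An added example (not from the original post) covering the conversation grouping of section 6 and two of the anomaly signs listed above: half-open SYNs per source host and DNS names with unusually long labels. The Pkt summary format, the thresholds and the sample capture are constructed for the example.

```python
from collections import defaultdict
from typing import NamedTuple

class Pkt(NamedTuple):
    """One captured packet reduced to the fields flow analysis needs (a constructed summary format)."""
    ts: float
    src: str
    dst: str
    proto: str        # "TCP" or "UDP"
    sport: int
    dport: int
    flags: str = ""   # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)
    qname: str = ""   # DNS query name, for UDP/53 packets only

def conversations(pkts):
    """Group packets by unordered IP pair, like Wireshark's Conversations > IPv4 view."""
    conv = defaultdict(lambda: {"packets": 0, "first": None, "last": None})
    for p in pkts:
        c = conv[tuple(sorted((p.src, p.dst)))]
        c["packets"] += 1
        c["first"] = p.ts if c["first"] is None else c["first"]
        c["last"] = p.ts
    return dict(conv)

def half_open_syns(pkts, threshold=5):
    """Per source IP, count TCP sessions whose SYN never got a SYN-ACK; report sources at or above threshold."""
    pending = set()
    for p in pkts:
        if p.proto != "TCP":
            continue
        if p.flags == "S":
            pending.add((p.src, p.dst, p.sport, p.dport))
        elif p.flags == "SA":                                   # reply: swap ends to find the original SYN
            pending.discard((p.dst, p.src, p.dport, p.sport))
    per_src = defaultdict(int)
    for src, _, _, _ in pending:
        per_src[src] += 1
    return {s: n for s, n in per_src.items() if n >= threshold}

def suspicious_dns(pkts, max_label=40):
    """Query names with an unusually long label, one of the DNS tunneling signs listed above."""
    return sorted({p.qname for p in pkts if p.proto == "UDP" and p.dport == 53 and p.qname
                   and max(len(label) for label in p.qname.split(".")) > max_label})

# Constructed sample capture: one normal web session, one normal lookup, one odd lookup, one port sweep.
SAMPLE = [Pkt(0.1, "10.0.0.5", "192.0.2.10", "TCP", 40001, 80, "S"),
          Pkt(0.2, "192.0.2.10", "10.0.0.5", "TCP", 80, 40001, "SA"),
          Pkt(0.3, "10.0.0.5", "192.0.2.10", "TCP", 40001, 80, "A"),
          Pkt(0.4, "10.0.0.5", "10.0.0.1", "UDP", 50000, 53, qname="www.example.com"),
          Pkt(0.5, "10.0.0.9", "10.0.0.1", "UDP", 50001, 53, qname="c0ffee" * 8 + ".t.example.net")]
SAMPLE += [Pkt(1.0 + i * 0.01, "10.0.0.9", "192.0.2.20", "TCP", 45000 + i, port, "S")
           for i, port in enumerate([21, 22, 23, 25, 80, 443])]
```

On the sample, `half_open_syns(SAMPLE)` singles out 10.0.0.9 while the completed session from 10.0.0.5 is not counted, and `suspicious_dns(SAMPLE)` returns only the name with the 48-character label.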


9. Encryption and What You Can/Cannot See in Packets

Encryption changes what a packet looks like in traffic analysis. You still see the packet, but most of the meaningful application data is hidden. Understanding what remains visible is essential for both security monitoring and threat detection.

What you can see in encrypted traffic:

IP Addresses
You still see who is talking to whom. Encryption does not hide source or destination IPs.

Ports
You can see which service is being used (for example, port 443 for HTTPS).

Packet Size and Timing
Attackers can hide data but not timing and size. Patterns often reveal malware or tunneling.

TLS Handshake Information
Before encryption begins, TLS reveals metadata like:

  • Server Name Indication (SNI)
  • TLS version
  • Cipher suites
  • Certificate information

This helps identify suspicious or outdated configurations.

Flow Behavior
Long-lived sessions, repeated patterns, abnormal traffic spikes, or unusual destinations are still fully visible even when encrypted.

What you cannot see in encrypted traffic:

  • Content
    The actual message is hidden. No URLs, passwords, requests or responses.

  • HTTP Headers and Body
    In HTTPS, both are encrypted, except SNI during handshake.

  • Application-Level Commands
    FTP, SMTP, DNS-over-HTTPS and other protocols, once they are carried inside encryption, hide their internal commands.

  • User Credentials
    Modern encryption prevents sniffing usernames and passwords directly.

Simple summary:
Unencrypted traffic shows everything.
Encrypted traffic hides content but exposes patterns, metadata and behavior. This is why packet analysis still matters even with encryption. Most attacks reveal themselves through traffic patterns rather than raw content.


10. Practical Traffic Analysis Examples (HTTP, DNS, TLS)

To understand packet analysis, it helps to look at how common protocols appear in real captures. These examples show what you can expect to see when analyzing HTTP, DNS and TLS traffic.

HTTP (Unencrypted Web Traffic)
HTTP is fully readable in packet captures. You can see URLs, headers, cookies and even login data if the site is not using HTTPS. A GET or POST request appears clearly in the payload.

Security note: Any sensitive information in HTTP is exposed.

Example signs:

  • GET /login
  • POST /api/user
  • Host: example.com
  • User-Agent: Chrome

DNS (Domain Name Resolution)
DNS queries and responses are small and structured.
You can see which domain is being requested, record type and the IP returned. DNS often reveals malware behavior when unusual domains or high-frequency queries appear.

Example signs:

  • Standard query A google.com
  • Standard query response A 142.250.185.100

TLS (Encrypted Web Traffic)
TLS encrypts the content, but you can still see the handshake.
The handshake includes:

  • Client Hello
  • Server Hello
  • Certificate
  • TLS version
  • Cipher suites
  • SNI (server name indication) showing the domain

Once encryption begins, application data becomes unreadable, but the metadata and flow patterns remain visible.

Example signs:

  • Client Hello (SNI: example.com)
  • Server Hello (TLS 1.3)
  • Encrypted Application Data

HTTP shows everything (good for learning, bad for security).
DNS shows where traffic is going and is often abused by malware.
TLS hides content but leaves powerful metadata for detecting threats.
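The TLS handshake metadata listed in sections 9 and 10, as an added example that is not from the original post: a builder for a minimal ClientHello (a constructed sample, not a capture) and a parser that recovers the record version, cipher suites, SNI and supported_versions, the fields an analyst can still read before encryption starts. Cipher suite IDs 0x1301, 0x1302 and 0xC02F are the standard IANA values; the domain names and the "legacy" client are made up for the example.

```python
import struct

def build_client_hello(sni, suites, supported=(0x0304, 0x0303)):
    """Construct a minimal ClientHello record (sample built here, not a real capture)."""
    name = sni.encode()
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    sni_ext = struct.pack("!HH", 0, len(sni_body)) + sni_body            # extension type 0 = server_name
    vers = b"".join(struct.pack("!H", v) for v in supported)
    sv_ext = struct.pack("!HHB", 43, len(vers) + 1, len(vers)) + vers    # type 43 = supported_versions
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"              # legacy version, random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"               # cipher suites, null compression only
            + struct.pack("!H", len(sni_ext + sv_ext)) + sni_ext + sv_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                   # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs             # record type 22 = handshake

def parse_client_hello(rec):
    """Read the plaintext fields visible before encryption starts: versions, cipher suites, SNI."""
    ctype, rec_ver, _ = struct.unpack("!BHH", rec[:5])
    if ctype != 22 or rec[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    hs = rec[9:9 + int.from_bytes(rec[6:9], "big")]
    info = {"record_version": rec_ver, "client_version": struct.unpack("!H", hs[:2])[0],
            "cipher_suites": [], "sni": None, "supported_versions": []}
    pos = 34 + 1 + hs[34]                                               # skip version, random, session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    info["cipher_suites"] = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                                                  # skip compression methods
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:                                               # walk the extension list
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0:                                                  # server_name: list len, type, name len, name
            info["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
        elif etype == 43:                                               # supported_versions: 1-byte len, 2-byte entries
            info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return info

def offers_tls13(info):
    """True when the client advertises TLS 1.3 (0x0304); a client that never does deserves a closer look."""
    return 0x0304 in info["supported_versions"]

SAMPLE_HELLO = build_client_hello("example.com", [0x1301, 0x1302, 0xC02F])   # constructed, modern-looking client
```

Everything the parser returns is exactly what the "Client Hello (SNI: example.com)" line in Wireshark is built from; once the handshake finishes, only sizes, timing and endpoints remain.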


11. Legal, Ethical, and Privacy Considerations in Sniffing

Packet sniffing is a powerful capability, and with that power comes serious responsibility. Capturing network traffic can expose sensitive data, private communications and internal system details. Because of this, packet analysis is tightly controlled in both legal and ethical terms.

The key rule is simple:
You are only allowed to sniff traffic that you have explicit authorization to capture.

Authorization
You need permission from the network owner. Without this, packet sniffing is illegal in almost every country.

Privacy
Even in authorized environments, analysts should avoid looking at unnecessary personal data. Many organizations mask or filter sensitive fields.

Scope
Sniff only the systems or networks defined in your assignment. Going outside the approved scope is a violation of trust and policy.

Data Handling
Captured traffic must be stored securely. Packet captures often contain credentials, tokens, internal IPs and confidential information.

Workplace Policies
Companies typically require written approval for sniffing, even for internal troubleshooting. This protects both the company and the analyst.

Legal Frameworks
Depending on your region, laws such as GDPR, HIPAA or local privacy regulations dictate how traffic data must be handled and when it can be collected.

Ethical Behavior
Just because you can see something in traffic does not mean you should. Ethical cybersecurity means respecting users, systems and privacy.

Sniffing without permission is illegal.
Sniffing with permission must still be controlled and respectful.
Privacy is always part of the security process.


12. Summary and What Comes Next (Part 5 Preview)

In this part, you saw how network traffic really looks at the packet level. We explored Ethernet, IP, TCP/UDP headers, packet capture tools, analysis techniques, encrypted vs unencrypted traffic, and how anomalies reveal security issues. This is where cybersecurity meets real data — the raw evidence of how systems communicate.

In Part 5, we move from observing traffic to actively mapping and identifying systems. You'll learn scanning, enumeration, and fingerprinting techniques, how tools like Nmap and Masscan discover services, and how attackers and defenders both use these techniques to understand network exposure.

Next: Networking for Cybersecurity (Part 5): Scanning, Enumeration & Fingerprinting
