Packets and packet captures
Whether it's an employee sending an email or a malicious actor attempting to exfiltrate confidential data, actions that are performed on a network can be identified through examining network traffic flows.
Understanding these network communications provides valuable insight into the activities happening in a network.
This way, you can better understand what's going on in an environment and defend against potential threats.
With this in mind, let's examine how to record network traffic through packet captures.
Previously in the program, you learned that when data is sent, it's divided into packets.
Just like an addressed envelope in the mail, packets contain delivery information which is used to route it to its destination.
This information includes a sender and receiver's IP address, the type of packet that's being sent, and more.
Packets can provide lots of information about the communications happening between devices over a network.
You may also recall that a packet has multiple components.
There's the header, which includes information like the type of network protocol and port being used.
Imagine this as being the name and mailing address located on an envelope.
Network protocols are a set of rules that determine the transmission of data between devices on a network.
Ports are non-physical locations on a computer that organize data transmission between devices on a network.
The header also contains the packet's source and destination IP address.
We'll explore more information contained in the header in a later section.
Next, there's the payload, which contains the actual data that's being delivered.
This is like the content of a letter inside of an envelope.
And there's the footer, which signifies the end of the packet.
So how exactly can you observe a network packet?
Just like scents are invisible but can be smelled, packets are invisible but can be captured using tools called packet sniffers.
You may remember packet sniffers from a previous section.
A network protocol analyzer, or packet sniffer, is a tool designed to capture and analyze data traffic within a network.
As a security analyst, you'll use packet sniffers to inspect packets for indicators of compromise.
Through packet sniffing, we can grab a detailed snapshot of packets that travel over a network in the form of a packet capture.
A packet capture, or P-cap, is a file containing data packets intercepted from an interface or network.
It's sort of like intercepting an envelope in the mail.
Packet captures are incredibly useful during incident investigation.
By having access to the communications happening between devices over a network, you can observe network interactions and start to build a storyline to determine what exactly happened.
Coming up, we'll discuss the importance of packet analysis. Meet you there.