Skillfade Logo

Tracing the Shark on the Wire

⏳ 10 min read

Table of Contents

    Cybersecurity Illustration

    The rain-hazed neon reflects off wet asphalt as I slide into the server room, cables hanging like flesh from exposed ribs of racks. Hum hums through the air, the rack’s fans slicing the darkness in pulses, flickering LEDs blinking warnings I can’t yet decipher. Somewhere in the maze of switches and routers, a shark swims through the data sea, teeth gnashing on unguarded packets, fin slicing through noise, leaving behind shredded trust and scrambling traces.

    I connect my laptop to a span port, feel the electric tang of network flow at my fingertips. The shark has taken a bite, unauthorised SSH connections, odd DNS queries, traffic flowing out encrypted when it shouldn’t. I taste the circuit board’s burnt ozone, hear distant alarms in logs. The mission: trace the shark on the wire, track its origin, understand its path, stop its feasting. I am embedded. The network is alive. And tonight, I hunt.

    Part I: Preparation , Assembling Your Tools

    Before you plunge into tracing, you need gear. Think of your ini­tial toolkit as your survival pack in the digital jungle.

    Tool Purpose
    Packet sniffer (e.g. tcpdump, Wireshark) Capture raw traffic
    Flow exporter / collector (NetFlow, sFlow) Understand macro-patterns
    Log aggregator / SIEM (Elasticsearch, Splunk, etc.) Correlate events
    Host / endpoint monitoring (auditd, OSSEC, Wazuh) Identify suspect behaviour on devices
    DNS and DHCP logs Expose masquerading or poisoned records
    Secure shell tools, VPNs for remote access Maintain secure, auditable access paths

    Before you begin you must ensure:

    • You have explicit authorisation to monitor, intercept or analyse traffic. Without this you are trespassing.
    • You're working in a segmented, test or staging environment unless you're authorised to work on production.
    • You understand your network’s baseline. Know what “normal” patterns look like.

    Part II: Detection , How to Know the Shark Is Here

    You can smell something rotten before you see the body. These are the signs.

    1. Unusual port activity
      - Port hopping (temporary opens on high-numbered ports)
      - Repeated failed connection attempts (e.g. brute-force)
      - Unexpected services running (e.g. SSH on non-standard ports)

    2. Anomalous traffic patterns
      - Spike in outbound traffic during odd hours
      - Data exfiltration attempts: large uploads over odd protocols
      - DNS tunnelling: DNS requests unusually large or frequent

    3. Endpoint anomalies
      - Processes you didn’t launch
      - New user accounts or elevated privileges
      - Unscheduled changes to certificates or SSH keys

    4. DNS, ARP, DHCP irregularities
      - Rogue DHCP leases
      - ARP spoofing or poisoning
      - DNS cache poisoning or unusual CNAME chains

    Part III: Tracing the Shark , Step-by-Step Workflow

    Below is a structured workflow to trace the source of malicious traffic. Perform in sequence, though you may iterate between steps.

    Step 1: Packet Capture at the Perimeter

    • Deploy tcpdump or equivalent at the firewall or gateway. Capture both inbound and outbound packets.
    • Use filters to reduce noise. Focus on suspect ports (e.g. unusual high ports, or ports the attacker uses).
    • Timestamp everything precisely, ensure synchronised clocks (use NTP).

    Example command:

    bash
# WARNING: Packet capture may expose sensitive data and is risky if misused.
# Use only in authorised, controlled environments.

sudo tcpdump -i eth0 port not 22 and port not 80 -w suspicious_traffic.pcap
    • Use Wireshark later to dissect payloads, flags, TCP states, retransmissions.

    Step 2: Flow Analysis

    Extract flow data from routers or switches that support NetFlow/sFlow. Look for:

    • Long sessions to external IPs
    • High volume flows during off hours
    • New peers you don’t recognise

    Use nfdump, sflowtool, or vendor tools.

    Step 3: Correlate Logs

    Collect and correlate:

    • Firewall logs (accept/deny records)
    • VPN logs (who connected from where and when)
    • SSH / RDP logs
    • DNS query logs

    If your SIEM supports it, write correlation rules:

    python
# Pseudocode for correlation in your SIEM
if firewall_event.action == "ALLOW" and
   dest_port in suspicious_ports and
   from_ip not in known_good_hosts:
    alert("Unexpected inbound port access")

    Step 4: Enumerate Endpoints

    On any host suspected:

    • Check running processes (ps, tasklist)
    • Inspect network connections (netstat -tupn, ss, Get-NetTCPConnection in PowerShell)
    • Review recent changes (SSH keys, authorised users, crontab jobs)

    PowerShell snippet:

    powershell
# WARNING: Enumerating processes or connections on endpoints may reveal sensitive information.
# Execute only on authorised machines.

Get-NetTCPConnection | Where-Object {$_.RemotePort -in 30000..60000}
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10

    Step 5: Reverse DNS & Geolocation

    • Use dig, nslookup to trace reverse DNS of suspicious IPs.
    • Use geoIP databases (e.g. MaxMind) to map external IPs. Watch for ghost IPs (hosting providers known for abuse).

    Step 6: Firewall & VPN Check

    • Audit your firewall rules: look for mis-openings, shadowed rules, overly permissive ACLs.
    • Inspect VPN logs: ensure no split-tunnels are allowing bypass (i.e. traffic leaking out of VPN).
    • Confirm TLS / IPsec endpoints are pinned correctly.

    Part IV: Deep Dive Techniques & Edge Cases

    Edge cases are where sharks get clever.

    • Encrypted C2 over HTTPS
      Use TLS fingerprinting, SSL/TLS mutual authentication leaks, cipher mismatch detection. Certificate transparency logs help.

    • DNS Tunnelling
      Very small payloads in TXT or NULL records. Monitor for repeated long domain names, base-64 content. Capture and decode possible payload.

    • Steganography over HTTP
      Large multipart posts with hidden content. Use statistical analysis on payloads. Compare with known baseline images/media.

    • Proxy chaining and pivoting
      The attacker might hop through compromised hosts inside. Look for internal-to-internal flow that then exits. Use internal flow tools, switch span ports.

    Mini-Lab: Trace a Simulated Intrusion

    Set up a small network in a lab (virtual or physical). Include:

    • Firewall between internal and internet segments
    • A client that will be “compromised” (you simulate breach)
    • A DNS server

    Simulate the following:

    1. The client establishes a reverse shell on port 443 to an external IP.
    2. DNS queries from the client try to exfiltrate data (e.g. in TXT records) every few minutes.
    3. The attacker leverages a rogue DNS server to redirect some traffic.

    Your tasks:

    • Capture and analyse the traffic with tcpdump or Wireshark at perimeter.
    • Use flow export to spot odd outbound flow.
    • Correlate firewall, DNS, and host logs.
    • Identify source of reverse shell, block it at firewall, revoke rogue DNS configuration.

    Actionable Takeaways

    • Always establish baseline traffic and normal usage patterns so anomalies stand out.
    • Use layered monitoring: packet captures plus flow data plus logs. One layer misses what another catches.
    • Authorise everything you touch; insure legal and ethical boundaries are never crossed.
    • Edge-case techniques (DNS tunnelling, encrypted C2) are not theory they happen in the shadows; build detection for them.
    • Mini-labs are your rehearsal before the real hunt; the mindset matters as much as the tools.

    Tracing the Shark on the Wire: Step-by-Step Guide

    Aim

    To enable you to trace, capture and analyse network traffic (“the shark on the wire”) using real packet capture tools so you can uncover hidden communications, reconstruct data streams and investigate forensic artefacts.

    Learning Outcomes

    After completing this guide you will be able to:
    - Install and configure packet-capture tools such as Wireshark or tcpdump.
    - Capture live network traffic and save it in standard formats (.pcap, .pcapng).
    - Apply capture and display filters to isolate meaningful streams or protocols.
    - Follow TCP or UDP streams to reconstruct data exchanges.
    - Extract embedded or encoded data (for example base64) from streams or packet payloads.
    - Recognise common capture pitfalls such as encrypted content or missing packets and deal with them.

    Prerequisites

    You will need:
    - A computer running Linux, Windows or macOS with administrative privileges.
    - Wireshark installed (or alternativley use tcpdump / tshark) (se.com).
    - Basic understanding of TCP/IP, UDP, IPv4 (or IPv6), ports, protocols.
    - Knowledge of shell commands or Python for scripting & data extraction.
    - Access to a network where capturing traffic is permitted (for example via port-mirroring, sniffing or local capture).

    Step-by-Step Instructions

    1. Install and verify capture tools
      - On Linux: 
    bash
     sudo apt-update
     sudo apt-install wireshark tshark tcpdump
    • On Windows: download installer from Wireshark official site, ensure WinPcap or Npcap is included.
    • Confirm you can run in promiscuous mode. (howik.com)
    1. Begin a fresh capture
      - Open Wireshark, select the active network interface.
      - Start capturing (click shark-fin icon) or use:
    bash
     sudo tcpdump -i eth0 -w capture.pcap
    • Perform the activity or generate traffic you want to trace (visit websites, run application, etc.).
    1. Stop and save the capture
      - In Wireshark, press red square, then File → Save As (.pcapng or .pcap).
      - If using tcpdump:
    bash
     sudo pkill tcpdump
    • Ensure file is saved securely for analysis.
    1. Use capture and display filters to isolate relevant traffic
      - Capture filter examples (tcpdump / Wireshark capture filter): 
    text
     port 80 or port 443
     host 192.168.1.10
    • Display filters in Wireshark: 
    text
     http && ip.src == 192.168.1.10
     udp && udp.port == 53

    1. Follow individual streams to reconstruct communication
      - In Wireshark use Analyse → Follow → TCP Stream or UDP Stream.
      - Identify which stream carries useful data. Streams often numbered, e.g. tcp.stream == 6.
      - View raw payloads , sometimes there’s hidden or encoded content. (medium.com)

    2. Extract embedded or encoded data
      - Once you have the payload, extract data using shell or Python. For example, if payload contains base64 flag:

    bash
     echo "bDNhcm5fdzF0aF8yazFsbGZhZDMK" | base64 --decode
    • With Python, you might parse packets:
    python
     from scapy.all import rdpcap
     packets = rdpcap('capture.pcap')
     for pkt in packets:
         if pkt.haslayer('TCP') and pkt['TCP'].dport == 80:
             data = bytes(pkt['TCP'].payload)
             if b'FLAG{' in data:
                 print(data)

    1. Deal with encryption or missing data
      - If traffic is encrypted (TLS, HTTPS), you may see only handshake and opaque payloads. Cannot read content unless you have decryption keys.
      - Use server/client sides where possible, or configure reverse proxies or instrumentation to log plaintext.
      - For missing packets: ensure correct interface, sufficient permissions, proper tap or mirrored port. (reddit.com)

    2. Document findings clearly
      - Note timestamps, source IPs, ports, protocol versions.
      - Save filters used and stream IDs.
      - Capture screenshots or export raw payloads if needed.

    This practical path will equip you to trace network “sharks” prowling on the wire, uncover hidden communications and apply forensic-grade analysis to packet data.

    When you trace the shark on the wire you sharpen both your tools and your senses, you become part of the sea you swim in. And sometimes you taste salt-water fear, but you also find clarity in the flicker of LEDs.