Do I need full PCAP everywhere?

No — full PCAP at the perimeter and at sensitive segment boundaries (DC ingress, admin VLAN). Telemetry + Zeek logs everywhere else. Spin up targeted PCAP per incident.

How long should I keep PCAP?

Industry baseline: 7-30 days at perimeter, 90+ days for Zeek logs and telemetry. Regulated entities under RBI/SEBI/IRDAI may push longer. The cost-of-storage curve favours longer retention every year.

Can I use Wireshark output directly as court evidence?

Not directly — you need the §65B certificate, chain of custody, and the original capture file. Wireshark presentation is for analyst use; the underlying PCAP + integrity hashes + capture-circumstance documentation is the evidence.

How do I correlate across PCAP, logs, and EDR?

Time-bounded queries to a SIEM that ingests all sources. Splunk, Elastic, Sentinel, Chronicle. Index PCAP-derived events (via Zeek + a Splunk forwarder, or NetWitness, or Arkime). The SIEM is the unification layer; PCAP at-rest is the deep evidence when SIEM points to a moment in time.

What is JA3 and why is it useful?

JA3 is a fingerprint of the TLS Client Hello (cipher list, extensions, supported groups). Different malware families and tools produce distinctive JA3 hashes. Even with TLS, JA3 lets you identify suspect tooling. JA4 (newer) is more granular. Both are key forensic indicators for encrypted traffic. See the JA4 GitHub for the modern reference.

How do I preserve evidence during an active incident?

Snapshot affected systems (cloud snapshots, VM snapshots, disk images for physical). Capture memory before reboot. Continue PCAP/Zeek logging. Hash everything and document in a contemporaneous notebook. Avoid making changes to affected systems until evidence is captured.

Should I bring in an external IR firm?

For anything that may involve regulatory notification, criminal prosecution, or insurance claims: yes. External IR firms bring specialised tools, broader threat-actor knowledge, and credibility for regulator/insurer interactions. Pre-arrange a retainer; the time to negotiate the SOW is not during a crisis.

Network Forensics for Incident Response — PCAP Analysis, Zeek, Suricata

Read as

Last updated: May 1, 2026

Network forensics is the art of reconstructing what happened from packets and flow logs after the fact. This module is the practitioner walk-through: chain of custody, the evidence stack (PCAP + Zeek + flow + endpoint), the workflow for a compromise investigation, the most useful Wireshark + tshark + Zeek + RITA techniques, and the legal posture for evidence to hold up in Indian courts under the IT Act and DPDP context.

When an incident happens, the network is usually the only place where the full story is recorded — the endpoint can be wiped, logs can be tampered with, but packets-on-disk reflect what actually moved across the wire. Network forensics is the discipline of reconstructing the incident from that evidence. This module is the working introduction; pair with Module 2 (Wireshark fundamentals) and Module 15 (telemetry).

The forensic mindset — what we are actually trying to prove

Forensics is not just “look at the packets” — it is “answer specific questions defensibly”. Typical questions: when did the attacker first arrive? What did they reach? What did they take? How did they get in? Did they create persistence? Each question is addressed with a different lens: time-correlation across PCAP, flow logs, Zeek logs, and endpoint telemetry.

The forensic principleevery answer must be reproducible from the same evidence and resilient to challenge — by the attacker if there is later litigation, by the auditor when reviewing the post-incident report, by counsel preparing for regulatory notification. Sloppy provenance kills cases; “we think it happened around then” is not a finding. Always cite specific evidence (PCAP file + frame number, log file + timestamp + line) for every conclusion.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants

Network Forensics — Reading Captures Like a Detective

The forensic mindset — what we are actually trying to prove

Custom team training + practitioner advisory

Other modules in this track

Networking Fundamentals — OSI, TCP/IP, and Why Layers Actually Matter

Packet Analysis with Wireshark — From “Open the PCAP” to Diagnosing Real Incidents

Network Protocols Deep Dive — ARP, DHCP, ICMP, DNS, HTTP and the Trust They Assume