Most attacks move over a network. If you do not understand the protocols, you will miss the indicators. This room covers networking from a security perspective.
Everything on the internet runs over TCP/IP. Understanding the model means understanding where attacks happen and what forensic evidence each layer leaves behind.
The layers that matter most for security work: Network (IP addresses, routing), Transport (TCP/UDP ports, connection state), and Application (HTTP, DNS, TLS), which carries the protocols attackers actually abuse.
```text
# TCP three-way handshake
Client → SYN → Server
Client ← SYN-ACK ← Server
Client → ACK → Server
# Connection established
# A SYN flood attack sends millions of SYNs without completing the handshake
# A half-open scan (nmap -sS) stops after the SYN-ACK, probing ports without ever completing a connection
```
DNS is one of the most abused protocols in security. Attackers use it for C2 (DNS tunneling), data exfiltration, and beaconing, because DNS is almost always allowed outbound and rarely monitored.
```text
# DNS query types to monitor:
# A     - hostname to IPv4
# AAAA  - hostname to IPv6
# TXT   - arbitrary text (used for DNS tunneling and exfil)
# MX    - mail servers
# CNAME - aliases (watch for fast-flux domains)
# Signs of DNS tunneling:
# - Unusually long subdomains (data encoded in the query)
# - High query volume to a single domain
# - TXT record queries to unusual domains
# - Queries with random-looking subdomains
```
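As an added example (not part of the original room), the four tunneling signs above turned into a small detector run over a constructed query log. The 30-character label length, the entropy threshold and the per-domain volume threshold are assumptions for the sample, and the registered-domain split is deliberately naive.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log for this example: (timestamp, client, qtype, qname).
# The exfil-test.invalid records imitate the tunneling pattern; nothing here is real data.
SAMPLE_LOG = [
    ("10:00:01", "10.0.0.5", "A", "www.example.com"),
    ("10:00:02", "10.0.0.5", "A", "mail.example.com"),
    ("10:00:03", "10.0.0.7", "TXT", "3q9z8k1v0x2n5m7b4c6d8f1g3h5j7k9l2p4r6t8.exfil-test.invalid"),
    ("10:00:04", "10.0.0.7", "TXT", "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0.exfil-test.invalid"),
    ("10:00:05", "10.0.0.7", "TXT", "z9y8x7w6v5u4t3s2r1q0p9o8n7m6l5k4j3h2g1f0.exfil-test.invalid"),
]

def registered_domain(qname):
    """Last two labels of the name. Assumption: no public-suffix list, so
    names like host.example.co.uk would be split wrongly in real use."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def shannon_entropy(text):
    """Bits per character. Encoded payload chunks score much higher than words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def flag_tunneling(log, max_label_len=30, entropy_threshold=3.5, volume_threshold=3):
    """Apply the four indicators to (timestamp, client, qtype, qname) records.
    Thresholds are assumptions for the sample; tune them against your own baseline.
    Returns {registered_domain: set(reasons)} for domains with at least one hit."""
    reasons = defaultdict(set)
    volume = defaultdict(int)
    for _ts, _client, qtype, qname in log:
        domain = registered_domain(qname)
        volume[domain] += 1
        # Everything left of the registered domain is where encoded data goes.
        sub = qname.lower().rstrip(".")[:-len(domain)].rstrip(".")
        for label in (sub.split(".") if sub else []):
            if len(label) >= max_label_len:
                reasons[domain].add("long-subdomain")
            if len(label) >= 12 and shannon_entropy(label) >= entropy_threshold:
                reasons[domain].add("high-entropy-subdomain")
        if qtype == "TXT":
            reasons[domain].add("txt-query")
    for domain, count in volume.items():
        if count >= volume_threshold:
            reasons[domain].add("high-volume")
    return dict(reasons)

if __name__ == "__main__":
    for domain, hits in flag_tunneling(SAMPLE_LOG).items():
        print(domain, sorted(hits))
```

On the sample, example.com produces no hits and exfil-test.invalid trips all four indicators; in a real deployment the volume check should be measured per client and per time window, not over the whole log.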
HTTP is the protocol most malware uses for C2 because it blends in with normal web traffic. Understanding the request/response structure lets you spot malicious traffic in proxy logs.
Key indicators in HTTP logs: unusual User-Agent strings, base64 in URL parameters, POSTs to unusual endpoints, beaconing behavior (requests at regular intervals), and large HTTP responses to small requests (C2 staging).
Wireshark is the standard tool for packet capture analysis. These are the filters I use constantly:
```text
# Filter by protocol
http
dns
tcp
udp
# Filter by IP
ip.addr == 192.168.1.100
ip.src == 10.0.0.1
# Find suspicious DNS (long subdomains = possible tunneling)
# ^ anchors at the start of the name, so this matches a first label of 30+ alphanumerics
dns.qry.name matches "^[a-z0-9]{30,}"
# Find cleartext credentials (HTTP Basic auth)
http.authorization
# Find large data transfers
# tcp.len is the payload of a single segment; on a plain Ethernet capture it tops out
# near 1460, so values this large only show up with jumbo frames or when capturing on a
# host with segmentation offload. Use Statistics → Conversations for per-flow totals.
tcp.len > 10000
# Follow a TCP stream: Right-click packet → Follow → TCP Stream
```
Network segmentation limits the blast radius of a breach. If an attacker compromises one segment, proper segmentation stops them from moving laterally to everything else.
The principle: separate systems by trust level and function. User workstations shouldn't be able to talk directly to database servers. IoT devices shouldn't be on the same segment as production systems. Servers should be in their own VLAN.
An IDS (Intrusion Detection System) monitors network traffic and alerts on suspicious patterns. An IPS (Intrusion Prevention System) does the same but also blocks the traffic automatically.
Signature-based detection works like AV: it matches known-bad patterns. Anomaly-based detection establishes a baseline of normal traffic and alerts on deviations. Both have blind spots; the most effective deployments use both.
- SMB (445): File sharing. Used heavily in lateral movement (EternalBlue, pass-the-hash).
- RDP (3389): Remote desktop. Brute-forced constantly. Never expose it to the internet.
- SSH (22): Secure shell. Key-based auth only. Monitor for unusual login times/locations.
- FTP (21): Cleartext. Should not exist in modern environments.
- Telnet (23): Cleartext. Should not exist anywhere, ever.
- SNMP (161): Network management. Default community strings are public/private. Always change them.
- LDAP (389): Active Directory queries. Used in many AD enumeration attacks.
- WinRM (5985/5986): Windows Remote Management. Used heavily in post-exploitation.
The attacks you'll encounter most in real environments: