This repository documents a professional network traffic analysis project focusing on behavioral baselining, stealth reconnaissance detection, and service exposure mapping. Using a combination of Wireshark and Nmap, this project captures the transition from nominal network operations to active threat progression.
- Deep Packet Inspection (DPI): Detailed analysis of 85,000+ protocol frames across the TCP/IP stack.
- Reconnaissance Attribution: Identifying stealth SYN scan signatures and mapping Nmap's timing templates on the wire.
- Exposure Analysis: Documenting plaintext data leakage in unencrypted HTTP streams and mapping service response headers.
- Behavioral Baselining: Establishing statistical norms for DNS, HTTPS, and local host interactions.
- Platform: Kali Linux (VMware NAT)
- Target: Local Gateway (192.168.1.1) and Localhost (127.0.0.1)
- Tools: Wireshark 4.x, Nmap 7.95, Tcpdump, Curl, Apache2.
I ran the capture in four distinct phases to simulate a natural attack progression:
- Baseline: Normal web browsing (DNS/HTTPS).
- Mapping: Active connectivity checks using ICMP pings.
- Recon: Stealth SYN scan targeting 1000 ports.
- Enumeration: Successful interaction with a local Apache server on Port 80.
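As an added example (not code from this repository), the script below applies the detection heuristic behind the Wireshark filter `tcp.flags.syn==1 && tcp.flags.ack==0` to constructed packet records from the Recon phase: it flags a source that sends SYN-only probes to many ports and almost never completes the handshake, and lists which ports answered SYN/ACK. The IPs, ports and packet records are constructed assumptions, not values from the capture.

```python
from collections import defaultdict
# TCP flag bits as shown in Wireshark's tcp.flags field.
SYN, RST, ACK = 0x02, 0x04, 0x10

def make_probe_packets(scanner, target, ports, open_ports):
    """Constructed half-open probes: SYN, reply, then RST (the client never ACKs)."""
    pkts = []
    for i, port in enumerate(ports):
        sport = 40000 + i
        pkts.append((scanner, target, sport, port, SYN))
        reply = SYN | ACK if port in open_ports else RST | ACK
        pkts.append((target, scanner, port, sport, reply))
        if port in open_ports:
            pkts.append((scanner, target, sport, port, RST))
    return pkts

# Constructed sample (not a real capture): one normal HTTPS handshake from a baseline
# host, plus a half-open scan of 22 ports. Record: (src_ip, dst_ip, sport, dport, flags)
BASELINE = [
    ("192.168.1.20", "203.0.113.5", 51000, 443, SYN),
    ("203.0.113.5", "192.168.1.20", 443, 51000, SYN | ACK),
    ("192.168.1.20", "203.0.113.5", 51000, 443, ACK),
]
SCAN = make_probe_packets("192.168.1.10", "192.168.1.1",
                          list(range(20, 40)) + [80, 443], {22, 80})
SAMPLE_PACKETS = BASELINE + SCAN

def analyze(packets, min_targets=10, max_handshake_ratio=0.1):
    """Flag sources that send SYN-only to many ports but almost never complete."""
    syn_targets = defaultdict(set)  # src -> {(dst, dport)} matching syn==1 && ack==0
    completed = defaultdict(set)    # src -> targets that later received a bare ACK
    open_ports = defaultdict(set)   # host -> ports that answered SYN/ACK
    for src, dst, sport, dport, flags in packets:
        if flags & SYN and not flags & ACK:
            syn_targets[src].add((dst, dport))
        elif flags & SYN and flags & ACK:
            open_ports[src].add(sport)          # responder's sport is the service
        elif flags == ACK and (dst, dport) in syn_targets.get(src, set()):
            completed[src].add((dst, dport))
    findings = {}
    for src, targets in syn_targets.items():
        ratio = len(completed[src]) / len(targets)
        if len(targets) >= min_targets and ratio <= max_handshake_ratio:
            hosts = {dst for dst, _ in targets}
            findings[src] = {
                "probed_ports": len(targets),
                "handshake_ratio": ratio,
                "open_ports_seen": sorted(p for h in hosts for p in open_ports[h]),
            }
    return findings
```

The baseline host completes its one handshake and is not reported; the scanner is reported with 22 probed ports, a handshake ratio of 0.0 and open ports 22 and 80, which is the same picture the Wireshark filter gives on the real capture.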
- /assets: CSS, JS, and all visual evidence.
- /captures: The original .pcap capture file for review.
- index.html: The full interactive analysis report.
The biggest insight here was how clearly a "stealth" scan stands out in Wireshark when you know what filters to use. It also reminded me why HTTPS is non-negotiable—seeing plain HTTP GET requests fly past in cleartext is a huge wake-up call for network security.
Youssef Moataz
If you find this analysis helpful, please give the repo a ⭐!