4.7 Identify key elements in an intrusion from a given PCAP file
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
1. What a Protocol Is
A protocol is a set of rules that allows computers to talk to each other.
- It defines how data is formatted, transmitted, and received.
- Each packet in a PCAP file carries protocol headers that show what kind of communication it is.
For example, a packet may use:
- HTTP – for web traffic
- DNS – for translating domain names into IP addresses
- SMTP – for sending emails
By identifying protocols, you can see if the traffic matches normal network behavior or if something unusual is happening.
2. Why Protocols Matter in Intrusion Detection
Protocols can tell us a lot about potential intrusions:
- Detecting unexpected protocols
- Example: Seeing FTP traffic on a port normally used for HTTP may indicate suspicious activity.
- Finding unusual patterns
- High volumes of ICMP (ping) traffic could indicate a ping flood attack.
- DNS requests to strange domains may indicate malware communicating with a command-and-control (C2) server.
- Identifying protocol misuse
- Attackers often hide their traffic inside common protocols such as HTTP or HTTPS to bypass firewalls.
- PCAP analysis helps you see if the traffic content matches the protocol (e.g., someone sending non-HTTP data over TCP port 80).
3. Common Protocols to Know for the Exam
Here’s a list of protocols you must recognize in PCAP analysis:
| Protocol | Port | Use Case | Intrusion Example |
|---|---|---|---|
| TCP | N/A | Connection-oriented communication | Used for most web, email, file transfers; check for abnormal TCP flags (SYN floods) |
| UDP | N/A | Connectionless communication | DNS tunneling, amplification attacks |
| HTTP/HTTPS | 80 / 443 | Web traffic | Malware may use HTTP/HTTPS to send data to an attacker |
| DNS | 53 | Domain name resolution | Unusually frequent or abnormal queries may indicate malware or exfiltration |
| SMTP | 25 / 587 | Email sending | Used by spam or phishing attacks |
| FTP | 20 / 21 | File transfer | May transfer stolen data |
| ICMP | N/A | Ping, diagnostics | Ping flood or network reconnaissance |
| SSH | 22 | Secure remote login | Brute force attacks or unauthorized access attempts |
| Telnet | 23 | Remote login | Legacy protocol; often exploited if enabled |
| SNMP | 161 / 162 | Network device monitoring | Misconfigured devices can leak sensitive info |
Tip: For the exam, knowing both the protocol and its normal port is critical because intrusions often show unexpected protocol-port combinations.
4. How to Identify Protocols in a PCAP File
When you open a PCAP in Wireshark (or a similar tool), protocols are displayed clearly in the Protocol column.
Steps to identify suspicious protocol usage:
- Filter by protocol
- Example: the http or dns display filter in Wireshark.
- Check source and destination ports
- Make sure the protocol matches the port.
- Analyze the packet payload
- Look for unusual commands, requests, or data.
Example:
- A packet shows TCP on port 443 but the payload contains plaintext data instead of encrypted HTTPS traffic. This could indicate protocol misuse or tunneling.
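The following is an added worked example, not part of the course notes and not Cisco or Wireshark code. It shows the three steps above (filter by protocol, check the port, inspect the payload) and the protocol-misuse idea from section 2 in plain Python: a small standard-library parser for the classic libpcap format, a payload-based classifier that mimics what Wireshark's dissectors do, a protocol filter, and a check that flags traffic whose payload does not match its well-known port. The capture it analyses is constructed in the script itself (hand-built Ethernet/IPv4/TCP/UDP frames with zero checksums); all addresses, ports and payloads are made up for the demonstration.

```python
"""Added example: flag protocol/port mismatches in a PCAP using only the standard library."""
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap, microsecond timestamps, written little-endian here


# ---- constructed sample capture (test data, not real traffic) ----------------------
def build_frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Build an Ethernet/IPv4/{TCP,UDP} frame. Checksums are left at 0: fine for a
    parser exercise, not a valid frame to transmit."""
    if proto == 6:   # TCP: 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + l4 + payload


def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header plus one 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "93.184.216.34", 6, 51000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_frame("10.0.0.5", "203.0.113.7", 6, 51001, 80, b"USER anonymous\r\n"),          # FTP-style command on 80
    build_frame("10.0.0.5", "203.0.113.9", 6, 51002, 443, b"\x16\x03\x01\x00\x05hello"),  # TLS-looking record
    build_frame("10.0.0.5", "203.0.113.9", 6, 51003, 443, b"id=4242&data=secret\r\n"),    # plaintext on 443
    build_frame("10.0.0.5", "10.0.0.53", 17, 40000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
])


# ---- parser ---------------------------------------------------------------------------
def parse_frame(frame):
    """Return a dict for an IPv4 TCP/UDP packet, or None for anything this example does not handle."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack_from("!HH", l4, 0)
    if proto == 6:
        hdr_len = (l4[12] >> 4) * 4
        return {"src": src, "dst": dst, "transport": "TCP", "sport": sport, "dport": dport, "payload": l4[hdr_len:]}
    if proto == 17:
        return {"src": src, "dst": dst, "transport": "UDP", "sport": sport, "dport": dport, "payload": l4[8:]}
    return None


def parse_pcap(data):
    """Walk every record of a classic little-endian Ethernet pcap and parse its frame."""
    magic, = struct.unpack_from("<I", data, 0)
    linktype, = struct.unpack_from("<I", data, 20)
    if magic != PCAP_MAGIC or linktype != 1:
        raise ValueError("this example handles only classic little-endian pcap with Ethernet link type")
    packets, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        pkt = parse_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            packets.append(pkt)
    return packets


# ---- classification: look at the payload, not just the port ---------------------------
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/")


def looks_like_http(p):
    return p.startswith(HTTP_STARTS)


def looks_like_tls(p):
    # TLS record: content type 0x14-0x17 followed by protocol version major byte 0x03
    return len(p) >= 3 and p[0] in (0x14, 0x15, 0x16, 0x17) and p[1] == 0x03


def looks_like_dns(p):
    # 12-byte header with at least one question; a rough check, good enough for the example
    return len(p) >= 12 and struct.unpack_from("!H", p, 4)[0] >= 1


# well-known (transport, port) -> (expected protocol, payload check)
EXPECTED = {("TCP", 80): ("HTTP", looks_like_http),
            ("TCP", 443): ("TLS", looks_like_tls),
            ("UDP", 53): ("DNS", looks_like_dns)}


def identify(pkt):
    """Name the application protocol from payload bytes (what Wireshark's Protocol column shows)."""
    p = pkt["payload"]
    if looks_like_http(p):
        return "HTTP"
    if looks_like_tls(p):
        return "TLS"
    if pkt["transport"] == "UDP" and looks_like_dns(p):
        return "DNS"
    return pkt["transport"]  # no recognised application layer: fall back to the transport name


def filter_packets(packets, proto):
    """Equivalent of typing a protocol name such as http or dns into the Wireshark filter bar."""
    return [p for p in packets if identify(p).lower() == proto.lower()]


def find_mismatches(packets):
    """Steps 2 and 3 of the notes: does the payload match the protocol normally seen on that port?"""
    findings = []
    for pkt in packets:
        if not pkt["payload"]:
            continue  # handshake or ACK-only segments carry no application data to judge
        key = (pkt["transport"], pkt["dport"])
        if key in EXPECTED and not EXPECTED[key][1](pkt["payload"]):
            findings.append(f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']}/{pkt['transport']} expected "
                            f"{EXPECTED[key][0]} but saw {identify(pkt)}; first bytes {pkt['payload'][:16]!r}")
    return findings


if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print(f"{len(pkts)} packets, {len(filter_packets(pkts, 'http'))} http, {len(filter_packets(pkts, 'dns'))} dns")
    for line in find_mismatches(pkts):
        print("MISMATCH:", line)
```

Running it reports two mismatches from the constructed capture: an FTP-style command sent to TCP/80 and a plaintext payload sent to TCP/443, which are exactly the "unexpected protocol-port combination" and "plaintext on 443" cases the notes describe. The same classify-by-payload idea is why Wireshark can show "FTP" on port 80 when the bytes look like FTP; port alone is never the whole story.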
5. Exam Focus: What You Must Remember
For the 200-201 CBROPS exam, remember these key points:
- Protocol identification is essential for spotting intrusions.
- Know common protocols and their ports.
- Understand normal vs. abnormal traffic patterns.
- Recognize protocol misuse or unexpected protocol-port combinations.
- Use PCAP tools like Wireshark filters to focus on suspicious protocols.
If you can identify which protocol is being used, whether it’s normal or suspicious, and what type of intrusion it may indicate, you are well-prepared for this topic on the exam.
6. Quick Memory Tip
Think of protocols as the “language” of the network:
- Normal conversations → expected protocols
- Strange language or sudden new language → possible intrusion
