4.7 Identify key elements in an intrusion from a given PCAP file
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
When analyzing network traffic using a PCAP file (packet capture), one of the key elements you need to identify in any potential intrusion is the source address.
1. What is a Source Address?
- A source address is the IP address of the device that sent the data captured in the network traffic.
- Every packet in a network has a source IP and a destination IP:
- Source IP: Who sent the packet.
- Destination IP: Who is supposed to receive the packet.
Think of it like sending an email:
- Source: Your email address (sender).
- Destination: The recipient’s email address.
In network monitoring, the source address tells you where the traffic came from.
2. Why is Source Address Important in Intrusion Detection?
When investigating a potential attack or suspicious activity, the source address helps you:
- Identify the attacker: If the source address is outside your network or known to be malicious, that’s a red flag.
- Trace the activity: Helps you see which system initiated suspicious packets.
- Filter or block traffic: If the source is malicious, you can create firewall or IDS rules to prevent further intrusion.
- Correlate events: You can compare the source address with logs from other systems (firewalls, routers, SIEM) to understand the attack path.
3. How to Find the Source Address in a PCAP File
PCAP files store network traffic captured by tools like Wireshark or tcpdump.
Steps to identify the source address in Wireshark:
- Open the PCAP file in Wireshark.
- Look at the “Source” column in the packet list. This shows the IP address that sent each packet.
- Click on a packet to see more details in the Packet Details pane:
- Expand Internet Protocol (IP) → You’ll see:
Source: 192.168.1.10 (example)
Destination: 10.0.0.5 (example)
Tip: Focus on unusual or external IP addresses — those are often the source of attacks.
4. IT Examples of Source Address in Real Scenarios
Here are some IT-focused examples your students can relate to:
- Internal malware infection: If an internal host (192.168.1.15) suddenly starts sending a lot of packets to an unknown external IP (203.0.113.25), the source address identifies which infected computer is sending traffic.
- Brute-force attack: Repeated login attempts coming from 198.51.100.42 — the source IP tells security teams which remote system is attacking the login server.
- Data exfiltration: Files being sent to an external IP. The source IP helps you identify which server is leaking sensitive data.
5. Things to Remember for the Exam
- Always identify source vs. destination: Don’t confuse them.
- Look for unusual sources: Internal IPs sending unexpected traffic, or unknown external IPs.
- Source can be spoofed: Attackers can fake IPs, so combine this with other evidence like MAC addresses, TCP flags, and protocols.
- Context matters: Not every unknown source is malicious; check against threat intelligence lists and internal policies.
✅ Quick Exam Tip
When a question gives a PCAP and asks “Identify the source address of the intrusion”:
- Open the PCAP in Wireshark.
- Filter suspicious traffic:
- Example filters: http, ftp, smtp, or tcp.port == 22.
- Check the Source column for unusual IPs.
- Verify the source by checking packet details (protocols, ports, timing).
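The same check done programmatically, as an added example that is not part of the original notes: it parses a small pcap built in memory from the scenarios above (the page's example addresses 192.168.1.15 → 203.0.113.25 and 198.51.100.42), counts packets per source address, and separates external sources from internal hosts sending traffic outside. The pcap layout is standard libpcap; the internal network 192.168.1.0/24 is an assumption for the sample.

```python
import struct
import ipaddress
from collections import Counter

def build_frame(src, dst):
    """Constructed Ethernet + IPv4 header (no payload); enough for source/destination analysis."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file: 24-byte global header (magic, version 2.4,
    link type 1 = Ethernet), then a 16-byte record header per packet followed by its bytes."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        data += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return data

def sample_capture():
    """Constructed capture mirroring the page's scenarios (addresses are the page's examples)."""
    frames = [build_frame("192.168.1.10", "192.168.1.5")] * 3          # ordinary internal traffic
    frames += [build_frame("192.168.1.15", "203.0.113.25")] * 50       # infected host sending out
    frames += [build_frame("198.51.100.42", "192.168.1.5")] * 20       # repeated logins from outside
    return build_pcap(frames)

def iter_ipv4_src_dst(pcap_bytes):
    """Yield (source, destination) for each IPv4 packet in an Ethernet pcap."""
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # skip non-IPv4 or truncated frames
            continue
        yield str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34]))

def source_summary(pcap_bytes, internal_net="192.168.1.0/24"):
    """Count packets per source and separate the two patterns the notes describe:
    external sources talking in, and internal sources talking out."""
    net = ipaddress.ip_network(internal_net)
    counts, outbound = Counter(), Counter()
    for src, dst in iter_ipv4_src_dst(pcap_bytes):
        counts[src] += 1
        if ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) not in net:
            outbound[(src, dst)] += 1
    external = sorted(ip for ip in counts if ipaddress.ip_address(ip) not in net)
    return {"counts": counts, "external_sources": external, "internal_to_external": outbound}

if __name__ == "__main__":
    print(source_summary(sample_capture()))
```

Replace sample_capture() with the bytes of a real .pcap file (not pcapng) to run the same tally on a capture exported from Wireshark or tcpdump.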
In short:
The source address is the IP of the device sending suspicious traffic. Identifying it is crucial for knowing who started an attack, tracking the activity, and responding appropriately.
