15 April 2026 • Wireshark & Nmap Analysis

Network Traffic Analysis Report v3.0

Download .PCAP

ANALYST

Youssef Moataz

ENVIRONMENT

Kali Linux (VMware NAT)

DURATION

~12 Minutes

~85,000 Total Packets
~115/s Avg. Packet Rate
3 Critical Findings
High Risk Profile

1. Executive Summary

This report documents a technical analysis of network traffic captured during a simulated cyber attack. The study focused on baseline behavioral mapping and reconnaissance detection.

Patterns identified include high-volume SYN scanning, unencrypted data exchange, and service discovery on the local gateway. The findings highlight the importance of network visibility in identifying adversarial behavior early in the attack lifecycle.

2. Methodology & Timeline

Goals

  • Analyze packet-level traffic flow.
  • Differentiate between normal and suspicious patterns.
  • Model attacker behavior using Nmap.
  • Identify security gaps in local services.

Analysis Phases

0-4m: Establishing Baseline (DNS/HTTPS)
4-6m: ICMP Reachability Checks
6-9m: Reconnaissance (SYN Scan)
9-12m: Service Enumeration (HTTP)
Capture Baseline

3. Reconnaissance: Stealth SYN Scan

High Severity

Technical Indicators

Source: Kali VM
Target Gateway: 192.168.1.1
Activity: ~1.3k SYN packets

Wireshark Search

tcp.flags.syn==1 && tcp.flags.ack==0
Nmap Evidence
[ANALYST NOTE]: Target system was completely silent (no SYN-ACK/RST), confirming filtered port status. Firewall is effective at dropping unsolicited probes.

4. Exposure: Local Service Discovery

Medium Severity

Port 80 (Apache)

Successful transport-layer connection to 127.0.0.1 detected. Service is fully interactive.

Risk Assessment

Active services expand the local attack surface and should be hardened to prevent exploitation.

Service Interaction

5. Vulnerability: Cleartext Traffic

High Severity

Plaintext HTTP traffic captured. All application-layer headers and content are visible to passive monitoring tools on the network.

[NOTE]: Transition to HTTPS/TLS is required to prevent credential theft or session interception during transit.

6. SOC Analysis Mapping

Phase Evidence Observed Mapped Technique
Scanning Massive SYN packet burst T1046 (Network Scanning)
Enumeration Targeted HTTP connection T1016 (Device Discovery)
Exfiltration Risk Plaintext HTTP GET requests T1041 (Exfiltration)

7. Visual Evidence Appendix

Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence
Evidence

Recommendations

  • Enforce transport security with TLS/HTTPS.
  • Monitor network logs for abnormal SYN packet rates.
  • Update firewall to log and alert on dropped recon probes.
  • Restrict access to local management/dev services.

Tools Used

Wireshark 4.x • Nmap 7.95 • Tcpdump • Curl • Apache2