Network Archaeology

Learn how software uses network protocols, and write your own malware protocol decoder.

Tracking malware activity, malicious user activity, and accidental insiders through the network can be a challenge. Start with network analysis fundamentals and build up to more complex analysis. Dig into basic code-breaking and de-obfuscation. Finally, apply all your skills to reverse-engineer custom binary protocols with obfuscation to stay on the trail.

Inspect network traffic and log files to find evidence, malware, or behavior. Reverse engineer unknown binary protocols and dig for covert channels hidden in standard network protocols. Analyze encrypted data to extract keys.

What to expect

Network Archaeology is a self-paced lab class, with intermittent instructor lectures. Some participants may find the first dozen or so labs easy: they are encouraged to proceed through as quickly as they like. The instructors lead occasional “how-to” lectures, starting with the first lab, eventually bringing the class to the same point. Between lectures, instructors traverse the room helping people with labs.

This class is taught using Linux. The instructor will work exclusively with command-line tools, combining them into increasingly powerful ones, but participants can make decent progress using Wireshark (local install) and CyberChef (web-based tool).

Each lab exercise either introduces new concepts or builds on previously presented concepts. Very few people make it through every exercise, and there is no expectation that anyone will “finish” in two days. Many Network Archaeology attendees come back to Cyber Fire to take this class a second or even third time.

Day 1

  • Hexadecimal
  • Network Protocols (HTTP, SMTP, FTP, SSL, DNS)
  • Byte structure of TCP/IP
  • Encoding schemes (Hex, Base64)
  • Examining packet captures
  • Extracting transferred data from packet captures
  • Attack techniques against weak encryption
  • Helpful tools for Network Archaeology

Day 2

  • Entropy as it relates to cryptography
  • Application-layer protocol tunneling
  • Using sequencing meta-information to reconstruct transferred information
  • Analysis and decoding of novel binary protocols with no prior knowledge
  • Attacking novel compression with no prior knowledge
  • Attacking novel weak cryptography with no prior knowledge

Who should attend?

  • Networking engineers
  • Software engineers
  • Applied mathematicians
  • System administrators
  • Site reliability engineers

Is this the right class for me?

This class is broadly interesting to anyone who wants a better understanding of network packet forensic techniques. Even if you don’t intend to engage in this activity in your job, going through the instructor-led exercises will provide insight into challenges facing your organization.

Laptop Configuration

You will need a computer with a modern web browser and a Linux command line. We recommend Ubuntu, either as your native OS or in a virtual machine.

You should have the following packages pre-installed:

  • wireshark
  • tcpflow
  • tcpdump
  • python3
  • A C build toolchain:
    • apt install build-essential on Ubuntu / Debian / Mint
    • yum groupinstall 'Development Tools' on Red Hat / CentOS

We will not be able to help anyone configure their computer, so please arrive with a properly set up machine.

Other Operating Systems

If you really know what you’re doing, you can complete this class with macOS or Windows. Be prepared to figure out your OS quirks on your own, however. Windows users should be prepared to write a lot of code, as our command-line recipes won’t work at all on Windows.