hack3rs.ca network-security
/labs/pcap-http-tls-investigation :: guide

student@hack3rs:~$ cat pcap-http-tls-investigation-lab.md

PCAP Investigation Lab: DNS + TCP + TLS + HTTP (Beginner Case Study)

Level: Beginner · Study time: 30-60 min · Last reviewed: 2026-02-26

Learn to reconstruct a session from DNS resolution through TCP/TLS/HTTP using packet evidence, field extraction, and disciplined note-taking.

prerequisites

  • Use only systems and networks you own or are explicitly authorized to test.
  • Basic familiarity with networking and logs.
  • Willingness to document evidence and assumptions.

1. Case Study Goal

Reconstructing what happened on the wire and explaining it clearly is a core defender skill. In this lab, you trace one session across DNS resolution, the TCP handshake, TLS negotiation, and HTTP request and response.

Use a sample pcap or a capture from your own lab. The objective is not to find malware. It is to prove normal and abnormal behavior using packet evidence and explain your reasoning.

Write your questions down before opening the pcap: which host initiated the connection, which names resolved, did the TCP handshake complete, did TLS negotiate successfully, and what HTTP path or status codes appeared. Answering those questions in order is the analysis workflow.

2. Workflow: Scope, Extract, Inspect, Explain

Start with TShark to identify what protocols are present and get a timing overview. Then extract DNS query names and TLS SNI fields. Then open Wireshark to inspect the relevant streams, check retransmissions, and follow the HTTP request and response sequence.

Note your capture point and its blind spots. Packet evidence is only valid for traffic visible at the collection point. Missing context from an encrypted segment or a different network path is important to acknowledge, not ignore.

End the lab by writing a short timeline: DNS query, DNS response, TCP handshake, TLS handshake, HTTP request, HTTP response, any retries or errors. A timeline turns raw packets into a defensible narrative.

3. How This Transfers to Real Work

This workflow supports phishing investigations, suspicious callback validation, TLS failure troubleshooting, and verifying whether an IDS alert matches real protocol behavior. The session reconstruction skill is reused constantly.

The transferable habit is moving from raw packets to a clear narrative with timestamps and evidence — not memorizing display filter syntax.

Repeat the lab with a successful session and a failed session side by side. Seeing the difference between a clean TLS handshake and one that fails at certificate validation, or a complete TCP stream versus a reset, makes the normal baseline concrete.

pcap-lab-checklist

  • Identify source and destination hosts and the time window before filtering.
  • Extract DNS query names and TLS SNI fields with TShark.
  • Follow the relevant TCP stream in Wireshark and note the HTTP exchange.
  • Record any anomalies: retransmissions, resets, unexpected status codes, certificate issues.
  • Write a session timeline and a confidence-backed conclusion.

how-to-workflow

  1. Define the packet-analysis questions (DNS, TCP, TLS, HTTP sequence and outcomes).
  2. Scope the capture by host and time window.
  3. Use TShark to summarize protocols and extract DNS/TLS metadata.
  4. Use Wireshark to inspect relevant streams and verify sequence details.
  5. Write a timeline from DNS resolution through HTTP response.
  6. Document normal vs anomaly clues and a confidence-backed conclusion.
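As an added example (not part of the lab), steps 3 to 6 of the workflow above in Python: it parses the tab-separated output of the TShark command named in the comment (the field names are real TShark fields; the sample rows are constructed) into a time-ordered timeline and lists the anomalies the checklist asks you to record. It assumes the HTTP columns are populated, which is only true when the stream is plaintext or TShark can decrypt it from a key log (the tls.keylog_file preference).

```python
# Added example (not from the lab): tshark field output -> session timeline + anomaly list.
# Column order matches this tshark command (all real tshark field names):
#   tshark -r capture.pcap -T fields -E separator=/t -e frame.time_relative -e ip.src -e ip.dst \
#     -e tcp.stream -e dns.flags.response -e dns.qry.name -e tcp.flags.syn -e tcp.flags.ack \
#     -e tcp.flags.reset -e tcp.analysis.retransmission -e tls.handshake.type \
#     -e tls.handshake.extensions_server_name -e http.request.method -e http.request.uri -e http.response.code
FIELDS = ["t", "src", "dst", "stream", "dns_resp", "dns_name", "syn", "ack", "rst",
          "retrans", "tls_hs", "sni", "method", "uri", "status"]
# Constructed sample (not a real capture; trailing empty columns trimmed, the parser pads them):
# DNS lookup, TCP handshake, TLS hellos, GET answered with 404, one retransmission, then a RST.
SAMPLE = "\n".join([
    "0.000\t10.0.0.5\t10.0.0.1\t\t0\texample.test",
    "0.012\t10.0.0.1\t10.0.0.5\t\t1\texample.test",
    "0.015\t10.0.0.5\t203.0.113.9\t3\t\t\t1\t0\t0",
    "0.030\t203.0.113.9\t10.0.0.5\t3\t\t\t1\t1\t0",
    "0.032\t10.0.0.5\t203.0.113.9\t3\t\t\t0\t1\t0\t\t1\texample.test",
    "0.050\t203.0.113.9\t10.0.0.5\t3\t\t\t0\t1\t0\t\t2,11,14",
    "0.060\t10.0.0.5\t203.0.113.9\t3\t\t\t0\t1\t0\t\t\t\tGET\t/login",
    "0.260\t10.0.0.5\t203.0.113.9\t3\t\t\t0\t1\t0\t1",
    "0.300\t203.0.113.9\t10.0.0.5\t3\t\t\t0\t1\t0\t\t\t\t\t\t404",
    "0.310\t203.0.113.9\t10.0.0.5\t3\t\t\t0\t0\t1",
])

def classify(r: dict) -> str:
    on = lambda v: v in ("1", "True")  # booleans print as 1/0 or True/False depending on tshark version
    hs = r["tls_hs"].split(",")        # one TLS record can carry several handshake messages
    if r["dns_name"]: return f"DNS {'response' if on(r['dns_resp']) else 'query'} {r['dns_name']}"
    if on(r["rst"]):  return f"TCP RST stream {r['stream']}"
    if on(r["syn"]):  return "TCP SYN/ACK" if on(r["ack"]) else "TCP SYN"
    if r["retrans"]:  return f"TCP retransmission stream {r['stream']}"  # any non-empty value = flagged
    if "1" in hs:     return f"TLS ClientHello SNI={r['sni']}"
    if "2" in hs:     return "TLS ServerHello"
    if r["method"]:   return f"HTTP {r['method']} {r['uri']}"
    if r["status"]:   return f"HTTP response {r['status']}"
    return ""  # plain ACK/data segments are not timeline events

def build_timeline(text: str) -> list:
    events = []
    for line in filter(None, text.splitlines()):
        vals = line.split("\t") + [""] * len(FIELDS)  # pad short rows; zip drops the surplus
        label = classify(dict(zip(FIELDS, vals)))
        if label:
            events.append((float(vals[0]), f"{vals[1]} -> {vals[2]}", label))
    return sorted(events)  # capture order is not guaranteed to be time order

def anomalies(events: list) -> list:
    """Retransmissions, resets and HTTP error statuses, ready for the notes file."""
    return [f"{t:.3f} {l}" for t, _, l in events if "retransmission" in l or "RST" in l
            or (l.startswith("HTTP response") and int(l.split()[-1]) >= 400)]
```

Print `build_timeline(SAMPLE)` row by row to get the DNS, TCP, TLS, HTTP sequence the lab asks for, and `anomalies(...)` for the clues to carry into the conclusion.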
