student@hack3rs:~$ cat pcap-http-tls-investigation-lab.md
PCAP Investigation Lab: DNS + TCP + TLS + HTTP (Beginner Case Study)
Learn to reconstruct a session from DNS resolution through TCP/TLS/HTTP using packet evidence, field extraction, and disciplined note-taking.
Prerequisites
- Use only systems and networks you own or are explicitly authorized to test.
- Basic familiarity with networking and logs.
- Willingness to document evidence and assumptions.
1. Case Study Goal
This lab teaches a core defender skill: reconstructing what happened on the wire and explaining it clearly. You will map one session across DNS, TCP handshake behavior, TLS negotiation, and HTTP requests/responses.
Use a sample PCAP or lab capture. The objective is not to find malware. The objective is to learn how to prove normal and abnormal behavior using packet evidence.
Write down the questions first: which host initiated, which names resolved, whether the TCP handshake completed, whether TLS negotiated, and what HTTP path or status codes appeared.
2. Workflow: Scope -> Extract -> Inspect -> Explain
Start with TShark summaries to identify protocols and timing. Then extract DNS names and TLS SNI/certificate clues. Finally use Wireshark for deep inspection of streams, retransmissions, and request/response sequence.
As you work, note capture location and blind spots. Packet evidence is powerful, but only for traffic visible at the collection point. This is a core habit for trustworthy analysis.
End by writing a short timeline: DNS query, DNS response, TCP handshake, TLS handshake, HTTP request, HTTP response, plus any retries/errors.
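A small post-processing step for the TShark stage, added here as an example and not part of the lab: it assumes the fields were extracted with `tshark -r lab.pcap -T fields -E separator='|' -e frame.time_relative -e tcp.stream -e ip.src -e dns.flags.response -e dns.qry.name -e dns.a -e tcp.flags -e tls.handshake.type -e tls.handshake.extensions_server_name -e http.request.method -e http.request.uri -e http.response.code` (the lab names no command; the hosts, names and timings in the sample rows are constructed). It turns those rows into the DNS, TCP, TLS, HTTP timeline the lab asks for and flags streams whose handshake never received a SYN-ACK.

```python
"""Session timeline from tshark '-T fields' output (added example; see the lead-in for the -e field order)."""
FIELDS = "t stream src dns_resp qname dns_a flags tls_type sni method uri status".split()
SYN, ACK = 0x02, 0x10
# Constructed rows: one resolved name, a TLS session (stream 0), a plain HTTP session (stream 1), an unanswered SYN (stream 2).
SAMPLE = """0.000||10.0.0.5|0|example.test
0.012||10.0.0.53|1|example.test|203.0.113.10
0.020|0|10.0.0.5||||0x0002
0.045|0|203.0.113.10||||0x0012
0.050|0|10.0.0.5||||0x0018|1|example.test
0.080|0|203.0.113.10||||0x0018|2,11,14
0.300|1|10.0.0.5||||0x0002
0.320|1|203.0.113.10||||0x0012
0.330|1|10.0.0.5||||0x0018|||GET|/index.html
0.360|1|203.0.113.10||||0x0018|||||200
1.000|2|10.0.0.5||||0x0002"""

def parse_rows(text, sep="|"):
    """Map each row onto FIELDS; the padding keeps short or truncated rows parseable."""
    return [dict(zip(FIELDS, v + [""] * len(FIELDS))) for v in (line.split(sep) for line in text.splitlines())]

def build_timeline(rows):
    """Return (events sorted by time, per-stream state) covering DNS, TCP, TLS and HTTP."""
    events, streams = [], {}
    for r in rows:
        t, sid = float(r["t"]), r["stream"]
        if r["qname"]:  # DNS rows carry no tcp.stream; dns.flags.response prints 0/1 or False/True
            kind = "DNS response" if r["dns_resp"] in ("1", "True") else "DNS query"
            events.append((t, f"{kind} {r['qname']} {r['dns_a']}".rstrip()))
            continue
        s = streams.setdefault(sid, {"syn": 0, "synack": False, "sni": "", "tls_ok": False})
        flags = int(r["flags"], 16) if r["flags"] else 0  # tshark prints tcp.flags as hex, e.g. 0x0012
        types = r["tls_type"].split(",")  # one TLS record may carry several handshake messages
        msg = ""
        if flags & SYN and flags & ACK:
            s["synack"], msg = True, f"SYN-ACK from {r['src']}"
        elif flags & SYN:
            s["syn"], msg = s["syn"] + 1, f"SYN from {r['src']}"
        elif "1" in types:  # ClientHello
            s["sni"], msg = r["sni"], f"TLS ClientHello SNI={r['sni']}"
        elif "2" in types:  # ServerHello
            s["tls_ok"], msg = True, "TLS ServerHello"
        elif r["method"] or r["status"]:
            msg = "HTTP " + (f"{r['method']} {r['uri']}".strip() or r["status"])
        if msg:
            events.append((t, f"stream {sid} {msg}"))
    return sorted(events), streams

def incomplete_handshakes(streams):
    """Streams with a SYN but no SYN-ACK: the lab's 'did the handshake complete?' check."""
    return sorted(sid for sid, s in streams.items() if s["syn"] and not s["synack"])
```

Remember that an unanswered SYN only proves the reply was not seen at the capture point, which is exactly the blind-spot note the lab asks you to record.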
3. How This Transfers to Real Incidents
This exact workflow supports phishing triage, suspicious callback validation, troubleshooting TLS failures, and verifying whether an IDS alert matches real protocol behavior.
The key transferable skill is not the tool syntax. It is the ability to move from raw packets to a defendable narrative with timestamps and evidence.
Repeat the same lab with a successful session and a failed session so you learn the difference between normal failure modes and suspicious anomalies.
PCAP Lab Checklist
- Identify source/destination hosts and time window.
- Extract DNS and TLS metadata with TShark.
- Inspect the relevant stream(s) in Wireshark.
- Document normal vs anomaly clues.
- Write a timeline and confidence-backed conclusion.
How-To Workflow
- Define the packet-analysis questions (DNS, TCP, TLS, HTTP sequence and outcomes).
- Scope the capture by host and time window.
- Use TShark to summarize protocols and extract DNS/TLS metadata.
- Use Wireshark to inspect relevant streams and verify sequence details.
- Write a timeline from DNS resolution through HTTP response.
- Document normal vs anomaly clues and a confidence-backed conclusion.