Network Investigation Methodology for SOC Analysts, IR Practitioners, and Detection Engineers Working with PCAP, Zeek, and Suricata

Aligned to MITRE ATT&CK · Sigma rules · RFC 1035 / 4253 · Mandiant tradecraft

Network Detection and Forensics

Read the network evidence that survives when everything else is destroyed.

Capture, analyze, and investigate network traffic for security operations. DNS analysis, HTTP/HTTPS inspection, SMB protocol forensics, SSH tunneling detection, C2 beacon identification, and Suricata signature writing. Build a network security monitoring sensor, analyze packet captures for evidence of compromise, detect data exfiltration, and reconstruct attack timelines from network evidence.

What you'll deploy
Zeek + Suricata detection pipeline deployed on your own sensor
5 full network investigation scenarios with PCAP datasets
C2 beacon detection, lateral movement tracking, and exfiltration proof
Network forensic timeline reconstruction from protocol-level evidence
NETWORK EVIDENCE — THE INVESTIGATION BACKBONE
DNS   microsft-verify[.]com → 203.0.113.88 (first seen 09:14:22)
TLS   JA3: e7d705a3... | CN=microsft-verify.com | Let's Encrypt
C2    847 connections | 60s interval | 10% jitter | Cobalt Strike beacon
SMB   PsExec: IT03 → FIN01 → FS01 | ADMIN$ | PSEXESVC.exe deployed
EXFIL 12.1 GB via rclone → Tor relay | detected in NetFlow volume
Complete Attack Chain — From DNS to Exfiltration
15 modules · 5 NE investigation scenarios · Zeek + Suricata + Wireshark
Reconstructed entirely from network evidence

What you'll be able to do

Capture and analyze network traffic for evidence of compromise
Detect DNS tunneling, C2 beaconing, and data exfiltration in packet captures
Write Suricata signatures for custom network detection
Reconstruct attack timelines from network evidence
Build and operate a network security monitoring sensor
Premium tier | 15 modules across 4 phases | 36–40 hours at your own pace | 40 CPE credits | 2 free modules — no account needed | Updated May 2026

Who this course is for

“The endpoint logs were wiped but we have the PCAPs.” When the attacker clears event logs and destroys disk evidence, network captures are the evidence source that survives. This course teaches you to reconstruct the attack chain from DNS, TLS, SMB, and NetFlow data — the evidence the attacker can't reach.

“I can investigate in EDR but I've never analyzed a packet capture.” SOC analysts and IR practitioners who work in Defender XDR and Sentinel but can't read a PCAP. You build the Wireshark analysis workflow for protocol-level investigation and learn to correlate network evidence with endpoint findings.

“I know C2 beacons exist but I can't detect them in traffic.” Beacon interval analysis, jitter detection, JA3 fingerprinting, DNS tunneling identification. You learn to find C2 channels from network evidence using Zeek logs, Suricata rules, and statistical analysis.

“I need to prove data left the building.” Exfiltration proof from network evidence: volume analysis, protocol anomalies, upload/download ratios, encrypted tunnel identification. The network data that proves data was stolen when endpoint forensics can't.

“I want to deploy Zeek and Suricata but I've never set up an NSM sensor.” You build the complete network security monitoring stack in your lab: Zeek for metadata and logging, Suricata for signature-based detection, deployed together on a sensor you configure and operate.

“I investigate from endpoints and identity logs but I'm missing the network perspective.” The capstone uses the same Northgate Engineering incidents as the IR and Linux IR courses. Complete all three and you investigate from endpoint, network, and identity — the three legs of the DFIR stool.

Whatever your background — if the subject interests you and you're willing to put in the work, this course is for you.

Before and after this course

Before

Someone says “check the PCAPs” and you open Wireshark, see 200,000 packets, and don't know where to start.

The attacker deleted endpoint logs. Your investigation stalls because network evidence exists but nobody on the team can analyze it.

You know the attacker exfiltrated data because they said so in the ransom note. You can't prove it from evidence — not the volume, not the destination, not the protocol.

Your network monitoring is a firewall log. No PCAP, no Zeek, no Suricata. When you need network evidence, it doesn't exist.

After

You filter by protocol, follow the TCP stream, identify the C2 channel, and extract the payload. 200,000 packets become a 15-minute investigation because you know what to look for.

Endpoint logs are gone. You reconstruct the attack chain from DNS queries, TLS handshakes, SMB lateral movement, and NetFlow volumes. Network evidence is your primary source.

You prove exfiltration: 12.1 GB over rclone to a Tor relay, visible in NetFlow volume analysis, confirmed by Zeek conn.log byte counts. Evidence that survives legal scrutiny.

Zeek and Suricata running on a sensor you built. DNS, TLS, HTTP, and SMB metadata logging continuously. When the incident happens, network evidence already exists.

How the course works

Four phases build from packet fundamentals through protocol analysis to full investigation scenarios:

Phase 1
Foundations

Packet anatomy, capture methodology, Wireshark workflow, Zeek and Suricata deployment, NSM sensor architecture.

Phase 2
Protocol Analysis

DNS investigation, HTTP/HTTPS deep analysis, TLS fingerprinting (JA3), SMB forensics, SSH tunnel detection.

Phase 3
Detection & Hunting

C2 beacon detection, lateral movement tracking, exfiltration identification, Suricata rule writing, encrypted traffic analysis.

Phase 4
Investigation

5 Northgate Engineering scenarios, multi-protocol correlation, timeline reconstruction, forensic reporting, capstone investigation.

What the content looks like

This is a real Zeek query from the C2 detection module. You're analyzing conn.log to find beaconing patterns — connections that are too regular for human activity and too periodic for legitimate applications.

Zeek / Bash — From Module 10: C2 Beacon Detection
# Extract beaconing candidates from Zeek conn.log
# Count connections per src/dst/port triple; the interval statistics
# are then computed from the timestamps of the top-ranked pairs
zeek-cut ts id.orig_h id.resp_h id.resp_p < conn.log |
  awk '{print $2, $3, $4}' |
  sort | uniq -c | sort -rn | head -20
# Top result: 847 connections to 203.0.113.88:443
# 847 connections over 14 hours = ~60 second interval
# Consistent interval + port 443 + LE cert = C2 beacon candidate

847 connections at ~60-second intervals to a Let's Encrypt certificate on a newly registered domain. The module teaches you to identify the pattern, correlate with dns.log and ssl.log to confirm the infrastructure, and write the Suricata rule that catches the beacon automatically.
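The counting pipeline above ranks pairs by volume; the interval statistics are the next step. The following added example (not course code) parses the Zeek conn.log TSV format, computes the gaps between successive connections per src/dst/port triple, and flags low-jitter pairs as beacon candidates. The log lines, addresses and thresholds are constructed for the example.

```python
"""Beacon-interval analysis over Zeek conn.log (added example, not course code).
Jitter is approximated as the coefficient of variation of the inter-connection
gaps; thresholds (min_conns, max_jitter) are assumed, tune them per network."""
import statistics
from collections import defaultdict

# Constructed conn.log excerpt: one ~60 s beacon with ~10% jitter plus noise.
BASE = 1700000000.0
BEACON_GAPS = [60, 57, 63, 58, 62, 60, 59]
_rows, _t = [], BASE
for _gap in [0] + BEACON_GAPS:
    _t += _gap
    _rows.append(f"{_t:.6f}\t10.0.0.5\t51000\t203.0.113.88\t443\ttcp")
_rows += [f"{BASE + 5:.6f}\t10.0.0.5\t51001\t198.51.100.20\t80\ttcp",
          f"{BASE + 300:.6f}\t10.0.0.5\t51002\t198.51.100.20\t80\ttcp",
          f"{BASE + 312:.6f}\t10.0.0.5\t51003\t198.51.100.20\t80\ttcp"]
CONN_LOG = ("#separator \\x09\n"
            "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
            + "\n".join(_rows) + "\n")


def parse_conn_log(text):
    """Parse Zeek TSV logs: the '#fields' header names the tab-separated columns."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue            # other '#' metadata lines and blanks
        elif fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def beacon_candidates(records, min_conns=5, max_jitter=0.2):
    """Return {(orig_h, resp_h, resp_p): stats} for pairs with regular gaps."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    found = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue            # too few connections to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            found[pair] = {"count": len(times), "mean_interval": mean, "jitter": jitter}
    return found
```

Running `beacon_candidates(parse_conn_log(CONN_LOG))` flags only the 203.0.113.88:443 pair; the three irregular web connections never reach the minimum count.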

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may not redistribute course content or share account credentials.

PCAP files: All packet captures contain fictional data from the Northgate Engineering environment. No real network traffic or real incidents. All IP addresses use RFC 5737 documentation ranges.

Version and changelog

Current version: 2.0  |  Last updated: April 2026

v2.0 (April 2026): Full course — 15 modules (NF0–NF14) across 4 phases. Protocol analysis, detection and hunting, investigation scenarios complete.

v1.0 (April 2026): Initial release. NF0–NF4 (5 modules).

This course is actively maintained as network threat patterns evolve.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes
3 phases
100 points
1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.