explaingit

will75g/soc-day18-network-traffic-analysis-wireshark-lab

Analysis updated 2026-06-24

0Audience · ops devopsComplexity · 1/5Setup · easy

TLDR

Writeup of a SOC Tier 1 lab using Wireshark to investigate a simulated NetSupport RAT beacon, with screenshots, IOCs, MITRE ATT&CK mapping, and response actions.

Mindmap

mindmap
  root((wireshark-lab))
    Inputs
      PCAP file
      Alert details
    Outputs
      Incident report
      IOC table
      MITRE mapping
    Use Cases
      SOC Tier 1 practice
      Portfolio writeup
      Wireshark training
    Tech Stack
      Wireshark
      Markdown
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Study a worked example of triaging a RAT beacon alert using Wireshark display filters.

USE CASE 2

Reuse the report structure as a template for your own SOC Tier 1 lab writeups.

USE CASE 3

Practice mapping observed activity to MITRE ATT&CK technique IDs like T1219.

What is it built with?

WiresharkMarkdown

How does it compare?

will75g/soc-day18-network-traffic-analysis-wireshark-lab0xhassaan/nn-from-scratch0xzgbot/hermes-comfyui-skills
Stars000
LanguagePython
Setup difficultyeasymoderateeasy
Complexity1/54/51/5
Audienceops devopsdeveloperdesigner

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 30min

Reading-only lab, needs Wireshark installed if you want to follow along with a PCAP.

License is not stated in the available content.

In plain English

This repository is a learning exercise written up as if it were a real incident report from a security operations center. The author calls it Day 18 of a SOC Tier 1 series, and the topic is network traffic analysis using Wireshark, which is a free tool for inspecting captured network packets. The lab walks through a packet capture file as a step-by-step investigation, with screenshots at every stage. The scenario in the writeup is a remote access trojan, known as NetSupport Manager RAT, talking to an outside server. The fictional alert points the analyst at an external IP address, and the analyst then loads the packet capture in Wireshark to confirm what is going on. By filtering on that IP, the writeup shows 550 suspicious packets making HTTP POST requests to a path called /fakeurl.htm over TCP port 443, at regular intervals, which the report calls beaconing. The analyst then uses DHCP packets to figure out which machine inside the network is making those calls. The DHCP records tie the IP address to a hostname, a username, and a MAC address, so the affected device can be physically located and isolated. The report also covers DNS queries from the same host, and uses Wireshark's conversation statistics to summarize how much traffic went where, including some traffic to the domain controller that the report concludes is normal. The rest of the document is structured like a real handover artifact. There is a table of indicators of compromise, a mapping of the activity to MITRE ATT&CK technique IDs such as T1219 for remote access software, a list of SOC analyst findings, and a list of response actions like isolating the host and blocking the malicious IP at the firewall. The closing section is a short analyst insight on why packet capture analysis is a useful skill. The README does not list a license.

Copy-paste prompts

Prompt 1
Walk me through the Wireshark filters used in the WiLL75G soc-day18 lab to find the NetSupport RAT beaconing traffic.
Prompt 2
Turn the soc-day18 report structure into a reusable Markdown template for future SOC Tier 1 investigation writeups.
Prompt 3
Explain how DHCP packets in the soc-day18 lab were used to attribute the malicious IP to a specific host and user.
Prompt 4
Generate a new SOC Day 19 lab in the same style focused on DNS tunneling detection.

Frequently asked questions

What is soc-day18-network-traffic-analysis-wireshark-lab?

Writeup of a SOC Tier 1 lab using Wireshark to investigate a simulated NetSupport RAT beacon, with screenshots, IOCs, MITRE ATT&CK mapping, and response actions.

What license does soc-day18-network-traffic-analysis-wireshark-lab use?

License is not stated in the available content.

How hard is soc-day18-network-traffic-analysis-wireshark-lab to set up?

Setup difficulty is rated easy, with roughly 30min to a first successful run.

Who is soc-day18-network-traffic-analysis-wireshark-lab for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.