analyzing-network-traffic-of-malware
Analyzing Network Traffic of Malware
When to Use
- Sandbox execution has captured a PCAP file and the network behavior needs detailed analysis beyond the sandbox's own connection summary
- Identifying the C2 protocol structure (framing, encoding, beacon interval) so that network detection signatures can be written against it
- Determining what data the malware exfiltrates and to which external infrastructure (IPs, domains, ports, hosting providers)
- Analyzing DNS tunneling, domain generation algorithms (DGA), or fast-flux behavior (query-name length and entropy, NXDOMAIN volume, short-TTL resolution churn)
- Creating Suricata/Snort signatures based on observed malware network patterns, and replaying the PCAP against them before deployment
Do not use for host-based analysis of malware behavior; use Cuckoo sandbox reports or Volatility memory analysis for process-level activity.
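The following is an added example for the DNS-focused cases above (tunneling, DGA, signature drafting); it is not part of this skill's files or of any sandbox product. It builds a small constructed libpcap file in memory (three DNS queries, RFC 2606 example domains plus two made-up suspicious names), parses it with only the standard library, scores each query name with illustrative entropy/length thresholds (assumptions, not tuned detections), and drafts a Suricata `dns.query` rule per hit. Assumed: classic pcap with Ethernet link type, no public-suffix list (the registered domain is approximated as the label left of the TLD), placeholder SIDs from 1000001, and the `endswith` content modifier, which requires Suricata 5 or later.

```python
"""DNS triage of a sandbox PCAP: extract query names, score each for DGA-like and
tunneling-like traits, draft a Suricata dns.query rule per hit. Stdlib only."""
import math
import socket
import struct
from collections import Counter

SAMPLE_QUERIES = [  # constructed names, not from a real sample
    "www.example.com",
    "xk3j9qz2lm8vb4wn.net",                                     # DGA-style registered domain
    "mfrggzdfmztwq2lknnwg23tpobyxe43uor4hk3tqnfxgs3lnmuqg.t.example.net",  # tunnel-style label
]

def encode_qname(name):
    """DNS wire form: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def dns_query_frame(qname, src="10.0.0.5", dst="10.0.0.1", txid=0x1234):
    """Ethernet/IPv4/UDP/DNS A query; checksums stay zero (the parser ignores them)."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_qname(qname) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 53000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + udp
    return bytes.fromhex("001122334455 66778899aabb 0800") + ip

def build_sample_pcap():
    """Classic libpcap container: little-endian magic, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, q in enumerate(SAMPLE_QUERIES):
        frame = dns_query_frame(q, txid=0x1000 + i)
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def decode_qname(data, off):
    """Question names are never compressed, so a pointer label (top bits 11) is an error."""
    labels = []
    while (n := data[off]) != 0:
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels)

def iter_dns_queries(pcap):
    """Yield (src_ip, dst_ip, qname) for every IPv4/UDP port-53 packet with QR=0."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap (nanosecond pcap and pcapng are out of scope)")
    pos = 24                                             # skip the global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        pkt, pos = pcap[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len
        if len(pkt) < 42 or pkt[12:14] != b"\x08\x00" or pkt[23] != 17:
            continue                                     # not IPv4-over-Ethernet carrying UDP
        udp = pkt[14 + (pkt[14] & 0x0F) * 4:]            # honour IHL in case of IP options
        if len(udp) < 21 or 53 not in struct.unpack("!HH", udp[:4]):
            continue
        flags, qdcount = struct.unpack("!HH", udp[10:14])  # DNS header starts at UDP offset 8
        if flags & 0x8000 or qdcount == 0:
            continue                                     # a response, or no question section
        yield socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34]), decode_qname(udp, 20).lower()

def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def classify(qname):
    """Illustrative thresholds, not tuned detections; the registered domain is taken as
    the label left of the TLD (no public-suffix list here)."""
    labels = qname.split(".")
    sld, sub, tags = (labels[-2] if len(labels) > 1 else ""), "".join(labels[:-2]), set()
    if len(sld) >= 12 and shannon_entropy(sld) >= 3.5:     # random-looking registered domain
        tags.add("dga-like")
    if len(sub) >= 40 and shannon_entropy(sub) >= 3.5:     # long high-entropy subdomain payload
        tags.add("tunnel-like")
    return tags

def suricata_rule(domain, sid, suffix):
    """dns.query sticky buffer; endswith needs Suricata 5+. sid is a local placeholder."""
    match = f'content:".{domain}"; nocase; endswith;' if suffix else f'content:"{domain}"; nocase;'
    return (f'alert dns any any -> any any (msg:"Sandbox-observed suspicious DNS query to {domain}"; '
            f'dns.query; {match} sid:{sid}; rev:1;)')

def analyze(pcap, first_sid=1000001):
    """Map each distinct query name to its tags plus a draft rule when flagged."""
    report, sid = {}, first_sid
    for src, dst, qname in iter_dns_queries(pcap):
        if qname in report:
            continue
        tags = classify(qname)
        entry = {"src": src, "dst": dst, "tags": sorted(tags), "rule": None}
        if tags:  # tunnel payload labels rotate, so match the parent zone; DGA names rotate
            suffix = "tunnel-like" in tags  # too, so a single-name rule is only a stopgap here
            entry["rule"] = suricata_rule(".".join(qname.split(".")[-3 if suffix else -2:]), sid, suffix)
            sid += 1
        report[qname] = entry
    return report
```

Run it with `analyze(build_sample_pcap())`, or feed `open("capture.pcap", "rb").read()` from a sandbox run; in practice the hand-rolled parser would be replaced by scapy or `tshark -T fields`, but the scoring and rule-drafting logic stays the same. Two caveats a practitioner should keep in mind: the length/entropy thresholds will flag legitimate high-entropy names (CDN hostnames, DKIM selectors, some cloud service labels), so treat the tags as triage hints to confirm against NXDOMAIN rates and resolution churn; and a content rule for one DGA domain covers only the names seen in this capture, so durable DGA coverage needs the algorithm's seed and generator, not a list of observed strings.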