A network traffic analysis lab built to demonstrate core SOC analyst skills: passive packet capture, baseline profiling, protocol analysis, malicious traffic detection, and incident reporting.

| Component | Details |
|---|---|
| Platform | PnetLab Open Edition (KVM) |
| Linux Endpoint | Alpine Linux — 192.168.200.10 |
| Windows Endpoint | Windows 10 — 192.168.200.20 |
| Virtual Switch | Cisco IOU L2 |
| Analysis Host | Arch Linux (Wireshark + tcpdump) |
| Capture Bridge | PnetLab VM — 192.168.122.217 |

Note: The lab subnet was reconfigured from 192.168.100.0/24 to 192.168.200.0/24 during Phase 3 to resolve an IP conflict with an external Wi-Fi network.

| Phase | Description | Status |
|---|---|---|
| Phase 1 — Environment Setup | Lab topology, VM configuration, capture pipeline | ✅ Complete |
| Phase 2 — Baseline Traffic Capture | Normal traffic generation and capture | ✅ Complete |
| Phase 3 — Protocol Deep Dive | 8 protocols captured and analyzed: ARP, ICMP, DNS, DHCP, HTTP, FTP, SSH, Traceroute | ✅ Complete |
| Phase 4 — Malicious Traffic Simulation | Attack simulation and capture | ⏳ Next |
| Phase 5 — Comparative Analysis | Baseline vs malicious comparison | ⏳ Pending |
| Phase 6 — Reporting | SOC-style incident report | ⏳ Pending |

| File | Phase | Description |
|---|---|---|
| baseline.pcap.gz | Phase 2 | Full baseline session — 27,370 packets |
| phase3_arp.pcapng | Phase 3 | ARP Request/Reply capture |
| phase3_icmp.pcapng | Phase 3 | ICMP Echo Request/Reply capture |
| phase3_dns.pcap | Phase 3 | DNS Query/Response capture |
| phase3_dhcp.pcapng | Phase 3 | DHCP DORA sequence capture |
| phase3_http.pcap | Phase 3 | HTTP GET/Response plaintext capture |
| phase3_ftp.pcap | Phase 3 | FTP control channel — credentials in plaintext |
| phase3_ssh.pcapng | Phase 3 | SSH encrypted session capture |
| phase3_traceroute.pcap | Phase 3 | ICMP TTL path discovery capture |
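
As an added example (not code from this lab's repository), the script below shows the kind of first-pass triage an analyst would run over captures like the ones listed above: it reads a classic libpcap file with only the Python standard library, tallies frames by protocol for baseline profiling, and flags FTP `USER`/`PASS` commands sent in the clear, which is the finding the `phase3_ftp.pcap` entry records. The sample capture it analyzes is constructed in memory (the lab endpoint addresses 192.168.200.10 and 192.168.200.20 are reused; the MAC addresses, ports, username and password are made-up values).

```python
"""Classic pcap reader: per-protocol tally plus plaintext FTP credential detection.
Added example, not part of the lab repository; standard library only."""
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_PORTS = {21: "FTP", 22: "SSH", 80: "HTTP"}
UDP_PORTS = {53: "DNS", 67: "DHCP", 68: "DHCP"}


def iter_pcap_frames(data):
    """Yield raw Ethernet frames from a classic (not pcapng) pcap held in memory."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"            # little-endian file (the usual case on x86)
    elif magic == 0xD4C3B2A1:
        end = ">"            # big-endian writer
    else:
        raise ValueError("not a classic pcap file (pcapng needs a different reader)")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24                 # global header is 24 bytes
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify(frame):
    """Return (protocol label, L4 payload or None) for one Ethernet/IPv4 frame."""
    if len(frame) < 14:
        return "short", None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_ARP:
        return "ARP", None
    if ethertype != ETHERTYPE_IPV4:
        return "other", None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[14 + 9]
    l4 = 14 + ihl
    if proto == PROTO_ICMP:
        return "ICMP", None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    if proto == PROTO_UDP:
        label = UDP_PORTS.get(dport) or UDP_PORTS.get(sport) or "UDP"
        return label, frame[l4 + 8:]
    if proto == PROTO_TCP:
        doff = (frame[l4 + 12] >> 4) * 4  # TCP data offset in bytes
        label = TCP_PORTS.get(dport) or TCP_PORTS.get(sport) or "TCP"
        return label, frame[l4 + doff:]
    return "IP-other", None


def analyze(data):
    """Tally protocols and collect any plaintext FTP USER/PASS commands seen."""
    counts, findings = Counter(), []
    for frame in iter_pcap_frames(data):
        label, payload = classify(frame)
        counts[label] += 1
        if label == "FTP" and payload:
            for line in payload.split(b"\r\n"):
                if line.upper().startswith((b"USER ", b"PASS ")):
                    findings.append(line.decode("ascii", "replace"))
    return counts, findings


# --- constructed sample capture (made-up MACs, ports and credentials) ---
def _eth(ethertype, payload):
    return bytes.fromhex("0c0000000020") + bytes.fromhex("0c0000000010") + struct.pack("!H", ethertype) + payload

def _ipv4(proto, src, dst, payload):
    # Checksum left as 0; this parser does not verify it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 1024, 0, 0) + payload

def build_sample_pcap():
    """Return a tiny little-endian pcap: one ARP, one ICMP echo, three FTP control segments."""
    alpine, win = bytes([192, 168, 200, 10]), bytes([192, 168, 200, 20])
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes(6) + alpine + bytes(6) + win
    frames = [
        _eth(ETHERTYPE_ARP, arp),
        _eth(ETHERTYPE_IPV4, _ipv4(PROTO_ICMP, alpine, win, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcd")),
        _eth(ETHERTYPE_IPV4, _ipv4(PROTO_TCP, alpine, win, _tcp(40001, 21, b"USER labuser\r\n"))),
        _eth(ETHERTYPE_IPV4, _ipv4(PROTO_TCP, alpine, win, _tcp(40001, 21, b"PASS hunter2\r\n"))),
        _eth(ETHERTYPE_IPV4, _ipv4(PROTO_TCP, win, alpine, _tcp(21, 40001, b"230 Login successful.\r\n"))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    counts, findings = analyze(build_sample_pcap())
    print("protocol tally:", dict(counts))
    for f in findings:
        print("plaintext FTP credential:", f)
```

Run as-is it reports the constructed frames; point `analyze()` at the bytes of a real `.pcap` (for example `phase3_ftp.pcap`) to triage a lab capture. The `.pcapng` files listed above use a different container format, so convert them first with Wireshark's `editcap -F pcap in.pcapng out.pcap` or open them in Wireshark directly; `baseline.pcap.gz` needs to be decompressed before reading.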
