CSX Packet Analysis Course

Leverage packets to characterize networks, devices, and people!

Difficulty: Beginner

CSF Domain: Identify


Price represents the non member rate.

Buy now


The Cybersecurity Nexus (CSX) Packet Analysis Course (CPAC) provides students an understanding of packet and protocol analysis. Students will work with real network traffic captures in real environments and will analyze different communication types and their components. Upon completion, students will be able to passively analyze packet captures and create network topologies and device characterizations – valuable traits in the cybersecurity field.

Continuing Professional Education (CPE) Credit Count: 16


Lesson What is Packet Analysis?

  • Gain familiarization with the OSI model
  • Understand the role of packets in online communications
  • Identify when the application of packets is appropriate
  • Understand the basic composition of a packet

Lesson Tools of the Trade

  • Understand the basics of tapping the network
  • Understand the options available for packet analysis software
  • Demonstrate a basic understanding of Wireshark and its capabilities

Lesson Common Protocols

  • Understand the definition of protocol
  • Understand the definition of port
  • Understand specific protocols which help conduct packet analysis
  • Identify which protocols are helpful for device characterization
  • Identify which protocols are helpful for network mapping

Lesson Data Manipulation

  • Understand where to find packets
  • Understand how to capture packets in Wireshark
  • Understand how to filter certain types of data

Lab/Instructional Protocol Parsing

Students will leverage Wireshark to identify basic information from a packet capture.

Lab/Instructional ARP Analysis

Students will leverage Wireshark to identify dissect and understand ARP packets.

Lab/Instructional Initial Connection

Students will leverage Wireshark to identify dissect and understand the type of network activity associated with Internet Control Messaging Protocol (ICMP) and traceroute activity.

Lesson Device Characterization

  • Understand what types of devices emit packets
  • What unique identifiers those devices have
  • How to find those unique emitters in a packet collection
  • How to characterize those devices

Lab/Instructional Interesting Searches

Students will learn how to conduct packet analysis to identify the types of searches which devices are executing on their network.

Lab/Challenge Additional Pets

Based on what students have learned, thus far, they are challenged to conduct preliminary analysis on a provided packet capture in order to ascertain information about the device and individual using it.

Lab/Instructional GET Request and Response Dissection

Understanding the user-agent affiliated with devices allow analysts to assess what kind of devices are on their network of responsibility. This course will show students how to properly evaluate a user-agent and characterize a system. Additionally, it will illustrate how to gain contextual information from GET Requests and server responses.

Lab/Challenge Nefarious Employee

Using the skills learned thus far in the course, students will characterize the traffic and device of a potentially nefarious employee, suspected of selling company secrets.

Lab/Instructional Playing Around

This lab leverages all of the Wireshark filters and methods presented in the course thus far to show a student how to characterize network traffic and an individual on the network.

Lesson Wireless Packets

  • Understand the wireless medium on a basic level
  • Understand how to collect wireless packets
  • Understand how to analyze wireless packets

Lab/Instructional Probe Request Analysis

This lab leverages demonstrates how to analyze a probe request. Students learn what key information can be pulled out of a probe request about a device and a wireless network.

Lab/Challenge Beacon Analysis

This lab leverages requires students to leverage the skills and filters learned in the probe request lab and use them to analyze a captured beacon packet.

Lesson Network Topology

  • Understand how to map networks based off packet collection
  • Corroborate dataflow and protocol usage
  • Create a visual network map of the collected data

Lab/Instructional Network Topology

Understanding how to create a network map from a provided packet capture is important for individuals desiring to gain a better understanding of a network, but are prohibited from disrupting the network by introducing packets into the medium.

Lab/Instructional Wireless Network Topology

Using the skills you have learned so far, create a network topology (netmap) of the network in the provided packet capture. Successful completion of the lab will demonstrate the comprehension of all labs up to this point.

Lesson Threat Analysis

  • Understand specific threats against a network
  • Comprehend unique traits inherent to defined threats
  • Understand how to identify specific threats via packet analysis

Lab/Instructional Blaster Worm Analysis

Understanding how systems become infected and recognizing affiliated packets is an important skill for incident responders and IT personnel. In this lab, students will analyze a Blaster worm infection's affiliated packets.

Lesson Mobile Analysis

  • Identify mobile devices via packet analysis
  • Identify mobile apps via packet analysis
  • Understand how these systems are inherently vulnerable
  • Identify methods through which they may be exploited

Lab/Challenge Rouge AP and Mobile Analysis

Students will identify and characterize the rouge access point that is connected to a network of responsibility. They will also assess the traffic on the access point to determine what type of device is using it and what that device is doing.

Lesson Brining it All Together

  • Device Characterization
  • Mobile Identification
  • Netmapping
  • Wireless Assessment
  • Attack Recognition

Lab/Challenge Complete Netmap and Device Characterization

Students will leverage all of the skills learned in this course to provide in-depth analysis of a provided capture. Final submissions will include a complete network topology and a fully characterized device.