Bird
Raised Fist0
Cybersecurityknowledge~30 mins

Network traffic analysis in Cybersecurity - Mini Project: Build & Apply

Choose your learning style10 modes available
LearnWhyDeepVisualPracticeChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Network Traffic Analysis Basics
📖 Scenario: You are a cybersecurity analyst monitoring network traffic to identify unusual activity. You have captured some network packets and want to organize and analyze them to understand the traffic patterns.
🎯 Goal: Build a simple data structure to represent network packets, configure a filter to select specific traffic, apply the filter to extract relevant packets, and finalize the analysis setup.
📋 What You'll Learn
Create a list of dictionaries representing network packets with exact fields and values
Add a filter variable to select packets from a specific source IP
Use a list comprehension to filter packets based on the source IP
Add a final step to count the filtered packets and store the count in a variable
💡 Why This Matters
🌍 Real World
Network traffic analysis helps cybersecurity professionals monitor and detect unusual or malicious activity on a network by examining packet data.
💼 Career
Understanding how to organize and filter network packets is essential for roles like network analyst, cybersecurity analyst, and IT security specialist.
Progress0 / 4 steps
1
Create the initial network packets data
Create a list called packets containing exactly three dictionaries. Each dictionary should have these keys and values:
1. {'src_ip': '192.168.1.10', 'dest_ip': '10.0.0.5', 'protocol': 'TCP', 'size': 1500}
2. {'src_ip': '192.168.1.15', 'dest_ip': '10.0.0.8', 'protocol': 'UDP', 'size': 850}
3. {'src_ip': '10.0.0.5', 'dest_ip': '192.168.1.10', 'protocol': 'TCP', 'size': 1500}
Cybersecurity
Hint

Use a list with three dictionaries. Each dictionary must have the keys src_ip, dest_ip, protocol, and size with the exact values given.

2
Add a filter for source IP
Create a variable called filter_src_ip and set it to the string '192.168.1.10'. This will be used to select packets coming from this IP address.
Cybersecurity
Hint

Just assign the string '192.168.1.10' to the variable filter_src_ip.

3
Filter packets by source IP
Create a new list called filtered_packets using a list comprehension. It should include only those packets from packets where the src_ip matches the value in filter_src_ip.
Cybersecurity
Hint

Use a list comprehension that loops over packets and includes only packets where packet['src_ip'] == filter_src_ip.

4
Count filtered packets
Create a variable called count_filtered and set it to the number of items in filtered_packets using the len() function.
Cybersecurity
Hint

Use the len() function on filtered_packets and assign it to count_filtered.

Practice

(1/5)
1. What is the main purpose of network traffic analysis?
easy
A. To create new network devices
B. To monitor and understand data flow in a network
C. To increase the physical size of a network
D. To replace all network cables

Solution

  1. Step 1: Understand the role of network traffic analysis

    Network traffic analysis involves watching data packets moving through a network to understand how the network is used.

  2. Step 2: Identify the main goal

    The main goal is to monitor and understand data flow to keep the network safe and efficient.

  3. Final Answer:

    To monitor and understand data flow in a network -> Option B

  4. Quick Check:

    Network traffic analysis = monitor data flow [OK]
Hint: Think about what watching data packets achieves [OK]
Common Mistakes:
  • Confusing analysis with physical network building
  • Thinking it creates devices
  • Assuming it changes network size
2. Which of the following is a common tool used in network traffic analysis?
easy
A. Wireshark
B. Photoshop
C. Excel
D. WordPress

Solution

  1. Step 1: Identify tools related to network traffic

    Wireshark is a well-known tool designed to capture and analyze network packets.

  2. Step 2: Eliminate unrelated tools

    Photoshop is for images, Excel for spreadsheets, and WordPress for websites, none analyze network traffic.

  3. Final Answer:

    Wireshark -> Option A

  4. Quick Check:

    Network analysis tool = Wireshark [OK]
Hint: Pick the tool known for packet capture [OK]
Common Mistakes:
  • Choosing software unrelated to networks
  • Confusing general software with analysis tools
  • Not recognizing Wireshark
3. Consider this simplified network traffic log snippet:
Time: 10:00, Source IP: 192.168.1.5, Destination IP: 10.0.0.2, Protocol: TCP, Size: 1500 bytes
What does this entry tell you?
medium
A. A TCP packet of 1500 bytes was sent from 192.168.1.5 to 10.0.0.2 at 10:00
B. A UDP packet of 1500 bytes was sent from 10.0.0.2 to 192.168.1.5 at 10:00
C. A TCP packet of 1500 bytes was sent from 10.0.0.2 to 192.168.1.5 at 10:00
D. A TCP packet of 1500 bytes was sent from 192.168.1.5 to 10.0.0.2 at 11:00

Solution

  1. Step 1: Read the log details carefully

    The log shows a packet sent at 10:00 from source IP 192.168.1.5 to destination IP 10.0.0.2 using TCP protocol with size 1500 bytes.

  2. Step 2: Match details with options

    A TCP packet of 1500 bytes was sent from 192.168.1.5 to 10.0.0.2 at 10:00 matches all details exactly. Other options have wrong protocol, IP direction, or time.

  3. Final Answer:

    A TCP packet of 1500 bytes was sent from 192.168.1.5 to 10.0.0.2 at 10:00 -> Option A

  4. Quick Check:

    Match log details exactly = A TCP packet of 1500 bytes was sent from 192.168.1.5 to 10.0.0.2 at 10:00 [OK]
Hint: Match source, destination, protocol, and time exactly [OK]
Common Mistakes:
  • Mixing up source and destination IPs
  • Confusing TCP with UDP
  • Misreading the timestamp
4. A network analyst wrote this filter to capture only HTTP traffic:
tcp.port == 80
But it captures no packets. What is the likely error?
medium
A. The filter should be 'tcp.port != 80'
B. The filter should be 'udp.port == 80' instead
C. The filter should be 'tcp.port = 80' with one equal sign
D. The filter should use 'tcp.dstport == 80' or 'tcp.srcport == 80' instead

Solution

  1. Step 1: Understand the filter syntax

    In many network tools, 'tcp.port' alone is not a valid filter; you must specify source or destination port.

  2. Step 2: Identify correct filter usage

    Using 'tcp.dstport == 80' or 'tcp.srcport == 80' correctly filters HTTP traffic on port 80.

  3. Final Answer:

    The filter should use 'tcp.dstport == 80' or 'tcp.srcport == 80' instead -> Option D

  4. Quick Check:

    Specify source or destination port for correct filtering [OK]
Hint: Specify src or dst port, not just tcp.port [OK]
Common Mistakes:
  • Using single '=' instead of '=='
  • Filtering UDP instead of TCP
  • Using '!=' which excludes port 80
5. You want to detect unusual spikes in network traffic size over time. Which approach best applies network traffic analysis?
hard
A. Ignore packet sizes and focus on IP addresses only
B. Only capture packets during business hours
C. Capture packets continuously and analyze size trends using graphs
D. Manually check each packet without tools

Solution

  1. Step 1: Understand the goal of detecting traffic spikes

    Detecting spikes means watching how packet sizes change over time, requiring continuous data collection.

  2. Step 2: Identify the best method

    Using tools to capture packets continuously and graph size trends helps spot unusual spikes effectively.

  3. Final Answer:

    Capture packets continuously and analyze size trends using graphs -> Option C

  4. Quick Check:

    Continuous capture + trend analysis = detect spikes [OK]
Hint: Use continuous capture and graph size changes [OK]
Common Mistakes:
  • Limiting capture times reduces data accuracy
  • Ignoring packet size misses spike info
  • Manual checking is impractical for large data