Network Capture

Overview

  • Evidence: Network Capture

  • Description: Captures live network traffic in PCAP format and/or network flow data

  • Category: Network

  • Platform: Windows

  • Short Name: N/A (enabled via the -nc flag)

  • Is Parsed: No - raw PCAP and flow data

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

Live network capture records all network packets entering and leaving the system during a specified time period. This provides detailed visibility into network communications including protocol analysis, payload data, and traffic patterns.

Network capture can be performed in two modes:

  • PCAP format: Full packet capture for detailed analysis

  • Network Flow: Connection metadata without full payload

Data Collected

Field       Description             Example
Type        Capture type            Pcap
Name        File name               capture.pcap
FilePath    Path to capture file    NetworkCapture/capture.pcap
FileSize    Size of capture file    104857600

Collection Method

This collector:

  • Uses NetFilter driver for packet capture

  • Captures for user-specified duration (in seconds)

  • Supports two capture modes:

    • PCAP format (--pcap flag)

    • Network Flow format (--network-flow flag)

  • Reports progress during capture duration

  • Stops capture after specified time

The capture is activated via command line parameters:

  • --network-capture <duration> or -nc <duration>

  • --pcap or -pcap for PCAP format

  • --network-flow or -nf for flow data

Usage

Live network capture provides real-time visibility into network communications and active threats. Investigators use this data to capture C2 communications as they happen, analyze malware network protocols, detect data exfiltration in progress, identify lateral movement traffic, capture credentials sent over the network, reconstruct network-based attacks, and perform protocol analysis of suspicious traffic.

Known Limitations

  • Requires NetFilter driver

  • Capture duration must be specified in advance

  • Large captures consume significant storage

  • High network traffic can create very large files

  • SSL/TLS encrypted traffic shows only metadata

  • Impact on system performance during high traffic

Notes

Network capture should be time-limited to avoid excessive storage usage. For long-term monitoring, use network flow mode instead of full PCAP. Encrypted traffic requires additional analysis techniques.
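As an added example (not the collector's own code), the following Python sanity-checks a PCAP produced by the capture before it is handed to analysis tools: it validates the libpcap global header, walks the packet records, and reports packet count, capture span and byte totals that can be reconciled with the FileSize field above and the duration requested via -nc. It also flags a file whose last record is incomplete. The sample bytes are constructed for the example, not a real capture.

```python
import struct
from typing import Dict

# libpcap magic values as read little-endian: microsecond and nanosecond variants
MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D
GLOBAL_HDR = 24   # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16   # ts_sec, ts_frac, incl_len, orig_len

def parse_pcap(data: bytes) -> Dict[str, object]:
    """Summarise a PCAP byte string without decoding any payloads."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("truncated: missing global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MAGIC_USEC, MAGIC_NSEC):
        endian, ts_div = "<", (1e6 if magic == MAGIC_USEC else 1e9)
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):            # written by a big-endian host
        endian, ts_div = ">", (1e6 if magic == 0xD4C3B2A1 else 1e9)
    else:
        raise ValueError(f"not a libpcap file: magic 0x{magic:08x}")
    _, major, minor, _, _, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HDR])
    packets = captured = on_wire = 0
    first_ts = last_ts = None
    pos, truncated = GLOBAL_HDR, False
    while pos < len(data):
        if pos + RECORD_HDR > len(data):
            truncated = True                            # capture stopped mid-header
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[pos:pos + RECORD_HDR])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"corrupt record header at offset {pos}")
        if pos + RECORD_HDR + incl_len > len(data):
            truncated = True                            # capture stopped mid-packet
            break
        ts = ts_sec + ts_frac / ts_div
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
        packets, captured, on_wire = packets + 1, captured + incl_len, on_wire + orig_len
        pos += RECORD_HDR + incl_len
    return {"version": f"{major}.{minor}", "linktype": linktype, "snaplen": snaplen,
            "packets": packets, "bytes_captured": captured, "bytes_on_wire": on_wire,
            "span_seconds": 0.0 if first_ts is None else last_ts - first_ts,
            "truncated_tail": truncated, "file_size": len(data)}

def build_sample_pcap() -> bytes:
    """Constructed three-packet Ethernet (linktype 1) capture for demonstration only."""
    out = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, length in ((1700000000, 0, 74), (1700000001, 500000, 1514), (1700000005, 0, 60)):
        out += struct.pack("<IIII", sec, usec, length, length) + b"\x00" * length
    return out

if __name__ == "__main__":
    print(parse_pcap(build_sample_pcap()))
```

Comparing `file_size` with the FileSize field and `span_seconds` with the requested duration quickly shows whether a capture was cut short or truncated on write.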
