TryHackMe Network Traffic Basics - Full Walkthrough 2025
This room teaches the basics of Network Traffic Analysis. Room Link: https://tryhackme.com/room/networktrafficbasics

Network Traffic Analysis (NTA) is a process that encompasses capturing, inspecting, and analyzing data as it flows in a network. Its goal is to have complete visibility and understand what is communicated inside and outside the network. It is important to stress that NTA is not a synonym for the tool Wireshark. It is more than that: it is a combination of correlating several logs, deep packet inspection, and network flow statistics with specific outlined goals (which we will discuss later on).

Knowing how to analyze network traffic is an essential skill, not only for an aspiring SOC L1 analyst but also for many other blue and red team roles. As an L1 analyst, you need to be able to navigate through the sea of network information and understand what is normal and what deviates from the baseline.

In this room, we will focus on defining network traffic analysis, why you need it, what and how you can observe network traffic, and some of the sources and flows of network traffic you need to be aware of.

Learning Objectives
- Know what network traffic analysis is
- Know what can be observed
- Know how to observe network traffic
- Know typical network traffic sources and flows

Room Tasks:
[00:00] Task 1: Introduction
[02:18] Task 2: What is the Purpose of Network Traffic Analysis?
- What is the name of the technique used to smuggle C2 commands via DNS?
[06:47] Task 3: What Network Traffic Can We Observe?
- Look at the HTTP example in the task and answer the following question: What is the size of the ZIP attachment included in the HTTP response? Note down the answer in bytes.
- Which attack do attackers use to try to evade an IDS?
- What field in the TCP header can we use to detect session hijacking?
[12:06] Task 4: Network Traffic Sources and Flows
- Which category of devices generates the most traffic in a network?
- Before an SMB session can be established, which service needs to be contacted first for authentication?
- What does TLS stand for?
[17:27] Task 5: How Can We Observe Network Traffic?
- What is the flag found in the HTTP traffic in scenario 1? The flag has the format THM{}.
- What is the flag found in the DNS traffic in scenario 2? The flag has the format THM{}.
[34:02] Task 6: Conclusion

Educational Purpose Only: This content is for educational and authorized penetration testing purposes only. Always ensure you have permission before testing on any systems.

#tryhackme