Recently I mentioned I wanted to do the Malware-Traffic-Analysis.net Traffic Analysis Exercises to get back into the swing of things with pcaps. Wow, was that a mistake.

I went with the first / oldest exercise on the page, 2014-11-16 Traffic analysis exercise – Questions about EK traffic. It was painful. The first question was “What is the IP Address of the infected computer?” Looking at the pcap that went with it, I thought I knew the answer but wasn’t sure. So I went and looked at the walk-through part of the answer sheet.

And I couldn’t understand the thought process behind the answers. I had to ask a co-worker what was going on. Why was this the answer? In this case it was to find the infected machine by using the http.request filter.

I don’t read MTA enough. I usually read 1 or 2 a month, and occasionally scan the blog entries for IOCs. So not knowing the MTA working processes is a hindrance.

I’m going to try a few more, but right now I think I’m in over my head, and I can’t wait for the third edition of Practical Packet Analysis to arrive. Talking to @chrissanders88 last week, he said that MTA provided one of the samples in the book.