New Course

Network Investigation Methodology for SOC Analysts, IR Practitioners, and Detection Engineers Working with PCAP, Zeek, and Suricata

Aligned to MITRE ATT&CK, Sigma rules, RFC 1035 / 4253, and Mandiant tradecraft

Network Detection and Forensics

Read the network evidence that survives when everything else is destroyed.

Learn to capture, analyze, and investigate network traffic for security operations. Master DNS analysis, HTTP/HTTPS inspection, SMB protocol forensics, SSH tunnelling detection, C2 beacon identification, and Suricata signature writing. Build a network security monitoring sensor, analyze packet captures for evidence of compromise, detect data exfiltration, and reconstruct attack timelines from network evidence.

Content last updated: April 2026
NETWORK EVIDENCE — THE INVESTIGATION BACKBONE

DNS: microsft-verify[.]com → 203.0.113.88 (first seen 09:14:22)
TLS: JA3 e7d705a3... | CN=microsft-verify.com | Let's Encrypt
C2: 847 connections | 60s interval | 10% jitter | Cobalt Strike beacon
SMB: PsExec IT03 → FIN01 → FS01 | ADMIN$ | PSEXESVC.exe deployed
EXFIL: 12.1 GB via rclone → Tor relay | detected in NetFlow volume

Complete Attack Chain — From DNS to Exfiltration
15 modules · 5 NE investigation scenarios · Zeek + Suricata + Wireshark
Reconstructed entirely from network evidence
40 CPE Credits

What you'll be able to do

Capture and analyze network traffic for evidence of compromise
Detect DNS tunnelling, C2 beaconing, and data exfiltration in packet captures
Write Suricata signatures for custom network detection
Reconstruct attack timelines from network evidence
Build and operate a network security monitoring sensor

The Capture-Detect-Investigate method

Every paid module runs the same operational loop. Understand the protocol. Examine normal traffic patterns. Investigate attack traffic from an NE scenario. Apply the methodology independently to a different scenario. You don't read about DNS tunnelling — you detect it in dns.log, estimate the exfiltration volume, identify the tunnelling tool, and extract the active C2 domain from the NXDOMAIN flood. Three evidence layers deep: Zeek metadata, Suricata alerts, and PCAP packet analysis.
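The dns.log workflow described above (flag a tunnelling zone, estimate the payload volume, and pull the resolving name out of an NXDOMAIN flood), as an added illustration that is not course material or lab data. It assumes a reduced set of Zeek dns.log columns, that the registrable zone is the last two labels, and that tunnel payloads are base32-encoded; the log excerpt is constructed.

```python
# Added example: triage a Zeek dns.log for tunnelling and DGA/C2 indicators.
from collections import defaultdict

# Constructed dns.log excerpt (reduced Zeek field set); not course lab data.
DNS_LOG = """#fields\tts\tid.orig_h\tquery\tqtype_name\trcode_name\tanswers
2.0\t10.0.0.5\tmfrggzdfmztwq2lknnwg23tpor.t.example-tunnel.net\tTXT\tNOERROR\t-
3.0\t10.0.0.5\tnbswy3dpeb3w64tmmq6tmnzqfy.t.example-tunnel.net\tTXT\tNOERROR\t-
4.0\t10.0.0.5\tonswg4tfor2gk4dvnrqxgzlsmf.t.example-tunnel.net\tTXT\tNOERROR\t-
5.0\t10.0.0.7\tqkzjdlwpxmvbt.biz\tA\tNXDOMAIN\t-
6.0\t10.0.0.7\txlqpwzmrtvakd.biz\tA\tNXDOMAIN\t-
7.0\t10.0.0.7\tzvqmlwpkrtxne.biz\tA\tNXDOMAIN\t-
8.0\t10.0.0.7\tplwkqzmxrvtcg.biz\tA\tNOERROR\t203.0.113.88
"""

def parse_dns_log(text):  # Zeek TSV: the #fields header names the columns
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def tunnel_candidates(rows, min_q=3, min_label=20):
    """Flag zones receiving many queries with long, unique, TXT/NULL-heavy labels."""
    per = defaultdict(list)
    for r in rows:  # assumption: registrable zone = last two labels
        per[".".join(r["query"].split(".")[-2:])].append(r)
    out = {}
    for zone, rs in per.items():
        subs = [r["query"][: -len(zone) - 1] for r in rs]  # label data below zone
        lens = [len(s.replace(".", "")) for s in subs]
        if len(rs) < min_q or sum(lens) / len(lens) < min_label:
            continue
        out[zone] = {"queries": len(rs), "unique_ratio": len(set(subs)) / len(rs),
                     "txt_ratio": sum(r["qtype_name"] in ("TXT", "NULL") for r in rs) / len(rs),
                     "est_bytes": sum(lens) * 5 // 8}  # assumes base32-encoded payload
    return out

def dga_c2_candidates(rows, min_nx=3):
    """For hosts with an NXDOMAIN flood, return flood-shaped names that resolved."""
    nx, ok = defaultdict(list), defaultdict(list)
    for r in rows:
        (nx if r["rcode_name"] == "NXDOMAIN" else ok)[r["id.orig_h"]].append(r)
    hits = []
    for host, flood in ((h, f) for h, f in nx.items() if len(f) >= min_nx):
        shape = {(q["query"].rsplit(".", 1)[-1], len(q["query"])) for q in flood}
        for r in ok[host]:  # heuristic: same TLD and name length as the flood
            if (r["query"].rsplit(".", 1)[-1], len(r["query"])) in shape:
                hits.append((host, r["query"], r["answers"]))
    return hits
```

Run against a full dns.log the same way: `parse_dns_log(open("dns.log").read())`, then feed the rows to both functions and pivot on the returned zone or answer address in conn.log and ssl.log.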

Who this course is for

SOC analysts investigating beyond endpoint telemetry. You handle alerts from Defender XDR and Sentinel but need the network evidence that endpoint detection doesn't capture — the C2 TLS fingerprint, the DNS trail before the compromise, the exfiltration volume in NetFlow.

IR practitioners building network forensic capability. You respond to incidents and need network evidence to complement disk and memory analysis. When the endpoint evidence is gone, the network saw everything.

Detection engineers writing network-based detections. You want to build Suricata rules and Zeek scripts for protocol-level detection — not just endpoint EDR rules.

Security engineers designing NSM architecture. You're responsible for sensor placement, capture strategy, and production-scale PCAP management.

Anyone who completed the Practical IR or Linux IR courses and wants to investigate the same NE incidents from the network perspective — a fundamentally different view of attacks you already know.

The toolkit — open-source tools, real PCAP, Northgate Engineering scenarios

Network metadata: Zeek (conn.log, dns.log, ssl.log, http.log, and 20+ protocol-specific logs). Signature detection: Suricata with ET Open rulesets. Packet analysis: Wireshark, tshark, tcpdump, dumpcap. PCAP management: editcap, mergecap, capinfos. Enterprise NSM: Arkime (PCAP indexing), Security Onion (integrated platform). Object extraction: NetworkMiner. Every tool is free and open-source. You build your sensor in NF1 and use it throughout.

Why take this course

For SOC analysts and IR practitioners who need to own the network side of an investigation. You finish able to detect beaconing, tunnelling, and lateral movement from network telemetry — the skill that separates "I read the EDR timeline" from "I can prove data exfiltration happened from PCAP, NetFlow, and DNS logs."

What you will be able to do

1. Build and operate a network security monitoring sensor with Zeek and Suricata — from VM setup through validation to ongoing maintenance — producing investigation-grade metadata from live traffic and PCAP files.

2. Capture, manage, and preserve PCAP evidence with forensic integrity — rolling captures, targeted investigation captures, evidence-grade handling with chain of custody documentation.

3. Investigate DNS as the primary evidence source — tunnelling detection, DGA analysis, passive DNS infrastructure mapping, domain intelligence, and the encrypted DNS challenge.

4. Analyse HTTP/HTTPS traffic — TLS fingerprinting with JA3/JA4+, certificate analysis, file extraction from network streams, web shell detection, and AiTM proxy characterisation.

5. Track lateral movement through SMB, RDP, and SSH traffic — PsExec network signatures, WMI-over-DCOM, SSH tunnelling, and the network evidence of attacker pivoting between hosts.

6. Detect C2 communications — beacon detection, domain fronting, JA3 fingerprinting, DNS-based C2, and malleable C2 profile analysis using Cobalt Strike as the reference framework.

7. Analyse NetFlow for traffic volume anomalies — beaconing detection from flow data, exfiltration volume measurement, and egress policy validation without full-packet capture.

8. Write and tune Suricata rules for signature-based network detection, integrated with Zeek metadata for layered detection and hunting.

9. Design production NSM architecture — sensor placement, storage planning, 1–10 Gbps capture strategies, and cloud/hybrid monitoring with Arkime and Security Onion.

10. Reconstruct complete attack chains from network evidence alone — the NF14 capstone investigation uses only PCAP, Zeek logs, Suricata alerts, and NetFlow to investigate a multi-stage incident from phishing to exfiltration.

Course at a glance

Modules: 15 (NF0–NF14) across 4 phases

Estimated duration: 90+ hours (self-paced)

Format: Written content — annotated Zeek queries, SVG diagrams, worked investigation scenarios, knowledge checks

Free content: NF0–NF1 (2 modules) — no account required

Paid content: NF2–NF14 (13 modules) — Premium subscription

Lab environment: Ubuntu VM with Zeek + Suricata (built in NF1), PCAP lab packs per module

Investigation scenarios: 5 Northgate Engineering incidents, 2 cross-referencing IR, 2 cross-referencing Linux IR, 1 NF-exclusive capstone

Typical pace: ~10–18 weeks at 5 hrs/week

MITRE ATT&CK coverage: 14 techniques mapped

Built by Ridgeline Cyber

This course is written by practitioners who have conducted network forensic investigations in production — not by content writers summarising vendor documentation.

Experience spans SOC operations, incident response, detection engineering, and DFIR investigation across M365, Windows, Linux, and network environments — including real AiTM phishing investigations, ransomware response, and SSH brute force incidents that inform the NE scenarios.

The investigation scenarios in this course are grounded in that operational work. The techniques, Zeek queries, Suricata rules, and investigation patterns are drawn from real investigations, sanitised and adapted for training.

What this course does NOT cover

Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.

Technical requirements

Sensor VM (built in NF1): Ubuntu 24.04 LTS with Zeek and Suricata. 4 GB RAM, 40 GB disk, 2 CPU cores. VMware Workstation Pro (free), VirtualBox, or Hyper-V.

PCAP lab packs: Downloaded per module from the course lab packs page. Each pack contains Northgate Engineering scenario PCAPs for the module's investigation exercises.

No commercial tools required. Every tool in the course is free and open-source. Enterprise alternatives (Arkime, Security Onion) are covered conceptually in NF13 — the course is completable without them.

Course Syllabus

Four phases. NF0–NF1 are free — no account required.

Phase 2 — Protocol Analysis

NF2
PCAP Acquisition and Management — Forensic tcpdump (snap length, timestamp precision, buffer sizing). Three capture strategies (continuous, targeted, triggered). BPF filters for investigation. Rolling captures with file rotation. dumpcap and Wireshark capture. editcap and mergecap for PCAP management. Evidence-grade capture procedures with chain of custody. Cloud and device acquisition. The five-step PCAP analysis workflow.
NF3
DNS: The Protocol That Sees Everything — Three DNS investigation questions (when, who, context). Zeek dns.log deep dive. Normal DNS patterns and enterprise baselines. Domain reputation and intelligence (WHOIS, VirusTotal, passive DNS, CT logs). DNS tunnelling detection (five indicators, volume estimation, tool identification). Passive DNS infrastructure clustering. DGA detection and C2 extraction. Encrypted DNS (DoH/DoT). INC-NE-2026-0227 AiTM phishing DNS trail.
NF4
HTTP/HTTPS and Web Traffic Analysis — Zeek http.log field analysis. HTTP request/response investigation. File extraction from network streams. TLS handshake fundamentals for investigators. ssl.log certificate analysis. JA3/JA4+ TLS fingerprinting. TLS inspection architecture and tradeoffs. Web shell and web application attack traffic. INC-NE-2026-0227 HTTP/HTTPS trail — AiTM proxy redirect chain and TLS characterisation.
NF5
SMB, RPC, and Windows Network Protocols — SMB/CIFS lateral movement. PsExec traffic patterns and the three-query detection workflow. WMI-over-DCOM two-connection pattern. RDP session analysis. Windows authentication on the wire (NTLM vs Kerberos). Pass-the-hash network signatures. Four-query lateral movement sweep. INC-NE-2026-0418 ransomware pivot chain reconstruction.
NF6
SSH, Tunnelling, and Encrypted Channels — SSH brute force patterns. SSH tunnelling detection. Reverse shells over SSH. VPN and encrypted channel analysis. INC-NE-2026-0402 SSH brute force investigation.
NF7
Email Protocols and Phishing Investigation — SMTP traffic analysis. Email header forensics. Phishing indicators in network data. Email exfiltration detection. SPF/DKIM/DMARC validation from DNS. INC-NE-2026-0227 phishing email delivery.

How to get the most from this course

Recommended pace: 1–2 modules per week, 8–14 weeks total alongside a full-time role.

Phase 1 (NF0–NF2) is sequential. The sensor build and PCAP management skills are prerequisites for everything that follows.

Phase 2 (NF3–NF7) can be reordered based on your investigation priorities — DNS first if you're investigating phishing, SMB first if you're investigating lateral movement.

Phase 3–4 (NF8–NF14) build on Phase 2 techniques. Take them in order for the best learning progression.

If you've completed Practical IR or Linux IR: The NE scenarios will be familiar from the endpoint perspective. The network view adds evidence you haven't seen before.

Support and community

Questions about course content: training@ridgelinecyber.com

Billing and account management: Self-service via your account page or training@ridgelinecyber.com

LinkedIn: Follow Ridgeline Cyber for operational security content and course updates.

What you get that you will not find elsewhere

This is not a Wireshark tutorial. Wireshark tutorials teach packet inspection. This course teaches network forensics and detection — how to detect beaconing, tunnelling, lateral movement, and exfiltration from network telemetry at scale.

Network as an evidence source. When EDR is evaded, when logs are cleared, when the endpoint is compromised — the network still has the evidence. This course teaches you to find it.

Multi-source network analysis. PCAP, NetFlow, DNS logs, proxy logs, Zeek, and Suricata. Not one tool — the complete network forensic toolkit.

Where this course fits

Practical IR investigates from the endpoint. This course investigates from the network — the evidence source that survives endpoint compromise.

Detection Engineering builds endpoint and cloud detections. This course builds network-layer detections — beaconing, tunnelling, exfiltration.

Recommended learning path: IR → Network Forensics. A learner can start at either.

The outcome

You start reading EDR timelines. You finish proving data exfiltration from PCAP, NetFlow, and DNS logs.

Network forensic methodology — beaconing detection, tunnel identification, lateral movement from network evidence.

Exfiltration proof — the network evidence that proves data left the building when the endpoint logs are gone.

Network detection rules — Suricata, Zeek, and KQL for network telemetry in Sentinel.

After completing this course alongside the existing Ridgeline DFIR courses, you can investigate the same incident from every evidence perspective:

Endpoint (Windows): Practical IR — registry, filesystem, event logs, memory

Endpoint (Linux): Linux IR — auth.log, /proc, containers, systemd

Memory: Applied Memory Forensics — process injection, rootkits, credentials

Identity: Entra ID Security — sign-in logs, conditional access, tokens

Network: This course — PCAP, Zeek, Suricata, DNS, TLS, NetFlow

The capstone investigations in IR, LX, and NF use the same Northgate Engineering incidents. The learner who completes all three can investigate from endpoint, network, and identity — the three legs of the DFIR stool.

Prerequisites

None required. The course builds from foundations (NF0 explains why network evidence matters, NF1 builds the sensor) through protocol analysis to advanced detection and capstone investigation.

Recommended (not required): Practical IR and/or Practical Linux IR. Learners who've completed these courses will recognise the NE incidents and can investigate the same attacks from a new evidence perspective.

Helpful background: Familiarity with Linux command line, basic networking concepts (TCP/IP, DNS, HTTP), and security operations. The course teaches the investigation methodology — it doesn't assume prior Zeek or Suricata experience.

Usage rights and disclaimer

Individual subscription: personal professional development use. Team subscription: up to 5 named users within one organisation. Content may not be redistributed, republished, or used for commercial training delivery.

The PCAP files and Zeek logs in the lab packs contain realistic but fictional data from the Northgate Engineering scenario environment. No real network traffic, no real incidents, no real organisations. All IP addresses use RFC 5737 documentation ranges.

Version and changelog

Current version: 2.0 (April 2026)

v1.0 (April 2026): NF0–NF4 initial release (5 modules)

v2.0 (April 2026): Full course shipped — all 15 modules NF0–NF14 live. Phase 2 protocol analysis, Phase 3 detection and hunting, and Phase 4 investigation and capstone now complete.

Premium subscribers get access to new content as it ships — no additional cost.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Distinction: 90. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.