Sign In
In this module

NF0.5 The Toolchain Overview

8 hours · Module 0 · Free
What you already know

You've used Wireshark. You may have heard of Zeek and Suricata. This sub doesn't teach you how to use these tools — that's what modules NF1 through NF14 do. What it does is map each tool to its role in the investigation methodology, so you understand when to reach for each one and why.

Operational Objective

The network forensics toolchain has more tools than most practitioners realize, and the temptation is to start with the one you already know — usually Wireshark. That's like starting every endpoint investigation by opening regedit: it's useful for specific tasks but wrong as a general-purpose starting point. Each tool in the NF toolchain has a specific role in the investigation methodology, and using the right tool at the right step is what makes network investigations efficient.

This sub maps each tool to its role, shows where it fits in the six-step methodology, and clarifies the relationship between tools that overlap (Zeek and Suricata, Wireshark and tshark, zeek-cut and jq).

Deliverable: The six core tools in the NF investigation toolchain — Zeek, Suricata, Wireshark/tshark, zeek-cut, Arkime, and NetworkMiner — with each tool's primary role, methodology step, and relationship to other tools.

Estimated completion: 25 minutes
TOOLCHAIN MAPPED TO INVESTIGATION METHODOLOGY Step 1-2: Scope + Identify Zeek + zeek-cut / jq Query conn.log, dns.log, ssl.log — find sessions of interest Suricata Check alerts — did anything match a known-bad signature? Step 3: Correlate Community ID — links Zeek + Suricata for same session Pivot between tools: Suricata alert → Zeek conn.log → dns.log → ssl.log → endpoint telemetry Step 4: Reconstruct Wireshark / tshark Packet-level analysis of specific sessions from PCAP NetworkMiner File and object extraction from PCAP captures Arkime Enterprise PCAP indexing and search at scale

Figure NF0.5 — The NF toolchain mapped to the investigation methodology. Steps 1-2 use Zeek metadata and Suricata alerts. Step 3 uses Community ID to correlate across tools. Step 4 uses Wireshark, NetworkMiner, and Arkime for packet-level reconstruction.

Zeek — The Investigation Foundation

Zeek produces the structured metadata logs that you'll query in every investigation. If you learn one network forensics tool, learn Zeek.

Zeek observes network traffic on a sensor interface and produces structured logs — one log file per protocol, with fields organized for querying. You deploy Zeek once, and it continuously generates the evidence you'll need for every future investigation. The output isn't alerts or dashboards. It's data — structured, queryable, storable data that answers investigation questions.

In the methodology, Zeek is the tool for Steps 1-3. You query conn.log to find connections of interest, dns.log to find domain resolutions, ssl.log to fingerprint TLS sessions, http.log to examine web traffic, and files.log to inventory file transfers. You query with command-line tools: zeek-cut extracts specific fields from Zeek's tab-separated log format, grep and awk filter and process, and jq handles JSON-format logs.

Zeek's protocol parsing depth is what makes it superior to NetFlow for investigation. NetFlow tells you a 5-tuple connection existed. Zeek tells you the connection existed AND the HTTP user-agent was "rclone/v1.62.2" AND the TLS certificate was self-signed AND the DNS query preceding it resolved to an IP first seen yesterday. That context is what turns a connection record into an investigation lead.

Module NF1 walks through Zeek deployment. Every subsequent module uses Zeek logs as the primary investigation data source.

Suricata — Signature Detection

Suricata tells you when known-bad patterns appear in your traffic. It's fast and specific — but blind to anything it doesn't have a rule for.

Suricata inspects network traffic against a library of rules and fires alerts when traffic matches. The Emerging Threats (ET Open) community ruleset covers thousands of known threats — malware families, C2 frameworks, exploit kits, and attack tools. You can write custom rules for your environment: specific domains, internal network patterns, or organization-specific indicators.

In the methodology, Suricata is a parallel input to Step 2 (Identify). While you're querying Zeek logs for connections of interest, you also check Suricata alerts for the same scope window. Suricata may flag sessions that look normal in conn.log but match a known malicious signature — a Cobalt Strike beacon that uses legitimate-looking HTTPS, for example, fires a Suricata alert based on the TLS fingerprint rather than the connection metadata.

The Suricata-Zeek relationship is complementary. Suricata says "this traffic is bad." Zeek says "here's everything about the session." You need both because Suricata alone can't tell you what else happened in the same connection, and Zeek alone can't tell you whether a connection matches a known threat signature.

Community ID is the bridge. Both tools generate a Community ID hash for every flow, calculated from the same 5-tuple. When Suricata fires alert SID 2025927 on Community ID 1:abc123, you find that same Community ID in Zeek's conn.log, dns.log, and ssl.log for full context.

Module NF1 covers Suricata deployment alongside Zeek. Module NF8 covers rule writing and tuning.

Wireshark and tshark — Packet Analysis

Wireshark is the tool you already know. In this course, it's used for Step 4 (Reconstruct) — targeted analysis of specific sessions, not general-purpose browsing of traffic.

Wireshark provides interactive, graphical packet analysis with protocol dissectors for hundreds of protocols. tshark is its command-line counterpart — same dissection engine, scriptable output. Both read PCAP files and display packets with full protocol decoding.

In the methodology, Wireshark appears at Step 4. By the time you open Wireshark, you've already identified the sessions of interest from Zeek metadata (Steps 1-2) and correlated across tools (Step 3). You open a PCAP file filtered to a specific conversation — not the full capture. This targeted approach is what makes Wireshark effective for forensics rather than frustrating.

The practical workflow: identify a suspicious conn.log entry → note the 5-tuple and timestamp → filter the PCAP file to that conversation using tshark or editcap → open the filtered PCAP in Wireshark → examine the protocol-level detail. Modules NF3-NF7 teach this workflow for each protocol.

tshark is often faster than Wireshark for specific extraction tasks. Extracting all HTTP user-agent strings from a PCAP, listing all TLS certificates, or computing statistics on connection durations — these are one-line tshark commands that would require manual navigation in the GUI.

zeek-cut and jq — Log Processing

These are the query tools that make Zeek data usable. zeek-cut handles Zeek's native tab-separated format. jq handles JSON output.

zeek-cut extracts specific columns from Zeek's tab-separated log files. A typical query looks like:

cat conn.log | zeek-cut ts id.orig_h id.resp_h id.resp_p duration orig_bytes resp_bytes | grep "203.0.113.88"

This extracts timestamp, source IP, destination IP, destination port, duration, and byte counts for all connections to a specific IP. zeek-cut handles Zeek's header format and outputs clean, pipeable data.

jq serves the same purpose for JSON-formatted Zeek logs. Many organizations configure Zeek to output JSON (for SIEM ingestion), and jq provides the field extraction and filtering that zeek-cut provides for the native format. The queries are structurally similar but syntactically different.

Both tools compose with standard Unix utilities — grep, awk, sort, uniq, head, tail, wc. The investigation query patterns you'll use throughout this course are combinations of zeek-cut (or jq) with Unix pipes. Module NF1 establishes the query patterns.

Arkime — Enterprise PCAP at Scale

Arkime (formerly Moloch) is the tool for when your PCAP data exceeds what Wireshark can handle — terabytes of captures that need indexing, searching, and retention management.

Arkime captures full network traffic, indexes it in Elasticsearch, and provides a web-based interface for searching, session reconstruction, and file extraction. It solves the PCAP-at-scale problem: when you have weeks of full-packet capture across multiple sensors, Arkime makes it searchable.

In the methodology, Arkime is an alternative to Wireshark/tshark at Step 4 — for environments where the PCAP volume requires enterprise tooling. You search for sessions by IP, port, protocol, or content, and Arkime returns the matching packets from potentially terabytes of stored captures.

Arkime is covered in depth in NF13 (NSM Architecture for Production). In the early modules of this course, you'll use Wireshark/tshark directly against PCAP files from the lab packs.

NetworkMiner — Object Extraction

NetworkMiner pulls files, images, certificates, and other objects out of PCAP captures. It answers the question: what was transferred in this session?

NetworkMiner reads a PCAP file and extracts objects transferred over network protocols — HTTP downloads, email attachments, SMB file transfers, DNS responses, TLS certificates. It presents the extracted objects in a GUI organized by host, file type, and protocol.

In the methodology, NetworkMiner is used at Step 4 when the investigation requires knowing what was transferred, not just that a transfer occurred. Zeek's files.log tells you a file was observed in network traffic. NetworkMiner extracts the actual file for analysis — hash it against threat intelligence, submit it to a sandbox, or examine its contents.

NetworkMiner is covered in NF4 (HTTP/HTTPS analysis) and NF12 (Network Evidence in IR).

Guided Procedure — Map Your Existing Skills to the Toolchain
Step 1. List the network analysis tools you've used before.
Expected output: Most practitioners list Wireshark and possibly tcpdump. Some list Suricata or Snort from IDS deployment experience. Few list Zeek or Arkime unless they've worked in an NSM-mature environment.
If you've only used Wireshark: That's the typical starting point. This course will teach you Zeek and Suricata as investigation tools — not just deployment tools — which is where the methodology's power comes from.
Step 2. For each tool you've used, identify which methodology step it served.
Expected output: Wireshark usually serves Step 4 (Reconstruct). tcpdump usually serves data acquisition (before Step 1). If you haven't used Zeek, Steps 1-3 of your previous investigations either used endpoint data or manual packet browsing — both slower than structured metadata queries.
If you used Wireshark for everything: That's the pattern this course fixes. Wireshark is excellent for Step 4 but inefficient for Steps 1-3. The shift from "open PCAP and browse" to "query metadata, then examine targeted PCAP" is the biggest efficiency gain in network investigation.
Step 3. Identify which tools are new to you and which modules cover them.
Expected output: Zeek (NF1 for deployment, used in every module from NF2 onward), Suricata (NF1 for deployment, NF8 for rule writing), zeek-cut/jq (NF1 for basics, every module for practice), Arkime (NF13), NetworkMiner (NF4, NF12). Focus your attention on the tools that are new.
If all tools are new: That's expected and fine. NF1 builds the sensor with Zeek and Suricata installed. The early modules (NF2-NF4) introduce each tool gradually with guided examples before the protocol-specific modules (NF5-NF7) require independent use.
Decision point

Your organization wants to deploy network forensics capability. The IT team proposes deploying Wireshark on a dedicated capture workstation with a SPAN port from the core switch. The security team proposes deploying a Zeek and Suricata sensor on the same SPAN port.

The Wireshark approach gives you interactive packet analysis from day one. An analyst can open live capture or saved PCAPs and examine traffic immediately. But there's no automated metadata generation, no structured logs for querying, no signature detection, and no retention beyond manual PCAP saves.

The Zeek/Suricata approach generates structured metadata continuously from the moment it's deployed. Investigation queries are possible against months of data. Suricata fires alerts on known threats without analyst interaction. But it requires more setup (NF1 covers this) and the team needs to learn Zeek query syntax.

The right answer is the sensor. Wireshark is a tool for individual session analysis. Zeek and Suricata are an investigation infrastructure. You can always use Wireshark on PCAPs captured by the sensor, but you can't retroactively generate Zeek metadata from traffic that wasn't captured.

Compliance Myth: "We need commercial tools — open source isn't enterprise-grade"

Zeek, Suricata, Wireshark, and Arkime are all open source. They're also the tools used by SANS FOR572 ($8,780), the US Department of Defense, major financial institutions, and the incident response teams at the largest technology companies. Corelight (the commercial version of Zeek) is the most deployed network detection tool in Fortune 500 environments — and the open-source Zeek it's based on produces identical logs.

The argument for commercial tools is usually about support, management UI, and integration. Those are valid operational considerations. But the detection and investigation capability of the open-source toolchain is not inferior — it's what the commercial products are built on. This course teaches the open-source tools because they're free, they're the same tools the industry leaders use, and the skills transfer directly to commercial products if your organization deploys them later.

Next
NF0.6 — Normal vs Malicious Traffic. You know the tools. NF0.6 introduces the fundamental investigative skill — distinguishing normal network behavior from attack traffic — and the baseline thinking that makes anomaly detection possible.
Try it: Install Zeek and produce your first log

Setup. If you have a Linux VM (Ubuntu 22.04 or later), you can install Zeek now and run it against a sample PCAP. If you don't have a VM yet, skip this — NF1 builds the full sensor from scratch.

Task. Install Zeek (sudo apt install zeek on Ubuntu), download a sample PCAP from malware-traffic-analysis.net, and run zeek -r sample.pcap. Examine the generated log files — conn.log, dns.log, and any protocol-specific logs.

Expected result. Zeek generates multiple log files in the current directory. conn.log should contain one entry per connection in the PCAP. dns.log should contain DNS queries. Each log file has a header describing the columns. Run cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p | sort | uniq -c | sort -rn | head to see the most common connections.

Debugging branch. If Zeek isn't in the default apt repository: add the Zeek repository following the instructions at docs.zeek.org. If zeek-cut isn't available: it's part of the zeek package but may need the full path (/opt/zeek/bin/zeek-cut). NF1 covers the full installation and configuration.

Checkpoint — before moving on
1. Name each tool in the NF toolchain and state its primary role in the investigation methodology. (§ All tool sections)
2. Explain the Zeek-Suricata relationship: what each provides that the other doesn't, and how Community ID connects them. (§ Zeek and § Suricata)
3. Describe the correct workflow for targeted PCAP analysis: identify from metadata → filter PCAP → open in Wireshark. Explain why opening the full PCAP directly is inefficient. (§ Wireshark and tshark)
Operational Artifact — Tool Selection Quick Reference

"I need to find all connections to a suspicious IP" → Zeek conn.log via zeek-cut. Not Wireshark — you'd have to filter a potentially multi-gigabyte PCAP. One-liner: cat conn.log | zeek-cut ts id.orig_h id.resp_h id.resp_p | grep "SUSPICIOUS_IP"

"I need to check if something matched a known threat signature" → Suricata EVE JSON alerts. Filter by timestamp and affected host. One-liner: jq 'select(.alert and .src_ip=="HOST_IP")' eve.json

"I need to see the TLS certificate a server presented" → Zeek ssl.log via zeek-cut. Fields: server_name, subject, issuer, ja3, ja3s. One-liner: cat ssl.log | zeek-cut server_name subject issuer ja3 | grep "DOMAIN"

"I need to extract a file that was downloaded" → NetworkMiner against the relevant PCAP, or Zeek file extraction if configured. Not Wireshark — it can export HTTP objects but NetworkMiner is more comprehensive.

"I need to examine the exact packets in a specific session" → Wireshark/tshark against a filtered PCAP. Filter first: tshark -r full.pcap -w session.pcap -Y "ip.addr==SUSPICIOUS_IP and tcp.port==PORT". Then open session.pcap in Wireshark.

"I need to search weeks of PCAP for a specific pattern" → Arkime (if deployed). Arkime indexes PCAP content for fast searching across terabytes. Without Arkime, use tshark with display filters against individual PCAP files.

© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You've built the sensor and mapped the evidence landscape.

NF0 established why network evidence matters when every other source is compromised. NF1 built your Zeek + Suricata sensor with the 10 investigation query patterns. From here, every module teaches protocol-specific investigation against real attack scenarios.

  • DNS deep dive (NF3) — tunnelling detection, DGA analysis, passive DNS infrastructure mapping, and the INC-NE-2026-0227 AiTM phishing DNS trail
  • Protocol analysis (NF4–NF7) — HTTP/HTTPS, SMB lateral movement, SSH tunnelling, and email protocol investigation with Zeek metadata and PCAP
  • Detection and hunting (NF8–NF11) — Suricata rule writing, C2 beacon detection with JA3, NetFlow analytics, and proactive network threat hunting
  • NSM architecture (NF13) — production sensor deployment at 1–10 Gbps with Arkime, Security Onion, and enterprise storage planning
  • INC-NE-2026-0830 capstone (NF14) — multi-stage investigation using only network evidence: phishing → domain-fronted C2 → lateral movement → DNS tunnel exfiltration
Unlock the full course with Premium See Full Syllabus

Cancel anytime

← Previous Next →