Alerting security analysts of threats

Security analysts use packet analysis to determine whether there is anything unusual or suspicious about the traffic or discover what transpired on the network by completing a forensic investigation. To effectively discover potential problems, the security analyst must be an expert at packet analysis.

Wireshark can help the security analyst to better understand specific types of attacks so they can craft firewall rules. To hone security analysis skills, the analyst can discover and download many PCAPs on various repositories. The Honeynet project, which is found at https://www.honeynet.org, is a great place to start. Navigate to the section on challenges, which offers many examples of forensic exercises to review and learn about many common threats found on today's networks.

For example, if you go to https://www.honeynet.org/node/906, you will see a completed challenge entitled Forensic Challenge 12 – Hiding in Plain Sight. Read the challenge details, which are outlined there so that you have a better understanding of the exercise. To strengthen your analysis skills, download the files found at the bottom of the page and work through the questions. The answers can also be found at the bottom of the page, along with other files of interest.

Security analysts consider Wireshark a valuable tool, as it provides deep insight into what is happening on the network. Because it offers so much insight into network activity, Wireshark is also used by hackers for reconnaissance to gather and analyze traffic, often prior to an attack or during an active attack, which we will discuss next.
