Security Operations Center — Practical Lab Documentation By Saravanan | GitHub | LinkedIn
This is a fully isolated, controlled lab environment. No real systems were targeted. All simulations were performed on personal VMs for educational purposes only.
Lab 03 focuses on network traffic analysis — the core skill of every SOC analyst. Using Wireshark on Kali Linux, multiple types of suspicious traffic were generated against Windows 10 and captured for analysis. This lab simulates how a SOC analyst identifies malicious network patterns including port scans, ping sweeps and C2 connection attempts.
| Component | Details |
|---|---|
| Hypervisor | VMware Workstation Pro 25H2 |
| Attacker Machine | Kali Linux 2025.4 (amd64) |
| Defender / Target | Windows 10 x64 |
| Network Type | VMware LAN Segment — Isolated (testpractice) |
| Attacker IP | 192.168.20.11 (Static) |
| Target IP | 192.168.20.10 (Static) |
| Internet Access | None - Fully Air Gapped |
| Attack Tool | Wireshark |
| Target Packets Captured | 1,066 Packets |
| Protocols Detected | TCP, UDP |
```bash
nmap -A -sV 192.168.20.10
```
Aggressive scan combining service detection, OS detection and default scripts against the Windows 10 target (Nmap's default port range; `-p-` would be required to cover all 65,535 ports).

```bash
nmap -sn 192.168.20.0/24
```
Scans the entire subnet to discover all live hosts — simulates an attacker mapping the network.

```bash
nc -nv 192.168.20.10 445
```
Simulates Command and Control malware connecting to SMB port 445 — exactly how real malware beacons to attacker infrastructure.

```bash
nmap -sU --top-ports 20 192.168.20.10
```
Scans the top 20 UDP ports — generates a different traffic pattern compared to TCP scans.
| Metric | Value |
|---|---|
| Total Packets Captured | 1,066 packets |
| Packets Dropped | 0 (0.0%) |
| Capture Interface | eth0 |
| Source IP (Attacker) | 192.168.20.11 |
| Destination IP (Target) | 192.168.20.10 |
| Capture File | lab03-malware-traffic-analysis.pcapng |
| Protocols Identified | TCP, UDP |
| Filter | Purpose | What It Revealed |
|---|---|---|
| ip.addr == 192.168.20.10 | All traffic to Win10 | Full attack traffic visible |
| tcp.flags.syn == 1 and tcp.flags.ack == 0 | TCP SYN packets only | Port scan pattern identified |
| icmp | Ping traffic | Network discovery traffic |
| tcp.port == 445 | SMB port traffic | Netcat C2 connection attempt |
| udp | UDP scan traffic | UDP port scan pattern |
| Attack Type | Protocol | Pattern Identified | SOC Alert Level |
|---|---|---|---|
| Aggressive Nmap Scan | TCP | Rapid SYN packets to all ports | HIGH |
| Ping Sweep | ICMP | Sequential ICMP echo requests | MEDIUM |
| Netcat C2 Attempt | TCP | Direct connection to port 445 | HIGH |
| UDP Port Scan | UDP | 104 UDP conversations detected | MEDIUM |
| Protocol | Significance |
|---|---|
| TCP | Port scanning and service connections |
| UDP | UDP port scan — top 20 ports probed |
| IOC Type | Value | Significance |
|---|---|---|
| Source IP | 192.168.20.11 | Kali Linux — Attacker |
| Target IP | 192.168.20.10 | Windows 10 — Victim |
| Total Packets | 1,066 | High volume in short time |
| TCP SYN Pattern | Multiple SYN packets | Classic port scan |
| UDP Conversations | 104 UDP probes | UDP port scan detected |
| Port 445 Access | Direct SMB connection | C2 simulation attempt |
| Tool Identified | Nmap and Netcat | Visible in packet headers |
| Date | 2026-03-16 | Attack timestamp |
| Lab | Kill Chain Stage | MITRE ATT&CK | Action |
|---|---|---|---|
| Lab 01 | Reconnaissance | T1046 — Network Service Discovery | Nmap found ports 135, 139, 445 |
| Lab 02 | Exploitation | T1110 — Brute Force | Metasploit attacked port 445 |
| Lab 03 | Reconnaissance + C2 | T1046 + T1071 | Traffic analysis of all attack types |
• TCP SYN Pattern — Rapid SYN packets to multiple ports is the classic Nmap signature. A SIEM rule triggers on 10+ SYN packets per second from the same IP.
• UDP Scan Detected — 104 UDP conversations found; attackers use UDP to find DNS (port 53) and SNMP (port 161).
• Netcat C2 Pattern — Direct connection to port 445 simulates malware beaconing to a C2 server.
• Full Log Visibility — Every packet captured with source IP and timestamp.
• Event ID 4625 Generated — New failed logins confirmed the cross-lab attack chain.
• How to capture and analyze live network traffic using Wireshark.
• How to identify port scan patterns from TCP SYN flags.
• How to use Wireshark filters to isolate specific attack traffic.
• How UDP scans differ from TCP scans in packet capture.
• How Netcat simulates C2 communication patterns.
• How all 3 labs connect as a complete Cyber Kill Chain.
• How MITRE ATT&CK maps to real network traffic.
Saravanan — transitioning from Food Technology into Cybersecurity with a focus on SOC Analysis and Blue Team operations. This lab is part of my Mini SOC Home Lab series documenting hands-on learning.
- LinkedIn: linkedin.com/in/saravanan-cyber
- Email: career.entrydesk@gmail.com
- Location: Thiruvallur, Tamil Nadu, India
"In network forensics, every packet tells a story. A good SOC analyst reads them all."
✅ If this lab helped you, give it a star!