Network Forensics: Hunting with Packets W/ Jonathan Ham (16 Hours)

Network Forensics: Hunting with Packets
4 Sessions – 4 Hour Classes

Instructor: Jonathan Ham

Includes: An Open Virtual Appliance (OVA) will be provided, which once extracted and booted will enable the download of the most current lab and course materials from our servers.

For those not inclined to work through the lab platform, a PDF version of the slide deck will be made available for download, which contains the walk-through of the labs as presented.

Six months of free access to the BHIS Antisyphon Cyber Range

Threat hunting is all the rage! The idea is to take the fight to Evil, rather than waiting for Evil to inform us that our assets are pwnd (and kindly cough up some Bitcoin, please). But how do we accomplish this? Unfortunately, what’s finally in vogue is still pretty vague in practice.

Generally, hunting is fundamentally about identifying and understanding our quarry, the field within which it dwells, the ways in which it can be found and positively identified, and successfully taking it out of the field. In Montana, we then typically fieldstrip it and put it in our freezers, but that’s a very specific case generally involving only elk and deer.

That’s what this course is for: understanding the mechanics behind the field, the quarry, the scopes, and the firing pins. Because let’s face it: if your quarry knows the hunt better than you, and they typically do, you’ll never succeed.

We’ll cover the TCP/IP protocol structures mechanically: what they are for, how they work, how they can be subverted, and most importantly, how to tell the difference. What is it about the way that name resolution protocols work that make them such fantastic protocols to abuse? And in so many ways? What secrets can hide in a simple TCP 3-Way Handshake? Why would I care about an ICMP type 3 code 12 message?

We’ll also cover the basics of the tools of our tradecraft, and how they work as well: libpcap, Berkeley Packet Filtering (BPF), tshark, Zeek, Snort, etc., with actual nuts and bolts. Also, we’ll review why sometimes the bolts get stripped and the nuts don’t screw on quite right.

If you’re looking at packets in hex, and you notice that a TCP acknowledgement number of 0xC0A80A64 seems sort of suspicious, then get back to work. If you’re supposed to be hunt-ing threats today, and you’re unsure why a TCP acknowledgement number of 0xC0A80A64 might seem suspicious, then register for this course.


This course will teach you the basics of hunting cyber threat actors, from sniffing the wind to tracking the predator to finding the compromise.

By analogy, this form of “hunting” is pretty much what it implies. Before any hunter can reasonably take the field, you had better be prepared by:

  • Understanding the field itself
    • What direction is the wind blowing (what’s upwind and downwind)?
    • What is the lay of the land?
    • What could either predator or prey hide effectively?
  • Understanding the quarry
    • Where will my quarry likely dwell?
    • How does my quarry behave?
    • What is my quarry hunting (it’s not dwelling there accidentally)?
    • What does it leave behind that I can find to track it effectively?
  • Understanding how your sights and weapons work
    • What can I see and not see within my scope?
    • How/where could my quarry avoid being seen?
    • How can I improve my instrumentation to give me the advantage?

These are the skills and abilities you need to have. This course will help you with that.


This course has been developed specifically with cyber network defenders (CND) in mind. If you work in any capacity of system/network maintenance and/or defense, you should consider the skills covered in this course as at least useful to your arsenal, if not critical to your ability to fight the good fight.

Blue Team:

  • If you suspect that you’re not doing/seeing all that you can, this course is for you.
  • If you’re in a position of knowing that you have exposures that aren’t being adequately addressed, this course is for you.
  • If you want some help finding a way to demonstrate any of this to others–particularly to management–this course is for you.

Red Team:

  • If you understand that your job is to help the Blue Team do better through what you can discover and help them fix, then refer to the above points. This course is for you too!
  • If you think your job is just to show how easy it is to break their things and make the lives of defenders more difficult, then please move on, as I help them understand how irrelevant you are, generally.


This course is designed to be educational for all attendees, regardless of their level of technical skill. Though it is tailored to those with at least a moderate level of network protocol (TCP/IP) familiarity, and those familiar with data structures as represented in hexadecimal notation, such a background is not required.

If you are not a network/packet geek, I promise that you will better understand the structure of network communications by the end of it, and it won’t hurt too much. Further, you’ll better understand how a lot of Evil does its stuff. And that won’t hurt at all.

If you are a network/packet geek, I promise that I’ll teach you things that you didn’t know and make you better at your game in ways you didn’t even know were possible.


A demonstration of the labs in support of the course will be provided to accommodate anyone interested in the details but without the time or inclination to work through them manually. Note that manual walk-throughs are highly recommended, but we recognize that not everyone can easily find the time, and not everyone is in a position where such exercises make good sense.

If you are a hands-on type and expecting to execute labs as presented, you should:

  • Understand the basics of workstation-level virtual machines
  • Be able to download and run a Linux VM
  • Be able to execute Linux command line commands as directed in class.

In order to complete the labs in class, students will need a hypervisor platform, preferably VMware™ Workstation Pro or Player of the most current version. Other hypervisor platforms may work but have not been tested and are not supported.

An Open Virtual Appliance (OVA) file will be provided. The requirements for the VM are as follows:

  • 64GB HDD space
  • 4GB RAM
  • 2 CPU cores
  • Bridged networking with:
    • DHCP available on the local LAN/WLAN
    • Internet connectivity via the bridged interface


    Jonathan Ham is a network forensics and defensive cyber operations expert with more than two decades in the field. Jonathan literally wrote the book on network forensics (as well as the first mainstream instruction on the topic), based on his experience advising in both the public and private sectors, from small startups to the Fortune 50, the U.S. DoD across multiple forces, and several other U.S. federal agencies. As a Principal Instructor with the SANS Institute, he has instructed hundreds of students annually on network intrusion detection, security operations, and perimeter defense.


Tues, November 2, 2021 11:00 AM – 4:00 PM ET

Wed, November 3, 2021 12:00 PM – 4:00 PM ET

Thu, November 4, 2021 12:00 PM – 4:00 PM ET

Fri, November 5, 2021 12:00 PM – 4:00 PM ET

Register to attend this course virtually in November

Join the Wild West Hackin’ Fest Discord server to stay updated on future training and webcasts: Join Our Server!