https://mostafa-ashour.github.io/posts/network-traffic-analysis/Recent content in Network Traffic Analysis on Ashour BlogHugoen-us<a href="https://creativecommons.org/licenses/by-nc/4.0/" target="_blank" rel="noopener">CC BY-NC 4.0</a>Fri, 24 Apr 2026 01:51:12 +0300https://mostafa-ashour.github.io/posts/2026/04/detecting-network-abnormalities/Fri, 24 Apr 2026 01:51:12 +0300https://mostafa-ashour.github.io/posts/2026/04/detecting-network-abnormalities/<h1 id="fragmentation-attacks">Fragmentation Attacks</h1> <ul> <li> <p>Related PCAP File(s)—<code>nmap_frag_fw_bypass.pcapng</code>.</p> </li> <li> <p>When investigating network anomalies, start by examining the IP layer</p> </li> <li> <p>The IP layer is:</p> <ul> <li>Responsible for transferring data packets between network points (from one hop to another).</li> <li>Using source and destination IP addresses to facilitate communication between hosts (inter-hosts communication).</li> </ul> </li> <li> <p>IP addresses can be found within the IP header of each packet when analyzing network traffic.</p> </li> <li> <p>Keep in mind that the IP layer itself doesn&rsquo;t detect lost, dropped, or altered/tampered packets.</p>https://mostafa-ashour.github.io/posts/2026/04/link-layer-attacks/Fri, 24 Apr 2026 01:51:12 +0300https://mostafa-ashour.github.io/posts/2026/04/link-layer-attacks/<h1 id="arp-spoofing--abnormality-detection">ARP Spoofing &amp; Abnormality Detection</h1> <ul> <li> <p>Related PCAP File(s)—<code>ARP_Spoof.pcapng</code>.</p> </li> <li> <p>Attackers have long misused the <code>Address Resolution Protocol (ARP)</code> to carry out man-in-the-middle and denial-of-service attacks.</p> </li> <li> <p>Because of this common abuse, ARP is a key area/point to examine when analyzing network traffic, and it&rsquo;s often the first protocol we check.</p> </li> <li> <p>Many ARP attacks are broadcast to the entire network rather than targeting individual computers, which makes them easier to find using packet sniffing.</p>