This is a static archive of our old Q&A Site. Please post any new questions and answers at

Pcap analysis


Just another Pcap, is there anything malicious with this or is it normal traffic?

asked 23 Oct '17, 09:59

subb148's gravatar image

accept rate: 0%

One Answer:


Based on your other question I get a definite feeling this is a homework assignment.

Having said that, as an educational opportunity, if you right-click on the TCP stream and select "follow TCP stream" you can see that most of this trace is an ASCII terminal application where a user is issuing Linux commands. They are as follows, and can be ignored (unless a person logging into that server and issuing these commands is nefarious):

ls -la cd .. ls cd selinux ls ls -la

For the rest of it, you have a unicast DHCP request (looks non-evil), and ARP traffic (where the replies don't contradict each other at least). So, nothing "scanny" happening there, and nothing that particularly strikes me as malicious on the face of it.

answered 23 Oct '17, 22:14

Quadratic's gravatar image

accept rate: 13%