# Analyzing Network Traffic of Malware

## When to Use

- Sandbox execution has captured a PCAP file and the network behavior needs detailed analysis
- Identifying the C2 protocol structure for writing network detection signatures
- Determining what data the malware exfiltrates and to which external infrastructure
- Analyzing DNS tunneling, domain generation algorithms (DGA), or fast-flux behavior
- Creating Suricata/Snort signatures based on observed malware network patterns

Do not use for host-based analysis of malware behavior; use Cuckoo sandbox reports or Volatility memory analysis for process-…
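A worked example of the DNS tunneling/DGA triage and the signature-writing step listed above. This is added example code, not part of the original page: it assumes the DNS layer has already been exported from the PCAP as `(timestamp, client_ip, qname, rcode)` tuples (the `SAMPLE_DNS` list is constructed, not a real capture), approximates the registered domain with the last two labels instead of a public-suffix list, and uses a placeholder `sid` in the generated Suricata rule.

```python
"""Heuristic triage of DNS queries exported from a malware PCAP, flagging
DNS-tunnelling zones and DGA-style lookup bursts, plus a helper that turns a
flagged domain into a Suricata dns.query rule.  Added example; the input
shape (ts, client, qname, rcode) is an assumption, e.g. from tshark -T fields."""
import math
from collections import defaultdict

# Constructed sample records (not from any real capture).
SAMPLE_DNS = [
    # a benign host
    (1.0, "10.0.0.7", "www.example.com", "NOERROR"),
    (1.2, "10.0.0.7", "mail.example.com", "NOERROR"),
    (1.4, "10.0.0.7", "api.github.com", "NOERROR"),
    # infected host: burst of random-looking domains, only one resolves
    (2.0, "10.0.0.5", "xk3jq9zlpw2r.net", "NXDOMAIN"),
    (2.1, "10.0.0.5", "q8vb1mzt7ykw.net", "NXDOMAIN"),
    (2.2, "10.0.0.5", "lp0nr4ws9cxe.net", "NXDOMAIN"),
    (2.3, "10.0.0.5", "mz7tq2vxk8pd.net", "NXDOMAIN"),
    (2.4, "10.0.0.5", "h4dk9rwe1qzn.net", "NOERROR"),
    # same host: hex-encoded data carried in query names under one zone
    (3.0, "10.0.0.5", "4a6f686e2c20776f726c6421.d.tunnel.example", "NOERROR"),
    (3.1, "10.0.0.5", "7365636f6e642063687f6e6b.d.tunnel.example", "NOERROR"),
    (3.2, "10.0.0.5", "746869726420636875636b20.d.tunnel.example", "NOERROR"),
    (3.3, "10.0.0.5", "666f757274682064617461a1.d.tunnel.example", "NOERROR"),
    (3.4, "10.0.0.5", "6669667468206c696e652020.d.tunnel.example", "NOERROR"),
    (3.5, "10.0.0.5", "6c6173742062697473ff00aa.d.tunnel.example", "NOERROR"),
]


def shannon_entropy(s):
    """Bits per character; high values suggest an algorithmically generated label."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels.  Assumption: no public-suffix list, so co.uk-style
    suffixes are not handled."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze_dns(records, tunnel_min_subdomains=5, tunnel_min_label_len=20,
                dga_min_domains=3, dga_min_entropy=3.0, dga_min_len=10):
    """Return {"tunneling": [per-zone stats], "dga": {client: stats}}."""
    by_domain = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                     "subdomains": set(), "clients": set()})
    for _ts, client, qname, rcode in records:
        qname = qname.rstrip(".").lower()
        rd = registered_domain(qname)
        d = by_domain[rd]
        d["queries"] += 1
        d["clients"].add(client)
        if rcode == "NXDOMAIN":
            d["nxdomain"] += 1
        if qname != rd:
            d["subdomains"].add(qname[: -len(rd) - 1])

    findings = {"tunneling": [], "dga": {}}

    # Tunnelling: many distinct, long subdomains under one zone, i.e. data is
    # being encoded into the query name rather than looked up.
    for rd, d in by_domain.items():
        subs = d["subdomains"]
        if len(subs) >= tunnel_min_subdomains:
            avg_len = sum(len(s) for s in subs) / len(subs)
            avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
            if avg_len >= tunnel_min_label_len:
                findings["tunneling"].append({
                    "domain": rd, "unique_subdomains": len(subs),
                    "avg_subdomain_len": round(avg_len, 1),
                    "avg_entropy": round(avg_ent, 2)})

    # DGA: one client querying several random-looking second-level labels,
    # most of which do not resolve (only the registered C2 domain answers).
    candidates = defaultdict(list)
    for rd, d in by_domain.items():
        sld = rd.split(".")[0]
        if len(sld) >= dga_min_len and shannon_entropy(sld) >= dga_min_entropy:
            for client in d["clients"]:
                candidates[client].append(d)
    for client, doms in candidates.items():
        if len(doms) >= dga_min_domains:
            queries = sum(d["queries"] for d in doms)
            nx = sum(d["nxdomain"] for d in doms)
            findings["dga"][client] = {"domains": len(doms),
                                       "nxdomain_ratio": nx / queries}
    return findings


def suricata_dns_rule(domain, sid):
    """Suricata rule alerting on any query for `domain` or a name under it.
    `sid` is a placeholder the analyst assigns from their own range."""
    return ('alert dns any any -> any any (msg:"Possible C2 DNS lookup for {0}"; '
            'dns.query; content:"{0}"; nocase; endswith; '
            'classtype:trojan-activity; sid:{1}; rev:1;)').format(domain, sid)


if __name__ == "__main__":
    result = analyze_dns(SAMPLE_DNS)
    print(result)
    for hit in result["tunneling"]:
        print(suricata_dns_rule(hit["domain"], 1000001))
```

The thresholds are starting points, not ground truth: a CDN or a large SaaS zone can also show many unique subdomains, so confirm a tunnelling hit by looking at the TXT/NULL record mix and query volume in the PCAP before writing the signature. The DGA check deliberately keys on the NXDOMAIN ratio per client, because a single unresolved random-looking domain proves little, while a burst where only one name resolves is the classic pattern to pivot on when identifying the live C2.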