Network Traffic Analysis for Incident Response Learning Path

Learn about network traffic analysis tools and techniques.

14 hours, 22 minutes

Quick facts

  • 100% online
  • Assessment

About Network Traffic Analysis for Incident Response

Learn about the tools and techniques used for analyzing traffic passing over the network. This learning path covers identification and analysis of benign and malicious traffic, examples and case studies of extracting intelligence from traffic data, considerations when building a network monitoring program, and techniques for collecting and analyzing traffic data.

Network Traffic Analysis for Incident Response Skill Assessment

Assessment - 51 questions

Introduction to Network Traffic Analysis

Course - 00:42:00

Start out on this learning path by taking a look at what network traffic analysis is and some of its major applications. This course describes network traffic analysis and discusses its applications for monitoring the functionality of networked systems and performing incident response investigations.

Fundamentals of Networking

Course - 00:57:00

In order to identify anomalous or malicious traffic in a network, it’s necessary to first understand what’s normal. This course discusses the fundamentals of networking, including the OSI model, the differences between TCP, UDP and ICMP and their intended uses, and the purposes of common high-level protocols like HTTP and SMTP.

Hands-On Traffic Analysis in Wireshark

Course - 01:45:00

Wireshark is probably the most commonly used tool for network traffic analysis and will be used throughout this learning path. This course introduces some of the useful features of Wireshark and shows what the protocols discussed in the previous course look like in practice and how the various layers work together to make networking possible.

Alternatives to Wireshark

Course - 00:32:00

Wireshark is probably the most popular tool for network traffic analysis. However, it is not the only one available. This course provides an introduction to some alternatives to Wireshark, covering some of the most useful and unique features of TShark (Wireshark’s command-line equivalent), CloudShark and NetworkMiner.

Network Traffic Intelligence Collection

Course - 01:44:00

A common use of network traffic analysis is for performing incident response activities. The purpose of these actions is to extract useful intelligence from network captures that can help to inform the rest of the investigation. This course demonstrates how to extract certain types of useful data from a network capture file.

Common Network Threats

Course - 01:23:00

An organization can be attacked over the network in a variety of different ways. However, some methods are more common than others. In this course, you will see what scanning, data exfiltration, DDoS attacks and attacks against IoT devices look like in a network capture in a series of demonstrations.

Traffic Analysis Case Studies

Course - 01:06:00

Different types of incident response investigations lend themselves to network-based analysis to different degrees. This course consists of a series of demonstrations where analysis of network traffic is used to infer information about different types of malware, including remote access Trojans (RATs), fileless malware, network worms and multi-stage infections.

Data Collection for Network Traffic Analysis

Course - 01:00:00

In order to investigate a network traffic capture, it is first necessary to capture it. This course discusses methods and considerations for data collection of network traffic. Topics include considerations for deployment of monitoring appliances and the use of virtualization and deception for data collection.

Data Analysis for Network Traffic Analysis

Course - 02:22:00

Having access to network traffic data is of very limited value without the ability to analyze it. In this course, you will learn about connection-based analysis, statistical analysis and event-based analysis, their relative pros and cons for different monitoring situations, and tools and techniques for performing them effectively.

Meet the author

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at

How to claim CPEs

Should you complete this learning path, you’ll be able to download a certificate of completion. Use this to claim your CPEs or CPUs.

Associated NICE Work Roles

All Infosec training maps directly to the NICE Workforce Framework for Cybersecurity to guide you from beginner to expert across 52 Work Roles.

  • All-Source Analyst
  • Mission Assessment Specialist
  • Exploitation Analyst
