Why PCAPs Matter for Incident Response
When you are under a DDoS attack and contact your upstream provider or ISP for mitigation, the first thing they will ask for is evidence. Specifically, they want to see the attack traffic so they can configure appropriate filters on their edge routers. A well-prepared PCAP file is the fastest way to get your provider to act, and a poorly prepared one can delay mitigation by hours.
The challenge is that most engineers do not have a packet capture running when an attack begins. By the time you SSH into the server and start tcpdump, the link may already be saturated and you cannot reach the machine. This is the problem Flowtriq's pre-attack PCAP buffer solves: it continuously maintains a rolling 500-packet buffer in memory, so when detection triggers, the capture already includes packets from before the attack crossed the detection threshold.
Anatomy of an Attack PCAP
Flowtriq generates standard pcap-ng format files that can be opened in Wireshark, tshark, or any compatible tool. A typical attack PCAP from Flowtriq contains three phases:
Phase 1: Pre-Attack Baseline (packets 1-100)
These packets were captured before the detection threshold was crossed. They show what normal traffic looks like on this interface, which gives your ISP context about the server's legitimate traffic patterns. This is valuable because it helps them write filter rules that block attack traffic without disrupting your real users.
Phase 2: Attack Onset (packets 100-300)
This is where the attack traffic begins mixing with legitimate traffic. Examining this transition is often the most informative part of the capture because it reveals the attack's signature most clearly. You can see the exact moment when anomalous packets first appear and how their rate increases.
Phase 3: Full Attack (packets 300-500)
By this point, attack traffic typically dominates the capture. These packets give you statistical confidence about the attack's characteristics: source port distribution, packet sizes, TTL values, and payload patterns.
Reading the PCAP: What to Look For
When you open a Flowtriq attack PCAP, focus on these key fields to characterize the attack:
Source IP Distribution
Run a quick tshark analysis to see how many unique source IPs are present:
$ tshark -r attack.pcap -T fields -e ip.src | sort -u | wc -l
847
A high number of unique sources (hundreds to thousands) with traffic concentrated on a single destination IP is the hallmark of a DDoS attack. If the sources are all on port 53, 123, or 11211, you are looking at an amplification attack using DNS, NTP, or memcached reflectors respectively.
Packet Size Distribution
The size of attack packets varies by attack type and is useful for identification:
$ tshark -r attack.pcap -T fields -e frame.len | sort -n | uniq -c | sort -rn | head -5
    312 1500
     89 1400
     42 60
     31 54
     26 128
A preponderance of maximum-size (1500 byte) packets suggests amplification traffic. Small packets (40-60 bytes) with SYN flags indicate a SYN flood. A mix of sizes is common in multi-vector attacks.
Protocol Breakdown
$ tshark -r attack.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter:
eth                                    frames:500 bytes:612400
  ip                                   frames:500 bytes:612400
    udp                                frames:467 bytes:598200
    tcp                                frames:33 bytes:14200
===================================================================
In this example, 93% of traffic is UDP, which immediately identifies this as a volumetric UDP-based attack. Your ISP can use this to implement protocol-level rate limiting while more specific filters are prepared.
TTL Analysis
TTL (Time to Live) values reveal how many network hops the traffic traversed. In amplification attacks, different reflectors are at different network distances, producing a wide TTL distribution. In a botnet attack, you might see clustering around specific TTL values corresponding to common operating system defaults (64 for Linux, 128 for Windows, 255 for network devices).
$ tshark -r attack.pcap -T fields -e ip.ttl | sort -n | uniq -c | sort -rn | head -5
    112 49
     98 52
     87 47
     64 56
     42 44
TTL values in the 44-56 range suggest reflectors that started with TTL 64 and traversed 8-20 hops. This is consistent with amplification from servers across the internet, not a localized botnet.
What to Send Your ISP
When you contact your upstream provider, include the following in your initial message to minimize back-and-forth:
- The PCAP file (Flowtriq provides a direct download link in every alert notification)
- Your target IP address and the approximate attack start time (UTC)
- A one-line summary of the attack type: "UDP amplification from source port 11211 (memcached), ~850 unique sources, ~1.2 Gbps estimated bandwidth"
- Your requested action: null-route the target IP, apply a UDP rate-limit, or enable scrubbing
Flowtriq's alert emails include a pre-formatted incident summary with all of these details. You can forward the alert directly to your ISP's abuse or NOC team and attach the PCAP.
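An added example, not part of Flowtriq's tooling: a small Python script that takes the field output of tshark (ip.src, ip.proto, ip.ttl, frame.len, udp.srcport, tcp.srcport) and runs the four checks above to produce a one-line summary in the shape the ISP expects. The sample lines and the 80% source-port threshold are constructed assumptions; bandwidth is not derived because these fields carry no timing.

```python
from collections import Counter

# Constructed sample (not a real capture) in the format produced by:
#   tshark -r attack.pcap -T fields -e ip.src -e ip.proto -e ip.ttl \
#          -e frame.len -e udp.srcport -e tcp.srcport   (tab-separated, one packet per line)
SAMPLE = """\
198.51.100.7\t17\t49\t1500\t11211\t
203.0.113.22\t17\t52\t1500\t11211\t
198.51.100.90\t17\t47\t1400\t11211\t
192.0.2.15\t6\t128\t60\t\t44123
203.0.113.80\t17\t56\t1500\t11211\t
198.51.100.33\t17\t44\t1500\t11211\t
"""
PROTO = {6: "tcp", 17: "udp"}
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached"}  # reflector services named in the post

def parse_tshark_fields(text):
    """Turn tshark -T fields output into a list of per-packet dicts."""
    rows = []
    for line in text.splitlines():
        src, proto, ttl, length, usport, tsport = line.split("\t")
        rows.append({"src": src, "proto": int(proto), "ttl": int(ttl),
                     "len": int(length), "sport": int(usport or tsport or 0)})
    return rows

def characterize(rows):
    """The four checks from the post: unique sources, sizes, protocol mix, TTL spread."""
    n = len(rows)
    protos = Counter(PROTO.get(r["proto"], str(r["proto"])) for r in rows)
    dominant, dcount = protos.most_common(1)[0]
    attack = [r for r in rows if PROTO.get(r["proto"], str(r["proto"])) == dominant]
    top_port, port_count = Counter(r["sport"] for r in attack).most_common(1)[0]
    ttls = sorted(r["ttl"] for r in attack)
    return {
        "unique_sources": len({r["src"] for r in rows}),
        "dominant_proto": dominant,
        "dominant_pct": round(100 * dcount / n, 1),
        "top_src_port": top_port,
        "top_src_port_pct": round(100 * port_count / len(attack), 1),
        "large_pkt_pct": round(100 * sum(r["len"] >= 1400 for r in attack) / len(attack), 1),
        "ttl_spread": ttls[-1] - ttls[0],  # wide spread: reflectors at varied distances
    }

def isp_summary(stats):
    """One-line attack description to paste into the ISP ticket (assumed 80% port threshold)."""
    svc = REFLECTOR_PORTS.get(stats["top_src_port"])
    if stats["dominant_proto"] == "udp" and svc and stats["top_src_port_pct"] > 80:
        kind = f"UDP amplification from source port {stats['top_src_port']} ({svc})"
    else:
        kind = f"{stats['dominant_proto'].upper()} flood"
    return (f"{kind}, {stats['unique_sources']} unique sources, "
            f"{stats['dominant_pct']}% {stats['dominant_proto'].upper()}, "
            f"TTL spread {stats['ttl_spread']} hops")
```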
What PCAPs Cannot Tell You
Packet captures are powerful forensic tools, but they have important limitations:
- Spoofed source IPs are not the attacker. In amplification attacks, the source IPs belong to the reflectors, not the attacker. In direct floods with IP spoofing, the sources are entirely fabricated. Do not waste time trying to trace or block individual source IPs from the PCAP.
- Capture at the host misses dropped traffic. If the attack has already saturated your network link, the PCAP captured at the host only shows packets that made it through. The actual attack volume may be significantly higher than what the capture suggests.
- Payload inspection is unreliable for encrypted traffic. If the attack uses HTTPS or other encrypted protocols, the PCAP will show the TLS handshake but not the application-layer payload. You can still analyze connection patterns and timing, but content-based filtering requires TLS termination.
- Short captures may miss attack variations. A 500-packet capture is excellent for initial characterization but may not reveal attack pattern changes. Flowtriq optionally supports extended captures (up to 10,000 packets) on higher-tier plans for longer-duration analysis.
Pro tip: Always check if your ISP has a specific format or size requirement for PCAP submissions. Some providers limit attachments to 10 MB. Flowtriq's captures are typically under 1 MB, well within these limits.
Automating the Workflow
For teams that want to minimize manual steps during an incident, Flowtriq's API exposes PCAP files programmatically. You can build integrations that automatically attach the PCAP to your incident ticket in PagerDuty, Jira, or any system that accepts file uploads via API. Combined with Flowtriq's webhook alerts, this means the full evidence package can be assembled and sent to your ISP without any human intervention.
PCAP forensics is available on all Flowtriq plans starting at $9.99/mo per node. The 500-packet rolling buffer is always on, and no configuration is required. Start your free trial to see it in action.