Fundamentals of Network Traffic Analysis using FireEye Network Forensics

This course covers the fundamentals of network flow analysis, session analysis, application metadata analysis, and reconstruction of data from full content utilizing the FireEye Packet Capture (PX Series) and Investigation Analysis (IA Series) appliances.

Hands-on activities include using both PX and IA to perform search queries and filtering, as well as following alerts from integrated FireEye appliances.

Learning Objectives

After completing this course, learners should be able to:

  • Describe the deployment of PX and IA in the context of FireEye products and services that may be part of the environment used for network traffic monitoring and analysis.
  • Define connection, packet, and session data in the context of network traffic analysis.
  • Perform network traffic analysis using the PX and IA.
  • Reconstruct files or artifacts from full network packet data from resulting session data events using PX and IA.
  • Follow threat alerts from integrated FireEye systems (EX, NX, HX, PX) and intelligence feeds (FireEye Threat Intelligence and other) that aid in the breach investigation and hunting processes.

Instructor-Led Training

Seats for our public ILT sessions can be purchased online; refer to our public training schedule for more information.

Private training sessions are available for teams of 5 or more. Please contact your FireEye account manager for availability and pricing.

Who Should Attend

Network security professionals and incident responders who must work with FireEye Packet Capture and Investigation Analysis appliances to analyze cyber threats through packet data.


Duration

1 day


Prerequisites

A working understanding of networking and network security, the Windows operating system, file system, registry, and use of the command line interface (CLI).

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

  1. PX and IA Appliance Overview
    • What PX and IA are and their purpose
    • PX Hardware ports
    • PX storage considerations
    • Basic PX/IA components
  2. Network Traffic Analysis Environment
    • Network core deployment
    • Network edge deployment
    • PX with NX deployment
    • PX with IA deployment
    • PX and IA relationship
    • IA distributed deployment
    • PX and IA and FireEye integrations
    • Customizing IA dashboards
    • Setting up lists
    • Query lists
  3. Network Traffic Analysis with PX
    • Traffic flow analysis
    • Connections
    • Searching with BPF and XPF
    • The Web UI
    • Filter Builder
    • Packet analysis
    • Data flow in the OSI model
    • TCP/IP Protocol Suite model
    • PX Session data
    • Storing searches
    • Uploading pcap files
    • Pivot to PX
  4. Searching and Filtering with IA
    • IA query tools
    • Constructing queries
    • Search types
    • Grouping
    • Escaping special characters
    • Regular expressions
    • Subnet searches
    • What is metadata?
    • IA metadata and networking models
    • Analyzing metadata
    • Query results
    • Visualizing metadata
    • Stacking metadata
    • Working with metadata filters
    • Reports for scheduled queries
    • Pivot to PX
  5. Reconstructing Network Data
    • Network reconstruction
    • Data reconstruction on PX
    • Downloading a reconstructed file
    • Reconstructing packet data in IA
    • Follow the stream
    • Carving a file from stream data
    • Applying encoder/decoder chains
    • Reconstructing HTML, Email, artifacts
  6. Threat Alerts and Intelligence
    • Network Threat hunting
    • FireEye alerts
    • IA alerts Web UI
    • Filtering alerts
    • Alerts tools for investigation
    • Generating a query from an alert
    • Working with rulesets
    • Threat intelligence
    • Threat intelligence alerts on IA/PX
    • The Mandiant Attack Lifecycle