Turning FortiGate Logs and Hex Dumps Into Packet Evidence
Real investigations rarely start with a tidy PCAP. Often all you have is a firewall log or a hex dump pasted into a ticket. Here's how to turn that text into packet evidence.
Read articleOpening a big capture and scrolling from the top is how investigations stall. Here's a repeatable four-step way to get from a raw PCAP to a defensible conclusion.
Key takeaways
A medium capture holds tens of thousands of packets; a busy one holds millions. Reading it like a document — top to bottom, row by row — guarantees you drown before you find anything. Worse, it feels like progress, so you keep doing it long after it has stopped working.
The fix is not a faster scroll. It's a workflow that treats the capture as a funnel: every step should throw away packets you don't care about, so the set in front of you keeps shrinking until the answer is obvious. Four moves get you there — orient, narrow, follow, conclude.
Before you look at a single packet in detail, get the shape of the capture. You are answering three questions: who is talking, what protocols are in play, and over what time window. This takes a minute and saves an hour.
Now reduce the capture to the packets that matter. The mistake here is filtering randomly and hoping. Instead, form a hypothesis from the orientation step and filter to test it.
Good narrowing is subtractive and specific: a host, a port, a protocol, a time slice, or a combination. Each filter should be a question you're asking the data — "show me everything this host did over TLS in this ten-second window" — not a fishing expedition.
Individual packets rarely tell a story; conversations do. Once you've narrowed to a suspicious exchange, reconstruct it — follow the TCP or UDP stream so you see the request and response together instead of interleaved fragments.
This is where a capture starts to explain itself: a handshake that never completes, a redirect to somewhere unexpected, a payload that isn't what the port implies. A good tool rebuilds the conversation where the capture supports it and is honest when a stream can't be fully reconstructed — a gap you know about is far safer than a guess you don't.
A conclusion is only useful if you can defend it. Before you write anything down, make sure every claim maps to specific frames in the capture. "The host was beaconing" is an opinion; "the host sent a request to this destination every 30 seconds, frames 1042 through 1990" is evidence.
Package the finding so it stays traceable: the relevant packets, the reconstructed streams, and a short narrative that a colleague — or an auditor — can follow back to the raw data. If you can't point at the packets, you don't have a finding yet.
Don't start by reading packets. Start by summarising the capture: top talkers, protocol distribution, and the time span. That orientation tells you where to look before you inspect anything in detail, which is far faster than scrolling from the top.
Form a hypothesis from a quick overview, then filter to test it — by host, port, protocol, or time window. Each filter should answer a specific question. Narrowing with intent beats scrolling or filtering at random.
Individual packets are fragments; the story lives in the conversation. Reconstructing a TCP or UDP stream shows the request and response together, which is usually what reveals the incomplete handshake, unexpected redirect, or mismatched payload that explains the capture.