
Week 12: Capstone and Bridge to Next Courses


You have traced every layer from Ethernet to TLS. You have written display filters, followed TCP streams, and worked through real CVEs in Wireshark's dissectors. This week you bring it together: a Network Snapshot of traffic you captured yourself, committed to Git, showing that you can apply the model to real network data.


Theme

The capstone is not a test of whether you can follow instructions. It is a test of whether you have internalized the model enough to apply it to unfamiliar traffic. You will capture traffic from a network you control (your home network or a class-provided lab environment), open it in Wireshark, and write a structured analysis report. You will identify the protocols present, trace at least one complete conversation for each required protocol, and find at least one thing that looks anomalous or unexpected. The report goes in a Git repository; everything you have learned about Git in FND-101 applies here.

The closing lecture maps every NET-101 skill to the downstream courses that use it. You leave week 12 knowing exactly what NET-201, PEN-101, SEC-101, and ADV-101 will demand of you.

Reading (~30 minutes)

  1. Review your own week-1 through week-11 lab outputs and reflection notes. Where were you most uncertain? Which protocol was hardest to trace?
  2. Skim the CAPSTONE.md specification file in this directory: know exactly what you are submitting and how it is graded before you start.

Lecture outline (~2 hours)

Section 1: Capstone scope and approach

  • Goal: produce a Network Snapshot report on traffic you captured (or traffic from the class-provided lab-capture scenario)
  • Required protocols to identify and trace: ARP, DHCP, DNS, at least one TCP session, at least one TLS session
  • Required anomaly: at least one thing in the capture that is different from what you would expect from a fully normal network conversation
  • Report format: Markdown; five sections; 600-1000 words total (see CAPSTONE.md for the full spec)
  • Git repository: at least 3 commits; all required files present; meaningful commit messages

Day-by-day approach:

  • Day 1: capture traffic; run Statistics > Protocol Hierarchy; write the introduction section of the report
  • Day 2: trace ARP and DHCP conversations; annotate; write sections 2-3 of the report
  • Day 3: trace DNS and TCP; write section 4; start the anomaly section
  • Day 4: trace TLS; finalize the anomaly section; write section 5 (forward pointers)
  • Day 5: revise; verify Git repo is complete; check against the capstone spec

Section 2: How to capture traffic ethically

Authorized capture only. You may only capture traffic on a network you own or have explicit permission to capture on. In practice: your home network, a class-provided virtual lab network, or a dedicated test network.

Capture tools (replace eth0 below with your own interface name; tcpdump -D or tshark -D lists the interfaces available):

  • Wireshark (GUI): capture live traffic directly in Wireshark; go to Capture > Start, or Capture > Options first to choose the interface and set a capture filter
  • tcpdump (command line): sudo tcpdump -i eth0 -w capture.pcap writes every frame seen on interface eth0 to capture.pcap in classic pcap format
  • tshark (command line): sudo tshark -i eth0 -w capture.pcap does the same using Wireshark's capture engine; tshark writes pcapng by default, so add -F pcap if a downstream tool expects classic pcap

Privilege caveat: the week-10 CVEs were in Wireshark's dissectors, which is exactly why you should not run the Wireshark GUI as root. Capture with tcpdump or tshark (or let Wireshark's separate dumpcap helper do the privileged capture for you) and open the saved file as your normal user.

Filter before you capture (BPF capture filters) to limit the file size, but check that the filter does not throw away a required protocol:

  • sudo tcpdump -i eth0 -w capture.pcap 'port 53 or port 80 or port 443' captures only DNS + HTTP + HTTPS traffic. For the capstone that filter is too narrow: it discards ARP (not IP at all, so it has no port) and DHCP (UDP ports 67 and 68), both of which you must trace. A filter that keeps every required protocol is 'arp or port 67 or port 68 or port 53 or port 443'
  • BPF capture filters are different from Wireshark display filters: a capture filter is applied at capture time and packets it rejects are never written, so they cannot be recovered later; a display filter only hides packets from view and can be changed at will. When in doubt, capture everything and filter on display

Capture duration: 5-15 minutes of normal browsing activity produces DNS for every hostname, TCP for every connection, and TLS for every HTTPS connection. ARP appears whenever a host needs a neighbour's MAC address and its cache entry has expired, but DHCP only appears when a lease is obtained or renewed, so a capture started after your machine is already on the network may contain no DHCP at all. Start the capture first, then disconnect and reconnect the interface (or release and renew the lease) so that the DHCP exchange (Discover, Offer, Request, Ack) and the ARP traffic that follows it land in the file.
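The pre-flight check that the Day 1 and Day 5 steps above call for, as an added example that is not part of the course's lab material: a small Python script that reads a classic pcap file, builds the same per-frame protocol path that Statistics > Protocol Hierarchy displays, and lists which of the capstone's required protocols (ARP, DHCP, DNS, TCP, TLS) are absent. It assumes a classic libpcap file with Ethernet frames (tcpdump's default; for tshark add -F pcap), recognises DHCP and DNS by UDP port, and recognises TLS by its record header rather than by port 443 alone. The frames at the bottom are hand-constructed, not captured traffic; the second capture shows what the port 53/80/443 filter leaves behind.

```python
"""Capstone capture pre-flight check (added example, not course material).
Assumes classic pcap (not pcapng), link type 1 (Ethernet), DHCP and DNS
recognised by UDP port, TLS recognised by its record header."""
import struct
from collections import Counter

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
IP_TCP, IP_UDP = 6, 17
REQUIRED = ("arp", "dhcp", "dns", "tcp", "tls")   # from the capstone spec


def classify(frame):
    """Return the protocol path of one Ethernet frame, outermost first."""
    if len(frame) < 14:
        return ["eth"]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:
        return ["eth", "arp"]
    if ethertype != ETH_IPV4 or len(frame) < 34:
        return ["eth"] if ethertype != ETH_IPV4 else ["eth", "ip"]
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    proto = frame[23]                       # IPv4 protocol field
    l4 = frame[14 + ihl:]
    path = ["eth", "ip"]
    if proto == IP_UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        path.append("udp")
        if {sport, dport} & {67, 68}:
            path.append("dhcp")
        elif 53 in (sport, dport):
            path.append("dns")
    elif proto == IP_TCP and len(l4) >= 20:
        doff = (l4[12] >> 4) * 4            # TCP data offset in bytes
        payload = l4[doff:]
        path.append("tcp")
        # TLS is identified by the record header (content type 0x16 =
        # handshake, major version 0x03), not by port 443 alone.
        if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
            path.append("tls")
    return path


def read_pcap(data):
    """Yield the frames of a classic pcap file (either byte order)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not classic pcap; for tshark output use -F pcap")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("link type %d is not Ethernet" % linktype)
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def protocol_hierarchy(data):
    """Frame count per protocol path, e.g. {'eth/ip/udp/dns': 1, ...}."""
    return Counter("/".join(classify(f)) for f in read_pcap(data))


def missing_required(data):
    """Required protocols (capstone spec) that never appear in the capture."""
    seen = {p for f in read_pcap(data) for p in classify(f)}
    return [p for p in REQUIRED if p not in seen]


# --- constructed sample capture: hand-built frames, not real traffic -------
def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def _eth(ethertype, payload):
    return b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ethertype) + payload

def _ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload

ARP_REQUEST = _eth(ETH_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20)
DHCP_DISCOVER = _eth(ETH_IPV4, _ipv4(IP_UDP, _udp(68, 67, b"\x01\x01\x06\x00" + b"\x00" * 236)))
DNS_QUERY = _eth(ETH_IPV4, _ipv4(IP_UDP, _udp(51234, 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6)))
TCP_SYN = _eth(ETH_IPV4, _ipv4(IP_TCP, _tcp(40000, 443, b"")))
TLS_HELLO = _eth(ETH_IPV4, _ipv4(IP_TCP, _tcp(40000, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")))

FULL_CAPTURE = _pcap([ARP_REQUEST, DHCP_DISCOVER, DNS_QUERY, TCP_SYN, TLS_HELLO])
# What 'port 53 or port 80 or port 443' leaves behind: no ARP, no DHCP.
FILTERED_CAPTURE = _pcap([DNS_QUERY, TCP_SYN, TLS_HELLO])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FULL_CAPTURE
    for path, n in sorted(protocol_hierarchy(data).items()):
        print("%-20s %d" % (path, n))
    print("missing required protocols:", missing_required(data) or "none")
```

Save it under a name of your choosing (check_capture.py is assumed here) and run python3 check_capture.py capture.pcap; with no argument it analyses the built-in sample. Anything it reports as missing means recapturing, not editing the report: the capture is the evidence the report is graded against.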

Section 3: Closing lecture -- the map forward

Every skill you learned in NET-101 connects directly to at least one downstream course:

NET-201 (Advanced Network Analysis):

  • TCP internals (weeks 6-7) extend to QUIC analysis, congestion measurement, and packet-loss diagnostics
  • DNS deep-dive (week 8) extends to DNSSEC validation and DNS-over-HTTPS interception analysis
  • TLS analysis (week 10) extends to certificate-chain inspection, cipher-suite auditing, and TLS fingerprinting (JA3/JA3S)
  • Display filters (week 11) extend to Wireshark Lua scripting for custom dissectors

PEN-101 (Penetration Testing Foundations):

  • ARP and IP (weeks 2-3) are the foundation for ARP spoofing and man-in-the-middle attacks
  • TCP (weeks 6-7) underpins port-scanning (nmap) and service fingerprinting
  • DNS (week 8) is relevant for DNS enumeration and zone-transfer attacks
  • TLS (week 10) is relevant for certificate-based attacks and TLS downgrade

SEC-101 (Cybersecurity Principles):

  • The full protocol stack (weeks 1-10) is the foundation for understanding attack surfaces
  • NSM and display filters (week 11) are the foundation for understanding intrusion detection
  • The CVE quartet (week 10) is the foundation for vulnerability scoring and patch management

ADV-101 (Adversarial Analysis):

  • TLS and CVE quartet (week 10) connect directly to the CVE-driven analysis that ADV-101 centers on
  • Snort/Suricata rules (week 11) are the defensive side; ADV-101 teaches how to evade or analyze them from the attacker's view
  • The pcap-tools workbench (week 9) is the analysis environment used throughout ADV-101

The motto NET-101 leaves you with: every subsequent Virtus course that mentions a network expects you to be comfortable at the byte level. You are now there.

Labs (~90 minutes)

Lab 12-1: Capstone Lab (labs/lab-12-1-capstone.md) -- the lab this week is the capstone itself; see CAPSTONE.md for the full specification

Independent practice (~7 hours)

This week's independent practice is the capstone. Allocate the full 7 hours across days 2-5 of the week. See the day-by-day approach in Section 1 above.

Reflection prompts (~30 minutes)

  1. You spent 11 weeks building a model of how networks work. What was the single most surprising thing you learned -- the fact or concept that was most different from what you assumed before the course?
  2. NET-101 taught protocols in order of the TCP/IP stack: link, network, transport, application. Would learning the stack top-down (application first) have been easier or harder? What would you have missed?
  3. Every display filter you wrote is essentially a structured question about the capture. What question do you wish you could ask that you do not know how to ask yet?
  4. The CVE quartet showed four real vulnerabilities in a widely used security tool. What does that tell you about the relationship between using security tools and understanding the attacks those tools help detect?
  5. If you were designing NET-201, what would the first lab be? What protocol or technique do you most want to go deeper on?

What comes next

NET-201 (Advanced Network Analysis) picks up where this course ends: BGP routing, IPv6 in depth, Wireshark Lua scripting, TLS forensics, and large-scale pcap analysis. If your interest is offensive security, PEN-101 (Penetration Testing Foundations) starts with the TCP/IP model you now know and shows you how attackers use it. If your interest is understanding vulnerabilities at the binary level, ADV-101 (Adversarial Analysis) starts with the CVE quartet you worked through in week 10.