{"id":11707,"date":"2025-02-25T11:25:43","date_gmt":"2025-02-25T11:25:43","guid":{"rendered":"\/cybersecurity-blog\/?p=11707"},"modified":"2025-04-09T14:04:47","modified_gmt":"2025-04-09T14:04:47","slug":"network-traffic-analysis-in-linux","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/network-traffic-analysis-in-linux\/","title":{"rendered":"Malware Traffic Analysis in Linux: Hands-on Guide with Examples"},"content":{"rendered":"\n<p>Network traffic analysis is one of the most effective ways to detect and investigate malware infections. By analyzing communication patterns, researchers and security teams can uncover signs of malicious activity, such as command-and-control (C2) connections, data exfiltration, or DDoS attacks.&nbsp;<\/p>\n\n\n\n<p>In this guide, we&#8217;ll explore how traffic analysis helps detect malware, the key tools used for this purpose, and real-world examples of Linux malware analyzed in <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=linux_traffic_analysis&amp;utm_term=250225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN&#8217;s Interactive Sandbox<\/a>.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How Traffic Analysis Helps Detect Malware&nbsp;<\/h2>\n\n\n\n<p>Some types of malware rely on network communication to receive commands, exfiltrate stolen data, spread across systems, or launch attacks. That\u2019s why network traffic analysis is one of the most effective ways to detect and investigate malware infections.&nbsp;<\/p>\n\n\n\n<p>By looking at how data flows in and out of a system, you can reveal a variety of malicious activities that might otherwise go unnoticed.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
Distributed Denial-of-Service (DDoS) Attacks&nbsp;<\/h3>\n\n\n\n<p>Some malware turns infected devices into zombies within a <a href=\"https:\/\/any.run\/malware-trends\/botnet\" target=\"_blank\" rel=\"noreferrer noopener\">botnet<\/a>, instructing them to flood a target server with requests. This can cause service disruptions, slow down websites, or even take entire networks offline.&nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u261d\ufe0f Signs in network traffic<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <ul>\n      <li>Unusually high volumes of outgoing traffic<\/li>\n      <li>Sudden bursts of connections to multiple IPs<\/li>\n      <li>Large numbers of SYN packets<\/li>\n    <\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<h3 class=\"wp-block-heading\">2. Command and Control (C2) Communication&nbsp;<\/h3>\n\n\n\n<p>Many malware strains, from trojans to ransomware, rely on C2 servers to receive instructions from attackers. 
These communications can include downloading additional payloads, executing commands, or transmitting stolen data.&nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u261d\ufe0f Signs in network traffic<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <ul>\n      <li>Repeated communication with suspicious or newly registered domains<\/li>\n      <li>Encrypted traffic over unusual ports<\/li>\n      <li>Beaconing patterns<\/li>\n    <\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<h3 class=\"wp-block-heading\">3. Data Exfiltration &amp; Credential Theft&nbsp;<\/h3>\n\n\n\n<p>Some malware is designed to steal sensitive data, such as login credentials, financial information, or intellectual property. 
This data is often encrypted and sent to an attacker-controlled server.&nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u261d\ufe0f Signs in network traffic<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <ul>\n      <li>Outbound traffic to unknown foreign IPs<\/li>\n      <li>Unusual spikes in file transfer protocols (FTP, SFTP)\u00a0<\/li>\n      <li>Large volumes of outbound DNS queries<\/li>\n    <\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<h3 class=\"wp-block-heading\">4. Exploitation Attempts &amp; Lateral Movement&nbsp;<\/h3>\n\n\n\n<p>Advanced malware doesn\u2019t just infect one machine. 
It looks for vulnerabilities to move laterally across a network, escalating privileges and compromising more devices.&nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u261d\ufe0f Signs in network traffic<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <ul>\n      <li>Repeated login attempts from a single source (brute-force attacks)<\/li>\n      <li>SMB traffic spikes<\/li>\n      <li>Use of internal IP scanning tools like Nmap<\/li>\n    <\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<h3 class=\"wp-block-heading\">5. 
Malware Download &amp; Dropper Activity&nbsp;<\/h3>\n\n\n\n<p>Many infections start with a simple download: malware that acts as a dropper, pulling additional payloads from the internet.&nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u261d\ufe0f Signs in network traffic<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <ul>\n      <li>Downloads from unusual or newly registered domains<\/li>\n      <li>Traffic to known malware-hosting services<\/li>\n      <li>Execution of PowerShell or wget\/curl commands from unknown sources<\/li>\n    <\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<h2 class=\"wp-block-heading\">What Tools to Use for Traffic Analysis&nbsp;<\/h2>\n\n\n\n<p>Various tools help security professionals inspect network traffic and identify suspicious activities. 
Here are some of the most widely used ones:&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Malware Sandboxes&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"586\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image-6-1024x586.png\" alt=\"\" class=\"wp-image-11713\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image-6-1024x586.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image-6-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image-6-768x440.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image-6-1536x879.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image-6-2048x1172.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image-6-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image-6-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image-6-740x424.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Real-time network analysis inside ANY.RUN Linux VM<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>A dynamic analysis environment like <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=linux_traffic_analysis&amp;utm_term=250225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> allows users to observe malware behavior, including network communications, in a controlled setting. 
The sandbox logs network requests, DNS queries, and protocol usage, making it easier to detect malicious patterns.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nAnalyze Linux and Windows threats inside the safe and secure <span class=\"highlight\">ANY.RUN Interactive Sandbox<\/span>&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=linux_traffic_analysis&#038;utm_term=250225&#038;utm_content=linktoregistration#register\/\" target=\"_blank\" rel=\"noopener\">\nSign up for free\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h3 class=\"wp-block-heading\">Wireshark&nbsp;<\/h3>\n\n\n\n<p>A powerful packet analysis tool that enables deep inspection of network activity. Analysts use it to capture live traffic or examine PCAP files for suspicious network behavior.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">tcpdump&nbsp;<\/h3>\n\n\n\n<p>A command-line tool for packet capturing and analysis. 
It provides a lightweight method to monitor network traffic directly from Linux terminals. With tcpdump, analysts can capture packets that flow through a network interface, apply filters to focus on specific traffic, and save captures for later analysis.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">mitmproxy&nbsp;<\/h3>\n\n\n\n<p>An interactive, SSL-capable proxy for analyzing and modifying HTTP\/HTTPS traffic in real time. It\u2019s useful for inspecting malicious web traffic generated by malware.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analyzing Linux Malware Traffic with a Sandbox&nbsp;<\/h2>\n\n\n\n<p><a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=linux_traffic_analysis&amp;utm_term=250225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN\u2019s Interactive Sandbox<\/strong><\/a> provides a real-time, dynamic analysis environment that helps researchers and security teams uncover malicious network activities associated with Linux malware.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s discover how ANY.RUN can make Linux malware traffic analysis more effective:&nbsp;<\/p>\n\n\n\n<p><strong>Real-time network monitoring: <\/strong>Observe <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-analyze-malicious-network-traffic\/\" target=\"_blank\" rel=\"noreferrer noopener\">malware&#8217;s network behavior live<\/a> and view outbound HTTP, HTTPS, and DNS traffic, detect hardcoded C2 servers, and spot encrypted connections on unusual ports.&nbsp;<\/p>\n\n\n\n<p><strong>Interactive analysis: <\/strong><a href=\"https:\/\/any.run\/cybersecurity-blog\/interactive-malware-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">Engage with the infected environment<\/a> to trigger malware behaviors, bypassing sandbox evasion tactics and uncovering hidden threats.&nbsp;<\/p>\n\n\n\n<p><strong>Packet capture (PCAP) export: <\/strong>Capture and export all network traffic for deeper 
analysis in Wireshark or other packet inspection tools.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"571\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image2-5-1024x571.png\" alt=\"\" class=\"wp-image-11716\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image2-5-1024x571.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image2-5-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image2-5-768x428.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image2-5-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image2-5-270x151.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image2-5-740x413.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image2-5.png 1044w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Suricata-driven threat detection inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><strong>Suricata-driven threat detection: <\/strong>The sandbox automatically <a href=\"https:\/\/any.run\/cybersecurity-blog\/detection-with-suricata-ids\/\" target=\"_blank\" rel=\"noreferrer noopener\">flags malicious network behavior<\/a>, including botnet communications, exploit attempts, and data exfiltration.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"250\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image3-3-1024x250.png\" alt=\"\" class=\"wp-image-11718\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image3-3-1024x250.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image3-3-300x73.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image3-3-768x188.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image3-3-1536x376.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image3-3-370x90.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image3-3-270x66.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image3-3-740x181.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image3-3.png 1906w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Network activity displayed inside ANY.RUN Linux sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><strong>Faster investigations: <\/strong>Reduce time spent on manual traffic analysis with live, actionable insights and automated reporting.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Real-World Linux Malware Analyzed in ANY.RUN Sandbox&nbsp;<\/h2>\n\n\n\n<p>To demonstrate the power of ANY.RUN&#8217;s Linux Sandbox for malware traffic analysis, let&#8217;s examine three real-world Linux malware cases:&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Case 1: Gafgyt (BASHLITE) &#8211; Massive DDoS Attack&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/any.run\/malware-trends\/gafgyt\" target=\"_blank\" rel=\"noreferrer noopener\">Gafgyt<\/a>, also known as BASHLITE, is a notorious Linux botnet malware that infects IoT devices and servers to launch DDoS attacks.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/89a07536-df9a-42f0-90fc-69aaf3e468c0\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=linux_traffic_analysis&amp;utm_term=250225&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session with Gafgyt<\/a>&nbsp;<\/p>\n\n\n<div 
class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagec-1024x587.png\" alt=\"\" class=\"wp-image-11721\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagec-1024x587.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagec-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagec-768x440.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagec-1536x880.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagec-2048x1173.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagec-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagec-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagec-740x424.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Gafgyt malware analyzed inside ANY.RUN<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>After examining it inside ANY.RUN\u2019s sandbox, we can see that the malware hijacked the VM, turning it into a botnet. 
It then attempted to establish connections with over 700 different IP addresses, flooding the network with malicious traffic.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"252\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imaged-1024x252.png\" alt=\"\" class=\"wp-image-11724\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imaged-1024x252.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imaged-300x74.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imaged-768x189.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imaged-1536x378.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imaged-370x91.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imaged-270x66.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imaged-740x182.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imaged.png 1912w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Network connections observed inside ANY.RUN Linux VM<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The malware established connections with botnet C2 servers, triggering a Suricata alert due to suspicious network behavior.&nbsp;&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nTry advanced malware analysis firsthand with <span class=\"highlight\">ANY.RUN&#8217;s Enterprise plan<\/span>&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" 
href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=linux_traffic_analysis&#038;utm_term=250225&#038;utm_content=linktodemo\" target=\"_blank\" rel=\"noopener\">\nAccess all features with free trial\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>You can observe this detection in the &#8220;Threats&#8221; section under Network Activity Analysis in ANY.RUN:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"552\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image6-1-1024x552.png\" alt=\"\" class=\"wp-image-11726\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image6-1-1024x552.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image6-1-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image6-1-768x414.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image6-1-1536x829.png 1536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image6-1-370x200.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image6-1-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image6-1-740x399.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image6-1.png 1546w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Suricata rule triggered by Gafgyt malware<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>ANY.RUN provides a PCAP export feature, allowing you to analyze captured network traffic in Wireshark or other specialized tools by exporting the packet capture file for deeper inspection and threat analysis.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"251\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image7-1-1024x251.png\" alt=\"\" class=\"wp-image-11728\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image7-1-1024x251.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image7-1-300x74.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image7-1-768x188.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image7-1-1536x376.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image7-1-370x91.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image7-1-270x66.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image7-1-740x181.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image7-1.png 1918w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>PCAP export feature for deeper 
analysis<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Case 2: Mirai &#8211; Detecting Malicious Network Behavior&nbsp;&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/any.run\/malware-trends\/mirai\" target=\"_blank\" rel=\"noreferrer noopener\">Mirai<\/a> is a notorious Linux-based malware that primarily targets IoT devices, such as routers, cameras, and other connected systems. It infects devices by exploiting weak or default credentials, turning them into botnet nodes used for large-scale DDoS attacks.&nbsp;<\/p>\n\n\n\n<p>Once infected, these compromised devices begin scanning the internet for other vulnerable systems to expand the botnet.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/48c08364-d150-44b6-8f1c-c1b3879ba746\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=linux_traffic_analysis&amp;utm_term=250225&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session with Mirai attack<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image8-3-1024x587.png\" alt=\"\" class=\"wp-image-11732\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image8-3-1024x587.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image8-3-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image8-3-768x440.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image8-3-1536x881.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image8-3-2048x1174.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image8-3-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image8-3-270x155.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image8-3-740x424.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Mirai malware detected by ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In this analysis session, we observe a Mirai attack within a controlled environment using ANY.RUN\u2019s Interactive Sandbox.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The malware\u2019s behavior was automatically detected, as it triggered a Suricata rule, confirming its presence through network traffic analysis.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The session shows how Mirai communicates, spreads, and attempts to establish connections with remote servers.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"554\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image9-2-1024x554.png\" alt=\"\" class=\"wp-image-11735\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image9-2-1024x554.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image9-2-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image9-2-768x415.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image9-2-1536x831.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image9-2-370x200.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image9-2-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image9-2-740x400.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/image9-2.png 1546w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Suricata rule triggered by Mirai malware<\/em>&nbsp;&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 
class=\"wp-block-heading\">Case 3: Exploit &#8211; Behavioral Detection in Network Traffic&nbsp;<\/h3>\n\n\n\n<p>Exploits are a common attack vector used by threat actors to gain initial access to Linux systems. These attacks take advantage of system vulnerabilities, often unpatched software or misconfigurations, to execute malicious payloads, escalate privileges, or establish persistence.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Once inside, attackers can deploy additional malware, steal sensitive data, or take full control of the compromised machine.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/a0725b45-6ee2-43dc-8c3b-cb8c373aa084\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=linux_traffic_analysis&amp;utm_term=250225&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session with Exploit<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagea-1-1024x587.png\" alt=\"\" class=\"wp-image-11737\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagea-1-1024x587.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagea-1-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagea-1-768x440.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagea-1-1536x881.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagea-1-2048x1175.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagea-1-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagea-1-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imagea-1-740x424.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Exploit detected by ANY.RUN<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In this analysis session, you can observe the exploit in a controlled environment as it attempts to manipulate system processes.&nbsp;<\/p>\n\n\n\n<p>As you can see, the exploit was automatically flagged by Suricata, providing clear evidence of an active attack.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"571\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imageb-1024x571.png\" alt=\"\" class=\"wp-image-11739\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imageb-1024x571.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imageb-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imageb-768x428.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imageb-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imageb-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imageb-740x412.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/imageb.png 1048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Suricata rule triggered by Exploit<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Why Businesses &amp; Security Teams Should Use ANY.RUN for Linux Malware Detection&nbsp;<\/h2>\n\n\n\n<p>By examining network traffic inside ANY.RUN\u2019s Linux Sandbox, businesses and security teams can:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detect threats faster<\/strong>: Real-time analysis exposes malware behavior instantly.&nbsp;<\/li>\n\n\n\n<li><strong>Reduce investigation time<\/strong>: Automated Suricata alerts streamline detection.&nbsp;<\/li>\n\n\n\n<li><strong>Improve network security<\/strong>: Identify and block malicious traffic before it spreads.&nbsp;<\/li>\n\n\n\n<li><strong>Get deeper insights<\/strong>: PCAP exports and interactive analysis let teams examine the captured traffic in detail.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=linux_traffic_analysis&amp;utm_term=250225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. 
Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs and related files, learn more about the threats, and respond to incidents faster.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=linux_traffic_analysis&amp;utm_term=250225&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request a free trial of ANY.RUN&#8217;s services \u2192<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Network traffic analysis is one of the most effective ways to detect and investigate malware infections. 
By analyzing communication patterns, researchers and security teams can uncover signs of malicious activity, such as command-and-control (C2) connections, data exfiltration, or DDoS attacks.&nbsp; In this guide, we&#8217;ll explore how traffic analysis helps detect malware, the key tools used [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":11777,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,15,34,40],"class_list":["post-11707","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Malware Traffic Analysis in Linux: Hands-on Guide with Examples - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Learn to identify and analyze Linux cyber threats by their network traffic activities and see how you can speed up detection with ANY.RUN.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/network-traffic-analysis-in-linux\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/network-traffic-analysis-in-linux\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/network-traffic-analysis-in-linux\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Malware Traffic Analysis in Linux: Hands-on Guide with Examples\",\"datePublished\":\"2025-02-25T11:25:43+00:00\",\"dateModified\":\"2025-04-09T14:04:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/network-traffic-analysis-in-linux\/\"},\"wordCount\":1478,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/network-traffic-analysis-in-linux\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/network-traffic-analysis-in-linux\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/network-traffic-analysis-in-linux\/\",\"name\":\"Malware Traffic Analysis in Linux: Hands-on Guide with Examples - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-02-25T11:25:43+00:00\",\"dateModified\":\"2025-04-09T14:04:47+00:00\",\"description\":\"Learn to identify and analyze Linux cyber threats by their network traffic activities and see how you can speed up detection with 
ANY.RUN.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/network-traffic-analysis-in-linux\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/network-traffic-analysis-in-linux\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/network-traffic-analysis-in-linux\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Malware Traffic Analysis in Linux: Hands-on Guide with Examples\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}