Network Traffic, Packet, and Protocol Analysis

  • What’s in a network packet?

  • Capture entire traffic

    • Inline capture

    • Make a copy of the traffic (SPAN, port mirroring)

    • MitM (man-in-the-middle) position

  • Receive just a summary

    • Like a phone call log

    • Flow: sequence of packets that share specific fields (like src and dst addresses and ports)

    • NetFlow, Flexible NetFlow, sFlow, J-Flow, IPFIX

    • Configured on networking devices (exporters)

    • Flow information

  • Hardware:

    • LAN switch

    • Sniffer / TAP (Test Access Port)

      • Good: You see all traffic

      • Bad: You see all traffic

    • Use it to monitor critical network assets, or at critical network access points

  • Software:

    • Tcpdump

      • -i eth0 selects the capture interface

      • -n turns off DNS name resolution

      • -e prints the link-layer header (MAC addresses)

      • -v verbose; -vv and -vvv for progressively more detail

      • -w writes the captured packets to a file (PCAP format)

      • -r reads packets from a file instead of an interface

    • Wireshark

  • Packet analysis vs protocol analysis

    • Packet analysis

      • Deep packet inspection (DPI), frame by frame

      • Headers and Contents

      • Can detect attack traces

      • File carving tools: reconstruct files from packet captures

        • NetworkMiner

        • Suricata

        • Zeek

      • Huge data volumes

      • Encryption

      • File extraction based on headers (64B)

      • Unknown protocols

    • Protocol analysis

      • Protocol info: headers and some payload data

      • Detect protocol anomalies.

      • Detect unknown protocols.

      • Detect statistical anomalies.

  • Flow Analysis

    • Full packet capture is too costly, so flows provide just a summary of data.

    • An aggregation application (collector) is required; it can be a SIEM, but that is not mandatory

    • Concept introduced by Cisco with NetFlow

    • Pros:

      • Low resource requirements

      • No dedicated hardware required

      • Unified view among vendors

      • Great for reporting

    • Cons:

      • No payload visibility

      • Cannot be reviewed/processed manually

      • (Mostly) sampled: only 1 out of every N packets is examined

    • SolarWinds NetFlow Traffic Analyzer, ManageEngine NetFlow Analyzer, Cisco Secure Network Analytics, SiLK, Argus

    • MRTG – not really flow analysis; it reports traffic for the whole device or interface, not individual flows.
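
The packet-analysis items above (tcpdump -w/-r and PCAP files; file carving tools that reconstruct files from captures) are illustrated by the following added example, which is not part of the lecture notes. It writes a minimal PCAP file from constructed Ethernet/IPv4/TCP frames, parses it back header by header, reassembles one TCP direction by sequence number, and carves a file out of the stream by its magic header and trailer. The PCAP layout, the PNG signature and the IEND trailer are real; the IP addresses, MAC addresses, "image" contents and the out-of-order segment delivery are constructed, and the parser assumes little-endian microsecond PCAP, no IP/TCP options and no gap or retransmission handling.

```python
# Added example, not from the lecture notes: write a minimal PCAP file (the format
# tcpdump -w produces and -r reads) from constructed Ethernet/IPv4/TCP frames,
# parse it back header by header, reassemble one TCP direction by sequence number
# and carve a file out of the stream by its magic header and trailer.
# Simplifications: IP/TCP checksums left 0, no options, no gap/retransmit handling.
import os
import struct
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # real PNG signature
PNG_END = b"IEND\xaeB`\x82"               # IEND chunk type followed by its fixed CRC
# Constructed blob with PNG framing (not a decodable image): IHDR chunk + IEND chunk.
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + b"\x00\x00\x00\x00" + PNG_END
MAC_SRC, MAC_DST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed

def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Ethernet II + IPv4 (20 bytes) + TCP (20 bytes, PSH/ACK) + payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    return MAC_DST + MAC_SRC + b"\x08\x00" + ip + tcp + payload

def write_pcap(path, frames):
    """frames: list of (timestamp, bytes). Global header, then one record per frame."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
        for ts, frame in frames:
            fh.write(struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000), len(frame), len(frame)))
            fh.write(frame)

def read_pcap(path):
    """Yield (src, dst, sport, dport, seq, payload) for every TCP-over-IPv4 frame."""
    with open(path, "rb") as fh:
        data = fh.read()
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap handled here")
    off = 24                                           # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4, or not TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + ip_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, seq, tcp[data_off:]

def reassemble(packets):
    """Map each (src, dst, sport, dport) direction to its payload bytes in seq order."""
    streams = {}
    for src, dst, sport, dport, seq, payload in packets:
        streams.setdefault((src, dst, sport, dport), []).append((seq, payload))
    return {key: b"".join(p for _, p in sorted(segs)) for key, segs in streams.items()}

def carve_png(stream):
    """Every PNG found by header/trailer in a reassembled stream, as raw bytes."""
    found, pos = [], 0
    while (start := stream.find(PNG_MAGIC, pos)) != -1:
        end = stream.find(PNG_END, start)
        if end == -1:
            break                                      # truncated: trailer never arrived
        found.append(stream[start:end + len(PNG_END)])
        pos = end + len(PNG_END)
    return found

def demo():
    """Serve SAMPLE_PNG over HTTP in 16-byte segments, written to the file out of order."""
    http = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + SAMPLE_PNG
    segments = [(1000 + i, http[i:i + 16]) for i in range(0, len(http), 16)]
    frames = [(1.0 + n / 100, build_frame("203.0.113.10", "10.0.0.5", 80, 51000, seq, data))
              for n, (seq, data) in enumerate(reversed(segments))]
    path = os.path.join(tempfile.mkdtemp(), "sample.pcap")
    write_pcap(path, frames)
    streams = reassemble(read_pcap(path))
    return carve_png(streams[("203.0.113.10", "10.0.0.5", 80, 51000)])

if __name__ == "__main__":
    print([len(blob) for blob in demo()])
```

The file written by write_pcap can be opened with tcpdump -r or Wireshark; the carving step is the same header/trailer idea NetworkMiner and Zeek's file extraction build on, reduced to one file type and without the gap and overlap handling a production reassembler needs.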
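
The protocol-analysis items above (detect protocol anomalies, detect unknown protocols) are illustrated by the following added example, which is not part of the lecture notes. It identifies the application protocol from the first payload bytes rather than from the port, then reports port/protocol mismatches and payloads no signature recognises. The signature table and the expected-port table are simplified assumptions for the demo, and the sample payloads are constructed.

```python
# Added example, not from the lecture notes: identify the application protocol
# from the first bytes of payload instead of trusting the port, then report
# port/protocol mismatches and payloads no signature recognises.
import re

# Simplified signature table (assumption for the demo; real tools carry many more).
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", re.DOTALL)),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3} ", re.DOTALL)),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),  # handshake record, ClientHello
    ("ssh", re.compile(rb"^SSH-2\.0-", re.DOTALL)),
    ("smtp", re.compile(rb"^220 .*?E?SMTP", re.DOTALL)),
]
EXPECTED_ON_PORT = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}

def identify(payload: bytes) -> str:
    """Name of the first matching signature, or 'unknown'."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"

def analyse(records):
    """records: iterable of (dst_port, first_payload_bytes), one per connection.
    Returns (port, finding) tuples for anything that deserves an analyst's attention."""
    findings = []
    for dport, payload in records:
        seen = identify(payload)
        expected = EXPECTED_ON_PORT.get(dport)
        if seen == "unknown":
            findings.append((dport, "unknown protocol"))
        elif expected is None:
            findings.append((dport, f"{seen} on non-standard port"))
        elif seen != expected:
            findings.append((dport, f"expected {expected} but saw {seen}"))
    return findings

# Constructed first-payload bytes for a handful of connections.
SAMPLE = [
    (80, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    (443, b"SSH-2.0-OpenSSH_9.3\r\n"),                         # SSH where TLS is expected
    (8080, b"GET /status HTTP/1.1\r\nHost: intranet\r\n\r\n"),  # HTTP on another port
    (4444, b"\x8f\x13\xaa\x00\x00\x00\x10\x7c" * 4),           # matches nothing known
]

if __name__ == "__main__":
    for port, finding in analyse(SAMPLE):
        print(f"port {port}: {finding}")
```

The check needs only the first bytes of each connection, which is why protocol analysis gets by with headers and a little payload; "unknown protocol" findings are the starting point for investigating traffic that packet analysis alone cannot decode.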
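
The flow definition above (a sequence of packets sharing source/destination addresses and ports) and the flow-analysis section (a summary instead of full capture; mostly sampled, 1 out of N packets) are both illustrated by the following added example, which is not part of the lecture notes. It aggregates constructed packet records into unidirectional flows keyed by the 5-tuple, the way a NetFlow exporter summarises traffic, and then repeats the aggregation with 1-in-N sampling to show what sampling does to the counts. The packet records, addresses and scaling rule (multiply observed counts by N) are assumptions made for the demo.

```python
# Added example, not from the lecture notes: aggregate constructed packet records
# into 5-tuple flows as a NetFlow exporter would, then show how 1-in-N sampling
# turns exact counts into estimates and drops short flows entirely.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: int    # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    length: int   # bytes on the wire

# Constructed sample traffic: one small HTTP exchange and one DNS lookup.
PACKETS = [
    Packet(0.00, "10.0.0.5", "203.0.113.10", 6, 51000, 80, 74),
    Packet(0.01, "203.0.113.10", "10.0.0.5", 6, 80, 51000, 74),
    Packet(0.02, "10.0.0.5", "203.0.113.10", 6, 51000, 80, 66),
    Packet(0.03, "10.0.0.5", "203.0.113.10", 6, 51000, 80, 400),
    Packet(0.10, "203.0.113.10", "10.0.0.5", 6, 80, 51000, 1514),
    Packet(0.11, "203.0.113.10", "10.0.0.5", 6, 80, 51000, 1514),
    Packet(0.12, "10.0.0.5", "203.0.113.10", 6, 51000, 80, 66),
    Packet(0.20, "10.0.0.5", "10.0.0.1", 17, 40001, 53, 80),
    Packet(0.21, "10.0.0.1", "10.0.0.5", 17, 53, 40001, 120),
]

def aggregate_flows(packets, sample_every=1):
    """Return {(src, dst, proto, sport, dport): {"packets", "bytes", "first", "last"}}.
    With sample_every=N only every Nth packet is seen, as in sampled NetFlow/sFlow;
    the counts are then scaled by N, so they are estimates rather than exact counts."""
    flows = {}
    for i, p in enumerate(packets):
        if i % sample_every != 0:
            continue                                   # packet never reached the exporter
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": p.ts, "last": p.ts})
        f["packets"] += sample_every
        f["bytes"] += p.length * sample_every
        f["last"] = p.ts
    return flows

def top_talkers(flows, n=3):
    """Flows sorted by byte count, largest first, as a reporting view would show them."""
    return sorted(flows.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]

if __name__ == "__main__":
    for label, n in (("unsampled", 1), ("1-in-2 sampled", 2)):
        print(label)
        for key, f in top_talkers(aggregate_flows(PACKETS, n)):
            print("  ", key, f["packets"], "pkts", f["bytes"], "bytes")
```

Run as-is, the unsampled pass produces four flow records (two directions each for HTTP and DNS); the 1-in-2 pass produces three, because the single-packet DNS query falls between samples, and the byte counts of the surviving flows are scaled estimates. That is the trade-off the cons list describes: low cost and no payload, with sampled records that are good for reporting but not for per-packet review.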
