you never talk about network traffic itself. It was one thing to say. There's I can stop this traffic. I can block this. I can alert on this. But what about when you actually want to look at the traffic into the analysis on that as a go afterwards?
So what's the purpose? What can you get from network traffic analysis?
Well, on just on the normal kind of support operations and doting operations are keeping the network running. I understand. Never performance, like sometimes identified the greater performance. Okay, we're normally seen this much We're seeing elevated volume. Um, we're seeing that there's issues with this subject of the network of traffic's not getting through here.
Okay, Well, is it your system?
Is it the router? Maybe it's somewhere in between we looking network traffic and see if there's issues there.
Evidence of malicious activity is a very broad statement. Um, but you can find a lot of that a network traffic for an attacker to get into your network
most of the time. Say most
have to be going through the network. So somewhere on that network, the whole point of what they're doing so exploited. Therefore, there's some traffic that's there. And the good thing about this is like not opposite of what's on the hostess on the hosting. What cooking cleaner tracks into a lot of stuff to remove evidence of them being there
once a packet goes through. If it's captured,
the only way to for an attacker toe stop somebody from looking at that
is to find where it is and delete it and remove it and wipe it whatever. So pack it goes through its there.
Here's the downfall. The office decide on the response
If a packet goes through and I don't capture it, I will never see it again.
That could be the, you know, the,
the silver bullet that put says, this was the answer. This is what I needed to know. But if it goes by and you don't get it the first time, no second chance.
So that'll come into play with figuring out What do I want to capture? And how does one capture
you also have seen baseline give you establish those this what we see normally on a network, you know, when you first stand up and get things going to put a new service on our server workstation. Okay, here's the normal traffic. We see no into a baseline. I could detect anomalies off that
again. Troubleshooting communication issues. Part of that. Never performance in general,
and it helps to get a picture. And that is necessarily entire baseline. I would say about activity, but who's talking to who?
You know there's different ways to do that. Not just to analyze traffic itself, but net flow. Endpoint analysis can help you figure that out.
So what'd you expect to find?
Well, if I'm talking to Paul in the back,
Um, and there's communication between us. You can find evidence of that communication even if it's encrypted.
You know, there was communication.
You can see. You know, you may not be able to decipher it, but, you know it existed.
You could find out what protocols is running on the network. Aside from looking at a host, I could set up a sniffer and capture some traffic from the main point of land. Say okay. For some reason, we disallowed Ping wise pink. Was icmp going around?
Okay. You know, maybe something to help you find out. I can tell you what Attackers using.
I can also tell you time stamps, then also abnormal traffic host communication. I see. Normally a host
on Lee is up on the network, you know, from 9 to 5.
And then that host is having traffic in the evening. Or also they're sending out significantly Maur
data or more volume traffic going out. You can only find that too.
So it's about some tools. Um, there are many, many, many, many tools to do. Traffic analysis
paid free command line, gooey. All sorts of different ones, too, will go over. Talk about two of the really common ones. Wire shark is been around for a long time. Used to be ethereal or depending who you are. You may say it differently than that, but I go with that one.
so this conduce disc and capture traffic not in itself, its software. So you need to have a system in place to do it, but this will help you capture it in analyzed number traffic.
There's two parts to filtering, and this is true across anything you're gonna do. Packet capturing with
or analysis. There's capture, filters and display filters.
I know the difference.
Yes, After filter is gonna be What? Where shark is capturing off the line. You display filters is gonna be after the after you don't capture what you're looking at inside the cab, right?
So the capture filter, I say I only want http traffic, and I put it on the network. That's all I'll capture if all malicious traffic is on port 22. I will not get any of it because I'm only capturing Http.
Unless there's a Steve defeat packets going to port 22 I suppose,
um, with a display filter, it takes whatever you capture, it takes what you have, and it breaks it down and filters through what you're just looking at, so you can collect everything. But I finally want to look at http. I could filter that you're gonna set a capture filter which often times is ah, good thing to do,
because we'll talk about how large captures peak. Asking it,
uh, make sure you said it right the first time.
And you know what you're doing? Test it. Test it on something a similar. Never gonna test it beforehand. Because once those packets go, packets are gone.
But ideally, overall
packet filtering or capture or display filters. Reduce the amount of stuff you have to look at. Open up a peek up sometime and see all the other stuff in there. It's a mess. If you can filter that somehow, it'll help you in the long run.
So here's wire shark. It's kind of a short example or a small,
visually small example.
So is where shark has three panes. The 1st 1 the first top part list all the packets, usually in order, unless you click on some other sorting mechanism. On top is the Time Sam Source destination. You can customize all that, but that's the list of packets. The 2nd 1 actually breaks it down by layer of the O. S. I model. For the most part,
it tells you. Okay, I want to look at the I P
and the network layer. You can click on it and will say, Here's all the stuff that's in the I P header and break it down by section.
Our segment of the header on the bottom one actually shows you
the exit decimal value and using
asking as much as possible on the right.
The contents of that packet and it will highlight whatever you're actually looking at.
This one is a really common tool. It's free is really useful for helping filter the up above. Receive time Source. Source. Port of Destination.
That's your display filter. So when you go through that, you can sort everything out.
TCB Dump is a command line utility. Refuse Mac. It's on their Lennox systems. It's usually on there.
Um, I should I'll say wire. Shark also has a command line version T shark. But TCP dump does very similar things.
You can capture traffic off the wire. You said the interface. You wanna listen to me. I wanna listen to this. I want to write it to this file. I want a print to standard out where the console. You configure it a lot of different ways, but it will do the same thing. It will read packets off the wire. It'll reading files you have, and you could filter out what you want to see.
They're ah, TCP dump. You can use that in conjunction. Do a little shell scripting. You're just
decent command line usage. You can actually pass the output, the other tools. So if you have a packet, capture
Ah, peak cap of something and you want to run it against snort. You could take snore and actually read the output from TCP dump right into snore so it doesn't have to capture it alive. You can read files from it. Start also, just read a peek up to,
but it's just another utility available for analyzing. You're looking at network traffic.
very similar to an I. D. S I p s. You're gonna need something that can actually capture all the packets
If you got a 10 gigabit line somewhere and you put 100 megabits Nick on there,
odds are if there's enough traffic, you're gonna start dropping packets. You're gonna be missing things. You might see them spaces in the traffic that you're analyzing or packet sequence numbers missing a lot of things, but you end up can possibly been missing packets.
You need a computer to do it. You need something that will actually be able to process it all the same time.
deceives piece of advice anytime you're doing a printing to the screen, especially during a live capture,
uh, it takes resource is from the computer from the system.
So if you're doing live stuff like you deploy, snort, live or you're actually capturing peek at live
printing the screen, it takes a lot of power away from the computer.
So send it to a file. We'll get something else. If it's a long term thing, you don't want a pea cap print into the screen for 48 hours.
If you have 1 48 R P cap, it is gonna be miserable anywhere.
Uh, so you need the nick that is capable of doing it. If you put the sniffer in line to actually record this, you need to Nick's because it's got to go in and out
and a device to capture from your catcher from a switch router. You can put the device on a span port on the switcher rodder, or you can put it in line.
So the constance behind it. So if you're on a switch or a router,
you get a SPAN port. Okay, this pan port is can be configured to take traffic from any of the other ports or all the other ports and send it up to that one basically copies it and sent it out
really fast for a switch to do this. Um,
but as with an I D S r I p s or anything else, it only collect what passes through there if you put it on a switch.
And there's most of traffic on a switch on another side of the router, her off another port on the router, you're not gonna get it.
So you got to know where you're placing it,
and you're gonna put in this on because an incident is happening. You know, in a large organization, you gotta find a spot to put it. You may have to get authorization to get it configured to actually put it on there.
And then if you picked the wrong host or the wrong switch again traffic past, you're not getting it back.
So in line capture between two nodes
that could be in line between really anything
routed router writer, switch firewall to switch firewalled router host around her host to switch hub hub. However you want to work, it would be fun. You can put it anywhere you can sniff on a host.
You can go on your computer and threw up wire shark and just start running.
You look after anything from your host
going out back and forth.
some other tools A like a wireless card, some of them you can put in promiscuous mode. You consider all wireless traffic going around, obviously encrypted. There's different parts that you can't figure out, but,
um, but you can do it on the host can remember. Ah, host you. You're only getting what the system can see would only the nick can see. So the Knicks not going to see the whole network, is only to see traffic that's meant for it
on wireless. Again. Get a card that put in promiscuous mode. But the thing with wireless is they can actually capture all the traffic because of transmission medium.
With a wired network, the wire comes in
that wire is what deliver is a transmission medium for my system, so I can only connect what that can see.
Wireless environment. It's just flying through the air. If you can lock onto the signal, you can capture the traffic that's on it.
So best practices implementation. Use an NDR network data recorder that can capture it line speeds, especially
if you're gonna put it in line.
If you have a high volume segment, they're gonna put it on, make sure that that can capture at high volume.
Otherwise, you're gonna get dropped packets, missed information, and they don't come back.
And make sure you place it where you actually want to capture it
again. Put it on one switch and you want it on the other. Or there's incident intrusion happening on another. You may not get the information,
you know. Then in the network world on packet side, once they're gone, they're going. So you don't get a lot of second chances. There's a long term event you like, get stuff, but you don't get a lot of easy second chances.
So data storage, Uh,
who's worked with large pickups?
Annoyingly large peak ***. Right.
what's the longest time it's taken into apply display filter for you?
10 minutes. 10 minutes.
Well, that's gentle. How big was it?
it's like seven gig. Oh, Okay.
So, I, uh I was doing an exercise one point,
and we captured traffic at a
I kind of like Jonah, a main point in the environment,
and we end up with a 20 something big peak at
and I started the filter. I started to apply the filter
and it's at and it sat and I sat for Well, about ended up canceling because I couldn't I couldn't wait that long. I had to do something else. But it was well over an hour that it was gonna take. Just apply that filter.
Now, remember, you apply one filter now I gotta send, like Okay, well, I've narrowed it down. Now we need to narrow it down more. So there I go. I got to apply another filter Eventually. I was like, Okay, lesson learned. I need to either junkies in segments,
I should do some sort of capture filter. So I didn't collect all that information because eventually, I just did. A
time based denial of service of my own resource is that I don't have the time to do all of what I needed to do.
storage is at a premium. If you can segment them, you chunk them in some part. That be great.
You have a place to storm. They get big. I mean, your capture and all travelling across the network, you go to AA a large hub somewhere are large volume segment. It's gonna grow quick.
Find a place, archive it. You're gonna want him for a long time. Especially if you're in the middle of an incident. Archive that stuff. Keep it because you can look back on that later, after the incident is done and say OK, we figure out what happened. We made it stop. But maybe we could look back and get some more lessons learned out of this.
Ah, and secure. Um you know, I said, once it goes by, it's there. If it's captured, it's captured the adversary. An attacker can't do anything.
If you leave them sitting on a system and that system becomes compromised, no one attacker could just delete him
again. Now you don't have resources,
so not only set permissions are secure them so they can't be accessed by an attacker or people who are unauthorized moving to overheat only location. You don't want to override him.
You don't want them anything to accidentally happen to him. You want him safe secure so you can look at them at any given time.
So storing them, you know, if your segment and captures or like, you know, it's a one gig to gig per cat.
Um, getting dates and time. Don't call him. Capture one. Capture to capture three. It's gonna be really fun. We're like Well,
uh, this happened at 10 a.m. Okay. Well, I have 55 p kept files labeled one through 55.
Which one do I want? Who knows? So you open number one? Nope. That's from 9 to 9 20 Open number 29 29. 32.
It's a name that have some have some kind of
methodical process behind it. If you have more. Small inns are easier to work with. Like I said, I've worked with a 11 pea cap. Had to be over 20 to 40 gig and it took forever.
Even if I had smaller ones to work with, I could've said Okay, this peacock has information I want, but it's not the beginning of a session I'm not looking for, so I know I can move forward or backwards. You can combine them afterwards if you need to. But
realistically, smaller are easier to work with.
don't work with the original. You always have the kind of an archived original copy somewhere that you can work from, so you get multiple working off the same thing and validate that you are working on the actual peek if you need it.
And the amount we talked about the different about capture filters. If you can do full cap, full packet capture
at line speeds and you have the storage to do it all. I mean, that might be cool. You might never need to look through it, but you might. There's no no, no talent either way from the get go. Um, but
you can only keep stuffers. And realistically, you can keep stuff for so long. If you do full packet capture on a very high volume network.
Eventually, you just you're storing stuff, storing stuff, storing stuff, storing stuff, sources. Are you gonna look through it? Are you not? It might be overkill, just depending on the situation.