The document discusses various tools and methods for network security monitoring, focusing on graphical packet analysis tools like Wireshark, Xplico, and NetworkMiner. It highlights the limitations and features of each tool, as well as their specific use cases for analyzing network traffic and saved packet captures. Additionally, it reviews different NSM consoles like Sguil, Squert, Snorby, and Elsa for querying and visualizing network data.

1. CNIT 50:
Network Security Monitoring
7 Graphical Packet Analysis Tools

2. Topics
• Using Wireshark
• Using Xplico
• Examining Content with NetworkMiner

3. Wireshark

4. Wireshark Limitations
• Slow for processing large data sets
• Best to first locate traffic of interest with another tool
such as session data
• And use Wireshark on that limited data

5. Useful Wireshark Features
• Viewing lower-level Protocol Features in Detail
• Omitting Traffic to See Remnants
• Following Streams
• Setting the Protocol Decode Method with Decode
As
• Following Other Streams

6. Project 2

7. Xplico

8. Using Xplico
• Not intended for live capture, although that is
possible
• Better for analyzing saved PCAPs
• Managed via a Web browser
• By default, SO only allows access from localhost

12. Flash Often Fails

13. Reconstructed from Packets

15. NetworkMiner

16. Windows Only!
• On Linux: takes more than two hours to load the
nitroba.pcap file, which is only 55 MB
• On Windows: < 5 min.

17. Hosts

18. Messages

19. CNIT 50:
Network Security Monitoring
8 NSM Consoles

20. Topics
• An NSM-centric Look at Network Traffic
• Using Sguil
• Using Squert
• Using Snorby (Removed from SO)
• Using ELSA

21. Sguil

23. Events

24. Query

25. Like Splunk

26. Pivot to Full Content Data

27. Squert

28. Squert
• Open-source web interface for NSM data
• Written to provide access to Sguil databases via a
Web browser
• Adds visualizations and supporting information

29. Events

30. Search

31. Snorby

32. Removed from SO
• Newer open-source Web interface for NSM data
• Abandoned by its developers and removed from
SO

33. ELSA

34. ELSA: Enterprise Log
Search and Archive
• Lets you search logs for strings like Splunk
• Fully asynchronous web-based query interface
• Closely tied to Bro

35. Programs

36. Visited IPs

37. Search

38. Splunk Enterprise Security

39. Splunk Cost