Why Packet Analysis?
3 Phases - Analysis, Conversion & Collection
How do we do it?
Statistics - Protocol Hierarchy
Statistics - End Points & Conversations
5. WHY PACKET ANALYSIS?
• A million things can go wrong with a computer network - from a simple spyware infection to a complex router configuration error.
• The packet level is the most basic level, where nothing is hidden.
• Understand the network: who is on the network, whom your computer is talking to, what the network usage is, and any suspicious communication (DoS, botnet, intrusion attempt, etc.).
• Find unsecured and bloated applications – FTP sends authentication data in clear text.
• One phase of computer forensics - it could reveal data otherwise hidden somewhere on a 150 GB HDD.
14. NOW WHAT?
Think of it as solving a mystery:
• Where do we start?
• What questions do we ask?
• What tools do we need?
• Once you have the traces - what then?
15. HOW DO WE DO IT?
Capture
• Where, how, what, how long
Transfer
• Hash, split, distribute
Analyze
• IP, protocol, time, delay, duration, pattern, graphs, charts, blah…
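As an added example (not from the slides), the Python script below works through the transfer and analyze phases of slide 15 on a constructed sample capture: it hashes the capture so the copy that reaches the analyst can be verified, splits it into smaller pcap files that each carry their own hash, and then builds the protocol hierarchy, endpoint and conversation tables that the "Statistics" slides name. The frame builder, IP addresses, ports and timestamps are all constructed for this example, and the hand-written parser only handles the classic little-endian, microsecond pcap format with an Ethernet link type.

```python
"""Hash, split and summarise a pcap without scrolling through it by hand.
Constructed sample capture; the pcap and Ethernet/IPv4 parsing is hand-rolled (no scapy)."""
import hashlib
import socket
import struct
from collections import Counter, defaultdict

# pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, link type 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
ETH_HDR = struct.Struct("!6s6sH")                 # dst MAC, src MAC, ethertype
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")         # fixed 20-byte IPv4 header
PROTO_NAMES = {6: "tcp", 17: "udp"}


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4 frame with a minimal TCP or UDP header (checksums left zero)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 1024, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = IPV4_HDR.pack(0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + l4
    return ETH_HDR.pack(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x0800) + ip


def build_pcap(frames_with_time):
    """Wrap (timestamp, frame) pairs in pcap record headers behind a global header."""
    out = bytearray(PCAP_GLOBAL)
    for ts, frame in frames_with_time:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def iter_records(pcap):
    """Yield (timestamp, frame, raw_record) for every packet record in the capture."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        if len(frame) < incl:
            raise ValueError("truncated record")      # a damaged copy fails loudly, not silently
        yield sec + usec / 1e6, frame, pcap[off:off + 16 + incl]
        off += 16 + incl


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def split_pcap(pcap, per_file):
    """Split into parts of at most per_file packets; each part is a valid pcap paired with its hash."""
    parts, current, count = [], bytearray(PCAP_GLOBAL), 0
    for _, _, record in iter_records(pcap):
        current += record
        count += 1
        if count == per_file:
            parts.append(bytes(current))
            current, count = bytearray(PCAP_GLOBAL), 0
    if count:
        parts.append(bytes(current))
    return [(p, sha256_hex(p)) for p in parts]


def dissect(frame):
    """Return (protocol path, src IP, dst IP); src/dst are None for non-IPv4 frames."""
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != 0x0800:
        return f"eth/0x{ethertype:04x}", None, None
    fields = IPV4_HDR.unpack_from(frame, 14)
    proto = PROTO_NAMES.get(fields[6], str(fields[6]))
    return f"eth/ipv4/{proto}", socket.inet_ntoa(fields[8]), socket.inet_ntoa(fields[9])


def summarise(pcap):
    """Protocol hierarchy, endpoints and conversations: the Wireshark Statistics menus in miniature."""
    hierarchy, endpoints = Counter(), Counter()
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, frame, _ in iter_records(pcap):
        path, src, dst = dissect(frame)
        hierarchy[path] += 1
        if src is None:
            continue
        endpoints[src] += 1
        endpoints[dst] += 1
        c = convs[tuple(sorted((src, dst)))]   # direction-agnostic conversation key
        c["packets"] += 1
        c["bytes"] += len(frame)
        c["first"] = ts if c["first"] is None else min(c["first"], ts)
        c["last"] = ts if c["last"] is None else max(c["last"], ts)
    for c in convs.values():
        c["duration"] = round(c["last"] - c["first"], 6)
    return hierarchy, endpoints, dict(convs)


# constructed sample: one host talks to an internal web server and a DNS resolver, plus one stray UDP flow
SAMPLE = build_pcap([
    (1000.0, build_frame("10.0.0.5", "10.0.0.80", 6, 50000, 80, b"GET / HTTP/1.0\r\n\r\n")),
    (1000.25, build_frame("10.0.0.80", "10.0.0.5", 6, 80, 50000, b"HTTP/1.0 200 OK\r\n\r\n")),
    (1001.0, build_frame("10.0.0.5", "10.0.0.53", 17, 40000, 53, b"\x00" * 12)),
    (1001.5, build_frame("10.0.0.53", "10.0.0.5", 17, 53, 40000, b"\x00" * 12)),
    (1004.0, build_frame("10.0.0.5", "203.0.113.9", 17, 6000, 6000, b"\x00" * 20)),
])

if __name__ == "__main__":
    print("capture sha256:", sha256_hex(SAMPLE))
    for i, (part, digest) in enumerate(split_pcap(SAMPLE, 2)):
        print(f"part{i}.pcap {len(part)} bytes {digest}")
    for table in summarise(SAMPLE):
        print(table)
```

Recording the hash before transfer and re-checking it (and each split part) on arrival is what makes the later analysis defensible; the summary tables then answer "who is on the network and whom is it talking to" directly, rather than by scrolling through packets.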
19. MORE QUESTIONS, BETTER ANALYSIS
• Are the servers in the same location or in different ones?
• Same subnet or different subnets?
• Any suspicion - an IP address, an application?
• When did it start?
• How and when was it identified?
• Why are you there – lack of resources, time, expertise?
20. WHAT NOT TO DO
• Do not scroll up and down trying to read packets manually one by one.
• Do not capture any and every traffic just for the sake of capturing.
• Do not ASSUME. You can have thoughts and suspicions.
31. REFERENCE
• Wireshark University by Laura Chappell and Gerald Combs
• Sharkfest talks - Betty DuBois on Network Mysteries
• Securitytube.net by Vivek Ramachandran
• Picture courtesy Google. Not my property.