Why Packet Analysis? 3 Phases - Analysis, Conversion & Collection How do we do it ? Statistics - Protocol Hierarchy Statistics - End Points & Conversations

3. TOO BIG TO COVER
• Difficult to cover every aspect of
Network Forensic
• So many aspects, features and
possibilities
• Highly addictive 

4. TOO LONG TO COVER

5. • A million things can go wrong with a computer
network - from a simple spyware infection to a
complex router configuration error.
• Packet level is the most basic level where
nothing is hidden.
• Understand the network, who is on a network,
whom your computer is talking to, What is the
network usage, any suspicious
communication (DOS , botnet, Intrusion
attempt etc.)
• Find unsecured and bloated applications –
FTP sends clear text authentication data
• One phase of computer forensic - could reveal
data otherwise hidden somewhere in a 150
GB HDD.
WHY PACKET ANALYSIS?

6. IN DEPTH ANALYSIS

7. 3 PHASES

8. TOOLS
•Wireshark!
•Tcpdump
•Networkminer etc.
Sniffer
•Xplico etc.
Analyzer

9. PRE-REQUISITE
• Patience…

11. PRE-REQUISITE
• An inquisitive mind and
sometimes weirder is
better

12. THERE ALWAYS BE A PROBLEM TO SOLVE

13. • Being a bit
organized helps in
long run

14. NOW WHAT?
Think it like you are solving a mystery
• Where do we start?
• What questions to ask?
• What tools do we need?
• Once you have the traces - what then?

15. Capture
•Where, How, What, How long
Transfer
•Hash, split, distribute
Analyze
•IP, Protocol, Time, Delay, Duration,
pattern, graphs, charts, blah…
HOW DO WE DO IT?

16. CAPTURE
• Capture Methods
• Wired
• Mirror/Monitor/SPAN
• Taps
• Hubs
• ARP poisoning???
• Promiscuous mode
• WinPCAP/LibPCAP
• Wireless
• Rfmon/monitor mode
• AirPCap

17. WHICH INTERFACE TO CAPTURE

18. ALWAYS START WITH THE NETWORK DETAILS

19. MORE QUESTIONS BETTER ANALYSIS
• Are the servers in the same locations or different
• Same subnet, different subnet
• Any suspicion - IP Address, Application
• When did it start
• How and when did it get identified
• Why you were there – lack of resource, time, expertise

20. WHAT NOT TO DO
• Do not scroll up and down and try manually reading packets
one by one.
• Do not capture any and every traffic just for the sake of
capturing.
• Do not ASSUME. You can have thoughts, suspicions.

21. THEN WHAT DO WE DO?

22. STILL NEED REASONS!
• Capture Filters
• Display Filters
• Auto-complete
• Red – error, Green – good
• Recent usage history

23. FILTERS
• Create Filter from
Packet/field
• Multiple filter conditioning
using “and”, “or”, “not”
etc.
• Protocol Filtering

24. FOLLOW THE STREAMS
• TCP
• UDP
• APP layer
• FTP
• HTTP
• TELNET

26. RECONSTRUCT THE CRIME SCENE
• Understand the flow
• Reconstruct the files
• Identify the attacker
and victim

27. STATISTICS – PROTOCOL HIERARCHY

28. STATISTICS – END POINTS

29. STATISTICS – CONVERSATIONS

30. STATISTICS – COLORING RULES

31. REFERENCE
• Wireshark University by Laura Chappell and Gerald Combs
• Sharkfest talks - Betty DuBois on Network Mysteries
• Securitytube.net by Vivek Ramchandran
• Picture courtesy Google. Not my property.

32. 32
THANK YOU