Baseline
·
A statistical profile of a certain performance metric, for example network device or application utilization, response time, or traffic volume.
Baselining Methods and Techniques
·
1. Top to Bottom Network Monitoring
2. Application Monitoring
3. Detailed Packet Analysis
4. Continuous Traffic Capture
5. Threshold Alarms
6. Packet Analysis Methodology
Top to Bottom Network Monitoring
·
High-level, holistic (summary) perspective used to quickly pinpoint trouble spots. Provides very general information that lacks depth.
Application Monitoring
·
Identifies the applications that are consuming network resources.
Application Monitoring Types
·
1. Well Known
2. Web Based
3. Complex
4. Custom
5. Unknown
Well Known
·
Recognition of well-known applications, such as web browsing (HTTP), email traffic (SMTP, POP), or multimedia traffic (RTP, SIP). Covers the well-known port range (0-1023). Port number is only a hint: an application can be run on any port, so a port-only classification is easily evaded.
Web Based
·
Many critical client-server applications, such as file transfer and mail, are migrating towards a web-based model that uses HTTP or HTTPS as the transport mechanism. Anything carried over the web.
Complex
·
A single application that uses a range of TCP ports for communication, or that encapsulates higher-level applications. One application doing multiple things.
Custom
·
Proprietary applications that are used in the network.
Unknown
·
Anything that is not identified as one of the other four application types.
Detailed Packet Analysis
·
Allows the security specialist to identify the specific code (payload) used in an attack and to develop a security response that prevents future occurrences.
Continuous Traffic Capture
·
A means of continuously capturing and storing a complete packet-by-packet network traffic audit trail for several days. Goes hand in hand with Detailed Packet Analysis.
Threshold Alarms
·
Can be used as an indicator of possible network abuse; the thresholds are set from the network baseline previously developed, so a poor baseline produces either noise or blind spots.
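The Baseline and Threshold Alarms cards together describe one loop: profile a metric statistically, then alarm when live readings leave that profile. The following is an added example (not code from the original study set) showing that loop end to end; the utilization figures, the three-sigma limit, and the two-consecutive-readings rule are all assumptions of the example.

```python
"""Baseline a performance metric and fire threshold alarms against it.
Added example (not from the original study set); all figures are constructed."""
from statistics import mean, pstdev

# Constructed sample: link utilization in percent, one reading per interval,
# taken during a known-quiet period. Hypothetical values, not measured data.
BASELINE_SAMPLES = [12.0, 14.5, 13.2, 15.1, 12.8, 14.0, 13.6, 15.4, 12.9, 14.2,
                    13.8, 14.9, 13.1, 14.7, 12.6, 15.0, 13.9, 14.4, 13.3, 14.1]


def build_baseline(samples):
    """Statistical profile of a metric: (mean, population std deviation)."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to baseline a metric")
    return mean(samples), pstdev(samples)


def alarm_threshold(baseline, sigmas=3.0):
    """Upper alarm limit derived from the baseline: mean + sigmas * stddev."""
    mu, sigma = baseline
    return mu + sigmas * sigma


def check_readings(readings, baseline, sigmas=3.0, consecutive=2):
    """Return [(index, value), ...] for readings that raise an alarm.

    A reading alarms only once `consecutive` readings in a row exceed the
    threshold; this damps one-sample spikes (a choice made in this example,
    not something the study set specifies)."""
    limit = alarm_threshold(baseline, sigmas)
    alarms, streak = [], 0
    for i, value in enumerate(readings):
        if value > limit:
            streak += 1
            if streak >= consecutive:
                alarms.append((i, value))
        else:
            streak = 0
    return alarms


if __name__ == "__main__":
    base = build_baseline(BASELINE_SAMPLES)
    print("baseline mean=%.2f stddev=%.2f limit=%.2f" % (*base, alarm_threshold(base)))
    # Constructed live readings: the sustained rise at indices 2-4 should alarm,
    # the lone spike at index 6 should not.
    live = [14.0, 13.5, 17.5, 18.2, 25.0, 13.0, 30.0, 12.5]
    for idx, val in check_readings(live, base):
        print(f"ALARM reading {idx}: {val:.1f}% exceeds baseline limit")
```

The baseline window should cover a period known to be clean (an already-compromised network baselines the attacker's traffic as normal), and the sigma multiplier and streak length are tuning knobs to revisit in the Refine step once the alarm rate is known.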
Packet Analysis Methodology
·
1. Plan
2. Deploy
3. Capture
4. Analyze
5. Refine
Plan
·
What are you trying to identify, show, or prove by using packet analysis?
Deploy
·
Where do you need to place the capture software/hardware (a SPAN port, tap, or host-based sniffer) for optimum capture?
Capture
·
Process the raw data into a usable format and decide on the best way to filter and display the data for analysis.
Analyze
·
Determine whether the captured traffic identifies, shows, or proves your original thesis.
Refine
·
Adjust capture parameters and deployment locations as needed to provide more fidelity.
Two Protocol Categories
·
1. Binary
2. Textual
Binary
·
Transmit commands and data as binary information (for example IP and DHCP).
Textual
·
Transmit commands and data in an easily read textual format (HTTP, SMTP, POP, IMAP). HTTPS carries the same textual HTTP, but inside TLS, so on the wire it is ciphertext and only reads as text after decryption.
Ethernet Header
·
The first 14 bytes of an Ethernet frame; contains the data necessary for host-to-host communication using hardware (MAC) addresses.
Target (Destination) MAC Address
·
6 bytes. The destination MAC address; the first 6 bytes of the header.
Source MAC Address
·
6 bytes. The source MAC address; the second 6 bytes of the header.
Next Protocol Type (EtherType)
·
2 bytes. Identifies the protocol of the header that immediately follows the Ethernet header.
08 00
·
IPv4
08 06
·
ARP
86 DD
·
IPv6
5DC Hex
·
1500 Decimal. The maximum Ethernet payload size (MTU). A type/length field value of 1500 (0x05DC) or less is an IEEE 802.3 length field rather than an EtherType; values of 0x0600 (1536) and above are EtherTypes.
1500 Decimal
·
5DC Hex
Wireshark Filter Format
·
header.field (operator) value, for example eth.type == 0x0806 to show only ARP frames.
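The Ethernet Header cards and the Wireshark Filter Format card fit together: parse the 14-byte header into named fields, then match a header.field (operator) value expression against those fields. The block below is an added example, not code from the study set or from Wireshark; it implements a parser for the header layout the cards describe (including the length-versus-type rule at 0x05DC) and a minimal filter evaluator that understands only the three eth.* fields it extracts. The frames are constructed stand-ins, not captures.

```python
"""Parse the 14-byte Ethernet header and evaluate a minimal Wireshark-style
display filter of the form 'header.field operator value' against frames.
Added example (not from the original study set); frames are constructed."""
import operator
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
MAX_8023_LENGTH = 0x05DC  # 1500: a type/length value <= this is an 802.3 length
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}


def parse_ethernet(frame):
    """Return the eth.* fields carried in the first 14 bytes of a frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    fields = {"eth.dst": dst.hex(":"), "eth.src": src.hex(":"),
              "eth.len": len(frame), "eth.type": None}
    if type_or_len <= MAX_8023_LENGTH:
        # IEEE 802.3 framing: the field is a payload length; LLC follows.
        fields["eth.length_field"] = type_or_len
        fields["eth.next"] = "802.3/LLC"
    else:
        fields["eth.type"] = type_or_len
        fields["eth.next"] = ETHERTYPES.get(type_or_len, "unknown")
    return fields


def parse_filter(expr):
    """Split 'header.field operator value' into (field, comparison, value).

    Numeric values may be decimal or 0x-prefixed hex; anything else (for
    example a MAC address) is compared as a lower-cased string."""
    parts = expr.split()
    if len(parts) != 3 or parts[1] not in OPS:
        raise ValueError(f"expected 'header.field operator value', got {expr!r}")
    field, op, raw = parts
    try:
        value = int(raw, 0)
    except ValueError:
        value = raw.lower()
    return field, OPS[op], value


def apply_filter(expr, frames):
    """Return the indices of frames whose header satisfies the filter.

    A frame that lacks the field (eth.type on an 802.3 frame) never matches:
    a comparison against an absent field is false, as in a display filter."""
    field, compare, value = parse_filter(expr)
    matches = []
    for i, frame in enumerate(frames):
        actual = parse_ethernet(frame).get(field)
        if actual is None:
            continue
        try:
            if compare(actual, value):
                matches.append(i)
        except TypeError:  # e.g. ordering a string field against a number
            continue
    return matches


def build_frame(dst, src, type_or_len, payload):
    """Assemble a frame: destination MAC, source MAC, type/length, payload."""
    macs = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return macs + struct.pack("!H", type_or_len) + payload


# Constructed frames (payloads are minimal stand-ins, not real captures).
FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00\x01\x08\x00" + bytes(24)),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, b"\x45" + bytes(19)),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x86DD, b"\x60" + bytes(39)),
    # 802.3 frame: the type/length field holds a length (38); LLC 42 42 03 follows
    build_frame("01:80:c2:00:00:00", "66:77:88:99:aa:bb", 38, b"\x42\x42\x03" + bytes(35)),
]

if __name__ == "__main__":
    for i, frame in enumerate(FRAMES):
        f = parse_ethernet(frame)
        print(i, f["eth.src"], "->", f["eth.dst"], f["eth.next"])
    for expr in ("eth.type == 0x0800", "eth.dst == ff:ff:ff:ff:ff:ff", "eth.type != 0x0800"):
        print(expr, "matches frames", apply_filter(expr, FRAMES))
```

Note that eth.type != 0x0800 does not select the 802.3 frame, because that frame has no EtherType at all; the same distinction matters in real captures, where a filter on a field that is absent silently drops frames rather than matching them.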