Network monitoring

Post on 15-Jul-2015

Transcript of Network monitoring

Methodology

Passive approach:
Does not increase the traffic on the network
Measures traffic in real time
Lowest implementation costs
Non-proprietary, independent from hardware vendor
No escape (all traffic on the monitored segment is seen)
Non-obtrusive

Passive Monitoring Key Points

Highly secure compared to SNMP and RMON

Provides the highest level of detail in monitoring
In practice, all network problems can be discovered and solved using passive packet sniffer technology.
Stealth nature: cannot be detected by other tools.

To whom is it useful?

Useful to:
Network Administrators
Application Developers
Network Auditors
Students
Everyday “Joe” who would like to know what is happening in his network

Display in real time:
General traffic information
Total network traffic and bandwidth utilization
Graph for utilization and distribution

Detailed breakdown of packets, raw and decoded with optional filtering

Decode major protocols and sub-protocols

Highly secure compared to SNMP and RMON

Unique Features…

Abnormal or Suspicious Activities Monitoring
Intrusion Monitoring
Bandwidth Monitoring
Critical Node Monitoring
Application Monitoring
Data Forensics (Packet Analysis)
Real time / offline Analysis
Network Anomaly Detection
Top Usage

Common Usage

Task: feature used

Bandwidth monitoring: Network Usage Statistic (General)
Critical node monitoring: Network Usage Statistic (Single)
Critical node monitoring: Network Trace (Single)
Critical node monitoring: Intelligent Address Book
Protocol Monitoring: Network Charts (Protocol Distribution -> Network Layer and IP-based)
Application Monitoring: Network Charts (Protocol Distribution -> Application Layer Distribution)
Packet Analysis: Network Analyzer (Capture and Decode)
Packet Analysis: Filtering
Reporting: Toolkit Interface
Daily, Weekly, Monthly Reporting: Control Window

Sample Report

Network analysis fundamentals: Ethernet

A network card is an Ethernet adapter

Each Ethernet adapter is globally assigned a unique hardware address.

It’s a 48-bit binary number generally written as 12 hexadecimal digits

Ex: (00:e0:30:3f:21:b6)

MAC addresses are used for data communication on a network. There are three kinds of destination address:
Unicast
Multicast
Broadcast: the destination address of all 1s (ff:ff:ff:ff:ff:ff in hexadecimal)

Ethernet II Frame

Network analysis fundamentals: Hubs

A hub is a device that runs at the physical layer of the OSI model and allows Ethernet networks to be easily expanded.

When devices are connected to a hub, they hear everything that the other devices attached to the hub are sending, whether the data is destined for them or not.

Network analysis fundamentals

Bridges and switches are both intelligent devices that divide a network into collision domains to improve performance.

A collision domain is defined as a single CSMA/CD network in which there will be a collision if two stations attached to the system transmit at the same time.

Switches and Bridging

Deployment

A Technician’s Tool Kit for Troubleshooting:
A laptop with j-Portable
Some straight-through and cross-over cables
A mini-hub

For Constant Monitoring:
A dedicated monitoring machine installed with j-enterprise
A dedicated hub / mirrored switch for monitoring

The point to plug in the monitoring machine depends on what we want to monitor.

LAN Monitoring

“Over the wire” monitoring

Monitoring network applications with j-Portable

Correct placement to capture specific communication

Further steps to be taken will be based on these questions:

What do we want to monitor?
Where do we want to monitor?
What do we want to look for?

Things to monitor

To monitor network applications/software

To monitor performance of the network

To analyze network data & issues

To detect security breaches

Scenario: You are developing a client-server application and need to troubleshoot it. Did the packets actually get transmitted by the client to the server?

Scenario: You have installed a web-based application server. Is the traffic to/from it as it should be?

Use Capture and Decode to see the actual traffic; use Netrace to see the actual connections.

Common Cases

2. How can we monitor network performance?

Scenario: You have a network gateway and would like to monitor the percentage utilization of your Internet access traffic.

Use Network Statistics to view the actual usage statistics; use Graph to view the distribution by protocol.

For history, use the Reporting Tool.

For bandwidth utilization, use Node Monitor.

Common Cases…

3. How to perform analysis of network data?

Scenario: A worm is present in your network.

Scenario: ARP poisoning is actively taking place on the local network.

Use Capture and Decode to look for abnormal traffic. The culprit can be pinpointed from the Address Book data.

Common Cases…

4. When can I use tools to analyze network issues?

Scenario: A user complains “the network is slow”

Use Statistical View to see whether the network is congested, then use Capture and Decode to view the traffic and pinpoint the source of the problem.

Common Cases…

5. How can I gain better network security?

Scenario: An outsider is trying to scan machines on my network.

Netrace will tell me the sources and destinations of those scans.

Common Cases…

6. How can I optimize my network with j-Portable?

Scenario: Your newly installed network printer is running AppleTalk and IPX, but nothing else on the network uses those protocols.

Scenario: One of your routers is running unneeded IGMP or BGP protocols.

j-Portable: Use Capture & Decode to view the network traffic, filter for a single address, and look for unneeded traffic. Then make the needed adjustments on those devices.

Common Cases…

1. ARP storm detection

Problem Detection …..

Monitor each host for a certain period. Each host should send only a reasonable number of ARP packets to resolve the IP addresses it needs. A host is generating an ARP storm if it continuously sends ARP requests for certain IPs, or even for a whole range of IPs (normally as broadcasts).
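As an added example (not part of the slides and not j-Portable's code), the following Python parses constructed Ethernet II / ARP frames, classifies destination MACs as unicast, multicast or broadcast as described under Ethernet above, and applies the per-host ARP request threshold described here; the thresholds, the second MAC and all IPs are constructed.

```python
import struct
from collections import defaultdict

# Constructed example, not a real capture. Ethernet II header: dst MAC (6) | src MAC (6) |
# EtherType (2). For 0x0806 an ARP message follows: htype(2) ptype(2) hlen(1) plen(1)
# oper(2) sender MAC(6) sender IP(4) target MAC(6) target IP(4).
BROADCAST = bytes.fromhex("ffffffffffff")  # the all-1s destination address
ETHERTYPE_ARP, ARP_REQUEST = 0x0806, 1

def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def mac_kind(dst: bytes) -> str:
    """All 1s is broadcast; otherwise the I/G bit of the first octet separates multicast from unicast."""
    if dst == BROADCAST:
        return "broadcast"
    return "multicast" if dst[0] & 0x01 else "unicast"

def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet II header and, for ARP, the opcode and target IP."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_to_str(dst), "src": mac_to_str(src), "kind": mac_kind(dst), "ethertype": ethertype}
    if ethertype == ETHERTYPE_ARP:
        info["opcode"] = struct.unpack("!H", frame[20:22])[0]
        info["target_ip"] = ".".join(str(b) for b in frame[38:42])
    return info

def build_arp_request(src_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Construct a broadcast ARP request (hypothetical traffic for the demo)."""
    eth = struct.pack("!6s6sH", BROADCAST, src_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REQUEST, src_mac, sender_ip, bytes(6), target_ip)
    return eth + arp

def detect_arp_storm(frames, max_requests=20, max_targets=10):
    """Hosts whose ARP request count or distinct-target count in one window exceeds the (constructed) thresholds."""
    requests, targets = defaultdict(int), defaultdict(set)
    for frame in frames:
        p = parse_frame(frame)
        if p["ethertype"] == ETHERTYPE_ARP and p["opcode"] == ARP_REQUEST:
            requests[p["src"]] += 1
            targets[p["src"]].add(p["target_ip"])
    return sorted(h for h in requests if requests[h] > max_requests or len(targets[h]) > max_targets)

def sample_window():
    """Constructed window: a quiet host resolving its gateway 3 times, a noisy host sweeping 10.0.0.1-50."""
    quiet = bytes.fromhex("00e0303f21b6")  # MAC address shown on the slides
    noisy = bytes.fromhex("0200deadbeef")  # constructed locally administered MAC
    frames = [build_arp_request(quiet, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) for _ in range(3)]
    frames += [build_arp_request(noisy, bytes([10, 0, 0, 9]), bytes([10, 0, 0, i])) for i in range(1, 51)]
    return frames
```

In a real deployment the thresholds are tuned per segment, since a DHCP burst or a subnet-wide management poll legitimately produces many requests.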

3. Worm detection

Problem Detection …..

The AV maintains a DB of all known worm signatures. The moment the AV starts the capture process, it sniffs each packet and applies all filters to these packets. The decoder decodes each of the captured and filtered packets. The dissector extracts the payload depending on the traffic type. The payload is then matched against the DB of signatures. If the match returns 1, a worm has been detected.
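As an added example (not the j-Portable or antivirus code the slide describes), the following Python walks the pipeline just listed over constructed packets: filter on transport protocol, decode the Ethernet and IPv4 headers, dissect the payload according to traffic type, and match it against a placeholder signature DB; the signatures, addresses and packets are all constructed.

```python
import struct
# Constructed demo signature DB (placeholder patterns, not real worm signatures).
SIGNATURES = {"demo-worm-A": b"WORMDEMO-A", "demo-worm-B": b"\xde\xad\xbe\xefPAYLOAD"}
ETHERTYPE_IPV4, PROTO_TCP, PROTO_UDP = 0x0800, 6, 17

def decode(frame: bytes):
    """Decode Ethernet II + IPv4 far enough to know the transport protocol and where it starts."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                      # not IPv4: nothing for the dissector to do
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length from the IHL nibble
    return {"proto": frame[23], "l4_offset": 14 + ihl, "src_ip": ".".join(map(str, frame[26:30]))}

def dissect_payload(frame: bytes, hdr: dict) -> bytes:
    """Payload by traffic type: TCP uses its data-offset field, UDP has a fixed 8-byte header."""
    off = hdr["l4_offset"]
    if hdr["proto"] == PROTO_TCP:
        return frame[off + (frame[off + 12] >> 4) * 4:]
    if hdr["proto"] == PROTO_UDP:
        return frame[off + 8:]
    return b""

def match_signatures(payload: bytes) -> list:
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]

def scan(frames, protocol_filter=(PROTO_TCP, PROTO_UDP)):
    """Capture -> filter -> decode -> dissect -> match; returns (source IP, signature) hits."""
    hits = []
    for frame in frames:
        hdr = decode(frame)
        if hdr is None or hdr["proto"] not in protocol_filter:   # the capture filter stage
            continue
        hits += [(hdr["src_ip"], name) for name in match_signatures(dissect_payload(frame, hdr))]
    return hits

def build_packet(proto: int, src_ip: str, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP packet (checksums left zero; demo only)."""
    eth = bytes.fromhex("ffffffffffff" "020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:   # 20-byte TCP header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:                    # 8-byte UDP header carrying the payload length
        l4 = struct.pack("!HHHH", 1025, 53, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes([10, 0, 0, 1]))
    return eth + ip + l4 + payload

def sample_capture():
    """Constructed capture: a clean HTTP request, an infected TCP flow and an infected UDP datagram."""
    return [build_packet(PROTO_TCP, "10.0.0.5", b"GET / HTTP/1.0\r\n\r\n"),
            build_packet(PROTO_TCP, "10.0.0.7", b"x" * 16 + b"WORMDEMO-A" + b"\x00" * 8),
            build_packet(PROTO_UDP, "10.0.0.8", b"\xde\xad\xbe\xefPAYLOAD")]
```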