Network Trace Analysis - patterndiagnostics.com · Network Trace Analysis . Dmitry Vostokov ....

Network Trace Analysis

Dmitry Vostokov Software Diagnostics Services

Version 1.0

Facebook LinkedIn Twitter

Wireshark Hark Listen (to) “Hark! There’s the big bombardment.” Speak in one’s ear; whisper

Shorter Oxford English Dictionary

Hark back (idiom) To return to a previous point, as in a narrative

http://www.thefreedictionary.com/hark

Prerequisites Interest in software diagnostics,

troubleshooting, debugging and network trace analysis

Experience in network trace analysis using Wireshark or Network Monitor

Why? A common diagnostics language

Network diagnostics as software diagnostics

Software Diagnostics A discipline studying abnormal software structure and behavior in software execution artifacts (such as memory dumps, software and network traces and logs) using pattern-driven, systemic and pattern-based analysis methodologies.

Diagnostics Pattern

A common recurrent identifiable problem together with a set of recommendations and possible solutions to apply in a specific context.

Pattern Orientation

Pattern-driven Finding patterns in software artefacts Using checklists and pattern catalogs

Pattern-based Pattern catalog evolution Catalog packaging and delivery

Catalog Classification By abstraction

Meta-patterns

By artifact type

Software Log* Memory Dump Network Trace*

By story type

Problem Description Software Disruption UI Problem

By intention

Malware

Traces and Logs

Trace and Log Patterns

Software Narrative

A temporal sequence of events related to software execution.

Software Trace

A sequence of formatted messages Arranged by time A narrative story

Network Trace

A sequence of formatted packets as trace messages

Arranged by time A narrative story

Network Trace Analysis

Software Trace Analysis Patterns

Network Trace Analysis Patterns

Capture Tool Placing Sniffer placing Process Monitor placing

Trace Maps Network map

Deployment architecture map

Name Resolution MAC -> IP and IP -> DNS

PID -> process name

Trace Presentation

Full Trace (Story, Fable, Fabula)

Trace 1 (Plot, Sujet)

Trace Presentation

A (Discourse)

Trace Presentation

B (Discourse)

Trace Presentation

C (Discourse)

Minimal Trace Graphs

Time# Src Dst Time Message

Pattern-Driven Analysis

Logs Checklists Patterns Action

Pattern-Based Analysis

Software Trace

New Pattern

Discovery

Pattern Catalog

Pattern Classification

Vocabulary Error Trace as a Whole Large Scale Activity Message Block Trace Set

Reference and Course

Catalog from Software Diagnostics Library

Software Trace Analysis Patterns

Free reference graphical slides

Accelerated-Windows-Software-Trace-Analysis-Public.pdf

Training course*

Accelerated Windows Software Trace Analysis

* Available as a full color paperback book, PDF book, on SkillsSoft Books 24x7. Recording is available for all book formats

Selected Patterns

Master Trace

Normal network capture

Pattern Category Trace Set

Message Current

Packets/s

10.100

10.200

10.100

12.100

J1 > J2

Pattern Category Trace as a Whole

Message Density

D1 > D2

Characteristic Block

D1 < D2 L1 > L2

Pattern Category Large Scale

Example

Thread of Activity

Pattern Category Activity Time

# Src Dst Time Message

Adjoint Thread

Filtered by: Source Destination Protocol Message Expression

No Activity

We messages from other servers but only see our own traffic

Pattern Category Activity

Discontinuity

Dialog

Conversation between 2 endpoints

Significant Event

Time Reference feature in Wireshark

Pattern Category Message

Marked Messages

Marked Packets feature in Wireshark

Annotated messages: session initialization [+] session tear-off [-] port A activity [+] port B activity [-] protocol C used [-] address D used [-] [+] activity is present in a trace [-] activity is undetected or not present

Pattern Category Message

Partition

Connection initiation (Prologue) and termination (Epilogue)

Epilogue

Prologue

Inter-Correlation

Several packet sniffers at once

Internal and external views

Process Monitor log + network trace

Pattern Category Trace Set

Circular Trace

ProblemRepro

Split Trace

Pattern Category Trace Set Time

# Src Dst Time Message # PID TID Time Message # PID TID Time Message

Paratext Info column in Wireshark

Frames

OSI, TCP/IP Layers

Pattern Category Large Scale

Visibility Limit Visibility window for sniffing

sniffer

Incomplete History Packet loss

Missing ACK

Possible New Patterns

Full Trace (promiscuous mode)

Embedded Message (PDU chain, protocol data unit, packet)

Ordered Message (TCP/IP sequence numbers)

Illegal Message (sniffed with illegally obtained privileges)

Dual Trace (in / out, duplex)

Network Trace Analysis - patterndiagnostics.com · Network Trace Analysis . Dmitry Vostokov ....

Documents

Transcript of Network Trace Analysis - patterndiagnostics.com · Network Trace Analysis . Dmitry Vostokov ....

TRACE™ 700 Family Installation Guidesoftware.trane.com/CDS/TRACEFamilyInstall.pdf · TRACE™ 700 Family Installation Guide TRACE 700 Standalone TRACE 700 Network System Analyzer™

Pattern-Driven Software DiagnosticsPattern-Driven Software Diagnostics . Dmitry Vostokov . Memory Dump Analysis Services . Version 1.0

Trace Decay Trace decay The theory suggests that learning causes a physical change in the neural network…

Mac OS X - Software Diagnostics · PDF fileMac OS X . Core Dump Analysis . Dmitry Vostokov . Software Diagnostics Services . Version 2.0

Pattern-Driven Software Problem Solving · Pattern-Driven Software Problem Solving Presenter: Dmitry Vostokov Memory Dump Analysis Services. Prerequisites Experience in software troubleshooting

TRACe LoRa-MQTTTAKING THE LoRa™ NETWORK FOR A RIDE Designed for vehicles (Train, Metro, Tram, and Buses), the TRACe LoRa-MQTT embeds a LPWAN (Low Power Wide Area Network) LoRa™

A Solar-powered, TDMA Distributed Wireless Network for Trace-gas Monitoring

Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Memory Dump Analysis Anthology · 2020-07-21 · Memory Dump Analysis Anthology Volume 3 Revised Edition Dmitry Vostokov Software Diagnostics Institute OpenTask

A public research testbed for assimilating remote sensing ...acmg.seas.harvard.edu/presentations/aqast/nov2011/... · •Iowa AgClimate network •Soil Climate Analysis Network –Trace

Windows Debugging, Disassembling, Reversing · Windows Debugging, Disassembling, Reversing Practical Foundations: Training Course Dmitry Vostokov Software Diagnostics Services

X-Trace: A Pervasive Network Tracing Framework

Procedure for taking DNA - TRACE network

Trace Decay Trace decay The theory suggests that learning causes a physical change in the neural network of the memory system, creating a memory trace.

Call Trace & Network Parameter Collection Proceduresdocshare04.docshare.tips/files/30625/306251658.pdf · Call Trace & Network Parameter Collection Procedures ... Call Trace & Network

X-Trace: A Pervasive Network Tracing Frameworkcs.brown.edu/~rfonseca/pubs/xtr-nsdi07.pdfX-Trace: A Pervasive Network Tracing Framework Rodrigo Fonseca George Porter Randy H. Katz Scott

Invoice track and trace network innopay

Effects of network trace sampling methods on … · Effects of network trace sampling methods on privacy and utility metrics ... or \elephant" ows [16]. Speci c ow ... Mai et al.

X-Trace: A Pervasive Network Tracing Frameworkframework called X-Trace. A user or operator invokes X-Trace when initiating an application task (e.g., a web request), by inserting X-Trace

System IP for 64bit Systems - armtechforum.com.cn · trace Off-chip trace Self-hosted trace ... SGSN Storage Array Network Controller ... System_IP_for_64bit_Systems Author: