Network monitoring

34 pages

Transcript of Network monitoring

Page 1: Network monitoring
Page 2: Network monitoring

Methodology

Passive approach:
Does not add traffic to the network
Measures traffic in real time
Lowest implementation cost
Non-proprietary
Independent of the hardware vendor
No escape: every frame on the monitored segment is captured
Non-obtrusive

Page 3: Network monitoring

Passive Monitoring Key Points

More secure than SNMP and RMON: the sniffer is read-only and needs no agents, community strings or management access on the monitored devices.

Provides the highest level of monitoring detail. In practice, virtually all network problems can be discovered and solved using passive packet sniffer technology.

Stealth: a passive sniffer transmits nothing, so other tools cannot detect it by its traffic (a NIC in promiscuous mode on a shared segment can sometimes still be revealed by probing it with crafted ARP or ICMP packets).

Page 4: Network monitoring

To whom is it useful?

Useful to: network administrators, application developers, network auditors, students, and the everyday "Joe" who would like to know what is happening on his network.

Page 5: Network monitoring

Unique Features…

Display in real time:
General traffic information
Total network traffic and bandwidth utilization
Graphs of utilization and distribution
Detailed breakdown of packets, raw and decoded, with optional filtering
Decodes major protocols and sub-protocols
More secure than SNMP and RMON (read-only, no agents on the monitored devices)

Page 6: Network monitoring

Common Usage

Abnormal or suspicious activity monitoring
Intrusion monitoring
Bandwidth monitoring
Critical node monitoring
Application monitoring
Data forensics (packet analysis)
Real-time / offline analysis
Network anomaly detection
Top usage (top talkers)

Page 7: Network monitoring

Bandwidth monitoring

Network Usage Statistic (General)

Page 8: Network monitoring

Critical node monitoring

Network Usage Statistic (Single)

Page 9: Network monitoring

Critical node monitoring

Network Trace (Single)

Page 10: Network monitoring

Intelligent Address Book

Critical node monitoring

Page 11: Network monitoring

Protocol Monitoring

Network Charts (Protocol Distribution -> Network Layer and IP-based)

Page 12: Network monitoring

Application Monitoring

Network Charts (Protocol Distribution -> Application Layer Distribution)

Page 13: Network monitoring

Packet Analysis

Network Analyzer (Capture and Decode)

Page 14: Network monitoring

Packet Analysis: Filtering

Page 15: Network monitoring

Reporting Toolkit Interface

Daily, Weekly, Monthly Reporting: Control Window

Page 16: Network monitoring

Sample Report

Page 17: Network monitoring

Network analysis fundamentals: Ethernet

A wired network card is normally an Ethernet adapter.

Each Ethernet adapter is assigned a globally unique hardware (MAC) address by its manufacturer. Most operating systems let the address be overridden in software, which is what MAC and ARP spoofing tools rely on.

It is a 48-bit binary number, generally written as 12 hexadecimal digits.

Ex: (00:e0:30:3f:21:b6)

MAC addresses are used for data communication on a network. The destination address can be:
Unicast: one specific adapter
Multicast: a group of adapters (the lowest bit of the first octet is set)
Broadcast: every adapter on the segment; the destination address is all 1s (ff:ff:ff:ff:ff:ff in hexadecimal)

Ethernet II Frame: destination MAC (6 bytes), source MAC (6 bytes), EtherType (2 bytes), payload (46 to 1500 bytes), FCS (4 bytes)
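As an added example (not code from the original slides or from the j-Portable product), the following Python parses an Ethernet II header with the standard library and classifies the destination address as unicast, multicast or broadcast from the I/G bit. It also reads the U/L bit, which is set on software-assigned addresses. The two frames are constructed here for illustration; the source MAC of the first is the slide's own example address.

```python
import struct

# Ethernet II header: destination MAC (6), source MAC (6), EtherType (2), big-endian.
ETH_HDR = struct.Struct("!6s6sH")
BROADCAST = b"\xff" * 6

# A few well-known EtherTypes; anything else is reported in hex.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q VLAN tag"}


def mac_str(mac: bytes) -> str:
    """Render 6 raw bytes in the usual colon-separated hex notation."""
    return ":".join(f"{b:02x}" for b in mac)


def classify_mac(mac: bytes) -> str:
    """Unicast, multicast or broadcast, decided by the I/G bit (lowest bit of the first octet)."""
    if mac == BROADCAST:
        return "broadcast"          # all 1s: every adapter on the segment
    if mac[0] & 0x01:
        return "multicast"          # group address
    return "unicast"                # one specific adapter


def is_locally_administered(mac: bytes) -> bool:
    """U/L bit (second-lowest bit of the first octet) is set when the address was
    assigned in software rather than burned in by the vendor: worth a second look
    in a capture, since spoofing tools often pick such addresses."""
    return bool(mac[0] & 0x02)


def parse_ethernet(frame: bytes) -> dict:
    """Split a raw frame into header fields and payload (FCS assumed already stripped by the NIC)."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    # Values <= 0x05DC are an IEEE 802.3 length field, not an EtherType.
    if ethertype >= 0x0600:
        proto = ETHERTYPES.get(ethertype, f"0x{ethertype:04x}")
    else:
        proto = f"802.3 length {ethertype}"
    return {
        "dst": mac_str(dst), "dst_type": classify_mac(dst),
        "src": mac_str(src), "src_oui": mac_str(src[:3]),
        "src_locally_administered": is_locally_administered(src),
        "ethertype": ethertype, "proto": proto,
        "payload": frame[ETH_HDR.size:],
    }


# Constructed sample frames (not captured data): an ARP broadcast from the slide's
# example adapter, and an IPv4 multicast frame from a locally administered address.
ARP_BROADCAST = ETH_HDR.pack(BROADCAST, bytes.fromhex("00e0303f21b6"), 0x0806) + b"\x00" * 28
IPV4_MULTICAST = ETH_HDR.pack(bytes.fromhex("01005e000001"), bytes.fromhex("020000000042"), 0x0800) + b"\x00" * 46

if __name__ == "__main__":
    for f in (ARP_BROADCAST, IPV4_MULTICAST):
        info = parse_ethernet(f)
        print(f"{info['src']} -> {info['dst']} ({info['dst_type']}, {info['proto']}, "
              f"{len(info['payload'])} payload bytes, locally administered src: {info['src_locally_administered']})")
```

The OUI (first three octets) identifies the vendor and is what an address book lookup uses to name an unknown host; a locally administered source on a segment where nobody configures MACs by hand is a first hint of spoofing.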

Page 18: Network monitoring

Network analysis fundamentals: Hubs

A hub is a device that operates at the physical layer of the OSI model and allows Ethernet networks to be easily expanded.

When devices are connected to a hub, they hear everything the other devices attached to the hub send, whether the data is destined for them or not. This makes a hub a convenient tap for a passive monitor, and equally convenient for anyone else who can plug into it.

Page 19: Network monitoring

Network analysis fundamentals: Switches and Bridging

Bridges and switches are both intelligent devices that divide a network into collision domains to improve performance.

A collision domain is a single CSMA/CD network in which a collision occurs if two stations attached to it transmit at the same time.

Because a switch forwards a unicast frame only to the port where it learnt the destination MAC, a sniffer on a switch port sees only its own traffic plus broadcasts, multicasts and frames flooded for unknown destinations. To see other hosts' traffic it needs a mirrored (SPAN) port, a tap, or a hub placed in the path.

Page 20: Network monitoring

Deployment

A technician's tool kit for troubleshooting: a laptop with j-Portable, some straight-through and cross-over cables, and a mini-hub.

For constant monitoring: a dedicated monitoring machine with j-enterprise installed, and a dedicated hub or a mirrored switch port for monitoring.

The point at which to plug in the monitoring machine depends on what we want to monitor.

Page 21: Network monitoring

LAN Monitoring

Page 22: Network monitoring

“Over the wire” monitoring

Page 23: Network monitoring

Monitoring network applications with j-Portable

Correct placement to capture specific communication

Page 24: Network monitoring

The next steps depend on the answers to these questions:

What do we want to monitor? Where do we want to monitor? What do we want to look for?

Page 25: Network monitoring

Things to monitor

To monitor network applications/software

To monitor performance of the network

To analyze network data & issues

To detect security breaches

Page 26: Network monitoring

Common Cases

Scenario: You are developing a client-server application and need to troubleshoot it. Did the packets actually get transmitted by the client to the server?

Scenario: You have installed a web-based application server. Is the traffic to/from it as it should be?

Use Capture & Decode to see the actual traffic; use Netrace to see the actual connections.

Page 27: Network monitoring

Common Cases…

2. How can we monitor network performance?

Scenario: You have a network gateway and would like to monitor the percentage of utilization of your Internet access traffic.

Use Network Statistics to view the actual usage figures; use Graph to view the distribution by protocol.

For history, use the Reporting Tool.

For bandwidth utilization per host, use Node Monitor.
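The statistics the slide refers to are simple to compute from a capture, and doing it by hand shows what a utilization figure actually contains. The following is an added example, not code from the slides or from the product: it buckets constructed frame records into one-second intervals, converts bytes to a percentage of an assumed 100 Mbit/s link (adding the 20 bytes of preamble and inter-frame gap each frame costs on the wire), flags congested seconds, and ranks hosts by bytes in both directions. The link speed, the sample records and the 70 % congestion threshold are assumptions.

```python
from collections import Counter, defaultdict

LINK_BPS = 100_000_000      # assumed: a 100 Mbit/s Internet access link
WIRE_OVERHEAD = 20          # preamble + SFD (8 bytes) and inter-frame gap (12 bytes) per frame on the wire

# Constructed records as a capture would yield them (not real data):
# (timestamp in seconds, source IP, destination IP, frame length in bytes).
SAMPLE = (
    [(0, "10.0.0.5", "10.0.0.1", 1500)] * 1000      # second 0: a 1.5 MB transfer
    + [(1, "10.0.0.7", "10.0.0.1", 64)] * 500       # second 1: a trickle of small frames
    + [(2, "10.0.0.5", "10.0.0.1", 1500)] * 8000    # second 2: the link is nearly saturated
)


def utilization_per_second(records, link_bps=LINK_BPS, overhead=WIRE_OVERHEAD):
    """Percentage of link capacity used in each one-second bucket."""
    bits = defaultdict(int)
    for ts, _, _, length in records:
        bits[int(ts)] += (length + overhead) * 8
    return {sec: bits[sec] * 100 / link_bps for sec in sorted(bits)}


def congested_seconds(util, threshold=70.0):
    """Seconds where utilisation exceeded the threshold: the first thing to check when 'the network is slow'."""
    return [sec for sec, pct in util.items() if pct > threshold]


def top_talkers(records, n=3):
    """Bytes per host, counting both directions, as a per-node ranking."""
    by_host = Counter()
    for _, src, dst, length in records:
        by_host[src] += length
        by_host[dst] += length
    return by_host.most_common(n)


if __name__ == "__main__":
    util = utilization_per_second(SAMPLE)
    for sec, pct in util.items():
        print(f"t={sec}s  {pct:6.2f} %")
    print("congested:", congested_seconds(util))
    print("top talkers:", top_talkers(SAMPLE))
```

Small frames matter more than their byte count suggests: in second 1 the 64-byte frames spend almost a quarter of their wire time in preamble and gap, which is why a utilization figure computed from payload bytes alone understates a link full of tiny packets.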

Page 28: Network monitoring

Common Cases…

3. How to perform analysis of network data?

Scenario: A worm is present in your network.

Scenario: ARP poisoning is being actively carried out on the local network.

Use Capture and Decode to look for abnormal traffic. The culprit can be pinpointed from the Address Book data; in an ARP poisoning case go by the source MAC address, since the IP address in the forged replies belongs to the host being impersonated.

Page 29: Network monitoring

Common Cases…

4. When can I use tools to analyze network issues?

Scenario: A user complains "the network is slow".

Use Statistical View to see if the network is congested, then use Capture and Decode to view the traffic and pinpoint the source of the problem.

Page 30: Network monitoring

Common Cases…

5. How can I gain better network security?

Scenario: An outsider is trying to scan machines on my network.

Netrace will show the sources and destinations of those scans. A passive monitor only sees what reaches its own segment, so to catch scans from outside it must sit on the gateway side (a mirrored port or hub between the gateway and the LAN).
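Reading the scan out of a connection list is a counting exercise, shown here as an added example that is not code from the slides or from Netrace. It takes constructed (source, destination, destination port) connection records and flags a vertical scan (one source hitting many ports on one host) and a horizontal scan (one source hitting one port across many hosts). The records and the thresholds of 10 ports or 10 hosts are assumptions; the thresholds are what you tune so that a busy file server's normal clients do not trip them.

```python
from collections import defaultdict

# Constructed connection attempts, in the form a connection list would show them
# (source IP, destination IP, destination TCP port). Not captured data.
CONNECTIONS = (
    [("10.0.0.5", "10.0.0.1", 80)] * 3                                    # normal web traffic
    + [("10.0.0.9", "10.0.0.1", p) for p in range(1, 51)]                 # one host probing 50 ports on the gateway
    + [("203.0.113.7", f"10.0.0.{h}", 445) for h in range(1, 31)]         # an outsider sweeping port 445 across the LAN
)


def detect_scans(conns, port_threshold=10, host_threshold=10):
    """Flag vertical scans (many ports on one host) and horizontal scans (one port on many hosts).

    Thresholds are assumptions for the example; tune them to the network's normal behaviour.
    Returns {source IP: [finding, ...]}.
    """
    ports_per_target = defaultdict(set)     # (src, dst) -> {dport}
    hosts_per_port = defaultdict(set)       # (src, dport) -> {dst}
    for src, dst, dport in conns:
        ports_per_target[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)

    findings = defaultdict(list)
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= port_threshold:
            findings[src].append({"type": "vertical", "target": dst, "ports": len(ports)})
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings[src].append({"type": "horizontal", "port": dport, "hosts": len(hosts)})
    return dict(findings)


if __name__ == "__main__":
    for src, items in detect_scans(CONNECTIONS).items():
        for finding in items:
            print(src, finding)
```

Counting distinct targets rather than raw connection attempts is deliberate: a retrying client produces many attempts to one port, a scanner produces one attempt to many.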

Page 31: Network monitoring

Common Cases…

6. How can I optimize my network with j-Portable?

Scenario: Your newly installed network printer is running AppleTalk and IPX, but no one else is using them.

Scenario: One of your routers is running IGMP or BGP although neither is needed.

j-Portable: use Capture & Decode to view the network traffic, filter on the single address, and look for unneeded traffic. Then make the needed adjustments on those devices.
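The "filter for a single address, look for unneeded traffic" step amounts to a per-host protocol distribution compared against what the host is supposed to speak. As an added example (not code from the slides or from the product), the following classifies constructed per-frame records by EtherType, IP protocol number and TCP port into the labels a protocol distribution chart would show, then reports, per source MAC, everything outside an allow-list. The records and the allow-lists are assumptions; the EtherType and protocol numbers (AppleTalk 0x809B, IPX 0x8137, IGMP 2, OSPF 89, BGP on TCP 179) are the standard assignments.

```python
from collections import Counter, defaultdict

# Constructed per-frame records from a capture (not real data):
# (source MAC, EtherType, IP protocol number or None, TCP/UDP destination port or None).
RECORDS = (
    [("00:11:22:33:44:55", 0x0800, 6, 9100)] * 20      # printer: raw-port print jobs (wanted)
    + [("00:11:22:33:44:55", 0x809B, None, None)] * 15  # printer: AppleTalk chatter
    + [("00:11:22:33:44:55", 0x8137, None, None)] * 12  # printer: IPX announcements
    + [("00:aa:bb:cc:dd:ee", 0x0800, 89, None)] * 6     # router: OSPF hellos (wanted on this network)
    + [("00:aa:bb:cc:dd:ee", 0x0800, 2, None)] * 4      # router: IGMP queries
    + [("00:aa:bb:cc:dd:ee", 0x0800, 6, 179)] * 3       # router: BGP session attempts
    + [("00:aa:bb:cc:dd:ee", 0x0806, None, None)] * 5   # router: ARP
)


def protocol_label(ethertype, ip_proto=None, dport=None):
    """Map header fields to the protocol name a protocol-distribution chart would show."""
    if ethertype == 0x0806:
        return "ARP"
    if ethertype == 0x809B:
        return "AppleTalk"
    if ethertype == 0x8137:
        return "IPX"
    if ethertype == 0x0800:
        if ip_proto == 2:
            return "IGMP"
        if ip_proto == 89:
            return "OSPF"
        if ip_proto == 6:
            return "BGP" if dport == 179 else "IPv4/TCP"     # BGP speakers use TCP port 179
        if ip_proto == 17:
            return "IPv4/UDP"
        return f"IPv4/proto {ip_proto}"
    return f"EtherType 0x{ethertype:04x}"


def distribution_by_host(records):
    """{source MAC: Counter(protocol -> frames)}: the single-address filtered view."""
    dist = defaultdict(Counter)
    for mac, ethertype, ip_proto, dport in records:
        dist[mac][protocol_label(ethertype, ip_proto, dport)] += 1
    return dist


def unneeded_protocols(dist, allowed_by_host):
    """Protocols each host speaks that are not on its allow-list (the allow-list is your assumption per device)."""
    return {mac: sorted(set(counts) - allowed_by_host.get(mac, set())) for mac, counts in dist.items()}


ALLOWED = {
    "00:11:22:33:44:55": {"IPv4/TCP", "IPv4/UDP", "ARP"},          # the printer only needs IP printing
    "00:aa:bb:cc:dd:ee": {"IPv4/TCP", "IPv4/UDP", "ARP", "OSPF"},  # the router is expected to speak OSPF here
}

if __name__ == "__main__":
    dist = distribution_by_host(RECORDS)
    for mac, counts in dist.items():
        print(mac, dict(counts))
    print("unneeded:", unneeded_protocols(dist, ALLOWED))
```

The example keys on the source MAC only; in a real check, filter on the destination as well, since the traffic a device attracts (for instance IPX clients looking for it) is as telling as what it sends.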

Page 32: Network monitoring

1. ARP storm detection

Problem Detection …..

Monitor each host for a certain time. A host should send only a reasonable number of ARP requests to resolve the IP addresses it needs to reach. The host is sending an ARP storm if it continuously sends ARP requests to certain IPs, or sweeps a whole range of IPs (normally as broadcasts).
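The per-host accounting this slide describes, and the ARP poisoning case from the "analysis of network data" slide, can be handled by one monitor that tracks requests and replies separately. The following is an added example, not code from the slides or from the product: it parses ARP-over-IPv4 frames with the standard library, flags a sender whose requests in a sliding window exceed a threshold (reporting how many distinct IPs were swept), flags replies nobody asked for, and flags a reply that changes the MAC already learnt for an IP, which is what poisoning looks like on the wire. The frames are constructed (a normal lookup, then a sweep of the subnet, then a forged claim to be the gateway); the 5-second window, the 50-request threshold and all addresses are assumptions.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address

ETH = struct.Struct("!6s6sH")               # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")       # htype, ptype, hlen, plen, op, sender MAC, sender IP, target MAC, target IP
REQUEST, REPLY = 1, 2


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP-over-IPv4."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _, _, ethertype = ETH.unpack_from(frame)
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha, "spa": str(ip_address(spa)), "tha": tha, "tpa": str(ip_address(tpa))}


class ArpMonitor:
    """Per-host ARP accounting: flags request storms and sweeps, unsolicited replies,
    and replies that change an IP's MAC (the signature of ARP poisoning)."""

    def __init__(self, window=5.0, storm_threshold=50):   # thresholds are assumptions; tune per network
        self.window, self.storm_threshold = window, storm_threshold
        self.requests = defaultdict(list)   # sender MAC -> [(ts, target IP), ...] within the window
        self.pending = {}                   # target IP -> ts of the last request seen for it
        self.table = {}                     # IP -> MAC learnt from replies
        self.storm_reported = set()

    def feed(self, ts, frame):
        """Account one frame; return a list of (alert type, subject, detail) tuples."""
        alerts = []
        arp = parse_arp(frame)
        if arp is None:
            return alerts
        if arp["op"] == REQUEST:
            recent = self.requests[arp["sha"]]
            recent.append((ts, arp["tpa"]))
            recent[:] = [(t, ip) for t, ip in recent if ts - t <= self.window]
            self.pending[arp["tpa"]] = ts
            if len(recent) >= self.storm_threshold and arp["sha"] not in self.storm_reported:
                self.storm_reported.add(arp["sha"])
                targets = {ip for _, ip in recent}
                alerts.append(("arp_storm", mac_str(arp["sha"]),
                               f"{len(recent)} requests to {len(targets)} IPs within {self.window}s"))
        elif arp["op"] == REPLY:
            ip, sender = arp["spa"], arp["sha"]
            asked = self.pending.get(ip)
            if asked is None or ts - asked > self.window:
                # Gratuitous ARP after an address change is legitimate, so this is a warning, not proof.
                alerts.append(("unsolicited_reply", ip, mac_str(sender)))
            known = self.table.get(ip)
            if known is not None and known != sender:
                alerts.append(("arp_poisoning", ip, f"{mac_str(known)} -> {mac_str(sender)}"))
            self.table[ip] = sender
        return alerts


def arp_frame(op, sha, spa, tha, tpa):
    """Build an ARP frame (requests are broadcast, replies go to the target MAC)."""
    dst = b"\xff" * 6 if op == REQUEST else tha
    body = ARP.pack(1, 0x0800, 6, 4, op, sha, ip_address(spa).packed, tha, ip_address(tpa).packed)
    return ETH.pack(dst, sha, 0x0806) + body


# Constructed scenario (no real capture): a normal lookup, then one host sweeping the subnet
# with requests, then the same host claiming to be the gateway.
GW_MAC, GW_IP = bytes.fromhex("aabbcc000001"), "10.0.0.1"
HOST_MAC, HOST_IP = bytes.fromhex("00e0303f21b6"), "10.0.0.5"
EVIL_MAC, EVIL_IP = bytes.fromhex("020000000099"), "10.0.0.66"


def run_scenario():
    monitor = ArpMonitor()
    events = [(0.00, arp_frame(REQUEST, HOST_MAC, HOST_IP, b"\x00" * 6, GW_IP)),
              (0.01, arp_frame(REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP))]
    events += [(1.0 + i * 0.01, arp_frame(REQUEST, EVIL_MAC, EVIL_IP, b"\x00" * 6, f"10.0.0.{i}"))
               for i in range(1, 61)]
    events.append((20.0, arp_frame(REPLY, EVIL_MAC, GW_IP, HOST_MAC, HOST_IP)))
    alerts = []
    for ts, frame in events:
        alerts += monitor.feed(ts, frame)
    return alerts


if __name__ == "__main__":
    for alert in run_scenario():
        print(alert)
```

The poisoning alert names the sender MAC, not the claimed IP, which is the field to take to the address book when pinpointing the culprit; the forged reply's IP is the gateway's by design.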

Page 33: Network monitoring

3. Worm detection

Problem Detection …..

The AV engine maintains a database of all known worm signatures. When the analyzer starts capturing, it sniffs each packet and applies the configured filters. The decoder decodes each captured and filtered packet, and the dissector extracts the payload according to the traffic type. The payload is then matched against the signature database; if any signature matches, a worm is detected.

Matching single packets misses payloads split across TCP segments and anything inside an encrypted session, so signature matching complements, rather than replaces, anomaly checks such as the ARP and scan monitoring above.
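The capture, dissect, match pipeline the slide describes, as an added example that is not code from the slides or from any AV product. A small dissector strips the Ethernet, IPv4 and TCP/UDP headers using the length fields in the headers (IHL and TCP data offset, both in 32-bit words), and the payload is run against a signature database. The signature database is constructed for the example and deliberately contains no real worm pattern: a generic NOP-sled heuristic and a made-up marker string. The frames are constructed; checksums are left at zero and not verified.

```python
import re
import struct
from ipaddress import ip_address

ETH = struct.Struct("!6s6sH")
IPV4 = struct.Struct("!BBHHHBBH4s4s")   # ver/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
TCP = struct.Struct("!HHIIBBHHH")        # sport, dport, seq, ack, data offset, flags, window, checksum, urgent
UDP = struct.Struct("!HHHH")             # sport, dport, length, checksum

# Constructed signature database for the example. Illustrative patterns only, not real worm
# signatures: a generic NOP-sled heuristic and a made-up marker string.
SIGNATURES = {
    "nop_sled": re.compile(rb"\x90{8,}"),
    "example_marker": re.compile(rb"EXAMPLE_WORM_MARKER_\d+"),
}


def dissect(frame):
    """Strip Ethernet, IPv4 and TCP/UDP headers; return (src, dst, proto, dport, payload) or None."""
    try:
        _, _, ethertype = ETH.unpack_from(frame)
        if ethertype != 0x0800:
            return None
        off = ETH.size
        ver_ihl, _, total_len, _, _, _, proto, _, src, dst = IPV4.unpack_from(frame, off)
        if ver_ihl >> 4 != 4:
            return None
        end = off + total_len                  # use the IP length, not the frame length: short frames carry padding
        off += (ver_ihl & 0x0F) * 4            # IHL is in 32-bit words (options included)
        if proto == 6:
            _, dport, _, _, data_off, *_ = TCP.unpack_from(frame, off)
            off += (data_off >> 4) * 4         # TCP data offset, also in 32-bit words
        elif proto == 17:
            _, dport, _, _ = UDP.unpack_from(frame, off)
            off += UDP.size
        else:
            return None
    except struct.error:                       # truncated frame
        return None
    return str(ip_address(src)), str(ip_address(dst)), proto, dport, frame[off:end]


def scan_frames(frames, signatures=SIGNATURES):
    """Run every signature over every dissected payload; return (frame index, signature, src, dst, dport) hits."""
    hits = []
    for idx, frame in enumerate(frames):
        d = dissect(frame)
        if d is None or not d[4]:
            continue
        src, dst, _, dport, payload = d
        for name, pattern in signatures.items():
            if pattern.search(payload):
                hits.append((idx, name, src, dst, dport))
    return hits


def tcp_frame(src, dst, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame around a payload (checksums left at zero; not verified here)."""
    tcp = TCP.pack(40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = IPV4.pack(0x45, 0, IPV4.size + len(tcp), 1, 0, 64, 6, 0,
                   ip_address(src).packed, ip_address(dst).packed) + tcp
    return ETH.pack(b"\xaa" * 6, b"\xbb" * 6, 0x0800) + ip


# Constructed traffic (not a capture): a benign request, a NOP sled, a marker hit, and an ARP frame that is skipped.
FRAMES = [
    tcp_frame("10.0.0.5", "10.0.0.20", 80, b"GET / HTTP/1.0\r\n\r\n"),
    tcp_frame("10.0.0.9", "10.0.0.20", 135, b"\x90" * 12 + b"AAAA"),
    tcp_frame("10.0.0.9", "10.0.0.21", 445, b"hello EXAMPLE_WORM_MARKER_42"),
    ETH.pack(b"\xff" * 6, b"\xcc" * 6, 0x0806) + b"\x00" * 28,
]

if __name__ == "__main__":
    for hit in scan_frames(FRAMES):
        print(hit)
```

Two details matter for correctness in practice: the payload is cut at the IP total length rather than the frame length, so Ethernet padding on short frames is never matched, and header lengths are taken from the headers rather than assumed to be 20 bytes, so options do not shift the payload under the signatures.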

Page 34: Network monitoring