All network analyzers and sniffers can capture data from the network. Most of them, however, only compute some simple statistics and then throw pages of numbers at the user. On a big network with heavy traffic, this leaves network administrators to work out a network problem, even a simple one, by hand.
The Security Analysis profile is a good example of doing better. It is an analysis profile that can detect the following network anomalies and attacks:
  • ARP attack
  • Worm activity
  • DoS attack
  • TCP port scanning
  • Suspicious conversation

Review a Checklist of Analysis Tasks

There are a large number of tasks which a Security Analyst should perform. These tasks can be considered proactive or reactive.
Proactive methods include BASELINING network communications to learn the current status of the network and of application performance. A baseline also makes it possible to spot network problems before they are felt by the network users.

For example, identifying the cause of packet loss before it becomes excessive and affects network communications lets you avoid problems before they are even noticed.
Reactive analysis techniques are employed after a complaint about network performance has been reported or when network issues are suspected. Sadly, reactive analysis is more common.
 
The following lists some of the analysis tasks that can be performed using Wireshark:
  • Find the top talkers on the network
  • Identify the protocols and applications in use
  • Determine the average packets per second rate and bytes per second rate of an application or all network traffic on a link
  • List all hosts communicating
  • Learn the packet lengths used by a data transfer application
  • Recognize the most common connection problems
  • Spot delays between client requests due to slow processing
  • Locate misconfigured hosts
  • Detect network or host congestion that is slowing down file transfers
  • Identify asynchronous traffic prioritization
  • Graph HTTP flows to examine website referrals rates
  • Identify unusual scanning traffic on the network
  • Quickly identify HTTP error responses indicating client and server problems
  • Quickly identify VoIP error responses indicating client, server or global errors
  • Build graphs to compare traffic behavior
  • Graph application throughput and compare to overall link traffic seen
  • Identify applications that do not encrypt traffic
  • Play back VoIP conversations to hear the effects of various network problems on network traffic
  • Perform passive operating system and application use detection
  • Spot unusual protocols and unrecognized port number usage on the network
  • Examine the startup process of hosts and applications on the network
  • Identify average and unacceptable service response times (SRT)
  • Graph intervals of periodic packet generation applications or protocols
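As an added example (not code from the article or from Wireshark), three items from the checklist above, top talkers, average packets/bytes per second, and spotting scanning traffic, computed over constructed sample records formatted like a tshark field export; the five-port scan threshold is an assumption.

```python
from collections import Counter, defaultdict

# Constructed sample (values invented), shaped like the output of:
# tshark -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e frame.len
SAMPLE = """\
1000.00,10.0.0.5,10.0.0.80,443,1400
1000.10,10.0.0.5,10.0.0.80,443,1400
1000.20,10.0.0.80,10.0.0.5,51000,60
1000.50,10.0.0.9,10.0.0.80,22,74
1000.55,10.0.0.9,10.0.0.80,23,74
1000.60,10.0.0.9,10.0.0.80,25,74
1000.65,10.0.0.9,10.0.0.80,80,74
1000.70,10.0.0.9,10.0.0.80,135,74
1000.75,10.0.0.9,10.0.0.80,445,74
1001.00,10.0.0.5,10.0.0.80,443,1400
1002.00,10.0.0.80,10.0.0.5,51000,60
"""

def parse(text):
    """Yield (time, src, dst, dstport, length) tuples from the field export."""
    for line in text.splitlines():
        t, src, dst, port, length = line.split(",")
        yield float(t), src, dst, int(port), int(length)

def top_talkers(records, n=3):
    """Bytes sent per source address, largest first (checklist: top talkers)."""
    bytes_by_src = Counter()
    for _, src, _, _, length in records:
        bytes_by_src[src] += length
    return bytes_by_src.most_common(n)

def rates(records):
    """Average packets/s and bytes/s over the capture span (checklist: rates)."""
    records = list(records)
    span = records[-1][0] - records[0][0]
    total_bytes = sum(r[4] for r in records)
    return len(records) / span, total_bytes / span

def scan_suspects(records, min_ports=5):
    """Sources touching many distinct destination ports on one host: a simple
    heuristic for the 'unusual scanning traffic' item (threshold is assumed)."""
    ports = defaultdict(set)
    for _, src, dst, port, _ in records:
        ports[(src, dst)].add(port)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}
```

Each function takes the parsed records, so the same code runs unchanged on a real `tshark -T fields` export of your own capture.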
Networks vary greatly in the traffic seen. The number and type of network analysis tasks you can perform depends on your network traffic characteristics.
I hope this reference checklist will help you review the analysis tasks you may have to perform.

This Article Was Written & published by Meena R,  Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India. 

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so passionate about the Cybersecurity domain that she goes out of her way to share valuable posts and writings about Cybersecurity on her website and on social media platforms.
