
No Longer Your Parents' Protocol Analyzer!

By Jim Thor – WildPackets Professional Services

Introduction
Times have changed all around us, and they keep on changing. One thing that hasn’t really changed is the view many people have about Protocol Analyzers and the role they play in today’s networks. Historically, Protocol Analyzers were used in cases where nothing else worked. They were a break/fix tool, meaning that they were generally only used to find and fix ‘broken’ network or system issues. And usually it was only many hours after an issue arose that the protocol analyzer would be taken out of a cabinet and put to use (more as a last resort than as an active participant in the troubleshooting process). That is not to say that the break/fix use of an Analyzer is a bad thing (it is often the only way to see the truth); it is still one of the core competencies of a protocol analyzer. Another issue with only using a Protocol Analyzer once in a while to fix a problem is that it substantially lowers your proficiency with the tool. If you only use it once or twice a month or even less, it is very hard to become proficient with it and its features, and therefore the longer it will take to find and solve your issues. Not to mention that once you are more familiar with the analyzer, you will be able to take advantage of some of the more automated features like triggering, alarming, and reporting.

Background
So let’s briefly compare what we are going to be talking about, Protocol Analyzers, with some of the other technologies that are used today to help manage the network. The two most common technologies in this arena are probably Netflow and SNMP. While these are both helpful and very useful in the right scenarios, they both are limited and have significant deficiencies when compared to a Protocol Analyzer. Netflow’s major deficiency is that it is a sampling technique. While this may be okay for a high level view, it does not give you a completely accurate representation of the network, nor does it give you any detail if you wish to dig deeper. SNMP’s major deficiency is that it is either a polling technology or an alert technology (using traps). Once again, this isn’t detail oriented, and you can only get information during a polling period or when a trap is generated. And SNMP has a certain number of items in the tree that it watches and reports on, not everything and anything that is happening on the network. This is where Protocol Analyzers shine. They show you everything that is on the network, unless you choose otherwise. They will report or notify you on anything you ask them to, often down to the bit. Not sampled, not on a time schedule, and not only when bad events happen.

The Need
So, as I started off saying, times have changed. In the current world of Protocol Analysis, the tools have become much more than just a way to see the packets and the details of what is in those packets. Often I speak to people who tell me that if no one is complaining, then the network is good. Let’s face it, if a tree falls in the woods and you don’t hear it, does it mean nothing was damaged? Today, a protocol analyzer will help tell you about the past, as well as the potential for future issues or trends. The other feature of a good analyzer is the visualizations that will help to provide proof to others as to where the problem is or isn’t. This is a huge factor in today’s network environments, and the fact is that networks consistently get blamed for issues even when the issue is not related to the network. Being able to quickly and effectively show visualizations of the network and its performance will make you look like a ROCKSTAR. And this is where we are going to focus the rest of this paper: using Protocol Analyzers in the year 2009 and beyond.

So, let’s start off with a very simple scenario, and grow from there. I am guessing we all have at least one computer at home, maybe more. And in many cases that system may stay on 24×7, just in case you need to jump on the web for some reason in the middle of the night. That system is surely connected to the Internet, and all the good and bad that is lurking, all the time. Do you know what that system is doing after you go to sleep? Do you know if your system is one of the bots (robots) on a BotNet (group of robots) that is used to send ME spam at all hours of the night? Or, do you know if your system has a piece of malware that is capturing your keystrokes and sending them to a bad person somewhere in the world? Maybe it doesn’t, but can you be sure? Yes you can, but only with a Protocol Analyzer. This is seeing what your ‘expected behavior’ is and knowing what is normal and what is not.

The term ‘expected behavior’ is a term whose meaning differs slightly depending on who you ask. People often think of expected behavior as always being good traffic, meaning that the expected behavior of a network would be when everything is running perfectly. Not so. Expected behavior is just what is currently happening on the network, regardless of whether it is good or bad. Think of it as known vs. unknown traffic. In the case of protocol analysis, we need to have baselines (which are our expected behavior). If we are going to use the protocol analyzer as a tool to build our baselines, we have just overcome the first hurdle to good proactive network management. And, if we know our expected behavior, it is much easier to see that something has changed, and that change is usually what you are interested in when finding issues or oddities on your network, at home or at work.

So, let’s get back to our scenario with your computer at your home. Do you have a baseline? Do you know your expected behavior? Unfortunately, probably not. But that is your home network, and it may not be as important to you as an enterprise network. That may be true, but always remember that most networks are connected to the Internet, and therefore, connected to one another. Any issue you have at home could certainly be causing problems for your enterprise network, especially if you VPN into the office from your home network.

Now, I do not want to add to the scare tactics about how dangerous the world is from a network perspective. We have many devices and technologies (Anti-virus, Firewalls, IDS/IPS, etc.) that are there to protect you, and generally they do. But, can you prove it? Yes, you can, once again with a protocol analyzer. When a bad person writes a Virus/Trojan/Worm, one of their top priorities is to try to make it so your security devices do not see or detect it. But, one thing they can’t ever do is hide the packets. If they are going to do anything on the network, they will need to send those packets. And, with a protocol analyzer, you WILL see those packets; they cannot hide or be hidden. You may not know what exactly is inside those packets all the time (as it may be encrypted), but just the fact that the packets are there is the clue that you need.

Solution
So, how do we accomplish this in 2009? The vision here is simple, and it is called Infrastructure Analysis. Basically, you know your Infrastructure, and what it should be doing. So the idea here is to ignore everything you know, and focus on what you don’t know. As an example, you know that mail traffic goes to your mail servers; DHCP Offers come only from your DHCP servers; DNS traffic goes to your DNS servers; exactly what nodes or networks connect to your financial systems; that your printers should generally only act as a server and never as a client; and on and on. So you take a few moments and write a filter that captures all that traffic. But wait, I said that we didn’t want to see this known traffic. We don’t, so all we need to do is ‘negate’ that filter, telling the system to show me only what I don’t know. What you end up with is a capture that shouldn’t capture any packets (if you know your Infrastructure well!). Any time you see a packet, you know you have work to do, to either track down something or change your filter to reflect your new knowledge.

But now we need to automate this a little. With notifications, you can get notified any time something happens on the network that is outside the norm, so you do not have to ‘watch’ the analyzer all day and night. And it should go without saying at this point, but these captures run 24x7x365, always giving you the vision of the unknown. The analyzer is no longer a tool, but much more of an application, running 24×7, analyzing your network, all its good and bad, and giving you reports so that you not only know what is happening today, but also have historical vision into what happened yesterday, last week, or last year.

Now I understand that knowing what is happening on your home network is a lot easier than knowing what is happening on an Enterprise network. But that doesn’t preclude you from needing to do this. What it means is that you will need to have a better plan and move forward a little more logically. Rather than focusing on everything you don’t know, filter out the unknown traffic and focus on the unknown about the known, if that makes sense. To clarify this a little, if the only thing you are sure of is the Mail traffic, start there. Filter on all mail traffic and ignore any traffic headed for your mail servers. What you end up with is any mail headed directly outbound, which could be at minimum a security risk or a great clue that someone may have a Trojan or Virus on their system. Then add one protocol or application at a time until such a time that you never capture another packet. That day will be the day you KNOW your network.
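The negated filter described above, and the one-protocol-at-a-time approach from this paragraph, as an added example (not code from the paper, WildPackets or OmniPeek): flow records are matched against rules describing known, expected traffic, and only the flows no rule explains are kept. The server addresses, port numbers and sample flows are constructed for illustration.

```python
from collections import namedtuple
from typing import Callable, Iterable, Optional

# One flow record: src/dst IP, "tcp"/"udp", source port, destination port.
Flow = namedtuple("Flow", "src dst proto sport dport")
Rule = Callable[[Flow], bool]

# Constructed infrastructure knowledge (hypothetical addresses).
MAIL_SERVERS = {"10.0.0.25"}
DHCP_SERVERS = {"10.0.0.2"}
DNS_SERVERS = {"10.0.0.53"}
PRINTERS = {"10.0.0.200"}

def is_mail(f: Flow) -> bool:
    return f.proto == "tcp" and f.dport in (25, 587)
# Each rule describes one slice of known, expected traffic.
def known_mail(f: Flow) -> bool:
    return is_mail(f) and f.dst in MAIL_SERVERS

def known_dhcp(f: Flow) -> bool:
    # Client requests go to port 67; Offers/Acks leave port 67 and must come
    # from one of our DHCP servers, so a rogue server never matches.
    return f.proto == "udp" and ((f.sport == 68 and f.dport == 67) or
                                 (f.sport == 67 and f.src in DHCP_SERVERS))

def known_dns(f: Flow) -> bool:
    return f.dport == 53 and f.dst in DNS_SERVERS

def known_printer(f: Flow) -> bool:
    # Printers only act as servers: traffic flows *to* them on a print port.
    return f.dst in PRINTERS and f.dport in (9100, 631, 515)

ALL_RULES: list = [known_mail, known_dhcp, known_dns, known_printer]

def unknown_traffic(flows: Iterable[Flow], rules: list,
                    scope: Optional[Rule] = None) -> list:
    """Negated filter: flows in scope (all when None) that no known rule explains."""
    return [f for f in flows
            if (scope is None or scope(f)) and not any(r(f) for r in rules)]

# Constructed sample flows; each comment says what the flow represents.
SAMPLE_FLOWS = [
    Flow("10.0.0.10", "10.0.0.25", "tcp", 51000, 25),      # mail to our mail server
    Flow("10.0.0.10", "10.0.0.53", "udp", 51001, 53),      # DNS to our resolver
    Flow("10.0.0.2", "10.0.0.10", "udp", 67, 68),          # DHCP Offer from our server
    Flow("10.0.0.10", "10.0.0.200", "tcp", 51002, 9100),   # print job to a printer
    Flow("10.0.0.44", "203.0.113.9", "tcp", 51003, 25),    # SMTP straight to the Internet
    Flow("10.0.0.99", "10.0.0.10", "udp", 67, 68),         # DHCP Offer from a non-server
    Flow("10.0.0.200", "198.51.100.7", "tcp", 40000, 443), # printer acting as a client
]
```

Starting with `unknown_traffic(SAMPLE_FLOWS, [known_mail], scope=is_mail)` leaves only the SMTP session going straight to the Internet; running with `ALL_RULES` and no scope is the full Infrastructure Analysis capture, which here surfaces the outbound mail, the rogue DHCP Offer and the printer behaving as a client.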

Enterprise Networks can add much complexity to this task, but once again, it is still necessary to do it. As we discussed above, it may be a little slower, but with just a little time, it is easily achievable. And keep in mind, it doesn’t ever have to be complete, just better than it was yesterday, last week or last month. Every personality and/or aspect of your network that you know and understand is another step in the right direction and substantially increases your chances to fix your next problem or issue in seconds, rather than hours. And in these tough times, quicker resolution equates to less downtime, which equates to fewer dollars lost. That is where true ROI can be seen.

Another hurdle to the Enterprise class network is possibly due to the scope and breadth of said network. Your environment may have a national or even global presence. And I am sure many of you are thinking to yourself, “No way. My network is way too big and too complex for anything like this to help me.” And I am here to tell you: not true. With distributed analysis solutions, you can do Infrastructure Analysis anywhere in your organization. It doesn’t matter if the traffic is in the room next door to you, or across the world. The methodologies are the same; the only change is your point of vision on the network. If you have vision (analyzers) in the right places, you will see not only what you know, but also learn what you don’t know. And trust me, watching what you don’t know is often much more important.

Benefits and Summary

With an OmniPeek network analyzer and OmniEngine software probes you can watch both local and distant traffic, know expected behavior of your Wired or Wireless LANs, use Alarms and Notifications to alert you to something out of the ordinary, use Triggers to automate the starting and stopping of captures, and build reports in a variety of formats to refer to historically. And if the historical reporting isn’t enough detail, using OmniEngines will give you the capability to go back in time historically, do a forensic search and get just the packets that you are interested in, even if that interest revolves around just one bit in the packet. Now that is real power. And all of it can be done in seconds or minutes, not hours or days!

To summarize, let’s remember a few of the key points that we discussed here.

  1. Protocol Analyzers have to be used 24×7 to know and understand your network.
  2. With an Infrastructure Analysis capture running, you will immediately know when something happens on your network that is outside your understanding of what should be happening, giving you the proactive upper hand to resolve the issue or problem almost immediately.
  3. With alarms and notifications you can be alerted to issues via a variety of ways, including Email, SNMP, syslog, etc. Again, this is now a proactive solution.
  4. You can do this regardless of what size your network is, whether it is wired or wireless, how many nodes or applications run on it, and where those networks are located.
  5. You can save thousands, tens of thousands or even more by applying these methodologies and techniques in your environment. In these tough times this is what is most important to us all.
