Recently in network forensics Category

The holy grail of effective network troubleshooting is the ability to pinpoint issues quickly so that they can be fixed. Any approach that streamlines this part of the network analytics process means more uptime and healthier networks over the long run.

Here's a suggestion: instead of loading all packets, save time by using utilization statistics about network traffic to provide clues that answer questions like "What happened?", "When?" and "Who did it?" Only then determine which slice of time you want to perform deeper network analysis on.

To this end, WildPackets is releasing Compass, a freely available interactive forensics dashboard for the OmniPeek Network Analyzer. The Compass dashboard graph (see screenshot) allows users to select specific time periods for analysis, add and remove nodes and protocols on the same graph, and compare and correlate these across different time periods, including long spans of time.

In some cases, seeing the utilization in the Compass graph for the nodes and/or protocols in question may solve the problem. Otherwise, once a slice of time has been selected, the packets for just that slice of time can be loaded into OmniPeek by hitting the "Load Packets" button. If that slice wasn't the problem, just go back to the graph, slide the time window, and load a different slice of packets.

[Screenshot: compass_full3.png, the Compass dashboard graph]

Obviously, there are a number of considerations and best practices for troubleshooting a flaky network connection. That being said, here are three considerations that, in most cases, will expedite identifying and pinpointing the problem and shorten the time to getting the network humming once again.

Consideration #1: Can you record your network traffic and search through the data at the time the issue occurs?

This is also known as network forensics. Network forensics refers to the capture, storage and analysis of digital evidence that flows through your enterprise network. The most complete solutions record every single packet that is transmitted over your corporate networks. So, any emails, instant messages, FTP traffic or any other form of communication that takes place on the network can be reconstructed from the original transmissions. Forensics essentially allows you to reconstruct the history of your entire network.

With more businesses relying on the cloud for their IT infrastructure or to deliver their services and products to customers, it's crucial to be monitoring both operations and the infrastructure. While the network has become more reliable, reliance on web-based and cloud-served applications or storage has led to more frequent outages of that infrastructure. By collecting digital evidence via a network recorder, the once laborious, time-consuming searches (for top talkers, the biggest delays, application type, etc.) that involved multiple tools and large transfers of data can be reduced to a quick, convenient search.

Consideration #2: Is the problem stemming from one user or many users on the same switch or segment?

Determining the scope of the problem points the administrator toward where to start the network analysis and what information is most useful for diagnosing and correcting the issue. There are several ways to determine whether a problem is stemming from one user or from many users on the same switch. One of the more common, but least desirable, ways is to watch the number of trouble tickets: if calls spike and most of the callers are on the same subnet, that is a telltale sign of a possible hardware problem. A far more proactive approach is to use background analysis and monitor for conditions like a non-responsive client or server, or low client-to-server or server-to-client throughput. You will quickly see whether these issues are being reported for a single client or across many clients. If for a single client, isolate that client for analysis: determine what other network activities the client is engaged in and examine those network flows. This will quickly shed light on the issue. If the problem is stemming from many users, is it isolated to a single application, or is it broadly affecting overall connectivity? If confined to a single application, that's the place to dig. If the issue is overall connectivity for many users, find the connectivity point common to those users and check it for hardware issues.

Consideration #3: Is the problem connectivity or utilization related?

Is the network traffic getting to the specified destination? Is a specific machine over-consuming its allocation of bandwidth and crippling other users' connectivity while doing some action? On the utilization front, non-work-related "bandwidth sucking" download activities (music, videos, games, etc.) are a common culprit. Utilization-related issues are typically intermittent in nature: one, or perhaps several, clients are over-utilizing a network segment, but that comes and goes. Even if the oversubscribing event is long in nature (like streaming video), the remaining utilization still goes up and down with normal network usage, creating intermittent periods of over-utilization. This can easily be monitored by graphing the network utilization in real time. Connectivity-related issues are typically more binary: users either can or cannot connect to a particular network segment or a particular application. If the issue is utilization related, the next step is to determine whether it is client or application driven. This is fairly easy to determine by looking at the top talkers on the network. If the top talkers are clients, drill down and see what protocols the client is using. This typically reveals the source of the problem quite readily. If the issue is connectivity related, the next step is to determine whether connectivity is being affected by network congestion or by hardware problems. Network congestion is again easily seen by monitoring network utilization in real time. If not congestion, then the issue is likely to be with hardware within the user's (or users') connectivity path.
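As an added illustration (not code from the original post or from WildPackets), the following Python sketches the workflow described in the Compass section and in Consideration #3: bucket traffic into the data behind a utilization graph, flag the over-utilized intervals, then drill into the top talker's protocols for just that slice of time. The flow records, the 10 Mbit/s link capacity and the 80% threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records for illustration, not a real capture:
# (timestamp in seconds, client, server, protocol, bytes exchanged)
FLOWS = [
    (2, "10.0.0.2", "10.0.0.50", "SMB", 300_000),
    (5, "10.0.0.3", "10.0.0.50", "HTTP", 200_000),
    (21, "10.0.0.7", "203.0.113.9", "HTTP", 6_000_000),
    (24, "10.0.0.7", "203.0.113.9", "HTTP", 5_000_000),
    (26, "10.0.0.2", "10.0.0.50", "SMB", 250_000),
    (35, "10.0.0.3", "10.0.0.50", "HTTP", 150_000),
    (44, "10.0.0.7", "203.0.113.9", "HTTP", 7_000_000),
    (47, "10.0.0.7", "10.0.0.50", "DNS", 5_000),
    (48, "10.0.0.4", "10.0.0.50", "SMB", 3_900_000),
]
LINK_BYTES_PER_SEC = 1_250_000  # assumed 10 Mbit/s segment
INTERVAL = 10                   # graph bucket size in seconds
THRESHOLD = 0.8                 # fraction of capacity treated as over-utilized

def utilization_by_interval(flows, interval=INTERVAL):
    """Total bytes per time bucket: the data behind a utilization graph."""
    buckets = defaultdict(int)
    for ts, _client, _server, _proto, nbytes in flows:
        buckets[(ts // interval) * interval] += nbytes
    return dict(buckets)

def over_utilized_intervals(flows, interval=INTERVAL,
                            capacity=LINK_BYTES_PER_SEC, threshold=THRESHOLD):
    """Bucket start times above the threshold; gaps between them are the intermittent pattern."""
    limit = capacity * interval * threshold
    usage = utilization_by_interval(flows, interval)
    return sorted(start for start, total in usage.items() if total > limit)

def top_talkers(flows, start, end, n=3):
    """Hosts ranked by bytes within [start, end): the first drill-down step."""
    per_host = defaultdict(int)
    for ts, client, server, _proto, nbytes in flows:
        if start <= ts < end:
            per_host[client] += nbytes
            per_host[server] += nbytes
    return sorted(per_host.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def protocols_for_host(flows, host, start, end):
    """Bytes per protocol for one host in the window: what the talker is doing."""
    per_proto = defaultdict(int)
    for ts, client, server, proto, nbytes in flows:
        if start <= ts < end and host in (client, server):
            per_proto[proto] += nbytes
    return dict(per_proto)
```

With the sample data, only the 20s and 40s buckets exceed the limit, and in both the same client is moving HTTP traffic to one external host, which is the "client driven, then look at its protocols" path the text describes.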

Yikes... This week Sega exposed some of Sony's highly sensitive future plans. Information regarding the Sony PlayStation 3 and motion controllers, discussed in a meeting with Sega, was leaked in a document that made its way onto Sega's press site.

So, who is responsible? How did this happen? If this happened in your company, how could you find out? Enter network forensics.

Network forensics refers to the capture, storage and analysis of digital evidence that flows through your enterprise network. The most complete solutions record every single packet that is transmitted over your corporate networks. So, any emails, instant messages, FTP traffic or any other form of communication that takes place on the network can be reconstructed from the original transmissions. It doesn't get any more accurate than that. Network forensics essentially allows you to reconstruct the history of your entire network.

IT personnel use network forensics to analyze historical network traffic in order to conduct or assist in many types of investigations. A few common applications for network forensics include HR compliance, intermittent issues, cyber attacks and transaction analysis. This often starts with terabytes upon terabytes of data. Some tools, like OmniPeek, allow you to analyze data at the point of capture, eliminating the large data transfers (typically required otherwise) that consume time and bandwidth. OmniPeek also provides a simple and intuitive means to drill down into the relevant data, making easy work of finding the needle in the multi-terabyte haystack.

Using network forensics, you can track down the culprit. Of course, network forensics has many uses other than hunting down perpetrators, but it can be helpful in uncovering the source of sensitive leaks. If they aren't already, Sega should be using network forensics to get to the bottom of this snafu.

Network forensics is the capture, recording, and analysis of network events. Typically, network forensics tools employ simple and complex filters to mine stored data and reveal anomalies (what caused them and what their effect on network performance was). The common perception is that network forensics is used to discover the source of security attacks; the recent denial-of-service attacks on Twitter are a headline example where network forensics was used to help identify the perpetrator. So while security attacks get the most attention, network forensics can be used for other problem incidents, and even beyond problem incidents for things like business analysis. Below are three network forensics use cases, not including security attacks, for consideration.

1) Monitoring User Activity

Social networking sites like Facebook and Twitter have been shown to sap productivity in the workplace. As a result, many organizations have user policies that prohibit, or at least curtail, such activities. Recently, the U.S. Marine Corps banned marines from using Twitter for a year, as well as Facebook. Additionally, policies prohibiting non-work-related "bandwidth sucking" download activities (music, videos, games, etc.) are common. Lastly, users may not be going through a proxy server, opening up the network to various malware. Network forensics allows all these "rogue" activities to be monitored, revealing who broke policy, what policy infraction was committed, and at what time it occurred.

2) Business transaction analysis

For transactions that take place in clear text, like SQL, HTTP requests, FTP, or telnet, network forensics allows the network administrator to create the ultimate audit trail for business transactions: not just server activity, but the business transactions enacted by clients and servers. Additionally, network forensics can serve to troubleshoot the transaction problems that server logs miss.
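To show what "reconstructed from the original transmissions" means for a clear-text protocol, here is an added Python example (not from the original post, and not OmniPeek's code) that reorders captured TCP segments of a client's HTTP session, discards a retransmission, and turns each request into an audit record with method, path, host and body size. The segments, host name and paths are constructed sample data.

```python
# Constructed client-to-server HTTP stream (sample data, not a real capture).
STREAM = (b"GET /orders/42 HTTP/1.1\r\nHost: erp.example.test\r\n\r\n"
          b"POST /orders HTTP/1.1\r\nHost: erp.example.test\r\n"
          b"Content-Length: 11\r\n\r\nitem=widget")
ISN = 1000  # initial sequence number of the client side of the connection
# The same stream as it might be captured: segments out of order, one retransmitted.
SEGMENTS = [
    (ISN + 40, STREAM[40:75]),
    (ISN, STREAM[:40]),
    (ISN + 75, STREAM[75:]),
    (ISN + 40, STREAM[40:75]),
]

def reassemble(segments, isn):
    """Order TCP segments by sequence number and join their payloads.
    Retransmitted or overlapping segments contribute only bytes not yet seen."""
    stream = bytearray()
    expected = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > expected:
            raise ValueError(f"capture is missing bytes from seq {expected}")
        new = payload[expected - seq:]  # skip bytes already in the stream
        stream += new
        expected += len(new)
    return bytes(stream)

def parse_requests(stream):
    """Split a reassembled client stream into one audit record per HTTP request."""
    records = []
    rest = stream
    while b"\r\n\r\n" in rest:
        head, rest = rest.split(b"\r\n\r\n", 1)
        lines = head.decode("ascii", "replace").split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
        headers = {k.strip().lower(): v.strip()
                   for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
        body_len = int(headers.get("content-length", 0))
        records.append({"method": method, "path": path,
                        "host": headers.get("host", ""), "body_bytes": body_len})
        rest = rest[body_len:]  # step over the body to reach the next request line
    return records

def audit_trail(segments, isn):
    """Whole pipeline: captured segments in, transaction audit records out."""
    return parse_requests(reassemble(segments, isn))
```

The second record shows the POST that a server access log would list as a single line; the reconstructed stream also carries its body length and any headers the server did not log.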

 

3) Pinpointing the source of intermittent performance issues

On a practical level, here's where network forensics tools really come in handy: capturing and handling intermittent network problems, especially those that occurred hours or days ago. Traditional "reactive" ad hoc troubleshooting can miss patterns that indicate network problems, so network forensics can be used to catch things that were originally missed.

As the SANS Institute notes, "Network forensics can reveal who communicated with whom, when, how, and how often. It can uncover the low-level addresses of the systems communicating, which investigators can use to trace an action or conversation back to a physical device. The entire contents of e-mails, IM conversations, Web surfing activities and file transfers can be recovered and reconstructed to reveal the original transaction. More importantly, the protocol data that surrounded each conversation is often extremely valuable...."

Network forensics can be a powerful tool to unlock mysteries found within the network. Make sure you have a network forensics tool best suited for your organization's particular needs.

In the last few days, cyber attacks have infiltrated U.S. and South Korean government agencies. Some sites still remain down.

While this attack is highly sophisticated and far-reaching, it illustrates just how crucial network security is in a world where organized cyber-terrorism can bring down even the most prominent sites. Your website may not be the next target, but if it was, how would you go about protecting it?

For starters, an analysis tool that specializes in viewing and understanding what the network is doing can help. You need something that will:

   1. Analyze and characterize any attack.
   2. Apply filters to isolate malicious behavior. This will define what action is needed to mitigate the effect if an attack slips past network defense.
   3. Equip your network IT team with a powerful incident response tool that can be used in real time and visually represents attacks.

With the proper network tool -- something like a network security Swiss Army Knife -- IT personnel can zero in on the problem and troubleshoot.

Network forensics works by analyzing historical network traffic in order to conduct investigations into security attacks. Using network forensics, security teams can reconstruct the sequence of events that occurred at the time of a breach and get the complete picture. The right network forensics solution enables IT managers and network engineers to discover and eliminate possible threats in the network and to provide lawful interception capabilities when needed.

Our solution, OmniPeek, for example, helps IT personnel analyze data by capturing network traffic at key network points, which minimizes the traffic load that polling devices would otherwise place on the network and lets you find the data you're looking for quickly and easily. When dealing with network security breaches, time is of the essence.

We've seen quite a few network attacks - our solutions combat security vulnerabilities and our products are used by a number of government agencies. As these recent attacks demonstrate, the hackers are getting more sophisticated. It makes you wonder, if the most secure sites in the world are being compromised, what does that mean for enterprises?