Security Camp 2012

Slide 2
Agenda
- Basics
  - What is "Network Security Analysis"?
  - How useful is it for your security activities?
  - Who uses network analyzers
- Tool Introduction
  - About Wireshark
  - Sniffer positioning
  - Features & panels
- Exercise
Slide 3
What is "Network Security Analysis"?
- An important activity for incident responders and security analysts
- Currently data just travels around your network like a train. With a packet sniffer, you get the ability to capture the data and look inside the packets to see what is actually moving along the tracks.
Slide 4
What is "Network Security Analysis"?
- Related to many security activities
  - Network monitoring
    - To detect an on-going incident
  - Network forensics
    - To find evidence in a specific incident
  - Malware analysis
    - To find capabilities of malware such as "sending important data to malicious servers" or "bot command & control"
- The process of capturing, decoding, and analyzing network traffic
Slide 5
Who Uses Network Analyzers
- System administrators
  - Understand system problems and performance
  - Intrusion detection
- Malicious individuals (intruders)
  - Capture cleartext data
    - Passively collect data on vulnerable protocols
    - FTP, POP3, IMAP, SMTP, rlogin, HTTP, etc.
  - Capture VoIP data
  - Mapping the target network
    - Traffic pattern discovery
  - Actively break into the network (backdoor techniques)
Slide 6
Network security analysis - Flow based
- Features
  - Focus on network flows/traffic instead of each packet
  - Good approach to get a high-level overview or accounting
- Tools
  - Netflow / sFlow
  - MRTG / RRDTool
Slide 7
Network security analysis - Packet based
- Features
  - Focus on each packet or group of packets
  - Can analyze thoroughly, but at high cost
- Tools / Techniques
  - tcpdump
  - Wireshark / tshark
Slide 8
Network security analysis - Packet based (Cont.)
- Capture packets
  - Don't use Wireshark to capture packets
  - Avoid running Wireshark with root privilege
  - Use a simpler program instead
    - E.g. tcpdump, dumpcap
- Analyze packets
  - Wireshark is the best friend for this purpose.
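To make the flow-based vs. packet-based distinction of the previous slides concrete, here is an added example (not from the slides, and not Wireshark or tshark code): a minimal stdlib-only decoder for the classic pcap format that dumpcap and tcpdump write, giving both the per-packet view and a Netflow-style per-flow summary. The capture it reads is constructed in the code itself (checksums left zero, addresses from the documentation ranges).

```python
import struct
from collections import Counter

def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian pcap (linktype 1)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)

def tcp_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero (sample data)."""
    a = [bytes(int(x) for x in ip.split(".")) for ip in (src, dst)]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, *a)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp + payload

def iter_packets(pcap):
    """Packet-based view: yield (src, dst, sport, dport, payload) per IPv4/TCP packet."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # pcap magic gives byte order
    off = 24                                                 # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                         # IPv4 + TCP only
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        t = 14 + ihl                                         # start of the TCP header
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        doff = (frame[t + 12] >> 4) * 4
        yield src, dst, sport, dport, frame[t + doff:]

def flow_summary(pcap):
    """Flow-based view: (packets, payload bytes) per (src, dst, dport), as Netflow shows it."""
    pk, by = Counter(), Counter()
    for src, dst, _sport, dport, payload in iter_packets(pcap):
        pk[(src, dst, dport)] += 1
        by[(src, dst, dport)] += len(payload)
    return {k: (pk[k], by[k]) for k in pk}

# Constructed sample capture: one HTTP exchange plus two beacons to a second server.
SAMPLE = build_pcap([
    tcp_frame("10.0.0.5", "192.0.2.10", 40000, 80, b"GET / HTTP/1.1\r\n"),
    tcp_frame("192.0.2.10", "10.0.0.5", 80, 40000, b"HTTP/1.1 200 OK\r\n"),
    tcp_frame("10.0.0.5", "198.51.100.7", 40001, 8080, b"id=abc"),
    tcp_frame("10.0.0.5", "198.51.100.7", 40002, 8080, b"id=abc"),
])
```

The flow summary is what a collector would give you for accounting; only `iter_packets` still has the payload, which is why the thorough (and costly) analysis of the next slides is done per packet in Wireshark.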
Slide 9
Tool Introduction: About Wireshark
- Wireshark is a free and open-source tool
- Runs on many OSs
  - Windows / Linux / *BSD / Solaris and others
- User interface
  - GUI: Packet List / Packet Details / Packet Bytes
  - CUI: tshark (command-line mode)
- Many features
  - Search / Filter / Colorize / Statistics / others
- Vulnerability information: http://www.wireshark.org/security/
Slide 10
Tool Introduction: About Wireshark (Cont.)
- Decodes over 750 protocols
- Compatible with many other sniffers
- Plenty of online resources are available
- Supports command-line and GUI interfaces
- tshark (the command-line interface) has three components
  - editcap
  - mergecap
  - text2pcap
Slide 36
Exercise 2: Malware Communication Traffic
- Q1. What kind of malicious activity did this malware do?
- Q2. What is the malicious server's IP address?
Slide 38
- Q1. Which site and which page were defaced?
  - site
  - page
- Q2. Which URL looks malicious?
- Q3. Which software seemed to be the target of this exploit?
- Q4. What kind of malicious activity was executed after the exploit?