Network Traffic Analysis
Presented By
Ahmed Elshaer
Security Operation Specialist
Agenda
● Why Traffic Analysis
● TCP/IP Review
● The Protocols
● Tcpdump/Tshark Basics
● Wireshark Foundation
● Hands-On Network Forensics
Why Traffic Analysis?
● Gain special knowledge about the network.
● Investigate and troubleshoot abnormal behavior
– Abnormal packets.
– Network slow performance.
● Congestion.
● Retransmission.
– Unexpected traffic.
– Broken applications.
– Load balancer issues.
● Network Forensics
– Collecting evidence.
– Incident Handling.
– Tracing attacks.
– Linking infected hosts.
– Determining patient zero.
● Stealing Sensitive information
● Pen-testing.
● Developing IPS/IDS signatures.
How Packet Sniffer Works
● Collection
– The packet sniffer collects raw binary data from the wire.
● Conversion
– The captured binary data is converted into a readable form.
● Analysis
– The actual analysis of the captured and converted data.
– The packet sniffer identifies each protocol from that protocol's specific features.
TCP/IP Overview: OSI Model
● Protocols
– Ethernet
– IP
– TCP/UDP
– DNS
– DHCP
– FTP
– Telnet
– HTTP
Ethernet Frame
IP Packet
TCP Packet
TCP session initiation/termination
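The handshake and teardown shown on these slides, as an added example in Python (not code from the slides or their author): a small session tracker that walks the TCP flags of each segment and records whether a session completed its three-way handshake, closed cleanly with FINs, was reset, or was left half-open after an unanswered SYN. That last category is what an analyst looks for when triaging unexpected traffic or scan-like activity in a capture. The segments are constructed; the function names and the simplified state names (relative to the RFC 793 state machine) are my own.

```python
"""Track TCP session setup and teardown from observed segments (added example).

Walks the three-way handshake (SYN, SYN/ACK, ACK) and the FIN exchange from
the slides and records a state per session, so sessions that never completed,
closed cleanly, or ended in a RST can be listed. The state names are a
simplified version of the RFC 793 machine; segments are constructed.
"""
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10      # TCP flag bits


def flow_key(src, sport, dst, dport):
    """Order the endpoints so both directions of a session share one key."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def track_sessions(segments):
    """segments: iterable of (src, sport, dst, dport, flags). Returns {flow_key: state}."""
    state = {}
    for src, sport, dst, dport, flags in segments:
        key = flow_key(src, sport, dst, dport)
        cur = state.get(key, "NEW")
        if flags & RST:                           # abortive close from either side
            state[key] = "RESET"
        elif flags & SYN and flags & ACK:         # server answers the SYN
            if cur == "SYN_SENT":
                state[key] = "SYN_RECEIVED"
        elif flags & SYN:                         # client opens the session
            if cur == "NEW":
                state[key] = "SYN_SENT"
        elif flags & FIN:                         # first FIN, then the peer's FIN
            if cur == "ESTABLISHED":
                state[key] = "FIN_WAIT"
            elif cur == "FIN_WAIT":
                state[key] = "CLOSED"
        elif flags & ACK and cur == "SYN_RECEIVED":  # handshake completes
            state[key] = "ESTABLISHED"
    return state


def half_open(states):
    """Sessions whose SYN was never answered: filtered port, dead host, or a scan."""
    return sorted(k for k, s in states.items() if s == "SYN_SENT")


# Constructed segments: one clean session, one unanswered SYN, one reset by the server.
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 40001, "10.0.0.9", 80, SYN),
    ("10.0.0.9", 80, "10.0.0.5", 40001, SYN | ACK),
    ("10.0.0.5", 40001, "10.0.0.9", 80, ACK),
    ("10.0.0.5", 40001, "10.0.0.9", 80, ACK),          # data segment
    ("10.0.0.5", 40001, "10.0.0.9", 80, FIN | ACK),
    ("10.0.0.9", 80, "10.0.0.5", 40001, FIN | ACK),
    ("10.0.0.5", 40001, "10.0.0.9", 80, ACK),
    ("10.0.0.5", 40002, "10.0.0.9", 23, SYN),
    ("10.0.0.5", 40003, "10.0.0.9", 21, SYN),
    ("10.0.0.9", 21, "10.0.0.5", 40003, SYN | ACK),
    ("10.0.0.5", 40003, "10.0.0.9", 21, ACK),
    ("10.0.0.9", 21, "10.0.0.5", 40003, RST | ACK),
]

if __name__ == "__main__":
    for key, st in sorted(track_sessions(SAMPLE_SEGMENTS).items()):
        print(key, st)
```

Feeding this from a real capture means extracting (src, sport, dst, dport, flags) per segment, for example from the `tshark -T fields` output shown later in the deck with `-e tcp.flags` added; the tracker itself is deliberately independent of any capture library.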
UDP
The Big Picture !!!
● BPF Filters, what !!!
– Berkeley Packet Filter
– A knowledge of BPF syntax is crucial as you dig deeper into networks at the packet level.
– Allows you to specify exactly which packets you want to capture.
– Gets rid of packets you don't want to capture.
– BPF is how you talk to the network drivers :)
● Command Line Tools:
– TCPdump
– Tshark
– Dumpcap, why !!!
● Graphical Tools:
– Wireshark
● TCPDUMP Basics (1)
● TCPDUMP Basics (2)
● TCPDUMP Basics (3)
● TCPDUMP Examples (1):
– $ sudo tcpdump -n -i eth0 -c 5
– $ sudo tcpdump -n -i eth0 -c 10 -w test01.pcap
– $ tcpdump -n -r test01.pcap
– $ sudo tcpdump -n -i eth0 -c 10 -w icmp.pcap icmp
– $ sudo tcpdump -n -i eth0 -s 0 port 53
– $ sudo tcpdump -n -i eth0 -s 0 port 53 and tcp
– $ sudo tcpdump -n -i eth0 -s 0 tcp port 53
– $ sudo tcpdump -n -r icmp.pcap host 192.168.56.104
● TCPDUMP Examples (2):
– $ sudo tcpdump -n -r icmp.pcap src host 10.10.5.10
– $ sudo tcpdump -n -r icmp.pcap dst host 10.18.6.10
– $ sudo tcpdump -n -r icmp.pcap net 10.10.56.0
– $ sudo tcpdump -n -r icmp.pcap src net 10.10.56.0
– $ sudo tcpdump -n -r icmp.pcap dst net 10.10.56.0
● Bash !!!
find /pcaps/ -name '*.pcap' -print0 | while IFS= read -r -d '' file; do
    tcpdump -r "$file" -A 'port 21' | grep -iE 'USER|PASS'
done
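Added example in Python (not code from the slides or their author) that ties together the three sniffer stages from the "How Packet Sniffer Works" slide, the Ethernet/IP/TCP/UDP header layouts from the protocol slides, and the bash loop above: it reads a pcap file record by record (collection), decodes the Ethernet, IPv4 and TCP/UDP headers into fields by hand (conversion), applies a predicate equivalent to the BPF primitive `tcp port 21`, and lists every FTP USER/PASS command sent in the clear (analysis), with a directory sweep that does the job of the find/tcpdump/grep one-liner without either tool. The capture is constructed in memory with `struct` (checksums left at zero; the addresses reuse the slide examples, the login values are made up); all function names are my own.

```python
"""Hand-rolled packet decoder and cleartext-FTP credential sweep (added example).

Mirrors the sniffer stages from the slides: collect pcap records, convert the
Ethernet/IPv4/TCP/UDP headers to fields, analyse the payloads. The capture is
constructed in memory (checksums left at zero); scan_pcap_dir() is the Python
counterpart of the find/tcpdump/grep one-liner. Function names are my own.
"""
import glob
import os
import re
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4                      # classic pcap, microsecond timestamps
ETH_P_IP, IPPROTO_TCP, IPPROTO_UDP = 0x0800, 6, 17


def parse_pcap(data):
    """Collection step: yield (timestamp, frame bytes) for each pcap record."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    off = 24                                 # 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Conversion step: Ethernet -> IPv4 -> TCP/UDP fields; None for anything else."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    pkt = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "proto": ip[9]}
    l4 = ip[ihl:]
    if pkt["proto"] == IPPROTO_TCP:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        pkt.update(sport=sport, dport=dport, flags=off_flags & 0x1FF,
                   payload=l4[(off_flags >> 12) * 4:])
    elif pkt["proto"] == IPPROTO_UDP:
        sport, dport, length, _cksum = struct.unpack("!HHHH", l4[:8])
        pkt.update(sport=sport, dport=dport, payload=l4[8:length])
    else:
        return None
    return pkt


def tcp_port(port):
    """Predicate equivalent to the BPF primitive 'tcp port N' (either direction)."""
    return lambda p: p["proto"] == IPPROTO_TCP and port in (p["sport"], p["dport"])


FTP_LOGIN = re.compile(rb"^(USER|PASS) (.*)$", re.I | re.M)


def find_ftp_credentials(pcap_bytes):
    """Analysis step: (src, dst, command, argument) for every USER/PASS sent on port 21."""
    hits, wanted = [], tcp_port(21)
    for _ts, frame in parse_pcap(pcap_bytes):
        pkt = decode_frame(frame)
        if pkt is None or not wanted(pkt):
            continue
        for cmd, arg in FTP_LOGIN.findall(pkt["payload"]):
            hits.append((pkt["src"], pkt["dst"], cmd.decode().upper(), arg.strip().decode()))
    return hits


def scan_pcap_dir(directory):
    """Sweep every *.pcap in a directory, like the slide's find/tcpdump/grep loop."""
    results = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.pcap"))):
        with open(path, "rb") as fh:
            results[path] = find_ftp_credentials(fh.read())
    return results


def build_frame(src, dst, sport, dport, payload, proto=IPPROTO_TCP, flags=0x18):
    """Constructed sample frame (no real checksums): Ethernet/IPv4 + TCP or UDP."""
    if proto == IPPROTO_TCP:   # data offset 5 words, PSH|ACK by default
        l4 = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    return b"\x00" * 12 + struct.pack("!H", ETH_P_IP) + ip


def build_pcap(frames):
    """Wrap frames in a little-endian pcap file (linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                             for i, f in enumerate(frames))


# Constructed capture: an FTP login, a DNS query and an HTTP request (addresses from the slides).
SAMPLE_PCAP = build_pcap([
    build_frame("10.10.5.10", "10.18.6.10", 51000, 21, b"USER alice\r\n"),
    build_frame("10.18.6.10", "10.10.5.10", 21, 51000, b"331 Password required for alice\r\n"),
    build_frame("10.10.5.10", "10.18.6.10", 51000, 21, b"PASS example-only\r\n"),
    build_frame("10.10.5.10", "10.18.6.10", 51001, 53, b"\x12\x34\x01\x00", proto=IPPROTO_UDP),
    build_frame("10.10.5.10", "10.18.6.10", 51002, 80, b"GET / HTTP/1.0\r\nUser-Agent: x\r\n"),
])

if __name__ == "__main__":
    for hit in find_ftp_credentials(SAMPLE_PCAP):
        print("%s -> %s  %s %s" % hit)
```

The HTTP frame on port 80 contains the string "User" too, which is why the port predicate runs before the regex: the filter narrows the capture to the protocol of interest, exactly as the BPF expression does for tcpdump, and the pattern match then only sees FTP control traffic. The decoder handles only IPv4 over Ethernet, which is what the constructed capture and the slide examples use; VLAN tags, IPv6 and pcapng files would each need their own branch.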
● Tshark: advanced analysis capabilities
● Tshark = tcpdump++
● Tshark Examples (1):
– To list the interfaces
● tshark -D
– To listen on an interface
● tshark -i eth0
● tshark -i 1
● Tshark Examples (2):
● tshark -n -i wlan0 -p -a filesize:1000 -w 1MB.pcap
● tshark -n -i 7 -c 1000 -w test01.pcap -f 'tcp port 80'
● tshark -n -i 7 -f 'port 53'
● tshark -R "ip.addr == 192.168.56.101" -r test01.pcap
● tshark -R "not arp and not (udp.port == 53)" -r test.pcap
● tshark -Y "http contains user" -r httpcap.pcap -x
● tshark -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -E header=y -r test01.pcap
● Dumpcap
– A network traffic dump tool.
– It captures packet data from a live network and writes the packets to a file.
– Why should I use it !!!
● Wireshark Basic Operations
– Live Capture
– Open PCAP File
– Basic Filters
– Follow TCP Stream
– Time Stamps
– Expert Info
– Statistics
● Wireshark Packet Inspection
– ARP
– IP
– TCP
– HTTP
– FTP
– DNS
– DHCP
● Wireshark Advanced Tasks
– SSL Decryption
– Network Forensics and File Carving
● Extract Files from FTP
● Extract Files from HTTP
CTF Time
References/more resources
● http://www.chrisbrenton.org/category/security/network/
● http://packetlife.net/library/cheat-sheets/
● Practical Packet Analysis - NoStarchPress
● http://packetlife.net/captures/
● http://wiki.wireshark.org/SampleCaptures
● http://www.netresec.com/?page=PcapFiles
● Network Analysis Sessions by Ahmed Adel