Weekly Network Knowledge Challenge QUIZ from The Network Heroes! (From:ProfiTAP)

For the next 14 weeks the Network Heroes will be asking you the challenge questions.

See if you can answer all 14 correctly!

Visit the ProfiTAP website every Monday for the latest question!

This week's question is from Phil Shade!

Phillip D. Shade is the founder of Merlion's Keep Consulting, a professional services company specializing in network and forensics analysis.

He is a certified instructor for a number of advanced network training academies, including Wireshark University, Global Knowledge, Sniffer University, and Planet-3 Wireless Academy.

THE ENEMY INSIDE THE GATES – A GUIDE TO USING OPEN SOURCE TOOLS FOR NETWORK FORENSICS ANALYSIS in Wireshark Master – Network Forensics and Security



Beware the Lizard (by Paul W Smith)

Geico Lizard with Brain

"I've experienced many terrible things in my life, a few of which actually happened."

– Mark Twain

A man driving his luxury car late at night becomes lost and slowly realizes that he is in a very bad part of town.  When his car breaks down, the tension mounts.  He is approached by a group of gang members, one of whom is brandishing a handgun.  The tow truck he has called arrives, but as its driver confronts the gunman, the outcome is unclear. 

This is the opening scene from the 1991 film “Grand Canyon.”  It sticks in my mind more than a quarter century later because of the artful way it resonates with the wide-ranging fears that engulf us.  Some of those cause the all-too-familiar knot in the stomach, while others we hardly notice.

If you’ve ever wondered why you’re afraid of so many things, don’t panic.  We are all hard-wired for fear courtesy of a small portion of the brain known as the amygdala.  Scientists blame this chunk of grey-matter for emotional responses like fear, anxiety and aggression.  If you are a caveman who fears a rustle in the bushes that could be a sabretooth tiger, this is a good thing.  When you are an office worker afraid to open an urgent email from your boss, not so much.



Sharkfest 2018 - TCP Fundamentals Part 2 (by Chris Greer)

Greetings packet-people!

This is the second session on TCP Fundamentals that was delivered at Sharkfest US in June. However, consider this a sneak peek for my session at Sharkfest Europe 2018 in Vienna, Austria. Hope to see you there.

If you missed the first session, you can find it here.


Author Profile - Chris Greer is a Chief Packet Head for Packet Pioneer LLC and a Wireshark Network Analyst. Chris regularly assists companies around the world in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. Chris also delivers training and develops technical content for Wireshark and several packet analysis vendors. 



Network Security Countermeasures and Solutions -"Things You Must Do, First" (by Andrew A. Vladimirov)

Before even planning, not to mention budgeting and starting to implement, any countermeasures, it is necessary to have a clear picture of what we actually defend against, as well as what it is that we are defending. Unfortunately, in over 15 years of my experience in information security this is rarely the case. More often than not, decisions on security safeguards depend on anything (ranging from vendor relationships and discount offers to aggressive security solutions marketing and the relevant media hype of the year) but the actual risks faced and the attacker strategies employed.

So, the question "how effective/modern/popular is the proposed safeguard (whatever it might be)?" is blatantly wrong (and yet remains a very common question from the IT side).

There must, of course, be an implemented security baseline (including, at least, a strong password policy enforced, antimalware on all Windows and MacOS hosts, a spam filter, a stateful or proxy perimeter firewall, reasonable network separation rather than one nightmarish flat network with everything on VLAN1, still seen in numerous SMEs, some user security awareness training, and hard drive encryption on mobile hosts taken off site, including BYOD). However, everything else is subject to discussion.

The question "does it address the real risks we face according to their criticality?" is the right one, but it requires approaching information security as the form of risk management it is, which is often not the case. So it's a question of overall strategy, then tactics, and not "which particular gun is more powerful/which do we fancy more". I'm deliberately using military analogies here: 8 years ago we wrote a book that approaches information security through a military strategy framework, the second edition came 4 years ago, and despite all the technical change it is as relevant now as it was then.




When A Simple SPAN Port Is Enough (by Timothy Schmidt)



The two most common ways to access and replicate data within your network are TAP and SPAN technology. A Test Access Point (TAP) is a hardware device that copies all of your network data. SPAN (Switch Port Analyzer) is a mirroring port within a switch that copies selected traffic on a best-effort basis, with no guarantees.

Network TAPs are always the industry's best practice, but there are a few specific and limited situations in which a SPAN port suffices: when monitoring products are looking for low-bandwidth application-layer events such as "conversation or connection analysis" and "application flows," and in applications where real-time capture, dropped packets and knowing the real delta times are not important. A SPAN port could also be used in a remote location that doesn't justify a permanent deployment, offering temporary access for limited troubleshooting.

In these specific situations, when a SPAN port perfectly suffices, you likely need a way to aggregate a few SPAN lines together and send that combined network traffic out to one or more sets of tools or appliances. When these situations arise, think simplicity.




How TCP Works – The Timestamp Option (by Chris Greer)

TCP Timestamp TSval TSecr

In the TCP handshake, you may see an option called timestamps, shortly followed by scary-looking “TSval” and "TSecr" numbers. What are those values and how can you interpret them? Let’s dig.

What is a TCP Timestamp? 

The timestamps option in TCP enables the endpoints to keep a current measurement of the roundtrip time (RTT) of the network between them. This value helps each TCP stack to set and adjust its retransmission timer. There are other benefits, but RTT measurement is the major one.

How it works.

Each end of the connection derives a 4-byte increasing value. This value is unique to each side and has no real numerical significance. The opposite end does not care what the value is; it simply echoes it back to the original sender. The original sender can then measure the timing between the packet(s) that were sent and received carrying this unique value.

The value used by each end will be increased as the connection goes along. Many TCP implementations will add the measured network RTT value (in milliseconds) to the 4-byte timestamp and use this new number for the next segment to be sent.
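The mechanism described above (an option of kind 8 and length 10 carrying TSval and TSecr, with each side echoing the other's value) can be worked through in code. The following is an added example, not code from Chris Greer's post or from Wireshark: it parses the TCP options area for the timestamp option, encodes one, and then replays a small constructed capture to measure round-trip time the way a TCP stack does, by pairing a sent TSval with the first later segment whose TSecr echoes it. The addresses, capture times and timestamp values are all constructed for the illustration.

```python
import struct
from dataclasses import dataclass

TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_TIMESTAMP = 8      # kind 8, length 10: TSval (4 bytes) + TSecr (4 bytes)
TS_LEN = 10


def parse_tcp_timestamp(options: bytes):
    """Walk the TCP options area; return (TSval, TSecr) or None if absent.

    Malformed lengths raise ValueError rather than reading past the buffer."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        if kind == TCPOPT_TIMESTAMP:
            if length != TS_LEN:
                raise ValueError("timestamp option must be 10 bytes")
            tsval, tsecr = struct.unpack("!II", options[i + 2:i + TS_LEN])
            return tsval, tsecr
        i += length
    return None


def build_timestamp_option(tsval: int, tsecr: int) -> bytes:
    """Encode two NOPs (4-byte alignment) followed by kind=8 len=10 TSval TSecr.
    Both fields are 32-bit counters and wrap modulo 2**32."""
    return b"\x01\x01" + struct.pack("!BBII", TCPOPT_TIMESTAMP, TS_LEN,
                                     tsval & 0xFFFFFFFF, tsecr & 0xFFFFFFFF)


@dataclass
class Segment:
    t_ms: int      # capture time in ms (constructed)
    src: str
    dst: str
    tsval: int
    tsecr: int


def decode_capture(raw):
    """Turn (time, src, dst, option bytes) tuples into Segments; segments
    without a timestamp option cannot take part in RTT measurement."""
    segs = []
    for t_ms, src, dst, opts in raw:
        ts = parse_tcp_timestamp(opts)
        if ts is not None:
            segs.append(Segment(t_ms, src, dst, *ts))
    return segs


def rtt_samples(segments, host):
    """RTT samples (ms) as seen by `host`: the delay between the first segment
    it sent with a given TSval and the first segment from the peer whose
    TSecr echoes that TSval."""
    sent = {}            # TSval -> time `host` first sent it
    samples = []
    for seg in segments:
        if seg.src == host:
            sent.setdefault(seg.tsval, seg.t_ms)
        elif seg.dst == host and seg.tsecr in sent:
            samples.append(seg.t_ms - sent.pop(seg.tsecr))
    return samples


# Constructed capture taken next to the client: a handshake and one data
# segment. Timestamp values are constructed and advance roughly with the clock.
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"          # placeholder addresses
RAW_CAPTURE = [
    (0,  CLIENT, SERVER, build_timestamp_option(1000, 0)),     # SYN
    (40, SERVER, CLIENT, build_timestamp_option(5000, 1000)),  # SYN/ACK echoes 1000
    (41, CLIENT, SERVER, build_timestamp_option(1041, 5000)),  # ACK echoes 5000
    (42, CLIENT, SERVER, build_timestamp_option(1042, 5000)),  # data
    (85, SERVER, CLIENT, build_timestamp_option(5043, 1042)),  # ACK echoes 1042
]

if __name__ == "__main__":
    segs = decode_capture(RAW_CAPTURE)
    print("client RTT samples (ms):", rtt_samples(segs, CLIENT))
    print("server-side samples (ms):", rtt_samples(segs, SERVER))
```

Because the constructed capture sits next to the client, the client's samples (40 ms, 43 ms) are genuine round trips, while the "server" samples only measure how quickly the client answered the server's segment at the capture point, not the server's own view of the network. That capture-point caveat is worth keeping in mind whenever timestamps are read out of a single trace.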

For example, in the screenshot below, we can see both ends of the TCP connection using timestamps. Both values, the one used by the sender and receiver, have been added as columns in Wireshark to make them a little easier to see.

TCP Timestamps

The first packet has a timestamp value of 1125169296. Told you it was long and scary! But let's analyze...
