93 posts categorized "Deep Packet Inspection"

TCP Fundamentals: Analyzing TCP Resets (RST) (by Chris Greer)

Are TCP resets bad?


Wireshark can sure make them look that way. After all, bold red lines rarely highlight something positive. But like many things TCP, the good-or-bad factor of resets just depends on when they happen and how they are affecting end users.

There are two common ways that a TCP connection can be torn down. I like to call these the polite way (FIN) and the talk-to-the-hand way (Reset). Tearing down a TCP connection is a good thing as long as the connection is not actively in use, or won’t be needed in the very near future. We want each side of the conversation to free up its resources for other connections rather than maintaining idle ones in an active state.

In most cases, we want to see FINs tear down a connection rather than resets. However, there are some examples of normal behavior where a reset is sent rather than a FIN.

Here are a few questions to answer about resets when they appear in a trace file. 

Continue reading "TCP Fundamentals: Analyzing TCP Resets (RST) (by Chris Greer)" »


Analyzing TCP Segmentation Offload (TSO) with Wireshark (by Paul Offord)

Most modern PCs and servers have powerful network interface chipsets that provide TCP/IP functionality that cuts the load on the host machine. The most common of these functions is TCP Segmentation Offload (TSO). In this short article we use Wireshark to discover how TSO affects our interpretation of network traces.


A program running on a PC or server may make a single call to the TCP/IP stack to send, say, 5 KB of data. The TCP/IP stack, which is a software driver within the operating system, must repackage the 5 KB so that it can be sent in multiple packets. This operation is called segmentation and it consumes CPU cycles. Additionally, the TCP/IP stack must handle issues such as retransmissions.

A network interface chipset that provides TSO allows the host TCP/IP stack to hand it a single 5 KB segment. The network interface chipset then re-segments the data into, say, three packets with a TCP Length of 1,460 bytes and one of 798 bytes, making 5 KB in total. This can all appear very confusing in a network trace, especially as the packets received may not be aggregated in a similar manner.

In the following short video ...

Continue reading "Analyzing TCP Segmentation Offload (TSO) with Wireshark (by Paul Offord)" »


DNS Traffic is always worth watching very closely (by John Brosnan)

But it is not a good excuse to forget your anniversary!

While visiting a large ISP-type customer here in the Bay Area, we started to discuss the value he could get from network traffic analysis. The volumes of traffic on his network are at a scale where he even struggles with summary information like NetFlow; he has so much of it that it is almost impossible to get a handle on it and see anything useful – a real big data problem.


During our conversation, I mentioned that we have a number of dissectors (or application decoders, as we call them) for protocols like SMB, NFS, SQL, web, DNS – ‘STOP, what can you tell me about my DNS traffic, as my logs are limited’. To be honest, I would have thought LANGuardian provided too much detail for his organization, but I guess DNS is a bit different.

Anyhow, I led on to explain that LANGuardian can:

  • Monitor DNS traffic, decode DNS replies
  • Inventory the responding DNS servers
  • Alert on rogue DNS servers
  • Review what resolutions clients are receiving
  • Monitor client requests, validate DNS traffic (piggybacking)

To quote a good friend, Tim of #lovemytool: ‘John, show me, don’t tell me’.

Continue reading "DNS Traffic is always worth watching very closely (by John Brosnan)" »


What is Network Metadata? (by Morgan Doyle)

The human view in Network Visualization!

Network Metadata is human-readable data that describes your network traffic. It is generated and consumed by network traffic monitoring systems to analyse and report on network and user activity. This type of continuous monitoring is concerned with users, the apps they use and the data they access. It is generally not used for monitoring the health of the network fabric and attached devices.


The graphic below depicts some of the available technologies for continuous network traffic monitoring and how they relate to each other in terms of the information provided and the cost and complexity of implementation.


Network Metadata fills the gap between the “not-enough-detail” SNMP switch port counters and the “too-much-complexity, too-expensive” full packet capture systems.

Continue reading "What is Network Metadata? (by Morgan Doyle)" »


Monitoring network file stores by analysing network traffic! (by Darragh Delaney)

Network-based file stores have been around for quite some time now and they continue to be a popular way to share data within organizations. While cloud-based services such as Dropbox and Office 365 are popular, network-based file stores will be around for a long time.

There are many reasons why organizations choose to store their data locally on their network. For many, it comes down to the security risks of storing confidential data outside of their networks. For others, it is the convenience of locally stored data, which can be easily accessed and won’t go offline if Internet connectivity is lost.


However, network-based file stores have become the number one target for ransomware attacks. All it takes is one infected client to encrypt all data on network file shares. For this very reason alone, it is vital that you have some level of visibility as to what is happening on your network file stores. From my own experience, I know of three approaches:

  1. Agent/client-based software solutions
  2. Native logging on the file server
  3. Network traffic analysis

I am not going into any detail on the agent/client options as they are very vendor-specific and I don’t know of any that do not impact file server performance.

Continue reading "Monitoring network file stores by analysing network traffic! (by Darragh Delaney)" »