105 posts categorized "Forensics & Deep Packet Capture"

Harvesting Metadata From Network Traffic (by Darragh Delaney)

Every day I work on all sorts of modern and cutting-edge technologies and I love learning about new stuff. I think I can trace this back to growing up on a farm; there was always something to fix or take apart. In spite of the perception that some people have of the agricultural sector, today's farms rely on huge amounts of technology and data analytics. Here in Ireland the harvest season has come to an end and we are all getting ready for the cooler temperatures of autumn.

Harvest machinery has been serviced and parked up for another year, including one of my favorites, the combine harvester. I spend hours on YouTube learning about the latest models and what goes on behind the scenes. For centuries they have been a vital cog in the global food chain. The theory behind them is simple: gather raw material up front and pass it through different filters and separators, which allows us to extract the valuable grain which we can then use. The basics have remained the same over the years but the size of the machines has increased as we demand more efficiency and larger harvests.

But how, you may ask, is this combine machine connected to metadata and network traffic?


DNS Traffic is always worth watching very closely (by John Brosnan )

But it is not a good excuse to forget your anniversary!

While visiting a large ISP-type customer here in the Bay area, we started to discuss the value he could get from network traffic analysis. The volumes of traffic on his network are at a scale that he even struggles with summary information like Netflow; he has so much of it, it is almost impossible to get a handle on it and see anything useful – a real big data problem.

During our conversation, I mentioned that we have a number of dissectors (or application decoders, as we call them) for protocols like SMB, NFS, SQL, web, DNS – ‘STOP, what can you tell me about my DNS traffic, as my logs are limited’. To be honest, I would have thought LANGuardian provided too much detail for his organization, but I guess DNS is a bit different.

Anyhow, I led on to explain that LANGuardian can:

  • Monitor DNS traffic and decode DNS replies
  • Inventory responding DNS servers
  • Alert on rogue DNS servers
  • Review what resolutions clients are receiving
  • Monitor client requests and validate DNS traffic (piggybacking)

To quote a good friend, Tim of #lovemytool: ‘John, show me, don’t tell me’.


LMTV Visibility | Every Bit, Byte and Packet (with Chris Bihary of Garland)

Please join Chris Bihary, Garland Technology CEO/Co-Founder, and Jim Curtin, CEO/Co-Founder, and Jin Qian, CTO/Co-Founder, of CapStar Forensics to learn more about their joint solution that will be on display at this year's Sharkfest - the Wireshark Developer and User Conference.

With Garland Technology's recent product launch of its 1G Modular Packet Broker System the forensics community now has an affordable 1G packet broker that can filter, aggregate, regenerate and load balance to one or multiple monitoring tools.

In today's session we are going to discuss how this works with CapStar Forensics' platform to provide users faster MTTR and lower cost per investigation. CapStar Forensics' 'blazing fast' software tool features a fast load time and quick scans of PCAPs - allowing you to analyze complex networking and security scenarios.

To help us build our community, please share this live event with your fellow professionals on LinkedIn. For more episodes of LMTV, please visit LoveMyTool.TV.

Apple, Apple, Apple! Apple versus the United States FBI! (by The Oldcommguy®)

The silly battle of Apple versus the United States Courts and the FBI!

In my humble opinion this has turned out to be one of Apple’s greatest marketing events in years, maybe forever.

Apple is trying to tell its users that Apple will protect their privacy from the big bad FBI and other Governmental access!

The reality is that all this should never have gotten into the news world. Apple is a U.S. company and should have been a good citizen and quietly told the FBI to send the phone and they would quietly get the information for them. This is NOT just any person’s phone – first it is the phone of a dead individual and secondly it is the phone of a terrorist and third it is the phone of a murderer that could be filled with intelligence that may help stop the next deadly attack!

This big media event is nothing but a big market show from Apple and it is getting a lot of silly attention, what for? I wonder how many people will now decide to buy Apple products, I am sure the terrorists will, but is that a good market? Apple enjoys the freedom to make billions as a U.S. company but when it came time to be a good citizen they decided to be a bunch of hypocrites and actors in a fictitious marketing event!

Apple, do not be a bad worm with a Great Technology!


When is a Packet Capture Appliance Necessary? (by Chris Greer)

This is a question that comes up in many of my Wireshark and network analysis classes. Most people are aware that laptops and server hardware have their limitations when capturing traffic, but they don't know what that limit is. 

In this video, hosted by Fluke Networks/Netscout, we demonstrate how to benchmark capture hardware. We'll look at the break point where a laptop starts dropping traffic.

You will be surprised to see how low the bandwidth needs to be in order for the laptop to capture everything.

Author Profile - Chris Greer is a Network Analyst for Packet Pioneer and a Certified Wireshark Network Analyst. Chris regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. Chris also delivers training and develops technical content for several analysis vendors.

Markers and the TribeLab Trace Marker Tool (by Paul Offord)

Capturing a few million network packets is pretty easy. Then comes the challenge of finding the problem. Here we look at two techniques to inject markers into a trace at the moment a problem occurs.

Investigating an intermittent problem is quite challenging. We have seen in earlier blogs that it's possible to run long-term captures with a tool such as dumpcap, or using any one of the high capacity capture units that you may have in your estate. We can then use a tool like Wizz to pull out the traffic for a single user, but that may still leave us with several million packets.

What we need is a signpost; some sort of indication that shows where the problem occurred. One way to make life easier is to inject a marker into the trace just after the user has experienced the problem. The marker needs to be distinctive so that we can search for it, and in an enterprise environment we need to be able to do this using what we already have on the desktop.

A very simple way to generate a marker is to use a ping with a distinctive length ...
