Packet capture has proven itself as one of the core activities in network monitoring for all sorts of network issues: Poor Network performance, attacks (Internal or External), and network baseline.
A cyber security analyst, must be proficient in the network analysis to be an effective security analyst. If you don’t know what is present on your network, then how can you know what should not be there.
Unfortunately, trying to locate the signs of that breach within your network traffic, is like trying to find the needle in the proverbial haystack.
While a packet capture tool can detect all sorts of network traffic, it really is ineffective against encrypted traffic. So, if a protocol being used on the network is open such as telnet / ftp / http, we would be able to detect and read the packet – payload to identify the content. If the traffic in encrypted, then the payload will also be encrypted, hence it will be unreadable.
It is for this major concern that many organizations may not encrypt the traffic internally, and but encrypt the traffic as it leave the organization’s network at the perimeter. While this is a good approach, it is almost impossible to not have any encrypted traffic internally. Since all of the users of network will visit external websites, which operate with the TLS protocol or https to protect the information.
When dealing with this kind of situation, we as analysts are forced to monitor the source and destination hostnames/IP addresses to ensure that the endpoints in question in a network conversation is legitimate and expected.
During this week, we will be installing and getting familiar with the Wireshark tool. Wireshark is a GUI based packet capture tool. It is available on various operating systems. We will also discuss the strategy behind the use of wireshark in terms of capturing network traffic and the duration of the capture.