That’s where network traffic captures can be extremely valuable sources of data. Regardless of the type of incident, many incidents will involve a network component to some degree. Many incidents will involve a network component of some kind-a system gets infected by something downloaded from the Internet and then the infection spreads to other systems on the network, an intruder gains access to a system and controls it, or a bot gets onto a system and reaches out to a command-and-control server to await commands. While we’re discussing network traffic captures, I’ll mention here where these captures fit into the overall incident response picture. Wireshark provides the capability to do similar analysis with UDP and SSL packets. For example, you can reconstruct Web pages seen by a user, emails, botnet command-and-control communications, or unencrypted instant messaging exchanges. This can be very useful in isolating a single communication, as well as in reconstructing a conversation. Wireshark will follow the stream and completely reassemble the contents of the TCP communications. To do this, with a network capture loaded into Wireshark, click Analyze in the menu bar and choose Follow TCP Stream from the drop-down menu. One of the capabilities of Wireshark that I have found to be extremely useful is its ability to completely reassemble TCP streams. Figure 9.5 illustrates an excerpt of the GUI for Wireshark.įigure 9.5 Excerpt of Wireshark v1.0.3 GUI
Wireshark will not only allow you to capture network traffic (based on the network interface you choose) but also allow you to analyze network traffic captures. Both tools are freely available and extremely valuable to the responder’s toolkit.Īt the time of this writing, Wireshark Version 1.0.3 was available for the Windows platform.
Two popular network packet capture and analysis tools for Windows are Wireshark ( and NetworkMiner ( ). Regardless of whether you capture network traffic yourself, work with on-site IT staff to ensure that network traffic is captured, or receive network traffic captures as data from someone else, you may be faced with the opportunity to capture and analyze network traffic. Another incident response activity that you may encounter is capturing and analyzing network traffic captures.
0 kommentar(er)
