Lisa Bock reviews the importance of baselining the network, using Wireshark or Tshark, and use the baselines for forecasting, planning, optimization, tuning, and troubleshooting.
- [Narrator] Today's networks face numerous threats, such as malware, denial of service, port scanning, covert channels, and data exfiltration. Every year, hackers release millions of new virus signatures. Unknown signatures and polymorphic viruses can escape detection. Yahoo gets the top spot on the list of security breaches. As of 2016, hackers obtained over a billion accounts.
In 2017, Equifax revealed a data breach that compromised the personal information of 143 million Americans. The fact is, in nearly 7% of the cases, the breach goes undiscovered for more than a year. That is why network traffic analysis at the packet level is necessary, as it can identify many different threats and attacks that could remain unnoticed by antivirus and antimalware software.
It's essential to understand what your network looks like when it's healthy so you can determine if it's sick. That is what baselining is all about. A baseline is a snapshot of network traffic during a particular window of time using Wireshark or Tshark. Characteristics can include utilization, network protocols, and latency issues. The network team can use the baselines for forecasting and planning, along with optimization, tuning, and troubleshooting.
Although you may be tempted to do a large capture, Wireshark has size limitations on effectively analyzing a packet capture. I generally suggest you limit your capture to around 1,000 packets. That way you can have a consistent size when comparing. When you do your first baseline, the entire process might take a while. That is mainly because you'll need a procedure for gathering and a repository for storing the captures.
The baseline process goes through several stages: plan, capture, analyze, and save. First plan by making a network map and list all of the subnetworks that you want to baseline. You also should include VoIP VLANS. That's mainly because VoIP traffic is much more sensitive to latency, jitter, and packet loss than typical network applications.
And it's common that you will be troubleshooting your VoIP traffic more often to ensure quality of service. Then you'll capture the network traffic. Now the goal, when possible, is to tap into the network so that you're able to view all of the traffic. Take a moment and document how you did the capture, where, what time of day it was, and what equipment you used during capture. The key is to be as consistent as possible so you compare apples to apples.
Then you'll want to analyze the capture. Once it's captured, take a quick look and see if anything stands out as unusual or suspicious. Finally, log your captures. Have a location and format to document your findings. You can use either a spreadsheet or a database. You'll want a consistent and searchable format so you can reference them later. It's important to baseline your network using Wireshark or Tshark so you can use the baselines for forecasting and planning, along with optimization, tuning, and troubleshooting.
- Trends in cyberattacks
- Preventing system compromise
- Analyzing packets
- Using Wireshark
- Creating firewall rules
- Baselining a network
- Using capture filters
- Using a ring buffer
- Handling OSI layer attacks
- Identifying attack signatures
- Using VirusTotal
- Handling unwanted TOR activity