Section 23.225 Network and Flow Analysis Flashcards
Objective 4.4 Explain security alerting and monitoring concepts and tools
Full Packet Capture (FPC)
Captures entire packets, including headers and payloads
Takes up lots of storage space, so you need to be selective at times
Flow Analysis
Focuses on recording metadata and statistics about network traffic, saving storage space
■ Doesn’t include the actual content, just the metadata
■ Rapidly generates visualisations to map network connections, traffic types and session volumes
Flow Collector
Records metadata and statistics about network traffic
■ Collects information about the following…
● Type of traffic
● Protocol used
● Data volume
■ Allows for efficient data storage and reduces processing overhead
Metadata vs. Contents
Flow analysis provides metadata about data, not the actual content
■ Metadata includes details about traffic types and volumes
■ No information about the content of conversations or messages sent
Data Storage and Querying
Flow analysis information is stored in a database
■ Data can be queried and used to generate reports and graphs
■ Flow analysis identifies trends, patterns, and anomalies in network traffic
NetFlow
Cisco-developed protocol for reporting network flow information
■ Also known as IPFIX (IP Flow Information Export)
■ Defines traffic flows based on shared characteristics (e.g., source and destination IP)
Data collected by NetFlow
● Network protocol interface
● IP version and type
● Source and destination IP addresses
● Source and destination ports
● Type of service used
Use of NetFlow Data
● NetFlow data is analyzed visually using various tools
● Tools like SolarWinds display NetFlow data, highlighting flows
● Data can be used to identify traffic patterns and anomalies
Zeek
Hybrid tool for network monitoring
■ Monitors traffic like NetFlow but logs full packet captures based on interest
■ Filters or signatures trigger full packet capture to analyze specific data
■ Normalises data for easy import into other tools for visualization and analysis
MRTG (Multi Router Traffic Grapher)
Creates graphs displaying network traffic flows through routers and switches
■ Uses SNMP (Simple Network Management Protocol) to gather data
■ Helps identify traffic patterns and anomalies by visualizing data transfer volumes
Analysing Traffic Spikes
Traffic spikes can indicate anomalies
■ Investigate the cause of traffic spikes
■ Spike analysis may reveal issues like malware infection or unauthorised data transfer
Incident Investigation
Suspicious spikes may require setting up network sniffers
■ Analyze packet capture data and flow analysis to identify indicators of compromise
■ Investigate further to understand the nature of anomalies