Section D Network Intrusion Analysis Flashcards
Sniffing Tools
Sniffing tools or capture tools are often terminal based to minimise the processing overhead and gather
packets received on an interface, storing them in a dump file or packet capture for later analysis. Some
analyst tools incorporate sniffing tools, allowing them to ‘Live Capture’ data streams, decoding the data in
real time and presenting the results to an analyst.
Packet Analysis Tools
Packet analysis tools decode and present data from either a live capture or a pre-captured dump file to
an analyst. Different tools have different strengths and weaknesses. These tools can be GUI or terminal
based. Wireshark is an example of a robust and powerful packet analysis tool.
TCPDump
Linux and UNIX system tool (WinDump is the Windows version)
Powerful filtering relating to capture and analysis
Useful for highly targeted capture and analysis
Wireshark uses the same underlying packet capture library as tcpdump for its capture capability
SwitchProbe
Used with fibre networks to
monitor
map
report
can be configured to capture
A SwitchProbe is a dedicated device used to monitor and map fibre-optic network links. These devices
are typically used to alert administrators to down links and oversubscribed links; however, they can also
be configured to capture and store network traffic for future analysis.
Wireshark
Live network packet capture or historical pcap file
GUI based
Filtering
Automatic protocol analysis
tshark is the terminal interface of Wireshark
Filtering captured traffic - reasons
reduce impact on network
reduce the amount of data necessary to analyse
storage limitations of the capture device
typically performed at the analysis stage
Filtering captured traffic - methods
protocol
source
destination
Filtering considerations
The decision about what data to capture should be made during the scoping stage of the investigation. A
number of tools will drop packets if they cannot process them quickly enough, making it important to
attempt to filter the captured data early on.
Filtering should be guided by the investigation. Machines known to be compromised should be captured
before any currently unsuspected machines, and protocols known to be used for malicious traffic should
also be prioritised.
Analysis of the capture of a single desktop may reveal that the desktop PC is communicating with 3 other
desktops, which is frequently a very unusual occurrence. You would then review your capture posture to
include those machines as well.