
That’s how nearly everyone would describe their first experience with packet analysis. You fire up Wireshark and start a live capture, or open a capture file you’ve found on someone’s blog, and the number of packets quickly climbs from hundreds to thousands. This scenario scares most people away from packets completely, and it scared me for a bit too. Eventually, I developed techniques for dealing with large capture files, and that brought me the confidence to keep learning.

This article is the first in a multi-part series that will share specific techniques for approaching large capture files. You can find later parts of this series here:

Part 3: Distillation with Security Tools

In this first article, I’ll describe the mindset you should approach a large packet capture with. After that, I’ll describe the first technique: how to use Wireshark’s color coding feature to visually identify individual conversations.

“A question well stated is a problem half solved.” – Charles Kettering

Every analysis and investigation focused class I teach revolves around this thesis, rooted in the scientific method. In packet analysis, you should always have a clear question in mind before you go about collecting packets. While packets may not lie, they do tell thousands of truths. Since you’re probably only looking for one of them, that’s a lot of truth to wade through.

When you make the decision to look at the packets, stop and ask yourself “why?” What are you looking for? Could it be:

- Confirmation that an IDS signature is a true positive
- Something indicating where the source of network latency is
- The nature of data transferred between two hosts

If you can define what question you’re trying to answer, you should be able to figure out where to look and what analysis technique to use. Knowing these two things is the key to overcoming being overwhelmed.

For example, consider an alert that a host on your network (10.10.1.75) communicated over HTTP with a landing page associated with an exploit kit. What led 10.10.1.75 to the landing page? Where should I look? This sequence occurs over HTTP, so I’m interested in HTTP communication involving 10.10.1.75 around the time identified in the alert. What technique should I use? I would use Wireshark to color code individual conversations to help me walk through the sequence of events. These questions tell me what I need to know to go forward!

You’ll learn to ask better questions as your career advances and you are exposed to a wider variety of investigation scenarios. Welcome those opportunities and force yourself to become more metacognitively aware by identifying the questions you’re trying to answer before diving into the data. One of the biggest hindrances to analyzing packets occurs because so many things are happening simultaneously. That’s a perfect segue, because I’m going to describe color coding by conversation next.
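As an added example that is not code from the original post, the script below works the 10.10.1.75 scenario through in code: it reads a classic pcap (Ethernet II/IPv4/TCP only), keeps HTTP-port traffic involving the host inside the alert’s time window, and groups the packets into conversations in first-seen order, which is the grouping Wireshark’s per-conversation coloring makes visible. The capture it parses is constructed inline; the hosts, ports and timestamps are made up, and the helper names are mine.

```python
import struct

# classic pcap global header: little-endian magic, version 2.4, snaplen 65535, LINKTYPE_ETHERNET
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def build_frame(ts, src, dst, sport, dport, payload):
    """Constructed sample data only: one pcap record holding an Ethernet II/IPv4/TCP segment."""
    ip4 = lambda a: bytes(map(int, a.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip4(src), ip4(dst)) + tcp
    eth = b"\x00" * 12 + b"\x08\x00" + ipv4  # zero MACs, EtherType IPv4
    return struct.pack("<IIII", ts, 0, len(eth), len(eth)) + eth

def parse_pcap(data):
    """Yield (ts_sec, src, dst, sport, dport, tcp_payload) for each Ethernet II/IPv4/TCP frame."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        f = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue  # skip anything that is not IPv4 over Ethernet II carrying TCP
        ihl = (f[14] & 0x0F) * 4
        src, dst = ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34]))
        tcp = f[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield ts, src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]

def http_conversations(data, host, t_start, t_end, ports=(80, 8080)):
    """Group HTTP-port TCP traffic involving `host` inside [t_start, t_end] by conversation, first-seen order."""
    conv = {}
    for ts, src, dst, sport, dport, payload in parse_pcap(data):
        if not (t_start <= ts <= t_end) or host not in (src, dst) or not {sport, dport} & set(ports):
            continue
        key = tuple(sorted([(src, sport), (dst, dport)]))  # same key for both directions
        conv.setdefault(key, []).append((ts, src, payload.split(b"\r\n")[0]))
    return conv

# constructed sample capture: the alerting host fetches a blog page, then a landing page; another
# host's request and a packet well outside the alert window are present as noise to be filtered out
SAMPLE = PCAP_HDR + b"".join([
    build_frame(1000, "10.10.1.75", "203.0.113.10", 49152, 80, b"GET / HTTP/1.1\r\nHost: blog.example\r\n\r\n"),
    build_frame(1001, "203.0.113.10", "10.10.1.75", 80, 49152, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame(1002, "10.10.1.75", "198.51.100.7", 49153, 80, b"GET /landing HTTP/1.1\r\nHost: lp.example\r\n\r\n"),
    build_frame(1003, "10.10.1.20", "203.0.113.10", 50000, 80, b"GET /other HTTP/1.1\r\n\r\n"),
    build_frame(2000, "10.10.1.75", "203.0.113.10", 49160, 80, b"GET /late HTTP/1.1\r\n\r\n"),
])

if __name__ == "__main__":  # one line per conversation, numbered in first-seen order
    for n, (key, pkts) in enumerate(http_conversations(SAMPLE, "10.10.1.75", 990, 1010).items(), 1):
        print(n, key, [line for _, _, line in pkts])
```

Widening the time window to the whole capture pulls in the third, later conversation, which is exactly the kind of noise a well-stated question keeps out of view.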