
Network traffic analysis for IR: Network mapping for incident response

Introduction to network mapping

The concept of network mapping is not a new one. Creating network maps in the design phase of a network and updating them throughout its life cycle is a crucial component of network architecture and cybersecurity. Understanding the potential connection paths through the network is necessary for debugging issues in the network and implementing network segmentation (which is necessary for compliance with many certifications, regulations and standards).

While the entire network map is useful for understanding the overall structure of the network, network mapping can also be useful for incident response. Humans tend to process information much better as visualizations rather than lists of data. It is much easier to understand traffic flows throughout the network in a diagram rather than a list of connection flows.

Network maps are useful for more than describing the network architecture for planning, upgrades and security reviews. A partial network map describing the communications flow between certain machines of interest can be invaluable during an incident response investigation, and a high-level visual representation of an incident can be an extremely useful tool.

Simple network visualization with PcapViz

There are several different tools available for network visualization, but an easy-to-use, no-frills one is PcapViz, which is available on GitHub. The tool is implemented as a Python script that can be run from the command line and uses graphviz to produce simple visualizations of network flows. It can process data in the packet capture file format used by tools like Wireshark (.pcap or .cap).

PcapViz will generate mappings at layers 2 (Data Link), 3 (Network) and 4 (Transport) of the OSI model. The syntax is simple. A request to generate a Layer 3 mapping is:

python <path to PcapViz directory>/main.py --layer3 -i infile.pcap -o mapping.png
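To show what such a tool actually computes from a capture, here is an added example (not PcapViz's code, and not part of the original post) that parses a classic pcap file with nothing but the standard library, aggregates the IPv4 packets into Layer 3 (host-to-host) and Layer 4 (host-to-service) flows, and emits Graphviz DOT that `dot` can turn into a PNG, much as the command above does. The capture bytes are constructed inline so the script runs offline; the addresses, ports and function names are assumptions for illustration only.

```python
"""Minimal Layer 3 / Layer 4 flow mapping from a pcap, rendered as Graphviz DOT.

Added example for illustration; it mimics the idea behind PcapViz's --layer3
and --layer4 output but is not the tool's own code.
"""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4     # magic as read little-endian from a little-endian file
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _ipv4_frame(src, dst, proto, sport=None, dport=None):
    """Build one Ethernet + IPv4 (+ TCP/UDP) frame. Constructed sample data, not real traffic."""
    l4 = b""
    if proto == 6:   # TCP SYN: ports, seq, ack, data offset 5 words + SYN flag, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    elif proto == 17:  # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + l4


def build_sample_pcap():
    """Write a little-endian pcap (link type 1 = Ethernet) holding a few constructed flows."""
    frames = [
        _ipv4_frame("10.0.0.5", "10.0.0.10", 6, 51000, 445),   # workstation -> file server (SMB)
        _ipv4_frame("10.0.0.5", "10.0.0.10", 6, 51001, 445),
        _ipv4_frame("10.0.0.5", "10.0.0.11", 6, 51002, 445),   # same workstation -> second server
        _ipv4_frame("10.0.0.10", "192.0.2.7", 17, 40000, 53),  # server -> external DNS
        _ipv4_frame("10.0.0.10", "10.0.0.5", 1),               # ICMP back to the workstation
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame))  # ts_sec, ts_usec, incl, orig
        out += frame
    return out


def parse_pcap(data):
    """Return (src_ip, dst_ip, proto, sport, dport) for each IPv4-over-Ethernet record."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:   # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    offset, packets = 24, []
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue  # skip ARP, IPv6, VLAN-tagged or truncated frames
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport = dport = None
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
        packets.append((src, dst, proto, sport, dport))
    return packets


def layer3_edges(packets):
    """Packets per (src_ip, dst_ip) pair: the host-to-host view of the capture."""
    return Counter((src, dst) for src, dst, *_ in packets)


def layer4_edges(packets):
    """Packets per (src_ip, dst_ip, proto, dst_port): one edge per service a host talked to."""
    return Counter((src, dst, PROTO_NAMES.get(proto, str(proto)), dport)
                   for src, dst, proto, _, dport in packets)


def to_dot(edges, name="layer3"):
    """Render an edge Counter as a Graphviz digraph; heaviest edges are listed first."""
    lines = [f"digraph {name} {{", "  node [shape=box];"]
    for key, count in sorted(edges.items(), key=lambda kv: (-kv[1], str(kv[0]))):
        label = f"{count} pkts" if len(key) == 2 else f"{key[2]}/{key[3]} ({count} pkts)"
        lines.append(f'  "{key[0]}" -> "{key[1]}" [label="{label}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    print(to_dot(layer3_edges(pkts)))
    print(to_dot(layer4_edges(pkts), "layer4"))
    # Render with Graphviz, e.g.:  python flowmap.py | dot -Tpng -o mapping.png
```

During an investigation the Layer 4 view is usually the more telling one: the Layer 3 graph only says that 10.0.0.5 reached two servers, while the Layer 4 edges show that it did so on SMB (tcp/445) and that one of those servers then resolved a name against an external resolver, which is exactly the kind of chain a responder wants to see at a glance rather than reconstruct from a flow list.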

The network maps (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/cP4GO5D3SOs/