Traffic analysis for incident response (IR): How to use Wireshark for traffic analysis

Introduction

Traffic analysis is the process of monitoring network protocols and the data that streams through them within a network. In this article, we’ll discuss how you can use Wireshark for network traffic analysis. We’ll also discuss how you can use various filtering methods to capture specific data packets and how different graphs visualize the traffic streams.

Please note that we will jump straight into using Wireshark and assume you are already able to install and run the tool.

Importance of network traffic analysis

There are many things that can go wrong within a network. To understand what we are dealing with and to troubleshoot the problem, we use packet analyzers such as Wireshark to perform network analysis. Using Wireshark, we’re able to:

  1. Analyze problems within the network by assessing the packets as traffic runs through the network
  2. Detect malicious traffic from malware, or network intrusions by unauthorized or malicious individuals/parties
  3. Determine which machines and resources to isolate from the network, based on the traffic coming from them
  4. Determine network statistics by filtering network packets based on your requirements
  5. Determine which systems within the network are heavy on bandwidth consumption
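As an added example that is not part of the original article, the following script reproduces the kind of per-endpoint statistic behind items 4 and 5 (Wireshark's Statistics > Endpoints view) outside the GUI. It assumes the input is the tab-separated output of `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e frame.len`; the sample lines embedded below are constructed, not taken from a real capture.

```python
"""Tally bytes sent and received per IP address from tshark field output
and rank the heaviest talkers, as Wireshark's Endpoints statistic does."""
from collections import defaultdict

# Constructed sample of what
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e frame.len
# prints: source IP, destination IP, frame length in bytes, tab-separated.
# The line with empty IP fields stands in for an ARP frame.
SAMPLE_TSHARK_OUTPUT = """\
10.0.0.5\t10.0.0.1\t74
10.0.0.1\t10.0.0.5\t1514
10.0.0.5\t10.0.0.1\t66
10.0.0.7\t203.0.113.10\t1514
10.0.0.7\t203.0.113.10\t1514
203.0.113.10\t10.0.0.7\t66
\t\t60
10.0.0.7\t10.0.0.1\t90
"""


def parse_tshark_fields(text):
    """Yield (src, dst, length) tuples; skip malformed and non-IP lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[0] or not parts[1]:
            continue  # frames without an IP header leave ip.src/ip.dst empty
        try:
            yield parts[0], parts[1], int(parts[2])
        except ValueError:
            continue  # frame.len was not a number; ignore the line


def endpoint_bytes(records):
    """Return {ip: {"tx": bytes_sent, "rx": bytes_received}}."""
    totals = defaultdict(lambda: {"tx": 0, "rx": 0})
    for src, dst, length in records:
        totals[src]["tx"] += length
        totals[dst]["rx"] += length
    return dict(totals)


def top_talkers(totals, n=3):
    """Endpoints ranked by total bytes (tx + rx), heaviest first."""
    ranked = sorted(totals.items(),
                    key=lambda kv: kv[1]["tx"] + kv[1]["rx"], reverse=True)
    return [(ip, t["tx"] + t["rx"]) for ip, t in ranked[:n]]


if __name__ == "__main__":
    stats = endpoint_bytes(parse_tshark_fields(SAMPLE_TSHARK_OUTPUT))
    for ip, total in top_talkers(stats):
        print(f"{ip:16} {total:>8} bytes")
```

Pipe real tshark output into `parse_tshark_fields` to rank hosts on a live capture; a host at the top of the list that has no business moving that much data is a candidate for item 3 above.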

How to use Wireshark for packet analysis and filtering

Wireshark allows us to capture raw data, which is then presented in a human-readable format, making it possible to understand the flow of traffic within the network.

Before we can begin capturing packets for analysis, we need to take into account the types of devices on the network and the traffic they emit, and decide which traffic we are interested in collecting before we begin packet sniffing. To do that, we need to answer the following questions:

  1. Does your network card support promiscuous mode?

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/MY5JFjGDqgE/