
Security Tools for the Budget Conscious ISP, Part III: Analysis and Forensics

In the conclusion of this series, we look at tools that will help you analyze network traffic so that you can understand any unusual network behaviors.
As described in Part 1 and Part
2 of this article, a comprehensive ISP security toolbox includes a wide
variety of network and system security programs, ranging from vulnerability
assessment and audit to traffic analysis and forensics. In Part 3, we cover
these last two categories, listing several commercial products and freely-available
tools, and using examples to illustrate what these tools have to offer.
Traffic Capture and Analysis Tools
Most ISPs are familiar with utilities that capture and decode LAN traffic for
network troubleshooting and performance analysis. But these same utilities
can also meet security needs like ad hoc traffic analysis during attacks and
supplying input to network intrusion detection and network forensics systems.
Many OS and third-party tools can capture LAN traffic, filtering packets and
recording them in common capture file formats. Protocol analyzers parse live
or previously-captured packets to decode them for visual inspection: for
example, breaking a captured FTP GET packet into Ethernet, IP, TCP, and FTP
protocol field names, lengths, and values, displayed in hex or ASCII format.
Many analyzers use captured traffic to generate summary statistics graphs
and reports, multi-layer network maps, and problem, performance, or security
alerts. For example, analyzers may watch for badly-formed/too-long/too-short
packets, known-malicious packet sequences (e.g., TearDrop attack), or spikes
in traffic (e.g., TCP SYN floods). Some products can accept captured traffic
simultaneously from several sources (e.g., multiple NICs, remote network probes
or "packet grabbers"), and some can relay captured packets to upstream systems.
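As an added illustration of the layered decoding and SYN-flood alerting described above (example code written for this page, not code from the original article or from any of the tools it lists), the following Python script builds a small constructed libpcap capture, decodes each frame's Ethernet, IPv4 and TCP fields the way an analyzer would, and flags any source that sends more bare SYNs than a chosen threshold. The IP addresses, ports and threshold are constructed sample values.

```python
import struct
from collections import Counter

def build_pcap(frames):
    """Wrap raw frames in a libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs

def tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Constructed sample Ethernet+IPv4+TCP frame (no payload, checksums zeroed)."""
    eth = b"\x00" * 12 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 1024, 0, 0)
    return eth + ip + tcp

def decode(data):
    """Yield one dict per TCP packet with the decoded Ethernet, IP and TCP fields."""
    off = 24                                   # skip the pcap global header
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4; a full analyzer would decode ARP etc.
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 20:
            continue                           # not TCP, or truncated (the "too-short" case)
        tcp = frame[14 + ihl:14 + ihl + 20]
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = tcp[13]
        yield {"src": ".".join(map(str, frame[26:30])),
               "dst": ".".join(map(str, frame[30:34])),
               "sport": sport, "dport": dport, "flags": flags,
               "bare_syn": bool(flags & 0x02) and not (flags & 0x10)}

def syn_flood_sources(pcap_bytes, threshold):
    """Return {src_ip: count} for sources sending more than `threshold` bare SYNs."""
    counts = Counter(p["src"] for p in decode(pcap_bytes) if p["bare_syn"])
    return {ip: n for ip, n in counts.items() if n > threshold}

# Constructed capture: 50 half-open SYNs from one host plus one normal SYN/SYN-ACK pair.
SAMPLE = build_pcap(
    [tcp_frame("10.0.0.5", "192.0.2.10", 40000 + i, 80, 0x02) for i in range(50)]
    + [tcp_frame("10.0.0.7", "192.0.2.10", 50000, 80, 0x02),
       tcp_frame("192.0.2.10", "10.0.0.7", 80, 50000, 0x12)])
```

The same `decode` function reads a real capture written by tcpdump or Ethereal in the classic pcap format, so the threshold check can be run over saved files from the tools listed below.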
If you're looking for software that can help you analyze your own network's
traffic, here's a far-from-exhaustive list of commercial capture utilities and
protocol analyzers:
Commercial analyzers tend to offer more extensive graphical reporting, protocol
decoding, expert analysis, and system integration. But if your budget is tight,
here are some no-cost traffic capture and analysis tools:
- Elixar AirTraf is an open source wireless LAN traffic capture and analysis tool for Linux systems equipped with a Cisco Aironet, Linksys WPC11, ORiNOCO or other supported 802.11 adapter.
- Ethereal is a very popular freely available LAN analyzer that runs on most OS platforms, including *NIX and Windows. Ethereal can read capture files or use libpcap or WinPcap to grab live traffic from wired or wireless LANs. Captured packets can be browsed, filtered, expanded, or displayed as TCP session streams.
- Kismet is an open source wireless LAN packet capture and intrusion detection tool that runs on Linux and Linux-ARM systems, sniffing traffic from various sources, including local Prism2 adapters and remote Network Chemistry sensors.
- Network Chemistry Packetyzer is a freely available Windows user interface extension to Ethereal. Packetyzer presents Ethereal information in a friendly GUI, accumulates network statistics, and identifies nearby wireless networks.
- Ngrep is an open source network capture filter command line utility that compiles on Win32 and most *NIX platforms. This utility can quickly extract interesting packets from larger capture files, in much the same way that grep is used to find interesting lines in a text file.
- Ntop is a portable open source utility, based on libpcap, that uses an embedded Web server to display network statistics through any Web browser. Ntop can run on Win32 and *NIX platforms.
- Tcpdump is a widely used open source *NIX command line utility that listens to a network interface, watches for packet headers that match a filter expression, and saves matching packets to a file or displays them.
- Tethereal is the text-mode command line version of Ethereal (above).
- WinDump is a Windows 95/98/NT/2000/XP port of tcpdump. This packet capture command line utility is available in source and executable formats.