Security Tools for the Budget Conscious ISP, Part III: Analysis and Forensics

In the conclusion of this series, we look at tools that will help you analyze network traffic so that you can understand any unusual network behaviors.

by Lisa Phifer
VP Core Competence, Inc.
[February 6, 2004]

As described in Part 1 and Part 2 of this article, a comprehensive ISP security toolbox includes a wide variety of network and system security programs, ranging from vulnerability assessment and audit to traffic analysis and forensics. In Part 3, we cover these last two categories, listing several commercial products and freely-available tools, and using examples to illustrate what these tools have to offer.

Traffic Capture and Analysis Tools
Most ISPs are familiar with utilities that capture and decode LAN traffic for network troubleshooting and performance analysis. The same utilities can also meet security needs, such as ad hoc traffic analysis during an attack and supplying input to network intrusion detection and network forensics systems.

Many OS and third-party tools can capture LAN traffic, filtering packets and recording them in common capture file formats. Protocol analyzers parse live or previously-captured packets to decode them for visual inspection—for example, breaking a captured FTP GET packet into Ethernet, IP, TCP, and FTP protocol field names, lengths, and values, displayed in hex or ASCII format.

Many analyzers use captured traffic to generate summary statistics, graphs and reports, multi-layer network maps, and problem, performance, or security alerts. For example, analyzers may watch for badly-formed, too-long, or too-short packets, known-malicious packet sequences (e.g., the TearDrop attack), or spikes in traffic (e.g., TCP SYN floods). Some products can accept captured traffic simultaneously from several sources (e.g., multiple NICs, remote network probes or "packet grabbers"), and some can relay captured packets to upstream systems.

If you're looking for software that can help you analyze your own network's traffic, here's a far-from-exhaustive list of commercial capture utilities and protocol analyzers:

Commercial analyzers tend to offer more extensive graphical reporting, protocol decoding, expert analysis, and system integration. But if your budget is tight, here are some no-cost traffic capture and analysis tools:

  • Elixar AirTraf is an open source wireless LAN traffic capture and analysis tool for Linux systems that have been equipped with Cisco Aironet, Linksys WPC11, ORiNOCO or another supported 802.11 adapter.

  • Ethereal is a very popular freely-available LAN analyzer that runs on most OS platforms, including *NIX and Windows. Ethereal can read capture files or use libpcap or WinPcap to grab live traffic from wired or wireless LANs. Captured packets can be browsed, filtered, expanded, or displayed as TCP session streams.

  • Kismet is an open source wireless LAN packet capture and intrusion detection tool that runs on Linux and Linux-ARM systems, sniffing traffic from various sources, including local Prism2 adapters and remote Network Chemistry sensors.

  • Network Chemistry Packetyzer is a freely-available Windows user interface extension to Ethereal. Packetyzer presents Ethereal information in a friendly GUI, accumulates network statistics, and identifies nearby wireless networks.

  • Ngrep is an open source network capture filter command line utility that compiles on Win32 and most *NIX platforms. This utility can quickly extract interesting packets from larger capture files, in much the same way that grep is used to find interesting lines in a text file.

  • Ntop is a portable open source utility, based on libpcap, that uses an embedded Web server to display network statistics through any Web browser. Ntop can run on Win32 and *NIX platforms.

  • Tcpdump is a widely-used open source *NIX command line utility that listens to a network interface, watches for packet headers that match a filter expression, and saves matching packets to a file or displays them.

  • Tethereal is the text-mode command line version of Ethereal (above).

  • WinDump is a Windows 95/98/NT/2000/XP port of tcpdump. This packet capture command line utility is available in source and executable formats.
