LAN Traffic and Performance Monitoring and Analysis

After you start using a LAN to share resources, how do you know if you are upholding your security policy? You’ll learn how to use preventive controls later in this chapter, but you should also use detective controls to validate how your users are using your LAN. Traffic and performance monitoring utilities allow you to watch the traffic flowing across your network. You can watch the traffic in real time or collect it in log files for later analysis.

Two types of tools are commonly used to monitor LANs: packet sniffers and network software log files. A packet sniffer is software that copies specified packets from a network interface to an output device—generally a file. A sniffer may copy all packets or may select certain packets based on a specific filter, such as source, destination, or protocol. Because sniffers copy the actual packets from the network, you get to see all of the addressing and routing information as well as the contents of each message. If the message is encrypted, you won’t be able to read the contents, but you will see the encrypted data.

The other common option is to change settings in network software to create audit logging entries for certain packets. You can change configuration settings to log all traffic or just certain conditions. To avoid slowing down your network, log only the information you must record.

After you have a collection of packets, you can use packet analysis software to make sifting through the sniffer output or log files easier. Most analysis software allows you to sort and query data according to your own requirements. You can analyze packets originating from a specific computer or destined for a specific port, or you can run queries based on any of the packet’s attributes. Using monitoring and analysis tools helps verify appropriate LAN use and identify inappropriate LAN use.
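The following sketch is an added example, not part of the original text. It shows how analysis software can read a sniffer's capture file and query it by source, destination, protocol, or port. The function names, addresses, and ports are constructed for illustration, and it assumes a classic little-endian pcap file holding Ethernet/IPv4 frames.

```python
import socket
import struct

PROTO = {6: "tcp", 17: "udp"}

def build_frame(src, dst, proto, sport, dport):
    """Constructed sample frame: Ethernet + IPv4 + port fields only."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames, start=1):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Return one record per IPv4 packet: the addressing a sniffer exposes."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    records, off = [], 24
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # skip truncated or non-IPv4 frames (ARP, for example)
        proto, l4 = frame[23], frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport = struct.unpack_from("!HH", l4) if proto in PROTO and len(l4) >= 4 else (None, None)
        records.append({"ts": ts, "src": socket.inet_ntoa(frame[26:30]),
                        "dst": socket.inet_ntoa(frame[30:34]),
                        "proto": PROTO.get(proto, str(proto)), "sport": sport, "dport": dport})
    return records

def query(records, **criteria):
    """Select records whose fields equal every given criterion (src, dst, proto, dport...)."""
    return [r for r in records if all(r[k] == v for k, v in criteria.items())]

# Constructed capture: addresses and ports are made up for illustration.
SAMPLE = build_pcap([
    build_frame("192.168.1.10", "192.168.1.1", 17, 53000, 53),
    build_frame("192.168.1.10", "192.168.1.20", 6, 51000, 445),
    build_frame("192.168.1.30", "192.168.1.20", 6, 51001, 23),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,  # ARP frame, ignored by the parser
])

if __name__ == "__main__":
    print(query(parse_pcap(SAMPLE), dst="192.168.1.20", proto="tcp"))
```

A query such as `query(records, dport=23)` lists every packet sent to the Telnet port, which is the kind of check that verifies whether LAN use matches policy.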
