Chapter 3. Capturing & Analyzing Data Packets

 

"Unless you capture the moment, it's gone!"

 
 --Samir Datt

In this chapter, you will learn to get your hands dirty by actually capturing and analyzing network traffic. We will start by understanding the network configuration that is required to capture data packets, including the concept of port mirroring, and then go on to using different software tools to capture and analyze network traffic with real-world scenarios of accessing data over the Internet and the resultant network capture.

The chapter will cover the following topics:

  • Tapping into network traffic
  • Packet sniffing and analysis using Wireshark
  • Packet sniffing and analysis using NetworkMiner
  • Case study – sniffing out an insider

Tapping into network traffic

As a network 007, our objective of gathering evidence can only be met if we dive into the data packets that flow across the network. To do this, we need to enhance our understanding of networks and the technology behind hubs and switches on the network.

In early networks, computers connected to each other via co-axial cables (a bus topology); this was followed by a switchover to the star topology and the use of Ethernet hubs. The following diagram shows a basic co-axial network:

[Figure: a basic co-axial (bus) network]

The bus topology gave way to the star topology, as depicted in the following diagram:

[Figure: the star topology, with nodes connected to a central Ethernet hub]

With a hub, all the network traffic is broadcast to each and every node on the network, and it is expected that the correct node will collect the traffic meant for it. In this situation, if any network interface card (NIC) is in promiscuous mode, it is able to capture traffic meant for other nodes on the network. Software network sniffing tools, such as Wireshark, will automatically put the network card in promiscuous mode to capture the data packets that travel on the network.

Passive and active sniffing on networks

Today, enterprises deploy numerous switching devices on the network that divide the traffic into multiple segments. A number of these enterprise switches come with one or more additional ports called Switched Port Analyzer (SPAN) ports, also known as mirror ports. A SPAN port works in active mode: it is the job of the network device itself to physically copy the network packets to the mirror port.

The SPAN port is designed to copy traffic in both directions (RX and TX), which can then be analyzed by an analysis device attached to it. To understand the limitation this introduces, recall that networks operating at 100 Mbit/s or better are full duplex. This means that the actual maximum data flowing through a 100 Mbit/s connection is 200 Mbit/s (2 x 100 Mbit/s): 100 Mbit/s in each direction. The network device has to cope with this traffic and copy all of it to a single mirror port for packet capture to succeed. Consequently, a mirror port rated at 100 Mbit/s can only keep up with a full duplex link if that link is running at 50% capacity: if the data transmitted and the data received at the same time together equal 100 Mbit/s, the mirror port can handle it. Anything greater than this will result in packet loss.

In addition, this active copying consumes CPU resources on the switch. This may overload the network switch and cause it to underperform in its main functions.

The alternative to the SPAN or mirror port is the network tap. A test access point (TAP) performs packet sniffing in passive mode: network packets are copied onto the TAP's monitor ports. Usually, there are separate TAP ports for traffic in each direction, that is, one port for TX and another for RX. This ensures that the complete network traffic is captured.

The following diagram depicts a TAP deployed between a network switch and the Internet to capture both incoming and outgoing packets:

[Figure: a TAP deployed between the network switch and the Internet, with separate RX and TX monitor ports]

Both of these have different inherent advantages and disadvantages, as enumerated in the following table:

Feature                        | TAP       | SPAN
-------------------------------+-----------+--------------------------------------------------------------------------
Price                          | Expensive | Economical
Additional hardware            | Required  | Not required
Operational mode               | Passive   | Active, with additional burden on the device CPU
Separate channels for RX & TX  | Yes       | No
Packet loss                    | None      | Yes, when traffic exceeds port capacity (network saturation greater than 50%)
Captures intra-switch traffic  | No        | Yes
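The 50% rule from the table and the preceding discussion can be turned into a quick capacity check before choosing between a SPAN port and a TAP. The following is an added example and not code from the book; it assumes one-second traffic samples, a mirror port rated at the same line rate as the monitored link, and no switch buffering, so anything above line rate in an interval is counted as lost.

```python
"""Capacity check: SPAN (mirror) port versus TAP on a full-duplex link.

A SPAN port must carry RX + TX of the monitored link on a single output,
so it drops packets once the sum exceeds the mirror port's own line rate.
A TAP copies RX and TX onto separate ports, so it never oversubscribes.
"""
from dataclasses import dataclass


@dataclass
class Sample:
    rx_mbit: float  # Mbit received on the monitored link in a one-second interval
    tx_mbit: float  # Mbit transmitted on the monitored link in the same interval


def span_loss(samples, mirror_port_mbit):
    """Return (total Mbit dropped, number of intervals with loss) for a SPAN port.

    Assumption for this example: no buffering, so any excess over the mirror
    port's line rate within an interval cannot be copied and is lost.
    """
    dropped = 0.0
    lossy_intervals = 0
    for s in samples:
        mirrored = s.rx_mbit + s.tx_mbit  # both directions share one output port
        excess = mirrored - mirror_port_mbit
        if excess > 0:
            dropped += excess
            lossy_intervals += 1
    return dropped, lossy_intervals


def tap_loss(samples, tap_port_mbit):
    """Return total Mbit dropped by a TAP whose RX and TX ports run at tap_port_mbit."""
    dropped = 0.0
    for s in samples:
        dropped += max(0.0, s.rx_mbit - tap_port_mbit)
        dropped += max(0.0, s.tx_mbit - tap_port_mbit)
    return dropped


# Constructed one-second samples from a 100 Mbit/s full-duplex link.
LINK_SAMPLES = [
    Sample(rx_mbit=40.0, tx_mbit=40.0),    # 80 Mbit mirrored: fits on a 100 Mbit/s SPAN
    Sample(rx_mbit=50.0, tx_mbit=50.0),    # exactly 100 Mbit: the 50% boundary, still fits
    Sample(rx_mbit=90.0, tx_mbit=30.0),    # 120 Mbit mirrored: 20 Mbit lost on SPAN
    Sample(rx_mbit=100.0, tx_mbit=100.0),  # saturated both ways: 100 Mbit lost on SPAN
]

if __name__ == "__main__":
    dropped, lossy = span_loss(LINK_SAMPLES, mirror_port_mbit=100.0)
    print(f"SPAN: {dropped:.0f} Mbit dropped in {lossy} of {len(LINK_SAMPLES)} intervals")
    print(f"TAP:  {tap_loss(LINK_SAMPLES, tap_port_mbit=100.0):.0f} Mbit dropped")
```

Running it reports 120 Mbit lost on the SPAN port across two of the four intervals and nothing lost on the TAP, which is the evidentiary gap the table's "Packet loss" row warns about.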
