Presentation is loading. Please wait.

Presentation is loading. Please wait.

Determining Topology from a Capture File

Published byToby McKenzie Modified over 6 years ago

Similar presentations

Presentation on theme: "Determining Topology from a Capture File"— Presentation transcript:

1 Determining Topology from a Capture File
Wednesday 15th June 2016 Chris Bidwell Network Engineer

2 L1-4 Reminder 4 Transport Proxies Load balancers Firewalls TCP UDP 3
Network Router L3 Switch IP ICMP IGMP 2 Data-Link Switch (Ethernet) MAC address VLAN tags LACP 1 Physical

3 L2 Analysis Ethernet, MAC to MAC
Broadcast domains split on bridges and L3 boundaries We can see all broadcasts from our neighbours in the network, e.g. ARP, DHCP … and determine their type/vendor based on MAC OUI Spanning-tree Link-Layer Discovery Protocols CoS markings for prioritised treatment in VLANs

4 L3 Analysis IP to IP TTL controls how far packets can go
Monotonic decrement across L3 routers OS-specific defaults can be identified with a little guesswork ICMP can inform of routing, access-control and link properties Redirects to optimise forwarding from hosts Unreachables: filtering, lack of route etc. DSCP for QoS treatment

5 L4 Analysis TCP, UDP etc. 5-tuple: sIP+dIP+proto+sprt+dprt
Port numbers frequently indicate application Some identify OS or device function Ephemeral range can further ID the OS Load balancers Proxies

6 Capture Scenarios Content Source Size Visibility
Single flow or fragment: One to one Application-generated Firewall IPS/IDS event KB-MB L3, L4+ Multiple 5-tuples: One to many Client Server Tap/SPAN MB L2+ Many to many MB-GB

7 We Can Only See What’s There
Capture technique & location: App, Tap, SPAN Capture hardware/resource limitation: NIC buffering, disk IO performance Filtering: ACL, BPF, anonymisation Segmentation: private VLAN, WLAN isolation Connectivity: link or device failures

8 … And Sometimes Folks Lie And Hide
Not everything you see can be trusted… Deliberate misinformation from sysadmins Sanitisation efforts usually strip or replace identifying information Can reduce the effectiveness of analysis ... Or highlight where some more work is required

9 So What Can We See? “It depends”. With enough capture time and no filtering, you may see: Some elements of physical interconnects Manufacturer and OS information for visible nodes VLAN assignment, QoS implementation clues Local IP addressing scheme Gateway quantity and functionality Possible tunnelling, filtering, proxying or load-balancing DNS, application or device discovery info

10 *.pcap

11 The Topology… sort of.

12 The Topology

13 FIN

Download ppt "Determining Topology from a Capture File"

Similar presentations

Introduction into VXLAN Russian IPv6 day June 6 th, 2012 Frank Laforsch Systems Engineer, EMEA

Introduction into VXLAN Russian IPv6 day June 6 th, 2012 Frank Laforsch Systems Engineer, EMEA
Computer Networks21-1 Chapter 21. Network Layer: Address Mapping, Error Reporting, and Multicasting 21.1 Address Mapping 21.2 ICMP 21.3 IGMP 21.4 ICMPv6.

Computer Networks21-1 Chapter 21. Network Layer: Address Mapping, Error Reporting, and Multicasting 21.1 Address Mapping 21.2 ICMP 21.3 IGMP 21.4 ICMPv6.
OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.

OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
Cisco 3 - Switch Perrine. J Page 15/8/2015 Chapter 8 What happens to the member ports of a VLAN when the VLAN is deleted? 1.They become inactive. 2.They.

Cisco 3 - Switch Perrine. J Page 15/8/2015 Chapter 8 What happens to the member ports of a VLAN when the VLAN is deleted? 1.They become inactive. 2.They.
Ethernet and switches selected topics 1. Agenda Scaling ethernet infrastructure VLANs 2.

Ethernet and switches selected topics 1. Agenda Scaling ethernet infrastructure VLANs 2.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &

1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
1 K. Salah Module 4.0: Network Components Repeater Hub NIC Bridges Switches Routers VLANs.

1 K. Salah Module 4.0: Network Components Repeater Hub NIC Bridges Switches Routers VLANs.
Course 301 – Secured Network Deployment and IPSec VPN

Course 301 – Secured Network Deployment and IPSec VPN
Networking Components

Networking Components
CECS 474 Computer Network Interoperability Tracy Bradley Maples, Ph.D. Computer Engineering & Computer Science Cal ifornia State University, Long Beach.

CECS 474 Computer Network Interoperability Tracy Bradley Maples, Ph.D. Computer Engineering & Computer Science Cal ifornia State University, Long Beach.
Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.

Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Introduction to IT and Communications Technology Justin Champion C208 – 3292 Ethernet Switching CE00378-1.

Introduction to IT and Communications Technology Justin Champion C208 – 3292 Ethernet Switching CE
Network Layer – Subnetting and Control Protocols Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing,

Network Layer – Subnetting and Control Protocols Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing,
Connectivity Capability Features TOSCA. Aspects of Connectivity GenericIP Connectivity Resolvability: ARP: IP/MAC DNS: Name/IP MDNS: Netconf Routing/bridging/tunneling:

Connectivity Capability Features TOSCA. Aspects of Connectivity GenericIP Connectivity Resolvability: ARP: IP/MAC DNS: Name/IP MDNS: Netconf Routing/bridging/tunneling:
Networks LANS,. FastPoll True Questions Answer A for True and B for False A wireless infrastructure network uses a centralized broadcasting device, such.

Networks LANS,. FastPoll True Questions Answer A for True and B for False A wireless infrastructure network uses a centralized broadcasting device, such.
Virtual LAN Design Switches also have enabled the creation of Virtual LANs (VLANs). VLANs provide greater opportunities to manage the flow of traffic on.

Virtual LAN Design Switches also have enabled the creation of Virtual LANs (VLANs). VLANs provide greater opportunities to manage the flow of traffic on.

Similar presentations

Ads by Google