Computer Networks, PCAP, & Firewall Logs


1 Computer Networks, PCAP, & Firewall Logs
"I just the other day got, an internet was sent by my staff at 10 o'clock in the morning on Friday and I just got it yesterday. Why? Because it got tangled up with all these things going on the internet commercially... They want to deliver vast amounts of information over the internet. And again, the internet is not something you just dump something on. It's not a truck. It's a series of tubes. And if you don't understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and it's going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material." — Senator Ted Stevens (R-Alaska) explaining how the Internet works (2006).

2 In This Lecture
- Homework 2 Review
- Network Forensics
- The OSI Model
- TCP/IP
- Packet Capture Analysis
- Wireshark
- Windows Firewall Logs

3 Networking Forensics
- These days it seems everything is networked.
- Correlation with network activity gives the examiner a more complete picture of events.
- Many events of interest occur over the network: initial intrusion, development of the attack, collection of information, exfiltration of data, etc.

4 Network Data Collection
Data forms and the amount of information they retain:
- Full Packet Capture: 100%
- Packet String Data: 4%
- Sessions: 0.1%
- Statistics: ???
- Logs: ???

5 Network Data Collection
Full packet capture
- Gives us the most complete dataset.
- More data is good for forensics.
- But it costs time and resources to store large amounts of data.
Packet string data
- The data strings themselves are only a small part of the full traffic.
- Requires less space for storage.
- Easier and cheaper to store for long periods.

6 The OSI Model
- Open Systems Interconnection Model
- Conceptual framework that describes the functions of a networking or telecommunication system.
- Uses 7 layers (like Dante's Inferno) to provide a visual description of the system's functioning.

7 OSI Model
Physical
- Electro-magnetic and optical transmission of data.
- The hardware layer. Ex: Ethernet
Data Link
- Node-to-node data transfer between directly connected nodes.
- Encodes and decodes electrical signals into bits.
- Media Access Control (MAC)

8 OSI Model
Network
- Routing of network traffic across nodes.
- Creates logical paths between nodes.
- IP and IPv6 operate at this layer.

9 OSI Model
Transport
- Coordination of data transfer between end systems and hosts.
- Logical connection between two machines.
- Transparent data transfer between end systems.
- TCP/UDP
- TCP/UDP port numbers operate on this level.

10 OSI Model
Session
- Establishment, management, and termination of connections between applications.
Presentation
- Makes the application layer independent of differences in data representation.
- Preparation or translation of application format to network format or vice versa.
- Encryption and decryption of data.
- Ex: ASCII, JPEG, MPEG

11 OSI Model
Application
- Supports applications, apps, and end-user processes.
- Closest to the end user.
- Ex: Telnet, FTP, HTTP
Mnemonic: "Please Do Not Throw Sausage Pizza Away"

12 Internet Protocol
- Primary communication protocol for relaying datagrams across network boundaries; it essentially establishes the Internet.
- Delivers packets from the source host to the destination host using an IP address.
- IPv4 is the dominant protocol of the internet. Succeeded by IPv6.

13 IPv4
- Uses a 32-bit address space.
- Addresses are typically represented as four octets expressed in decimal numbers and delineated with periods. Ex: ,
- Routers forward packets from network to network and perform network address translation.

14 IPv4
Network address translation
- Most commonly hides an entire private address space behind a single IP address in another, usually public, address space.
- Performs a one-to-one mapping of IP address and TCP/UDP port number in one address space to IP address and port number in the other address space.

15 Full Packet Capture
- The ideal situation from an analyst's perspective is having a full dump of the network traffic.
- Collection requires setup before the incident.
- The most common format for capturing network traffic is the PCAP format.
- Most popular network forensics tools are built on the libpcap library, including tcpdump and Wireshark.

16 tcpdump
- Tool used to collect and analyze network packets.
- Ideal for analysis of individual packets.
- tcpdump -nnr dump.pcap - read a previously recorded pcap file (-nn: don't resolve host names or port names).
- tcpdump -nnvvvr dump.pcap - more verbose output.
- Allows use of filters; supports BPF (Berkeley Packet Filter) syntax for defining filters.
- tcpdump -nnr dump.pcap 'tcp dst port 80' - shows only TCP packets sent to port 80.
- The -w flag writes the filtered packets to a file. Options come before the filter expression: tcpdump -nnr dump.pcap -w 80_tcp_dump.pcap 'tcp dst port 80'
- A long or multi-part filter expression can be kept in a file and loaded with -F: tcpdump -nnr dump.pcap -F filter.bpf

17 tshark
- Console version of Wireshark with similar functionality to tcpdump.
Flags:
- -r - read a pcap file.
- -V - output additional (full packet tree) information.
- -x - display packets in hex and ASCII formats.
- -f - capture filter (BPF syntax, applied when capturing live).
- -Y - display filter (Wireshark display-filter syntax). The older -R read filter does the same job but now requires two-pass mode (-2).
- -z - generate statistics:
  - http,tree - displays statistics from HTTP requests and responses.
  - smb,srt - displays statistics relating to SMB commands.
- tshark -r dump.pcap -Y 'udp.dstport == 53' - read the pcap file and show DNS traffic.
- tshark -r dump.pcap -z http,tree - view statistics on HTTP traffic.

18 Wireshark
- Powerful GUI tool for analyzing network traffic.
- GUI divided into three main parts:
  - Upper part: list of packets. By default includes packet number, timestamp, source, destination, and protocol.
  - Middle section: detailed information about the selected packet.
  - Bottom: the individual bytes of the packet in hex or ASCII format.

19 Wireshark
Many useful ways to filter information from a network capture.
- Statistics → Conversations lets you look for interesting traffic patterns.
- Edit → Find Packet → String → Search in packet bytes lets you search for specific strings like "flag".
- Analyze → Follow → TCP Stream lets you view the contents of a specific TCP connection.
- You may then need to carve files or otherwise decode/extract the relevant information.

20 Wireshark
Many useful ways to filter information from a network capture.
Timestamps
- Often we only care about network traffic in a very specific time window.
- By default Wireshark displays time in seconds from the start of the recording.
- Change to date and time format with View → Time Display Format → Date and Time of Day.
Reference:

21 Firewall
- A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
- Traffic moving through a firewall is part of a connection.
- A connection has two basic components:
  - Pair of IP addresses: identify each computer involved.
  - Pair of port numbers: identify the services or applications used.

22 Firewall Example
When connecting to there will be a log entry in my firewall log that indicates (among other things):
- My IP address ( )
- Google's IP address ( at time of writing)
- Source port
- Destination port (likely 443 because of HTTPS)

23 Windows Firewall Logs File Structure
Header
- Static, descriptive information about the version of the log, the time format, and the fields available.
Body
- Dynamic list: new entries appear at the bottom; old entries are removed once the file reaches its maximum size.
- Holds data on all traffic that tries to cross the firewall.
- Each entry has fields depending on configuration.

24 Windows Firewall Logs Traffic Fields
- date — The date field identifies the date in the format YYYY-MM-DD.
- time — The local time is displayed in the log file using the format HH:MM:SS. The hours are referenced in 24-hour format.
- action — As the firewall processes traffic, certain actions are recorded. The logged actions are DROP for dropping a connection, OPEN for opening a connection, CLOSE for closing a connection, OPEN-INBOUND for an inbound session opened to the local computer, and INFO-EVENTS-LOST for events that were processed by the Windows Firewall but were not recorded in the security log.

25 Windows Firewall Logs Traffic Fields
- protocol — The protocol used, such as TCP, UDP, or ICMP.
- src-ip — Displays the source IP address (the IP address of the computer attempting to establish communication).
- dst-ip — Displays the destination IP address of a connection attempt.

26 Windows Firewall Logs Traffic Fields
- src-port — The port number on the sending computer from which the connection was attempted.
- dst-port — The port to which the sending computer was trying to make a connection.
- size — Displays the packet size in bytes.
- tcpflags — Information about TCP control flags in TCP headers.
- tcpsyn — Displays the TCP sequence number in the packet.
- tcpack — Displays the TCP acknowledgement number in the packet.

27 Windows Firewall Logs Traffic Fields
- tcpwin — Displays the TCP window size, in bytes, in the packet.
- icmptype — Information about the ICMP messages.
- icmpcode — Information about the ICMP messages.
- info — Displays an entry that depends on the type of action that occurred.
- path — Displays the direction of the communication. The options available are SEND, RECEIVE, FORWARD, and UNKNOWN.

28 Windows Firewall Logs Common items to search for
Rejected IP addresses
- Can indicate a probe and offers insight into what is being probed for.
Unsuccessful logins
- Can indicate someone trying to gain access to critical systems.
Outbound activity from internal systems
- Traffic not matching normal patterns and activity can indicate system compromise.
- Usually the victim machine calls back to the attackers.

29 Windows Firewall Logs Common items to search for
Source routed packets
- Source routing is when the packet sender partially or completely specifies the path a packet should take through a network.
- Attackers use them to gain access to machines with private addresses.
Any activity that doesn't match normal activity patterns.
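As an added example (not part of the original lecture), here is a small parser for the Windows Firewall log layout described in slides 23 to 27 (header with a "#Fields:" line, then body entries) plus two of the searches from slides 28 and 29: inbound DROPs from one source across several ports, and outbound connections from the internal host to non-RFC1918 addresses. The log text, addresses and ports are constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Constructed sample of a Windows Firewall log: header lines, a blank line, then
# body entries in the column order that the "#Fields:" line declares.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-15 10:00:01 DROP TCP 203.0.113.5 192.168.1.10 51234 445 52 S 1122334455 0 8192 - - - RECEIVE
2024-01-15 10:00:02 DROP TCP 203.0.113.5 192.168.1.10 51235 3389 52 S 1122334456 0 8192 - - - RECEIVE
2024-01-15 10:00:03 DROP TCP 203.0.113.5 192.168.1.10 51236 22 52 S 1122334457 0 8192 - - - RECEIVE
2024-01-15 10:00:05 OPEN TCP 192.168.1.10 198.51.100.7 49152 443 - - - - - - - - SEND
2024-01-15 10:00:09 DROP UDP 192.0.2.44 192.168.1.10 40000 161 78 - - - - - - - RECEIVE
2024-01-15 10:01:00 OPEN TCP 192.168.1.10 192.168.1.20 49153 445 - - - - - - - - SEND
"""
# RFC 1918 ranges count as "internal"; anything else is treated as the Internet.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_firewall_log(text):
    """Return (field_names, records); column names come from the '#Fields:' header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue                      # blank separator between header and body
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue                      # other header lines are descriptive only
        if fields is None:
            raise ValueError("body entry appeared before the #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line}")
        records.append(dict(zip(fields, parts)))   # "-" is kept as the empty marker
    return fields, records

def probing_sources(records, min_ports=2):
    """Inbound DROPs grouped by src-ip; one source hitting several dst-ports looks like a probe."""
    ports = {}
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE":
            ports.setdefault(r["src-ip"], set()).add(r["dst-port"])
    return {ip: sorted(p, key=int) for ip, p in ports.items() if len(p) >= min_ports}

def outbound_to_internet(records):
    """Connections this host opened (path SEND) to non-RFC1918 destinations, e.g. a call-back."""
    return [(r["dst-ip"], r["dst-port"]) for r in records
            if r["action"] == "OPEN" and r["path"] == "SEND"
            and not any(ip_address(r["dst-ip"]) in net for net in INTERNAL_NETS)]
```

Because the column names are read from the header, the same parser handles a log whose field configuration differs from the sample, as long as the body matches its own "#Fields:" line.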

30 Questions?
