Security Operations
Cyber security operations: Packet analysis
Learning objectives
Perform technical analysis of security information
Be familiar with the more advanced features of Wireshark
Be able to use Wireshark to perform traffic analysis
Packet analysis
Managing cyber threats
Proactive (security)
Reactive (forensics)
Active (periodically check the network)
Sniffing traffic
Troubleshooting network problems
Gather network statistics
Perform content monitoring
Intrusion detection and forensics
Gain a better understanding of protocols
Wireshark:
Capture, display, and filter data live from a network interface
Users: network administrators, developers, and security analysts
https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures
Demo
Customize views
Packet-filtering
Coloring rules
Statistics
Demo 1: Customize views
demo_wireshark.pcapng
- http traffic to various websites
Add/remove/hide/edit columns
Name resolution
Some key preference settings: Allow subdissector to reassemble TCP streams
Packet properties
Export specific packets
Demo 2: Packet-filtering
Protocol filters: e.g. arp, ip, ipv6, tcp
Application filters: e.g. bootp, dns, tftp, http, icmp
Field filters: e.g. http.host
Characteristic filters: e.g. tcp.analysis.flags, tcp.analysis.zero_window
Demo
Display filter expression
Prepare/apply as filter
Manage display filter
Follow stream
Display vs capture filter
https://wiki.wireshark.org/CaptureFilters
https://wiki.wireshark.org/DisplayFilters
Demo 3: coloring
Enable / disable coloring
Edit coloring rules
Build a coloring rule to highlight delays
Coloring rules as a column
Colorize a conversation
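The filter kinds from Demo 2 and the ordered coloring rules from Demo 3 can be recomputed outside Wireshark. The following is an added example, not code from the slides or from the Wireshark project: a minimal pcap reader (standard library only) that decodes Ethernet/ARP/IPv4/TCP/UDP far enough to evaluate a protocol filter (`arp`, `tcp`), an application filter (`dns`, `http`), a field filter (`http.host == "example.com"`), a characteristic filter (`tcp.analysis.zero_window`, derived from the window size rather than read from a header) and a delay rule built on `frame.time_delta`. The capture is constructed inline (fake MAC/IP addresses, checksums left at zero) so that it runs offline; the port-based HTTP and DNS detection is a simplification of Wireshark's heuristics.

```python
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "ts layers fields")  # layers e.g. ["eth", "ip", "tcp", "http"]

# --- constructed capture (not a real trace); IP/TCP/UDP checksums are left at zero ---
def _ipv4(src, dst, proto, payload):
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def _tcp(sport, dport, flags, window, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, window, 0, 0) + payload

def _udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _record(ts, ethertype, l3):  # one pcap record: header + Ethernet frame (made-up MACs)
    frame = bytes(range(6)) + bytes(range(6, 12)) + struct.pack("!H", ethertype) + l3
    return struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame)) + frame

def build_capture():
    client, server, resolver = "10.0.0.5", "93.184.216.34", "10.0.0.1"
    get = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, linktype Ethernet
    blob += _record(0.00, 0x0806, bytes(28))                                                   # 1: ARP
    blob += _record(0.10, 0x0800, _ipv4(client, server, 6, _tcp(40000, 80, 0x02, 64240)))      # 2: SYN
    blob += _record(0.25, 0x0800, _ipv4(client, server, 6, _tcp(40000, 80, 0x18, 64240, get))) # 3: HTTP GET
    blob += _record(0.30, 0x0800, _ipv4(server, client, 6, _tcp(80, 40000, 0x10, 0)))          # 4: zero window
    blob += _record(2.40, 0x0800, _ipv4(client, resolver, 17, _udp(5353, 53)))                 # 5: DNS after a pause
    return blob

# --- decoding ---
def _decode(ts, data):
    layers, f = ["eth"], {}
    (etype,) = struct.unpack("!H", data[12:14])
    if etype == 0x0806:
        layers.append("arp")
    elif etype == 0x0800:
        layers.append("ip")
        ihl, proto = (data[14] & 0x0F) * 4, data[23]
        f["ip.src"] = ".".join(map(str, data[26:30]))
        f["ip.dst"] = ".".join(map(str, data[30:34]))
        l4 = data[14 + ihl:]
        if proto in (6, 17):                       # TCP and UDP share the port layout
            name = "tcp" if proto == 6 else "udp"
            layers.append(name)
            f[name + ".srcport"], f[name + ".dstport"] = struct.unpack("!HH", l4[:4])
        if proto == 6:
            f["tcp.flags"] = l4[13]
            (f["tcp.window_size"],) = struct.unpack("!H", l4[14:16])
            payload = l4[(l4[12] >> 4) * 4:]
            if 80 in (f["tcp.srcport"], f["tcp.dstport"]) and payload:  # port-based HTTP heuristic
                layers.append("http")
                for line in payload.split(b"\r\n")[1:]:
                    if line.lower().startswith(b"host:"):
                        f["http.host"] = line.split(b":", 1)[1].strip().decode()
        elif proto == 17 and 53 in (f["udp.srcport"], f["udp.dstport"]):
            layers.append("dns")
    return Packet(ts, layers, f)

def read_pcap(blob):
    assert struct.unpack("<I", blob[:4])[0] == 0xA1B2C3D4  # little-endian, microsecond pcap only
    off, prev, pkts = 24, None, []
    while off < len(blob):
        sec, usec, incl, _orig = struct.unpack("<IIII", blob[off:off + 16])
        ts = sec + usec / 1e6
        pkt = _decode(ts, blob[off + 16:off + 16 + incl])
        pkt.fields["frame.time_delta"] = 0.0 if prev is None else ts - prev  # as Wireshark defines it
        pkts.append(pkt)
        prev, off = ts, off + 16 + incl
    return pkts

# --- display filters and coloring rules ---
def matches(pkt, expr):
    """Evaluate one display-filter expression against one packet."""
    expr = expr.strip()
    if expr == "tcp.analysis.zero_window":          # characteristic filter: derived, not a header field
        return ("tcp" in pkt.layers and pkt.fields["tcp.window_size"] == 0
                and not (pkt.fields["tcp.flags"] & 0x04))  # RST segments excluded, as in Wireshark
    for op in (" == ", " > "):                      # field filter with a comparison
        if op in expr:
            name, value = expr.split(op, 1)
            actual = pkt.fields.get(name.strip())
            if actual is None:
                return False
            value = value.strip().strip('"')
            return str(actual) == value if op == " == " else float(actual) > float(value)
    if "." in expr:                                 # bare field filter: matches when the field exists
        return expr in pkt.fields
    return expr in pkt.layers                       # protocol / application filter

def apply_filter(pkts, expr):
    """Packet numbers (1-based, like Wireshark's No. column) that match the filter."""
    return [n for n, p in enumerate(pkts, 1) if matches(p, expr)]

def colorize(pkts, rules):
    """Ordered (filter, colour) rules; the first match wins, as in Wireshark's coloring rules."""
    return [next((c for expr, c in rules if matches(p, expr)), None) for p in pkts]
```

Run with `pkts = read_pcap(build_capture())`; `apply_filter(pkts, "tcp.analysis.zero_window")` returns `[4]` and `colorize(pkts, [("frame.time_delta > 1", "red"), ("tcp", "green")])` colours the late DNS packet red, which is the same first-match-wins behaviour you rely on when you order a delay rule above the default protocol colours.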
Give it a try yourself
Download ftp_crack101.pcapng from Canvas
Create a coloring rule to highlight FTP user names and passwords in this color
Demo 4: Statistics
Capture file properties
Protocol hierarchy: to analyse unusual or suspicious protocols on the network
Conversations: traffic between two IP endpoints
Endpoints: traffic to and from a single IP address
IO graphs
Expert information
Give it a try yourself
Download statistics.pcapng from Canvas
Answer the following questions:
What are the highest packets-per-second and bits-per-second values?
How many TCP conversations are there?
How many times has “Previous segment not captured” been detected?
How many retransmissions and fast retransmissions are there?
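The Statistics views from Demo 4 and the questions in this exercise are counts that can be reproduced by hand. The block below is an added example, not code from the slides or from the Wireshark project: it recomputes Protocol Hierarchy, Conversations, Endpoints, the I/O graph peaks and two Expert Information notes over constructed packet summaries (a list of made-up frames standing in for a decoded capture, with the addresses and sequence numbers invented). The expert-info part tracks the next expected sequence number per direction; Wireshark's real analysis additionally separates fast and spurious retransmissions from plain ones and flags out-of-order segments, so this is a simplified version of that logic.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

class Summary(NamedTuple):
    ts: float            # capture timestamp in seconds
    length: int          # frame length in bytes (Wireshark's frame.len)
    layers: tuple        # protocol stack, e.g. ("eth", "ip", "tcp", "http")
    src: str = ""        # IP endpoints; empty for non-IP frames
    dst: str = ""
    sport: int = 0
    dport: int = 0
    seq: int = 0         # TCP sequence number
    paylen: int = 0      # TCP payload bytes carried by the segment

C, S, R, S2 = "10.0.0.5", "93.184.216.34", "10.0.0.1", "10.0.0.9"   # made-up addresses
TCP, HTTP = ("eth", "ip", "tcp"), ("eth", "ip", "tcp", "http")
DNS = ("eth", "ip", "udp", "dns")

# Constructed summaries: a DNS lookup, one HTTP session in which a server segment is lost
# and data is later resent, and the start of a second TCP conversation.
SAMPLE = [
    Summary(0.00, 42, ("eth", "arp")),
    Summary(0.05, 74, DNS, C, R, 5353, 53),
    Summary(0.06, 90, DNS, R, C, 53, 5353),
    Summary(0.10, 74, TCP, C, S, 40000, 80, 1000, 0),        # SYN
    Summary(0.15, 74, TCP, S, C, 80, 40000, 5000, 0),        # SYN/ACK
    Summary(0.16, 66, TCP, C, S, 40000, 80, 1001, 0),        # ACK
    Summary(0.20, 166, HTTP, C, S, 40000, 80, 1001, 100),    # GET
    Summary(0.50, 1514, HTTP, S, C, 80, 40000, 5001, 1448),  # response, first segment
    Summary(0.55, 1514, TCP, S, C, 80, 40000, 7897, 1448),   # seq jumps: previous segment not captured
    Summary(1.20, 1514, TCP, S, C, 80, 40000, 6449, 1448),   # the missing data arrives late: retransmission
    Summary(1.25, 166, HTTP, C, S, 40000, 80, 1001, 100),    # client resends the GET: retransmission
    Summary(2.30, 74, TCP, C, S2, 40001, 443, 1, 0),         # second TCP conversation
]

def protocol_hierarchy(pkts):
    """Statistics > Protocol Hierarchy: every packet is counted at each level of its stack."""
    counts = Counter()
    for p in pkts:
        for depth in range(1, len(p.layers) + 1):
            counts["/".join(p.layers[:depth])] += 1
    return counts

def conversations(pkts, proto="tcp"):
    """Statistics > Conversations: both directions of a flow folded into one row."""
    rows = defaultdict(lambda: {"frames": 0, "bytes": 0})
    for p in pkts:
        if proto in p.layers:
            key = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))  # direction-independent key
            rows[key]["frames"] += 1
            rows[key]["bytes"] += p.length
    return dict(rows)

def endpoints(pkts):
    """Statistics > Endpoints (IPv4): frames sent or received per address."""
    counts = Counter()
    for p in pkts:
        if "ip" in p.layers:
            counts[p.src] += 1
            counts[p.dst] += 1
    return counts

def io_peaks(pkts, interval=1.0):
    """Statistics > I/O Graphs: the busiest interval, as packets/s and bits/s."""
    packets, bits = Counter(), Counter()
    for p in pkts:
        bucket = int(p.ts // interval)
        packets[bucket] += 1
        bits[bucket] += p.length * 8
    return max(packets.values()) / interval, max(bits.values()) / interval

def expert_info(pkts):
    """Two Expert Information notes from per-direction sequence tracking (simplified)."""
    notes = Counter()
    expected = {}   # (src, sport, dst, dport) -> next sequence number we expect to see
    for p in pkts:
        if "tcp" not in p.layers or p.paylen == 0:
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        nxt = expected.get(key)
        if nxt is not None and p.seq > nxt:
            notes["Previous segment not captured"] += 1   # a gap before this segment
        elif nxt is not None and p.seq < nxt:
            notes["Retransmission"] += 1                  # data we have already seen
            continue                                      # does not move the expectation back
        expected[key] = p.seq + p.paylen
    return notes

if __name__ == "__main__":
    print(protocol_hierarchy(SAMPLE))
    print(conversations(SAMPLE, "tcp"))
    print(endpoints(SAMPLE))
    print(io_peaks(SAMPLE))
    print(expert_info(SAMPLE))
```

On the constructed sample, `conversations(SAMPLE, "tcp")` has two rows, `io_peaks(SAMPLE)` reports 9 packets/s and 28912 bits/s for the busiest second, and `expert_info(SAMPLE)` counts one "Previous segment not captured" and two retransmissions; working these by hand first is a good check before trusting the equivalent dialogs on statistics.pcapng.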
Tutorial export
Download tutorial_ftp.pcapng from Canvas
Observe the FTP conversations
Export the image you found
Exercise
“week 3b inclass exercise - use wireshark to analyse packet captures.docx”
30 minutes
Homework
Use Wireshark to observe: Ethernet frames, the TCP 3-way handshake, DNS, HTTP/HTTPS
Extract an Executable from a PCAP