Advanced Network Analysis Techniques
Laura A. Chappell, Sr. Protocol Analyst, Protocol Analysis Institute, LLC

Table of Contents

Welcome to podbooks.com ... iii
About the Author ... iv
About This Pod ... vi
Who Should Read This Book ... vii
Chapter Information ... vii
List of Figures ... xiv

CHAPTER 1  Statistics, Trends, Patterns and Timestamping ... 1
  Statistics ... 2
    Packets Per Second ... 3
    Utilization (Percentage) ... 5
    Errors-per-second ... 8
    Broadcasts ... 9
    Multicasts ... 12
    Packet Size Distribution - Size Does Matter! ... 12
    Hosts ... 14
    Protocols ... 17
  Alarms and Alerts ... 19
    Watch the Default Alarm Settings ... 20
    Setting Your Own Alarm Thresholds ... 20
    False Positives ... 21
    False Negatives ... 21
    Using Alarms as Triggers ... 22
    Notification Options ... 23
  Trends ... 25
    Short-Term Trends ... 25
    Long-Term Trends ... 27
    Exporting Graphics Into a Report ... 28
  Patterns ... 29
    Request - Reply, Request - Reply (Commands) ... 29
    Request - Reply, Request - Reply (Slow File Transfer) ... 30
    Request, Request, Request (Service Lookup) ... 31
    Request - Reply - Reply - Reply (Windowed File Transfer) ... 32
    Reply - Reply - Reply (Information Distribution) ... 33
    Request - Request - Reply (Weird Problem) ... 34
  Timestamping ... 36
    Relative Timestamps ... 37
    Delta (Interpacket) Timestamps ... 37
    Absolute Timestamps ... 38
  Chapter Quiz ... 40
Advanced Network Analysis Techniques - Chappell xi
CHAPTER 2  Capture and Display Filtering ... 42
  Filtering Overview ... 43
    Capture Filters ... 44
    Display Filters ... 44
  Address Filters ... 46
    Sample Address Filtering Process ... 46
    Complex Address Filter Techniques ... 48
    Subnet Address Filters ... 49
  Protocol Filters ... 50
    TCP/IP Protocol Filters ... 50
    IPX Protocol Filters and Definitions ... 51
    Miscellaneous Protocol Filters and Definitions ... 51
  Data Pattern Filters (Advanced Filters) ... 54
    The 5-Step Data Pattern Filtering Process ... 59
      Step 1: Determine what you are interested in ... 59
      Step 2: Find out the field value ... 59
      Step 3: Find the offset value ... 60
      Step 4: Find similar packet structures/copy a field of interest ... 60
      Step 5: Input the value you want to filter on ... 60
    Filtering on a Single Bit Value ... 63
    Complex Boolean Data Pattern Filter Techniques ... 65
      AND (Catching Port Unreachables) ... 66
      OR (Catching Non-Standard FTP Operations) ... 68
      OR (Catching Subnet Traffic - Bidirectionally) ... 70
      AND NOT (Catching All Fragmented Packets) ... 72
  Chapter Quiz ... 77

CHAPTER 3  Application Analysis ... 81
  Why Analyze an Application ... 82
    Big Money Applications ... 83
    Applications From Hell ... 83
    Management From Hell ... 83
  When to Perform a Complete Application Analysis ... 85
  Application Analysis Procedures ... 86
    Step 1: Outline the application functions you want to analyze ... 86
    Step 2: Prepare the Application Analysis Form ... 87
    Step 3: Launch your analyzer with a filter on the test station ... 88
      1. Build a test station filter ... 88
      2. Set up the appropriate buffer size ... 89
      3. Test your filter ... 90
    Step 4: Record starting packet count ... 90
    Step 5: Launch the application ... 90
    Step 6: Record packet count (when it stops incrementing) ... 91
    Step 7: Execute command #1 ... 92
    Step 8: Record packet count (when it stops incrementing) ... 92
    Step 9: Execute command #2 and other commands in the test ... 92
    Step 10: View the trace file to obtain timestamps and characteristics ... 93
  Sample Application Analysis: FTP File Transfer ... 94
  Sample Application Analysis: HTTP Web Browsing Test ... 102
  Chapter Three Quiz ... 109

CHAPTER 4  Manual Decoding ... 112
  When the Decodes End ... 114
  Understanding Raw Packet Formats ... 117
    Decoding the MAC Header ... 118
    Decoding the IP and UDP Headers ... 119
    Decoding the Application Information ... 120
  Decoding at the Itty-Bitty Level ... 122
    Bit-Level Decode of the DNS Flags Field ... 122
  Chapter 4 Quiz ... 127

CHAPTER 5  The Master Analyst's Toolkit ... 131
  Hex Editor ... 132
    Sanitizing Trace Files ... 133
    Searching for Text Strings ... 135
    Converting Hex to Decimal to Binary ... 137
  Packet Sanitizer ... 138
  General Route Tracing Tool ... 140
  All Purpose TCP/IP Utilities ... 142
  Screen Capture Utility ... 143
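The Chapter 2 outline above names a 5-step data pattern filtering process (pick the field, find its value, find its offset, confirm the packet structure, enter the value), filtering on a single bit, and the AND / OR / AND NOT combinations used to catch port unreachables, bidirectional subnet traffic and fragmented packets. The following is an added worked example of that technique in Python; it is not code from the book or from any analyzer. It assumes Ethernet II framing followed by an IPv4 header with no options (so the ICMP or TCP header starts at byte 34), and the sample frames are constructed inline, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Callable, Optional

Filter = Callable[[bytes], bool]


@dataclass(frozen=True)
class Pattern:
    """One data-pattern filter: the bytes expected at a fixed offset from the
    start of the frame (steps 2, 3 and 5 of the 5-step process).  A mask lets
    the filter test individual bits; with no mask the bytes must match exactly."""
    offset: int
    value: bytes
    mask: Optional[bytes] = None

    def __call__(self, pkt: bytes) -> bool:
        chunk = pkt[self.offset:self.offset + len(self.value)]
        if len(chunk) < len(self.value):        # frame too short for the field
            return False
        if self.mask is None:
            return chunk == self.value
        return all((c & m) == (v & m)
                   for c, v, m in zip(chunk, self.value, self.mask))


def AND(*fs: Filter) -> Filter:
    return lambda pkt: all(f(pkt) for f in fs)


def OR(*fs: Filter) -> Filter:
    return lambda pkt: any(f(pkt) for f in fs)


def NOT(f: Filter) -> Filter:
    return lambda pkt: not f(pkt)


# Assumed layout: Ethernet II, then an IPv4 header without options
# (step 4: confirm every packet you expect to catch really has this layout).
#   12 EtherType   14 version/IHL   20 flags+fragment offset   23 protocol
#   26 source IP   30 destination IP   34 first byte of the ICMP/TCP/UDP header
IS_IPV4 = Pattern(12, b'\x08\x00')                  # EtherType 0x0800
IHL_IS_5 = Pattern(14, b'\x05', mask=b'\x0f')       # 20-byte IP header, so L4 is at 34

# AND: ICMP (protocol 1) with type 3 / code 3 = destination/port unreachable
PORT_UNREACHABLE = AND(IS_IPV4, IHL_IS_5, Pattern(23, b'\x01'), Pattern(34, b'\x03\x03'))

# AND NOT: IPv4 where the MF bit or the 13-bit fragment offset is non-zero.
# NOT_FRAGMENTED matches only when all 14 masked bits are zero.
NOT_FRAGMENTED = Pattern(20, b'\x00\x00', mask=b'\x3f\xff')
FRAGMENTED = AND(IS_IPV4, NOT(NOT_FRAGMENTED))

# Single bit: the Don't Fragment flag (0x4000 in the flags/offset field)
DF_SET = AND(IS_IPV4, Pattern(20, b'\x40\x00', mask=b'\x40\x00'))

# OR: either address inside 10.1.0.0/16, i.e. the subnet's traffic in both directions
IN_10_1_SRC = Pattern(26, b'\x0a\x01\x00\x00', mask=b'\xff\xff\x00\x00')
IN_10_1_DST = Pattern(30, b'\x0a\x01\x00\x00', mask=b'\xff\xff\x00\x00')
SUBNET_10_1_BIDIR = AND(IS_IPV4, OR(IN_10_1_SRC, IN_10_1_DST))


def ipv4_frame(proto: int, src: str, dst: str, payload: bytes, flags_frag: int = 0) -> bytes:
    """Constructed Ethernet II + IPv4 frame.  MACs and checksums are left zero:
    enough for offset/value matching, not a frame you could transmit."""
    eth = bytes(12) + b'\x08\x00'
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0x1234,
                     flags_frag, 64, proto, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    return eth + ip + payload


# Constructed sample frames (not captured traffic)
ICMP_PORT_UNREACH = struct.pack('!BBHI', 3, 3, 0, 0)          # type 3, code 3
ICMP_ECHO_REQUEST = struct.pack('!BBHHH', 8, 0, 0, 1, 1)      # type 8, code 0
TCP_SYN_TO_21 = struct.pack('!HHIIBBHHH', 40000, 21, 0, 0, 0x50, 0x02, 8192, 0, 0)

PACKETS = {
    'icmp_port_unreach': ipv4_frame(1, '10.2.0.1', '10.1.2.3', ICMP_PORT_UNREACH, flags_frag=0x4000),
    'icmp_echo':         ipv4_frame(1, '10.1.2.3', '10.2.0.1', ICMP_ECHO_REQUEST),
    'tcp_first_frag':    ipv4_frame(6, '192.168.5.9', '10.1.2.3', TCP_SYN_TO_21, flags_frag=0x2000),
    'tcp_last_frag':     ipv4_frame(6, '192.168.5.9', '10.1.2.3', bytes(8), flags_frag=0x00b9),
    'tcp_df':            ipv4_frame(6, '172.16.1.1', '172.16.2.2', TCP_SYN_TO_21, flags_frag=0x4000),
    'arp_request':       bytes(12) + b'\x08\x06' + bytes(28),   # not IPv4 at all
}


def apply_filter(flt: Filter, packets: dict = PACKETS) -> list:
    """Names of the frames the filter would let into the capture buffer."""
    return [name for name, pkt in packets.items() if flt(pkt)]


if __name__ == '__main__':
    for name, flt in [('port unreachable', PORT_UNREACHABLE), ('fragmented', FRAGMENTED),
                      ('DF set', DF_SET), ('10.1.0.0/16 either direction', SUBNET_10_1_BIDIR)]:
        print(f'{name:30s} {apply_filter(flt)}')
```

Two points the step names hide: the IHL check in PORT_UNREACHABLE is what step 4 is for, because a packet carrying IP options shifts the ICMP type/code past offset 34 and a bare offset filter would silently miss it; and an analyzer without a "non-zero" operator catches fragments the way the outline suggests, by writing the exact-zero pattern and negating it (AND NOT) rather than enumerating every possible fragment offset.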