Part 5 of 5: Capturing Network Traffic
What Is It?
Also known as “sniffing”, capturing network traffic can be either proactive or reactive depending on the application. There are many open-source and commercial tools, available for free, for a fee, or on a subscription basis. The goal is to capture the data traversing the network for the purposes of analysis and intelligence gathering, and this can be done on wired or wireless networks.
In a proactive sense, we capture data to understand what is happening on our network to design our security policies and systems, to improve performance, and to ensure that the systems and services we put in place work as they should.
In a reactive sense, we capture data to troubleshoot issues with applications and services, to gather intelligence during or after a cyber-security incident, and to adjust our post-incident strategy going forward. Many organisations use traffic capture in a variety of ways and in terms of a security mitigation strategy it may seem low on the priority list over sexy solutions like firewalls and threat hunting, but it can still yield some incredibly valuable information.
Where Do I Start?
The first place I would recommend starting is identifying where you will capture the data. Natural choke points are a good place to start such as firewalls or any other ingress / egress point of the network. In some cases, it can be a connection to a virtual server host if you’re after more server data than network data. Personally, I like inline passive taps, but they do require a disruption to a link to install. Span / Mirror ports are also great if you can find the right location in the network.
It’s important to locate the capture point as close as possible to the traffic you’re trying to capture, to minimise noise from other systems; it’s easy to get overwhelmed with packets until you get the filters dialled in. Some environments I have seen leave a Span / Mirror port available, and then it becomes a matter of simply plugging in when required, with the ability to move from point to point or even run multiple captures simultaneously.
You also want to decide what data you are capturing. Rather than trying to catch everything, it may be best to try and capture data only from priority systems and those that handle sensitive data. It takes a bit of work to get the filtering right, but you can quickly narrow it down to a network, a host, or a protocol.
So now you know what you want to capture and where to capture it from. What’s next? The tool of choice is up to you or the experts that you bring in to assist. Call me old school, but I’ve always used Wireshark. There are lots of tools to choose from… choose the one that works best for you and your needs.
How Do I Make It Work?
There’s not a lot to “make it work”; you’re basically tapping into something that is already working. Once you’re connected, begin to capture the data and watch your screen flood with packets… or watch the logs fill up. You know what I mean. Once you have enough data captured (and you have enough space to keep it) you can stop the capture and move to filtering and analysing the data for your needs. This is where you may need expert assistance… reading the data is an art form! Even more than that, looking for patterns and specific metrics can be time consuming, but the people that live in this world are worth their weight in gold. Be nice to them!
Encrypted traffic is a tough one. You may not be able to see the data itself, but you may be able to get enough information based on sources and destinations. Sometimes the metadata is as good as the data itself. If you can, try to capture the data in its unencrypted form. This can be a bit challenging, so sometimes the captures available from encrypted data inspection systems are a worthwhile place to look.
Another common pitfall is not having enough storage space to keep the data captured. On a busy network it would be like trying to fill a bucket from a fire hose. Be selective about what you capture and be sure you have enough storage for that capture to meet your retention objectives. That retained data may be handy if you’re looking for something specific that only occurs occasionally. Sometimes you can get away with just the metadata, which is a lot smaller. It’s like keeping the recipe off the back of the box rather than the whole box itself; you only retain what you need and discard the rest.
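As an added example (not code from the original post), the Python below shows the “keep the metadata, not the whole box” idea in practice: it builds a small constructed pcap with a 64-byte snaplen, so only Ethernet/IP/TCP/UDP headers are kept on disk, and then rolls the retained headers up into per-flow byte counts using the original frame lengths. The addresses, ports and sizes are made up for the demonstration.

```python
import struct
from collections import Counter

SNAPLEN = 64  # keep only the first 64 bytes of each frame: headers, not payload

def build_frame(src, dst, proto, sport, dport, payload_len):
    """Constructed Ethernet/IPv4 frame with a TCP(6) or UDP(17) header; checksums left zero."""
    if proto == 6:   # TCP: 20-byte header, ACK flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 0, 0, 0)
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    total = 20 + len(l4) + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + b"A" * payload_len

def build_pcap(frames):
    """Constructed pcap (little-endian, linktype 1 = Ethernet); each record is cut at SNAPLEN."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, SNAPLEN, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, min(len(f), SNAPLEN), len(f)) + f[:SNAPLEN]
    return out

def flows_from_pcap(data):
    """Aggregate bytes on the wire per 5-tuple using only the headers the snaplen kept."""
    magic = struct.unpack_from("<I", data)[0]
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]   # file byte order from the magic number
    if struct.unpack_from(e + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    flows, off = Counter(), 24
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack_from(e + "IIII", data, off)
        frame = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue  # not IPv4
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        ports = struct.unpack_from("!HH", frame, 14 + ihl) if proto in (6, 17) else (0, 0)
        flows[(src, ports[0], dst, ports[1], proto)] += origlen  # origlen, not caplen: full wire size
    return flows

def demo():
    """Three 1400-byte TCP segments, one 200-byte reply and one DNS query; returns (pcap size, flows)."""
    frames = ([build_frame("10.0.0.5", "10.0.0.20", 6, 51000, 443, 1400)] * 3
              + [build_frame("10.0.0.20", "10.0.0.5", 6, 443, 51000, 200)]
              + [build_frame("10.0.0.5", "10.0.0.53", 17, 40000, 53, 40)])
    pcap = build_pcap(frames)
    return len(pcap), flows_from_pcap(pcap)
```

In `demo()` the header-only capture is 424 bytes on disk while the flow table still accounts for the 4,698 bytes that crossed the wire, which is the trade-off the paragraph above describes.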
Ghosts in the Machine?
It can be tricky to find the right location to capture data, and sometimes you won’t see all the data to and from your targets, especially in a network where several data paths to systems may exist. If you feel you are missing data, be sure to capture it from multiple points to build a more complete picture. Imagine if the link you were tapped into only showed one type of traffic and you reported this back to management, yet the link you hadn’t tapped into carried all the rest or even had malicious traffic on it. It wouldn’t get you very high on the Christmas card list with the boss! Take your time, be thorough, and try to look at it from all angles.
Another tricky element to deal with is server to server traffic inside a virtual server environment. Thankfully there are solutions for this from some specialised vendors in this area. Be sure to consider this when looking for data capture points. It’s getting tougher in environments that are cloud-based or completely virtualised to get captures, but there is a way. We always find a way.
Be sure that you know what you are looking for and how to find it. The ability to separate the wheat from the chaff is vital when it comes to analysing captures. I often find myself looking at the same data a few times, using several filters, to better understand the traffic. Tools that help visualise the data as graphs are also very helpful, especially when you must include it in a report, design, or presentation. Thankfully, as with the capture tools, there are just as many options available.
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock.