Introduction
If you’ve ever been a network administrator, the call you dread the most might be the one you receive in the middle of the night from a panicked employee stating that a portion of your critical network has gone down. What troubleshooting options are available to provide answers to your network problem? Besides having a proactive helpdesk that can “read” the mind of your network, an important part of troubleshooting involves using a network protocol analyzer. If you’ve done your research, you realize that there are many choices on the market today that may satisfy your needs but make a dent in your company’s pocketbook. Plus, you have to factor in training your helpdesk on how to use this new tool and whether it will provide some type of return on investment (ROI).
After conducting thorough research on tools to analyze and troubleshoot a network, we decided to use Ethereal. Many products such as Sniffer® Portable by Network General and Observer® by Network Instruments provided more options but were only available in “demo” versions and didn’t provide full functionality. Since we wanted to use Tcpdump as one of the tools in our network troubleshooting arsenal, it made sense to run Ethereal since it supports this type of filter.
So, what is Ethereal?
Ethereal is a network analyzer. It has the ability to read packets from a network, decipher them, and then display the results in a very intuitive GUI. According to the book Ethereal Packet Sniffing, “the most important aspects of Ethereal are as follows: that it is open source, actively maintained, and free”. Our research also showed that Ethereal supports TcpDump-format capture filters, supports over 700 protocols (new ones are added on a regular basis), and can capture data from Ethernet, Token Ring, 802.11 Wireless, etc. For anyone interested in a command line interface (CLI) for Ethereal, you’re in luck, since there is a CLI version available called tethereal.
History of Ethereal
Ethereal is a fairly mature networking tool that was developed by Gerald Combs back in 1997, but has only been available to users since 1998. Something unique to this tool is the numerous dissectors that are available. If you’re like me, you may ask yourself: what are dissectors? According to Brockmeier, they “are what allow Ethereal to decode individual protocols and present them in readable format”. Since the code is open source, you will notice every few months that the list of supported protocols has grown due to individual contributions to Ethereal.
Don’t hesitate to bring in experts to make sure your network is configured properly. This is a correct assessment; however, the lesson doesn’t address when to bring in an expert. Despite an over-reliance on technology, there needs to be a timeframe for this expert and a plan for how their analysis will support the overall technological requirements.
...r these requirements I have chosen PFSense as the router, Windows 7 for the client, and a Red Hat Enterprise Linux server hosting my MediaWiki database. It was my preference that the monitoring solution be given its own VM and so I have a fourth VM running an Ubuntu base with the Opsview Atom monitoring service installed.
The SIEM is a log management system where every network device, server or workstation will send their logs for storage, correlation and analysis. The analysis will provide alerts similar to the NIDS and HIDS. In addition, the log correlation could be used to help track where and when malicious activity has occurred and on what system(s) the activity was seen. The combination of the NIDS, HIDS and SIEM will provide a good array of detection for malicious users, software or unauthorized system access.
Both Kismet and Wireshark are excellent network analyzers. Wireshark offers a complete package in terms of packet collection, visualization, and an easy user interface. Kismet provides location services, is small enough to run on small sensors, and can be highly mobile. Also, its server/client mode allows multiple operators to analyze the live capture simultaneously, making it the best tool for the task. Collecting information with Kismet requires familiarization with the software, but once that is done the possibilities are diverse. For example, a small single-chip computer or sensor placed in a strategically located area near wireless access points can locate a user in the
SPI – Stateful Packet Inspection – is a method of monitoring the state of active connections in order to determine what packets to allow access through a firewall.
The Android Network Toolkit is a very useful and efficient application tool. According to the website Hackers Online Club, "This app is capable of mapping your network, scanning for vulnerable devices or configuration issues. It is for use by the amateur security enthusiast home user to the professional penetration tester, ANTI provides many other useful features." Here are some of the features of the Android Network Toolkit (ANTI): it provides easier access to visual sniffing and to open ports. Visual sniffing usually refers to retrieving cookies and URLs. The ANTI application also allows the user to perform MiTM attacks and to exploit server and client sides. MiTM is a term normally used in cryptography and computer security; MiTM is basically eavesdropping. The application also comes with a password cracker, which determines the security level of a password. ANTI may also replace an image in Denial of Service attacks and demos. All of these features are part of the Android Network Toolkit (ANTI).
(source: white paper on MEF carrier Ethernet on delivery of private cloud services on MEF.org[12])
Although VPN is very popular in the market for networking technology, it may raise some concerns for IT managers. VPN requires an in-depth understanding of public network security issues and proper deployment precautions. The task of choosing and deploying a VPN solution is far from being simple and may require the training of workers in at least the basics...
Transport—Transmission protocol that decides how messages will be sent between RosettaNet partners (HTTP is the default protocol).
A network topology in GNS3 (Graphical Network Simulator) is used in conjunction with Backtrack 5 to demonstrate the Cisco exploit tools. The topology consists of three routers connected to one switch, which is connected to a cloud. The cloud will act as Backtrack. The network address is 192.168.6.0/24. Each router is configured with a separate IP address in the network. Backtrack is connected to the cloud on the same VMnet custom network. (See Figure 3-1 below.)
Explain how the two important transport protocols deliver messages on behalf of the application and discuss the differences between them
User Datagram Protocol is one of the transport layer protocols; it offers a limited amount of service when messages are exchanged between hosts. Data is further subdivided into datagrams for transmission between the hosts. UDP does not retransmit damaged or lost packets, and there is no acknowledgement for a packet that has been sent. SOCK_DGRAM is the type of socket used for transmission of data.
Networks in organisations are dynamic and complex entities which can be quite challenging to configure and manage (Kim & Feamster 2013). These corporate networks consist of multiple routers, switches, firewalls and middleboxes, and a particular advantage of network management is the ability to monitor the entire business network. As all the devices are interconnected, with many events occurring simultaneously, problems with one device can eventually spread throughout...
DeviceNet utilizes the CAN standard at the data link layer. The low overhead required by the CAN protocol at the data link layer improves DeviceNet's performance when handling messages. The DeviceNet data frame uses only one data frame type from the CAN protocol (among the other existing ones). The protocol uses minimal bandwidth to transmit CIP messages. The DeviceNet data frame format is shown in figure 1.4.