www.packet-level.com/resources/hpetsnotes.txt
Sessions this week:
Thursday 1728 Cybercrime 1, 9:30, Rm124
Thursday 1729 Cybercrime 2, 2:00, Rm224
Friday 1730 Advanced Analysis, 8:00a, Rm124
Friday 1731 Case Studies/Security, 11:00a, Rm124
Remember to fill out your evaluations!
2002 hp
filename.ppt
page 1
Prerequisites
Understanding basic packet structures
Understanding data flows
Ability to count
Ability to convert hex-decimal-binary
Thorough knowledge of the protocol or application you are working on, or some very good technical resources
2002 hp
1730_chappell.ppt
page 2
Using Timestamps
Latency testing (from here to there and back again...)
Interval testing (i.e., OSPF hellos, TR ring polls)
The three basic timestamps:
Absolute time
Relative time
Delta time
Absolute Timestamp
Based on time of day (uses PC clock setting)
When did that event occur?
The login/logout
The break-in
The DoS attack
The overload
Relative Timestamp
Relative to the first packet in the trace buffer.
Time from one command until completion. Used for application testing.
Delta or Interpacket
From the end of one packet to the end of the next packet. Used for the slow network problem.
[Diagram: REQ, ACK, RESPONSE (roundtrip time 1); REQ, ACK, RESPONSE (roundtrip time 2)]
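The three timestamp types above (absolute, relative, delta) and the roundtrip measurement in the diagram, worked through as an added Python example that is not from the original slides; the trace is constructed and the epoch times are invented:

```python
from datetime import datetime, timezone

# Constructed sample trace: (absolute capture time in epoch seconds, summary).
# Invented values, not from the slides; the second transaction is deliberately slow.
TRACE = [
    (1020000000.000, "REQ"),
    (1020000000.012, "ACK"),
    (1020000000.250, "RESPONSE"),
    (1020000000.300, "REQ"),
    (1020000000.309, "ACK"),
    (1020000002.900, "RESPONSE"),   # 2.6 s after its REQ
]

def absolute(ts):
    """Absolute timestamp: time of day from the capture PC's clock (shown as UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%H:%M:%S.%f")[:-3]

def relative(trace):
    """Relative timestamp: seconds since the first packet in the trace buffer."""
    t0 = trace[0][0]
    return [round(ts - t0, 3) for ts, _ in trace]

def delta(trace):
    """Delta (interpacket) time: seconds since the previous packet; first packet is 0."""
    return [0.0] + [round(b[0] - a[0], 3) for a, b in zip(trace, trace[1:])]

def roundtrips(trace):
    """Latency per transaction: REQ until its RESPONSE (the ACK in between is ignored)."""
    out, pending = [], None
    for ts, what in trace:
        if what == "REQ":
            pending = ts
        elif what == "RESPONSE" and pending is not None:
            out.append(round(ts - pending, 3))
            pending = None
    return out

def slowest_gap(trace):
    """The delta the 'slow network' hunt keys on: (index, seconds) of the largest gap."""
    d = delta(trace)
    i = max(range(len(d)), key=d.__getitem__)
    return i, d[i]

if __name__ == "__main__":
    for (ts, what), rel, dlt in zip(TRACE, relative(TRACE), delta(TRACE)):
        print(f"{absolute(ts)}  rel={rel:7.3f}  delta={dlt:7.3f}  {what}")
    print("roundtrips:", roundtrips(TRACE), "slowest gap:", slowest_gap(TRACE))
```

The largest delta lands on the second RESPONSE, which is the server-side wait, not the network, so delta time alone tells you where the gap is while the roundtrip figure tells you how much it cost the application.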
2002 hp 1730_chappell.ppt hp enterprise technical symposium page 7
Triggered Captures
When you absolutely positively gotta go to sleep.
Trigger by date/time
Trigger by alarm (i.e., utilization % exceeded)
Trigger by event (packet meets filter criteria)
Application Analysis
Filter on test host. Time processes. Define packet count requirement. Examine utilization stats for planning.
Form online at www.podbooks.com (References). From Advanced Network Analysis Techniques by Laura Chappell
Cookie Read
See www.cookie-central.com.
Filtering
Address-based: MAC address, network address, complete or only portions of an address
Protocol-based: focused on port or socket numbers
Pattern-based: here's where you can really get to the nitty gritty.
Address-Based Filtering
Have them ready: critical devices, servers, routers, the boss's machine, Fred
Watch DHCP-addressing!
Protocol-Based Filtering
Know your ports (www.iana.org):
21 - ftp
23 - telnet
25 - smtp
53 - dns
80 - http
Pattern-Based Filtering
Know your offsets (or cheat)
Know your values
Look for strings
Should you define start and end?
Boolean Filters
Operators: AND, OR, NOT
Example (as diagrammed): (USER OR PASS OR RETR OR STOR) AND NOT (D.IP 10.1.2.3)
Transmitting Packets
Warnings.
Legitimate uses:
Test vulnerabilities
Recreating problems
Packet Sanitization
Clean IP addresses
Clean usernames/passwords
Clean site names
Packet Conversion
Converting between analyzer formats. Use the best decodes!
More Training/Information
Attend other analysis sessions
US/Canada Roadshow (www.nuihotlabs.com): Hands-On Analysis, Troubleshooting and Cybercrime
Classes (private and public)
Read the specs alongside your analyzer
Read books focusing on analysis and packet-level communications; see www.podbooks.com
Get online at www.packet-level.com and join the mailing list