
Analysis of Network Traffic

Related categories: WWW | Sniffing | Networks | Security | DNS | Firewalls

Bartosz Przybylski
Viewed: 12967 | Article date: 2006-08-09 18:04:52

If you administer a network of any kind you can be certain that sooner or later it will become a target of an attack. However, you are capable of eliminating, or at least significantly reducing any chances of its success. Bartosz will show you how to analyse the network traffic.

If you administer a network of any kind you can be certain that sooner or later it will become a target of an attack. However, you are capable of eliminating, or at least significantly reducing, any chances of its success. There are many ways to achieve this: from disabling services, through firewalls, to IDSes; still, it may turn out that the most important issue here is the ability to distinguish the traffic of "good" packets from that of "bad" ones.

What you will learn...

  • how to analyse network traffic,

  • how to detect attack attempts through analysis,

  • how to thwart such attempts.

What you should know...

  • know the basic workings of (ISO/OSI) networks,

  • be able to use the Linux shell.

Pcap is one of the most commonly used libraries for capturing network traffic. It offers extremely fine-grained access to the individual ISO/OSI layers. Its other advantage is its availability for many different operating systems (more about it in hakin9 5/2005 no. 14, in the article by Konrad Malewski titled Full Control, or Low-level Access to the Network) and programming languages.

A Hammer, a Screwdriver, a sniffer – or, Analysis Tools

It simply won't do to consider network analysis without tools which will make our life much easier. Let us begin with sniffers.

Ethereal

Ethereal is one of the best-known network analysis tools. It offers many features which are of great use during an analysis. The two dominant characteristics of this project are: storing network traffic in various container formats, and a graphical user interface. Although the latter is not strictly necessary for analysis, it is a nice addition which makes the work easier.

Tcpdump

Tcpdump is another very good sniffer. It was written by the same authors as the Pcap library. The program can work with several unofficial front-ends; it has, however, been designed primarily to be used directly from the command line (the shell) of the system.

Our Armaments

Ahead you will find a list of programs and scripts which we'll be using while analysing network traffic:

  • capinfos (a part of the ethereal suite)

  • tcpdstat,

  • zonk.pl (a simple script for network administrators – written by the author of the article),

  • a handful of custom scripts.

Listing 1. Verifying authenticity of two files (aut.sh)

#!/bin/sh
# Compare the MD5 and SHA-1 digests of two files; if both pairs match,
# the second file is an unaltered copy of the first.
if [ -z "$2" ]; then
    echo "Usage: $0 authentic_file file_for_check"
    exit 1
fi

# Note: fixed names under /tmp are predictable; on a shared host prefer mktemp.
md5sum "$1" | cut -c1-32 > /tmp/f1.cksum
md5sum "$2" | cut -c1-32 > /tmp/f2.cksum
sha1sum "$1" | cut -c1-40 >> /tmp/f1.cksum
sha1sum "$2" | cut -c1-40 >> /tmp/f2.cksum

# cmp prints nothing when the two checksum files are identical
res=`/usr/bin/cmp /tmp/f1.cksum /tmp/f2.cksum`

if [ -z "$res" ]; then
    echo "File is authentic"
else
    echo "File is not authentic"
fi
rm /tmp/f1.cksum /tmp/f2.cksum

Warranty of Authenticity

If the results of a conducted analysis are to serve as evidence against the attacker, it is important for us to prove the authenticity of the file in which the network traffic has been logged, as well as of the one our analysis has been based on.

It is important for the original file, the one which will serve as primary evidence, to have a time stamp as close to the intrusion time as possible. In order to ensure this, one ought to copy the traffic log file to a separate directory and set read-only permissions on both the file and the directory. We do it the following way:

mkdir ~/analyze
cp ./traffic.cap ~/analyze
chmod 444 ~/analyze/traffic.cap   # the file itself: read-only
chmod 555 ~/analyze               # the directory: read-only but still traversable (444 on a directory would block access to the file inside it)

Once we have obtained the protected copy on which our evidence will be based, we must also prove its authenticity; the simple script from Listing 1 will help us here.

This script can also be used to prove the authenticity of the intercepted traffic itself; it is even more convincing if similar checksums are stored for the intercepted traffic as well.
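The same procedure carried out in Python, as an added example that is not the article's own code: copy the capture into a separate directory, make the copy and the directory read-only, record both an MD5 and a SHA-1 digest in a manifest, and later check a working copy against that manifest, which is what aut.sh does with md5sum/sha1sum and cmp. All paths are assumptions and the capture content is a constructed stand-in, not a real pcap file.

```python
"""Evidence preservation: copy, lock down, fingerprint, verify.
Added example; paths and the sample capture are constructed assumptions."""
import hashlib
import os
import shutil
import stat
import tempfile


def fingerprint(path, chunk_size=65536):
    """Return (md5_hex, sha1_hex) of a file, hashed in chunks so that a
    large capture never has to fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def preserve_evidence(src, dest_dir):
    """Copy src into dest_dir, lock down the copy and the directory, and
    write a manifest with both digests.  Returns (copy_path, manifest_path).

    copy2 keeps the original modification time, which the text wants as
    close to the intrusion time as possible.  The directory gets r-x
    (0o555), not r-- (0o444): without the execute bit nobody, the owner
    included, could open the file inside it."""
    os.makedirs(dest_dir, exist_ok=True)
    copy = os.path.join(dest_dir, os.path.basename(src))
    shutil.copy2(src, copy)
    manifest = copy + ".sums"
    md5, sha1 = fingerprint(copy)
    with open(manifest, "w") as m:
        m.write("%s\n%s\n" % (md5, sha1))
    os.chmod(copy, 0o444)
    os.chmod(manifest, 0o444)
    os.chmod(dest_dir, 0o555)
    return copy, manifest


def verify(path, manifest):
    """True only if both the MD5 and the SHA-1 of path equal the manifest."""
    with open(manifest) as m:
        expected = tuple(line.strip() for line in m)
    return fingerprint(path) == expected


def release_evidence_dir(dest_dir):
    """Make the directory writable again (required before it can be removed)."""
    os.chmod(dest_dir, 0o755)


def run_scenario():
    """Build a constructed capture, preserve it, then check an intact and a
    tampered working copy against the manifest.  Returns the outcomes."""
    work = tempfile.mkdtemp()
    evidence_dir = os.path.join(work, "analyze")
    try:
        cap = os.path.join(work, "traffic.cap")
        with open(cap, "wb") as f:
            f.write(b"constructed stand-in for a capture file\n")  # not a real pcap
        copy, manifest = preserve_evidence(cap, evidence_dir)
        working = os.path.join(work, "working.cap")
        shutil.copyfile(copy, working)   # copyfile: content only, not the 0o444 mode
        intact = verify(working, manifest)
        with open(working, "ab") as f:
            f.write(b"tampered")
        tampered = verify(working, manifest)
        return {
            "intact_verifies": intact,        # True
            "tampered_verifies": tampered,    # False
            "copy_mode": stat.S_IMODE(os.stat(copy).st_mode),          # 0o444
            "dir_mode": stat.S_IMODE(os.stat(evidence_dir).st_mode),   # 0o555
        }
    finally:
        if os.path.isdir(evidence_dir):
            release_evidence_dir(evidence_dir)
        shutil.rmtree(work)


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print("%-18s %s" % (key + ":", oct(value) if "mode" in key else value))
```

Checking two independent digests, as aut.sh does, means an attacker would have to find a collision for both hash functions at once to swap the capture unnoticed; keeping the manifest read-only beside the copy records the digests at preservation time rather than at verification time.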

Listing 2. Output of capinfo

$ capinfo traffic.cap
 1  File name: traffic.cap
 2  File type: libpcap (tcpdump, Ethereal, etc.)
 3  Number of packets: 1194
 4  File size: 93506 bytes
 5  Data size: 213308 bytes
 6  Capture duration: 342.141581 seconds
 7  Start time: Thu Jun 23 14:55:18 2005
 8  End time: Thu Jun 23 15:01:01 2005
 9  Data rate: 623.45 bytes/s
10  Data rate: 4987.60 bits/s
11  Average packet size: 178.65 bytes

Network Analysis

Let us now proceed to our primary task, that is, the analysis of intercepted network traffic. In order to perform such an analysis one must first gather basic information about the intercepted traffic. For that we shall use capinfo, which is a part of the ethereal suite.

Let's have a closer look at Listing 2 and think about what kind of information we will obtain thanks to capinfo.

We ignore the first line, as it only contains the file name. The second contains information about the format of the file; in this case it is the pcap format. Another quite popular format for storing network traffic is Microsoft Network Monitor x.x, where x.x is the version of the library; the most widespread one is version 2.x. These are of course by no means the only formats for storing network traffic in files.

The next line (3) of the output lists the number of packets which "flowed" through our network while we were sniffing. Next we have the size of the file (4) and the amount of data our recorded traffic consists of (5). These are followed in turn by: the exact duration of sniffing (6), the date and time of the beginning (7) and the end (8) of sniffing, the average data flow in bytes (9) and bits (10) per second, and finally line (11), which shows the average size of a packet.
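To show where the figures in Listing 2 come from, here is an added example (not the article's or the Ethereal project's code) that reads them straight out of a pcap file: it parses the libpcap format (a 24-byte global header followed by 16-byte record headers, each followed by the captured bytes), counts the packets, sums the original on-the-wire lengths, and derives duration, data rates and average packet size in the same way the listing's numbers relate to each other (data size divided by duration, and by packet count). It goes a little beyond the listing by also counting packets that were cut short by the snapshot length, which is why "File size" can be smaller than "Data size". The sample capture is constructed in memory; the `build_pcap` and `capinfo` names are this example's own.

```python
"""Basic capture statistics from a pcap file, added example.
build_pcap() constructs a sample file in memory; capinfo() parses it."""
import struct

MAGIC_USEC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps


def build_pcap(records, snaplen=96, linktype=1, endian="<"):
    """Construct a pcap file from [(sec, usec, payload)], truncating each
    payload to snaplen the way a sniffer run with a snapshot length would."""
    blob = struct.pack(endian + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for sec, usec, payload in records:
        captured = payload[:snaplen]
        blob += struct.pack(endian + "IIII", sec, usec, len(captured), len(payload))
        blob += captured
    return blob


def rates(data_size, duration, packets):
    """Bytes/s, bits/s and average packet size, rounded to two decimals like
    capinfo's output; zero-safe for a single-packet capture."""
    bps = data_size / duration if duration > 0 else 0.0
    avg = data_size / packets if packets else 0.0
    return round(bps, 2), round(bps * 8, 2), round(avg, 2)


def capinfo(blob):
    """Parse a pcap blob and return the figures capinfo prints for it."""
    if len(blob) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == MAGIC_USEC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # the same magic written big-endian
        endian = ">"
    else:
        raise ValueError("unknown magic 0x%08x (not a microsecond pcap file)" % magic)
    _, major, minor, _zone, _sigfigs, snaplen, _link = struct.unpack(endian + "IHHiIII", blob[:24])

    packets = data_size = truncated = 0
    first = last = None
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        if off + 16 + incl_len > len(blob):
            raise ValueError("record at offset %d runs past the end of the file" % off)
        ts = sec + usec / 1e6
        first = ts if first is None else first
        last = ts
        packets += 1
        data_size += orig_len            # "Data size": bytes that were on the wire
        truncated += incl_len < orig_len  # captured fewer bytes than the frame had
        off += 16 + incl_len

    duration = (last - first) if packets else 0.0
    bps, bitps, avg = rates(data_size, duration, packets)
    return {
        "file_type": "libpcap %d.%d" % (major, minor),
        "packets": packets,
        "file_size": len(blob),          # on-disk size, headers included
        "data_size": data_size,
        "duration": duration,
        "start": first,
        "end": last,
        "data_rate_bytes": bps,
        "data_rate_bits": bitps,
        "avg_packet_size": avg,
        "truncated_packets": truncated,
        "snaplen": snaplen,
    }


# Constructed sample: three frames over two seconds, two longer than the snaplen.
SAMPLE = build_pcap([
    (1000, 0,      b"A" * 60),
    (1000, 500000, b"B" * 200),
    (1002, 0,      b"C" * 100),
], snaplen=96)

if __name__ == "__main__":
    for key, value in capinfo(SAMPLE).items():
        print("%-18s %s" % (key + ":", value))
```

For the constructed sample this reports 3 packets, a data size of 360 bytes over a 2-second capture (180 bytes/s, 1440 bits/s, 120 bytes per packet) and 2 truncated packets; feeding `rates()` the listing's own data size, duration and packet count reproduces its 623.45 bytes/s, 4987.60 bits/s and 178.65 bytes.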

Copyright © 2006 by Software Developer's Journal. All rights reserved.