AoC 2022 Day 13: Packet Analysis
Packets and Packet Analysis?
The most fundamental unit of network data carried through a network is a packet. A message is transported from one host to another in little pieces, each of which is referred to as a packet. In packet analysis, prerecorded traffic files are used to extract, evaluate, and discover network patterns such connections, shares, commands, and other network events like logins and system failures.
Why Does Packet Analysis Still Matter?
Network activity is a clean, rich source of data. A valuable data source for analysis is a Packet Capture (PCAP) of network events. Traffic flow, which just provides statistics on the network traffic, might be the focus of live data collection. On the other hand, at the packet level, detailed pattern recognition and analysis of network behavior is carried out. As a result, threat identification and real-time performance troubleshooting cannot be done without packet analysis.
Today, most network-based detection mechanisms and notification systems ingest and parse packet-level information to create alerts and statistical data. Also, most red/blue/purple teaming exercises are optimized with packet-level analysis. Lastly, even encoded/encrypted network data still provides value by pointing to an odd, weird, or unexpected pattern or situation, highlighting that packet analysis still matters.
Points to consider when working with PCAPs
There are various points to consider before conducting packet analysis. The essential points are listed below.
| Point | Details |
| Network and standard protocols knowledge. | Knowledge of the network and protocol operations is a must. An analyst must know how the protocols work and which protocol provides particular information that needs to be used for analysis. Also, knowing the “normal” and “abnormal” behaviours and patterns is a big plus! |
| Familiarity with attack and defense concepts. | You can’t detect what you don’t know. An analyst must know “how the attacks are conducted” to identify “what is happening” and decide “where to look”. |
| Practical experience in analysis tools. | You can’t burn down the haystack to find a needle! An analyst must know how to use the tools to extract particular information from packet bytes. |
When the time comes to do “packet level analysis”, it might sound hard to implement the theory in practice. But creating “checklists” and “mini playbooks” will make the analysis process considerably easier. A simple process checklist for practical packet analysis is shown below.
| Required Check | Details |
| Hypothesis |
Having a hypothesis is important before starting packets.
The analyst should know what to look for before starting an analysis.
|
| Packet Statistics | Viewing the packet statistics can show the analyst the weight of the traffic in the capture file. It helps analysts see the big picture in terms of protocols, endpoints and conversations. |
| Known Services | The services used in everyday operations like web browsing, file sharing and mailing are called known services. The analyst should know which protocol is associated with which service. Sometimes adversaries use the known services for their benefit, so it is important to know what “the normal” looks like.Note: Service is a capability/application that facilitates network operations between users and applications. The protocol is a set of rules that identify the data processing and transmission over the network. |
| Unknown Services | Unknown services are potential red flags. The analyst should know how to research unknown protocols and services and quickly use them for the sake of the analysis. |
| Known patterns | Known patterns represent the analyst’s knowledge and experience. The analyst should know the most common and recent case patterns to successfully detect the anomalies at first glance. |
| Environment | The analyst has to know the nature and dynamics of the working environment. This includes IP address blocks, hostname and username structure, used services, external resources, maintenance schedules, and average traffic load. |
You will need a tool to record, view, and investigate the packets. There are a couple of tools that help users investigate traffic and packet captures. In this task, we will use Wireshark.
What is Wireshark
Wireshark is an industry-standard tool for network protocol analysis and is essential in any traffic and packet investigation.
