Hi, this is Mike Danseglio, and I am going to show you an advanced Network Monitor technique by taking a look at a couple of interesting traces. One is much more difficult to understand than the other, but both are really important: the IT professional needs to recognize these kinds of patterns and these kinds of behaviors when they see them on the network. This first trace I'm showing you, example.com6.pcap, is a capture of network traffic between a host called QUARK2 and skynet.example.com. There is a bunch of different types of traffic going on between these two: we can see ICMP, we can see TCP, some SMB traffic, down here we see some SAMR, and then we get into a little bit of Kerberos authentication traffic, where QUARK2 is asking to authenticate using Kerberos v5 against the domain controller.
These are fairly normal and fairly typical kinds of behaviors, because we are not seeing just one kind of communication; we're seeing a variety of communication where a conversation starts up, does its work, and then shuts down. So we are seeing TCP sessions instantiate, we are seeing them transfer data, and then we're seeing them close off, transferring files or transferring chunks of data. In this particular case, with these sets of Kerberos traffic, what we are seeing is QUARK2 asking for authentication, receiving authentication, and then moving on to communicate. That's fairly typical and fairly normal when we look at communication on the network.
I want to compare that with an IP fragmentation attack, which has a very different look and feel. Click here; I've preloaded an IP fragmentation attack, and we can see first of all that most of these packets look almost identical, very similar to each other. As we scroll we'll see the source and destination addresses vary every once in a while, but for the most part these addresses are identical, and if we click on one of these we can see that the traffic is reportedly going between a D-Link host and a Cisco host. Network Monitor is able to figure that out based on the MAC address, on some other properties, and on some of its parsers. We can see tons of IPv4 fragments, shown down here in the description and also shown down here in the details. We don't see sessions being instantiated, we don't see authentication or authorization, and we don't see any of these shutting down; just tons of very similar network traffic going between hosts.
This is very typical of a problem; in this particular case it is an IP fragmentation attack, an intentional attack by a malicious attacker. However, it may also be a malfunctioning piece of hardware: maybe this piece of Cisco hardware is malfunctioning or has bad firmware on it and is just sending the same packet out over and over again. This is the kind of behavior we are looking for when we are trying to troubleshoot a network with Network Monitor, this repeated, very obvious-looking pattern where we just see one thing over and over again, as opposed to more typical enterprise sessions where we see a variety of different traffic, where we see DHCP traffic, DNS traffic, SMB and RPC traffic transferring data, and we see these sessions coming up and being torn down.
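As an added example (not from the video and not Network Monitor's own code), here is a small Python script that applies the same rule of thumb to raw Ethernet/IPv4 frames: it reads the IPv4 flags and fragment offset, counts fragments and source/destination pairs, and flags a batch that is almost entirely fragments between one pair of hosts, which the normal mixed trace does not trigger. The frames, the addresses, and the 90% thresholds are constructed for the example, not taken from the traces shown.

```python
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800

def build_frame(src, dst, proto, more_fragments=False, frag_offset=0, ident=0x1234):
    """Build a minimal Ethernet/IPv4 frame for the constructed sample (checksum left 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ident, flags_frag, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + b"\x00" * 8

def parse_ipv4(frame):
    """Return (src, dst, proto, is_fragment) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    # A fragment has the MF (more fragments) bit set or a non-zero fragment offset.
    is_fragment = bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, ip[9], is_fragment

def fragment_flood_report(frames, min_frames=50, frag_ratio=0.9, pair_share=0.9):
    """Summarise a batch of frames and flag the 'same fragment over and over' pattern."""
    pairs, protos, frags, total = Counter(), Counter(), 0, 0
    for frame in frames:
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, dst, proto, is_fragment = parsed
        total += 1
        pairs[(src, dst)] += 1
        protos[proto] += 1
        frags += is_fragment
    ratio = frags / total if total else 0.0
    top_pair_share = max(pairs.values()) / total if total else 0.0
    suspicious = total >= min_frames and ratio >= frag_ratio and top_pair_share >= pair_share
    return {"total": total, "fragment_ratio": ratio, "distinct_pairs": len(pairs),
            "distinct_protocols": len(protos), "top_pair_share": top_pair_share,
            "suspicious": suspicious}

# Constructed sample 1: one host pair, hundreds of near-identical IPv4 fragments.
FLOOD = [build_frame("192.0.2.10", "192.0.2.20", 17, more_fragments=True, frag_offset=i % 8)
         for i in range(200)]
# Constructed sample 2: a normal mix, several pairs and protocols, no fragments.
NORMAL = [build_frame("192.0.2.%d" % (1 + i % 5), "192.0.2.100", proto)
          for i in range(60) for proto in (1, 6, 17)]

if __name__ == "__main__":
    for name, frames in (("flood", FLOOD), ("normal", NORMAL)):
        print(name, fragment_flood_report(frames))
```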
Hopefully this has given you an interesting first perspective on how to use Network Monitor to take a look at your network and do a really basic analysis: are things going as planned, as expected, or in a relatively normal way, or should I take a look further and possibly analyze whether I'm under attack or have malfunctioning or misconfigured hardware out there?