Practical Network Analysis Tutorial

A million different things can go wrong with a computer network on any given day—from a simple spyware infection to a complex router configuration error—and it’s impossible to solve every problem immediately. The best we can hope for is to be fully prepared with the knowledge and tools we need to respond to these types of issues.

All network problems stem from the packet level, where even the prettiest looking applications can reveal their horrible implementations, and seemingly trustworthy protocols can prove malicious. To better understand network problems, we go to the packet level. Here, nothing is hidden from us—nothing is obscured by misleading menu structures, eye-catching graphics, or untrustworthy employees. At this level, there are no true secrets (only encrypted ones). The more we can do at the packet level, the more we can control our network and solve problems. This is the world of packet analysis.

About Ax3soft Unicorn

Unicorn network analyzer is an Ethernet network analyzer (also known as a packet sniffer or protocol analyzer) for network monitoring and troubleshooting. It performs real-time packet capture, 24/7 network monitoring, advanced protocol analysis, in-depth packet decoding, and automatic expert diagnosis.

Unicorn network analyzer offers a summary-to-detail, intuitive, easy-to-use graphical interface that network engineers can use to rapidly analyze and troubleshoot enterprise networks, that company officers can use to monitor user activity on the network, and that aficionados who want to learn more about how network protocols work can use to debug protocol implementations.

Chapter 1: Packet Analysis and Network Basics

What is packet analysis? How does it work? How do you do it? This chapter covers the basics of network communication and packet analysis.

Chapter 2: Tapping into the Wire

This chapter covers the different techniques you can use to place a packet sniffer on your network.

Chapter 3: Introduction to Unicorn

Here, we’ll look at the basics of Unicorn—where to get it, how to use it, what it does, why it’s great, and all of that good stuff.

Chapter 4: Working with Captured Packets

Now that you’ve been introduced to Unicorn, you’re ready to start capturing and analyzing packets. In this chapter, you’ll learn how to work with capture files, packets, and time-display formats. We’ll also cover more advanced options for capturing packets and dive into the world of filters.

Chapter 5: Advanced Unicorn Features

Once you have learned to crawl, it’s time to take off running. This chapter delves into the advanced Unicorn features, taking you under the hood to show you some of the less apparent operations.

Chapter 6: Common Lower-layer Protocols

Whether you are troubleshooting latency issues, identifying malfunctioning applications, or zeroing in on security threats, you must first understand normal traffic in order to spot abnormal traffic. In the next couple of chapters, you’ll learn how normal network traffic works at the packet level. We’ll look at the most common protocols, including the workhorses TCP, UDP, and IP, and the most commonly used application-layer protocols such as HTTP, DHCP, and DNS. Each protocol section has at least one associated capture file, which you can download and work with directly. This chapter focuses specifically on the lower-layer protocols, those found at layers 1 through 4 of the OSI model. These are arguably the most important chapters in this book. Skipping the discussion would be like cooking Sunday supper without cornbread. Even if you already have a good grasp of how each protocol functions, give these chapters at least a quick read in order to review the packet structure of each.

Chapter 7: Common Upper-layer Protocols

In this chapter, we’ll continue to examine the functions of individual protocols, as well as what they look like when viewed with Unicorn. We’ll discuss three of the most common upper-layer (layer 7) protocols: DHCP, DNS, and HTTP.

This chapter introduces the most common protocols you will encounter when examining traffic at the application layer. In the following chapters, we’ll examine new protocols and additional features of the protocols covered here, as we explore a wide range of real scenarios. To learn more about individual protocols, read their associated RFCs or have a look at The TCP/IP Guide by Charles Kozierok (No Starch Press, 2005). Also, see the list of resources in the appendix.

Chapter 8: Basic Real-World Scenarios

Beginning with this chapter, we’ll dig into the meat of packet analysis, as we use Unicorn to analyze real-world network problems. In the first part, we’ll analyze scenarios that you might encounter day to day as a network engineer, help desk technician, or application developer—all derived from my real-world experiences and those of my colleagues. We’ll use Unicorn to examine traffic from Twitter, Facebook, and ESPN.com to see how these common services work.

The second part of this chapter introduces a series of real-world problems. For each, I describe the situation surrounding the problem and offer the information that was available to the analyst at the time. Having laid the groundwork, we’ll turn to analysis, as I describe the method used to capture the appropriate packets and step you through the analysis process. Once analysis is complete, I offer a full solution to the problem or point you to potential solutions, along with an overview of lessons learned.

Throughout, remember that analysis is a very dynamic process, and the methods I use to analyze each scenario may not be the same ones you would use. Everyone analyzes in different ways. The most important thing is that the end result of the analysis solves a problem or provides a learning experience. In addition, most problems discussed in this chapter can probably be solved without a packet sniffer. When I was first learning how to analyze packets, I found it helpful to examine typical problems in atypical ways by using packet analysis techniques, which is why I present these scenarios to you.

Chapter 9: Fighting a Slow Network

As a network administrator, much of your time will be spent fixing computers and services that are running slower than they should be. But just because someone says that the network is running slowly does not mean that the network is to blame.

Before you begin to tackle a slow network problem, you first need to determine whether the network is in fact running slowly. You’ll learn how to do that in this chapter.

We will begin by discussing the error-recovery and flow-control features of TCP. Then we will explore how to detect the source of slowness on a network. Finally, we will look at approaches for baselining networks and the devices and services that run on them. Once you have completed this chapter, you should be much better equipped to identify, diagnose, and troubleshoot slow networks.

TIP: Multiple techniques can be used to troubleshoot slow networks. I’ve chosen to focus this chapter primarily on TCP because most of the time it is all that you will have to work with. TCP allows you to perform passive, retrospective analysis of traffic that was already captured rather than generating additional traffic (as with ICMP).

Chapter 10: Packet Analysis for Security

Although most of this book focuses on using packet analysis for network troubleshooting, a considerable amount of real-world packet analysis is done for security purposes. This could be the job of an intrusion analyst reviewing network traffic from potential intruders, or of a forensic investigator attempting to ascertain the extent of a malware infection on a compromised host. Packet analysis for security is a big topic, suitable for an entire book. This chapter provides a taste of analyzing packets with a security focus.

In this chapter, we’ll take the viewpoint of a security practitioner, as we examine different aspects of a system compromise at the network level. We’ll cover network reconnaissance, malicious traffic redirection, and system exploitation. Next, we’ll take on the role of an intrusion analyst, as we dissect traffic based on alerts from an intrusion-detection system (IDS) such as Sax2. Reading this chapter will provide you with critical insight into network security, even if you are not in a security-focused role.

Further Reading

Although the tool used primarily in this book is Ax3soft Unicorn, a great many additional tools will come in handy when you’re performing packet analysis, whether for general troubleshooting, slow networks, security issues, or wireless networks. This chapter lists some useful packet analysis tools and other packet analysis learning resources.

Appendix