Collecting data from the network and its devices
https://www.dhirubhai.net/learning/network-forensics/tcpdump-and-windump-hands-on

The first step of any traffic analysis engine, security-oriented or not, is data collection. To understand what kinds of data might be relevant, let's first look at some of the benefits that traffic analysis provides:

Some benefits of traffic analysis:

- Monitor the traffic flow of the links, both downloading and uploading;

- Check packet type, size, source, destination, and content;

- Analyze traffic for specific protocols to help identify configuration problems or unusual traffic;

- Identify any malicious or suspicious packets in the traffic.

Some techniques and protocols that allow this collection are:

  1. SNMP: Simple Network Management Protocol is the standard protocol for network management and monitoring. It is an open standard and is available on most equipment.
  2. Packet sniffing: captures packets on the network by putting the device's interface into so-called promiscuous mode, and can provide full details of what is going on. You can analyze the values of the various header fields and even the packet contents. Not all analyzer programs capture the entire packet; depending on your needs, this may not be necessary.
  3. Traffic flow information: generated by equipment from certain manufacturers, such as Cisco NetFlow. NetFlow is a feature that can be enabled on routers and switches to collect IP traffic statistics. It is not a packet capture; it is essentially a flow log. When traffic flows across an interface on a router or switch, the device records information about that traffic, which can then be collected by a network flow analyzer. NetFlow works for basic statistics, such as tracking source IP, destination IP, protocols and bandwidth.
  4. WMI: Windows Management Instrumentation, a Microsoft specification for consolidating device and application management on a Windows Server corporate network. WMI provides information about the status of local or remote computer systems and can be used to collect network-related information.

Other functions of traffic analysis

Far beyond presenting latency and link throughput data, traffic analysis can perform many other functions, depending on the tool and the operating system. Let's look at some examples:

  • Track specific users' activity - You can, for example, integrate Active Directory users into your analysis tool. This helps with troubleshooting and forensic analysis of the network. Need to know who is accessing streaming video?
  • Identify specific threats - Such as ransomware, the use of insecure protocols such as SMBv1 and Telnet, or even specific attacks on web servers and applications, such as SQL injection.
  • Detect traffic that deviates from normal network patterns - Through machine learning mechanisms (neural networks) or statistical analysis, an analyzer can detect traffic anomalies, pointing to devices or users that are sending or receiving large volumes of data, whether intentionally or as a result of an external DDoS attack.

Basic Traffic Analysis Tools

TCPDump and Windump


TCPDump is a command-line sniffer, a tool used to monitor the packets traversing a computer network. It displays the headers (and even the contents) of packets passing through the network interface.

tcpdump -ni eth0 src 192.168.1.5 and dst port 80

Example TCPDump command to display the packets of a connection coming from IP 192.168.1.5 to your web server (port 80).
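As an added example, not from the original article: the script below parses the text that a command like the one above prints (with -n, so addresses are numeric) and aggregates the packets into NetFlow-style flow records, the "flow log" contrasted with packet capture in item 3 of the collection techniques above; it also flags Telnet (TCP port 23) flows as one instance of the insecure-protocol detection mentioned later in the article. The tcpdump lines are constructed sample data and the function names are my own.

```python
import re
from collections import defaultdict
# Constructed sample of "tcpdump -n" text output (not a real capture).
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 192.168.1.5.51234 > 10.0.0.1.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 10.0.0.1.80 > 192.168.1.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.000400 IP 192.168.1.5.51234 > 10.0.0.1.80: Flags [P.], seq 1:201, ack 1, win 502, length 200
12:00:01.002000 IP 10.0.0.1.80 > 192.168.1.5.51234: Flags [P.], seq 1:1461, ack 201, win 509, length 1460
12:00:02.000000 IP 192.168.1.7.40000 > 10.0.0.1.53: UDP, length 48
12:00:03.000000 IP 192.168.1.9.2222 > 10.0.0.1.23: Flags [S], seq 9, win 64240, length 0
"""

# One IPv4 TCP/UDP line: timestamp, "IP", src.port > dst.port: ... length N
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*?)length (?P<len>\d+)$"
)

def parse_packet(line):
    """Return the 5-tuple and payload length of one line, or None if it is not IPv4 TCP/UDP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = "udp" if m["rest"].startswith("UDP") else "tcp"
    # tcpdump's "length" here is the transport payload length, so byte counts below are payload bytes.
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), proto), int(m["len"])

def build_flows(text):
    """Aggregate packets into NetFlow-style unidirectional flow records keyed by 5-tuple."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in text.splitlines():
        parsed = parse_packet(line)
        if parsed is None:
            continue
        key, length = parsed
        flows[key]["packets"] += 1
        flows[key]["bytes"] += length
    return dict(flows)

def bytes_per_source(flows):
    """Payload bytes sent per source host: the kind of summary a flow analyzer reports."""
    totals = defaultdict(int)
    for (src, _sport, _dst, _dport, _proto), rec in flows.items():
        totals[src] += rec["bytes"]
    return dict(totals)

def telnet_flows(flows):
    """Flows to TCP port 23: cleartext Telnet, one of the insecure protocols the article names."""
    return [key for key in flows if key[4] == "tcp" and key[3] == 23]
```

Feed it real output with something like `tcpdump -nl -i eth0 | python3 script.py` after adding a loop over standard input; the per-source totals are the starting point for the volume-based anomaly checks described further down.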

Official download: TCPDump is available with almost all Linux distributions. For Windows, there is the equivalent, Windump, which can be downloaded from: windump.

Wireshark


Wireshark is a software program that, although free, is very powerful. It captures and analyzes network traffic, allowing the user to detect problems, correct faults, and dissect a multitude of different protocols. It is an excellent learning tool. Wireshark's features are similar to TCPDump, but with a graphical interface, more information and the possibility to use filters of various types.

Official download: HERE.

IPtraf


IPTraf is a command line tool that provides network statistics. It works by collecting information from UDP, TCP, and other protocol connections. During collection, it condenses and displays detailed information about your network traffic, allowing you to track what is happening on your server in real time.

Official download: IPTraf is available by default on most GNU/Linux operating systems.

Elen Rossette

Sustainability | Environmental Compliance | Environmental Audit | I Help Companies Achieve Sustainability and Compliance with Environmental Regulations

2 years

Very cool!!! Congratulations and thank you for sharing!!
Bruna Baldasso

Data Scientist | Generative AI | Chemical Engineering | Process Optimization

2 years

Congratulations!!!

Amanda Nogueira

Lawyer | Legal Counsel | Data Protection | Brazil LGPD | EU GDPR | Digital Governance

2 years

Very interesting! Coming from my own field of study, which is law, I observe and always analyze the relationship between network security and the exposure of data and images. Useful!!!!

Luciana D.

Full Stack Developer | Web, AI, and Computer Vision | JavaScript | Node.js | React.js | Agile | European Citizenship

2 years

Louise, great! Congratulations
