Network and Flow Analysis

(OBJ .)

Full Packet Capture (FPC)

• Captures entire packets, including headers and payloads

Flow Analysis

• Focuses on recording metadata and statistics about network traffic, saving storage space
• Doesn’t include the actual content, just the metadata
• Rapidly generates visualizations to map network connections, traffic types and session volumes

Flow Collector

• Records metadata and statistics about network traffic
• Collects information about the following
  • Type of traffic
  • Protocol used
  • Data volume
• Allows for efficient data storage and reduces processing overhead

Metadata vs. Contents

• Flow analysis provides metadata about data, not the actual content
• Metadata includes details about traffic types and volumes
• No information about the content of conversations or messages sent

Data Storage and Querying

• Flow analysis information is stored in a database
• Data can be queried and used to generate reports and graphs
• Flow analysis identifies trends, patterns, and anomalies in network traffic

NetFlow

• Cisco-developed protocol for reporting network flow information
• Also known as IPFIX (IP Flow Information Export)
• Defines traffic flows based on shared characteristics (e.g., source and destination IP)
• Data collected by NetFlow
  • Network protocol interface
  • IP version and type
  • Source and destination
  • IP addresses
  • Source and destination ports
  • Type of service used
• Use of NetFlow Data
  • NetFlow data is analyzed visually using various tools
  • Tools like SolarWinds display NetFlow data, highlighting flows
  • Data can be used to identify traffic patterns and anomalies

Zeek

• Hybrid tool for network monitoring
• Monitors traffic like NetFlow but logs full packet captures based on interest
• Filters or signatures trigger full packet capture to analyze specific data
• Normalizes data for easy import into other tools for visualization and analysis

MRTG (Multi Router Traffic Grapher)

• Creates graphs displaying network traffic flows through routers and switches
• Uses SNMP (Simple Network Management Protocol) to gather data
• Helps identify traffic patterns and anomalies by visualizing data transfer volumes

Analyzing Traffic Spikes

• Traffic spikes can indicate anomalies
• Investigate the cause of traffic spikes
• Spike analysis may reveal issues like malware infection or unauthorized data transfer

Incident Investigation

• Suspicious spikes may require setting up network sniffers
• Analyze packet capture data and flow analysis to identify indicators of compromise
• Investigate further to understand the nature of anomalies