Learning to Dissect Packets | ISGMLUG

Welcome to our SGML and XML Resource site

Learning to Dissect Packets

For many years if you wanted to analyse the data on your network you needed expensive tools and software.  However nowadays this isn’t the case, there are now a whole host of free tools which you can use in addition or even instead of the commercial options.  It might sounds a little unnecessary to actually analyse all the packets entering your network but it can be an invaluable skill.

There is a free program you can start with called Wireshark although earlier versions were released under the name Ethereal.  This program is completely free and is easily on the level of commercial packet analyzers. It has the facility to  perform analysis on every layer of interpretation from the frame header to the protocol.   However when packets and network traffic act predictably these are perfect however sometimes attacks consist of unpredictable traffic such as crafted or malformed packets.

french IP addresses

Sometimes Network Intrusion Detection Systems can be quite simple and miss lots of attacks.  Particularly the signature based systems which need updating regularly if they are to keep up to date and detecting the latest attacks.   Many systems are not protocol aware which means that  they will be especially vulnerable to malware that is crated at the packet level.

For example one popular form of attack is by targeting DNS, and many detection systems will not detect attacks which include DNS requests.   Unless the NIDS understands the protocol properly it will not be able to stop attacks based on using the domain name system.   Unless you can understand what each packet is trying to achieve and how the protocol works in can be difficult to identify potential problems.

Most of the packet analysers will allow you to split the packets based on different protocols so that  you can learn how they work.   This feature is particularly useful to those less experienced in analysing data.  For example it can be very confusing identifying particular requests if data is not split into it’s specific protocols.  I once had to analyse a network a problem which was especially confusing because many users were using a VPN specifically when Netflix where blocking proxies which of course encrypted all the data that was being transmitted across the network including the DNS requests which were then handled by the VPN server which forwarded them.



Post a Comment

Your email address will not be published. Required fields are marked *

  • Recent Posts