Getting Started with Packet Analysis

WHAT IS PACKET ANALYSIS?

Joe Abraham
IT SECURITY PROFESSIONAL

@joeabrah www.joestechinsights.com
Packet Analysis
The reading and interpretation of an individual or set of
datagrams to be used for information security or
network monitoring purposes.
Digital information is at risk!

You will be able to:

- Read datagrams from captures
- Identify exploits within datagrams
- Investigate malicious activity found
within packets.
 Review Basic Knowledge
Overview Capture Packets
Read Captures
IPv6 and Encrypted Packets
Case Study
Course Wrap Up
 Intended Audience

SOC Analyst Security Professionals

Understand information flow and Need this type of skill or have
security devices within network interest in reading captures
 Prerequisites

Linux virtual machine or

workstation Supplied course materials:

Security Onion (4.6.0) Sample packet captures

Tcpdump (4.7.4) Number and character

encoding conversion charts
Netsniff-ng (0.5.8)
Translation cheat sheets
Wireshark (2.2.0)
Character Encodings and Numbering Systems
 Base2 Numbering System

1’s and 0’s, on or off…the computer language

Also known as binary

Example: “Hello World” in ASCII format is represented by 01101000

01100101 01101100 01101100 01101111 00100000 01110111 01101111
01110010 01101100 01100100
Base10 Numbering System
Also known as the decimal system, this numbering system
represents binary in integer form. As an example, the string
00011001 is equal to the number 25!
Base16 Numbering System

Also known as “hex”

Uses numbers and letters
- Numbers 0-9
- Letters A-F

Each hex character represented by four

bits, or one nibble
Example: look at string 11000011
Uses 7 bits in a byte
Different characters
represented by bit
ASCII Character Encoding
Some printable
characters
00100001 is “!”
 Several variations of Unicode format
- Is an encoding type

First byte represents first 128 characters

- Up to four additional bytes possible
UTF-8 Used in many applications
First 128 characters are ASCII characters
- ASCII is UTF-8

Industry standard format

IDS, IPS, and SIEM
 IDS vs IPS

Intrusion Detection System (IDS) Intrusion Prevention System (IPS)

Monitors traffic for threats
Typically does not sit inline with
traffic flow
Sends alerts or takes passive actions
Uses rules to detect threats
IDS can detect on threat signature
or anomaly
Monitors traffic for threats
Typically sits inline with traffic flow
Takes passive or active mitigation action
Uses rules to detect and stop threats
IPS can detect on threat signature
or anomaly
SIEM
Security Information and Event Management; collects
and aggregates alerts and logs for event tracking,
retention, and correlation from multiple systems.
Summary What is packet analysis?
Numbering systems
Character encodings
Security tools within environment