However, as a security professional, there are two important reasons to sniff network traffic.
Anyone who uses a tool like Wireshark without first obtaining the necessary permissions may quickly find themselves in hot water legally. Before anyone uses Wireshark, an organization should ensure that it has a clearly defined privacy policy that spells out the rights of individuals using its network, grants permission to sniff traffic for security and troubleshooting issues, and states the organization's policy requirements for obtaining, analyzing and retaining network traffic dumps. Thank you Brad.The phrase "sniff the network" may conjure Orwellian visions of a Big Brother network administrator reading people's private email messages. I have been inspired by Brad Duncan’s work at Malware-Traffic-Analysis over the past 6 years and recommend you follow him on Twitter I have borrowed heavily from his Wireshark setup. The next section looks at configuring Wireshark to show the key fields in http, https, dns, windows smb and authentication traffic.
Quickly finding the http response and the content-type are key. For example in http traffic the host and user-agent fields and the request itself are important. Network flows can be best understood by looking at particular fields. There are hundreds of Alerts to investigate, so … Analysts need to be quick! Typically you have 30 seconds to decide whether the Alert is a true positive (investigate further) or a false positive (something has been flagged as malicious when it’s not).
When investigating network traffic, you need to be able to find suspicious / malicious indicators very quickly. Because of the many plates Analysts have to keep spinning, they are only able to spend 25% of their time (on average) on real-time monitoring and triage. Analysts spend their time on 12 broad activities. I have worked in different Security Operation Centres (SOC) in different industries and I see Wireshark being used all the time but … the default Wireshark layout and view is not efficient for Cyber investigations!īased on the interesting, and in my opinion accurate, “ Voice of the Analyst Study” report by the Cyentia Institute in 2017. Wireshark is heavily used by Security Analysts and Information Security professionals on a regular basis. Simply, Wireshark is a great tool for network analysis and it is used by IT professionals all around the world. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions.” “Wireshark is the world’s foremost and widely-used network protocol analyzer.
0 kommentar(er)
