Basics of Network Traffic Analysis | TryHackMe Traffic Analysis Essentials

Motasem Hamdan
3 min read · May 16, 2024


We covered network traffic analysis essentials for the purpose of incident response and network troubleshooting. This was part of solving the TryHackMe Traffic Analysis Essentials room.

Network Security

Network Security is a set of operations for protecting data, applications, devices and systems connected to the network. It is accepted as one of the significant subdomains of cyber security. It focuses on the system design, operation and management of the architecture/infrastructure to provide network accessibility, integrity, continuity and reliability. Traffic analysis (often called Network Traffic Analysis) is a subdomain of the Network Security domain, and its primary focus is investigating the network data to identify problems and anomalies.

Network Traffic Analysis

Traffic Analysis is a method of intercepting, recording/monitoring, and analyzing network data and communication patterns to detect and respond to system health issues, network anomalies, and threats. The network is a rich data source, so traffic analysis is useful for security and operational matters. The operational issues cover system availability checks and measuring performance, and the security issues cover anomaly and suspicious activity detection on the network.

Flow Analysis

Collecting data/evidence from the networking devices. This type of analysis aims to provide statistical results through the data summary without applying in-depth packet-level investigation.

  • Advantage: Easy to collect and analyse.
  • Challenge: Doesn’t provide full packet details to get the root cause of a case.

Packet Analysis

Collecting all available network data. Applying in-depth packet-level investigation (often called Deep Packet Inspection (DPI)) to detect and block anomalous and malicious packets.

  • Advantage: Provides full packet details to get the root cause of a case.
  • Challenge: Requires time and skillset to analyse.
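To make the flow-versus-packet trade-off concrete, here is an added example (my own code, not part of the room or the original post) that runs both kinds of analysis over a constructed set of packets: flow records answer a statistical question (one host touching many ports), while only payload inspection exposes the root cause (credentials sent in cleartext HTTP). All addresses, ports and payloads are made up.

```python
from collections import defaultdict

# Constructed packets, not a real capture: (src, dst, sport, dport, proto, payload).
PACKETS = [
    ("10.0.0.5", "203.0.113.10", 51000, 80, "tcp",
     b"GET /login HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    ("203.0.113.10", "10.0.0.5", 80, 51000, "tcp", b"HTTP/1.1 200 OK\r\n\r\n"),
    ("10.0.0.5", "203.0.113.10", 51000, 80, "tcp", b"GET /home HTTP/1.1\r\n\r\n"),
    ("10.0.0.7", "10.0.0.20", 40000, 22, "tcp", b""),
    ("10.0.0.7", "10.0.0.20", 40001, 23, "tcp", b""),
    ("10.0.0.7", "10.0.0.20", 40002, 80, "tcp", b""),
    ("10.0.0.7", "10.0.0.20", 40003, 443, "tcp", b""),
    ("10.0.0.7", "10.0.0.20", 40004, 3389, "tcp", b""),
]


def summarize_flows(packets):
    """Flow analysis: aggregate packets into 5-tuple records holding counts only.
    Payloads are discarded, which is why flow data is cheap to collect and store
    but cannot show what happened inside a connection."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, sport, dport, proto, payload in packets:
        rec = flows[(src, dst, sport, dport, proto)]
        rec["packets"] += 1
        rec["bytes"] += len(payload)
    return dict(flows)


def flow_anomalies(flows, port_threshold=5):
    """A statistical question flow records can answer: which (source, destination)
    pairs show one host reaching many distinct destination ports (scan-like fan-out)."""
    ports = defaultdict(set)
    for (src, dst, _sport, dport, _proto) in flows:
        ports[(src, dst)].add(dport)
    return sorted(pair for pair, seen in ports.items() if len(seen) >= port_threshold)


def packet_findings(packets):
    """Packet analysis (DPI): inspect payloads for a root cause that flow records
    cannot expose, here HTTP Basic credentials sent in cleartext on port 80."""
    findings = []
    for src, dst, _sport, dport, proto, payload in packets:
        if proto == "tcp" and dport == 80 and b"Authorization: Basic " in payload:
            findings.append((src, dst, "cleartext HTTP Basic credentials"))
    return findings


if __name__ == "__main__":
    flows = summarize_flows(PACKETS)
    print(len(flows), "flows; fan-out pairs:", flow_anomalies(flows))
    print("packet-level findings:", packet_findings(PACKETS))
```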

Definition of Packet Capturing

Packet capture refers to capturing network packets transmitted over a network, and packet replay refers to sending packets back out over the network. You can capture packets using a protocol analyzer, which is sometimes called sniffing or using a sniffer.

Promiscuous Mode

When using a protocol analyzer, you need to configure the network interface card (NIC) on the system to use promiscuous mode. Normally, a NIC uses non-promiscuous mode, and only processes packets addressed directly to its IP address. However, when you put it in promiscuous mode, it processes all packets regardless of the IP address. This allows the protocol analyzer to capture all packets that reach the NIC.

Room Answers

Room answers can be found here.

Video Walkthrough


Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan