From the course: Wireshark: Malware and Forensics

Baseline your network - Wireshark Tutorial

Baseline your network

- [Narrator] Today's networks face numerous threats, such as malware, denial of service, port scanning, covert channels, and data exfiltration. Every year, hackers release millions of new virus signatures. Unknown signatures and polymorphic viruses can escape detection. Yahoo gets the top spot on the list of security breaches. As of 2016, hackers obtained over a billion accounts. In 2017, Equifax revealed a data breach that compromised the personal information of 143 million Americans. The fact is, in nearly 7% of the cases, the breach goes undiscovered for more than a year. That is why network traffic analysis at the packet level is necessary, as it can identify many different threats and attacks that could remain unnoticed by antivirus and antimalware software.

It's essential to understand what your network looks like when it's healthy so you can determine if it's sick. That is what baselining is all about. A baseline is a snapshot of network traffic during a particular window of time using Wireshark or TShark. Characteristics can include utilization, network protocols, and latency issues. The network team can use the baselines for forecasting and planning, along with optimization, tuning, and troubleshooting. Although you may be tempted to do a large capture, Wireshark has size limitations on effectively analyzing a packet capture. I generally suggest you limit your capture to around 1,000 packets. That way you can have a consistent size when comparing. When you do your first baseline, the entire process might take a while. That is mainly because you'll need a procedure for gathering and a repository for storing the captures.

The baseline process goes through several stages: plan, capture, analyze, and save. First, plan by making a network map and list all of the subnetworks that you want to baseline. You also should include VoIP VLANs. That's mainly because VoIP traffic is much more sensitive to latency, jitter, and packet loss than typical network applications, and it's common that you will be troubleshooting your VoIP traffic more often to ensure quality of service. Then you'll capture the network traffic. Now the goal, when possible, is to tap into the network so that you're able to view all of the traffic. Take a moment and document how you did the capture, where, what time of day it was, and what equipment you used during the capture. The key is to be as consistent as possible so you compare apples to apples. Then you'll want to analyze the capture. Once it's captured, take a quick look and see if anything stands out as unusual or suspicious. Finally, log your captures. Have a location and format to document your findings. You can use either a spreadsheet or a database. You'll want a consistent and searchable format so you can reference them later. It's important to baseline your network using Wireshark or TShark so you can use the baselines for forecasting and planning, along with optimization, tuning, and troubleshooting.
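The plan / capture / analyze / save cycle above, carried through as an added example (this is not code from the course). The script caps each capture at 1,000 packets so baselines stay the same size, records the capture metadata the narrator asks for (where, when, what equipment) alongside the protocol mix, saves the result as JSON, and flags protocols in a later capture that are new or whose share of packets has shifted. The two pcaps it reads are constructed inline so it runs offline; the metadata values, the 10% shift threshold and the `frame`/`pcap` builders are assumptions for the demo, not a standard.

```python
import json
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
PACKET_LIMIT = 1000  # consistent capture size, per the course's ~1,000-packet advice


def parse_pcap(data: bytes, limit: int = PACKET_LIMIT):
    """Yield (timestamp, frame) from a classic little-endian pcap, at most `limit` records."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    offset, count = 24, 0
    while offset + 16 <= len(data) and count < limit:
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len
        count += 1


def classify(frame: bytes) -> str:
    """Coarse protocol label for an Ethernet frame, e.g. 'tcp/443', 'udp/53', 'arp'."""
    if len(frame) < 14:
        return "runt"
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_ARP:
        return "arp"
    if ethertype != ETHERTYPE_IPV4:
        return f"eth_{ethertype:04x}"
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[14 + 9]                 # IPv4 protocol field
    name = IP_PROTO_NAMES.get(proto, f"ip_{proto}")
    if name in ("tcp", "udp") and len(frame) >= 14 + ihl + 4:
        (dport,) = struct.unpack_from("!H", frame, 14 + ihl + 2)
        return f"{name}/{dport}"
    return name


def baseline(data: bytes, meta: dict) -> dict:
    """Summarize one capture: capture metadata plus packet/byte totals and protocol mix."""
    counts, total_bytes, times = Counter(), 0, []
    for ts, frame in parse_pcap(data):
        counts[classify(frame)] += 1
        total_bytes += len(frame)
        times.append(ts)
    n = sum(counts.values())
    return {
        "meta": meta,  # where, time of day, equipment: document it every time
        "packets": n,
        "bytes": total_bytes,
        "duration_s": (max(times) - min(times)) if times else 0.0,
        "protocol_share": {k: v / n for k, v in counts.items()},
    }


def compare(base: dict, current: dict, threshold: float = 0.10) -> list:
    """Flag protocols that are new, or whose share of packets moved more than `threshold`."""
    findings = []
    for key in sorted(set(base["protocol_share"]) | set(current["protocol_share"])):
        b = base["protocol_share"].get(key, 0.0)
        c = current["protocol_share"].get(key, 0.0)
        if b == 0.0 and c > 0.0:
            findings.append(f"new: {key} ({c:.0%} of packets)")
        elif abs(c - b) > threshold:
            findings.append(f"shift: {key} {b:.0%} -> {c:.0%}")
    return findings


# --- constructed sample captures (synthetic frames, not real traffic) ---------
def frame(ip_proto: int, dport: int) -> bytes:
    """Ethernet + IPv4 + minimal L4 header carrying the given destination port."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", 40000, dport) + b"\x00" * 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, ip_proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


def pcap(frames, start_ts: int = 1700000000) -> bytes:
    """Wrap frames in a classic pcap (linktype 1 = Ethernet), one second apart."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", start_ts + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


HEALTHY_PCAP = pcap([frame(6, 443)] * 6 + [frame(17, 53)] * 2 + [frame(6, 80)] * 2)
LATER_PCAP = pcap([frame(6, 443)] * 4 + [frame(17, 53)] * 2 + [frame(6, 80)] * 2 + [frame(6, 22)] * 2)


def run_demo() -> list:
    """Baseline the healthy capture, save it as JSON, then compare the later capture to it."""
    meta = {"segment": "10.0.0.0/24", "tap": "SPAN port, core switch",   # placeholder values
            "when": "Tue 09:00", "tool": "tshark -c 1000"}
    saved = json.dumps(baseline(HEALTHY_PCAP, meta))   # what goes into the baseline repository
    return compare(json.loads(saved), baseline(LATER_PCAP, meta))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On real traffic, feed `baseline()` the bytes of a capture written in classic pcap format (for example `tshark -i eth0 -c 1000 -F pcap -w baseline.pcap`, since TShark otherwise writes pcapng, which this minimal parser does not read), and keep the JSON records in the spreadsheet or database you use as your baseline log so later captures can be compared against the same segment, tap point and time of day.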
