Packet analysis has always been an integral part of any network audit. This
month we look at a packet analyzer tool that provides real-time analysis of the
network, with easy-to-understand and informative reports. You can monitor
network traffic for bandwidth usage, errors and other events, and capture
traffic from multiple adapters simultaneously. You can also view the analyzed
data of FTP transfers, HTTP requests, e-mail messages and so on, and the tool
can log the attachments coming through e-mail. This feature is useful for
keeping a check on e-mail-borne virus attacks on the network.
To capture packets, you need to create or open a project. The tool divides
each project into three groups: Protocol Explorer, Physical Explorer and IP
Explorer. The Protocol Explorer provides diagnosis and information related to
protocols; Physical Explorer provides information about local segments,
gateways, broadcast and multicast addresses; while IP Explorer lists information
according to local subnets, Internet addresses, etc.
You can have multiple projects running at the same time, and information related
to these can be saved (including the packets captured by them) for analysis.
Step 1: Diagnosis
Like other network analyzers, this software too comes with filters to help you
catch the required packets. You can choose to use its default global or project
specific filters, or create your own filters. When you start capturing packets
for the first time, it opens its Project Settings window. Here you choose
which network adapters you want to use, which filters to apply for packet
capturing, and what logs the tool should create while capturing packets.
On the Diagnosis tab of the Settings window, you can choose what kind of
diagnosis the software should perform on the network. By default it comes with
a list of known events, categorized by OSI layer: application layer, transport
layer, network layer and data link layer. You choose the type of diagnosis the
packet analyzer should perform by selecting from these events, or you can
create your own customized events.
Select the machine where you want to deploy the application from the Machine Tree on the left. Drag it to the Machine Queue window on the right
The live status of packets captured, lost and rejected, buffer usage, etc. is
shown at the bottom left corner under Project Status. One good thing about this tool
is that for analyzing captured traffic, you don't have to stop capturing
packets. The same can be done in real time. Now, to start analyzing, browse to
the Summary tab, where you can see a summary of network events. For details,
click on the Diagnosis tab. Here you can see errors and warnings flashing on
your screen, as and when they occur. The details of the events are shown
according to the diagnosis events chosen by you earlier. It will also show the
count of the number of times a particular event has occurred. Click on the
References tab to see details of the event.
Step 2: Analysis
To see the graphs of the network events, click on the Graphs tab. Here you can
see live graphs related to network utilization, packet size distribution,
errors, etc.
In the Diagnosis tab you can view a detailed analysis of the problems in your network
It also shows TCP analysis, E-mail analysis, FTP analysis and HTTP analysis
through these graphs. You can also compare two graphs. For this, select a graph,
click on the Compare Mode button and choose the other graph with which you want
to compare. The live IP Matrix of the network can also be viewed. Click on the
Matrix tab and choose the traffic types you want to include. Also choose whether
you want to see the IP Matrix of all nodes or only the top nodes.
Step 3: TCP reconstruction
Packet Analyzer can reconstruct a TCP conversation that has taken place between
two end points. This can be done by clicking on the Conversation tab and by
choosing TCP. Select an item from the list of conversations. Now click on the
Stream tab. This will open conversation details including streams and logs in
plain text format. Similarly, if you want to view an HTTP conversation, choose
an HTTP conversation from the packet's sub-view and click on the Stream tab.
Here, it will show the data of all conversations, including URLs, .css and .js
files. Unfortunately, it doesn't have an option to decrypt the encrypted data.
Packet Analyzer can easily reconstruct a TCP conversation that has taken place between two end points
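How a plain-text Stream view like the one described above can be produced from captured segments, as an added example that is not part of the original article or the tool's own code: it orders one direction of a TCP conversation by sequence number, discards retransmitted bytes, marks holes left by lost or uncaptured segments, and pulls the request URLs out of the client side. The addresses, ports and payloads are constructed sample data.

```python
from collections import defaultdict

# Constructed capture of one HTTP exchange as (src, dst, seq, payload). The
# server's reply arrives out of order and its first segment is retransmitted.
SEGMENTS = [
    ("10.0.0.5:51000", "93.184.216.34:80", 1000, b"GET /index.html HTTP/1.1\r\n"),
    ("10.0.0.5:51000", "93.184.216.34:80", 1026, b"Host: example.com\r\n\r\n"),
    ("93.184.216.34:80", "10.0.0.5:51000", 5017, b"Content-Type: text/html\r\n\r\n<html>"),
    ("93.184.216.34:80", "10.0.0.5:51000", 5000, b"HTTP/1.1 200 OK\r\n"),
    ("93.184.216.34:80", "10.0.0.5:51000", 5000, b"HTTP/1.1 200 OK\r\n"),  # retransmit
]

def reassemble_direction(segs):
    """Order one direction by seq, drop already-seen bytes, mark holes.
    Returns (stream bytes, number of holes)."""
    data, holes, expected = bytearray(), 0, None
    for seq, payload in sorted(segs):
        if expected is None:
            expected = seq
        if seq < expected:       # retransmission/overlap: keep only new bytes
            payload = payload[expected - seq:]
            seq = expected
        elif seq > expected:     # hole: segment lost or never captured
            holes += 1
            data += b"[%d bytes missing]" % (seq - expected)
            expected = seq
        data += payload
        expected += len(payload)
    return bytes(data), holes

def reassemble(segments):
    """Group segments by (src, dst): one plain-text stream per direction."""
    by_direction = defaultdict(list)
    for src, dst, seq, payload in segments:
        by_direction[(src, dst)].append((seq, payload))
    return {k: reassemble_direction(v) for k, v in by_direction.items()}

def request_urls(client_stream):
    """Extract 'METHOD http://host/path' from a reassembled client stream."""
    urls, method, path = [], None, None
    for line in client_stream.split(b"\r\n"):
        if line.startswith((b"GET ", b"POST ", b"HEAD ")):
            method, path = line.split(b" ")[:2]
        elif line.lower().startswith(b"host:") and method:
            host = line.split(b":", 1)[1].strip()
            urls.append(b"%s http://%s%s" % (method, host, path))
            method = None
    return [u.decode() for u in urls]
```

Because reassembly works only on cleartext payloads, a TLS-protected conversation comes out as opaque bytes, which is the same limit the article notes for encrypted data.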
Step 4: Reports
Packet Analyzer creates separate reports for each project. By default it creates
reports of diagnosis events, protocol statistics, top ten IP protocols, physical
addresses, IP addresses, etc. To view reports click on the Reports tab and on
the new screen click on the report that you want to see.
These reports can also be saved separately in HTML format. One of the drawbacks
of this tool is that it doesn't let you create your own reports.
You can view real-time reports about the network such as network traffic and node behavior
However, you can customize its default reports template. For this, go to the
Reports tab and click on the Options button. In the window that pops up, choose
the reports that you want to see and also how you want to see them.