Question

In: Computer Science

Analyzing network traffic and understanding packets is an important task for IT security professionals. Illegitimate hackers also use network traffic to steal information and/or to learn about an organization's network infrastructure.

  • How can different methods of packet capture be useful and why might one be chosen over another?
  • How can understanding of the OSI model inform a discussion of packet capture?

Solutions

Expert Solution

Any network connected to the Internet is subject to cyber attacks. Strong security measures, forensic tools, and investigators together contribute to detecting and mitigating those attacks, reducing the damage and enabling the network to be restored to normal operation, thus increasing the cybersecurity of the networked environment. This paper addresses the use of a forensic approach with Deep Packet Inspection to detect anomalies in network traffic. As cyber attacks may occur on any layer of the TCP/IP networking model, Deep Packet Inspection is an effective way to reveal suspicious content in the headers or the payloads at any packet processing layer, excepting of course situations where the payload is encrypted. Although efficient, this technique still faces big challenges. The contributions of this paper rely on the association of Deep Packet Inspection with forensic analysis to evaluate different attacks towards a Honeynet operating in a network laboratory at the University of Brasilia. In this perspective, this work could identify and map the content and behavior of attacks such as the Mirai botnet and brute-force attacks targeting various network services. The obtained results demonstrate the behavior of automated attacks (such as worms and bots) and non-automated attacks (brute force conducted with different tools). The data collected and analyzed is then used to generate statistics on the usernames and passwords used, IP and service distribution, among other elements. This paper also discusses the importance of network forensics and Chain of Custody procedures to conduct investigations and shows the effectiveness of the mentioned techniques in evaluating different attacks in networks.

To fix this problem the International Organization for Standardization (ISO) researched different network models and the result is the OSI-model which was released in 1984. Nowadays most vendors build networks based on the OSI model and hardware from different vendors is compatible... excellent!

The OSI-model isn’t just a model to make networks compatible; it’s also one of the BEST ways to teach people about networks. Keep this in mind since when you are studying networking you will see people refer a lot to the OSI model.

Here’s what the OSI model looks like:

“All People Seem To Need Data Processing”

This is the OSI-model which has seven layers; we are working our way from the bottom to the top. Let’s start at the physical layer:

  • Physical Layer: This layer describes stuff like voltage levels, timing, physical data rates, physical connectors and so on. Everything you can “touch” since it’s physical.
  • Data Link: This layer makes sure data is formatted the correct way, takes care of error detection and makes sure data is delivered reliably. This might sound a bit vague, but for now, try to remember this is where “Ethernet” lives. MAC Addresses and Ethernet frames are on the Data Link layer.
  • Network: This layer takes care of connectivity and path selection (routing). This is where IPv4 and IPv6 live. Every network device needs a unique address on the network.
  • Transport: The transport layer takes care of transport. When you downloaded this lesson from the Internet the webpage was sent in segments and transported to your computer.
    • TCP lives here; it’s a protocol which sends data in a reliable way.
    • UDP lives here; it’s a protocol which sends data in an unreliable way.

I’m taking a short break here: the four layers I just described are important for networking, and the upper three layers are about applications.

  • Session: The session layer takes care of establishing, managing and terminating sessions between two hosts. When you are browsing a website on the Internet you are probably not the only user of the webserver hosting that website. This webserver needs to keep track of all the different “sessions”.
  • Presentation: This one will make sure that information is readable for the application layer by formatting and structuring the data. Most computers use the ASCII table for characters. If another computer used a different character set such as EBCDIC, then the presentation layer needs to “reformat” the data so both computers agree on the same characters.
  • Application: Here are your applications. E-mail, browsing the web (HTTP), FTP and many more.

“People Do Need To See Pamela Anderson”

This one normally gives me more smiles when I’m teaching CCNA in class and it’s another way to remember the OSI-Model.

P = Physical
D = Data Link
N = Network
T = Transport
S = Session
P = Presentation
A = Application

Remember that you can’t skip any layers in the OSI-model; it’s impossible to jump from the Application layer directly to the Network layer. You always need to go through all the layers to send data over the network.

Let’s take a look at a real-life example of data transmission:

  1. You are sitting behind your computer and want to download some files from a local webserver. You start up your web browser and type in the URL of your favorite website. Your computer will send a message to the web server requesting a certain web page. You are now using the HTTP protocol which lives on the application layer.
  2. The presentation layer will structure the information of the application in a certain format.
  3. The session layer will make sure to separate all the different sessions.
  4. Depending on the application, you want a reliable (TCP) or unreliable (UDP) protocol to transfer data towards the web server. In this case, it’ll choose TCP since you want to make sure the webpage makes it to your computer. We’ll discuss TCP and UDP later.
  5. Your computer has a unique IP address (for example 192.168.1.1) and it will build an IP packet. This IP packet will contain all the data of the application, presentation and session layer. It also specifies which transport protocol it’s using (TCP in this case) and the source IP address (your computer 192.168.1.1) and the destination (the web server’s IP address).
  6. The IP packet will be put into an Ethernet Frame. The Ethernet frame has a source MAC address (your computer) and the destination MAC address (web server). More about Ethernet and MAC addresses later.
  7. Finally, everything is converted into bits and sent down the cable using electric signals.

Once again, you are unable to “skip” any layers of the OSI model. You always have to work your way through ALL layers. If you want a real-life story converted to networking land just think about the postal service:

  1. First, you write a letter.
  2. You put the letter in an envelope.
  3. You write your name and the name of the receiver on the envelope.
  4. You put the envelope in the mailbox.
  5. The content of the mailbox will go to the central processing office of the postal service.
  6. Your envelope will be delivered to the receiver.
  7. They open the envelope and read its contents.

If you put your letter directly in the mailbox, it won’t be delivered, unless someone at the post office is friendly enough to deliver it anyway; in network-land it doesn’t work this way! Going from the application layer all the way down to the physical layer is what we call encapsulation. Going from the physical layer and working your way up to the application layer is called de-encapsulation.

Now you know about the OSI-model, the different layers and the function of each layer. During peer-to-peer communication, each layer has ‘packets of information’. We call these protocol data units (PDU). Now every unit has a different name on the different layers:

  • Transport layer: Segments; For example, we talk about TCP segments.
  • Network layer: Packets; For example, we talk about IP packets here.
  • Data link layer: Frames; For example, we talk about Ethernet frames here.

This is just terminology, so don’t mix up talking about IP frames and Ethernet packets.
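The encapsulation walkthrough and the PDU names above, as an added Python example that is not part of the original answer: encapsulate() wraps an HTTP request into a TCP segment, an IP packet and an Ethernet frame, and decapsulate() takes the frame apart again the way a capture tool must, verifying the IPv4 header checksum on the way. The IP addresses (192.168.1.1 and 192.168.1.10), MAC addresses and port numbers are constructed for the example.

```python
import socket
import struct

# Constructed sample values (not from the page): your computer 192.168.1.1 talks
# to a local web server at 192.168.1.10; the MAC addresses are made up.
SRC_MAC = bytes.fromhex("0200000000aa")
DST_MAC = bytes.fromhex("0200000000bb")
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n"
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/IHL, TOS, length, id, flags/frag, TTL, proto, checksum, src, dst

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; returns 0 for a valid received header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(app_data: bytes) -> bytes:
    """Layers 7 -> 2: application data -> TCP segment -> IP packet -> Ethernet frame."""
    # Transport: 20-byte TCP header, port 51515 -> 80, data offset 5, flags PSH|ACK.
    # The TCP checksum is left at 0 to keep the example short (constructed, not valid).
    segment = struct.pack("!HHIIBBHHH", 51515, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + app_data
    # Network: IPv4 header with protocol 6 (TCP); checksum is computed with the field zeroed.
    fields = [0x45, 0, 20 + len(segment), 1, 0x4000, 64, 6, 0,
              socket.inet_aton("192.168.1.1"), socket.inet_aton("192.168.1.10")]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))
    packet = struct.pack(IPV4_HDR, *fields) + segment
    # Data link: Ethernet II header, EtherType 0x0800 = IPv4. Layer 1 (bits) is the NIC's job.
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + packet

def decapsulate(frame: bytes) -> dict:
    """Layers 2 -> 7, as a capture tool sees it: frame -> packet -> segment -> data."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: EtherType 0x%04x" % ethertype)
    packet = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes (options included)
    checksum_ok = ipv4_checksum(packet[:ihl]) == 0  # a corrupted header will not sum to zero
    segment = packet[ihl:total_len]
    sport, dport, _, _, data_off, flags = struct.unpack("!HHIIBB", segment[:14])
    data = segment[(data_off >> 4) * 4:]
    return {"frame": {"dst_mac": dst.hex(":"), "src_mac": src.hex(":")},
            "packet": {"src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d), "ttl": ttl,
                       "protocol": proto, "checksum_ok": checksum_ok},
            "segment": {"src_port": sport, "dst_port": dport, "flags": flags},
            "data": data}
```

Flipping any byte of the IP header in the frame makes checksum_ok come back False, which is the kind of sanity check a capture tool applies before trusting a packet's fields.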
