Summary


Analyzing real-world packet captures is both a science and an art. A high-traffic network segment can present the analyzer with thousands of packets spanning hundreds of connections, sessions, and protocols. Ethereal’s built-in features, such as TCP session reconstruction, display filters, and packet colorization, help simplify the process of analyzing data. However, as with any skill, you must practice, practice, practice. Constantly analyzing network data will help you quickly assess what is normal and what is unusual behavior. If you don’t have the ability to analyze your own network traffic data, participate in the Honeynet Project Scan of the Month challenges. These challenges cover network traffic analysis, as well as malicious code, exploits, and methodology.

You should also become familiar with reading and interpreting hexadecimal output. This will come in handy when you are analyzing day-zero attacks, where you may have to implement your own custom signature. Intrusion detection systems often match a signature against the content of a packet expressed in hexadecimal.
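As an added illustration of that last point (example code written for this summary, not code from the book or from Ethereal), the script below takes a packet payload in the offset / hex bytes / ASCII layout that Ethereal's packet-bytes pane displays, recovers the raw bytes from it, and checks the payload against a content signature written in the |hex| notation used by Snort-style content rules (text outside the pipes is literal, text inside is hex). The sample dump is constructed for the example; the parser also verifies that each line's offset agrees with the bytes collected so far, which catches dumps mangled by copy-and-paste before a signature is built on bad data.

```python
import re

# Constructed sample payload in the offset / hex bytes / ASCII layout that
# Ethereal's packet-bytes pane uses. The data is made up for this example.
SAMPLE_DUMP = """\
0000  47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 74 65 73   GET /cgi-bin/tes
0010  74 2e 63 67 69 3f 69 64 3d 31 20 48 54 54 50 2f   t.cgi?id=1 HTTP/
0020  31 2e 30 0d 0a                                    1.0..
"""

# One dump line: 4-hex-digit offset, then 1..16 two-digit hex bytes, each
# followed by a space. The ASCII column is ignored; it is only a rendering.
_LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2} ){1,16})")


def parse_hexdump(dump: str) -> bytes:
    """Recover the raw bytes from a hex dump, checking that each line's
    offset matches the number of bytes already collected (catches lines
    dropped or wrapped by copy-and-paste)."""
    data = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable dump line: {line!r}")
        offset = int(m.group(1), 16)
        if offset != len(data):
            raise ValueError(
                f"offset {offset:#06x} but {len(data)} bytes seen so far")
        data += bytes.fromhex(m.group(2))  # fromhex ignores the spaces
    return bytes(data)


def parse_content(pattern: str) -> bytes:
    """Turn a Snort-style content string into bytes: text outside |...| is
    literal, text inside |...| is hex (e.g. 'GET |2f|cgi-bin|2f|')."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def find_content(payload: bytes, pattern: str) -> int:
    """Offset of the first match of `pattern` in `payload`, or -1."""
    return payload.find(parse_content(pattern))


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes back into the offset / hex / ASCII layout so a match
    offset can be located in the same view the analyst started from."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart}   {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    payload = parse_hexdump(SAMPLE_DUMP)
    print(hexdump(payload))
    # Constructed signatures: two that match the sample, one that does not.
    for sig in ("GET |2f|cgi-bin|2f|", "|0d 0a|", "|2f|admin|2f|"):
        print(f"{sig!r}: offset {find_content(payload, sig)}")
```

Because `find_content` works on raw bytes rather than on the ASCII column, a pattern that spans printable and non-printable bytes (such as the trailing `|0d 0a|`) is matched the same way an IDS content check would match it, rather than against the dots the ASCII column substitutes for non-printables.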

In this chapter we presented several different types of packet captures and the processes used to analyze the data. You should now understand the types of activity to look for in a packet capture and how to identify various types of network traffic. Combining this skill with the network troubleshooting methodology presented in Chapter 2 will help you detect, analyze, and respond quickly to the next major worm outbreak.


Ethereal Packet Sniffing (Syngress, 2004)
ISBN: 1932266828
Pages: 105
Authors: Syngress
