Network protocol analyzers are essential to running and maintaining any serious honeypot system. A network protocol analyzer captures network traffic and displays it in a logical format so the captured information can be interpreted. There are dozens of network analyzers to choose from, but they all basically work the same way: you install the analyzer, capture the traffic passing by it, and analyze the results. Here are the basic steps:
Place the network protocol analyzer on the network with a connection type that ensures that it can physically intercept the packets it’s being asked to grab. Make sure that your network interface card is using a promiscuous mode packet driver.
Install and execute the network protocol analyzer.
Select which network interface adapter card to use if multiple adapters exist.
Define what traffic to capture.
Define which layer 2 frame protocols (802.3, Ethernet II, 802.11, and so on) to capture.
Define which layer 3 protocols (IP, ICMP, IPX, NetBIOS, AppleTalk, and so on) to capture.
Define which network addresses to capture, identified by MAC address or by network-protocol address (such as an IP address).
Define which upper-layer protocols (DNS, FTP, HTTP, and so on) to capture.
Define which packet data to capture. For example, you might want all packets or just packets with the word password in the data payload field.
Or just accept the default and capture everything.
Capture traffic. Usually, this process must be turned on and off; it’s not automatic. However, many network analyzers can be configured to trigger (start capturing) when they detect predefined network traffic patterns.
In this case, you want to capture all traffic headed to and from your honeynet, regardless of protocol or data contents. You want to capture everything, although later on, you can apply filters to organize different streams of data into more readable, logical subsets.
Picking what traffic to capture isn’t always as easy as it seems. In December 2002, the Honeynet Project ran into a problem when a malicious hacker seemed to be using a new form of encryption, hampering packet payload reading. It turns out the hacker was using IPv6 packets tunneled in IPv4 traffic (4over6). Once the honeypot administrators figured this out, it was as simple as updating Snort and Ethereal to capture and decode the new protocol.
Most network protocol analyzers share a common feature set and look. When you start them, you need to choose a network interface card to capture packets and define what packets to capture (called a filter). You start capturing, either manually or due to some predefined event, and packets are stored in memory or to a file.
When you’re analyzing the captured packets, the main part of the screen shows a summary of each packet. Packets are numbered and timestamped according to when they were captured. Packet summaries usually include the protocol, source IP address, source port, destination IP address, destination port, data payload size, and a partial data listing. Other screens show the details of the packet currently selected in the main window.
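The following Python program is an added example, not code from the book or from Ethereal or Snort. It ties together three passages above: the capture-filter criteria in the step list (layer-2 frame type, layer-3 protocol, address, upper-layer port, payload content such as the word "password"), the IPv6-tunneled-in-IPv4 case that hid payloads from the Honeynet Project, and the per-packet summary layout just described. It decodes constructed Ethernet/IPv4/IPv6/TCP frames with nothing but the standard library, so it runs offline. All frames, addresses and port numbers are constructed for the example; IP and TCP checksums are left at zero and are not validated, and the decoder follows IP protocol number 41 into the inner IPv6 packet instead of treating those bytes as opaque payload.

```python
"""Toy capture filter and packet summarizer (added example, not from the book)."""
import ipaddress
import struct

ETH_IPV4, ETH_IPV6, ETH_ARP = 0x0800, 0x86DD, 0x0806
IP_ICMP, IP_TCP, IP_UDP, IP_IPV6_ENCAP = 1, 6, 17, 41   # 41 = IPv6 carried inside IPv4
PORT_NAMES = {21: "FTP", 53: "DNS", 80: "HTTP"}            # upper-layer protocol by well-known port


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


# --- builders for the constructed sample frames (checksums left as zero) ---
def build_eth(ethertype, payload):
    return mac("00:11:22:33:44:55") + mac("66:77:88:99:aa:bb") + struct.pack("!H", ethertype) + payload


def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_hdr, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, payload):
    # seq=1, ack=1, data offset 5 (20-byte header), flags PSH|ACK, window, checksum 0, urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


# --- decoder ---
def parse_l4(proto, data):
    """Return (name, sport, dport, payload); ports are None for non-TCP/UDP."""
    if proto == IP_TCP:
        sport, dport = struct.unpack("!HH", data[:4])
        return "TCP", sport, dport, data[(data[12] >> 4) * 4:]
    if proto == IP_UDP:
        sport, dport = struct.unpack("!HH", data[:4])
        return "UDP", sport, dport, data[8:]
    if proto == IP_ICMP:
        return "ICMP", None, None, data
    return "IP-proto-%d" % proto, None, None, data


def parse_ip(data, ethertype, tunneled=False):
    if ethertype == ETH_IPV4:
        ihl, total, proto = (data[0] & 0x0F) * 4, struct.unpack("!H", data[2:4])[0], data[9]
        src, dst = str(ipaddress.IPv4Address(data[12:16])), str(ipaddress.IPv4Address(data[16:20]))
        body, l3 = data[ihl:total], "IPv4"
        if proto == IP_IPV6_ENCAP:
            # The case from the text: decode the inner IPv6 packet and remember the outer addresses.
            inner = parse_ip(body, ETH_IPV6, tunneled=True)
            inner["outer"] = (src, dst)
            return inner
    elif ethertype == ETH_IPV6:
        plen, proto = struct.unpack("!HB", data[4:7])
        src, dst = str(ipaddress.IPv6Address(data[8:24])), str(ipaddress.IPv6Address(data[24:40]))
        body, l3 = data[40:40 + plen], "IPv6"
    else:
        raise ValueError("not an IP ethertype")
    name, sport, dport, payload = parse_l4(proto, body)
    return {"l3": l3, "proto": name, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": payload, "tunneled": tunneled, "outer": None}


def parse_frame(raw):
    """Decode one Ethernet II frame into a flat summary dict."""
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype in (ETH_IPV4, ETH_IPV6):
        pkt = parse_ip(raw[14:], ethertype)
    else:   # non-IP frame (ARP here): nothing above layer 2/3 to decode
        pkt = {"l3": "ARP" if ethertype == ETH_ARP else "0x%04x" % ethertype, "proto": None,
               "src": None, "dst": None, "sport": None, "dport": None, "payload": raw[14:],
               "tunneled": False, "outer": None}
    pkt["l2"] = "Ethernet II"
    return pkt


def matches(pkt, l3=None, proto=None, host=None, port=None, payload_contains=None):
    """Capture-filter check; host also matches the outer IPv4 addresses of a tunneled packet."""
    hosts = {pkt["src"], pkt["dst"]} | set(pkt["outer"] or ())
    return ((l3 is None or pkt["l3"] == l3) and (proto is None or pkt["proto"] == proto)
            and (host is None or host in hosts) and (port is None or port in (pkt["sport"], pkt["dport"]))
            and (payload_contains is None or payload_contains in pkt["payload"]))


def summarize(frames):
    """One numbered, timestamped summary line per frame, in the style the text describes."""
    lines = []
    for n, (delta, raw) in enumerate(frames, 1):
        p = parse_frame(raw)
        app = PORT_NAMES.get(p["dport"]) or PORT_NAMES.get(p["sport"]) or p["proto"] or p["l3"]
        tun = " (IPv6 tunneled in IPv4 %s->%s)" % p["outer"] if p["tunneled"] else ""
        lines.append("%3d %8.3f %s %s%s %s %s:%s -> %s:%s len=%d %r" % (
            n, delta, p["l2"], p["l3"], tun, app, p["src"], p["sport"], p["dst"], p["dport"],
            len(p["payload"]), p["payload"][:16]))
    return lines


# Constructed sample capture: (seconds since capture start, raw frame bytes)
FRAMES = [
    (0.000, build_eth(ETH_IPV4, build_ipv4("10.0.0.5", "192.168.1.10", IP_TCP,
                                           build_tcp(40000, 21, b"USER admin\r\nPASS password\r\n")))),
    (1.250, build_eth(ETH_IPV4, build_ipv4("10.0.0.5", "192.168.1.10", IP_IPV6_ENCAP,
                                           build_ipv6("2001:db8::5", "2001:db8::10", IP_TCP,
                                                      build_tcp(40001, 80, b"GET / HTTP/1.0\r\n\r\n"))))),
    (2.003, build_eth(ETH_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(20))),
]

if __name__ == "__main__":
    for line in summarize(FRAMES):
        print(line)
    print("packets with 'password' in payload:",
          [i + 1 for i, (_, raw) in enumerate(FRAMES) if matches(parse_frame(raw), payload_contains=b"password")])
```

Capturing everything (the default the text recommends for a honeynet) is what `summarize` does; `matches` is the filter you apply afterwards to pull out subsets. The tunneled frame is the reason to decode rather than just match bytes: a filter on `host="10.0.0.5"` still finds it because the outer addresses are kept, while a payload filter for "password" correctly reports only the FTP frame.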
Ethereal is a powerful protocol analyzer and has a great representative feature set. We’ll look at those features in the next section.