Protocol Analysis: Onsite Case Studies

Transcription

1 Protocol Analysis: Onsite Case Studies Laura Chappell Sr. Protocol Analyst, Founder Protocol Analysis Institute

2 The Case Studies Case Study #1: The Network is Slow Case Study #2: The Network is Slow Case Study #3: Internet Access is Slow

3 The Top 10 reasons to analyze your network traffic

4 Top 10 reasons to analyze your network traffic: 6. Justify buying the most expensive damned laptop available. 7. Find out if the CEO actually uses the network. 8. See who s breaking into your Windows XP systems today. 9. Figure out how that big fat packet fits through that little tiny cable. 10. Learn what the really hot porno sites are.

5 Top 10 reasons to analyze your network traffic: 1. Look for a Microsoft product that actually works! 2. Call yourself a sniffer without getting a sexual harassment writeup. 3. Alter stock quote packets to control the company mood. 4. Intimidate your boss with hex code Have a sociallyacceptable reason to ping someone.

6 The Onsite Process Prerequisites 4 Prime directive 4 Network map 4 Tap-in point information Process 4 The Laying On Of Hands 4 Latency tests 4 The client bootup/login analysis process 4 The application analysis process

7 Typical Network Map

8 Case Study #1: The Network Is Slow Define slow? Slow for whom? Application-specific? Network segment-specific? Intermittent? Constant? Can you replicate the problem? Lousy stinky Everyone All Nope Constant Yes

9 Slow Is Relative What do we expect on a LAN? What do we expect on a WAN? What does the CEO expect? HH:MM:SS.mmm.yyy 4 Where HH = hours MM = minutes SS = seconds Switch IP Router mmm = milliseconds (thousandths of a second) yyy = microseconds (millionths of a second) Switch IP Router Switch

10 Test Your Own Latency 4 Perform local latency tests 4 Perform remote latency tests NetDoppler (WildPackets)

11 Ok A Better Network Diagram All Users Off Switches Fourth Floor All Users Off Switches Third Floor All Users Off Switches Second Floor All Users Off Switches First Floor Switch Router Servers Is latency due to Client configurations Switch overload Router buffering Server delays Media faults Other? Hub Firewall/ Router Internet Internet T1 Links

12 Laying On Of Hands Broadcast/multicast storms? Excessive ICMP traffic? Rogue traffic? General network conditions? Server delay packets (spanning required)? Retransmissions-media faults (spanning required)?

13 Performing The Client Analysis Bootup slow? Login slow? Application slow? IP Router Switch IP Router Switch Switch

14 The Application Analysis Form On Laura s Lab Kit Simple format DON T TOUCH THE KEYBOARD!

15 Elsie s Login Sequence Look for time irregularities. Delta/interpacket: Time from end of one packet to end of next packet. Relative: Relative to first or marked packet.

16 Look for Consistencies First look for other time problems Then look for the surrounding packets 18 second delay every 90 seconds (approx.) - all users -

17 Work Backwards To ID Process In this case, a UDP transmission was triggered by a local application looking for a remote service that did not exist at the destination IP address. SAP for service DNS name resolution Lab server answers Client babbles away

18 Keep Those Traces! Great evidence! Fun reading! Good jokes at bars!

19 Case 2: The Network Is Slow Again! Define slow? Slow for whom? Application-specific? Network segment-specific? Intermittent? Constant? Can you replicate the problem? Irritating Scattered users All Nope Intermittent Probably

20 Laying On Of Hands Broadcast/multicast storms? Excessive ICMP traffic? Rogue traffic? General network conditions? Server delay packets (spanning required)? Retransmissions-media faults (spanning required)?

21 Check Out The Broadcasts How effective are broadcast attacks?

22 Watching The Client At Idle Yipes is the NetWare client the killer app? Server hit 100% This problem moved around

23 Compare to Other Clients Configuration? OS? Applications? Is this client unique? If so, why? Checks out Several Variety Somewhat NFS client piece old and unnecessary

24 Keep That Trace! More laughs at the bar Some tears

25 Case Study #3: Internet Access Is Slow Define slow? Slow for whom? Application-specific? HTTP v. FTP Network segment-specific? Intermittent? Constant? Can you replicate the problem? Unusable Everyone All Nope Constant Yes, damn it now fix it!

26 Laying On Of Hands Broadcast/multicast storms? Excessive ICMP traffic? Rogue traffic? General network conditions? DNS faults? TCP faults? Retransmissions-media faults (spanning required)?

27 Proxy Firewall Configuration Private-side of network switch Proxy/ Firewall Public-side of network Hub Router Hub Analyzer #2 Client Analyzer #1

28 Checking The Client Side

29 Outside Proxy Firewall

30 Correlating The Traffic

31 Identifying The Area Of Fault The moral 4 You can t always pinpoint the exact cause 4 You can usually pinpoint the area of fault

32 In Summary Document your network behavior now Get the analyzer out Learn to perform application analysis Use the time columns to find slow points Know your switch span/mirror commands Learn analysis!

33 Laura Chappell s US/Canada Hands-On Roadshow! Get hands-on experience with many tools and analysis techniques for analysis and security! Washington, DC April 1-2 Chicago April 4-5 Seattle April 8-9 Atlanta April Boston May 2-3 Dallas May Houston May San Jose May San Francisco June 4-5 Minneapolis June Phoenix June San Diego June Toronto July 8-9 Vancouver July St. Louis July Los Angeles July Honolulu July New York City August 5-6 Hands-On Classes! Register NOW!

34