Network Traffic Analysis - Course Outline

This course is designed for system/network administrators with an overall understanding of computer networking. At the end of this course, students will have a clear understanding of the TCP/IP protocol stack and the different application-level protocols, and will be able to capture live network traffic and perform various types of analysis on the captured traffic.

Prerequisites: Students should be familiar with the basic concepts of TCP/IP and IP addressing using the IPv4 protocol, and should have a basic understanding of the Linux operating system in order to use the various tools and methods discussed in this course.

Module 1 - TCP/IP Primer (12 hours)

This section is intended to be a crash course on the TCP/IP protocol family and to give the student an overall idea of the working internals of TCP/IP.

- Fundamental Protocols
  o IP Protocol
  o TCP Protocol
  o UDP Protocol
  o ICMP Protocol
  o ARP Protocol
- Application Protocols
  o DNS
  o DHCP
  o HTTP/HTTPS
  o FTP
  o SMTP/POP/IMAP
  o TELNET/SSH
  o H.323/SIP
  o RIP/OSPF/BGP
  o SMB/CIFS
  o SNMP
- Protocol Security
  Here we discuss the protocol weaknesses that result from the design or the misuse of each protocol. Given that most of these protocols were designed back in the 70s, some weaknesses have been there for ages; we look at how they are addressed (countermeasures will be discussed later). The importance of end-to-end encryption and end-to-end integrity checking is also discussed here.

Module 2 - Network Security Primer (9 hours)

- Internet Architecture
  Here we provide a blueprint of the Internet infrastructure and where the important protocols are used.
  o How Routing works
  o How the DNS infrastructure works
  o How NAT works
  o How Packet Filtering Firewalls work
  o How Intrusion Detection / Prevention Systems work
- Virtual Private Networks
  o Encryption Primer
  o Client / Server VPN
  o Site to Site VPN
  o Peer to Peer VPN
  o VPN Protocols
    IPSec
    PPTP/L2TP
    SSL VPN
    OpenVPN
    GRE/IPinIP
    Custom VPNs
    SSH as a VPN Protocol
    Combined VPN protocols
- Network Security Tools
  Here we introduce a few important network security tools. Students will be able to use these tools to audit and improve the security of their own network.
  o Basic tools: ping, dig, host, netstat, whois, traceroute
    Most people know these tools, but they don't know how, where and when to use them properly. Advanced tips will be provided on these tools.
  o nmap
    Using nmap to determine the available services and which OS is running on a remote host
  o Nessus
    Finding vulnerable services on a remote host
  o Netcat
    Creating network connections and interacting with network protocols
  o Kismet / Aircrack-ng
    Scanning and auditing the security of Wi-Fi networks, as well as traffic decryption

Module 3 - Traffic Capture and Analysis (21 hours)

- TCPDUMP
  Capturing live IP traffic
- ngrep
  Using ngrep to filter out certain packets and find specific information in live network traffic
- Wireshark
  Using Wireshark for network analysis
  o Module 1: Overview
    Network Analysis Overview
    Wireshark & Ethereal
    Special Capture Hardware
    Installation and first capture
  o Module 2: User Interface and Navigation
    View Panes
    Toolbar and Statusbar
    Decode and Hexview
    Column Configuration
    Searching in Tracefiles
    Using Display Filters
    Capture to Disk and Ring Buffer Capture
    Capture Filters
    Open, Save, Export, Print for captured network data
  o Module 3: Additional Configuration and Command Line Tools
    Name resolution: MAC, Network, Service
    GeoIP localization of IP addresses
    Colorization of packets with specific attributes
    TCP Protocol Reassembly for reconstructing content
    Wireshark Peculiarities: Checksum errors, wrong frame size readings
    Configuration profiles for keeping multiple settings
    Command line tools: tshark, mergecap, editcap, dumpcap
  o Module 4: Functions and Statistics
    Baselining the network
    Summary Statistics
    Endpoint List, Conversation List
    Protocol Hierarchy
    TCP Stream Graphs and Round Trip Time
    I/O Graph and Flow Graph
    The Wireshark Expert
    Service Response Time Statistics
  o Module 5: Analysis Fundamentals
    Network, Server, Client or Application
    Procedures to track down Problems
    Planning captures
    Point of Capture: HUB, SPAN
    Response Time, Overhead, Throughput
  o Module 6: Troubleshooting
    Troubleshooting Bottom-Up vs. Top-Down
    Proving the Opposite
    Correcting Problems
    Typical Network Problems Overview
    Application Design Errors
    Application Types: Throughput, Transaction, Stream
    Performance Parameters
    Measuring Bandwidth
    Response Times, Delay
    TCP Turns