Publication
Featured research published by Umer Khan.
Archive | 2002
Robert J. Shimonski; Wally Eaton; Umer Khan; Yuri Gordienko
Sniffer Pro can be used to hack a network, and this chapter looks at the analysis of viruses and worms, Telnet, SNMP, e-mail, and any other clear-text password protocol and its dangers. A Domain Name System (DNS) zone transfer capture is examined along with eavesdropping and replaying. It is demonstrated how the SCP can use Sniffer Pro to examine a network vulnerability in the same way an evidence technician would use a microscope to examine a crime scene. The power of this tool lies in its ability to capture and analyze data to as fine a granularity as desired. The latest threat to the internet and some of the emerging issues of concern to corporate chief security officers as well as system administrators have been covered. DNS vulnerabilities, including the topics of zone transfer reconnaissance and DNS cache poisoning, have been examined. The chapter also looks at SMB signing as a means to prevent man-in-the-middle attacks.
Sniffer Pro Network Optimization and Troubleshooting Handbook | 2002
Robert J. Shimonski; Wally Eaton; Umer Khan; Yuri Gordienko
and toolbars Sniffer Pro offers. In learning how to use this interface, the chapter focuses on the navigation of the product. Sniffer Pro is a graphical user interface (GUI) network analyzer that includes a DHTML-based Dashboard. The Sniffer Pro Dashboard consists of gauges that display utilization and error statistics, a Detail tab that displays a tabular view with detailed statistics on network utilization, size distribution, and errors, topology-specific tabs that display tabular views with detailed statistics, and customizable graphs that show network utilization, errors, and size distribution. The Detailed Errors section provides a breakdown of the errors that are shown on the errors-per-second dial. These errors include CRCs, runts, oversizes, fragments, jabbers, alignment errors, and collisions. Sniffer Pro provides monitor applications that run in promiscuous mode to gather statistical information from the network and calculate and display these statistics in real time. The monitor applications do not require data capture. The software also provides a number of additional tools that aid in troubleshooting, such as Packet Generator, the Address Book, and the ping, Trace Route, DNS lookup, finger, and Who Is utilities. The Sniffer Pro Expert analyzes data in real time to find objects, symptoms, and diagnoses on the network.
Sniffer Pro Network Optimization and Troubleshooting Handbook | 2002
Robert J. Shimonski; Wally Eaton; Umer Khan; Yuri Gordienko
This chapter ties up the different concepts covered by looking at how to use all the features of Sniffer Pro to find a problem on the network and optimize it with those findings. A final topical look is offered at Network and Protocol Analysis using the Sniffer Pro LAN Analyzer, as well as a review of some of the very important skills. Speed is the most noticeable element to users and a perceived lack of it will often be the source of troubleshooting efforts. By using base-lining, a point of normal operating performance can be set, which is the first step in discovering network problems. It can be used to set reasonable expectations for the users. Reliability is another key element. It is crucial that network professionals maintain a stable network that people can trust to be there when needed. Security has always been a top priority for network support professionals. Losing control of how the network is being used or who is using it means losing control of the network completely. Many networks are the result of many hands and many long-gone network designers.
Sniffer Pro Network Optimization and Troubleshooting Handbook | 2002
Robert J. Shimonski; Wally Eaton; Umer Khan; Yuri Gordienko
This chapter shows some of the additional, but usually unexplored, functionalities of Sniffer Pro. Triggers allow automating Sniffer Pro operations to look for and monitor network events, even when the program is not being operated by personnel. Triggers can be used to raise an alert when potential network errors are manifested or when Sniffer Pro identifies a trend that is alarmed. Triggers can operate only one at a time and a new triggered capture cannot be initiated until the currently active triggered capture is stopped. They can be defined to start and stop an automated capture. Captures copy the packets that are being transmitted over the network, whereas monitor sessions only retain the statistical information and measurements of capture sessions. The trigger graphics outline provides a graphical display of the current trigger configuration. This display is useful for quickly identifying the triggers that are engaged and whether repeat mode is active. Alarms are used to identify that an event threshold or network condition has occurred during a capture sequence. The Alarm Monitor is always active during a capture sequence and does not need special configurations to begin monitoring events. Sniffer Pro can be configured to trigger external actions based on the severity of an alarm. These notifications can be used to alert staff and third-party applications of a detected symptom or condition. Sniffer Pro can notify of an alarm by sounding an audible alarm, sending an e-mail, calling a beeper, sending an alarm message to a pager, and/or starting a Visual Basic script to open a third-party application or send an alarm to a monitoring agent such as an SNMP console.
Sniffer Pro Network Optimization and Troubleshooting Handbook | 2002
Robert J. Shimonski; Wally Eaton; Umer Khan; Yuri Gordienko
This chapter provides information about the fundamentals of building filters for network traffic capture and analysis. One of the common problems technicians face is how to understand and build filters. It looks easy: patterns are built and offsets are used. In the data transmission environment, filtering becomes very important when it comes to the search and use of specific information hidden in the midst of unimportant data. One of the most difficult and significant tasks involved in working with Sniffer Pro is to define the right filter, which will save a great deal of time when it comes to detecting a problem on the network or analyzing data that have been captured using a particular filter. Traffic can be filtered based on Layer 2 and Layer 3 addresses, protocol types, and/or data patterns. To access and use the predefined filters, a sample profile has to be copied and saved as a new one. Profiles are special units in which Sniffer Pro stores filters, and each filter has its own profile. New profiles can be created from the Monitor, Capture, and Display menus, depending on the type of filter needed. Generally, capture filters are used when the specific data to be analyzed has been pinpointed before capturing starts, so that only that data is saved into the capture buffer. One of the advantages of this type of filtering is that only specific information is captured and saved, thus saving space on the hard drive.
Sniffer Pro Network Optimization and Troubleshooting Handbook | 2002
Robert J. Shimonski; Wally Eaton; Umer Khan; Yuri Gordienko
This chapter discusses how to install Sniffer Pro and covers the issues that could be faced while installing and upgrading. The in-depth information focuses on the minimum requirements for every platform. The chapter also describes how to configure the drivers and why special drivers are needed for Ethernet, Token Ring, or any other platform used with Sniffer Pro. Installing Sniffer Pro is as simple as installing any other application on Microsoft Windows, and it uses the standard InstallShield Wizard to guide the user through the setup process. Promiscuous mode network cards and drivers should be used to capture traffic. Otherwise, the Sniffer Pro system only sees frames destined for it. To gain the most from the system, an NAI-supported NIC with NAI enhanced drivers should be installed. These drivers are optimized for use with Sniffer Pro and provide the best capture performance as well as the ability to monitor physical layer errors.
Sniffer Pro Network Optimization and Troubleshooting Handbook | 2002
Robert J. Shimonski; Wally Eaton; Umer Khan; Yuri Gordienko
This chapter discusses how to initially isolate a problem and monitor the network's performance using Sniffer Pro, and offers suggestions on how to correct the issues. The chapter focuses on monitoring the network in real time with the Dashboard; how to monitor the performance of Ethernet, Token Ring, and LAN routing technologies; and how to baseline these technologies and perform trending. Sniffer Pro cannot be used to give the answers outright. The problems have to be extracted while using Sniffer Pro as a tool in the arsenal. The chapter also shows other ways to monitor performance on the network to augment the use of Sniffer Pro. Real-time analysis of multiple technologies using the Sniffer Pro analyzer has been illustrated. The Dashboard is used to gather baselines and to troubleshoot while referring to the Alarm log based on set thresholds. Lastly, advanced problems that can be experienced with Ethernet, Token Ring, and LAN-based routing have been discussed.
Sniffer Pro Network Optimization and Troubleshooting Handbook | 2002
Robert J. Shimonski; Wally Eaton; Umer Khan; Yuri Gordienko
This chapter describes the importance of network analysis and introduces a network analysis software product known as Sniffer Pro. Network analysis is a range of techniques that network engineers and designers employ to study the properties of networks, including connectivity, capacity, and performance. Network analysis can be used to estimate the capacity of an existing network, look at performance characteristics, or plan for future applications and upgrades. A typical network analyzer understands many protocols, which enables it to display conversations taking place between hosts on a network. Network analyzers can capture all the traffic that is going across a network and decode and interpret the different protocols in use in the captured traffic. The decoded data is shown in a format that makes it easy to understand. A network analyzer can also capture only traffic that matches the selection criteria defined by a filter. This allows a technician to capture only traffic that is relevant to the problem at hand. Network analyzers further provide the ability to create display filters so that a network professional can quickly find what he or she is looking for. Advanced network analyzers provide pattern analysis capabilities. This feature allows the network analyzer to go through thousands of packets and identify problems. The network analyzer can also provide possible causes for these problems and hints on how to resolve them.
Sniffer Pro Network Optimization and Troubleshooting Handbook | 2002
Robert J. Shimonski; Wally Eaton; Umer Khan; Yuri Gordienko
This chapter describes how to configure Sniffer Pro to capture traffic and presents the real-life applications of using Sniffer Pro proactively and reactively with regard to network applications. The steps to start and stop a capture with Sniffer Pro have been covered. The proper positioning of the workstation with Sniffer Pro installed is also described. The concepts of monitoring applications and application response time (ART) have also been discussed along with how Sniffer Pro monitors ART. The Sniffer Pro is broken down to see how it is customized, what each layer represents, and how to use it for troubleshooting and analysis. The Sniffer Pro Decode tab is studied in great detail to show what each pane does, how to read it, how to customize it, and what to look for while doing analysis work. Two complex problems are worked through to show how to apply all this knowledge to capture, decode, and analyze possible problems with Sniffer Pro.
Sniffer Pro Network Optimization and Troubleshooting Handbook | 2002
Robert J. Shimonski; Wally Eaton; Umer Khan; Yuri Gordienko
This chapter covers details about capturing data and saving it for analysis and discusses how to save and archive capture files for logging and/or future base-lining. Using Sniffer Pro to capture traffic is one of the fastest ways to obtain a complete picture of what is happening on the network, analyze captured information, and resolve the issue. It is also possible to capture traffic, experiment with it, and analyze in a test environment how the network would react to specific groups of data. Besides the ability to capture all the data that is flowing on the network, Sniffer Pro has broad filtering capabilities that greatly facilitate troubleshooting on highly loaded networks. Once the data has been captured, the main task before the analysis is to save the capture in the right way. Captures can be saved manually or automatically, whichever is more convenient. The specifics of capturing data and the capture and analysis of Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP) have also been covered.