Network monitoring
Methodology
Passive approach:
Does not increase the traffic on the network
Measures traffic in real time
Lowest implementation costs
Non-proprietary
Independent from hardware vendor
No escape
Non-obtrusive
Passive Monitoring Key Points
Highly secure compared to SNMP and RMON
Provides the highest detail of monitoring
In practice, all network problems can be discovered and solved using passive packet sniffer technology.
Stealth nature: cannot be detected by other tools.
To whom is it useful?
Useful to: Network Administrators, Application Developers, Network Auditors, Students, and the everyday "Joe" who would like to know what is happening in his network.
Unique Features
Display in real time: general traffic information, total network traffic and bandwidth utilization, graphs for utilization and distribution
Detailed breakdown of packets, raw and decoded, with optional filtering
Decode major protocols and sub-protocols
Highly secure compared to SNMP and RMON
Common Usage
Abnormal or suspicious activities monitoring
Intrusion monitoring
Bandwidth monitoring
Critical node monitoring
Application monitoring
Data forensics (packet analysis): real time / offline analysis
Network anomaly detection
Top usage
Bandwidth monitoring
Network Usage Statistic (General)
Critical node monitoring
Network Usage Statistic (Single)
Critical node monitoring
Network Trace (Single)
Intelligent Address Book
Critical node monitoring
Protocol Monitoring
Network Charts (Protocol Distribution -> Network Layer and IP-based)
Application Monitoring
Network Charts (Protocol Distribution -> Application Layer Distribution)
Packet Analysis
Network Analyzer (Capture and Decode)
Packet Analysis: Filtering
Reporting Toolkit Interface
Daily, Weekly, Monthly Reporting: Control Window
Sample Report
Network analysis fundamentals: Ethernet
A network card is an Ethernet adapter.
Each Ethernet adapter is globally assigned a unique hardware address (the MAC address). It is a 48-bit binary number, generally written as 12 hexadecimal digits, e.g. 00:e0:30:3f:21:b6.
MAC addresses are used for data communication on a network: unicast, multicast and broadcast. The broadcast destination address is all 1s (ff:ff:ff:ff:ff:ff in hexadecimal).
Ethernet II Frame
Network analysis fundamentals: Hubs
A hub is a device that runs at the physical layer of the OSI model and allows Ethernet networks to be easily expanded.
When devices are connected to a hub, they hear everything that the other devices attached to the hub are sending, whether the data is destined for them or not.
Network analysis fundamentals: Switches and Bridging
Bridges and switches are both intelligent devices that divide a network into collision domains to improve performance.
A collision domain is defined as a single CSMA/CD network in which there will be a collision if two stations attached to the system transmit at the same time.
Deployment
A Technician's Tool Kit for Troubleshooting: a laptop with j-Portable, some straight-through and cross-over cables, and a mini-hub.
For Constant Monitoring: a dedicated monitoring machine installed with j-enterprise, and a dedicated hub / mirrored switch for monitoring.
The point to plug in the monitoring machine depends on what we want to monitor.
LAN Monitoring
“Over the wire” monitoring
Monitoring network applications with j-Portable: correct placement to capture specific communication
Further steps to be taken will be based on these questions:
What do we want to monitor?
Where do we want to monitor?
What do we want to look for?
Things to monitor
To monitor network applications/software
To monitor performance of the network
To analyze network data & issues
To detect security breaches
Common Cases
Scenario: You are developing a client-server application and need to troubleshoot it. Did the packets actually get transmitted by the client to the server?
Scenario: You have installed a web-based application server. Is the traffic to/from it as it should be?
Use Capture & Decode to see the actual traffic; use Netrace to see the actual connections.
2. How can we monitor network performance?
Scenario: You have a network gateway and would like to monitor and know the percentage of utilization of your Internet access traffic.
Use Network Statistics to view actual usage statistics; use Graph to view the distribution by protocol.
For history, use the Reporting Tool.
For bandwidth utilization, use Node Monitor.
3. How to perform analysis of network data?
Scenario: A worm is present in your network.
Scenario: ARP poisoning is being actively done on the local network.
Use Capture and Decode to look for abnormal traffic. The culprit can be pinpointed based on the Address Book data.
4. When can I use tools to analyze network issues?
Scenario: A user complains "the network is slow".
Use Statistical View to see if the network is congested; use Capture and Decode to view the traffic and pinpoint the sources of the problem.
5. How can I gain better network security?
Scenario: An outsider is trying to scan machines on my network.
Netrace will tell me the sources and destinations of those scans.
6. How can I optimize my network with j-Portable?
Scenario: Your newly installed network printer is running AppleTalk and IPX, but no one else is using them.
Scenario: One of your routers is running unneeded IGMP or BGP protocols.
j-Portable: use Capture & Decode to view the network traffic, filter for a single address, and look for unneeded traffic. Then make the needed adjustments on those devices.
Problem Detection
1. ARP storm detection
Monitor each host for a certain time. Each host should send a reasonable amount of ARP packets to resolve IP addresses. A host is sending an ARP storm if it continuously sends ARP requests to certain IPs, or even to a range of IPs (normally as broadcasts).
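The per-host check the slide describes, as an added example (not the deck's or j-Portable's own code): ARP requests are assumed to arrive already decoded as (timestamp, sender MAC, target IP) records, and each host is watched over a sliding time window for either too many requests or too many distinct targets. The `ArpRequest` format, the thresholds and the three sample captures are constructed for the demo.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class ArpRequest:
    """One decoded ARP request as the sniffer would hand it over (constructed format)."""
    ts: float        # capture timestamp, seconds
    src_mac: str     # sender hardware address
    target_ip: str   # IP address the sender is trying to resolve


class ArpStormDetector:
    """Sliding-window rate and fan-out check per host (thresholds are assumptions)."""

    def __init__(self, window_s=10.0, max_requests=50, max_distinct_targets=20):
        self.window_s = window_s                            # how long each host is watched
        self.max_requests = max_requests                    # "reasonable amount" per window
        self.max_distinct_targets = max_distinct_targets    # more than this = sweeping a range
        self._events = defaultdict(deque)                   # src_mac -> deque of (ts, target_ip)

    def observe(self, req):
        """Record one request; return an alert dict if the sender looks like a storm, else None."""
        q = self._events[req.src_mac]
        q.append((req.ts, req.target_ip))
        while q and req.ts - q[0][0] > self.window_s:       # drop events that left the window
            q.popleft()
        requests = len(q)
        distinct = len({ip for _, ip in q})
        if requests > self.max_requests or distinct > self.max_distinct_targets:
            reason = "range sweep" if distinct > self.max_distinct_targets else "repeated requests"
            return {"src_mac": req.src_mac, "requests": requests,
                    "distinct_targets": distinct, "reason": reason}
        return None


def detect_storms(requests, **thresholds):
    """Replay a capture in time order; return the latest alert per offending host."""
    detector = ArpStormDetector(**thresholds)
    alerts = {}
    for req in sorted(requests, key=lambda r: r.ts):
        alert = detector.observe(req)
        if alert:
            alerts[req.src_mac] = alert
    return alerts


# Constructed capture: one well-behaved host (one request every 20 s), one host
# hammering a single IP (100 requests in 5 s), one host sweeping 192.168.1.1-200 in 2 s.
NORMAL = [ArpRequest(20.0 * i, "00:e0:30:3f:21:b6", "192.168.1.1") for i in range(5)]
REPEAT = [ArpRequest(200.0 + 0.05 * i, "00:aa:bb:cc:dd:ee", "192.168.1.254") for i in range(100)]
SWEEP = [ArpRequest(300.0 + 0.01 * i, "00:11:22:33:44:55", f"192.168.1.{i + 1}") for i in range(200)]

if __name__ == "__main__":
    for mac, alert in detect_storms(NORMAL + REPEAT + SWEEP).items():
        print(mac, alert)
```

Both failure modes from the slide are covered separately: the repeated-request counter catches a host that keeps asking for the same few IPs, and the distinct-target counter catches a host walking a range even when its overall rate stays below the request threshold.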
3. Worm detection
AV maintains a DB of all known worm signatures. The moment AV starts the capturing process, it sniffs each packet and applies all filters to these packets. The decoder decodes each of the captured and filtered packets. The dissector extracts the payload depending on the traffic type. The payload is then matched against the DB of signatures. If the match returns 1, a worm is detected.
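The capture → filter → decode → dissect → match pipeline above, and the Ethernet II fundamentals from the earlier slide (MAC formatting, unicast/multicast/broadcast classification, frame header layout), as one added Python example that is not the deck's or any j-Portable/j-enterprise code. The decoder handles Ethernet II (with an optional 802.1Q tag), IPv4 and TCP; everything else is dropped by the filter. The signature byte strings, sample frames, function names and the zero checksums in the constructed frames are all assumptions for the demo.

```python
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_TCP = 6


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def classify_mac(raw):
    # All ones is broadcast; otherwise the I/G bit (LSB of the first octet) marks multicast.
    if raw == BROADCAST:
        return "broadcast"
    return "multicast" if raw[0] & 0x01 else "unicast"


def parse_ethernet_ii(frame):
    """Decode the 14-byte Ethernet II header: dst MAC, src MAC, EtherType, then payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:     # 802.1Q tag shifts the payload by 4
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": mac_to_str(dst), "src": mac_to_str(src), "dst_kind": classify_mac(dst),
            "vlan": vlan, "ethertype": ethertype, "payload": frame[offset:]}


def parse_ipv4(data):
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (data[0] & 0x0F) * 4                               # header length incl. options
    total_len = struct.unpack("!H", data[2:4])[0]            # ignore Ethernet padding past this
    return {"src": ".".join(map(str, data[12:16])), "dst": ".".join(map(str, data[16:20])),
            "proto": data[9], "payload": data[ihl:total_len]}


def parse_tcp(data):
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", data[:4])
    return {"sport": sport, "dport": dport, "payload": data[(data[12] >> 4) * 4:]}


def dissect(frame):
    """Filter + decode + dissect: application payload of IPv4/TCP frames, None for anything else."""
    eth = parse_ethernet_ii(frame)
    if eth["ethertype"] != ETHERTYPE_IPV4:
        return None
    ip = parse_ipv4(eth["payload"])
    if ip["proto"] != IPPROTO_TCP:
        return None
    tcp = parse_tcp(ip["payload"])
    return {"src": f"{ip['src']}:{tcp['sport']}", "dst": f"{ip['dst']}:{tcp['dport']}",
            "src_mac": eth["src"], "payload": tcp["payload"]}


# Constructed signature DB for the demo; a real product ships its own.
SIGNATURES = {
    "EXAMPLE-WORM-A": b"EXAMPLE-WORM-A-MARKER",
    "EXAMPLE-WORM-B": b"\xde\xad\xbe\xef\x00\x01",
}


def match_signatures(payload, db=SIGNATURES):
    return [name for name, sig in db.items() if sig in payload]


def scan_frames(frames):
    """Run every frame through the pipeline; one hit per (flow, matching signature)."""
    hits = []
    for frame in frames:
        flow = dissect(frame)
        if flow is None:
            continue
        for name in match_signatures(flow["payload"]):
            hits.append({"signature": name, "src": flow["src"],
                         "dst": flow["dst"], "src_mac": flow["src_mac"]})
    return hits


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed test traffic: minimal Ethernet II / IPv4 / TCP frame (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + tcp
    macs = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return macs + struct.pack("!H", ETHERTYPE_IPV4) + ip


SAMPLE_FRAMES = [
    build_tcp_frame("00:e0:30:3f:21:b6", "00:11:22:33:44:55", "192.168.1.10", "192.168.1.20",
                    40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_tcp_frame("00:11:22:33:44:55", "00:e0:30:3f:21:b6", "192.168.1.20", "192.168.1.30",
                    445, 445, b"\x00\x10" + b"EXAMPLE-WORM-A-MARKER" + b"\x00"),
    # ARP request to the broadcast address: decodes at layer 2, dropped by the IPv4 filter
    bytes.fromhex("ffffffffffff" "00e0303f21b6" "0806") + bytes(28),
]

if __name__ == "__main__":
    for hit in scan_frames(SAMPLE_FRAMES):
        print(hit)
```

The hit record carries the sender MAC alongside the IP flow so it can be looked up in an address book, which is how the Common Cases slides suggest pinpointing the culprit host.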