Abstract
Analyzing real-world packet captures is both a science and an art. A high-traffic network segment can present the analyst with thousands of packets spanning hundreds of connections, sessions, and protocols. This chapter presents several different types of packet captures and the processes used to analyze the data. Network scanning is used to identify available network resources. Also known as discovery or enumeration, network scanning can be used to discover available hosts, ports, or services on the network. Once a vulnerable resource is detected, it can be exploited and the device compromised. The scans covered include the Transmission Control Protocol (TCP) Connect scan, TCP SYN scan, XMAS scan, and Null scan. The chapter also discusses several Trojan and worm attacks. Trojans are malicious programs that are often disguised as other programs such as jokes, games, network utilities, and sometimes even the Trojan removal program itself. Internet worms such as SQL Slammer, Code Red, and Ramen are becoming faster, smarter, and stealthier. The Snort Intrusion Detection System (IDS) and the Netfilter firewall in the Linux kernel offer the ability to send TCP RST packets to forcibly close TCP sessions. These RST packets are generated in response to a rule match on specific criteria, such as malicious application-layer data within one of the TCP packets in an established TCP stream.
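As an added illustration of the scan types named in the abstract (this is not code from the chapter), the following Python classifies unsolicited TCP segments by their flag pattern and separates a half-open SYN scan from a Connect scan by whether the client ever sends the third handshake segment; the packet records, addresses and `port_threshold` value are constructed sample data.

```python
from collections import defaultdict

# TCP flag bits in the order they appear in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG

def probe_kind(flags):
    """Name the probe technique suggested by one client-to-server segment."""
    return {0: "null", XMAS: "xmas", SYN: "syn"}.get(flags)  # None for non-probes

def detect_scans(packets, port_threshold=3):
    """Map each source that probed >= port_threshold distinct ports to the probe
    kinds seen and the ports touched. A SYN probe whose flow later carries a bare
    ACK from the same client completed the three-way handshake, so it is reported
    as 'connect' rather than the half-open 'syn'."""
    probes = defaultdict(dict)   # src -> {(dst, sport, dport): kind}
    completed = set()            # (src, dst, sport, dport) flows the client ACKed
    for p in packets:
        flow = (p["dst"], p["sport"], p["dport"])
        kind = probe_kind(p["flags"])
        if kind:
            probes[p["src"]][flow] = kind
        elif p["flags"] & ACK and not p["flags"] & SYN:
            completed.add((p["src"],) + flow)
    report = {}
    for src, flows in probes.items():
        ports = {flow[2] for flow in flows}
        if len(ports) < port_threshold:
            continue
        kinds = {"connect" if k == "syn" and (src,) + f in completed else k
                 for f, k in flows.items()}
        report[src] = {"kinds": sorted(kinds), "ports": sorted(ports)}
    return report

def pkt(src, dst, sport, dport, flags):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}

# Constructed sample traffic toward 10.0.0.10 (not a real capture)
SAMPLE = (
    # 10.0.0.5: half-open SYN scan, never sends the third handshake segment
    [pkt("10.0.0.5", "10.0.0.10", 40000 + i, d, SYN) for i, d in enumerate((21, 22, 80, 443))]
    # 10.0.0.6: XMAS scan (FIN, PSH and URG set on every probe)
    + [pkt("10.0.0.6", "10.0.0.10", 41000 + i, d, XMAS) for i, d in enumerate((22, 25, 80))]
    # 10.0.0.7: Connect scan, each SYN followed by the client's ACK
    + [pkt("10.0.0.7", "10.0.0.10", 42000 + i, d, f)
       for i, d in enumerate((22, 80, 8080)) for f in (SYN, ACK)]
    # 10.0.0.8: ordinary client, one handshake then data on 443
    + [pkt("10.0.0.8", "10.0.0.10", 43000, 443, f) for f in (SYN, ACK, PSH | ACK)]
)
```

Running `detect_scans(SAMPLE)` reports 10.0.0.5 as a SYN scan, 10.0.0.6 as an XMAS scan and 10.0.0.7 as a Connect scan, while the single-port client 10.0.0.8 stays below the threshold.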
More From: Wireshark & Ethereal Network Protocol Analyzer Toolkit