
Live and Easy Packet Analysis

Packet Analyzer Enterprise Edition is a real time network traffic monitoring and analysis tool which provides detailed reports for various events

Swapnil Arora

Tuesday, October 10, 2006


Packet analysis has always been an integral part of any network audit. This month we look at a packet analyzer tool that provides real-time analysis of the network, with easy-to-understand and informative reports. You can monitor network traffic for bandwidth, errors and other events. It also lets you capture traffic from multiple adapters simultaneously. Plus, you can view the analyzed data of FTP transfers, HTTP requests, e-mail messages, etc. It can also log the attachments coming through e-mails. This feature is very useful for keeping a check on the network against e-mail virus attacks.

Direct Hit!
Applies to: IT managers 
Price: $499 (single user license)
USP:  Detailed network and packet analysis with reports
Links: www.javvin.com/packet.html 
Google keywords: Packet Analysis

To capture packets, you need to create or open a project. The tool divides each project into three groups: Protocol Explorer, Physical Explorer and IP Explorer. The Protocol Explorer provides diagnosis and information related to protocols; Physical Explorer provides information about local segments, gateways, broadcast and multicast addresses; while IP Explorer lists information according to local subnets, Internet addresses, etc.
You can have multiple projects running at the same time, and information related to these can be saved (including the packets captured by them) for analysis.

Step 1: Diagnosis
Like other network analyzers, this software too comes with filters to help you catch the required packets. You can choose to use its default global or project specific filters, or create your own filters. When you start capturing packets for the first time, it will open its Project Settings window. Here you can choose which network adapters you want to use for creating filters for packet capturing and what logs the tool should create while capturing packets.

On the Settings Diagnosis tab, you can choose what kind of diagnosis the software should perform on the network. By default it comes with a list of known events, categorized by OSI layers: application layer, transport layer, network layer and data link layer. You can choose the type of diagnosis that the packet analyzer should do by choosing one of these events, or you can create your own customized events.

Select the machine where you want to deploy the application from the Machine Tree on the left. Drag it to Machine Queue window on the right 

It shows the live status of packets captured, lost, rejected, buffer usage, etc. at the bottom left corner under Project Status. One good thing about this tool is that for analyzing captured traffic, you don't have to stop capturing packets. The same can be done in real time. Now, to start analyzing, browse to the Summary tab, where you can see a summary of network events. For details, click on the Diagnosis tab. Here you can see errors and warnings flashing on your screen, as and when they occur. The details of the events are shown according to the diagnosis events chosen by you earlier. It will also show the count of the number of times a particular event has occurred. Click on the References tab to see details of the event.

Step 2: Analysis
To see the graphs of the network events, click on the Graphs tab. Here you can see live graphs related to network utilization, packet size distribution, errors, etc.

In the Diagnosis tab you can view a detailed analysis of the problems in your network

It also shows TCP analysis, E-mail analysis, FTP analysis and HTTP analysis through these graphs. You can also compare two graphs. For this, select a graph, click on the Compare Mode button and choose the other graph with which you want to compare. The live IP Matrix of the network can also be viewed. Click on the Matrix tab and choose the traffic types you want to include. Also choose whether you want to see IP Matrix of all nodes or only the TOP nodes.

Step 3: TCP reconstruction
Packet Analyzer can reconstruct a TCP conversation that has taken place between two end points. This can be done by clicking on the Conversation tab and by choosing TCP. Select an item from the list of conversations. Now click on the Stream tab. This will open conversation details including streams and logs in plain text format. Similarly, if you want to view an HTTP conversation, choose an HTTP conversation from the packet's sub-view and click on the Stream tab. Here, it will show the data of all conversations, including URLs, .css and .js files. Unfortunately, it doesn't have an option to decrypt the encrypted data.

Packet Analyzer can easily reconstruct a TCP conversation that has taken place between two end points
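To show what TCP reconstruction involves, here is an added example (not part of the original article and not Packet Analyzer's own code) that rebuilds both directions of a conversation from captured segments by sequence number, dropping retransmissions and reporting gaps. The addresses, ports, sequence numbers and payloads are constructed sample data, and the function name `reassemble` is hypothetical.

```python
from collections import defaultdict

# Constructed capture: (src, sport, dst, dport, seq, payload). Segments arrive
# out of order and one is retransmitted, as on a real wire.
SEGMENTS = [
    ("10.0.0.5", 40112, "10.0.0.80", 80, 1025, b"Host: intranet.example\r\n\r\n"),
    ("10.0.0.80", 80, "10.0.0.5", 40112, 5000, b"HTTP/1.1 200 OK\r\n"),
    ("10.0.0.5", 40112, "10.0.0.80", 80, 1000, b"GET /style.css HTTP/1.1\r\n"),
    ("10.0.0.80", 80, "10.0.0.5", 40112, 5039, b"body{margin}"),
    ("10.0.0.80", 80, "10.0.0.5", 40112, 5000, b"HTTP/1.1 200 OK\r\n"),  # retransmit
    ("10.0.0.80", 80, "10.0.0.5", 40112, 5017, b"Content-Length: 12\r\n\r\n"),
]


def reassemble(segments):
    """Rebuild each direction of each TCP conversation.

    Returns {(src, sport, dst, dport): (stream_bytes, gaps)} where gaps is a
    list of (seq, missing_length) for bytes the capture never saw.
    Assumptions: the lowest sequence number seen starts the stream, and
    sequence numbers do not wrap within the capture.
    """
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, payload in segments:
        if payload:  # pure ACKs carry no stream data
            flows[(src, sport, dst, dport)].append((seq, payload))

    streams = {}
    for key, segs in flows.items():
        segs.sort(key=lambda s: s[0])
        expected = segs[0][0]
        data, gaps = bytearray(), []
        for seq, payload in segs:
            if seq > expected:  # lost or uncaptured bytes
                gaps.append((expected, seq - expected))
                expected = seq
            skip = expected - seq  # bytes already delivered
            if skip >= len(payload):
                continue  # full retransmission
            data += payload[skip:]
            expected = seq + len(payload)
        streams[key] = (bytes(data), gaps)
    return streams


if __name__ == "__main__":
    for flow, (data, gaps) in reassemble(SEGMENTS).items():
        print(flow, "gaps:", gaps)
        print(data.decode("ascii", "replace"))
```

A non-empty gap list means the plain-text stream is incomplete at that point, which matters when the reconstructed conversation is used as audit evidence. For encrypted sessions the same procedure yields only ciphertext.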

Step 4: Reports
Packet Analyzer creates separate reports for each project. By default it creates reports of diagnosis events, protocol statistics, top ten IP protocols, physical addresses, IP addresses, etc. To view reports click on the Reports tab and on the new screen click on the report that you want to see.
These reports can also be saved separately in HTML format. One of the drawbacks of this tool is that it doesn't let you create your own reports.

You can view real time reports about the network such as network traffic and node behavior

However, you can customize its default reports template. For this, go to the Reports tab and click on the Options push button. In the window that pops up, choose the reports that you want to see and also how you want to see them.
