PCAPs - The World of Network Traffic

What's on your network? Connected on mine at home are my phone, various computers, my ISP-issued router, a Philips Hue bridge and some lights, my games consoles, and my smart TV. I'm pretty confident that's a comprehensive list, since my router's configuration page conveniently displays which devices are currently connected according to their uniquely identifying MAC addresses and their device names, and all of those listed are familiar and trusted to me. More importantly, I haven't detected any rogue traffic on my network. The packets I've captured are all to or from known machines and involve the expected alphabet soup of protocols, such as some ARP requests every hundred packets or so to learn which device is assigned which IP address, and SSDP for my smart lights to communicate statuses and commands to each other. Awen Collective’s knowledge base deciphers more of these terms.

As busy as my home network may be, it is much simpler than the typical enterprise environment, where DMZs, AD servers, and access points abound. A diverse range of users will be using the network to complete varying objectives. Take into account any operational technology (whether or not it is strictly kept on its own dedicated network), and there will be an even wider array of device types and protocols involved, with chatter from hundreds of devices throughout all these networks. Examining the traffic on these networks gets very complicated very quickly, and establishing a baseline of normal activity is not easy. Observability is vital to ensuring responsible and efficient use of your networks, and it is integral to a defence-in-depth strategy. Anyone who has worked in incident response knows first-hand that sifting through thousands if not millions of packets can feel exactly like searching for a needle in a haystack, especially if the team has not yet identified what exactly is being investigated. Examining network traffic effectively is paramount in the pre-incident phase as well. It can mean the difference between an external attack reaching your sensitive data or equipment, and your SOC and their suite of tools blocking the attempt and defending your organisation.

A simple way to package this traffic for efficient parsing is to save the packets into a collection using a PCAP. Widely considered an abbreviation for “Packet CAPture,” a PCAP is self-explanatory: the file contains network packets that were captured. This file type is denoted with the .pcap or .pcapng filename extensions.

Network architecture for capturing packets

How does one get started obtaining pcaps in an enterprise environment? Having each endpoint on your network store the traffic it detects is likely both heavy on resources and difficult to manage and aggregate. On the other hand, having your network perimeter devices such as your firewalls do the same would mean capturing unfiltered traffic, or compelling an already-preoccupied machine to work overtime to either analyse packets itself or forward packets to another machine for monitoring.

An efficient, easy-to-deploy method to capture the network traffic you want to be capturing is to have your switches output the packets they come across. This output can be fed into a centralised system dedicated to examining this traffic (such as an IDS) and/or displaying this information to your operations staff for manual analysis. Configuring a SPAN port (Switched Port ANalyser; also called a mirror port) allows the switch to mirror the traffic passing through it to this dedicated system. On a full-duplex link (where a port transmits and receives at the same time), both directions of traffic have to be copied to the single SPAN port, so if your network deals with heavy loads the switch is at increased risk of dropping mirrored packets; in that case a network TAP may be necessary for best visibility. While TAPs provide the advantage of full coverage, they are separate devices that will require configuration and management in addition to the existing devices on your network.

PCAPs and your network: how to get the most value from your pcap?

Wireshark is a popular, free tool to examine PCAPs, available for Windows, macOS, and several Linux distributions. This tool allows users to examine packets down to the byte level. Here is a screenshot of Wireshark when viewing a Modbus packet:

Wireshark displays the timestamp representing when the packet was detected, the source and destination IP and MAC addresses, the protocol used, and a summary of the packet payload. The middle section details the information in the packet organised according to each layer in the OSI model, and the bottom portion displays a hex dump of the entire contents of the packet. In this particular packet of the pcap, 10.0.0.3 is sending 10.0.0.9 some of its register values that 10.0.0.9 had requested in the preceding packet.

Dot by Awen Collective performs this deep packet inspection on your network so you have clear, detailed visibility of which devices are sending what information. Alongside the ability to view and search the important details found in packets, you can view information on a per-device basis. Through Dot, you can capture and save live traffic, and by integrating with your SIEM, your technical operations team can view the details of traffic as it arrives and discover immediately if there’s an anomaly. Pictured below is a screenshot of what Dot has discovered from the same PCAP as in the Wireshark example.

Users are able to see much of the same information as in Wireshark, through an intuitive interface. Dot is also able to determine whether a particular device is a Modbus master or slave. In this case, the device currently viewed, which has a MAC address of 00:02:b3:ce:70:51, is a slave. Recall that in this packet, this device is sending register values to the other device, which is behaviour that indeed correlates with that of a slave.
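The following is an added example, not code from Awen Collective, Dot or Wireshark: a standard-library Python script that does by hand what the two screenshots show. It walks a classic .pcap file record by record, decodes the Ethernet, IPv4, TCP and Modbus/TCP layers, pairs a Read Holding Registers response with the request that preceded it (matching on the Modbus transaction id and unit id), and classifies each MAC address as master or slave from which side sends requests towards port 502. The two-frame capture it parses is constructed inline to mirror the exchange from 10.0.0.9 to 10.0.0.3 described above; the master's MAC address is a placeholder, while 00:02:b3:ce:70:51 is the slave address quoted in the text. All function names are this example's own.

```python
"""Classic-pcap reader that decodes Modbus/TCP, pairs requests with responses and infers roles.
Added example, not code from Awen Collective, Dot or Wireshark; standard library only. The
capture below is CONSTRUCTED: MASTER_MAC is a placeholder and checksums are left at zero."""
import struct

PCAP_MAGIC = 0xA1B2C3D4           # classic pcap, microsecond timestamps (written little-endian here)
LINKTYPE_ETHERNET = 1
MODBUS_PORT = 502
FC_READ_HOLDING = 3               # Modbus function code 3, Read Holding Registers
MASTER_MAC = "00:0c:29:aa:bb:cc"  # constructed placeholder for the requesting device
SLAVE_MAC = "00:02:b3:ce:70:51"   # the responding device's MAC as shown in the article

def ip4(dotted):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(o) for o in dotted.split("."))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Wrap a TCP payload in Ethernet/IPv4/TCP headers (sample data; checksums left at zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    return eth + ip + tcp

def build_pcap(frames):
    """Serialise frames as a classic pcap: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def modbus_request(tid, unit, start, count):
    """MBAP header + Read Holding Registers request PDU (function, start address, quantity)."""
    pdu = struct.pack("!BHH", FC_READ_HOLDING, start, count)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def modbus_response(tid, unit, values):
    """MBAP header + Read Holding Registers response PDU (function, byte count, 16-bit values)."""
    pdu = struct.pack("!BB", FC_READ_HOLDING, 2 * len(values)) + b"".join(struct.pack("!H", v) for v in values)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def read_pcap(data):
    """Yield (timestamp, frame) per record; a truncated final record ends iteration cleanly."""
    magic, linktype = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 20)[0]
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian classic pcap with Ethernet frames (pcapng is a different format)")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break
        offset += 16 + incl_len
        yield ts_sec + ts_usec / 1e6, frame

def decode_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP -> Modbus/TCP; return a dict, or None when it is not Modbus/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 over Ethernet, TCP
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    payload = tcp[(tcp[12] >> 4) * 4:]
    if MODBUS_PORT not in (sport, dport) or len(payload) < 8:
        return None
    tid, proto_id, length, unit = struct.unpack_from("!HHHB", payload, 0)
    if proto_id != 0 or length != len(payload) - 6:   # MBAP length covers unit id + PDU
        return None
    info = {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
            "src_ip": ".".join(map(str, frame[26:30])), "dst_ip": ".".join(map(str, frame[30:34])),
            "tid": tid, "unit": unit, "function": payload[7]}
    if dport == MODBUS_PORT:          # towards port 502: a request, master -> slave
        info["kind"] = "request"
        if info["function"] == FC_READ_HOLDING:
            info["start"], info["count"] = struct.unpack_from("!HH", payload, 8)
    else:                             # from port 502: a response, slave -> master
        info["kind"] = "response"
        if info["function"] == FC_READ_HOLDING:
            info["registers"] = list(struct.unpack_from("!%dH" % (payload[8] // 2), payload, 9))
    return info

def analyse(pcap_bytes):
    """One pass over the capture: pair each response with the outstanding request sharing its
    transaction id and unit id, and label every MAC master (sends requests) and/or slave (answers)."""
    pending, pairs, roles = {}, [], {}
    for _, frame in read_pcap(pcap_bytes):
        m = decode_frame(frame)
        if m is None:
            continue
        roles.setdefault(m["src_mac"], set()).add("master" if m["kind"] == "request" else "slave")
        key = (m["tid"], m["unit"])
        if m["kind"] == "request":
            pending[key] = m
        elif key in pending:
            pairs.append((pending.pop(key), m))
    return pairs, {mac: "/".join(sorted(r)) for mac, r in roles.items()}

# Constructed two-frame capture: 10.0.0.9 asks 10.0.0.3 for three holding registers, 10.0.0.3 answers.
SAMPLE_PCAP = build_pcap([
    build_frame(MASTER_MAC, SLAVE_MAC, "10.0.0.9", "10.0.0.3", 49152, 502, modbus_request(7, 1, 0, 3)),
    build_frame(SLAVE_MAC, MASTER_MAC, "10.0.0.3", "10.0.0.9", 502, 49152, modbus_response(7, 1, [100, 200, 300])),
])

if __name__ == "__main__":
    pairs, roles = analyse(SAMPLE_PCAP)
    print(pairs[0][1]["registers"], roles)   # [100, 200, 300] {'00:0c:29:aa:bb:cc': 'master', '00:02:b3:ce:70:51': 'slave'}
```

Two points worth noting. The reader deliberately handles only the classic little-endian .pcap layout; a .pcapng file (the other extension named above) is a block-based format with a different magic number, so `read_pcap` raises instead of silently misparsing it. And the master/slave inference rests on the same observation the article makes about 00:02:b3:ce:70:51: the side that sends requests to port 502 is acting as master, the side that answers them is acting as slave, which is why a device seen doing both is reported as "master/slave".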

In addition to extracting key information from network traffic both live and via PCAP uploads, Dot offers the ability to search for vulnerabilities affecting the devices discovered on your network, allows you to examine your network using the Purdue Model, and much more. For more information about how Dot can help you discover more about your networks, no matter your organisational context, get in touch to book a demo or contact us for a no-obligation call about how our services can help secure your systems.

Summary

Monitoring computer network traffic is applicable to a range of use cases, in both IT and OT environments. Whether your aim is to troubleshoot a technical error, improve network performance, or prevent cyber attacks, your technical operations team will most likely come across packet capturing in one form or another and will have to analyse individual packets or traffic trends. Awen Collective’s solutions streamline this process to help your organisation achieve the best visibility over its networks and stay protected.