Network Trace Analysis

Transcription

1 Network Trace Analysis Version 1.0 Facebook LinkedIn Twitter Dmitry Vostokov Software Diagnostics Services

2 Wireshark Hark Listen (to) Hark! There s the big bombardment. Speak in one s ear; whisper Shorter Oxford English Dictionary Hark back (idiom) To return to a previous point, as in a narrative

3 Prerequisites Interest in software diagnostics, troubleshooting, debugging and network trace analysis Experience in network trace analysis using Wireshark or Network Monitor

4 Why? A common diagnostics language Network diagnostics as software diagnostics

5 Software Diagnostics A discipline studying abnormal software structure and behavior in software execution artifacts (such as memory dumps, software and network traces and logs) using pattern-driven, systemic and pattern-based analysis methodologies.

6 Diagnostics Pattern A common recurrent identifiable problem together with a set of recommendations and possible solutions to apply in a specific context.

7 Pattern Orientation Pattern-driven Finding patterns in software artefacts Using checklists and pattern catalogs Pattern-based Pattern catalog evolution Catalog packaging and delivery

8 Catalog Classification By abstraction Meta-patterns By artifact type Software Log* Memory Dump Network Trace* By story type Problem Description Software Disruption UI Problem By intention Malware

9 Traces and Logs

10 Trace and Log Patterns

11 Software Narrative A temporal sequence of events related to software execution.

12 Software Trace A sequence of formatted messages Arranged by time A narrative story

13 Network Trace A sequence of formatted packets as trace messages Arranged by time A narrative story

14 Network Trace Analysis Software Trace Analysis Patterns Network Trace Analysis Patterns

15 Capture Tool Placing Sniffer placing Process Monitor placing

16 Trace Maps Network map Deployment architecture map

17 Name Resolution MAC -> IP and IP -> DNS PID -> process name

18 Trace Presentation Trace Presentation A (Discourse) Trace Presentation B (Discourse) Trace Presentation C (Discourse) Trace 1 (Plot, Sujet) Trace 2 (Plot, Sujet) Trace 3 (Plot, Sujet) Trace 4 (Plot, Sujet) Trace 5 (Plot, Sujet) Full Trace (Story, Fable, Fabula)

19 Minimal Trace Graphs Time # Src Dst Time Message

20 Pattern-Driven Analysis Logs Checklists Patterns Action

21 Pattern-Based Analysis Usage Software Trace Discovery Pattern Catalog + New Pattern

22 Pattern Classification Vocabulary Error Trace as a Whole Large Scale Activity Message Block Trace Set

23 Reference and Course Catalog from Software Diagnostics Library Software Trace Analysis Patterns Free reference graphical slides Accelerated-Windows-Software-Trace-Analysis-Public.pdf Training course* Accelerated Windows Software Trace Analysis * Available as a full color paperback book, PDF book, on SkillsSoft Books 24x7. Recording is available for all book formats

24 Selected Patterns

25 Master Trace Pattern Category Trace Set Normal network capture

26 Message Current Pattern Category Trace as a Whole Time # Src Dst Time Message Time # Src Dst Time Message J 1 > J 2 Packets/s

27 Message Density Pattern Category Trace as a Whole Time # Src Dst Time Message D 1 > D 2

28 Characteristic Block Pattern Category Large Scale Time # Src Dst Time Message D 1 < D 2 L 1 > L 2

29 Example

30 Thread of Activity Time # Src Dst Time Message Pattern Category Activity Time # Src Dst Time Message

31 Adjoint Thread Time # Src Dst Time Message Pattern Category Activity Filtered by: Time # Src Dst Time Message Source Destination Protocol Message Expression

32 No Activity Time # Src Dst Time Message Pattern Category Activity We messages from other servers but only see our own traffic

33 Discontinuity Pattern Category Time # Src Dst Time Message Time # Src Dst Time Message Activity

34 Dialog Time # Src Dst Time Message Conversation between 2 endpoints

35 Significant Event Pattern Category Message Time # Src Dst Time Message Time Reference feature in Wireshark

36 Marked Messages Pattern Category Message Annotated messages: session initialization [+] session tear-off [-] port A activity [+] port B activity [-] protocol C used [-] address D used [-] Marked Packets feature in Wireshark [+] activity is present in a trace [-] activity is undetected or not present

37 Partition Time # Src Dst Time Message Pattern Category Trace as a Whole Head Prologue Core Connection initiation (Prologue) and termination (Epilogue) Epilogue Tail

38 Inter-Correlation Pattern Category Trace Set Several packet sniffers at once Internal and external views Process Monitor log + network trace

39 Circular Trace Pattern Category Trace as a Whole Time # Src Dst Time Message Problem Repro

40 Split Trace Pattern Category Trace Set Time # Src Dst Time Message # PID TID Time Message # PID TID Time Message

41 Paratext Info column in Wireshark

42 Frames Time # Src Dst Time Message Pattern Category Large Scale OSI, TCP/IP Layers

43 Visibility Limit Pattern Category Trace as a Whole Visibility window for sniffing PC 3 sniffer PC 1 PC 2

44 Incomplete History Packet loss Missing ACK

45 Possible New Patterns Full Trace (promiscuous mode) Embedded Message (PDU chain, protocol data unit, packet) Ordered Message (TCP/IP sequence numbers) Illegal Message (sniffed with illegally obtained privileges) Dual Trace (in / out, duplex)

46 Further Reading Practical Packet Analysis, 2 nd edition, by Chris Sanders Software Diagnostics Institute Memory Dump Analysis Anthology: Volumes 3, 4, 5, 6, Volume 7 is in preparation (July, 2013) Introduction to Software Narratology Malware Narratives

47 What s Next? Accelerated Network Trace Analysis Generative Software Narratology Pattern-Oriented Hardware Signal Analysis

48 Q&A Please send your feedback using the contact form on DumpAnalysis.com

49 Thank you for attendance! Facebook LinkedIn Twitter