2.1 Given a scenario, use appropriate monitoring tools - Paiet/Tech-Journal-for-Everything GitHub Wiki
2.1 Given a scenario, use appropriate monitoring tools
- Packet/network analyzer
  - AKA packet sniffer
  - Captures packets that are being passed through a computer network
  - Finds possible problems
    - Network intrusions
    - Performance
    - Filtering
    - Testing network security
  - Reads/analyzes PDUs from OSI Layers 1, 2, 3, 4
  - Enables the administrator to find problems with TCP, IP, MAC data or addresses
  - Easy to use in a network with hubs
  - Must enable port mirroring for switched networks
  - Requires the NIC to be placed in "Promiscuous Mode"
    - This enables the OS to accept all network traffic
    - Won't filter out possible clues in the normally discarded packets
  - Popular packet sniffers
    - Wireshark
    - TCPDump
    - Microsoft Network Monitor
- NETSTAT
  - Displays useful information about network connections
    - TCP/UDP connections
      - `netstat -p tcp`
      - `netstat -p udp`
    - Routing table
    - Port and socket connections
- Interface monitoring tools
  - Reports the status of a network interface
    - Interface up/down
    - Packets received/transmitted (RX/TX)
    - Errors
  - Both built-in and 3rd-party tools
  - SNMP monitoring tools
  - Set alerts
- Port scanner
  - Tests computer systems for open ports, usually for security reasons
  - Nmap
    - Most popular
    - Able to be scripted
  - ZenMap
  - SuperScan
- Top talkers/listeners
  - Top talkers are the devices that are sending the most data across the network
    - Transmit the most network traffic
  - Top listeners are consuming the most bandwidth
    - Receive the most inbound data
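As an added example (not part of this wiki), the top talker/listener definitions above applied to packet-analyzer output: the script parses lines in tcpdump's TCP summary format (the sample capture is constructed, not a real trace) and ranks hosts by bytes sent (top talkers) and bytes received (top listeners), skipping any line it cannot parse.

```python
import re
from collections import Counter

# Constructed sample lines in tcpdump's TCP summary format (not a real capture).
# 10.0.0.9 is a web server, 10.0.0.20 an SSH host; the last line is deliberate noise.
SAMPLE_CAPTURE = """\
12:00:01.000101 IP 10.0.0.5.51234 > 10.0.0.9.443: Flags [P.], seq 1:1201, ack 1, win 512, length 1200
12:00:01.000202 IP 10.0.0.9.443 > 10.0.0.5.51234: Flags [P.], seq 1:5001, ack 1201, win 256, length 5000
12:00:01.000303 IP 10.0.0.7.40000 > 10.0.0.9.443: Flags [P.], seq 1:301, ack 1, win 512, length 300
12:00:01.000404 IP 10.0.0.9.443 > 10.0.0.7.40000: Flags [P.], seq 1:9001, ack 301, win 256, length 9000
12:00:01.000505 IP 10.0.0.5.51235 > 10.0.0.20.22: Flags [P.], seq 1:2001, ack 1, win 512, length 2000
12:00:01.000606 IP 10.0.0.20.22 > 10.0.0.5.51235: Flags [.], ack 2001, win 256, length 0
garbage line that does not parse
"""

# "IP <src>.<sport> > <dst>.<dport>: ... length <payload bytes>"
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):.*?length (?P<length>\d+)"
)


def parse_capture(text):
    """Yield (src, dst, payload_bytes) for each line that parses; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["length"])


def top_talkers_listeners(text, n=3):
    """Return (talkers, listeners): hosts ranked by bytes sent and by bytes received."""
    sent, received = Counter(), Counter()
    for src, dst, length in parse_capture(text):
        sent[src] += length       # talker: the host transmitting the data
        received[dst] += length   # listener: the host consuming the data
    return sent.most_common(n), received.most_common(n)


if __name__ == "__main__":
    talkers, listeners = top_talkers_listeners(SAMPLE_CAPTURE)
    print("Top talkers (bytes sent):   ", talkers)
    print("Top listeners (bytes recvd):", listeners)
```

On a real link, feed it the output of `tcpdump -nn` instead of the constructed sample; a workstation that suddenly tops the talker list is a common first sign of data leaving the network.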
- SNMP management software
  - Used to monitor network devices like servers, workstations, printers, and network equipment (routers and switches)
  - SNMP Agents
    - Run on the clients and report to the Manager
  - SNMP Manager
    - Receives the data from the agents
    - Used to generate reports and/or alerts
  - Trap
    - Used to inform the manager of events
  - Get
    - Retrieves the value of a specific variable(s)
  - Walk
    - A GET for child nodes or column nodes
  - MIBs
    - Management Information Base
    - Defines the information the agent gathers about the system to report to the manager
  - Alerts
    - Email
      - Sends email to a specified account when alert conditions are triggered
    - SMS
- Packet flow monitoring
  - Used to gather general statistics for a network
    - Overall bandwidth utilization
  - Different from deep packet inspection, which actually looks at the packet headers and contents
- SYSLOG
  - The gathering of program data, errors, or messages
  - Stored as log files
  - Log files are broken up into 3 categories
    - System
      - System events built into the OS
    - History
      - Date, time, user, event keywords/IDs
    - General
      - Anything that might be worth noting by the system
        - Software install/upgrade
        - Driver/software updates
2.1 Given a scenario, use appropriate monitoring tools Pt2
- SIEM
  - Security Information and Event Management
  - OSSIM
- Environmental monitoring tools
- Power monitoring tools
  - Monitor the power consumption, flow, and quality
  - Enable admins to better protect equipment from power issues that can cause physical damage
  - Data Center Infrastructure Management (DCIM)
    - Hardware and software power management
    - Real-time monitoring
    - Allows the admin to control power to DCIM devices
- Wireless survey tools
  - NetStumbler
  - AirSnort
  - Used to check signal strength of an AP
    - Helps put the APs in the most efficient positions
  - Check for rogue APs
  - Check for signal interference
- RF spectrum survey
  - Check the RF spectrum for interference
  - Can be software and a laptop or a dedicated hardware device
  - SNR (Signal to Noise Ratio)
    - Compares the wireless network signal to the ambient signal around it from electrical devices
      - Microwaves
      - Fluorescent lights
      - Cordless phones
    - Measured in dB (the higher the better for signal)
      - 40 dB: Good
      - 10-25 dB: OK
      - 5-10 dB: Poor
- Wireless analyzers