Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring

Network IDS devices use passive network monitoring extensively to detect possible threats. Through passive monitoring, a security admin can gain a thorough understanding of the network’s topology: what services are available, what operating systems are in use, and what vulnerabilities may be exposed on the network. Much of this data can be gathered in an automated, non-intrusive manner through the use of standard tools, which will be discussed later in this article. While the concepts presented here are not difficult to understand, the reader should have at least an intermediate understanding of IP and a base-level familiarity with the operation of network sniffers. Since it is assumed the reader has an intermediate level understanding of the Internet Protocol suite (IP), we will take only a cursory look at the IP and TCP headers, highlighting and giving a brief description of the fields of interest. A very detailed reference to the specific IP protocols is available at in the RFC Sourcebook. In the sample header below, we are primarily interested in the fields that are highlighted in blue and red: the blue fields require mostly manual interpretation while the red fields have tools that automate much of the analysis. Full Story