Capturing Network Traffic and Logs – CompTIA Security+ SY0-401: 2.4

The packets traversing network can be a wealth of information. In this video, you’ll learn how to collect information from network traffic and logs.

<< Previous Video: Capturing System ImagesNext: Capturing Video >>

A lot of the things we do with our computers traverse the network. They’re sending information back and forth over our network connections. And being able to pull up traffic logs can tell you a lot about what a person did, where they visited on the network, what information might have been transferred. These are very, very common to find. And things like firewalls– which are designed to be security devices, and they’re designed to protect your network– very often those are logging everything, every flow of data going in and out. At least at a high level. And it will tell you that this particular IP address and perhaps even this user went to the internet, and they transferred a file to this server. It may not show you the contents of the file, but at least you know that’s what happened. And then you can at least go from there and determine what file did you transfer? Maybe that file’s on someone’s hard drive. Maybe you can go to the server they transferred it to and obtain the file that way.

The firewalls usually have a great deal of detail there. Things like switches and routers don’t log a lot of user-level information generally. They’re telling you that a port on the switch was activated and not activated. But not necessarily what traffic traversed the switch or router. So if you’re a security person, you’re looking for a lot more detail, the firewall may be the place you go from a network logging perspective.

There’s also a lot of log stored in intrusion detection and intrusion prevention systems. Normally they’re just logging unusual traffic or traffic that happened to match a particular signature. So not a comprehensive set. But if somebody’s downloading a file that happens to have in it some information and something that fires off this signature– they’re downloading a vulnerability scanner, they’re downloading some code they can use to attack another machine– your IDS or your IPS might identify that. Yet another data source to go to.

And one of the ultimate data sources, if you have this luxury, is the way to go back to the raw network traffic that traversed the network. Not everybody has this capability, but there are stream-to-disk solutions– that’s what this is called– that takes every bit and byte going in and out of your organization or past a network connection, and it stores it on this massive array, these terabytes and terabytes and terabytes of hard drive space.

These are usually recording every single bit and byte. And so this is great. You can now go back in time and pull out the exact information that traversed the network. Which means you can rebuild emails that went back and forth. You can recreate the files that were transferred. You can see the exact page in a browser when somebody visited a website. You can see everything, because it’s all in that data going over the network. And if you have a stream-to-disk solution, that’s a great place to go to help recreate exactly what went across the network.