On the Wire

A network’s physical layer is deceptively quiet. Hub lights blink in response to network traffic, but do little to convey the range of information that the network carries. Analysis of the individual traffic flows and their content is essential to a complete understanding of network usage. Many tools let you view traffic in real time, but real-time monitoring at any level requires significant human and hardware resources, and doesn’t scale to networks larger than a single workgroup. It is generally more practical to archive all traffic and analyze subsets as necessary. This process is known as reconstructive traffic analysis, or network forensics.1 In practice, it is often limited to data collection and packetlevel inspection; however, a network forensics analysis tool (NFAT) can provide a richer view of the data collected, allowing you to inspect the traffic from further up the protocol stack.2 The IT industry’s ever-growing concern with security is the primary motivation for network forensics. A network that has been prepared for forensic analysis is easy to monitor, and security vulnerabilities and configuration problems can be conveniently identified. It also allows the best possible analysis of security violations. Most importantly, analyzing a complete record of your network traffic with the appropriate reconstructive tools provides context for other breach-related events. For example, if your analysis detects a user account and its Pretty Good Privacy (PGP, www.pgp.com/index.php) keys being compromised, good practice requires you to review all subsequent activity by that user, or involving those keys. In some industries, laws such as the Health Insurance Portability and Accountability Act (HIPAA, http://cms.hhs.gov/hipaa) regulate monitoring the flow of information. While it is often difficult to balance what is required by law and what is technically feasible, a forensic record of network traffic is a good first step. Security and legal concerns are not the only reasons to want a fuller understanding of your network traffic, however. Forensics tool users have reported many other applications. If your mail server has lost several hours’ or days’ worth of received messages and traditional backup methods have failed, you can recover the messages from the recorded traffic. Similarly, the forensics record allows unhurried analysis of anomalies such as traffic spikes or application errors that might otherwise have remained hearsay.