Network Capture Visualisation Integrated Design Project 3 Euan McKerrow S1223475 Khalid Zeari S1312249 Nabeel Nabi S1222196 Tamar Everson S1226265 Published, April 28th 2015 1 | P a g e Content Page Abstract 1 Introduction 2 Literature Review 2.1 Network Comparison 2.2 Intrusion Detection 2.3 Visualisation Tools 2.4 Specific Tools 3 Method 3.1 Design 3.2 Apparatus & Software 3.3 Procedure 4 Results 4.1 RUMINT 4.2 Wireshark 4.3 EtherApe 4.4 Network Miner 4.5 Comparison 4.6 Our tool (ENVA) 5 Final Discussion & Conclusions 5.1 Discussion 5.2 Project critique 5.3 Further work 5.4 Conclusions References Bibliography 2 | P a g e Abstract: There have been many tools which have been created for visually analysing network traffic, these have been created to show visually the packets and the data about live PCAP files and captured PCAP files. These tools have made it easier for an analyst to view the data instead of reading it, because it is easier for them to comprehend the information. The tools created can do more that just display the information they can allow the analyst to filter certain packets so that the visual representation isn’t overwhelming. Keywords: PCAP, Network visualisation, unusual traffic detection. 1 Introduction for both manual and automated visualisation techniques we have PCAP There has been a growing interest visualisation techniques to bring human life in the visualisation of PCAP files and the into the investigative cycle. (Mehmet security of a network. Trying to detect Celenk, Member, IEEE, Thomas Conley, John malicious activity within a network is a Willis, Student Member, IEEE, and James difficult problem to face, made more Graham, Student Member, IEEE 2010) difficult by large scale databases and very Predictive Network Anomaly Detection and limited function of analysis tools. Even on a Visualization. Research has been done in the small network analysing packets manually past for many years for PCAP files to be is inefficient and time consuming. (Sven used to create an alert system. In our Krasser’, Member, IEEE; Gregory Conti, research we will be reviewing these 2005)Real-Time and Forensic Network Data software and tools, to observe what Analysis information can be obtained from the tools Using Animated and Coordinated and compare them to each other. The Visualization.Current machine processing information that we would like to know techniques, while they are quite fast, they from each software is how well they can still suffer from a unpleasant percentage of handle a trojan attack, worm attack what false positive and false negative alert. The information it can give from the packets. By world wide web has become one of the comparing the tools that we are looking at nation's critical infrastructures, there is a we will be able to pick out the one that we large amount of data being transmitted find most useful and user friendly, which all everyday over a standard network making it other tools should follow as an example. We very difficult to notice any malicious will also be looking to develop a preferred activity. There are many ways to display solution program, which will address the PCAP files; typically, we analyse data with issues of the programs already tested on the written reports, command scripts, or simple market. bar graphs and pie charts. However there is ways of displaying those files visually, using 2 Literature Review programs and tools, with the intention to test which programs exceeds in cost, packet In this literature review, we aim to visualisation, malformed packet research into specific areas so later in our identification, malicious packet detection, report we can bring the areas together, and filters, blacklist packets for flags, and create our own intake and interruption of unusual packet detection. Using visual the results from our experiment. The areas representation instead of textual we look to cover is: network comparison representation can help in carrying out tool paper, searching for papers that analysis on the data. Looking at the data it compare network monitoring tools, to find a takes humans less time to understand best possible solution to carry out and specific information or patterns in an image display the results of our own experiment; rather than in text. Life form over time have intrusion detection papers, papers that become more advanced and knowledgeable research into patterns of attacks and the in recognising complex patterns better than how they appear mixed-in with ‘normal’ and computers.(Mansour Alsaleh, David legitimate network traffic; visualisation Barrera, P.C. van Oorschot 2008) Improving development papers, looking into the Security Visualization with Exposure Map benefits of visualizing a tool and what type Filtering Most importantly advanced of visualisation is the best to use; and finally visualization tools make it easier for research papers on specific tools we are humans to detect threats. To accommodate going to aim to use in our research paper, 3 | P a g e looking at their design and underlined key Systems and EtherApe and Caspa were features of the tool. found to visualise the data the best and most efficient. The first area we are looking at in In this paper, Suri and Batra the literature review is network tools and demonstrated the benefits and defining how the tools stand out in comparison with feature of the four tools. one another. The next research paper is the similar to the Suri and Batra’s research paper only looking at three of the tools. 2.1 Network Comparison tools: (Gandhi, Suri, Golyan, Saxena and Saxen. 2014) Packet Sniffer - A Comparative Study. The first paper researches the use Gandhi, Suri, Golyan, Saxena and Saxen of four network tools: Wireshark, Tcpdump, (2014) researched key features of the EtherApe and Caspa. Looking at functions following network tools: Wireshark, each tool can carry out and how they work Tcpdump, Colasoft Caspa. They stated like, what Operating System they work on. similar to Suri and Batra (2012) paper that (Suri, Batra. 2012) Comparative Study of Wireshark had the best cross-platform as it Network Monitoring Tools. Suri and Batra is able to use on Windows and Unix based (2012) examined and defined the key Operating System, whereas Tcpdump is feature of the following network tools: only Unix based and Caspa is only Windows Wireshark, Tcpdump, EtherApe and Caspa. based. It was tested that Wireshark uses the They found Wireshark had the best cross- most disk usage and Tcpdump the least by platform working on Mac OS X, Windows, quite a bit. Caspa is the only tool that costs Solaris, and BSD, then Tcpdump and money ($999) as the other two are free. EtherApe was next best working on Unix Wireshark can deal with the most protocols based operating system and then finally with over 1000, then Caspa at 300 protocol, Caspa only working on some Linux based and lastly Tcpdump only deals with the TCP Operating Systems. They also underlined and IP packet protocols. Caspa is the only each tools defining features starting with tool that can put alarms on traffic and Wireshark. Wireshark can capture data live protocols, however both Wireshark and “from the wire”, meaning it can capture Caspa can identify packets with forged data. packets in real-time as they go through the Again in this paper, the benefits of network. Wireshark also has the capabilities each tools is underlined, creating a ranking to read from already logged PCAP files. They system based on capabilities. In this paper, also found Wireshark has the capability to the results were placed in a results table capture VoIP packets, which none of the making the comparison of tools easy to read other tools can do and the tool is split into for the reader, and is a good, efficient way of three panels: the transmission overview, displays the results. packet details and a panel for showing raw The next section and area of hex. Next they researched into Tcpdump interest is intrusion detection. which is a command-line based tool and found the tool picked up all packets, even the ones without an address. As Tcpdump is 2.2 Intrusion Detection: command-line based they are a lot of different options that the user can use, This paper looks how to develop a making the tool very effective if the user tool for intrusion detection visually. (Alaa knows what they are doing. EtherApe was El-Din Riad, Ibrahim Elhenawy, Ahmed the next tool researched finding the tool Hassan and Nancy Awadallah. 2011) Data have the benefit of a well thought-through visualisation Technique Framework for visual design, with colour coordination. Intrusion Detection. El-Din Riad, Elhenawy, EtherApe also has a filter feature like the Hassan and Awadallah, researched into the rest of the tools used except Tcpdump. ways intrusion detection can be improved, Finally they looked at Caspa, Caspa was and found that for the best results and found to be easy to use, and deals better would be more beneficial to capture in real- with real-time packets. Caspa was ideal for time. In this paper, they proposed to looking at LAN and WLAN networks. develop the tool called Snort, making it From Suri and Batra’s paper, more visual and better at detecting Wireshark was found to Wireshark worked intrusion. They suggested to implement this best, working on different Operating by using CSS & PHP. The paper also stated to make this work with Snort, it would 2 | P a g e require five elements: a packet decoder, a preprocessor, a detection engine, a logging 2.4 Specific Tools: and alerting system and output modules. This also requires the identification of Wireshark attack signatures that are in common with (McRee.