
Practice of packet capture based on Web

2025-02-23 Update. From: SLTechnology News&Howtos, Network Security


Shulou(Shulou.com)06/01 Report--


Packet capture is an essential skill for operations staff. Many network faults, such as ARP spoofing and broadcast storms, can only be resolved by capturing traffic, and some cable or fibre contact faults are also hard to analyze without a capture. One case: an interconnect between two companies tested fine on the cable tester but never worked. Capture analysis showed that ping requests to the other organization's hosts were accompanied by ARP queries instead of being sent to the router, which pointed at a wrong subnet mask; closer inspection confirmed that the mask on the router was set incorrectly. There are many packet capture tools; what matters is choosing one that suits you.

This article introduces a troubleshooting tool in the OSSIM environment: a Web-based packet analysis tool. It is Wireshark in another form, and its presentation is very similar to the CloudShark appliance (cloudshark.org), as shown in the figure below.

Functionally, this Web-based capture and analysis tool is a compact version of Wireshark. Its advantage is that a remote client can capture packets on the server side through the Web interface, and it can also capture the packet anomalies detected by the various sensors (which collect traffic from different network segments). Readers of this chapter should have basic knowledge of network sniffing and datagram analysis, and some experience capturing packets with Wireshark.

Previously, network faults were analyzed by capturing packets on a system with tcpdump, saving the capture file, and importing it into Wireshark for analysis. With Traffic Capture in the OSSIM WebUI that is no longer necessary: open Environment → Traffic Capture.

Select the sensor that will capture the packets

Note that in the settings, both the source address and the destination address are optional. Usage is simple: enter the source and destination addresses and click the Capture button.

Before using this tool, however, operators should be familiar with TCP, UDP, IP and ICMP, and with common application-layer protocols such as HTTP, DHCP, DNS and FTP, including the TCP and UDP header formats, which are described below:
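The following is an added example, not code from the original article, from OSSIM or from Wireshark. It ties together three points made above: the header formats an operator is expected to know (Ethernet, ARP, IPv4, ICMP, TCP, UDP), the optional source/destination filter of the Traffic Capture form, and the mask-error diagnosis from the introduction (a host ARPing for addresses that belong to a remote network instead of routing to them). The MAC addresses, the 10.1.0.0/24 and 10.2.0.0/24 networks and every frame in SAMPLE_CAPTURE are constructed for the example; the builders only exist so that the sample runs offline.

```python
# Added example (not code from the original article, OSSIM or Wireshark).
# Part 1 builds a small constructed capture; part 2 decodes Ethernet, ARP,
# IPv4, ICMP, TCP and UDP headers the way Wireshark's detail pane does;
# part 3 applies the Traffic Capture form's optional source/destination
# filter and flags the mask-error symptom described in the introduction.
import struct
import ipaddress

ETH_ARP, ETH_IP4 = 0x0806, 0x0800
BROADCAST = b"\xff" * 6

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

# --- part 1: minimal builders, used only to construct the sample capture ---
def eth(dst, src, etype, payload):
    return struct.pack("!6s6sH", dst, src, etype) + payload

def arp_request(smac, sip, tip):
    body = struct.pack("!HHBBH", 1, ETH_IP4, 6, 4, 1)  # Ethernet/IPv4, opcode 1 = request
    body += smac + ipaddress.IPv4Address(sip).packed
    body += b"\x00" * 6 + ipaddress.IPv4Address(tip).packed
    return eth(BROADCAST, smac, ETH_ARP, body)

def ipv4(dmac, smac, sip, dip, proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(sip).packed, ipaddress.IPv4Address(dip).packed)
    return eth(dmac, smac, ETH_IP4, hdr + l4)  # checksum left 0; the decoder ignores it

def icmp_echo_request(ident=1, seq=1):
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"ping"  # type 8 = echo request

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp_syn(sport, dport):
    # data offset 5 words, flags SYN (0x002), window 65535, checksum/urgent 0
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | 0x002, 65535, 0, 0)

# --- part 2: the decoder ---
def parse_frame(frame):
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"src_mac": mac_str(src), "dst_mac": mac_str(dst)}
    body = frame[14:]
    if etype == ETH_ARP:
        _, _, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
        spa = body[8 + hlen:8 + hlen + plen]                        # sender protocol address
        tpa = body[8 + 2 * hlen + plen:8 + 2 * hlen + 2 * plen]     # target protocol address
        pkt.update(proto="ARP", op="request" if op == 1 else "reply",
                   src_ip=str(ipaddress.IPv4Address(spa)),
                   dst_ip=str(ipaddress.IPv4Address(tpa)))
    elif etype == ETH_IP4:
        ihl = (body[0] & 0x0F) * 4                                  # header length in bytes
        total_len = struct.unpack("!H", body[2:4])[0]
        pkt.update(src_ip=str(ipaddress.IPv4Address(body[12:16])),
                   dst_ip=str(ipaddress.IPv4Address(body[16:20])))
        l4 = body[ihl:total_len]
        if body[9] == 1:                                            # ICMP
            pkt.update(proto="ICMP", icmp_type=l4[0], icmp_code=l4[1])
        elif body[9] == 6:                                          # TCP
            sport, dport, _, _, off_flags = struct.unpack("!HHIIH", l4[:14])
            pkt.update(proto="TCP", sport=sport, dport=dport, flags=off_flags & 0x1FF)
        elif body[9] == 17:                                         # UDP
            sport, dport, ulen = struct.unpack("!HHH", l4[:6])
            pkt.update(proto="UDP", sport=sport, dport=dport, payload=l4[8:ulen])
        else:
            pkt.update(proto=f"IP proto {body[9]}")
    else:
        pkt.update(proto=f"ethertype 0x{etype:04x}")
    return pkt

# --- part 3: the form's optional filters, and the diagnosis ---
def filter_frames(frames, src=None, dst=None):
    """Keep frames whose IP source/destination match; either filter may be omitted."""
    return [p for p in map(parse_frame, frames)
            if (src is None or p.get("src_ip") == src) and (dst is None or p.get("dst_ip") == dst)]

def suspect_mask_errors(frames, local_net):
    """ARP requests for addresses outside local_net: the sender treats a remote
    host as on-link instead of routing to it, the classic sign of a wrong mask."""
    net = ipaddress.IPv4Network(local_net)
    return [(p["src_ip"], p["dst_ip"]) for p in map(parse_frame, frames)
            if p.get("proto") == "ARP" and p["op"] == "request"
            and ipaddress.IPv4Address(p["dst_ip"]) not in net]

# Constructed sample: 10.1.0.0/24 is the local LAN, 10.2.0.0/24 the partner site.
H1, GW = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\x01"   # hypothetical MACs
SAMPLE_CAPTURE = [
    arp_request(H1, "10.1.0.20", "10.1.0.1"),                        # fine: resolving the gateway
    ipv4(GW, H1, "10.1.0.20", "10.2.0.9", 1, icmp_echo_request()),   # fine: ping sent via the router
    ipv4(GW, H1, "10.1.0.20", "10.2.0.9", 17, udp(53000, 53, b"dns")),
    ipv4(GW, H1, "10.1.0.20", "10.2.0.9", 6, tcp_syn(40000, 80)),
    arp_request(H1, "10.1.0.20", "10.2.0.10"),                       # wrong: ARPing for a remote host
]

if __name__ == "__main__":
    for p in filter_frames(SAMPLE_CAPTURE, src="10.1.0.20"):
        print(p)
    print("possible mask errors:", suspect_mask_errors(SAMPLE_CAPTURE, "10.1.0.0/24"))
```

With a real capture, feed parse_frame the link-layer bytes of each record (for example from a pcap saved by tcpdump) instead of SAMPLE_CAPTURE; the decoder ignores checksums, so frames captured on the sending host with checksum offload still parse. The diagnosis only reports ARP requests, because an ARP reply for a remote address would mean a second host is also misconfigured or is answering on its behalf, which is a different fault.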

For more information, refer to Best Practices of OSSIM, the open-source security operations platform.
