I am new to networking. I would like to capture real-time network traffic from which I can determine normal network behavior, with the goal of building an anomaly-based intrusion detection system. I would like to know how to implement this, specifically:
1) How do I capture real-time network traffic?
2) What network parameters does the collected data contain?
3) What is the significance of each parameter in determining anomalies from normal network behavior?
4) I have a laptop and wifi internet. Can I implement this using these two things? If not, please suggest some simple method with which I can implement this.
Advice and suggestions deeply appreciated.
asked 15 Mar '11, 16:37
edited 15 Mar '11, 16:41
If you really want to do all this you're in for a lot of work, so let's see if I can break it down for you:
1) You can capture real-time network traffic using Wireshark, tshark, dumpcap or tcpdump, which usually results in one or more network trace files (recorded packets) being written to disk. For this you might need a large amount of storage space and a fast PC architecture that is able to write data to disk as fast as it is coming in on the network card used to capture it.
2) Not really sure what you mean by network parameters - if you decide to capture full packets you'll get everything that was transmitted over the network at the point of capture. Keep in mind that (at least for wired networks) it is usually not possible to have one single capture recording everything that happens in your network, but you'll have to concentrate on one or more specific choke points. Even with wireless installations you might not be able to record everything that is going on since you might capture in a spot that doesn't see all radio activity going on.
3) This is the complicated part - if you want to do anomaly detection you first need to know what's normal and what isn't. This is a huge area and not something you can easily do in a short amount of time. Anomaly detection requires the ability to compare packets with each other, track certain events over time, and (in the simplest cases) detect invalid packet structures (for example, TCP headers with the SYN and FIN bits set at the same time). If you take a look around at IPS/IDS solutions you'll see that all of them struggle to detect as much as possible, and still there are tons of anomalies (from dedicated hacking techniques or from faulty stack implementations) that they don't detect.
4) A laptop and a wifi card that is supported by Wireshark are the most basic things you'd need, and you can start with them. That is good enough to capture packets and look at them, but if you're interested in doing fully automated live traffic inspection you'll have to code some kind of application that reads the live recorded trace files and processes them. You'll have to give it all the expert functionality to detect what correct traffic patterns are and what isn't. Not trying to scare you off, but it can easily turn into a huge project ;-)
answered 15 Mar '11, 17:01
edited 15 Mar '11, 17:04
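As an added illustration of points 3) and 4) above (this is example code written for this page, not the answerer's or Wireshark's code), the following Python script implements the two simplest building blocks the answer describes: a per-packet structural check that flags impossible TCP flag combinations such as SYN+FIN, and a per-source counter compared against a baseline threshold. It uses only the standard library and works on raw Ethernet/IPv4/TCP frames; the frames, IP addresses and the `syn_threshold` value are constructed for the example, where in practice the bytes would come from a pcap written by dumpcap or tcpdump and the threshold from a measured baseline.

```python
import struct
from collections import Counter

# TCP flag bits (RFC 793); CWR/ECE are deliberately excluded from the null check.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ip_bytes(dotted):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame as constructed test input.
    Checksums are left zero; parse_frame() ignores them."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[23] != 6 or len(frame) < 14 + ihl + 20:
        return None                        # not TCP, or truncated
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]


def structural_anomalies(flags):
    """Flag combinations that no conforming TCP stack emits."""
    issues = []
    if flags & SYN and flags & FIN:
        issues.append("SYN+FIN")
    if flags & SYN and flags & RST:
        issues.append("SYN+RST")
    if (flags & 0x3F) == 0:
        issues.append("null flags")
    return issues


def analyse(frames, syn_threshold):
    """Stage 1: per-packet structural checks. Stage 2: count connection
    attempts (SYN without ACK) per source and compare with the baseline."""
    alerts = []
    syn_counts = Counter()
    for i, frame in enumerate(frames):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        for issue in structural_anomalies(flags):
            alerts.append((i, src, issue))
        if flags & SYN and not flags & ACK:
            syn_counts[src] += 1
    for src, n in syn_counts.items():
        if n > syn_threshold:
            alerts.append((None, src, f"{n} SYNs exceeds baseline {syn_threshold}"))
    return alerts


# Constructed sample traffic: one normal handshake plus teardown ...
NORMAL_FRAMES = [
    build_frame("10.0.0.2", "10.0.0.1", 40000, 80, SYN),
    build_frame("10.0.0.1", "10.0.0.2", 80, 40000, SYN | ACK),
    build_frame("10.0.0.2", "10.0.0.1", 40000, 80, ACK),
    build_frame("10.0.0.2", "10.0.0.1", 40000, 80, FIN | ACK),
]
# ... then a malformed SYN+FIN packet and a burst of SYNs from one host.
SAMPLE_FRAMES = NORMAL_FRAMES + [
    build_frame("10.0.0.7", "10.0.0.1", 41000, 22, SYN | FIN),
] + [build_frame("10.0.0.9", "10.0.0.1", 42000 + p, 443, SYN) for p in range(5)]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_FRAMES, syn_threshold=3):
        print(alert)
```

The structural check corresponds to the "invalid packet structures" case in the answer and needs no baseline at all; the SYN counter is the simplest form of "tracking events over time" and is only as good as the threshold you derive from your own normal traffic, which is exactly the hard part the answer warns about.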