This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to capture real-time network traffic? Also, what are the various network parameters which can be used to perform anomaly analysis?

I am new to networking. I would like to capture real-time network traffic with which I can determine normal network behavior. I would like to make an anomaly-based intrusion detection system. I would like to know how to implement this. I would like to know the following:

1) How to capture real-time network traffic?
2) What network parameters does the collected data have?
3) What is the significance of each parameter in determining anomalies in normal network behavior?
4) I have a laptop and Wi-Fi internet. Can I implement this using these two things? If not, please suggest some simple method with which I can implement this.

Advice and suggestions deeply appreciated.

Thank you

asked 15 Mar '11, 16:37

varkeyed
edited 15 Mar '11, 16:41


One Answer:

If you really want to do all this you're in for a lot of work, so let's see if I can break it down for you:

1) You can capture real-time network traffic using Wireshark, tshark, dumpcap or tcpdump, which usually results in one or more network trace files (recorded packets) being written to disk. For this you might need a large amount of storage space and a fast PC architecture that is able to write data to disk as fast as it is coming in on the network card used to capture it.

2) Not really sure what you mean by network parameters - if you decide to capture full packets you'll get everything that was transmitted over the network at the point of capture. Keep in mind that (at least for wired networks) it is usually not possible to have one single capture recording everything that happens in your network, but you'll have to concentrate on one or more specific choke points. Even with wireless installations you might not be able to record everything that is going on since you might capture in a spot that doesn't see all radio activity going on.

3) This is the complicated part - if you want to do anomaly detection you first need to know what's normal and what isn't. This is a huge area and not something you can easily do in a short amount of time. Anomaly detection requires the ability to compare packets with each other, track certain events over time, and (in the most simple cases) to detect invalid packet structures (for example, TCP headers with SYN and FIN bit being set at the same time). If you take a look around at IPS/IDS solutions you'll see that all of them struggle to detect as much as possible, and still there are tons of anomalies (by dedicated hacking techniques or by faulty stack implementations) that they don't detect.

4) A laptop and a Wi-Fi card that is supported by Wireshark is the most basic thing you'd need, and you can start with it. It is good enough to capture packets and look at them, but if you're interested in doing fully automated live traffic inspection you'll have to code some kind of application that reads the live recorded trace files and processes them. You'll have to give it all the expert functionality to detect which traffic patterns are correct and which aren't. Not trying to scare you off, but it can easily turn into a huge project ;-)

answered 15 Mar '11, 17:01

Jasper ♦♦
edited 15 Mar '11, 17:04
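As an added illustration of points 1), 3) and 4) of the answer above (this is example code written for this archive page, not code from the original poster or the Wireshark project): the script below reads a classic libpcap trace file, the format `tcpdump -w` writes (recent Wireshark/tshark/dumpcap default to pcapng; pass `-P` to dumpcap or tshark to get classic pcap), walks the Ethernet/IPv4/TCP headers itself, and flags the "invalid packet structure" case the answer mentions, a TCP header with SYN and FIN set together. It goes slightly beyond the answer by also naming the other flag combinations no conforming stack emits (SYN+RST, no flags, FIN+PSH+URG). The sample capture is constructed in memory so the script runs offline; the addresses, ports and timestamps in it are made up.

```python
import socket
import struct
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap magic as read on a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1      # same magic when the file was written big-endian
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (test data only; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a classic pcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_300_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_packets(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) from a classic pcap byte string, honouring the file's endianness."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(end + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes) -> Optional[Tuple[str, str, int, int, int]]:
    """Return (src, dst, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 + 20 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:ihl + 20]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, tcp[13]


def classify_flags(flags: int) -> Optional[str]:
    """Name the flag combination if no conforming TCP stack would send it, else None."""
    if (flags & TCP_SYN) and (flags & TCP_FIN):
        return "SYN+FIN set together"
    if (flags & TCP_SYN) and (flags & TCP_RST):
        return "SYN+RST set together"
    if (flags & 0x3F) == 0:
        return "no flags set (NULL scan)"
    xmas = TCP_FIN | TCP_PSH | TCP_URG
    if (flags & xmas) == xmas:
        return "FIN+PSH+URG (XMAS scan)"
    return None


def find_anomalies(pcap_bytes: bytes) -> List[Tuple[float, str, str, int, int, str]]:
    """Scan every TCP packet in the capture and return the malformed ones with a reason."""
    findings = []
    for ts, frame in iter_pcap_packets(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        reason = classify_flags(flags)
        if reason:
            findings.append((ts, src, dst, sport, dport, reason))
    return findings


# Constructed sample capture: a legitimate handshake start followed by two malformed probes.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.0.2.10", "192.0.2.80", 40000, 80, TCP_SYN),
    build_tcp_frame("192.0.2.80", "192.0.2.10", 80, 40000, TCP_SYN | TCP_ACK),
    build_tcp_frame("198.51.100.7", "192.0.2.80", 1337, 22, TCP_SYN | TCP_FIN),
    build_tcp_frame("198.51.100.7", "192.0.2.80", 1338, 22, 0),
])

if __name__ == "__main__":
    for ts, src, dst, sport, dport, reason in find_anomalies(SAMPLE_PCAP):
        print(f"{ts:.6f} {src}:{sport} -> {dst}:{dport}  {reason}")
```

To run it against a real trace, replace `SAMPLE_PCAP` with `open("trace.pcap", "rb").read()` after capturing with `tcpdump -i wlan0 -w trace.pcap` (interface name is an assumption). Note that this is the easy, stateless part of the answer's point 3): each packet is judged on its own. Tracking sessions over time and learning what "normal" looks like needs per-flow state on top of this.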

Thank you Jasper. Actually, I want to do signature analysis on incoming network traffic. For that I will have to use NetFlow coming to my system. I want to know what this "NetFlow" contains. This is what I mean by network traffic parameters. In simple terms, I mean the content of "NetFlow", something like source and destination IP, packet delay etc. with which I can do analysis... (continued in next comment..)

(16 Mar '11, 10:54) varkeyed

I heard about something called the KDD dataset which contains predefined intrusion patterns. So I would like to create a database using that dataset and want to compare incoming NetFlow with those database entries for performing signature analysis. Please tell me if it is possible. Also, I would like to use Artificial Neural Networks for anomaly analysis... I would like to train the Neural Network using the "NetFlow" and make it learn that it is the normal behavior, and an entirely different NetFlow can be taken as an anomaly. I would like to do these things. Please advise me on what to do.. :)

(16 Mar '11, 11:00) varkeyed

Well, if you want to be able to receive NetFlow records you need to write an application that opens a UDP socket and listens to the incoming UDP packets containing the data. I've written a Windows service application like that for NetFlow version 5 to do traffic accounting, and if I remember correctly I used the format details from http://netflow.caligare.com/netflow_v5.htm, which will also tell you the contents of such a NetFlow packet.

I don't know if you have experience in Neural Network programming, but you're still aiming pretty high I'd say :-)

(16 Mar '11, 12:21) Jasper ♦♦
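To make the comment above concrete (added example for this archive page, not Jasper's service or any Cisco/Wireshark code): a NetFlow v5 export datagram is a 24-byte header followed by up to 30 fixed 48-byte flow records, all big-endian. The parser below unpacks both, checks the version, record count and datagram length before trusting any field, and derives the per-flow features the asker was looking for (source/destination address and port, protocol, packet and byte counts, flow duration from the `First`/`Last` uptime stamps, bytes per packet). The sample datagram is constructed inline with made-up addresses and counters; the UDP collector function at the end is the listener the comment describes and is not exercised by the sample run. Port 2055 is just a common convention, not a standard.

```python
import socket
import struct
from typing import Any, Dict, Iterator, List, Tuple

NF5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes per flow record
NF5_MAX_RECORDS = 30
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_netflow_v5(datagram: bytes) -> Dict[str, Any]:
    """Decode one NetFlow v5 export datagram into a header dict with a list of flow dicts."""
    if len(datagram) < NF5_HEADER.size:
        raise ValueError("datagram shorter than the NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = NF5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > NF5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds the v5 maximum of {NF5_MAX_RECORDS}")
    needed = NF5_HEADER.size + count * NF5_RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"truncated datagram: need {needed} bytes, got {len(datagram)}")
    records: List[Dict[str, Any]] = []
    for i in range(count):
        off = NF5_HEADER.size + i * NF5_RECORD.size
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = NF5_RECORD.unpack_from(datagram, off)
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "nexthop": socket.inet_ntoa(nexthop), "in_if": in_if, "out_if": out_if,
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
            "packets": pkts, "bytes": octets,
            "tcp_flags": tcp_flags,                 # OR of all flags seen in the flow
            "duration_ms": last - first,            # First/Last are SysUptime millisecond stamps
            "bytes_per_packet": octets / pkts if pkts else 0.0,
            "src_as": src_as, "dst_as": dst_as, "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "export_time": unix_secs + unix_nsecs / 1e9, "flow_sequence": flow_seq,
        "engine_type": engine_type, "engine_id": engine_id,
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
        "records": records,
    }


def one_packet_syn_flows(parsed: Dict[str, Any]) -> List[Tuple[str, str, int]]:
    """A simple feature-based rule: TCP flows of exactly one SYN-only packet, typical of scans."""
    return [(r["src"], r["dst"], r["dport"]) for r in parsed["records"]
            if r["proto"] == 6 and r["packets"] == 1
            and r["tcp_flags"] & TCP_SYN and not r["tcp_flags"] & TCP_ACK]


def build_record(src: str, dst: str, sport: int, dport: int, proto: int,
                 pkts: int, octets: int, first: int, last: int, tcp_flags: int) -> bytes:
    """Pack one constructed v5 flow record (next hop 0.0.0.0, interfaces 1 and 2, /24 masks)."""
    return NF5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                           1, 2, pkts, octets, first, last, sport, dport,
                           0, tcp_flags, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample export: a completed HTTP connection and a single SYN to port 22.
SAMPLE_DATAGRAM = (
    NF5_HEADER.pack(5, 2, 600_000, 1_300_000_000, 0, 42, 0, 0, 0)
    + build_record("192.0.2.10", "192.0.2.80", 40000, 80, 6, 12, 9_800, 590_000, 590_350, 0x1B)
    + build_record("198.51.100.7", "192.0.2.80", 1337, 22, 6, 1, 40, 599_990, 599_990, TCP_SYN)
)


def collect(port: int = 2055) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Bind a UDP socket and yield (exporter_ip, parsed datagram); malformed datagrams are dropped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (exporter, _) = sock.recvfrom(65535)
        try:
            yield exporter, parse_netflow_v5(data)
        except ValueError as exc:
            print(f"dropping datagram from {exporter}: {exc}")


if __name__ == "__main__":
    parsed = parse_netflow_v5(SAMPLE_DATAGRAM)
    for r in parsed["records"]:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} proto={r['proto']} "
              f"pkts={r['packets']} bytes={r['bytes']} dur={r['duration_ms']}ms flags={r['tcp_flags']:#04x}")
    print("one-packet SYN flows:", one_packet_syn_flows(parsed))
```

Two things worth noting against the asker's plan: a flow record carries no per-packet timing, so "packet delay" is not available from NetFlow v5 (only the first/last timestamps of the whole flow), and the exporter, not the collector, decides when a flow is cut and exported, so the same traffic can look different depending on the router's active/inactive timeouts. Both matter when feeding records to a signature database or a neural network trained on them.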