
Network Monitoring

Deploy Zeek (Bro), Security Onion, Wireshark. Deep packet inspection. Traffic baselining.


What is Network Monitoring?

Network Monitoring continuously captures and analyzes network traffic to detect anomalies, threats, and performance issues. Unlike firewalls that block traffic, monitoring tools passively observe everything flowing through the network for forensics, threat hunting, and compliance.

Why Monitor Network Traffic?

  • Threat Detection: Identify malware C2, data exfiltration, lateral movement
  • Forensics: Historical data for incident investigation (PCAP replay)
  • Compliance: PCI-DSS, HIPAA require network logging and monitoring
  • Performance: Bandwidth usage, latency issues, misconfigurations

Essential Network Monitoring Tools

🦬 Zeek (Bro)

Network Security Monitor (NSM) framework

  • Deep protocol analysis (HTTP, DNS, SMB, SSL)
  • Generates structured logs for SIEM ingestion
  • Scriptable detection engine (Zeek scripting)
  • Tracks connections, files, certificates

🦈 Wireshark

Packet capture & analysis (GUI)

  • Interactive packet inspection (deep dive)
  • 1000+ protocol dissectors
  • Display filters for targeted analysis
  • Reconstruct files, decrypt SSL (with keys)

🧅 Security Onion

All-in-one NSM distro (Linux)

  • Combines Zeek + Suricata + Elastic Stack
  • Pre-configured dashboards (Kibana)
  • Full packet capture (Stenographer)
  • Ideal for SOC deployment

🔎 tcpdump

CLI packet capture (lightweight)

  • Command-line PCAP capture
  • BPF filters for targeted capture
  • Low resource usage (headless servers)
  • Capture files readable by Wireshark

Key Network Indicators to Monitor

🌐 DNS Queries:

Unusual domains (DGA), DNS tunneling (data exfil via DNS), C2 beaconing

🔒 SSL/TLS Certificates:

Self-signed certs (malware), suspicious CN/SAN fields, expired certificates

📁 File Transfers:

Large outbound transfers (exfiltration), FTP/SMB file activity, archive uploads (.zip, .rar)

🌍 Geolocation:

Connections to unexpected countries (e.g., China, Russia for US org), blacklisted IPs

⏱️ Connection Patterns:

Regular beaconing (malware C2), long-duration connections, port scanning

📡 Protocols:

Unusual protocols (IRC, Tor), protocol misuse (HTTP on port 8443), raw sockets

Zeek Log Files (NSM Output)

conn.log: All network connections (src, dst, ports, bytes)
http.log: HTTP requests (URLs, user-agents, status codes)
dns.log: DNS queries/responses (domains resolved)
ssl.log: TLS connections (certificates, ciphers, SNI)
files.log: Files transferred (hashes, MIME types)
smtp.log: Email traffic (sender, recipient, attachments)
x509.log: SSL certificate details (CN, validity)
weird.log: Protocol violations, anomalies

💡 These logs are JSON/TSV formatted and easily ingested into Splunk, ELK, or QRadar for correlation

Traffic Analysis Workflow

1. Capture: Deploy SPAN/TAP to mirror traffic. Use tcpdump or Zeek to capture packets.

2. Parse: Zeek generates logs. Wireshark dissects packets. Extract metadata (IPs, domains, files).

3. Enrich: GeoIP lookup, threat intel feeds (VirusTotal, AlienVault OTX), WHOIS, passive DNS.

4. Correlate: SIEM correlates network logs with endpoint, firewall, AD logs. Detect attack chains.

5. Hunt: Proactively search for IOCs (indicators of compromise). Stack counting, frequency analysis.

Example Commands

Capture HTTP traffic (tcpdump):
  tcpdump -i eth0 -w capture.pcap port 80

Wireshark display filter (show only DNS):
  dns

Zeek analyze PCAP file:
  zeek -r capture.pcap

Query Zeek logs (find all connections to an IP, showing source, destination and port rather than only the matching column):
  zeek-cut id.orig_h id.resp_h id.resp_p < conn.log | grep 203.0.113.45
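The Hunt step of the workflow (stack counting, frequency analysis) and the zeek-cut query above can be taken a step further by parsing conn.log directly. The script below is an added example, not code from the original page or from the Zeek project: it parses Zeek's TSV conn.log, flags beacon-like connections by how regular their intervals are, and stack-counts a field so the rarest values surface. The sample log, the jitter threshold and the minimum connection count are constructed/assumed values.

```python
"""Hunt over a Zeek conn.log: parse the TSV, flag regular beaconing, stack-count a field."""
import statistics
from collections import Counter, defaultdict

# Constructed sample conn.log in Zeek's TSV layout (#fields header, '-' = unset); not real traffic.
# 10.0.0.5 contacts 203.0.113.45:443 every 60 s (beacon-like); 10.0.0.7 browses at irregular times.
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09",
     "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"]
    + [f"{1700000000 + 60 * i}.0\tC{i}\t10.0.0.5\t5{i:04d}\t203.0.113.45\t443\ttcp\tssl"
       for i in range(8)]
    + [f"{1700000000 + t}.0\tD{t}\t10.0.0.7\t4{t:04d}\t198.51.100.10\t80\ttcp\thttp"
       for t in (3, 41, 42, 300, 305, 900, 1500, 1503)]
    + ["1700000500.0\tE1\t10.0.0.9\t40100\t192.0.2.8\t6667\ttcp\t-",  # service unset
       "#close\t2025-01-01-00-00-00"])

def parse_conn_log(text):
    """Parse Zeek TSV rows into dicts; the '#fields' line names the columns."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other metadata lines (#separator, #close) and blanks
        else:
            rows.append(dict(zip(fields, [None if v == "-" else v for v in line.split("\t")])))
    return rows

def find_beacons(rows, min_conns=6, max_jitter=0.1):
    """Flag (src, dst, dst_port) triples whose connection gaps are suspiciously regular.
    Regularity is the coefficient of variation (stdev / mean) of the inter-arrival times."""
    times = defaultdict(list)
    for r in rows:
        times[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue  # too few connections to judge periodicity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_jitter:
            beacons[key] = {"count": len(ts), "interval_s": mean, "cv": cv}
    return beacons

def stack_count(rows, field):
    """Stack counting: tally a field's values, rarest first; rare values are hunting leads."""
    return sorted(Counter(r[field] for r in rows).items(), key=lambda kv: kv[1])
```

Real beacons add jitter, so tune max_jitter and min_conns against your own baseline before alerting on the result.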

Best Practices

Capture at Choke Points: Core switch, internet gateway (not every segment - too much data)
Retention Policy: Full PCAPs (7-30 days), metadata logs (90+ days), long-term SIEM storage
Privacy Compliance: Encrypt stored PCAPs, restrict access, anonymize sensitive data
Integrate with SIEM: Forward Zeek logs to Splunk/ELK for correlation and alerting
Baseline Normal: Understand typical traffic patterns to detect anomalies
Automate Enrichment: Integrate GeoIP, threat intel APIs for automated context
