
Data analysis tools

Wireshark
Wireshark is a network packet analyzer. A network packet analyzer captures network packets and displays the packet data in as much detail as possible. You can think of a network packet analyzer as a measuring device used to examine what is going on inside a network cable.

Some intended purposes

Here are some examples of what people use Wireshark for:

- Network administrators use it to troubleshoot network problems.
- Network security engineers use it to examine security problems.
- Developers use it to debug protocol implementations.
- People use it to learn network protocol internals.

Features
The following are some of the many features Wireshark provides:

- Available for UNIX and Windows.
- Capture live packet data from a network interface.
- Display packets with very detailed protocol information.
- Open and save captured packet data.
- Import and export packet data from and to many other capture programs.
- Filter packets on many criteria.
- Search for packets on many criteria.
- Colorize the packet display based on filters.
- Create various statistics.

What Wireshark is not

Here are some things Wireshark does not provide:

- Wireshark isn't an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.
- Wireshark will not manipulate things on the network; it will only "measure" things from it. Wireshark doesn't send packets on the network or do other active things (except for name resolution, but even that can be disabled).

Tshark
Tshark can be used to dump network traffic into capture files for later processing. To do this, we need to tell tshark which interface to listen on and which traffic to capture. This is an example.

The -f flag is used to specify a network capture filter (more on filters later). Packets that do not match the condition following the -f flag will not be captured. In this example, only IP packets coming from or going to UDP port 1812 are captured. The -i flag is used to specify the interface on which we expect to see the RADIUS packets. Change 'eth0' to whatever your interface name is. The -w flag is used to specify a file where the captured traffic will be saved for later processing.

Network capture rules or filters, specified by the -f option, allow you to tell tshark which packets should be captured. Tshark can also process existing network capture files and produce output that can be used for analyzing and troubleshooting network protocols. The dissection capability allows you, for example, to display specific fields of each packet in a capture file. This generates output like the following (sample):

192.168.2.100;51514;213.173.163.136;21
192.168.2.100;50914;213.173.163.136;50366
192.168.2.100;47575;213.173.163.136;35328
192.168.2.100;43957;213.173.163.136;56747
192.168.2.100;36637;213.173.163.136;33607

What tshark can do:

- Display HTTP response codes.
- Display the top 10 URLs.
- Display source IP and MAC address.
- Display source and target IP.
- Display source and target IPv6.
- Display source IP and DNS query.
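The field output shown above is easy to post-process once the separator and field order are known. The following Python script is an added example, not code from the original page or from the Wireshark/tshark project. It assumes the sample lines were produced by a command of the form tshark -r capture.pcap -T fields -E separator=';' -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport (field order and separator are assumptions of this example), and it reconstructs two of the things listed above from that output: a per-host conversation summary and a top-N port table. Lines with empty fields (non-TCP packets) are skipped instead of crashing the parser.

```python
import re
from collections import Counter

# Constructed sample, extending the page's five lines with a reply packet, a
# second destination and a line with empty fields (as tshark emits for a
# packet that has no TCP layer). Assumed field order: ip.src;tcp.srcport;ip.dst;tcp.dstport
SAMPLE_OUTPUT = """\
192.168.2.100;51514;213.173.163.136;21
192.168.2.100;50914;213.173.163.136;50366
192.168.2.100;47575;213.173.163.136;35328
192.168.2.100;43957;213.173.163.136;56747
192.168.2.100;36637;213.173.163.136;33607
213.173.163.136;21;192.168.2.100;51514
192.168.2.100;52001;10.0.0.5;443
192.168.2.100;52002;;
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_fields_line(line, sep=";"):
    """Parse one 'tshark -T fields' line into (src, sport, dst, dport).

    Returns None for malformed lines and for lines with empty fields, so a
    capture containing ICMP/UDP packets does not break the analysis."""
    parts = line.rstrip("\r\n").split(sep)
    if len(parts) != 4 or not all(parts):
        return None
    src, sport, dst, dport = parts
    if not (IPV4.match(src) and IPV4.match(dst) and sport.isdigit() and dport.isdigit()):
        return None
    return src, int(sport), dst, int(dport)


def parse_fields(text, sep=";"):
    """Parse a whole tshark field dump, dropping unusable lines."""
    return [rec for rec in (parse_fields_line(ln, sep) for ln in text.splitlines()) if rec]


def conversations(records):
    """Packet count per (source, destination) pair, a host-centric view of the traffic."""
    return Counter((src, dst) for src, _, dst, _ in records)


def top_destination_ports(records, n=10):
    """The n most frequently contacted destination ports, most common first."""
    return Counter(dport for _, _, _, dport in records).most_common(n)


def ftp_control_connections(records):
    """Records touching TCP port 21 (FTP control), a simple field-based filter."""
    return [r for r in records if 21 in (r[1], r[3])]


if __name__ == "__main__":
    recs = parse_fields(SAMPLE_OUTPUT)
    print(f"{len(recs)} usable records")
    for (src, dst), count in conversations(recs).most_common():
        print(f"{src:>16} -> {dst:<16} {count} packets")
    print("top destination ports:", top_destination_ports(recs, 3))
    print("FTP control traffic:", ftp_control_connections(recs))
```

To run it against a real capture, replace SAMPLE_OUTPUT with the text read from the tshark command in the lead-in; keeping the parser strict about the four-field shape is what makes it safe to point at an arbitrary capture file.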

Tcpdump
Tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Tcpdump is free software.

Common uses
Tcpdump analyzes network behavior, performance and applications that generate or receive network traffic. It can also be used for analyzing the network infrastructure itself by determining whether all necessary routing is occurring properly, allowing the user to further isolate the source of a problem. It is also possible to use tcpdump for the specific purpose of intercepting and displaying the communications of another user or computer. A user with the necessary privileges on a system acting as a router or gateway through which unencrypted traffic such as Telnet or HTTP passes can use tcpdump to view login IDs, passwords, the URLs and content of websites being viewed, or any other unencrypted information. The user may optionally apply a BPF-based filter to limit the number of packets seen by tcpdump; this renders the output more usable on networks with a high volume of traffic.

NetworkMiner
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. NetworkMiner collects data (such as forensic evidence) about hosts on the network rather than collecting data about the traffic on the network. The main user interface view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames). NetworkMiner has, since its first release in 2007, become a popular tool among incident response teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.

Features

- Network Forensics
- Network Sniffing
- PCAP Parser
- Digital Forensics
- Packet Sniffer

Data leakage and data seepage

Another use of NetworkMiner is in evaluating how much data about you and your computer is being disclosed to the network without your knowledge. By connecting your laptop to an unknown network or an unencrypted WiFi access point you make this data available to any malicious lurker who might be sniffing that particular network. Not only might the lurker be able to read your emails and see your passwords, he may also be able to identify your previous IP address and see which file servers you have network shares on. This type of information is called "Data Seepage" and can be used by an attacker to gain useful information in order to, for example, plan an attack. By launching NetworkMiner locally on your own machine, you will be able to see what information your computer is leaking to potentially malicious network lurkers who might be performing Man-in-the-Middle or WiFi sniffing. After using NetworkMiner, you will soon learn that connecting your computer to an unknown network (wired or wireless) cannot be considered "safe sex"; so be sure to use protection if you wish to connect your Ethernet cable to a non-trusted RJ45 socket.
