OK, I have mentioned a few times on this blog that the CLI is THE thing and the GUI is only for WIMP users ;). I seldom use Wireshark compared to TShark, and more often tcpdump... you know, the CLI thingy. But then I had read many times about this one tool. Some people said it would replace Wireshark later on, but the guys behind the tool said it should never replace Wireshark and should be used WITH Wireshark instead. So what the heck, I browsed to the developer's web site and decided to download it. OK, you need to register and activate this software as well, but I think adding applications to my Facebook interface is much more complicated ;P (yeah yeah, I have a Facebook account. No big deal ;)

Guys, this tool is impressive... even for a CLI-is-the-best zealot like me ;)

NetWitness Investigator is somewhat different from other protocol analyzers like Wireshark. The guys at Netwitness.com prefer to call this application an Interactive Threat Analysis Application, where Investigator is one of the applications in their NextGen product line. This application provides more information on the session and application layers of the network, but it also provides a statistical view of the trace files. In fact it provides alerts as well :D and yeah, you can create your own alert rules, and it is not that difficult (compared to writing Snort rules, anyway).

Hey, it seems that this is NSM in motion, eh? Or structured traffic analysis, to be exact. First you obtain the overview of the trace file: you can see a summary of the trace file including the protocols, the timelines, the hosts involved and many other things.

For the summary, you'll be presented with overviews of the Session Count Timeline, Session Size Timeline and Packet Count Timeline, all presented as graphs.

So I just used the last UITM i-Hacks defense challenge packet capture for analysis with this tool. Load the packet capture and the result? Very impressive...

You'll be presented with Alerts information indicating that there is malicious content in this trace file. Then Service type (OTHER, FTP, SMB, SNMP, RIP, HTTP; these are the ones from the i-hack trace file), followed by source and destination IPs, Hostname aliases, User account (yes, it can show you the user account as well), Action Event, File Extension, Filename, TCP and UDP source and destination ports, and even any clear-text password will be published as well. Kewl, eh ;)

For example, let's say I want to see more on the FTP service details. I just click on FTP and all information on any packets using this service is published: how many alerts were generated by this service and the other information I mentioned above. To see the session content I just click on the number of packets using this service; in the i-hack defence pcap it has 14 packets. You'll be presented with a thumbnail of the packet content, the timestamp, the services involved, the size of the packets and even the event details.

Click on the thumbnail and you can see the session content. You can filter the display to show just the ASCII characters or the hexadecimal. In fact you can view it pcap-style by invoking Wireshark through the "Open as pcap file" option. Cool, eh.

Well, I can't give more input anyway as I'm still new to this tool. Maybe I will post my analysis of the i-Hack Defense challenge pcap using this tool.

For now, I really recommend to anyone involved in networks, whether as an administrator or an analyst, that this tool is definitely a must in your kitbag :D

Download this tool from the website here. It is free, btw :)

P/S: That said, the CLI is still useful when you need to look for something like the password in password.pcap from the i-hack defense challenge. :D
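The two things the post does with Investigator, the per-service breakdown and pulling a clear-text FTP login out of the capture, can also be done from the CLI as the P/S suggests. The script below is an added example written for this page; it is not NetWitness code and not from the original post. It assumes a classic libpcap file with the Ethernet link-type and only IPv4 TCP/UDP traffic, the port-to-service map (SERVICES) is my own assumption covering the services the post lists, and the capture it runs on is constructed in the script itself (it is not the i-hack challenge file). The one thing worth noticing is that it reassembles the client side of the FTP control session before looking for USER/PASS, so a password that is split across two TCP segments is still recovered, which a plain per-packet grep would miss.

```python
"""Session/service breakdown and clear-text FTP credential extraction from a pcap.
Added example (not NetWitness or the post's code): classic libpcap, Ethernet link-type,
IPv4 TCP/UDP only. FTP client bytes are reassembled so USER/PASS survive segment splits."""
import struct
from collections import defaultdict

# Assumed port-to-service map covering the services the post lists.
SERVICES = {21: "FTP", 80: "HTTP", 139: "SMB", 445: "SMB", 161: "SNMP", 520: "RIP"}

def iter_pcap(data):
    """Yield (timestamp, frame) for each record of a classic pcap in either byte order."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("need a classic pcap with Ethernet link-type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        yield ts_sec + ts_usec / 1e6, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_frame(frame):
    """Decode Ethernet/IPv4 + TCP or UDP; return (src, dst, proto, sport, dport, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 20:       # TCP: data offset is the high nibble of byte 12
        payload = l4[(l4[12] >> 4) * 4:]
    elif proto == 17 and len(l4) >= 8:     # UDP: fixed 8-byte header
        payload = l4[8:]
    else:
        return None
    return (src, dst, proto) + struct.unpack("!HH", l4[:4]) + (payload,)

def sessions(data):
    """Group packets by (proto, sorted endpoints); capture order is preserved within a session."""
    out = defaultdict(list)
    for _, frame in iter_pcap(data):
        p = parse_frame(frame)
        if p:
            out[(p[2],) + tuple(sorted([(p[0], p[3]), (p[1], p[4])]))].append(p)
    return out

def service_of(key):
    """Name a session by the lowest endpoint port that is a known service, else OTHER."""
    return next((SERVICES[p] for p in sorted((key[1][1], key[2][1])) if p in SERVICES), "OTHER")

def service_summary(data):
    """Packet count per service: the first pivot the post describes before drilling into FTP."""
    counts = defaultdict(int)
    for key, pkts in sessions(data).items():
        counts[service_of(key)] += len(pkts)
    return dict(counts)

def ftp_credentials(data):
    """Reassemble client->server bytes of each FTP control session and pair USER with the next PASS."""
    found = []
    for key, pkts in sessions(data).items():
        to_server = [p for p in pkts if key[0] == 6 and p[4] == 21]
        if not to_server:
            continue
        client, server, user = to_server[0][0], to_server[0][1], None
        stream = b"".join(p[5] for p in to_server)       # commands may span TCP segments
        for line in stream.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() == b"USER":
                user = arg.decode("ascii", "replace")
            elif cmd.upper() == b"PASS" and user is not None:
                found.append({"client": client, "server": server, "user": user,
                              "password": arg.decode("ascii", "replace")})
                user = None
    return found

def _frame(src, dst, proto, sport, dport, payload):
    """Constructed test frame: minimal Ethernet/IPv4/TCP-or-UDP, zero checksums, no handshake."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    addrs = bytes(int(x) for x in src.split(".")) + bytes(int(x) for x in dst.split("."))
    return b"\x00" * 12 + b"\x08\x00" + struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0) + addrs + l4

def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap, one second apart."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1225000000 + i, 0, len(f), len(f)) + f
    return out

# Constructed sample capture (not the i-hack challenge file).
SAMPLE_PCAP = build_pcap([
    _frame("10.0.0.5", "10.0.0.21", 6, 40001, 21, b"USER alice\r\n"),
    _frame("10.0.0.5", "10.0.0.21", 6, 40001, 21, b"PASS s3c"),     # password split
    _frame("10.0.0.5", "10.0.0.21", 6, 40001, 21, b"ret!\r\n"),     # across two segments
    _frame("10.0.0.21", "10.0.0.5", 6, 21, 40001, b"230 Login ok\r\n"),
    _frame("10.0.0.7", "10.0.0.80", 6, 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
    _frame("10.0.0.7", "10.0.0.99", 17, 40003, 161, b"\x30\x00"),
])
```

Run it on a real file with `service_summary(open("password.pcap", "rb").read())` and `ftp_credentials(...)`; on the constructed capture the summary is `{'FTP': 4, 'HTTP': 1, 'SNMP': 1}` and the credential list holds one entry for alice. Only the Ethernet link-type and classic (non-pcapng) format are handled, so convert pcapng with editcap first if you have it.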

2 Responses to “Cool Stuff: NetWitness Investigator”

  1. on 26 Nov 2008 at 11:43 pm Tim Belcher

    Just wanted to thank you for this post. I am glad you find it useful. Very good write up.

    Tim Belcher
    CTO
    NetWitness

  2. on 04 Dec 2008 at 12:16 am Erik H

    Nice post, and nice of NetWitness to release their Investigator for free (even though it is really just a one-year trial version).

    It would be interesting to know what you think of NetworkMiner also. It is an open source network forensic tool with a GUI.

    Looking for keywords, such as “password” is simple with NetworkMiner. See: http://networkminer.wiki.sourceforge.net/Keyword+Search

    But you don’t really have to do that since NetworkMiner automatically extracts detected usernames and passwords under the “Credentials” tab.
