Network Monitoring
Traffic analysis, flow monitoring, packet capture, and anomaly detection.
Overview
Network monitoring detects threats through traffic analysis.
Monitoring Types
| Type | Tool | Purpose |
|---|---|---|
| Packet Capture | Wireshark | Deep inspection |
| Flow Analysis | NetFlow | Traffic patterns |
| IDS/IPS | Snort | Intrusion detection |
| Bandwidth | PRTG | Usage monitoring |
| DNS | Passive DNS | Domain analysis |
Packet Analysis
# Capture packets
tcpdump -i eth0 -w capture.pcap
# Read capture
tcpdump -r capture.pcap -nn
# Filter by IP
tcpdump -r capture.pcap host 10.0.0.1
# Filter by port
tcpdump -r capture.pcap port 80
Wireshark Filters
Architecture Diagram
# HTTP traffic
http.request.method == "POST"
# DNS queries
dns.qry.name == "malicious.com"
# Failed connections
tcp.flags.syn == 1 && tcp.flags.ack == 0
# Data exfiltration
frame.len > 10000 && ip.src == 10.0.0.1
Flow Analysis
# Enable NetFlow
interface GigabitEthernet0/0
ip flow ingress
ip flow egress
ip flow-export version 9
ip flow-export destination 10.0.0.100 9996
Anomaly Detection
# Simple anomaly detection
import numpy as np
def detect_anomaly(baseline, current, threshold=2.0):
mean = np.mean(baseline)
std = np.std(baseline)
z_score = (current - mean) / std
return abs(z_score) > threshold
Network Diagram
Architecture Diagram
Internet
ā
āāāāā“āāāā
ā FW ā
āāāāā¬āāāā
ā
āāāāā“āāāā
ā IDS ā
āāāāā¬āāāā
ā
āāāāā“āāāāāāāā
ā Switch ā
āāāāā¬āāāāāāāā
ā
āāāāā“āāāā
ā SIEM ā ā Logs
āāāāāāāāā
Practice
Capture and analyze network traffic using Wireshark.