print

Tip of the Month

Network Analysis Tip of the Month – May 2006

Needle in a Haystack? No problem!

By Jim Thor, WildPackets Professional Services

This story is long, but the tip is short! That is the bottom line of this forensic mining expedition.

Have you ever found yourself on the research side of a forensic investigation where your job was to look through the logs, trace files, and other historical data? If so, you know just how hard it can be. But now, there is a solution (at least for the trace files).

With the newest release of OmniPeek, 4.0, you can now find that proverbial ‘Needle in a Haystack’ when using our distributed analysis solution, the OmniEngine. You can quickly build search criteria which could include a specific IP or MAC address, or a timeframe, specific filters, or a protocol, or several of them. Then you can search through several or many saved trace files and find anything related to your investigation, even if it happened weeks ago or longer.

To start off, you would have OmniEngines connected at any critical links in your environment. One of the newest capture templates that comes included in 4.0 is a Forensic Capture template. You can use this template, or just start long term captures with the settings you prefer. The biggest concern here is to make sure you have enough disk storage to save what ever amount of traffic you have. Now that you are capturing, you can just sit back and wait for the day you need to find the needle.

So the day finally comes when you boss pulls you into his office and asks you to find that needle. He doesn’t know when, but he does know that a particular system was involved and he wants you to find any and all traffic related to that system over the past three weeks. So you set out on your quest, with you boss knowing that it will take you days or weeks to get him the information he requested.

Click on thumbnail for larger view

You sit down at your OmniPeek console, connect to your engine, go to the Files tab and select the files you need to include in your search (one or many), right click and select ‘New Files View’.

Click on thumbnail for larger view

You will then be prompted to build out your criteria based on the Media type, Interface, Time Range, one or many Filters and include some or many types of output statistics. Now just let the query run, and you will shortly have all the information your boss needed, with very little effort or time invested, just a little preparation (starting long term captures and having the disk space to store them) and a quick query.

This is just one of the new features of the OmniPeek Product Family. Stay tuned for future tips as we will cover several of them in future months. Or be proactive, and join us for one of our classes, and learn all the tips and tricks to protocol analysis using the OmniPeek Product Family.