Studying Normal Network Traffic, Part One

by Karen Kent Frederick
Sept. 19, 2017 Symantec Detection & Response

Many intrusion detection analysts concentrate on identifying the characteristics of suspicious packets - illegal TCP flag combinations or reserved IP addresses, for example. However, it is also important to be familiar with what normal traffic looks like. A great way to learn what traffic should look like is to generate some normal traffic, capture the packets and examine them. In this article, I will discuss a tool for logging packets, and I will review some packet captures in depth. In future articles in this series, I will be examining normal traffic in greater depth, as well as reviewing some examples of abnormal traffic. Note that in order to understand this material, you should already know the fundamentals of TCP/IP.