Network Forensics 2

Page 1: Packet Capture and TCP/IP Model

Packet Capture (PCAP/PCAPnG)

  • Packet Capture (PCAP): An API for capturing network traffic.

  • Contains captured packet data useful for analyzing network events and extracting specific data.

  • Helps determine network status and identify problems encountered on the network.

  • Essential for studying data communications.

  • PCAPnG: Newer version of PCAP, capable of storing captures from multiple interfaces in a single file.

  • Expanded metadata capabilities compared to traditional PCAP.

  • Generates smaller logs compared to full packet captures.

  • Can also record audio from entire conversations occurring during network events.

TCP/IP Model

  • Commonly known as the TCP/IP stack, consisting of several layers:

    • Packets: Smallest unit of data within the model, containing:

      • Data intended for transmission between systems

      • Control information for directing the packet’s path

  • Layer 1: Physical Layer

    • Represents the medium for data flow.

    • Data is represented in binary (0s and 1s), transmitted through cables, etc.

    • Concerns physical components like cables and wireless connections.

  • Layer 2: Data Link Layer (Ethernet)

    • Ensures data packets reach the correct destination on a local area network (LAN).

    • Uses MAC addresses to identify hosts within the same network, while IP addresses identify hosts uniquely.

  • Layer 3: Network Layer (IP, ICMP)

    • Internet Protocol (IP): Facilitates communication between hosts both within a network and on the Internet.

    • Internet Control Message Protocol (ICMP): Focuses on error reporting and direct communication between hosts.

  • Layer 4: Transport Layer (TCP, UDP)

    • TCP (Transmission Control Protocol): Provides reliable data transport, ensuring packet ordering and re-transmission of lost packets.

    • Essential for applications where data integrity is critical.

    • UDP (User Datagram Protocol): Offers a faster transport option with less overhead, suitable for low-latency applications, albeit without reliability guarantees.

Page 2: Data Link Layer and Network Protocols

Data Link Layer

  • Ethernet Protocols: Facilitate data transfer from one host to another on a LAN.

  • Uses MAC addresses for host identification, alongside IP addresses, within a local network.

Key Network Protocols

  • Layer 3 (IP): The main communication protocol for addressing hosts locally and on the internet.

  • Layer 4 (Transport Protocols):

    • TCP: Ensures reliable delivery of packets, handling ordering and retransmission of corrupted packets, optimal for important data transfers.

    • UDP: Faster option for traffic where some data loss is acceptable, such as live streams or short requests.

Page 3: Access Log Fields and Command-line Utilities

Access Log Fields

  • Example log entry: 104.245.97.236 - - [29/Sep/2015:21:15:18 -0400] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "-"

    • IP Address: Identifies the source of a request (104.245.97.236).

    • Timestamp: Shows when the request was made ([29/Sep/2015:21:15:18 -0400]).

    • Request Details: Contains method (GET), resource being requested (/xmlrpc.php), and HTTP protocol version (HTTP/1.1).

    • Status Code: Indicates the result of the request (404 - Not Found).

    • Response Size: Total bytes sent in the response (162 bytes).

    • Referrer URL: The page URL that linked to the requested resource ("-" in the example, meaning the client supplied none).

    • User Agent: Provides details on the client's browser ("-" in the example, meaning the client supplied none).
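Added example, not part of the original notes: a small Python parser for the combined access log format shown above, run over a constructed sample that includes the page's example entry plus made-up lines, and a per-source count of 404 responses (a defender's first triage step for spotting scanning of non-existent paths). The field names and the sample IP 192.0.2.10 are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" access log format, matching the page's example entry.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_access_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # "-" as size means no body was sent; "-" as referrer/agent means the client sent none.
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["referrer"] = None if rec["referrer"] == "-" else rec["referrer"]
    rec["agent"] = None if rec["agent"] == "-" else rec["agent"]
    return rec

def not_found_by_ip(lines):
    """Count 404 responses per source IP; repeated misses from one source hint at path scanning."""
    counts = Counter()
    for line in lines:
        rec = parse_access_line(line)
        if rec and rec["status"] == 404:
            counts[rec["ip"]] += 1
    return counts

# Constructed sample: the page's example entry plus made-up lines (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    '104.245.97.236 - - [29/Sep/2015:21:15:18 -0400] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "-"',
    '104.245.97.236 - - [29/Sep/2015:21:15:19 -0400] "GET /wp-login.php HTTP/1.1" 404 162 "-" "-"',
    '192.0.2.10 - - [29/Sep/2015:21:16:02 -0400] "GET /index.html HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    for ip, n in not_found_by_ip(SAMPLE_LOG).most_common():
        print(ip, n)
```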

Command-line Utilities

  • Practical exercises with command-line utilities will reinforce understanding as discussed in Chapter 2.