Network Monitoring and Analysis

Course Overview
Hey everyone. I'm Dan Lachance, and welcome to my course, Network Monitoring and Analysis. As an IT security professional, having knowledge of network monitoring techniques and tools, along with the ability to interpret scan results, will help you optimize network performance and also to detect suspicious network activity. Some of the major topics that we're going to talk about include network attack signatures and monitoring techniques, OS fingerprinting, network scanning techniques, and how to use Wireshark to analyze network traffic. By the end of this course, you'll be able to determine the optimal placement of network monitoring solutions, you'll know how to detect malicious network reconnaissance activities on the network, and you'll also know how to interpret network captures gathered from the Wireshark tool. I hope you'll join me to learn about network monitoring and analysis here at Pluralsight.

Monitoring Network Activity
Welcome to Network Monitoring and Analysis. I'm Dan Lachance. Our first focus is going to be on the monitoring of network activity. In this module, we'll cover a variety of network monitoring techniques. That even includes things such as the placement of sensors on the network to perform the monitoring. Then we'll jump into operating system, or OS, fingerprinting. This is a reconnaissance technique that might be executed by malicious users or bots, or even security testers. It allows us to identify the specific operating systems running on devices on the network, along with services running on those devices. We'll then take a look at attack signatures, which is a big deal when it comes to intrusion, detection, and prevention. IDS and IPS devices can use signature databases to look to for known patterns of suspicious activity or attacks that are in progress, so we'll talk about the various categories of attack signatures.

Identifying Suspicious Network Activity
Hello, and welcome. I'm Dan Lachance. Welcome to this module where we're going to focus on the identification of suspicious network activity. Now more specifically, we're going to start by talking about reconnaissance through network scanning. We've already briefly discussed this already, but now we're going to dive into a little bit more detail where we even take a look at some scan types, whether they be TCP or UDP based. Then we'll have a discussion about password cracking. And what's interesting about these things and how they come full circle and are interrelated is that through reconnaissance of a network, a malicious user would learn perhaps of router identities, client identities, server identities. And by scanning each of those devices in a targeted way in detail, the attacker might then be able to do something like ARP poisoning, which would allow them perhaps to see sensitive data they otherwise shouldn't see, such as passwords.

Monitoring Network Activity Using Wireshark
Wireshark is a popular open source network analysis tool, and we could spend days talking about it. But in this module, we're going to take a look at how to use Wireshark to capture and to analyze various types of network traffic. The great thing about Wireshark is while it can also be used to help you troubleshoot network performance issues by capturing traffic and carefully examining it, you might even be able to identify suspicious activity on the network. So the first thing we'll do is we'll do an overview of the Wireshark tool and how to navigate its interface. Then we'll focus on display and capture filters. These are used so that we can hone in and look at only what we're interested in. And of course, the syntax differs a little bit between display and capture filters, and we'll learn about that. As a result, we will analyze captured network traffic so that we can identify specific items that are occurring on the network simply by viewing a packet trace.