Category: Wireshark

Making Packet Forensics Easy

Original Entry by : Cary Wright

Extracting files and other information from recorded packet data

By Cary Wright, VP Product Management, Endace

Cary Wright, VP Product Management, EndaceRecorded network traffic often holds vital clues required to resolve serious Cyber Incidents, or difficult network or application issues. The challenge has been locating a packet guru with the skills to search and analyse recorded traffic to extract the vital evidence needed to resolve the issue at hand. Such skilful analysts can be a rare breed, so we have taken that expertise and packaged it into our latest EndaceProbe software.

Recorded network traffic is now faster to search from within existing security tools such as SIEM or SOAR, and extraction of files and other important information can be done by any team member with the click of a mouse.

Getting to the Packets Faster

Our integrations with partner solutions focus on making it quicker and easier for analysts to find and analyze the packet data they need to investigate and resolve incidents.

Analysts can go from an issue or alert in their security or performance monitoring tools directly to the related packet data in InvestigationManager™ with a click of the mouse. That can save hours of time extracting, downloading and carving-up massive .pcap files so they can be opened up in Wireshark®.

With EndaceVision, analysts can rapidly zoom the timeline in-and-out to look at pre-cursor or post event activity to understand the full scope of any event or alert. Analysis of packet data is done on EndaceProbe appliances at the place it was recorded using hosted Wireshark without having to download or transfer large .pcap files across your network.

Making packet data even more useful

In the past packet analysis has required deep expertise and experience with tools like Wireshark or Zeek used to extract essential information from the recorded packet data. This has made it difficult for less experienced analysts to extract value from packet data and often meant issues requiring packet forensics piled up on the desks of senior analysts to investigate.

With our latest software release (OSm 7.1), we’ve made it easy for even junior analysts to extract useful information from recorded packet data without requiring deep knowledge of packet structures and decode tools. Simply select traffic of interest in EndaceVision and with a single click extract malicious files, or generate detailed log data from all the selected packets. This makes investigating historical events fast, and far more efficient. And it does not require deep expertise – which means even junior analysts can perform packet forensics tasks.

Some examples of tasks that are made easier with the latest Endace software release include:

  • Reconstructing malware file downloads or transfers so you can submit them to a sandbox or virus tool.
  • Understanding exactly what data left your network by reconstructing file exfiltration events.
  • Easily generating logs from recorded traffic to look for things like unusual DNS activity, port scans, DDoS events, or other threatening activity.

See how easy this is in the short 10 minute demonstration below (file extraction is at 08:15):

For more information on these great new features, or to arrange a demonstration to show how Endace could help you, contact us.

Packet Detectives Episode 3: Is my video conferencing really secure?

Original Entry by : Michael Morris

Demystifying Network Investigations with Packet Data

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

The Covid-19 pandemic has seen us all become all too familiar with video conferencing tools as we’ve switched to work-from-home. Zoom, Webex, GoToMeeting, and Microsoft Teams are all part of our daily work routine now.

We assume that all these services are secure and the content of our web conferencing and collaboration is encrypted and safe from eavesdroppers. But is it really secure? And where is all that data stored anyway?

In this third installment of Packet Detectives, industry-renowned SharkFest presenter and all-round Wireshark guru, Betty DuBois, takes an in-depth look at a web-conferencing session to find the answers to these questions, and shows how you can do the same for the web conferencing tools you use.

We hope you find this video useful. Please let us know if you have ideas for other examples you’d like to see.

Endace Packet Forensics Files: Episode #6

Original Entry by : Michael Morris

Michael talks to Betty Dubois, Founder and CEO of Packet Detectives

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

Don’t miss the latest episode of our Endace Packet Forensic Files Vidcast/Podcast series with this week’s special guest Betty Dubois, CEO /Founder of Packet Detectives and renowned Sharkfest Speaker.

Betty talks about the challenges NetOps and SecOps teams are facing in today’s IT environment. She highlights best practices teams are adopting to adjust to today’s environments and shares her recommendations about how NetOps and SecOps teams can elevate their network investigation skills and processes.

Betty also gives some great tips on how to become a packet capture and Wireshark “power-user” and addresses some of the misconceptions about PCAP data.

Other episodes in the Secure Networks video/audio podcast series are available here.

Wireshark without the wait!

Original Entry by : Cary Wright

With Wireshark on EndaceProbe you can quickly search hundreds of Terabytes of packet data to analyze important packets in Wireshark

By Cary Wright, VP Product Management, Endace

Cary Wright, VP Product Management, Endace

Who can afford to wait when responding to a critical security incident? With Wireshark now hosted on EndaceProbe we have eliminated all the waiting around to see packet evidence. Reviewing captured network history will often reveal vital evidence needed to remediate a threat, evidence that may have been wiped from system logs.

Unfortunately, if you’re using Wireshark on your desktop to view that evidence you know it can be a very slow process. Just downloading a multi-GB capture file from your capture appliance can take a while, and then loading it up on your desktop can also be a lengthy process.  All this waiting and context switching is a productivity hit for you and your team– not to mention a data privacy risk if those PCAPs are sitting on your desktop or laptop.

I’m excited to say there will be no more waiting around to view packets with our newly released OSm 7.0 software! A full instance of native Wireshark is now hosted right on each EndaceProbe appliance so you can review captured network traffic quickly and securely. We have also included WireShark on each Endace InvestigationManager instance, allowing you to search over up to 100 EndaceProbes in parallel and present a single merged packet view inside Wireshark.

There is no need to download large PCAPs over the network, and no need to store them insecurely on your desktop PC or laptop to view in Wireshark. Viewing network packet captures is now lightning fast because EndaceProbe high-performance hardware serves the packets from the local RAID directly to a Wireshark instance hosted on the EndaceProbe.

If you’re a regular Wireshark user you will know that Wireshark doesn’t handle large PCAPs very well, just loading a 1GB file can take forever let alone a 100TB pcap. With Wireshark on EndaceProbe you can now quickly search hundreds of Terabytes of packet data to view or analyze important packets in Wireshark. The workflow is much faster and more secure. And Wireshark power users will be glad to know it’s a full Wireshark instance with all the useful features and decodes that you’ve come to know and love.

Here’s a sneak preview:

Wireshark on EndaceProbe with OSm7
With OSm 7.0, now you can go directly from EndaceVision to Wireshark hosted on EndaceProbes – without having to download large pcap trace files.

Packet Detectives Episode 1: The Case of the Retransmissions

Original Entry by : Michael Morris

Demystifying Network Investigations with Packet Data

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

As I talk to security analysts, network operations engineers and applications teams around the world a common theme regularly emerges: that troubleshooting security or performance issues with log or flow data alone just doesn’t cut it.

Most folks report spending way too many hours troubleshooting problems only to realize they just don’t have enough detail to know exactly what happened. Often this results in more finger pointing and unresolved issues. Too much time spent investigating issues also causes other alerts to start piling up, resulting in stress and undue risk to the organisation from a backlog of alerts that never get looked at.

On the other hand, those that use full packet capture data to troubleshoot problems report significantly faster resolution times and greater confidence because they can see exactly what happened on the wire.

Many folks I talk to also say they don’t have the expertise necessary to troubleshoot issues using packet data. But it’s actually much easier than you might expect. Packet decode tools – like Wireshark – are powerful and quite self-explanatory. And there’s tons of resources available on the web to help you out. You don’t need to be a mystical, networking guru to gain valuable insights from packet data!

Getting to the relevant packets is quick and easy too thanks to the EndaceProbe platform’s integration with solutions from our Fusion Partners like Cisco, IBM, Palo Alto Networks, Splunk and many others. Analysts can quickly pivot from alerts in any of those tools directly to related packet data with a single click, gaining valuable insights into their problems quickly and confidently.

To help further, we thought it would be useful to kick-off a video series of “real-world” investigation scenarios to show just how easily packet data can be used to investigate and resolve difficult issues (security or performance-related) in your network.

So here’s the first video in what we hope to make a regular series. Watch as industry-renowned SharkFest presenter and all-round Wireshark guru, Betty Dubois, walks us through investigating an application slow-down that is problems for users. The truth is in the packets …

We hope you find this video useful. Please let us know if you have ideas for other examples you’d like to see.

Inaugural Sharkfest Europe a great success

Original Entry by : Endace

endace-sharkfest-standEurope got its own Sharkfest in October and the inaugural Wireshark Developer and User Conference was a great success with strong attendance from the user and developer community across Europe. Congratulations to Sharkfest Europe for a great launch to what is sure to be a fantastic annual event.

There was a great program of speakers over the three days. Kicking things off with the pre-conference course was Wireshark University’s Laura Chappell. Her Troubleshooting with Wireshark tutorial was well attended and included invaluable tips for working with Wireshark using workflows which make optimal use of Wireshark to quickly highlight potential issues.

Continue reading “Inaugural Sharkfest Europe a great success”