Network Trace Analysis

(1)

Network Trace Analysis

Dmitry Vostokov

Software Diagnostics Services

Version 1.0

(2)

Wires

hark

Hark



Listen (to)

“Hark! There’s the big bombardment.”



Speak in one’s ear; whisper

Shorter Oxford English Dictionary

Hark back

(idiom)



To return to a previous point,

as in a narrative

http://www.thefreedictionary.com/hark

(3)

Prerequisites



Interest in software diagnostics,

troubleshooting, debugging and

network trace analysis



Experience in network trace analysis

using Wireshark or Network Monitor

(4)

Why?



A common diagnostics language



Network diagnostics as software

diagnostics

(5)

Software Diagnostics

A discipline studying abnormal

software structure and behavior in

software execution artifacts (such

as memory dumps, software and

network traces

and logs) using

pattern-driven

,

systemic

and

pattern-based

analysis

methodologies.

(6)

Diagnostics Pattern

A common recurrent identifiable

problem together with

a set of

recommendations

and

possible

solutions to apply in a specific

context.

(7)

Pattern Orientation

Pattern-driven



Finding patterns in software artefacts



Using checklists and pattern catalogs

Pattern-based



Pattern catalog evolution

(8)

Catalog Classification



By abstraction

Meta-patterns



By artifact type

Software Log

*

Memory Dump

Network Trace

*



By story type

Problem Description

Software Disruption

UI Problem



By intention

Malware

(9)

Traces and Logs

(10)

Trace and Log Patterns

(11)

Software Narrative

A temporal sequence of events

related to software execution.

(12)

Software Trace



_{A sequence of formatted messages}



Arranged by time

(13)

Network Trace



_{A sequence of formatted packets as trace}

messages



Arranged by time

(14)

Network Trace Analysis

Software Trace Analysis Patterns

(15)

Capture Tool Placing



Sniffer placing



Process Monitor placing

(16)

Trace Maps



Network map



Deployment architecture map

(17)

Name Resolution



MAC -> IP and IP -> DNS



PID -> process name

(18)

Trace Presentation

Full Trace (Story, Fable, Fabula)

Trace 1

(Plot,

Sujet)

Trace 2

(Plot,

Sujet)

Trace 3

(Plot,

Sujet)

Trace 4

(Plot,

Sujet)

Trace 5

(Plot,

Sujet)

Trace

Presentation

A

(Discourse)

Trace

Presentation

B

(Discourse)

Trace

Presentation

C

(Discourse)

(19)

Minimal Trace Graphs

Time

(20)

Pattern-Driven Analysis

(21)

Pattern-Based Analysis

Software Trace

New Pattern

Discovery

Pattern

Catalog

+

Usage

(22)

Pattern Classification



_Vocabulary



Error



_{Trace as a Whole}



Large Scale



_Activity



Message



Block



Trace Set

(23)

Reference and Course



_{Catalog from Software Diagnostics Library}

Software Trace Analysis Patterns



Free reference graphical slides

Accelerated-Windows-Software-Trace-Analysis-Public.pdf



Training course*

Accelerated Windows Software Trace Analysis

(24)

Selected Patterns

(25)

Master Trace

Normal network capture

Pattern Category

(26)

Message Current

Packets/s

Time

# Src Dst Time Message

Time

# Src Dst Time Message 10.100 10.200 10.100 12.100

J

₁

>

J

₂

Pattern Category

Trace as a Whole

(27)

Message Density

D

₁

>

D

₂

Time

Pattern Category

(28)

Characteristic Block

D

₁

<

D

₂

L

₁

>

L

₂

Time

Pattern Category

(29)

Example

(30)

Thread of Activity

Pattern Category

Activity

Time

(31)

Adjoint Thread

Filtered by:



Source



Destination



Protocol



Message



Expression

Pattern Category

Activity

Time

(32)

No Activity

Time

We messages from other servers but only see our own traffic

Pattern Category

(33)

Discontinuity

Pattern Category

Activity

Time

(34)

Dialog

Conversation between 2 endpoints

Time

(35)

Significant Event

Time Reference feature in Wireshark

Time

Pattern Category

(36)

Marked Messages

Marked Packets

feature in Wireshark

Annotated messages:

session initialization [+]

session tear-off [-]

port A activity [+]

port B activity [-]

protocol C used [-]

address D used [-]

[+]

activity is present in a trace

[-]

activity is undetected or not present

Pattern Category

(37)

Partition

Connection initiation (Prologue) and

termination (Epilogue)

Tail

Epilogue

Head

Time

Prologue

Core

Pattern Category

Trace as a Whole

(38)

Inter-Correlation



Several packet sniffers at once



Internal and external views

Process Monitor log + network trace

Pattern Category

(39)

Circular Trace

Pattern Category

Trace as a Whole

Time

# Src Dst Time Message Problem Repro

(40)

Split Trace

Pattern Category

Trace Set

Time

(41)

Paratext

Info column in Wireshark

(42)

Frames

OSI, TCP/IP Layers

Time

Pattern Category

(43)

Visibility Limit

Visibility window for sniffing

PC 1

PC 2

PC 3

sniffer

Pattern Category

Trace as a Whole

(44)

Incomplete History



Packet loss



Missing ACK

(45)

Possible New Patterns



Full Trace (promiscuous mode)



Embedded Message (PDU chain, protocol data

unit, packet)



Ordered Message (TCP/IP sequence numbers)



Illegal Message (sniffed with illegally obtained

privileges)



Dual Trace (in / out, duplex)

(46)

What’s Next?



Accelerated Network Trace Analysis



Generative Software Narratology

(48)

Q&A

Please send your feedback using the contact

form on DumpAnalysis.com

(49)

Thank you for attendance!