Network forensic tools

Tags:
Network administration
Network forensics
Network monitoring
Network Monitoring Tools
What tools do you use to perform network forensics? Do you have any favorites, and why?
ASKED: June 30, 2009  9:03 PM
UPDATED: July 23, 2009  8:02 PM

Answer Wiki


My advice is to basically log everything you can, and make sure you also use NTP on everything so the times are all synchronised. We set everything to GMT, and never change to summer time (daylight saving), so it is clear when events happen.

Use syslog for most devices, and archive the logs from those that generate them. Make sure you also have the start/stop records from any RADIUS server, also making sure that this is used to authenticate access to the network and any devices.

To analyse this data I usually just do it manually. I have not really found any good tools, other than the Cisco MARS, but that is a bit too expensive for the network I manage (and for the managers I work for!).

Most times when I have had to look at incidents, it is over a fairly restricted timeframe, and it is focussed on certain devices, so a manual trawl through the data is not as horrible as it could be. With everything timestamped and synchronised, it is made a lot easier.

Just my 2p (2c) worth :-)
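The manual trawl described in the answer above, as an added example that is not part of the original thread: merge BSD syslog lines and RADIUS accounting start/stop records into one UTC-ordered timeline, then restrict it to the incident window and the devices under investigation. The log lines, the key=value accounting format, the year and the assumption that every device clocks in GMT are all constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample data (not from the original thread). BSD syslog lines carry
# no year and no zone; RADIUS accounting is shown as key=value with an ISO time.
SYSLOG_LINES = [
    "Jun 30 20:58:12 core-sw1 %LINK-3-UPDOWN: Interface Gi1/0/24, changed state to up",
    "Jun 30 21:01:45 edge-fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10",
    "Jun 30 21:03:02 core-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Jun 30 22:30:00 dist-sw2 %LINK-3-UPDOWN: Interface Gi2/0/1, changed state to down",
]
RADIUS_RECORDS = [
    "Acct-Status-Type=Start User-Name=jsmith NAS-Identifier=core-sw1 Timestamp=2009-06-30T20:59:30Z",
    "Acct-Status-Type=Stop User-Name=jsmith NAS-Identifier=core-sw1 Timestamp=2009-06-30T21:05:10Z",
]
# Incident window and devices of interest (constructed), both in UTC.
INCIDENT_WINDOW = (datetime(2009, 6, 30, 20, 55, tzinfo=timezone.utc),
                   datetime(2009, 6, 30, 21, 10, tzinfo=timezone.utc))
DEVICES = {"core-sw1"}

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")

def parse_syslog(line, year, tz=timezone.utc):
    """Parse one BSD-style syslog line. The year and the sender's zone are not in
    the record, so the caller supplies them; the result is normalised to UTC."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, clock, host, msg = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=tz).astimezone(timezone.utc), "host": host,
            "source": "syslog", "msg": msg}

def parse_radius(record):
    """Parse a key=value RADIUS accounting record into the same event shape."""
    kv = dict(part.split("=", 1) for part in record.split())
    ts = datetime.strptime(kv["Timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": kv["NAS-Identifier"], "source": "radius",
            "msg": f"{kv['Acct-Status-Type']} user={kv['User-Name']}"}

def build_timeline(syslog_lines, radius_records, start, end, devices, year=2009):
    """Merge both sources into one UTC-ordered timeline limited to [start, end] and devices."""
    events = [e for e in (parse_syslog(l, year) for l in syslog_lines) if e]
    events += [parse_radius(r) for r in radius_records]
    picked = [e for e in events if start <= e["ts"] <= end and e["host"] in devices]
    return sorted(picked, key=lambda e: e["ts"])

if __name__ == "__main__":
    for e in build_timeline(SYSLOG_LINES, RADIUS_RECORDS, *INCIDENT_WINDOW, DEVICES):
        print(e["ts"].isoformat(), e["host"], e["source"], e["msg"])
```

A device that logs in local time rather than GMT is handled by passing its zone as `tz` to `parse_syslog`, which is exactly the correction the answer avoids by keeping everything on GMT.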

Discuss This Question: 2  Replies

  • Kevin Beaver
    I've always recommended people not overlook a good old-fashioned network analyzer such as OmniPeek and CommView for incident response. A hex editor such as WinHex and a data recovery tool such as Davory are good things to have in your toolbox as well.
  • JennyMack
    It depends on the environment and requirements. A simple tool like ntop can help track usage over a period of time, or Wireshark (tshark) can be used to capture ring buffer files, and details can be captured over a set period of time for analysis.
