Security analysis methodology
Security analysis at the packet level is based on detecting and analyzing suspect traffic, that is, the traffic that does not match normal patterns because of the presence of unusual protocol types or ports, or unusual requests, responses, or packet frequency. Suspicious traffic may include reconnaissance (discovery) sweeps, phone home behavior, denial of service attacks, botnet commands, or other types of behavior from direct attacks or virus- or botnet-based agents.
Wireshark captures strategic points in the network to investigate suspicious packets from specific hosts or on network segments and egress points can also complement any Intrusion Detection System (IDS) systems that may be in place to alert the IT staff about the suspicious traffic.
The importance of baselining
The ability to identify abnormal traffic patterns that bear investigation versus traffic caused by poorly behaving applications, misconfigurations, or faulty devices can be made much easier...
