Why you should ignore the darkside of network taps

Now I’m not promoting Wireshark as being any better or worse than the mass of other packet loggers that are available out there, although I’ll offer you these two salient points: first of all, her breakout session was demonstrating a non-Microsoft product at a Microsoft educational convention, and second, her session was packed to the rafters, which was quite fortunate because towards the end of her presentation she showed us the packet log for the Wi-Fi connection in the lecture hall, including various people’s POP3 account logins and plain-text passwords (much to the surprise of certain delegates who were happy to hide in the crowd).

I think the step change in the power of such tools parallels the step change in server and virtualisation technology that was made clear to us at Dell’s TechCamp.

Suddenly, we’ve passed a certain speed threshold with those common-or-garden laptops that anyone with a modicum of sense can now easily purchase to use with packet-logging software.

My Wireshark laptop that runs this little network tap is one I paid £40 for, and it’s perfectly able to keep up a sustained real-time log of my internet connection (a humble but consistent 4Mbits/sec), duplicating every byte that hits my firewall without even hitting 20% usage on its 1.8GHz Intel CPU.

My tap actually cost more than the laptop that runs it, and wireless taps are a bit more expensive still, but its value to me as a diagnostic tool far outweighs the unfortunate fact that its like can also facilitate the misdeeds of hackers and identity thieves.

Trapping trojans

The draw of Laura Chappell’s presentation, which ensured that the demo room was full up, wasn’t her many cute anecdotes about her kids, nor her war stories about corporations suffering from a dysfunctional paranoia about what was on their LANs – it was the knowledge that even the stealthiest of trojans will give itself away by the network traffic it produces.

Wireshark these days looks quite a lot like Excel: you can sort and summarise your network traffic by type of packet, which means that even quite low-volume, infrequent-but-odd packets stick out in its display simply by being at the end of the list.

There are probably 50 or so distinct Ethernet packet types circulating on the average LAN, and while it may be impossible to identify one IRC channel conversation in a half-megabyte text log-file, it’s easy to spot IRC packets (the favoured traffic type for trojans) in a sorted analysis even if they constitute only 0.1% of your total traffic volume.
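As an added illustration (not code from the article or from Wireshark), here is the same sort-and-summarise trick in Python: a constructed packet list stands in for a capture, the traffic is totalled per protocol and sorted by volume, and anything below a 1% share is flagged as worth a look.

```python
from collections import Counter

# Constructed sample of (protocol, length in bytes) records standing in for a
# capture; the counts are illustrative, not taken from a real trace.
SAMPLE_PACKETS = (
    [("HTTP", 1400)] * 600
    + [("DNS", 90)] * 120
    + [("SMB", 1200)] * 150
    + [("NTP", 76)] * 10
    + [("IRC", 120)] * 3
)


def protocol_summary(packets):
    """Summarise packets per protocol, as a sorted analyser view would.

    Returns rows of (protocol, packet_count, byte_count, byte_share), sorted
    by byte volume descending, so the rarest traffic lands at the bottom.
    """
    counts = Counter()
    volume = Counter()
    for proto, length in packets:
        counts[proto] += 1
        volume[proto] += length
    total = sum(volume.values()) or 1  # avoid division by zero on an empty list
    rows = [(p, counts[p], volume[p], volume[p] / total) for p in volume]
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


def rare_protocols(packets, max_share=0.01):
    """Protocols whose byte share is below max_share (1% by default)."""
    return [p for p, _, _, share in protocol_summary(packets) if share < max_share]


if __name__ == "__main__":
    for proto, pkts, nbytes, share in protocol_summary(SAMPLE_PACKETS):
        print(f"{proto:6} {pkts:5d} pkts {nbytes:8d} bytes {share:7.3%}")
    print("worth a closer look:", rare_protocols(SAMPLE_PACKETS))
```

On the sample, the three IRC packets are under 0.04% of the bytes yet sit on their own at the foot of the list, which is exactly why they are hard to miss.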

That, to my mind, excuses all the bad applications of network taps. To deny yourself their power, just because the bad guys have them too, would be mad.
