
Good places to have pcaps reviewed?

--chris-- Member Posts: 1,518
I have learned a ton on how to use Wireshark in the past month, but some things are still over my head. The hardest part is not having a baseline of when the network was good, then troubleshooting with Wireshark and trying to pinpoint the issue when I don't have the experience required to know what's normal and what is not normal.

This problem has led to my question. Does anyone know of a resource/website where pcaps can be peer reviewed by more seasoned people? My first thought is "no": pcaps usually contain sensitive info and therefore are not the type of thing you would want in the public eye. But I thought I would ask; maybe I am wrong, or there is a better way to proceed with this problem.

Core issue: I have a server/system that has sporadic "outages". I have been capturing 24/7 on the server, on a workstation in each VLAN, and on the firewall. Today there was a "system wide" outage for about 10 minutes. In the pcaps that covered this time period I am seeing 30% DNS traffic, 3.5% ARP traffic, and 13% of the traffic is retransmissions (most of them are spurious retrans).

During a "normal" or possible baseline for this network, DNS = 5% of traffic, ARP = 2% and retrans = 5%. Are the "bad numbers" above bad enough to cause perceived network outages for end users/workstations?

From what I can gather, this is a problem. But I wanted to confirm that these numbers are a symptom of a problem and not just a typical/normal network behavior.
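The numbers in the post come from Wireshark's Protocol Hierarchy and Expert Information panes. What follows is an added example, not code from the original post or from any tool it mentions: a standard-library Python script that builds a small constructed capture in memory (made-up MACs and 10.0.0.x addresses, no real hosts), parses it as classic pcap, and tallies the same categories the poster is looking at: ARP, DNS on UDP/53, TCP retransmissions, and spurious retransmissions. It uses Wireshark's definitions: a segment whose bytes were already seen on the wire is a retransmission, and it is spurious if the capture point had already seen the peer ACK those bytes before the resend. The baseline percentages are the poster's own "normal" figures; the "flag anything over twice baseline" trigger, the helper names, and the sample frames are assumptions made for this illustration. The parser handles classic pcap only, not pcapng (Wireshark saves pcapng by default; use Save As with the pcap format, or `tshark -F pcap`).

```python
"""Protocol-mix and TCP retransmission report over a pcap, standard library only.
Added example, not code from the forum post: a constructed capture is built in memory,
then tallied the way Wireshark's Protocol Hierarchy and Expert Information would (ARP,
DNS on UDP/53, TCP retransmissions, spurious retransmissions = data the peer had ACKed)."""
import struct
from collections import Counter

ETH_ARP, ETH_IP, PROTO_TCP, PROTO_UDP = 0x0806, 0x0800, 6, 17
BASELINE = {"dns": 5.0, "arp": 2.0, "retrans": 5.0}  # the post's "normal" percentages

# ---- constructed frames: made-up MACs and private addresses, no real hosts ----
MAC1, MAC2 = bytes.fromhex("001122334401"), bytes.fromhex("001122334402")
IP1, IP2 = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
MACS = {IP1: MAC1, IP2: MAC2}

def eth(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload
def ipv4(src, dst, proto, payload):  # checksums left zero; the parser never checks them
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return eth(MACS[dst], MACS[src], ETH_IP, hdr + payload)
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def tcp(sport, dport, seq, ack, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
def arp_request(sender_mac, sender_ip, target_ip):
    body = struct.pack("!HHBBH", 1, ETH_IP, 6, 4, 1) + sender_mac + sender_ip + b"\0" * 6 + target_ip
    return eth(b"\xff" * 6, sender_mac, ETH_ARP, body)

def pcap_bytes(frames):
    """Classic little-endian pcap (not pcapng), linktype 1 = Ethernet."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def build_sample_pcap():
    dns, seg = b"\x12\x34\x01\x00\x00\x01" + b"\0" * 6, b"x" * 100  # minimal DNS header; 100 B TCP payload
    frames = [
        arp_request(MAC1, IP1, IP2),
        ipv4(IP1, IP2, PROTO_UDP, udp(51000, 53, dns)),
        ipv4(IP2, IP1, PROTO_UDP, udp(53, 51000, dns)),
        ipv4(IP1, IP2, PROTO_UDP, udp(51001, 53, dns)),
        ipv4(IP1, IP2, PROTO_UDP, udp(51002, 123, dns)),              # UDP but not DNS
        ipv4(IP1, IP2, PROTO_TCP, tcp(40000, 80, 1, 1, 0x18, seg)),    # new data, bytes 1..100
        ipv4(IP2, IP1, PROTO_TCP, tcp(80, 40000, 1, 101, 0x10)),       # peer ACKs everything up to 101
        ipv4(IP1, IP2, PROTO_TCP, tcp(40000, 80, 1, 1, 0x18, seg)),    # resend of already-ACKed data: spurious
        ipv4(IP1, IP2, PROTO_TCP, tcp(40000, 80, 101, 1, 0x18, seg)),  # new data, bytes 101..200
        ipv4(IP1, IP2, PROTO_TCP, tcp(40000, 80, 101, 1, 0x18, seg)),  # resend before any ACK: plain retransmission
    ]
    return pcap_bytes(frames)

# ---- analysis ----
def iter_frames(pcap):
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + caplen]
        off += caplen

def classify(frames):
    counts = Counter()
    high_seq, last_ack = {}, {}  # per flow: highest byte put on the wire; highest byte the peer has ACKed
    for f in frames:
        counts["total"] += 1
        etype = struct.unpack("!H", f[12:14])[0]
        if etype != ETH_IP:
            counts["arp" if etype == ETH_ARP else "other"] += 1
            continue
        ip = f[14:]
        ihl, proto, tlen = (ip[0] & 0x0F) * 4, ip[9], struct.unpack("!H", ip[2:4])[0]
        src, dst, l4 = ip[12:16], ip[16:20], ip[ihl:tlen]
        if proto != PROTO_TCP:
            is_dns = proto == PROTO_UDP and 53 in struct.unpack("!HH", l4[:4])
            counts["dns" if is_dns else "other"] += 1
            continue
        counts["tcp"] += 1
        sport, dport, seq, ack, doff, flags = struct.unpack("!HHIIBB", l4[:14])
        plen = len(l4) - (doff >> 4) * 4
        flow, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & 0x10:  # ACK flag: this packet acknowledges the reverse flow's data
            last_ack[rev] = max(last_ack.get(rev, 0), ack)
        if plen <= 0:     # pure ACKs carry no data; SYN/FIN sequence space is ignored in this toy
            continue
        end = seq + plen
        if end <= high_seq.get(flow, 0):  # every byte here was already sent once
            counts["tcp_spurious" if end <= last_ack.get(flow, 0) else "tcp_retrans"] += 1
        else:
            high_seq[flow] = end
    return counts

def analyze(pcap):
    counts = classify(iter_frames(pcap))
    total = counts["total"]
    shares = {"dns": 100.0 * counts["dns"] / total, "arp": 100.0 * counts["arp"] / total,
              "retrans": 100.0 * (counts["tcp_retrans"] + counts["tcp_spurious"]) / total}
    return counts, shares, {k: shares[k] > 2 * BASELINE[k] for k in shares}  # assumed trigger: >2x baseline

if __name__ == "__main__":
    counts, shares, flags = analyze(build_sample_pcap())  # real file: analyze(open("x.pcap", "rb").read())
    print(dict(counts), shares, flags)
```

The split between `tcp_retrans` and `tcp_spurious` is the part worth reading closely: a plain retransmission means the sender's data really did not get through (or its ACK did not), while a spurious one means the capture point saw the ACK before the resend, so the ACK was delayed or lost on its way back, or the sender's retransmission timer is too aggressive. Run the same script against the baseline capture and the outage capture and compare the two `counts` dictionaries; the percentage shares only tell you something changed, the category breakdown tells you where to look next.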

Comments

  • JoJoCal19 Mod Posts: 2,835
    I recommend taking SANS SEC503 with Mike Poor. I just got back from his class last week and it was great. Learned a TON on how to spot suspicious/malicious traffic by analyzing pcaps.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • --chris-- Member Posts: 1,518
    JoJoCal19 wrote: »
    I recommend taking SANS SEC503 with Mike Poor. I just got back from his class last week and it was great. Learned a TON on how to spot suspicious/malicious traffic by analyzing pcaps.

    I am supremely jealous!! But it's not in the budget for me lol.

    Doing some more digging, I think I can rule out or confirm link saturation if these SG series switches allow viewing of that data...