What is OIDA?

OIDA represents a four-step process designed to guide analysts through the packet analysis journey:

1. Observe: Capture the right data at the right time and place.
2. Identify: Pinpoint the relevant information within the captured data.
3. Dissect: Break down the identified data for detailed examination.
4. Analyze: Draw meaningful conclusions from the dissected information.

While each step plays a crucial role, this article focuses on the foundational first step: Observe. This step sets the stage for all subsequent analyses and can significantly impact the quality of the results.

The power of observation in packet analysis

Observation in packet analysis is more than just capturing or receiving data. It's a strategic process that requires careful planning and execution. The key aspects of this critical first step are explored below.

Defining the objective

Before beginning packet capture, it's essential to clearly define the goal. Whether troubleshooting a specific application, investigating a security incident, or understanding overall network performance, the objective guides the entire observation strategy, from capture location to duration.

Choosing the optimal capture point

Network traffic flows through many points, and selecting the right capture point is crucial. For analyzing traffic between two servers, capturing at a point where all relevant traffic is visible without being overwhelmed by unrelated data is ideal. Understanding network topology is key to making this decision. If receiving existing traffic, it should also be ensured that all relevant traffic can be seen. Therefore, an additional question should be to ask for a network diagram.

Timing the capture

Some network issues are intermittent or time-sensitive. Observing at the right time can be the difference between capturing the problem and missing it entirely. This might involve scheduling captures during peak hours or setting up triggers to start capturing when certain conditions are met. Additionally, some issues might require long-term monitoring in order to gain enough information to detect them. The same goes for performance analysis, where it is often beneficial to have a long-term capture in place for a more varied historical data capture.

Selecting the right tools

While Wireshark is a powerful and popular tool for packet analysis, it's not always the best choice for every situation. Devices like Profitap's IOTA offer both traffic capture, on-board analysis, and real-time insights, which can be invaluable in certain scenarios. The IOTA, with its ability to provide immediate visibility into network traffic, exemplifies how the right tool can enhance the observation phase of OIDA.

Ensuring legal and ethical compliance

Before starting packet capture, it's crucial to ensure necessary permissions are in place and all relevant laws and company policies are being followed. In many jurisdictions, capturing certain types of data without consent can be illegal. Ethical considerations should always be prioritized in the observation process.

Capturing sufficient data

While avoiding excessive data capture is important, ensuring sufficient data collection for thorough analysis is crucial. This often involves balancing capture duration, buffer size, and data management techniques. Capturing for extended periods or increasing buffer size can provide more comprehensive data, but may lead to unwieldy file sizes and potential data loss if the system can't keep up.

Implementing rotating capture buffers offers a solution to this challenge. This technique involves creating multiple capture files of a fixed size or duration, automatically starting a new file when the previous one reaches its limit. Rotating buffers allow for:

1. Continuous capture over long periods without creating unmanageably large files.
2. Preservation of recent data even if older data must be discarded.
3. Easier post-capture analysis by working with smaller, more manageable file sizes.
4. Reduced risk of data loss due to system resource constraints.

The key is to find the right balance between comprehensive data collection and efficient data management, tailoring the approach to the specific requirements of the analysis task at hand

Documenting the process

Documenting the process during observation and capture is crucial. Noting the time, location, duration of the capture, and any relevant network conditions provides invaluable information for the subsequent steps of OIDA, particularly during the analysis phase.

Conclusion

Mastering the art of observation sets the stage for successful packet analysis. The quality of analysis is only as good as the data captured. Careful planning and execution of the observation strategy can make the subsequent steps of OIDA—Identify, Dissect, and Analyze—more straightforward and effective.

Obviously, the process is iterative. Sometimes, the first try will not yield captures that show the problem clearly, and the capture needs to be redone. However, this process strives to help target all pain points to ensure a good first step in capturing the relevant information.

This article is part of a series. The following articles delve into the "Identify", "Dissect", and "Analyze" phases of OIDA, exploring how tools like Wireshark dialogs and IOTA dashboards can help pinpoint needed data amidst the sea of captured packets:

• Identify: https://insights.profitap.com/oida-a-structured-approach-to-packet-analysis-the-art-of-identification
• Dissect: https://insights.profitap.com/oida-mastering-packet-analysis-the-art-of-dissection
• Analyze: https://insights.profitap.com/oida-mastering-packet-analysis-the-art-of-analysis

OIDA observation checklist

1.  Have you clearly defined the problem or scenario you're investigating?
2.  Have you identified the best location in the network to capture the relevant traffic?
3.  Have you selected an appropriate packet capture tool for your needs (e.g., Wireshark, tcpdump, Profitap IOTA)?
4.  Have you determined the optimal time window to capture the relevant traffic?
5.  Do you have the necessary permissions to capture traffic on this network?
6.  Have you configured your capture filters to focus on relevant traffic (if appropriate)?
7.  Is your capture buffer size set appropriately for the amount of data you expect to collect?
8.  Have you ensured you have enough storage space for the expected capture file size?
9.  Is your capture device's clock synchronized correctly for accurate timestamps?
10.  Are you prepared to document the details of your capture (time, location, duration, network conditions)?