Professionals often find themselves overwhelmed by the intricacies of packet analysis. The OIDA methodology—Observe, Identify, Dissect, Analyze—can be used to better address this challenge. This approach aims to streamline the packet analysis process, making it more accessible to newcomers, while enhancing the efficiency of experienced analysts.
This article is part of a series. Each article covers one of the four phases of OIDA: Observe, Identify, Dissect, Analyze.
OIDA is a four-step process, Observe, Identify, Dissect, and Analyze, designed to guide analysts through the packet analysis journey.
While each step plays a crucial role, this article focuses on the foundational first step: Observe. This step sets the stage for all subsequent analyses and can significantly impact the quality of the results.
Observation in packet analysis is more than just capturing or receiving data. It's a strategic process that requires careful planning and execution. The key aspects of this critical first step are explored below.
Before beginning packet capture, it's essential to clearly define the goal. Whether troubleshooting a specific application, investigating a security incident, or understanding overall network performance, the objective guides the entire observation strategy, from capture location to duration.
Network traffic flows through many points, and selecting the right capture point is crucial. For analyzing traffic between two servers, capturing at a point where all relevant traffic is visible without being overwhelmed by unrelated data is ideal. Understanding network topology is key to making this decision. When working with captures supplied by someone else, confirm that they contain all relevant traffic; asking for a network diagram is a useful additional step.
Some network issues are intermittent or time-sensitive. Observing at the right time can be the difference between capturing the problem and missing it entirely. This might involve scheduling captures during peak hours or setting up triggers to start capturing when certain conditions are met. Additionally, some issues might require long-term monitoring in order to gain enough information to detect them. The same goes for performance analysis, where it is often beneficial to have a long-term capture in place to build up a varied set of historical data.
While Wireshark is a powerful and popular tool for packet analysis, it's not always the best choice for every situation. Devices like Profitap's IOTA combine traffic capture, on-board analysis, and real-time insights, which can be invaluable in certain scenarios. The IOTA, with its ability to provide immediate visibility into network traffic, exemplifies how the right tool can enhance the observation phase of OIDA.
Before starting packet capture, it's crucial to ensure necessary permissions are in place and all relevant laws and company policies are being followed. In many jurisdictions, capturing certain types of data without consent can be illegal. Ethical considerations should always be prioritized in the observation process.
While avoiding excessive data capture is important, ensuring sufficient data collection for thorough analysis is crucial. This often involves balancing capture duration, buffer size, and data management techniques. Capturing for extended periods or increasing buffer size can provide more comprehensive data, but may lead to unwieldy file sizes and potential data loss if the system can't keep up.
Implementing rotating capture buffers offers a solution to this challenge. This technique involves creating multiple capture files of a fixed size or duration, automatically starting a new file when the previous one reaches its limit. Rotating buffers allow for:
The key is to find the right balance between comprehensive data collection and efficient data management, tailoring the approach to the specific requirements of the analysis task at hand.
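To make the rotating-buffer mechanism concrete, here is an added example (not code from the article or from Profitap) of a minimal ring-buffer pcap writer in Python. It mimics what dumpcap's `-b filesize:` and `-b files:` options (or tcpdump's `-C` and `-W`) do: each file is closed once the next packet would exceed the size limit, and only the newest N files are retained. The packets, size limit and file count are constructed values for the demo.

```python
import glob
import os
import struct
import tempfile

# Classic pcap global header: magic, version 2.4, zone 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


class RotatingPcapWriter:
    """Write packets into fixed-size pcap files, keeping only the newest max_files on disk."""

    def __init__(self, directory, prefix, max_bytes, max_files):
        self.directory, self.prefix = directory, prefix
        self.max_bytes, self.max_files = max_bytes, max_files
        self.seq, self.fh, self.written = 0, None, 0
        self._open_new()

    def _paths(self):
        return sorted(glob.glob(os.path.join(self.directory, f"{self.prefix}_*.pcap")))

    def _open_new(self):
        if self.fh:
            self.fh.close()
        self.seq += 1
        self.fh = open(os.path.join(self.directory, f"{self.prefix}_{self.seq:05d}.pcap"), "wb")
        self.fh.write(PCAP_GLOBAL_HDR)
        self.written = len(PCAP_GLOBAL_HDR)
        for old in self._paths()[:-self.max_files]:  # retention, like dumpcap -b files:N
            os.remove(old)

    def write(self, ts, frame):
        # Per-packet record: ts_sec, ts_usec, incl_len, orig_len, then the frame bytes
        rec = struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000), len(frame), len(frame)) + frame
        # Rotate when this record would overflow the file; a packet is never split across files,
        # and an oversized packet still lands in a fresh file instead of causing endless rotation
        if self.written + len(rec) > self.max_bytes and self.written > len(PCAP_GLOBAL_HDR):
            self._open_new()
        self.fh.write(rec)
        self.written += len(rec)

    def close(self):
        self.fh.close()
        return self._paths()


def demo(n_packets=50, max_bytes=1024, max_files=3):
    """Push constructed 114-byte dummy frames (14 zero bytes + filler) through the ring buffer."""
    writer = RotatingPcapWriter(tempfile.mkdtemp(), "cap", max_bytes, max_files)
    for i in range(n_packets):
        writer.write(1_700_000_000 + i * 0.001, bytes(14) + bytes([i % 256]) * 100)
    return [(os.path.basename(p), os.path.getsize(p)) for p in writer.close()]
```

With the demo values, each 130-byte record fits seven times into a 1024-byte file, so 50 packets produce eight files and only the last three survive; the resulting files open in Wireshark like any other pcap.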
Documenting the process during observation and capture is crucial. Noting the time, location, duration of the capture, and any relevant network conditions provides invaluable information for the subsequent steps of OIDA, particularly during the analysis phase.
Mastering the art of observation sets the stage for successful packet analysis. The quality of analysis is only as good as the data captured. Careful planning and execution of the observation strategy can make the subsequent steps of OIDA—Identify, Dissect, and Analyze—more straightforward and effective.
Obviously, the process is iterative. Sometimes, the first try will not yield captures that show the problem clearly, and the capture needs to be redone. The aim of this process is to address the common pain points up front, so that the first capture has the best chance of containing the relevant information.
This article is part of a series. The following articles delve into the "Identify", "Dissect", and "Analyze" phases of OIDA, exploring how tools like Wireshark dialogs and IOTA dashboards can help pinpoint needed data amidst the sea of captured packets: