Profitap Blog

OIDA: Mastering Packet Analysis - The Art of Dissection

In the OIDA methodology (Observe, Identify, Dissect, Analyze), the Dissect phase is crucial for refining the vast amount of data collected during the Observe and Identify phases. This stage focuses on sifting through captured data, stripping it down to the most relevant parts, and preparing it for in-depth analysis. The goal is to identify relevant data streams and payloads, understand the protocols involved in potential issues, and verify that the data identified as relevant in the Identify phase is applicable for further analysis.

This article is part of a series. Each article covers one of the four phases of OIDA: Observe, Identify, Dissect, Analyze.

Understanding the dissection process

Dissection in packet analysis involves breaking down complex network captures into manageable, meaningful segments. It requires a deep dive into the structure of network communications, a broad understanding of network protocols, and attention to minute details.

Key dissection techniques

Protocol analysis: navigating the layers

Protocol analysis forms the backbone of the dissection process. It involves examining each layer of the network stack, from the physical layer up to the application layer.

OSI model layers - quick reference

The OSI (Open Systems Interconnection) model describes seven layers that computer systems use to communicate over a network:

  1. Physical Layer: Deals with the physical connection between devices. It defines the physical and electrical specifications of the network media.
  2. Data Link Layer: Provides node-to-node data transfer and handles error correction from the physical layer. Ethernet operates at this layer.
  3. Network Layer: Manages addressing, routing, and traffic control. IP (Internet Protocol) operates at this layer.
  4. Transport Layer: Ensures complete data transfer. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) operate here.
  5. Session Layer: Establishes, manages, and terminates connections between applications.
  6. Presentation Layer: Transforms data into a form that the application layer can accept. It handles encryption, compression, and data formatting.
  7. Application Layer: Provides network services directly to end-users or applications. HTTP, FTP, and SMTP operate at this layer.

Understanding these layers helps packet analysts dissect the structure of network communications and identify where specific issues might occur.


In Wireshark, the Protocol Hierarchy Statistics (accessible via Statistics > Protocol Hierarchy) provide an excellent starting point for this analysis. This feature offers a breakdown of protocols present in the capture, allowing analysts to quickly understand the distribution of traffic types and focus on the most prevalent or unusual aspects of network communication.


IOTA's Application dashboard serves a similar purpose, providing an overview of all applications identified within the capture. This dashboard allows analysts to select specific applications of interest, streamlining the dissection process by focusing on relevant traffic from the outset.


Following streams: reconstructing conversations

While individual packets provide snapshots of network activity, following streams allows analysts to see the bigger picture. Wireshark's stream-following feature is not limited to TCP: it also works with protocols such as HTTP and SIP. This capability is invaluable for reconstructing entire conversations and understanding the context of the communication.

To use this feature in Wireshark:

  1. Right-click on a packet.
  2. Select "Follow" and choose the appropriate protocol stream.

IOTA's TCP Flows feature offers similar functionality, displaying detailed information about individual TCP flows. This tool is particularly useful for direct inspection of timing and bandwidth issues within specific conversations.


Decrypting traffic: unveiling secured communications

Decryption is often crucial for thorough analysis, but seeing the decrypted content is not always possible or necessary to gain valuable insights. When decryption is feasible, Wireshark can be configured with appropriate keys or certificates to reveal the contents of encrypted communications.

However, even when full decryption isn't possible (due to incomplete captures for TLS 1.2 or the use of TLS 1.3), encrypted streams can still provide valuable information. Analysts can focus on metadata such as:

  • Throughput
  • Delays
  • Timing patterns
  • Packet sizes
  • Handshake details


IOTA's TLS dashboard offers built-in functionality for analyzing TLS-based traffic, providing detailed timing and communication analysis for encrypted data streams up to the key negotiation phase. This makes it a very useful tool for finding issues with mismatched keys or TLS configurations.
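What the metadata-only view of an encrypted stream yields in practice, as an added example written for this article (not Profitap, IOTA or Wireshark code): the TLS record layer and the two cleartext Hello messages are parsed without any key material, giving per-direction byte counts, the ClientHello-to-ServerHello delay, the offered cipher suites, the SNI and the offered versions, while application_data records are left opaque. The handshake bytes, hostnames and timestamps are constructed here (hypothetical values, not from a real capture), and the parser reads only the ServerHello's legacy version field; for TLS 1.3 the negotiated version is carried in the ServerHello's supported_versions extension, which this minimal parser does not inspect.

```python
import struct
from collections import Counter

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# --- Constructed handshake bytes (hypothetical values, not from a real capture) ---
def build_client_hello(sni, cipher_suites, versions):
    """Minimal ClientHello in one TLS record: legacy_version 1.2, SNI and supported_versions extensions."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"              # legacy_version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"        # cipher suites, null compression only
    host = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host    # server_name list, name type host_name
    sv_ext = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext + struct.pack("!HH", 0x002B, len(sv_ext)) + sv_ext
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs             # record type 22, record version 1.0

def build_server_hello(version, cipher_suite):
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body                  # handshake type 2 = server_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

APP_DATA = b"\x17\x03\x03\x00\x10" + bytes(16)                           # opaque application_data record
SAMPLE_STREAM = [                                                        # (timestamp, direction, bytes on the wire)
    (2.000, "c2s", build_client_hello("example.test", [0x1301, 0xC02F], [0x0304, 0x0303])),
    (2.025, "s2c", build_server_hello(0x0303, 0x1301)),
    (2.030, "s2c", APP_DATA),
    (2.040, "c2s", APP_DATA),
]

# --- Dissection of the record layer and the cleartext hellos ---
def tls_records(data):
    """Yield (content_type, record_version, fragment) for each TLS record in a byte string."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack_from("!BHH", data, off)
        yield ctype, ver, data[off + 5:off + 5 + length]
        off += 5 + length

def parse_client_hello(hs):
    """Metadata from a client_hello handshake message: offered suites, SNI, supported_versions."""
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                                         # past legacy_version and random
    off += 1 + body[off]                                                 # skip session id
    n = struct.unpack_from("!H", body, off)[0]; off += 2
    info = {"legacy_version": VERSIONS.get(struct.unpack_from("!H", body, 0)[0]),
            "cipher_suites": list(struct.unpack("!%dH" % (n // 2), body[off:off + n])),
            "sni": None, "supported_versions": []}
    off += n
    off += 1 + body[off]                                                 # skip compression methods
    if off + 2 > len(body):
        return info                                                      # no extensions block
    end = off + 2 + struct.unpack_from("!H", body, off)[0]; off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, off); off += 4
        ext = body[off:off + elen]; off += elen
        if etype == 0x0000:                                              # server_name
            name_len = struct.unpack_from("!H", ext, 3)[0]
            info["sni"] = ext[5:5 + name_len].decode("ascii", "replace")
        elif etype == 0x002B:                                            # supported_versions
            vs = struct.unpack("!%dH" % (ext[0] // 2), ext[1:1 + ext[0]])
            info["supported_versions"] = [VERSIONS.get(v, hex(v)) for v in vs]
    return info

def handshake_summary(stream):
    """Bytes per direction, ClientHello metadata, the ServerHello's legacy version field and the
    ClientHello -> ServerHello delay in ms: what is visible without any key material."""
    byts, t_ch, t_sh, ch, sh_ver = Counter(), None, None, None, None
    for ts, direction, data in stream:
        byts[direction] += len(data)
        for ctype, _ver, frag in tls_records(data):
            if ctype != 22 or not frag:                                  # 22 = handshake; 23 = application_data stays opaque
                continue
            if frag[0] == 1 and t_ch is None:
                t_ch, ch = ts, parse_client_hello(frag)
            elif frag[0] == 2 and t_sh is None:
                t_sh, sh_ver = ts, VERSIONS.get(struct.unpack_from("!H", frag, 4)[0])
    return {"bytes": dict(byts), "client_hello": ch, "server_legacy_version": sh_ver,
            "hello_delay_ms": None if None in (t_ch, t_sh) else (t_sh - t_ch) * 1000}

if __name__ == "__main__":
    for key, value in handshake_summary(SAMPLE_STREAM).items():
        print(key, value)
```

On a real capture the input to `handshake_summary` is the reassembled TCP payload of each direction with its packet timestamps; a mismatched configuration typically shows up here as a ClientHello that is never answered by a ServerHello, or answered by an alert record (content type 21), long before any decryption would be needed.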


Examining payload data: diving into the details

The payload—the actual data being transmitted—often holds the most valuable information for analysts. In Wireshark, the Packet Bytes pane allows for direct examination of raw packet data. This can be crucial for identifying patterns, known signatures, or anomalies that might indicate malicious activity or application issues.

IOTA provides similar capabilities through its various dashboards, allowing analysts to drill down into specific packets and examine payload data in detail.


Preparing for analysis

A key aspect of the Dissect phase is preparing the data for the final Analysis phase. Both Wireshark and IOTA excel in this regard:

  • In Wireshark, analysts can use display filters to isolate specific traffic of interest and save these filtered captures for further analysis.
  • IOTA goes a step further by allowing exactly the information shown on each dashboard to be downloaded as a PCAP file. This feature seamlessly bridges the Dissect and Analyze phases, ensuring that analysts can focus on the most relevant data in their final analysis.
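The three Wireshark operations this article leans on, Protocol Hierarchy Statistics, Follow TCP Stream, and exporting the packets that match a display filter, can be reproduced against a pcap file in plain Python. The following is an added example written for this article, not Profitap, IOTA or Wireshark code: it builds a small constructed capture in memory (hypothetical hosts 10.0.0.5, 10.0.0.80 and 10.0.0.53, one HTTP exchange whose two request segments arrive out of order, and one DNS-shaped datagram), then dissects Ethernet/IPv4/TCP/UDP headers with the standard library only. The function names (`read_pcap`, `dissect`, `protocol_hierarchy`, `follow_tcp_stream`, `export_filtered`) are this example's own, and HTTP and DNS are recognised by well-known port only, a heuristic that a real dissector refines.

```python
import struct
from collections import Counter, defaultdict

# --- Constructed sample capture (hypothetical hosts and ports, not from a real network) ---
def ether_ip(proto, src, dst, l4):
    """Ethernet II + minimal IPv4 header; checksum left 0 because this dissector does not verify it."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes.fromhex("001122334455 66778899aabb 0800") + ip + l4

def tcp_seg(src, dst, sport, dport, seq, ack, flags, payload=b""):
    return ether_ip(6, src, dst, struct.pack("!HHIIHHHH", sport, dport, seq, ack, 5 << 12 | flags, 65535, 0, 0) + payload)

def udp_dgram(src, dst, sport, dport, payload):
    return ether_ip(17, src, dst, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)

def write_pcap(packets, linktype=1):
    """packets: (timestamp, frame) pairs -> classic little-endian pcap (link type 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for ts, frame in packets:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return bytes(out)

C, S = "10.0.0.5", "10.0.0.80"
REQ1, REQ2 = b"GET / HTTP/1.1\r\n", b"Host: example.test\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
SAMPLE_PCAP = write_pcap([
    (1.000, tcp_seg(C, S, 40000, 80, 1000, 0, 0x02)),                              # SYN
    (1.010, tcp_seg(S, C, 80, 40000, 5000, 1001, 0x12)),                           # SYN/ACK
    (1.020, tcp_seg(C, S, 40000, 80, 1001, 5001, 0x10)),                           # ACK
    (1.030, tcp_seg(C, S, 40000, 80, 1001 + len(REQ1), 5001, 0x18, REQ2)),         # 2nd request segment arrives first
    (1.031, tcp_seg(C, S, 40000, 80, 1001, 5001, 0x18, REQ1)),                     # 1st request segment (reordered)
    (1.050, tcp_seg(S, C, 80, 40000, 5001, 1001 + len(REQ1 + REQ2), 0x18, RESP)),  # response
    (1.060, udp_dgram(C, "10.0.0.53", 51000, 53, b"\x12\x34\x01\x00" + bytes(8))), # DNS-shaped query
])

def read_pcap(data):
    """Return (timestamp, frame) pairs from a classic pcap of either byte order (pcapng is not handled)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack_from("<I", data, 0)[0]]
    off, packets = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        packets.append((sec + usec / 1e6, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return packets

def dissect(frame):
    """Walk eth -> ip -> tcp/udp -> (http|dns); returns (protocol path, flow info, transport payload)."""
    path, info, payload = ["eth"], {}, b""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return path, info, payload                                 # non-IPv4: stop at the link layer
    ihl, total, proto = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0], frame[23]
    info = {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34]))}
    path.append("ip")
    l4 = frame[14 + ihl:14 + total]
    if proto == 6:
        sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", l4, 0)
        payload = l4[(off_flags >> 12) * 4:]
        info.update(sport=sport, dport=dport, seq=seq, flags=off_flags & 0x1FF)
        path.append("tcp")
        if payload and 80 in (sport, dport):                       # port heuristic only
            path.append("http")
    elif proto == 17:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        payload = l4[8:]
        info.update(sport=sport, dport=dport)
        path.append("udp")
        if 53 in (sport, dport):
            path.append("dns")
    return path, info, payload

def protocol_hierarchy(packets):
    """(packets, bytes) per protocol-path prefix, the shape of Statistics > Protocol Hierarchy."""
    pkts, byts = Counter(), Counter()
    for _ts, frame in packets:
        path = dissect(frame)[0]
        for depth in range(1, len(path) + 1):
            node = "/".join(path[:depth])
            pkts[node] += 1
            byts[node] += len(frame)
    return {node: (pkts[node], byts[node]) for node in sorted(pkts)}

def follow_tcp_stream(packets, endpoint):
    """Reassemble both directions of the conversation that includes endpoint=(ip, port), ordered by
    sequence number as Follow > TCP Stream does; exact duplicates are dropped, overlaps not handled."""
    segs = defaultdict(dict)
    for _ts, frame in packets:
        path, i, payload = dissect(frame)
        if "tcp" in path and payload:
            a, b = (i["src"], i["sport"]), (i["dst"], i["dport"])
            if endpoint in (a, b):
                segs[(a, b)].setdefault(i["seq"], payload)
    return {"%s:%d -> %s:%d" % (*a, *b): b"".join(chunks[s] for s in sorted(chunks))
            for (a, b), chunks in segs.items()}

def export_filtered(pcap_bytes, predicate):
    """New pcap holding only packets whose (path, info) match, like exporting the displayed packets after a filter."""
    return write_pcap([(ts, f) for ts, f in read_pcap(pcap_bytes) if predicate(*dissect(f)[:2])])

if __name__ == "__main__":
    pk = read_pcap(SAMPLE_PCAP)
    for node, (n, nbytes) in protocol_hierarchy(pk).items():
        print("%-18s %2d packets %4d bytes" % (node, n, nbytes))
    for direction, data in follow_tcp_stream(pk, (C, 40000)).items():
        print(direction, data)
    print(len(read_pcap(export_filtered(SAMPLE_PCAP, lambda path, info: "http" in path))), "HTTP packets exported")
```

To run it on a real file, pass `open(path, "rb").read()` to `read_pcap`; it reads the classic pcap format only, so a pcapng capture should first be converted with `editcap -F pcap`. The out-of-order request segments in the sample are the reason stream following sorts by sequence number rather than by capture time: capture order shows what the wire saw, while the reassembled stream shows what the application read.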


Conclusion: the art of dissection

The Dissect phase of OIDA is where the initial flood of data is refined into a focused stream of relevant information. It requires a blend of technical knowledge, intuition, and a methodical approach. By mastering the dissection techniques discussed and leveraging the powerful features of tools like Wireshark and IOTA, analysts can efficiently sift through vast amounts of network data, isolating the critical information needed for effective problem-solving and network optimization.

Remember, effective dissection is iterative and exploratory. It involves moving between different levels of abstraction, from broad protocol statistics to the minutiae of individual packets. The goal is to strip away the noise and focus on the signal—those packets and streams that truly matter for understanding and resolving network issues.


OIDA network traffic dissection checklist

To ensure a thorough approach to the Dissect phase, consider the following questions:

  1. Have you used Wireshark's Protocol Hierarchy Statistics or IOTA's Application dashboard to get an overview of the traffic composition?
  2. Did you identify and follow relevant protocol streams to understand the context of the communication?
  3. For encrypted traffic, have you attempted decryption where possible? If not, have you examined metadata for insights?
  4. Have you thoroughly examined payload data for patterns or anomalies relevant to your investigation?
  5. Did you verify that the data identified as relevant in the Identify phase is indeed applicable for detailed analysis?
  6. Have you prepared focused datasets (through filtering or IOTA's download feature) for the Analysis phase?

By addressing these questions and applying the dissection techniques discussed, analysts can ensure a comprehensive examination of network packets, setting the stage for insightful analysis in the final OIDA phase.
