In the OIDA methodology (Observe, Identify, Dissect, Analyze), the Dissect phase is crucial for refining the vast amount of data collected during the Observe and Identify phases. This stage focuses on sifting through captured data, stripping it down to the most relevant parts, and preparing it for in-depth analysis. The goal is to identify relevant data streams and payloads, understand the protocols involved in potential issues, and verify that the data identified as relevant in the Identify phase is applicable for further analysis.
This article is part of a series. Each article covers one of the four phases of OIDA: Observe, Identify, Dissect, Analyze.
Dissection in packet analysis means breaking complex network captures down into manageable, meaningful segments. It is a deep dive into the structure of network communications that demands a broad understanding of network protocols and attention to minute detail.
Protocol analysis forms the backbone of the dissection process. It involves examining each layer of the network stack, from the physical layer up to the application layer.
The OSI (Open Systems Interconnection) model describes seven layers that computer systems use to communicate over a network: physical, data link, network, transport, session, presentation, and application.
Understanding these layers helps packet analysts dissect the structure of network communications and identify where specific issues might occur.
In Wireshark, the Protocol Hierarchy Statistics (accessible via Statistics > Protocol Hierarchy) provide an excellent starting point for this analysis. This feature offers a breakdown of protocols present in the capture, allowing analysts to quickly understand the distribution of traffic types and focus on the most prevalent or unusual aspects of network communication.
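The following is an added example (not code from the article, Wireshark or IOTA) of how a protocol hierarchy is computed: a minimal classic-libpcap reader walks each Ethernet frame down the stack and counts every frame toward each level it passes through, which is the same accounting Wireshark's Protocol Hierarchy view performs. The capture bytes are constructed inline, and the port-to-application mapping is an assumption of the example; Wireshark's dissectors look at content rather than only ports.

```python
import struct
from collections import Counter

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_TCP, PROTO_UDP = 6, 17
# Port-based application guess for the bottom of the hierarchy (an assumption of this
# example; real dissectors inspect the payload rather than trusting the port).
APP_PORTS = {80: "http", 443: "tls", 53: "dns", 22: "ssh"}

def iter_pcap(data: bytes):
    """Yield (timestamp, frame bytes) from a classic libpcap file (pcapng not handled)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":        # magic 0xa1b2c3d4 written little-endian
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24                                    # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def protocol_path(frame: bytes) -> list:
    """Return the protocol stack of one Ethernet frame, e.g. ['eth', 'ipv4', 'tcp', 'http']."""
    path = ["eth"]
    if len(frame) < 14:
        return path
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:
        return path + ["arp"]
    if ethertype != ETHERTYPE_IPV4:
        return path + ["ethertype_0x%04x" % ethertype]
    path.append("ipv4")
    ihl = (frame[14] & 0x0F) * 4                # IPv4 header length in bytes
    proto = frame[14 + 9]
    l4 = frame[14 + ihl:]
    if proto == PROTO_TCP and len(l4) >= 20:
        path.append("tcp")
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4
        if len(l4) > data_off:                  # classify only segments that carry payload
            app = APP_PORTS.get(dport) or APP_PORTS.get(sport)
            if app:
                path.append(app)
    elif proto == PROTO_UDP and len(l4) >= 8:
        path.append("udp")
        sport, dport = struct.unpack("!HH", l4[:4])
        app = APP_PORTS.get(dport) or APP_PORTS.get(sport)
        if app:
            path.append(app)
    return path

def protocol_hierarchy(data: bytes) -> dict:
    """Count frames per protocol path, like Wireshark's Statistics > Protocol Hierarchy."""
    counts, total = Counter(), 0
    for _, frame in iter_pcap(data):
        total += 1
        p = protocol_path(frame)
        for depth in range(1, len(p) + 1):
            counts["/".join(p[:depth])] += 1    # a frame counts toward every level it passes
    return {"frames": total, "counts": dict(counts)}

# --- constructed sample capture (built here, not real traffic) ---------------------
def _eth(ethertype, payload):
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ethertype) + payload

def _ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_sample_pcap() -> bytes:
    frames = [
        _eth(ETHERTYPE_IPV4, _ipv4(PROTO_TCP, _tcp(50000, 80, b"GET / HTTP/1.1\r\n\r\n"))),
        _eth(ETHERTYPE_IPV4, _ipv4(PROTO_UDP, _udp(50001, 53, b"\x12\x34\x01\x00\x00\x01"))),
        _eth(ETHERTYPE_IPV4, _ipv4(PROTO_TCP, _tcp(50002, 443, b"\x16\x03\x01\x00\x05"))),
        _eth(ETHERTYPE_IPV4, _ipv4(PROTO_TCP, _tcp(50003, 443, b""))),  # handshake, no payload
        _eth(ETHERTYPE_ARP, b"\x00" * 28),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    result = protocol_hierarchy(build_sample_pcap())
    for path, n in sorted(result["counts"].items()):
        print("%-22s %d frames (%.0f%%)" % (path, n, 100.0 * n / result["frames"]))
```

Run against a real capture by replacing `build_sample_pcap()` with the file's bytes; a path that appears only a handful of times in a large capture (an unexpected application on a well-known port, or a protocol that should not be on that segment at all) is exactly the kind of entry worth pulling into its own filter for the next step.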
IOTA's Application dashboard serves a similar purpose, providing an overview of all applications identified within the capture. This dashboard allows analysts to select specific applications of interest, streamlining the dissection process by focusing on relevant traffic from the outset.
While individual packets provide snapshots of network activity, following streams allows analysts to see the bigger picture. Wireshark's stream-following feature is not limited to TCP: it also works with protocols like HTTP and SIP. This capability is invaluable for reconstructing entire conversations and understanding the context in which the communication took place.
To use this feature in Wireshark:
IOTA's TCP Flows feature offers similar functionality, displaying detailed information about individual TCP flows. This tool is particularly useful for direct inspection of timing and bandwidth issues within specific conversations.
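To show what stream following actually does with the segments in a capture, here is an added example (not code from the article or either tool): it groups constructed TCP segments into conversations in first-seen order, as Wireshark's `tcp.stream` numbering does, then rebuilds each direction by sequence number. The sample segments are constructed and deliberately include an out-of-order arrival, a retransmission, and a hole where the capture missed a packet, since those are the cases that make a naive concatenation of payloads misleading. The gap-reporting convention is this example's own.

```python
from collections import defaultdict

# Constructed segments in capture order (not real traffic):
# (time_s, src_ip, src_port, dst_ip, dst_port, seq, payload)
SEGMENTS = [
    (0.000, "10.0.0.5", 50000, "203.0.113.10", 80, 1000, b"GET /index.html HTTP/1.1\r\n"),
    (0.001, "10.0.0.5", 50000, "203.0.113.10", 80, 1026, b"Host: example.test\r\n\r\n"),
    (0.020, "203.0.113.10", 80, "10.0.0.5", 50000, 5000, b"HTTP/1.1 200 OK\r\n"),
    (0.030, "203.0.113.10", 80, "10.0.0.5", 50000, 5034, b"\r\n\r\nhello"),        # arrives early
    (0.031, "203.0.113.10", 80, "10.0.0.5", 50000, 5017, b"Content-Length: 5"),    # out of order
    (0.040, "10.0.0.5", 50000, "203.0.113.10", 80, 1026, b"Host: example.test\r\n\r\n"),  # retransmit
    (0.050, "10.0.0.9", 40000, "203.0.113.10", 80, 7000, b"GET /other HTTP/1.1\r\n"),  # 2nd stream
    (0.051, "10.0.0.9", 40000, "203.0.113.10", 80, 7025, b"\r\n"),   # 4 bytes never captured
]

def stream_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation land in one stream."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def group_streams(segments):
    """Assign stream numbers in first-seen order, as Wireshark's tcp.stream does."""
    streams, order = defaultdict(list), []
    for seg in sorted(segments, key=lambda s: s[0]):
        key = stream_key(seg[1], seg[2], seg[3], seg[4])
        if key not in streams:
            order.append(key)
        streams[key].append(seg)
    return [streams[k] for k in order]

def reassemble(segments):
    """Rebuild one direction of a stream by sequence number.

    Retransmitted bytes are dropped, partial overlaps trimmed, and a hole in the
    sequence space (packets the capture never saw) is reported as (offset, length)
    instead of silently concatenating around it. Sequence wraparound is not handled.
    """
    data, gaps, expected = b"", [], None
    for seg in sorted(segments, key=lambda s: s[5]):
        seq, payload = seg[5], seg[6]
        if expected is None:
            expected = seq
        if seq + len(payload) <= expected:
            continue                                    # pure retransmission
        if seq < expected:
            payload, seq = payload[expected - seq:], expected   # partial overlap
        if seq > expected:
            gaps.append((expected, seq - expected))     # missing bytes before this segment
        data += payload
        expected = seq + len(payload)
    return data, gaps

def follow_stream(segments):
    """Present one stream the way Follow TCP Stream does: the side that spoke first is the client."""
    first = min(segments, key=lambda s: s[0])
    client, server = (first[1], first[2]), (first[3], first[4])
    c2s = [s for s in segments if (s[1], s[2]) == client]
    s2c = [s for s in segments if (s[1], s[2]) != client]
    up, up_gaps = reassemble(c2s)
    down, down_gaps = reassemble(s2c)
    return {
        "client": client, "server": server,
        "client_to_server": up, "server_to_client": down,
        "gaps": up_gaps + down_gaps,
        # segments sharing (sender, seq) beyond the first are retransmissions
        "retransmissions": len(segments) - len({(s[1], s[2], s[5]) for s in segments}),
        "duration_s": round(max(s[0] for s in segments) - first[0], 6),
    }

def follow_all(segments):
    return [follow_stream(s) for s in group_streams(segments)]

if __name__ == "__main__":
    for n, st in enumerate(follow_all(SEGMENTS)):
        print("tcp.stream eq %d  %s:%d -> %s:%d  (%.3fs, %d retransmission(s), gaps %s)" % (
            n, *st["client"], *st["server"], st["duration_s"], st["retransmissions"], st["gaps"]))
        print("  C->S:", st["client_to_server"])
        print("  S->C:", st["server_to_client"])
```

The retransmission count and the gap list are the parts worth keeping alongside the reconstructed text: a stream that reassembles cleanly but shows many retransmissions points at a path or host problem, while a gap means the capture itself is incomplete and any conclusion drawn from the payload needs that caveat.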
Decryption is often crucial for thorough analysis, but seeing the decrypted content is not always possible or necessary to gain valuable insights. When decryption is feasible, Wireshark can be configured with appropriate keys or certificates to reveal the contents of encrypted communications.
However, even when full decryption isn't possible (due to incomplete captures for TLS 1.2 or the use of TLS 1.3), encrypted streams can still provide valuable information. Analysts can focus on metadata such as:
IOTA's TLS dashboard offers built-in functionality for analyzing TLS-based traffic, providing detailed timing and communication analysis for encrypted data streams up to the key negotiation phase. This is a very useful tool for finding issues with mismatched keys or TLS configurations.
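The metadata available before key negotiation is easiest to see by parsing it directly. The following added example (not the article's or either tool's code) reads a TLS ClientHello record, which is sent in the clear in every version including TLS 1.3, and pulls out the fields an analyst can use without any keys: record and client versions, the offered cipher suites, the SNI, and whether TLS 1.3 is offered via the supported_versions extension. It also measures the ClientHello-to-ServerHello delay from timestamps. The ClientHello bytes are a constructed test vector built by `build_client_hello`; the cipher-suite values are real IANA assignments, but the "weak suite" policy is an assumption of the example.

```python
# A few real IANA cipher-suite values (subset; enough for the example).
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
WEAK_SUITES = {0x000A}                      # assumption: this example's review policy
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B

def parse_client_hello(record: bytes) -> dict:
    """Extract plaintext metadata from a TLS ClientHello record (no keys needed)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_version = int.from_bytes(record[1:3], "big")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 0
    client_version = int.from_bytes(body[p:p + 2], "big"); p += 2
    p += 32                                         # client random
    p += 1 + body[p]                                # session id
    cs_len = int.from_bytes(body[p:p + 2], "big"); p += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + body[p]                                # compression methods
    info = {"record_version": rec_version, "client_version": client_version,
            "cipher_suites": suites, "sni": None, "supported_versions": [], "extensions": []}
    if p + 2 <= len(body):
        end = p + 2 + int.from_bytes(body[p:p + 2], "big"); p += 2
        while p + 4 <= end:
            etype = int.from_bytes(body[p:p + 2], "big")
            elen = int.from_bytes(body[p + 2:p + 4], "big")
            edata = body[p + 4:p + 4 + elen]; p += 4 + elen
            info["extensions"].append(etype)
            if etype == EXT_SERVER_NAME:
                q = 2                               # skip server_name_list length
                while q + 3 <= len(edata):
                    ntype, nlen = edata[q], int.from_bytes(edata[q + 1:q + 3], "big"); q += 3
                    if ntype == 0:                  # host_name
                        info["sni"] = edata[q:q + nlen].decode("ascii", "replace")
                    q += nlen
            elif etype == EXT_SUPPORTED_VERSIONS:
                info["supported_versions"] = [int.from_bytes(edata[i:i + 2], "big")
                                              for i in range(1, 1 + edata[0], 2)]
    info["offers_tls13"] = 0x0304 in info["supported_versions"]
    info["weak_suites"] = [CIPHER_NAMES.get(s, hex(s)) for s in suites if s in WEAK_SUITES]
    return info

def handshake_timing(events) -> float:
    """Seconds from ClientHello to ServerHello; events is [(timestamp, message_name), ...]."""
    t = {name: ts for ts, name in events}
    return round(t["ServerHello"] - t["ClientHello"], 6)

# --- constructed ClientHello (test vector built here, not captured traffic) ---------
def build_client_hello(sni, suites, versions=(0x0304, 0x0303)) -> bytes:
    name = sni.encode("ascii")
    sni_ext = (len(name) + 3).to_bytes(2, "big") + b"\x00" + len(name).to_bytes(2, "big") + name
    ver_ext = bytes([2 * len(versions)]) + b"".join(v.to_bytes(2, "big") for v in versions)
    exts = b"".join(t.to_bytes(2, "big") + len(e).to_bytes(2, "big") + e
                    for t, e in ((EXT_SERVER_NAME, sni_ext), (EXT_SUPPORTED_VERSIONS, ver_ext)))
    body = (b"\x03\x03" + bytes(32) + b"\x00"                      # version, random, empty session id
            + (2 * len(suites)).to_bytes(2, "big") + b"".join(s.to_bytes(2, "big") for s in suites)
            + b"\x01\x00" + len(exts).to_bytes(2, "big") + exts)    # null compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs        # record layer says 1.0 for compat

if __name__ == "__main__":
    info = parse_client_hello(build_client_hello("example.test", [0x1301, 0xC02F, 0x000A]))
    print("SNI:", info["sni"], " TLS 1.3 offered:", info["offers_tls13"])
    print("suites:", [CIPHER_NAMES.get(s, hex(s)) for s in info["cipher_suites"]])
    print("weak:", info["weak_suites"])
    print("ClientHello->ServerHello: %.3fs" % handshake_timing([(0.000, "ClientHello"), (0.045, "ServerHello")]))
```

A mismatch between the versions and suites the client offers and what the server selects (or a handshake that ends in an alert right after the ClientHello) is visible from these fields alone, which is why configuration problems can be diagnosed from the handshake even when the application data stays opaque.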
The payload—the actual data being transmitted—often holds the most valuable information for analysts. In Wireshark, the Packet Bytes pane allows for direct examination of raw packet data. This can be crucial for identifying patterns, known signatures, or anomalies that might indicate malicious activity or application issues.
IOTA provides similar capabilities through its various dashboards, allowing analysts to drill down into specific packets and examine payload data in detail.
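As an added example of payload-level inspection (not code from the article, Wireshark or IOTA), the block below renders bytes in the offset / hex / ASCII layout of the Packet Bytes pane, matches the start of a payload against a few well-known byte signatures, locates every occurrence of a byte pattern the way a hex-value packet search does, and computes Shannon entropy, which separates text-like payloads from encrypted or compressed ones. The payloads and the signature set are constructed for the example.

```python
import math
import re

# Well-known magic values, anchored at the start of the payload (constructed, minimal set).
SIGNATURES = {
    "HTTP request": re.compile(rb"\A(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "TLS record": re.compile(rb"\A\x16\x03[\x00-\x04]"),
    "PE executable (MZ)": re.compile(rb"\AMZ"),
    "ELF binary": re.compile(rb"\A\x7fELF"),
    "ZIP container": re.compile(rb"\APK\x03\x04"),
}

def hexdump(data: bytes, width: int = 16) -> list:
    """Render bytes in the offset / hex / ASCII layout of Wireshark's Packet Bytes pane."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append("%04x  %s   %s" % (off, hexpart, text))
    return lines

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: near 8 for encrypted/compressed data, low for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(data: bytes) -> list:
    """Names of every signature the payload starts with."""
    return [name for name, rx in SIGNATURES.items() if rx.search(data)]

def find_all(data: bytes, needle: bytes) -> list:
    """Offsets of every occurrence of a byte pattern (like Find Packet with a hex value)."""
    hits, i = [], data.find(needle)
    while i != -1:
        hits.append(i)
        i = data.find(needle, i + 1)
    return hits

def inspect_payload(data: bytes) -> dict:
    return {"length": len(data), "entropy": round(entropy(data), 3),
            "matches": classify(data), "dump": hexdump(data)}

# constructed payloads
HTTP_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
OPAQUE_PAYLOAD = bytes(range(256))   # every byte value once: entropy is exactly 8 bits/byte

if __name__ == "__main__":
    for label, payload in (("http", HTTP_PAYLOAD), ("opaque", OPAQUE_PAYLOAD)):
        r = inspect_payload(payload)
        print("%s: %d bytes, entropy %.3f, matches %s" % (label, r["length"], r["entropy"], r["matches"]))
        print("\n".join(r["dump"][:3]))
```

Entropy is a coarse signal: high entropy on a port where plaintext is expected, or low entropy on a port where TLS is expected, is an anomaly worth a closer look, not a verdict on its own.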
A key aspect of the Dissect phase is preparing the data for the final Analysis phase. Both Wireshark and IOTA excel in this regard:
The Dissect phase of OIDA is where the initial flood of data is refined into a focused stream of relevant information. It requires a blend of technical knowledge, intuition, and a methodical approach. By mastering the dissection techniques discussed and leveraging the powerful features of tools like Wireshark and IOTA, analysts can efficiently sift through vast amounts of network data, isolating the critical information needed for effective problem-solving and network optimization.
Remember, effective dissection is iterative and exploratory. It involves moving between different levels of abstraction, from broad protocol statistics to the minutiae of individual packets. The goal is to strip away the noise and focus on the signal—those packets and streams that truly matter for understanding and resolving network issues.
To ensure a thorough approach to the Dissect phase, consider the following questions:
By addressing these questions and applying the dissection techniques discussed, analysts can ensure a comprehensive examination of network packets, setting the stage for insightful analysis in the final OIDA phase.