Report on Traffic Between a Certain Source IP and Destination IP Address
Reporting on traffic between network devices
Recently one of our customers got in contact with this simple query.
“I am looking to find out if it’s possible to get traffic between a certain source IP and destination IP along with the time of the connections.”
They needed a historical report, so there was no point in launching a tool like Wireshark: a packet capture started now would not report on past activity. As they have LANGuardian installed, they have 24/7 visibility throughout their network. By utilizing a SPAN port, mirror port or network TAP at strategic locations you can monitor network traffic and spot abnormal behavioral patterns as they occur. But, critically for this use case, the LANGuardian retains rich network traffic metadata very cost effectively for long periods, so the question can be answered from data that was already collected.
Network traffic reports
The image below shows a sample output from a LANGuardian IP search. Click on the image to access our demo where you can drill down on sample data. Element (1) shows the traffic between a certain source IP and destination IP, which is what the customer was looking for. LANGuardian also shows which applications (2) were in use by this network device and which suspicious events (3) were triggered by the IP. In this case we can see that there was a malware infection as well as some BitTorrent activity.
The image below shows the exact level of detail that the customer was looking for. We can see the traffic between a certain source IP and destination IP along with the time of each connection. The logged-in user can also be shown, as LANGuardian can integrate with Active Directory to capture usernames. Country flags are shown, which is useful for forensics; this is made possible by matching IP addresses against a GeoIP database.
For this incident the customer wanted to look back 3 months. This is easy to select in LANGuardian by picking a specific time range from within the reports.
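To make the query concrete, the following is an added example (not LANGuardian code or a LANGuardian API) of the same report run over retained flow metadata: given a source IP, a destination IP and a look-back window, list every connection between the pair, in time order, with the application label and the username that a directory integration would have attached. The records, the CSV-like layout and the IP addresses are constructed for the example; a real deployment would read the equivalent fields from its own metadata store or flow export.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed sample of retained flow metadata (layout is an assumption made for
# this example). Fields: timestamp (UTC), src IP, src port, dst IP, dst port,
# application label, bytes, username (empty when no directory lookup matched).
SAMPLE_FLOWS = """\
2024-01-05T09:12:03Z,10.1.2.50,51234,192.0.2.10,443,HTTPS,48211,jsmith
2024-01-05T09:14:10Z,10.1.2.50,51240,192.0.2.10,443,HTTPS,1320,jsmith
2024-02-11T22:40:55Z,10.1.2.50,6881,198.51.100.7,6881,BitTorrent,9812000,jsmith
2024-02-12T01:03:18Z,192.0.2.10,443,10.1.2.50,51300,HTTPS,750,
2024-03-01T08:00:00Z,10.1.2.51,40001,192.0.2.10,443,HTTPS,2200,mlee
2024-03-20T16:21:45Z,10.1.2.50,51400,192.0.2.10,443,HTTPS,64000,jsmith
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    app: str
    nbytes: int
    user: str


def parse_ts(s: str) -> datetime:
    """Parse a Zulu-time ISO timestamp into an aware UTC datetime."""
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed CSV-like export into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, app, nbytes, user = line.split(",")
        flows.append(Flow(parse_ts(ts), src, int(sport), dst, int(dport),
                          app, int(nbytes), user))
    return flows


def window_ending(end_iso: str, days: int) -> Tuple[str, str]:
    """Return (start, end) ISO strings for a look-back of `days` ending at end_iso.
    A calendar 'three months' is approximated here as 90 days."""
    end = parse_ts(end_iso)
    start = end - timedelta(days=days)
    return start.strftime(TS_FMT), end_iso


def pair_report(flows: List[Flow], src: str, dst: str, start_iso: str, end_iso: str,
                both_directions: bool = True) -> List[Flow]:
    """Flows between src and dst with start <= ts < end, sorted by time.
    With both_directions=True, connections initiated from dst back to src are
    included too, since the customer asked for all traffic between the pair."""
    start, end = parse_ts(start_iso), parse_ts(end_iso)

    def matches(f: Flow) -> bool:
        forward = f.src == src and f.dst == dst
        reverse = both_directions and f.src == dst and f.dst == src
        return (forward or reverse) and start <= f.ts < end

    return sorted((f for f in flows if matches(f)), key=lambda f: f.ts)


def format_report(rows: List[Flow]) -> List[str]:
    """One human-readable line per connection: time, endpoints, app, bytes, user."""
    return [
        f"{f.ts:%Y-%m-%d %H:%M:%S} {f.src}:{f.sport} -> {f.dst}:{f.dport} "
        f"{f.app} {f.nbytes}B user={f.user or '-'}"
        for f in rows
    ]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    # Look back roughly three months from 1 April 2024 (constructed date).
    start, end = window_ending("2024-04-01T00:00:00Z", 90)
    for line in format_report(pair_report(flows, "10.1.2.50", "192.0.2.10", start, end)):
        print(line)
```

Two design points matter for forensic use: the window is half-open so adjacent windows never double-count a connection, and the reverse direction is matched explicitly, because a flow export records whichever side initiated the connection and a report keyed only on one direction would miss the server-initiated row in the sample.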
Other uses for network traffic analysis
Network traffic analysis was traditionally seen as an operational tool, something to report bandwidth usage on WAN and Internet links. However, it is also an excellent data source for network security use cases, including:
- Internal and east-west traffic analysis
- Ransomware detection
- Automated threat hunting
- Passive detection of weak ciphers and vulnerable SSL certificates
- Report on insecure protocol use such as FTP and Telnet
- Root out network devices scanning your internal networks
By monitoring the traffic on your network you can get visibility into what is happening without the need for agents or log files. Agents can be difficult to deploy and scale, and they become one more thing to update and manage. Log files do not always have the answer, as they only report on local server issues. Wire data, which can be extracted from network traffic, is available immediately and is far more flexible than log data. It can provide high-fidelity user and application evidence to enhance your evolving security operations center (SOC).