Traffic study

Archived from groups: comp.security.firewalls

Hi,

I am a home ADSL user with a hardware firewall installed and up-to-date Norton AV. I have Norton
Internet Security 2004 but haven't installed it as yet.

So far there is no evidence of any spyware etc operating on my PC but I would like to be sure about
this. I would like to set up some sort of traffic analyser to monitor the lan connection between
the PC and the firewall to generate daily stats showing which programs are accessing the lan/net and
an indication of the traffic type and amount. It would be useful if the log could be
imported into Excel for analysis purposes.

I was going to install NIS 2004 to cover this but it looks like an overkill to me and won't really
give me the stats I want afaik. Any suggestions as to the best way to achieve this?

Cheers . . . JC
  1.

    JC <jhoppyc@westnet.com.invalid> wrote in
    news:321ke0t0hvtas9n0bb8lavjql1r33de902@4ax.com:

    > Hi,
    >
    > I am a home ADSL user with a hardware firewall installed and
    > up-to-date Norton AV. I have Norton Internet Security 2004 but
    > haven't installed it as yet.
    >
    > So far there is no evidence of any spyware etc operating on my PC but
    > I would like to be sure about this. I would like to set up some sort
    > of traffic analyser to monitor the lan connection between the PC and
    > the firewall to generate daily stats showing which programs are
    > accessing the lan/net and an indication of the traffic type and
    > amount. It would be useful if the log could be imported into Excel
    > for analysis purposes.
    >
    > I was going to install NIS 2004 to cover this but it looks like an
    > overkill to me and won't really give me the stats I want afaik. Any
    > suggestions as to the best way to achieve this?
    >
    > Cheers . . . JC
    >

    You could possibly take the router's logs and do this if the router has
    logging. The router will log all inbound and outbound traffic for all
    machines connected to it.

    You could use KIWI Syslog Daemon (free) which works with various routers
    and FW appliances and dump the log via ODBC into an Access or SQL Server
    database table and run Excel on the table.

    Duane :)
  2.

    In article <5hike05dhfrpj5movbimr1424bc46i04dr@4ax.com>,
    jhoppyc@westnet.com.invalid says...
    > The external hardware firewall generates logs of packets dropped and the reason why the packets were
    > dropped etc but doesn't generate anything in the way of traffic reports. I am already importing
    > the logs into Excel and using that data to send reports to abuse@x.y.z regarding nuisance port
    > probes.
    >
    > What I want is data on the outbound and inbound traffic that passes through the firewall to/from my
    > PC.

    You need to configure the firewall to also report permitted traffic.
    Most firewalls have the ability to report traffic that is permitted
    based on the type of traffic.

    Probes, in general, are not illegal and go unresolved when you report
    them.

    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
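As an added example (not from any poster in this thread), the following Python script does in code what Duane's suggestion and the reply above describe: take a syslog export from the firewall/router that includes permitted as well as dropped traffic, aggregate it per day and per remote service port, and write a CSV that Excel opens directly. It also flags permitted traffic to remote ports outside a baseline set, which is the "what is normal" question JC asks. The log field layout and the sample lines are constructed; a real router's fields will differ and `LOG_RE` must be adapted to the actual export. A log of this kind still says nothing about which program on the PC generated the traffic, as the later replies point out.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of what a home router/firewall might send to a syslog
# collector once it is configured to log permitted (ACCEPT) traffic as well as
# drops. The field layout is an assumption for this example; real devices
# differ, so LOG_RE must be adapted before pointing this at real logs.
SAMPLE_LOG = """\
Jul  6 09:12:01 gw fw: ACCEPT OUT TCP src=192.168.1.10:3342 dst=203.0.113.5:80 len=612
Jul  6 09:12:02 gw fw: ACCEPT IN TCP src=203.0.113.5:80 dst=192.168.1.10:3342 len=1480
Jul  6 09:15:44 gw fw: ACCEPT OUT UDP src=192.168.1.10:1025 dst=198.51.100.53:53 len=71
Jul  6 09:15:44 gw fw: ACCEPT IN UDP src=198.51.100.53:53 dst=192.168.1.10:1025 len=155
Jul  6 11:30:07 gw fw: DROP IN TCP src=192.0.2.77:6000 dst=192.168.1.10:135 len=48
Jul  7 02:00:13 gw fw: ACCEPT OUT TCP src=192.168.1.10:3401 dst=192.0.2.200:6667 len=98
Jul  7 02:00:14 gw fw: ACCEPT IN TCP src=192.0.2.200:6667 dst=192.168.1.10:3401 len=212
not a firewall line at all
"""

# Syslog carries no year, so the "date" is month and day only.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ fw: "
    r"(?P<action>ACCEPT|DROP) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"src=[\d.]+:(?P<sport>\d+) dst=[\d.]+:(?P<dport>\d+) len=(?P<len>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    # The remote service port is the dst port for outbound traffic and the
    # src port for inbound traffic (the PC's own ephemeral port is not useful).
    remote_port = int(f["dport"]) if f["dir"] == "OUT" else int(f["sport"])
    return {
        "date": f"{f['mon']} {int(f['day'])}",
        "action": f["action"],
        "dir": f["dir"],
        "proto": f["proto"],
        "remote_port": remote_port,
        "bytes": int(f["len"]),
    }


def daily_stats(log_text):
    """Aggregate packets and bytes per (date, action, direction, proto, remote port)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not counted
        key = (rec["date"], rec["action"], rec["dir"], rec["proto"], rec["remote_port"])
        stats[key]["packets"] += 1
        stats[key]["bytes"] += rec["bytes"]
    return dict(stats)


def to_csv(stats):
    """Render the aggregate as CSV text that Excel can open directly."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["date", "action", "direction", "proto", "remote_port", "packets", "bytes"])
    for key in sorted(stats):
        w.writerow(list(key) + [stats[key]["packets"], stats[key]["bytes"]])
    return buf.getvalue()


def flag_unexpected(stats, baseline_ports):
    """Permitted traffic to a remote service port outside the baseline is worth a look."""
    return {
        (date, port)
        for (date, action, _direction, _proto, port) in stats
        if action == "ACCEPT" and port not in baseline_ports
    }


if __name__ == "__main__":
    stats = daily_stats(SAMPLE_LOG)
    print(to_csv(stats))
    # Baseline for a typical browsing/mail PC; the IRC port 6667 on Jul 7 stands out.
    print("unexpected:", sorted(flag_unexpected(stats, {53, 80, 443, 25, 110})))
```

Run it against the real export by replacing `SAMPLE_LOG` with the contents of the syslog file; the baseline set is something to build up from a few days of your own normal traffic rather than to guess once.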
  3.

    On Tue, 06 Jul 2004 11:56:30 +1000, JC <jhoppyc@westnet.com.invalid>
    wrote:

    >Hi,
    >
    >I am a home ADSL user with a hardware firewall installed and up-to-date Norton AV. I have Norton
    >Internet Security 2004 but haven't installed it as yet.
    >
    >So far there is no evidence of any spyware etc operating on my PC but I would like to be sure about
    >this. I would like to set up some sort of traffic analyser to monitor the lan connection between
    >the PC and the firewall to generate daily stats showing which programs are accessing the lan/net and
    >an indication of the traffic type and amount. It would be useful if the log could be
    >imported into Excel for analysis purposes.
    >
    >I was going to install NIS 2004 to cover this but it looks like an overkill to me and won't really
    >give me the stats I want afaik. Any suggestions as to the best way to achieve this?
    >
    >Cheers . . . JC
    You might install Sygate personal firewall. It logs all traffic in and
    out. I believe there is a free version you can try. (google)

    --
    Clarke
  4.

    JC wrote:


    > The external hardware firewall generates logs of packets dropped and the
    > reason why the packets were
    > dropped etc but doesn't generate anything in the way of traffic reports.

    That is because the 'hardware firewall' is a packet filter and therefore is
    not able to know anything about the software that generated the packets.
    And even if it was a proxy it could not know the application.

    > I am already importing the logs into Excel and using that data to send
    > reports to abuse@x.y.z regarding nuisance port probes.

    You simply waste the time of hopefully skilled admins and bore them to death
    with that. Just forget about it. If you want to save the internet read some
    books about network protocols and get the knowledge to realize that what
    you do is senseless.

    > What I want is data on the outbound and inbound traffic that passes
    > through the firewall to/from my PC.

    So learn everything about the software that is installed on your system.
    That might require reading the source code. You don't have access to the
    source code? Well, what a pity.

    > I figured that this would have to come from a program running on the
    > PC and sniffing the packets so it can determine the
    > originating/destination program, origin/destination IP address etc
    > data.

    You cannot identify the software that is using the network unless you have
    the source code of every piece of software running on your system.

    > I am assuming that packet sniffing programs exist.

    You are assuming ...

    Well, I know that they exist and I even use them. And having seen quite some
    output of Ethereal or tcpdump I can honestly tell that you cannot identify
    the software that produced the packets by viewing the packets.

    > For one thing
    > this should give me stats on what is normal traffic and quickly indicate
    > if any spyware/trojan is at work that were not detected by NAV.

    Complete nonsense. Forget it. Install only software you trust ... done.

    > The NIS manual didn't indicate that it could do this - it seemed to be
    > designed to sit in the background watching the lan traffic and can be
    > configured to automatically allow trusted programs access to the net or to
    > ask if access to the net is allowed for each program the first time it
    > tries to access the net.

    Personal firewalls are playground stuff for the kiddies, nothing more. They
    are of no real value.

    > Now that I am retired I can afford to spend some time each day analysing
    > what is happening on my
    > little corner of the net and taking steps to correct anything abnormal.

    Spend the time reading good books about how network communication functions.
    If you still have spare time learn programming languages (especially C) and
    read (a lot!) source code.

    > A minor problem in doing this is that while I can understand a lot of what
    > is happening I am not an IT engineer but I do have the time now to learn
    > if pointed in the right direction.

    Fine, forget the kiddie stuff and read good books.

    > Do others do this type of thing?

    Yes, other dummies do, people who really know how network communication
    functions, read source code.

    Wolfgang
    --
    A foreign body and a foreign mind
    never welcome in the land of the blind.
    from 'Not one of us', (c) 1980 Peter Gabriel
  5.

    JC <jhoppyc@westnet.com.invalid> wrote in
    news:321ke0t0hvtas9n0bb8lavjql1r33de902@4ax.com:

    > I would like to set up some sort of traffic analyser to monitor the
    > lan connection between
    > the PC and the firewall to generate daily stats showing which programs
    > are accessing the lan/net and an indication of the traffic type and
    > amount.

    Only your PC itself can know which programs are accessing the NIC. Once it
    leaves the box, it's just TCP/IP.

    You can capture the packets and learn a great deal about what is happening
    by using a program called Ethereal. You will need another box to run
    Ethereal on.


    Bob


    --
    Delete the inverse SPAM to reply
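Bob's point that only the PC itself can know which program owns a connection is the reason a host-side snapshot is needed alongside the firewall logs. As an added example that is not part of any post in this thread, the following Python script correlates the output of `netstat -ano` (which on Windows XP and later prints the owning PID in its last column) with `tasklist /fo csv` to list remote endpoints per program and export them as CSV. The sample command output is constructed to match those commands' column layout. This is a point-in-time snapshot rather than a traffic log, and, as Duane and Wolfgang argue later in the thread, malware that runs inside a trusted process shows up under that process's name.

```python
import csv
import io

# Constructed sample output of `netstat -ano` and `tasklist /fo csv` on a
# Windows XP-era machine. Real output differs in content; the column layout
# assumed here is the one those two commands print.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    192.168.1.10:3342      203.0.113.5:80         ESTABLISHED     1868
  TCP    192.168.1.10:3401      192.0.2.200:6667       ESTABLISHED     2244
  UDP    0.0.0.0:1025           *:*                                    1032
  UDP    192.168.1.10:123       *:*                                    1116
"""

SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"svchost.exe","1032","Console","0","4,812 K"
"svchost.exe","1116","Console","0","3,100 K"
"iexplore.exe","1868","Console","0","22,416 K"
"updater.exe","2244","Console","0","1,204 K"
"""


def parse_netstat(text):
    """Return one dict per socket row: proto, local, remote, state, pid."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""  # UDP rows carry no State column
        else:
            continue  # unexpected layout; skip rather than misattribute
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def connections_by_program(netstat_text, tasklist_text):
    """Group remote endpoints by owning program; pure listeners get an empty list."""
    names = parse_tasklist(tasklist_text)
    by_prog = {}
    for row in parse_netstat(netstat_text):
        # A PID with no tasklist entry means the process exited between the
        # two snapshots; keep it visible rather than dropping it.
        prog = names.get(row["pid"], f"<pid {row['pid']}>")
        endpoints = by_prog.setdefault(prog, set())
        if row["state"] == "LISTENING" or row["remote"] in ("*:*", "0.0.0.0:0"):
            continue  # listening/unbound sockets have no remote peer yet
        endpoints.add(f"{row['proto']} {row['remote']}")
    return {prog: sorted(eps) for prog, eps in by_prog.items()}


def to_csv(grouped):
    """One CSV row per (program, remote endpoint) for import into Excel."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["program", "remote_endpoint"])
    for prog in sorted(grouped):
        for ep in grouped[prog] or [""]:
            w.writerow([prog, ep])
    return buf.getvalue()


def live_snapshot():
    """Run the real commands (Windows only) and group the result the same way."""
    import subprocess
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist", "/fo", "csv"], capture_output=True, text=True).stdout
    return connections_by_program(ns, tl)


if __name__ == "__main__":
    import sys
    grouped = live_snapshot() if "--live" in sys.argv else \
        connections_by_program(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    print(to_csv(grouped))
```

Scheduling this to run every few minutes and appending the CSV gives the per-program view the firewall log cannot, at the cost of missing connections shorter than the sampling interval. In the sample, `updater.exe` talking to port 6667 is the kind of line a daily review should catch.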
  6.

    Wolfgang Kueter <wolfgang@shconnect.de> wrote in
    news:ccfb0t$8bt$1@news.shlink.de:

    > Personal firewalls are playground stuff for the kiddies, nothing more.
    > They are of no real value.
    >

    I think they are very handy for determining the access patterns of
    installed software.

    They can also keep other people from using software that isn't authorized.
    As an example, if you install ZoneAlarm Pro, and if you enable the password
    feature, then the overwhelming majority of users won't be able to use any
    software to access the net besides what is provided for them.

    Bob

    --
    Delete the inverse SPAM to reply
  7.

    bob <usenetMAPS@2fiddles.com> wrote in
    news:Xns953CC8002CE9Cbobatcarolnet@207.69.154.205:

    > Wolfgang Kueter <wolfgang@shconnect.de> wrote in
    > news:ccfb0t$8bt$1@news.shlink.de:
    >
    >> Personal firewalls are playground stuff for the kiddies, nothing
    >> more. They are of no real value.
    >>
    >
    > I think they are very handy for determining the access patterns of
    > installed software.
    >
    > They can also keep other people from using software that isn't
    > authorized. As an example, if you install ZoneAlarm Pro, and if you
    > enable the password feature, then the overwhelming majority of users
    > won't be able to use any software to access the net besides what is
    > provided for them.
    >
    > Bob
    >

    The responsibility for that belongs with the O/S, like an NT-based O/S
    using NTFS, as malware can circumvent and defeat any PFW solution.

    Duane :)
  8.

    bob wrote:

    > I think they are very handy for determining the access patterns of
    > installed software.

    They are not since they can be fooled by malware. The same refers to the
    rest of your posting.

    Wolfgang
    --
    A foreign body and a foreign mind
    never welcome in the land of the blind
    Peter Gabriel, Not one of us, 1980
  9.

    Wolfgang Kueter <wolfgang@shconnect.de> wrote in
    news:cevgj1$eml$1@news.shlink.de:

    > bob wrote:
    >
    >> I think they are very handy for determining the access patterns of
    >> installed software.
    >
    > They are not since they can be fooled by malware. The same refers to
    > the rest of your posting.
    >
    > Wolfgang

    Photoshop, for example, is not malware, and does not try to fool the
    firewall. I find it handy to know when Photoshop accesses the internet.
    Same thing for all my other non-malware applications.

    I don't know that there is any particular reason to know, but I like to
    anyway.

    From what I understand, the circumstances under which malware can trick
    a software firewall are somewhat limited. For instance, I know that most
    users give internet explorer access to the internet, and that it is
    possible for other applications to use IE through VBA, for instance, but
    it is not necessary to give IE access.

    Bob

    --
    Delete the inverse SPAM to reply
  10.

    bob <usenetMAPS@2fiddles.com> wrote in
    news:Xns953EE95E2F0ACbobatcarolnet@207.69.154.203:

    > Wolfgang Kueter <wolfgang@shconnect.de> wrote in
    > news:cevgj1$eml$1@news.shlink.de:
    >
    >> bob wrote:
    >>
    >>> I think they are very handy for determining the access patterns of
    >>> installed software.
    >>
    >> They are not since they can be fooled by malware. The same refers to
    >> the rest of your posting.
    >>
    >> Wolfgang
    >
    > Photoshop, for example, is not malware, and does not try to fool the
    > firewall. I find it handy to know when Photoshop accesses the internet.
    > Same thing for all my other non-malware applications.
    >
    > I don't know that there is any particular reason to know, but I like to
    > anyway.

    > From what I understand, the circumstances under which malware can trick
    > a software firewall are somewhat limited.

    So what if malware is disguised as an O/S program and one doesn't know
    it, then what? What if malware is piggybacking off something like
    svchost.exe, whose job is to access the Internet? What if malware is
    piggybacking off the Wireless Zero Configuration Service, because WZCS
    uses RPC and NDIS Usermode I/O Protocol?

    There are many, many and many more ways of malware circumventing and
    defeating a PFW solution with App Control once the malware hits the
    machine.

    > For instance, I know that most
    > users give internet explorer access to the internet, and that it is
    > possible for other applications to use IE through VBA, for instance,
    > but it is not necessary to give IE access.

    So, if one stops IE for that reason and one never knew what wanted access
    through IE, because IE's job is to access the Internet, and then one
    lets IE access the Internet for some other reason, what happened to that
    reason IE was being stopped? The reason that IE was being stopped never
    went anywhere and because one never knew what it was to begin with in the
    first place, it has its chance.

    Do you think that malware designed to exploit Photoshop couldn't be
    accomplished?

    I used to think the PFW solution with App Control was all *that*, but not
    anymore. Yes, BlackIce is on the machines with App Control, and I think
    its App Control is one of the best. But I don't use it as a crutch to
    tell me what's happening on the machine as I know malware can circumvent
    and defeat any PFW solution. I use other tools to tell me what traffic is
    coming in and leaving the machine and why.

    Duane :)