SlideShare a Scribd company logo

Pattern-Oriented Network Trace Analysis

Dmitry Vostokov, profile picture
Dmitry Vostokov

The document outlines the principles and methodologies of network trace analysis and software diagnostics, emphasizing the importance of identifying patterns in software behavior through various analytical tools like Wireshark. It provides structured approaches to classify and interpret software execution artifacts, including logs and traces, to diagnose issues and recommend solutions. It also hints at future topics such as accelerated network trace analysis and generative software narratology.

Software
1 of 49
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
Network Trace Analysis Dmitry Vostokov Software Diagnostics Services Version 1.0 Facebook LinkedIn Twitter
Wireshark Hark  Listen (to) “Hark! There’s the big bombardment.”  Speak in one’s ear; whisper Shorter Oxford English Dictionary Hark back (idiom)  To return to a previous point, as in a narrative http://www.thefreedictionary.com/hark © 2013 Software Diagnostics Services
Prerequisites  Interest in software diagnostics, troubleshooting, debugging and network trace analysis  Experience in network trace analysis using Wireshark or Network Monitor © 2013 Software Diagnostics Services
Why?  A common diagnostics language  Network diagnostics as software diagnostics © 2013 Software Diagnostics Services
Software Diagnostics A discipline studying abnormal software structure and behavior in software execution artifacts (such as memory dumps, software and network traces and logs) using pattern-driven, systemic and pattern-based analysis methodologies. © 2013 Software Diagnostics Services
Diagnostics Pattern A common recurrent identifiable problem together with a set of recommendations and possible solutions to apply in a specific context. © 2013 Software Diagnostics Services
Pattern Orientation © 2013 Software Diagnostics Services Pattern-driven  Finding patterns in software artefacts  Using checklists and pattern catalogs Pattern-based  Pattern catalog evolution  Catalog packaging and delivery
Catalog Classification  By abstraction Meta-patterns  By artifact type Software Log* Memory Dump Network Trace*  By story type Problem Description Software Disruption UI Problem  By intention Malware © 2013 Software Diagnostics Services
Traces and Logs © 2013 Software Diagnostics Services
Trace and Log Patterns © 2013 Software Diagnostics Services
Software Narrative A temporal sequence of events related to software execution. © 2013 Software Diagnostics Services
Software Trace © 2013 Software Diagnostics Services  A sequence of formatted messages  Arranged by time  A narrative story
Network Trace © 2013 Software Diagnostics Services  A sequence of formatted packets as trace messages  Arranged by time  A narrative story
Network Trace Analysis © 2013 Software Diagnostics Services Software Trace Analysis Patterns Network Trace Analysis Patterns
Capture Tool Placing  Sniffer placing  Process Monitor placing © 2013 Software Diagnostics Services
Trace Maps  Network map  Deployment architecture map © 2013 Software Diagnostics Services
Name Resolution  MAC -> IP and IP -> DNS  PID -> process name © 2013 Software Diagnostics Services
Trace Presentation © 2013 Software Diagnostics Services Full Trace (Story, Fable, Fabula) Trace 1 (Plot, Sujet) Trace 2 (Plot, Sujet) Trace 3 (Plot, Sujet) Trace 4 (Plot, Sujet) Trace 5 (Plot, Sujet) Trace Presentation A (Discourse) Trace Presentation B (Discourse) Trace Presentation C (Discourse)
Minimal Trace Graphs © 2013 Software Diagnostics Services Time # Src Dst Time Message
Pattern-Driven Analysis © 2013 Software Diagnostics Services Logs Checklists Patterns Action
Pattern-Based Analysis © 2013 Software Diagnostics Services Software Trace New Pattern Discovery Pattern Catalog + Usage
Pattern Classification © 2013 Software Diagnostics Services  Vocabulary  Error  Trace as a Whole  Large Scale  Activity  Message  Block  Trace Set
Reference and Course © 2013 Software Diagnostics Services  Catalog from Software Diagnostics Library Software Trace Analysis Patterns  Free reference graphical slides Accelerated-Windows-Software-Trace-Analysis-Public.pdf  Training course* Accelerated Windows Software Trace Analysis * Available as a full color paperback book, PDF book, on SkillsSoft Books 24x7. Recording is available for all book formats
Selected Patterns © 2013 Software Diagnostics Services
Master Trace Normal network capture © 2013 Software Diagnostics Services Pattern Category Trace Set
Message Current Packets/s © 2013 Software Diagnostics Services Time # Src Dst Time Message Time # Src Dst Time Message 10.100 10.200 10.100 12.100 J1 > J2 Pattern Category Trace as a Whole
Message Density D1 > D2 © 2013 Software Diagnostics Services Time # Src Dst Time Message Pattern Category Trace as a Whole
Characteristic Block D1 < D2 L1 > L2 © 2013 Software Diagnostics Services Time # Src Dst Time Message Pattern Category Large Scale
Example © 2013 Software Diagnostics Services
Thread of Activity © 2013 Software Diagnostics Services Pattern Category Activity Time # Src Dst Time Message Time # Src Dst Time Message
Adjoint Thread Filtered by:  Source  Destination  Protocol  Message  Expression © 2013 Software Diagnostics Services Pattern Category Activity Time # Src Dst Time Message Time # Src Dst Time Message
No Activity © 2013 Software Diagnostics Services Time # Src Dst Time Message We messages from other servers but only see our own traffic Pattern Category Activity
Discontinuity © 2013 Software Diagnostics Services Pattern Category Activity Time # Src Dst Time Message Time # Src Dst Time Message
Dialog Conversation between 2 endpoints © 2013 Software Diagnostics Services Time # Src Dst Time Message
Significant Event Time Reference feature in Wireshark © 2013 Software Diagnostics Services Time # Src Dst Time Message Pattern Category Message
Marked Messages Marked Packets feature in Wireshark © 2013 Software Diagnostics Services Annotated messages: session initialization [+] session tear-off [-] port A activity [+] port B activity [-] protocol C used [-] address D used [-] [+] activity is present in a trace [-] activity is undetected or not present Pattern Category Message
Partition Connection initiation (Prologue) and termination (Epilogue) © 2013 Software Diagnostics Services Tail Epilogue Head Time Prologue Core # Src Dst Time Message Pattern Category Trace as a Whole
Inter-Correlation  Several packet sniffers at once  Internal and external views Process Monitor log + network trace © 2013 Software Diagnostics Services Pattern Category Trace Set
Circular Trace © 2013 Software Diagnostics Services Pattern Category Trace as a Whole Time # Src Dst Time Message Problem Repro
Split Trace © 2013 Software Diagnostics Services Pattern Category Trace Set Time # Src Dst Time Message # PID TID Time Message # PID TID Time Message
Paratext Info column in Wireshark © 2013 Software Diagnostics Services
Frames OSI, TCP/IP Layers © 2013 Software Diagnostics Services Time # Src Dst Time Message Pattern Category Large Scale
Visibility Limit Visibility window for sniffing © 2013 Software Diagnostics Services PC 1 PC 2 PC 3 sniffer Pattern Category Trace as a Whole
Incomplete History  Packet loss  Missing ACK © 2013 Software Diagnostics Services
Possible New Patterns  Full Trace (promiscuous mode)  Embedded Message (PDU chain, protocol data unit, packet)  Ordered Message (TCP/IP sequence numbers)  Illegal Message (sniffed with illegally obtained privileges)  Dual Trace (in / out, duplex) © 2013 Software Diagnostics Services
Further Reading  Practical Packet Analysis, 2nd edition, by Chris Sanders  Software Diagnostics Institute  Memory Dump Analysis Anthology: Volumes 3, 4, 5, 6, … Volume 7 is in preparation (July, 2013)  Introduction to Software Narratology  Malware Narratives © 2013 Software Diagnostics Services
What’s Next? © 2013 Software Diagnostics Services  Accelerated Network Trace Analysis  Generative Software Narratology  Pattern-Oriented Hardware Signal Analysis
Q&A Please send your feedback using the contact form on DumpAnalysis.com © 2013 Software Diagnostics Services
Thank you for attendance! © 2013 Software Diagnostics Services Facebook LinkedIn Twitter

More Related Content

PDF
sDDS: An Adaptable DDS Solution for Wireless Sensor Networks
Real-Time Innovations (RTI)
 
PDF
State of the art parallel approaches for
ijcsa
 
PDF
Survey of Different DNA Cryptography based Algorithms
IRJET Journal
 
PDF
Signpost at FOCI 2013
Amir Chaudhry
 
PDF
Network Forensics: Packet Analysis Using Wireshark
n|u - The Open Security Community
 
PDF
Java Abs Scalable Wireless Ad Hoc Network Simulation Using
ncct
 
PDF
G43053847
IJERA Editor
 
PDF
Performance evaluation of Hard and Soft Wimax by using PGP and PKM protocols ...
IOSR Journals
 
sDDS: An Adaptable DDS Solution for Wireless Sensor Networks
Real-Time Innovations (RTI)
 
State of the art parallel approaches for
ijcsa
 
Survey of Different DNA Cryptography based Algorithms
IRJET Journal
 
Signpost at FOCI 2013
Amir Chaudhry
 
Network Forensics: Packet Analysis Using Wireshark
n|u - The Open Security Community
 
Java Abs Scalable Wireless Ad Hoc Network Simulation Using
ncct
 
G43053847
IJERA Editor
 
Performance evaluation of Hard and Soft Wimax by using PGP and PKM protocols ...
IOSR Journals
 

What's hot (19)

PDF
IRJET- Data Security in Network Flow using Obfuscation Technique
IRJET Journal
 
PPT
Nwc rsa
anupamnm
 
PDF
(130511) #fitalk network forensics and its role and scope
INSIGHT FORENSIC
 
PDF
An4101227230
IJERA Editor
 
PDF
IRJET- Estimating Various DHT Protocols
IRJET Journal
 
PDF
Markle Tree Based Authentication Protocol for Lifetime Enhancement in Wireles...
Eswar Publications
 
PDF
DETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAIN
cscpconf
 
PDF
DoS Forensic Exemplar Comparison to a Known Sample
CSCJournals
 
DOC
Detection of application layer ddos attack using hidden semi markov model (20...
Mumbai Academisc
 
PDF
BasepaperControlling IP Spoofing through Interdomain Packet Filters
bhasker nalaveli
 
DOC
Controlling ip spoofing through inter domain packet filters(synopsis)
Mumbai Academisc
 
PDF
An analysis of the skype peer to-peer
xiaoran815
 
PDF
An experimental study of the skype peer to-peer vo ip system
xiaoran815
 
PDF
An enhanced ip traceback mechanism for tracking the attack source using packe...
IAEME Publication
 
PDF
1670 1673
Editor IJARCET
 
PDF
Ijnsa050211
IJNSA Journal
 
PDF
Authentication in Different Scenarios
Raj Sikarwar
 
PDF
Content aware p2 p video streaming with lowlatency
xiaoran815
 
PDF
Linguistic Passphrase Cracking
Priyanka Aash
 
IRJET- Data Security in Network Flow using Obfuscation Technique
IRJET Journal
 
Nwc rsa
anupamnm
 
(130511) #fitalk network forensics and its role and scope
INSIGHT FORENSIC
 
An4101227230
IJERA Editor
 
IRJET- Estimating Various DHT Protocols
IRJET Journal
 
Markle Tree Based Authentication Protocol for Lifetime Enhancement in Wireles...
Eswar Publications
 
DETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAIN
cscpconf
 
DoS Forensic Exemplar Comparison to a Known Sample
CSCJournals
 
Detection of application layer ddos attack using hidden semi markov model (20...
Mumbai Academisc
 
BasepaperControlling IP Spoofing through Interdomain Packet Filters
bhasker nalaveli
 
Controlling ip spoofing through inter domain packet filters(synopsis)
Mumbai Academisc
 
An analysis of the skype peer to-peer
xiaoran815
 
An experimental study of the skype peer to-peer vo ip system
xiaoran815
 
An enhanced ip traceback mechanism for tracking the attack source using packe...
IAEME Publication
 
1670 1673
Editor IJARCET
 
Ijnsa050211
IJNSA Journal
 
Authentication in Different Scenarios
Raj Sikarwar
 
Content aware p2 p video streaming with lowlatency
xiaoran815
 
Linguistic Passphrase Cracking
Priyanka Aash
 
Ad

Similar to Pattern-Oriented Network Trace Analysis (20)

PDF
Malware Narratives
Dmitry Vostokov
 
PDF
Accelerated Windows Software Trace Analysis training public slides
Dmitry Vostokov
 
PDF
IRJET- Comparative Study on Network Monitoring Tools of Nagios Versus Hyp...
IRJET Journal
 
PDF
Interruption Timer PĂ©riodique
Anne Nicolas
 
PDF
dtrace_topics_intro.pdf
ssuser785ce21
 
PPT
Network Scanning Phases and Supporting Tools
Joseph Bugeja
 
PPT
Network monotoring
Programmer
 
PDF
Systemic Software Diagnostics
Dmitry Vostokov
 
PDF
Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best ...
Dmitry Vostokov
 
PDF
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
APNIC
 
PDF
Code Tracing with Zend Server 5: A Flight Recorder for your PHP Applications!
Zend by Rogue Wave Software
 
PPTX
Wireshark, Tcpdump and Network Performance tools
Sachidananda Sahu
 
PPTX
Designing Tracing Tools
Sysdig
 
PPT
Types of NETWORK RECONNAISSANCE with its Cases.ppt
RohitAhuja58
 
PDF
Designing Tracing Tools
Brendan Gregg
 
PDF
Lisa12 methodologies
Brendan Gregg
 
PDF
A22 Introduction to DTrace by Kyle Hailey
Insight Technology, Inc.
 
PDF
Debugging TV Frame 0x15
Dmitry Vostokov
 
PDF
Network traffic analysis course
TECHNOLOGY CONTROL CO.
 
PDF
Pattern-Driven Software Diagnostics: An Introduction
Dmitry Vostokov
 
Malware Narratives
Dmitry Vostokov
 
Accelerated Windows Software Trace Analysis training public slides
Dmitry Vostokov
 
IRJET- Comparative Study on Network Monitoring Tools of Nagios Versus Hyp...
IRJET Journal
 
Interruption Timer PĂ©riodique
Anne Nicolas
 
dtrace_topics_intro.pdf
ssuser785ce21
 
Network Scanning Phases and Supporting Tools
Joseph Bugeja
 
Network monotoring
Programmer
 
Systemic Software Diagnostics
Dmitry Vostokov
 
Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best ...
Dmitry Vostokov
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
APNIC
 
Code Tracing with Zend Server 5: A Flight Recorder for your PHP Applications!
Zend by Rogue Wave Software
 
Wireshark, Tcpdump and Network Performance tools
Sachidananda Sahu
 
Designing Tracing Tools
Sysdig
 
Types of NETWORK RECONNAISSANCE with its Cases.ppt
RohitAhuja58
 
Designing Tracing Tools
Brendan Gregg
 
Lisa12 methodologies
Brendan Gregg
 
A22 Introduction to DTrace by Kyle Hailey
Insight Technology, Inc.
 
Debugging TV Frame 0x15
Dmitry Vostokov
 
Network traffic analysis course
TECHNOLOGY CONTROL CO.
 
Pattern-Driven Software Diagnostics: An Introduction
Dmitry Vostokov
 
Ad

More from Dmitry Vostokov (20)

PDF
Accelerated Windows Debugging 3 training public slides
Dmitry Vostokov
 
PDF
Accelerated .NET Memory Dump Analysis training public slides
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x1C
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x1A
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x34
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x33
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x31
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x25
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x24
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x21
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x20
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x19
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x18
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x17
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x16
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x14
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x13
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x12
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x11
Dmitry Vostokov
 
PDF
Debugging TV Frame 0x10
Dmitry Vostokov
 
Accelerated Windows Debugging 3 training public slides
Dmitry Vostokov
 
Accelerated .NET Memory Dump Analysis training public slides
Dmitry Vostokov
 
Debugging TV Frame 0x1C
Dmitry Vostokov
 
Debugging TV Frame 0x1A
Dmitry Vostokov
 
Debugging TV Frame 0x34
Dmitry Vostokov
 
Debugging TV Frame 0x33
Dmitry Vostokov
 
Debugging TV Frame 0x31
Dmitry Vostokov
 
Debugging TV Frame 0x25
Dmitry Vostokov
 
Debugging TV Frame 0x24
Dmitry Vostokov
 
Debugging TV Frame 0x21
Dmitry Vostokov
 
Debugging TV Frame 0x20
Dmitry Vostokov
 
Debugging TV Frame 0x19
Dmitry Vostokov
 
Debugging TV Frame 0x18
Dmitry Vostokov
 
Debugging TV Frame 0x17
Dmitry Vostokov
 
Debugging TV Frame 0x16
Dmitry Vostokov
 
Debugging TV Frame 0x14
Dmitry Vostokov
 
Debugging TV Frame 0x13
Dmitry Vostokov
 
Debugging TV Frame 0x12
Dmitry Vostokov
 
Debugging TV Frame 0x11
Dmitry Vostokov
 
Debugging TV Frame 0x10
Dmitry Vostokov
 

Recently uploaded (20)

PDF
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PDF
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PPTX
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
Transform Your Business with a Software ERP System
Canada Software Company
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
System and Network Administraation Chapter 3
jaramharo
 

Pattern-Oriented Network Trace Analysis

  • 1. Network Trace Analysis Dmitry Vostokov Software Diagnostics Services Version 1.0 Facebook LinkedIn Twitter
  • 2. Wireshark Hark ď‚ž Listen (to) “Hark! There’s the big bombardment.” ď‚ž Speak in one’s ear; whisper Shorter Oxford English Dictionary Hark back (idiom) ď‚ž To return to a previous point, as in a narrative http://www.thefreedictionary.com/hark © 2013 Software Diagnostics Services
  • 3. Prerequisites ď‚ž Interest in software diagnostics, troubleshooting, debugging and network trace analysis ď‚ž Experience in network trace analysis using Wireshark or Network Monitor © 2013 Software Diagnostics Services
  • 4. Why? ď‚ž A common diagnostics language ď‚ž Network diagnostics as software diagnostics © 2013 Software Diagnostics Services
  • 5. Software Diagnostics A discipline studying abnormal software structure and behavior in software execution artifacts (such as memory dumps, software and network traces and logs) using pattern-driven, systemic and pattern-based analysis methodologies. © 2013 Software Diagnostics Services
  • 6. Diagnostics Pattern A common recurrent identifiable problem together with a set of recommendations and possible solutions to apply in a specific context. © 2013 Software Diagnostics Services
  • 7. Pattern Orientation © 2013 Software Diagnostics Services Pattern-driven ď‚ž Finding patterns in software artefacts ď‚ž Using checklists and pattern catalogs Pattern-based ď‚ž Pattern catalog evolution ď‚ž Catalog packaging and delivery
  • 8. Catalog Classification ď‚ž By abstraction Meta-patterns ď‚ž By artifact type Software Log* Memory Dump Network Trace* ď‚ž By story type Problem Description Software Disruption UI Problem ď‚ž By intention Malware © 2013 Software Diagnostics Services
  • 9. Traces and Logs © 2013 Software Diagnostics Services
  • 10. Trace and Log Patterns © 2013 Software Diagnostics Services
  • 11. Software Narrative A temporal sequence of events related to software execution. © 2013 Software Diagnostics Services
  • 12. Software Trace © 2013 Software Diagnostics Services ď‚ž A sequence of formatted messages ď‚ž Arranged by time ď‚ž A narrative story
  • 13. Network Trace © 2013 Software Diagnostics Services ď‚ž A sequence of formatted packets as trace messages ď‚ž Arranged by time ď‚ž A narrative story
  • 14. Network Trace Analysis © 2013 Software Diagnostics Services Software Trace Analysis Patterns Network Trace Analysis Patterns
  • 15. Capture Tool Placing ď‚ž Sniffer placing ď‚ž Process Monitor placing © 2013 Software Diagnostics Services
  • 16. Trace Maps ď‚ž Network map ď‚ž Deployment architecture map © 2013 Software Diagnostics Services
  • 17. Name Resolution ď‚ž MAC -> IP and IP -> DNS ď‚ž PID -> process name © 2013 Software Diagnostics Services
  • 18. Trace Presentation © 2013 Software Diagnostics Services Full Trace (Story, Fable, Fabula) Trace 1 (Plot, Sujet) Trace 2 (Plot, Sujet) Trace 3 (Plot, Sujet) Trace 4 (Plot, Sujet) Trace 5 (Plot, Sujet) Trace Presentation A (Discourse) Trace Presentation B (Discourse) Trace Presentation C (Discourse)
  • 19. Minimal Trace Graphs © 2013 Software Diagnostics Services Time # Src Dst Time Message
  • 20. Pattern-Driven Analysis © 2013 Software Diagnostics Services Logs Checklists Patterns Action
  • 21. Pattern-Based Analysis © 2013 Software Diagnostics Services Software Trace New Pattern Discovery Pattern Catalog + Usage
  • 22. Pattern Classification © 2013 Software Diagnostics Services ď‚ž Vocabulary ď‚ž Error ď‚ž Trace as a Whole ď‚ž Large Scale ď‚ž Activity ď‚ž Message ď‚ž Block ď‚ž Trace Set
  • 23. Reference and Course © 2013 Software Diagnostics Services ď‚ž Catalog from Software Diagnostics Library Software Trace Analysis Patterns ď‚ž Free reference graphical slides Accelerated-Windows-Software-Trace-Analysis-Public.pdf ď‚ž Training course* Accelerated Windows Software Trace Analysis * Available as a full color paperback book, PDF book, on SkillsSoft Books 24x7. Recording is available for all book formats
  • 24. Selected Patterns © 2013 Software Diagnostics Services
  • 25. Master Trace Normal network capture © 2013 Software Diagnostics Services Pattern Category Trace Set
  • 26. Message Current Packets/s © 2013 Software Diagnostics Services Time # Src Dst Time Message Time # Src Dst Time Message 10.100 10.200 10.100 12.100 J1 > J2 Pattern Category Trace as a Whole
  • 27. Message Density D1 > D2 © 2013 Software Diagnostics Services Time # Src Dst Time Message Pattern Category Trace as a Whole
  • 28. Characteristic Block D1 < D2 L1 > L2 © 2013 Software Diagnostics Services Time # Src Dst Time Message Pattern Category Large Scale
  • 29. Example © 2013 Software Diagnostics Services
  • 30. Thread of Activity © 2013 Software Diagnostics Services Pattern Category Activity Time # Src Dst Time Message Time # Src Dst Time Message
  • 31. Adjoint Thread Filtered by: ď‚ž Source ď‚ž Destination ď‚ž Protocol ď‚ž Message ď‚ž Expression © 2013 Software Diagnostics Services Pattern Category Activity Time # Src Dst Time Message Time # Src Dst Time Message
  • 32. No Activity © 2013 Software Diagnostics Services Time # Src Dst Time Message We messages from other servers but only see our own traffic Pattern Category Activity
  • 33. Discontinuity © 2013 Software Diagnostics Services Pattern Category Activity Time # Src Dst Time Message Time # Src Dst Time Message
  • 34. Dialog Conversation between 2 endpoints © 2013 Software Diagnostics Services Time # Src Dst Time Message
  • 35. Significant Event Time Reference feature in Wireshark © 2013 Software Diagnostics Services Time # Src Dst Time Message Pattern Category Message
  • 36. Marked Messages Marked Packets feature in Wireshark © 2013 Software Diagnostics Services Annotated messages: session initialization [+] session tear-off [-] port A activity [+] port B activity [-] protocol C used [-] address D used [-] [+] activity is present in a trace [-] activity is undetected or not present Pattern Category Message
  • 37. Partition Connection initiation (Prologue) and termination (Epilogue) © 2013 Software Diagnostics Services Tail Epilogue Head Time Prologue Core # Src Dst Time Message Pattern Category Trace as a Whole
  • 38. Inter-Correlation ď‚ž Several packet sniffers at once ď‚ž Internal and external views Process Monitor log + network trace © 2013 Software Diagnostics Services Pattern Category Trace Set
  • 39. Circular Trace © 2013 Software Diagnostics Services Pattern Category Trace as a Whole Time # Src Dst Time Message Problem Repro
  • 40. Split Trace © 2013 Software Diagnostics Services Pattern Category Trace Set Time # Src Dst Time Message # PID TID Time Message # PID TID Time Message
  • 41. Paratext Info column in Wireshark © 2013 Software Diagnostics Services
  • 42. Frames OSI, TCP/IP Layers © 2013 Software Diagnostics Services Time # Src Dst Time Message Pattern Category Large Scale
  • 43. Visibility Limit Visibility window for sniffing © 2013 Software Diagnostics Services PC 1 PC 2 PC 3 sniffer Pattern Category Trace as a Whole
  • 44. Incomplete History ď‚ž Packet loss ď‚ž Missing ACK © 2013 Software Diagnostics Services
  • 45. Possible New Patterns ď‚ž Full Trace (promiscuous mode) ď‚ž Embedded Message (PDU chain, protocol data unit, packet) ď‚ž Ordered Message (TCP/IP sequence numbers) ď‚ž Illegal Message (sniffed with illegally obtained privileges) ď‚ž Dual Trace (in / out, duplex) © 2013 Software Diagnostics Services
  • 46. Further Reading ď‚ž Practical Packet Analysis, 2nd edition, by Chris Sanders ď‚ž Software Diagnostics Institute ď‚ž Memory Dump Analysis Anthology: Volumes 3, 4, 5, 6, … Volume 7 is in preparation (July, 2013) ď‚ž Introduction to Software Narratology ď‚ž Malware Narratives © 2013 Software Diagnostics Services
  • 47. What’s Next? © 2013 Software Diagnostics Services ď‚ž Accelerated Network Trace Analysis ď‚ž Generative Software Narratology ď‚ž Pattern-Oriented Hardware Signal Analysis
  • 48. Q&A Please send your feedback using the contact form on DumpAnalysis.com © 2013 Software Diagnostics Services
  • 49. Thank you for attendance! © 2013 Software Diagnostics Services Facebook LinkedIn Twitter