ABSTRACT

This chapter goes over the process of capturing network traffic. There are two perspectives to consider with regard to network traffic: first, why the hacker collects traffic, and second, why the network defender collects traffic. In a switch, by contrast, every port (interface) is treated as its own collision domain, and the switch will not forward a packet out of all interfaces unless it is a broadcast packet or the switch has been set up for some type of network monitoring. Investigators use the capture program covered in the chapter to capture network traffic easily and efficiently, and also to filter the captured data down to what is relevant to the investigation. Investigators can perform text-based searches on network captures using grep or gawk to look for known-bad terms such as malware signatures, IP addresses, or even file names. Snort rules can be configured to detect intrusions, from exploitation and information gathering to the transfer of malware over the network.