Federal government cybersecurity breaches rose by 453 percent between fiscal years 2016 and 2021, according to the Government Accountability Office. To combat and overcome these threats, federal IT administrators can use IP packet capture to examine network traffic for security threats using Microsoft Network Monitor (Netmon). In network monitoring, IP packet capture enables real-time or retrospective packet analysis to establish a baseline. Deviation from the baseline enables the identification of anomalous or suspicious behavior. Here’s how to use Netmon:
Sort Out Information That’s Relevant to Behavior
Microsoft Network Monitor includes associated drivers and hooks for network interface cards. Running it with the “Run as Administrator” command gives you the most control when capturing traffic. Choose the network adapters on which you’d like to capture traffic, then click “New Capture” followed by “Start.” Next, perform an action to reproduce the issue or incident. Netmon captures packets in real time and shows a list of frames and statistics. To save a .cap file for future reference, click “Save As” and choose a destination; when saving, you can choose to keep all frames, only the displayed (filtered) frames, the selected frames, or a range of frames.
Fine-Tune the Filters for More Specific Search Targets
To filter by IP or MAC address, port or protocol, the first option is the “Display Filter” tab. Click “Load Filter” and go to “Standard Filters,” then a drop-down list with all filtering options appears. For granular control over filters, use the commonly used filters section on the Microsoft documentation website. Click “Apply Filter” or use the shortcut Ctrl + Enter to apply the filter rule.
Sort Network Conversations by Protocol Layer
The definition of a conversation — for example, between UDP and TCP sources and destinations — is set by the chosen protocol parser. When you capture network packet frames, each frame can have multiple conversations for each protocol layer. To find conversations in Netmon, right-click on a frame in the Netmon console, then hover on “Find conversations” and choose the target protocol. The conversation will open in the left sidebar next to a key icon, which you can track using the conversation ID.
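The baseline-and-deviation approach from the introduction, applied to the per-layer conversations described above, as an added example that is not from the original article or from Netmon itself. It works on constructed frame summaries in the shape of Netmon’s Frame Summary columns (source, destination, protocol, source port, destination port); the conversation keys and the “lower port is the server” rule are this example’s own assumptions.

```python
from collections import Counter

# Constructed frame summaries, not real captures: (source, destination, protocol, src port, dst port).
BASELINE_FRAMES = [
    ("10.0.0.5", "10.0.0.53", "UDP", 51234, 53),
    ("10.0.0.53", "10.0.0.5", "UDP", 53, 51234),
    ("10.0.0.5", "10.0.0.80", "TCP", 49152, 443),
    ("10.0.0.80", "10.0.0.5", "TCP", 443, 49152),
    ("10.0.0.6", "10.0.0.80", "TCP", 49200, 443),
]
NEW_FRAMES = [
    ("10.0.0.5", "10.0.0.53", "UDP", 51300, 53),      # known conversation, new ephemeral port
    ("10.0.0.5", "203.0.113.9", "TCP", 49300, 8080),  # new peer and new service: deviation
    ("10.0.0.6", "10.0.0.80", "TCP", 49201, 22),      # known peer, new service: deviation
]

def conversation_keys(frame):
    """Direction-independent keys for each protocol layer, mirroring how Netmon nests an
    IPv4 conversation inside its TCP/UDP conversations (assumed model, not Netmon's code)."""
    src, dst, proto, sport, dport = frame
    ipv4_key = ("IPv4", frozenset([src, dst]))
    l4_key = (proto, frozenset([(src, sport), (dst, dport)]))
    return ipv4_key, l4_key

def service_key(frame):
    """Collapse a layer-4 conversation to (proto, server, port). The server side is assumed
    to be the lower port number so a client's ephemeral port never creates a new baseline entry."""
    src, dst, proto, sport, dport = frame
    server, port = (dst, dport) if dport <= sport else (src, sport)
    return (proto, server, port)

def build_baseline(frames):
    """Count IPv4 peer pairs and services observed during the baseline window."""
    peers = Counter(conversation_keys(f)[0] for f in frames)
    services = Counter(service_key(f) for f in frames)
    return peers, services

def find_deviations(baseline, frames):
    """Return (frame, reasons) for frames whose peer pair or service is absent from the baseline."""
    peers, services = baseline
    deviations = []
    for f in frames:
        reasons = []
        if conversation_keys(f)[0] not in peers:
            reasons.append("new IPv4 peer pair")
        if service_key(f) not in services:
            reasons.append("new service")
        if reasons:
            deviations.append((f, reasons))
    return deviations
```

The first new frame is not flagged even though its client port changed, which is the point of keying the baseline on conversations rather than on raw 5-tuples.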
Analyze the Entire Network in Promiscuous Mode
P-Mode (or Promiscuous Mode) forces the network interface card to accept all packets regardless of the MAC address of the source or destination. This critical functionality offers unrestricted visibility for all machines on the network. P-Mode also enables the identification of bottlenecks and anomalies to find the root cause of network performance problems. To meet compliance requirements or conduct a forensic investigation, P-Mode is mandatory; it preserves a complete record of events and enables reconstruction, which aids with incident response.