Sunday, April 26, 2009

Traffic Talk 5 Posted

My fifth edition of Traffic Talk, titled Network security monitoring using transaction data, has been posted. From the article:

Welcome back to Traffic Talk, a regular series for network solution providers and consultants who troubleshoot business networks. We took a break, but we're back with more articles on using network traffic to make your business more productive and secure.

In this article, I discuss network security monitoring (NSM) and introduce one specific form of NSM data -- transaction data.

If you have any questions on the article, please post them here.

I should be writing new Traffic Talk articles every other month. Snort Report seems to be on hold for the time being, but if that changes I will post word here. If you'd like to see the Snort Report return, post a comment here. Thank you.

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Early Las Vegas registration ends 1 May.


Anonymous said...

Richard, the link you have published is wrong and it points to the 4th Traffic Talk article.

Richard Bejtlich said...

Doh! Fixed, thanks.

alec said...

Careful with httpry - it doesn't perform the necessary TCP stream reassembly needed to get HTTP header fields that aren't in the first segment of a request/response.

For example, if an HTTP request spans two segments and the Host: header is in the second one, httpry won't be able to parse it out.

Tshark can be used for this kind of thing:

tshark -r yourfile.pcap -R http.request -T fields -e http.host -e http.request.uri

...which will do all the reassembly you need.

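The failure mode alec describes, as an added example that is not part of the blog post, the comment, or the httpry/tshark code bases: a small Python simulation in which an HTTP request is cut into TCP-sized segments, parsed once from the first segment only (the per-packet behaviour attributed to httpry) and once after in-order stream reassembly (what tshark's TCP dissector does for you). The request bytes, the 40-byte segment size, the out-of-order delivery and the function names (`parse_request`, `parse_first_segment`, `reassemble_stream`, `demo`) are all constructed for this illustration.

```python
"""
Added example (not from the blog post, the comment, httpry or tshark):
why per-packet HTTP header parsing misses a Host: header that lands in
a later TCP segment, and how in-order stream reassembly recovers it.
All names and data below are hypothetical/constructed.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed request: the Host: header starts at byte 58, well past a
# 40-byte first segment, so it never appears in the first packet.
REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"User-Agent: example-client/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def split_into_segments(data: bytes, mss: int, isn: int = 1000) -> list:
    """Cut a byte string into TCP-style segments of at most `mss` bytes."""
    return [Segment(isn + off, data[off:off + mss])
            for off in range(0, len(data), mss)]


def parse_request(data: bytes) -> dict:
    """Parse the request line plus whatever complete header lines `data`
    holds. A trailing header cut mid-line by a segment boundary is dropped
    rather than mis-parsed."""
    head, terminator, _body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not terminator:            # headers incomplete: last line may be partial
        lines = lines[:-1]
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode()] = value.strip().decode()
    return {"method": method.decode(), "uri": uri.decode(), "headers": headers}


def parse_first_segment(segments: list) -> dict:
    """Per-packet behaviour as described in the comment: only the segment
    carrying the request line is examined, later segments are ignored."""
    first = min(segments, key=lambda s: s.seq)
    return parse_request(first.payload)


def reassemble_stream(segments: list) -> bytes:
    """Order segments by sequence number and concatenate them, discarding
    retransmitted duplicates and overlapping prefixes (a simplified version
    of what a TCP dissector does before handing data to the HTTP parser)."""
    out = bytearray()
    expected = min(s.seq for s in segments)
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                          # fully retransmitted duplicate
        if seg.seq > expected:
            raise ValueError("gap in stream at seq %d" % expected)
        out += seg.payload[expected - seg.seq:]  # skip overlapping prefix
        expected = end
    return bytes(out)


def host_seen(parsed: dict):
    return parsed["headers"].get("host")


def demo(mss: int = 40) -> tuple:
    """Return (host from first-segment parse, host after reassembly)."""
    segs = split_into_segments(REQUEST, mss)
    # Deliver segments out of order plus one retransmission to exercise
    # reassembly; the first-segment parser still only sees the lowest seq.
    arrived = list(reversed(segs)) + [segs[0]]
    per_packet = parse_first_segment(arrived)
    full = parse_request(reassemble_stream(arrived))
    return host_seen(per_packet), host_seen(full)


if __name__ == "__main__":
    print(demo())   # (None, 'www.example.com')
```

Run with the default 40-byte segments and the first-segment parser reports no Host: header at all while the reassembled stream yields `www.example.com`; with a segment size larger than the request (for example `demo(mss=200)`) both paths agree, which is exactly why a tool without reassembly looks fine on short requests and then silently drops fields on longer ones.
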
Joe said...
Is there any way to read the article without creating a TechTarget membership?