Active and Passive Network Monitoring
Active monitoring entails injecting test traffic onto a network and monitoring the flow of that traffic. Passive monitoring is more of an observational study: instead of injecting artificial traffic into a network, passive monitoring entails observing traffic that is already on the network (Sullivan, 2013).
One popular passive monitoring tool is Wireshark. Wireshark technically is referred to as a “protocol analyzer”, but it uses only passive observation of network traffic. Wireshark supports both live and offline analysis, has a graphical user interface, and can be used for analyzing multiple protocols. It is especially helpful when you need to troubleshoot an active problem on the network or perform forensic analysis of trace files (Sullivan, 2013).
An example of an active network monitoring tool is Active Network Monitor (ANM) developed by DeviceLock. ANM uses a plug-in based architecture where each plug-in module is used for a specific task. Specific uses include the ability to scan networks for computer types or by name. ANM can also monitor services, devices, installed applications, disks, shared resources, hardware resources (IRQs, I/O, DMA and Memory), users, local groups, and global groups, as well as analyze security patches (DeviceLock, n.d.).
DNS tools such as nslookup and dig can also be used for reconnaissance. These tools are usually used for troubleshooting DNS issues, but they can also provide a lot of information about a system. A properly structured dig query can return results which reveal the IP addresses of DNS, web, mail, and other application servers. A dig query can also return SPF and TXT records, which are useful in controlling an attacker's ability to forge emails from the organization's email system (OpenSPF.org, 2006).
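As an added example (not code from the cited sources), the evaluator below shows how a receiving mail server uses the SPF TXT record that a dig query returns to decide whether a sending IP may use a domain. The records and addresses are constructed stand-ins for live DNS answers, and only the ip4, include and all mechanisms are handled.

```python
import ipaddress

# Constructed sample TXT records standing in for the answers that
# `dig <domain> TXT` would return; the domains and addresses are assumptions.
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_spf.mail.example": ["v=spf1 ip4:198.51.100.25 ~all"],
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, txt=SAMPLE_TXT):
    """Return the domain's single v=spf1 TXT record, or None if it has zero or several."""
    recs = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None


def check_spf(sender_ip, domain, txt=SAMPLE_TXT, depth=0):
    """Evaluate the record's mechanisms left to right, as a receiving MTA would."""
    if depth > 10:  # RFC 7208 caps the number of DNS-querying terms at 10
        return "permerror"
    record = spf_record(domain, txt)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"  # a mechanism with no prefix is a "pass" match
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4" and ip.version == 4:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            # include: matches only if the referenced domain's record yields "pass"
            if check_spf(sender_ip, arg, txt, depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]
        # a, mx, ptr and exists mechanisms need live DNS and are not handled here
    return "neutral"  # nothing matched and no "all" term: the RFC 7208 default


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.25", "203.0.113.5"):
        print(ip, check_spf(ip, "example.com"))
```

A "fail" result for a sender that is not listed is what lets the receiving server reject a message forged from the organization's domain.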
Nmap is another popular network monitoring application. Nmap can determine what hosts are available on a network, what services (including application name and version) are running on those hosts, what OS versions the hosts are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but still works well against single hosts. Nmap runs on all major computer operating systems, including Linux, Windows, and Mac OS X. It has become even more popular with the addition of GUI front-ends like Zenmap (Nmap.org, n.d.).
DeviceLock DLP. (n.d.). About Active Network Monitor. Retrieved April 27, 2016, from http://www.devicelock.com/anm/
Nmap.org. (n.d.). Nmap Introduction. Retrieved April 28, 2016, from https://nmap.org/
OpenSPF.org. (2006, March 11). FAQ/What is SPF. Retrieved April 28, 2016, from http://www.openspf.org/FAQ/What_is_SPF
Sullivan, D. (2013, May 08). What’s on Your Network? The Need for Passive Monitoring. Retrieved April 27, 2016, from http://www.tomsitpro.com/articles/network_monitoring-netflow-it_security-networking-snmp,2-561.html