Data Centers

Monitor the data packets on your network with eEye's Iris

Hundreds of thousands of data packets flow across your network every day. Knowing what's inside of those packets is practically impossible without a little help. Here's how you can keep an eye on your network with Iris.

Most companies spend thousands of dollars each year for Internet and WAN bandwidth. The problem is that many network administrators have absolutely no idea how a lot of that bandwidth is being used. Sure, you can use a protocol analyzer to see what packets are flowing across your network, but let's face it, you practically need a Ph.D. in computer science to decipher what some of the more popular protocol analyzers are telling you.

Recently, however, I found a really interesting protocol analyzer that not only can track which Web sites have been visited, but can even reassemble the individual Web pages into something viewable. The name of this software is Iris Network Traffic Analyzer.

What Is Iris?
Iris, from eEye Digital Security, is a next-generation protocol analyzer that's designed to take the guesswork out of bandwidth monitoring. Suppose for a moment that you suspected an employee was visiting porn sites while at work. You could configure Iris to scan packets flowing across your network, looking for words like slut, babe, sex, or whatever. When a packet flows across the network that meets that criteria, it will be flagged and you can actually reconstruct the Web page that triggered the alert.

This software also allows you to monitor a specific user or IP address so that you can see what an individual person is doing during working hours. You can even snoop on e-mail. Not only can you read the contents of an e-mail message, but you can even view any attachments that might have gone with the message.

Acquiring Iris Network Traffic Analyzer
You can buy a copy of Iris directly from the eEye's Iris Web site for just under $1,000. The price includes a year's worth of technical support and free upgrades. The Iris Web site also contains a 15-day free trial download. This free trial is just under 5 MB in size and offers most of the features found in the licensed version. For the purposes of this article, I will be using the trial version.

Installing Iris
The trial version consists of a self-extracting executable file. When you run this file, you'll see the end user license agreement. After accepting the agreement and clicking Next, you'll see a warning screen telling you that you need to close all other applications prior to continuing with the installation. Click Next and the Setup program will ask you for the installation directory. Specify the installation folder if necessary, click Next, and the software will ask you if you would like to create a backup copy of all of the files that Iris overwrites.

Since this is a 15-day trial version, I strongly recommend allowing Setup to backup the files. When you eventually uninstall the trial version, having the backups on hand will allow Windows to be returned to its previous state. The screen that asks if you want to back up the original files also allows you to specify the backup path. Click Next twice and Setup will install all of the necessary files. When installation completes, click Finish to close the Setup wizard and launch Iris.

When Iris first opens, you'll see a screen displaying all the network adapters within your system. Most of the time, there will only be a single adapter, but if you have more than one NIC in your machine, you must select the NIC that's connected to the network that you wish to monitor. then click the Apply button.

Capturing packets
Once you have selected the network adapter that you want to work with, you'll see the main Iris screen. This screen has a task bar on the left with buttons for Capture, Decode, Guard, Filters, and Logs. The first thing that you'll need to do to begin using Iris is to capture some data. Therefore, click the Capture button and you'll see an empty capture screen.

Naturally, there are various capture filters that you can use to narrow down the types of data that you are capturing. For now, though, just click the green icon on the toolbar at the top that looks like a play symbol (triangle). When you do, Iris will begin to capture data.

At this point, open Internet Explorer and browse a few Web pages. When you've finished, go back to Iris and click the red square icon to stop the data capture. The captured data will look something like what you see in Figure A.

Figure A
The first step is to capture some data.

Decoding packets
Now that you've captured some data, it's time to decode it. To do this, click the Decode button. When you do, you'll see a list of computers on your network from which Iris has captured data. This could turn out to be a long list. During my testing, I had half of my computers turned off and I only captured about two minutes worth of data and was working from a single machine. Even so, nine different computers generated packets within my capture period.

Each computer is presented in tree format. If you expand an individual computer, you can see the various protocols that were transmitted or received by that computer. Unfortunately, the trial version only allows you to decode data from the computer on which you are running Iris. Even so, you can get a good idea of how the decoding process works.

Begin by selecting the computer itself. When you do, you'll see a report showing the amount and types of traffic that the computer was using, as shown in Figure B. As you can see in the figure, you can even tell what percentage of the total network bandwidth is being consumed by the computer that you're looking at.

Figure B
You can see a report of the bandwidth being used by an individual computer.

Next, try selecting one of the individual protocols beneath the computer, and you'll see the packets associated with that protocol, as shown in Figure C. As you look at the figure, there are a couple of things you should note. First, notice that I have selected TCP -> HTTP (80) as the protocol. This is the protocol used by Web browsers to open Web pages. You might also notice that the packet list contains the date, time, site name, site IP address, and port number. More importantly, though, you'll notice that some of the packets also contain an icon with a globe and a piece of paper. These icons indicate individual Web pages.

Figure C
These are individual HTTP packets.

You might also have noticed in the figure that the pane on the bottom right portion of the screen shows the selected packet's HTTP header information. If you click the green icon in the tool bar just above this information, you can choose to view this information in HTML, ASCII, or in raw packet format. Likewise, the icon with the red and blue arrows allows you to select from viewing client packets, server packets, or both.

OK, now for the fun part. Suppose that you wanted to see what an individual user had been doing on the Web. Select any of the packets containing the globe icon and then click the Go icon. When you do, a dialog box will appear telling you that items are about to be downloaded. Click the Go Get It button and, after a brief delay, the Web page will be displayed directly within Iris, as shown in Figure D.

Figure D
You can view the same Web pages as your users.

As you can see, it can be really handy to see exactly what Web sites your users have been visiting. You can actually take things a few steps further, though. Remember that Iris captures all types of packets, including SMTP and POP3. This means that you can use the same technique to read e-mail messages and to look at e-mail attachments.

You can even use Iris as a hacking tool. Iris can be used to launch a replay attack or a spoofing attack against someone. A replay attack is a technique used to gain unauthorized access to resources by playing back a packet that someone had already sent. For example, suppose for a moment that an employee was visiting an Internet site that required a logon. You may not know the employee's password, but you can probably find the packet that was used to send the password. You could replay that packet and trick the Web site into thinking that you knew the password, thus logging you in with the employee's credentials.

You can also modify a packet prior to sending it. This allows you to do things like change a packet's time stamp prior to retransmission. To do so, select the packet that you wish to spoof and then click the Select Displaying Formats icon in Iris's lower toolbar. Change the display format to Packets. Now, select the Options icon and choose the View packets option from the drop down menu. You will now be able to see individual frames.

As you can see in Figure E, the data is presented in hex format, with the ASCII equivalent displayed to the right. The packet that is shown in Figure E displays the contents of a cookie. Notice that you could easily recreate the cookie just based on the text shown (part of the text is off of the screen for security reasons).

Figure E
You can see the contents of each individual frame.

Now, suppose that I wanted to modify the packet. I could do so by simply double clicking on the location that I wanted to modify and typing right over the existing text. When I finished my modification, I could use the icons on the toolbar above the packet display to either transmit the packet or add the packet to a packet list. The idea behind creating a packet list is that you can assemble specific packets in a specific order and replay them when the timing is right. For example, you might assemble all of the packets necessary for an authentication and then play back those packets.

The Guard feature
Another interesting Iris feature is Guard mode. You can activate Guard mode by clicking the Guard icon on the left portion of the screen. When Guard has been activated, Iris watches for anyone attempting to connect to your machine. If a connection attempt is made, Iris alerts you to the connection and provides all of the pertinent details.

One of the biggest problems about monitoring a network is that millions of packets can be generated in a very short period of time. Fortunately, Iris has a filtering capability. This allows you to tell Iris what types of packets interest you. Iris will then capture those packets and ignore all others.

You can filter on a variety of criteria. As you might expect, you can filter by MAC address, port number, protocol, and IP address. However, you can also filter by key words. By doing so, you could filter packets relating to a specific subject. For example, you could filter by key words that might indicate that an employee is surfing the porn sites while at work. You can see an example of the keyword-filtering screen shown in Figure F.

Figure F
Iris allows you to filter packets by key words.

The logging option allows you to make a log of any packets that have been captured. There is also a separate log for decoding of packets. The idea behind logging is that it helps you to see exactly what has been captured. If there is ever a security breach, your logs provide you with the forensic evidence that you need to determine exactly how the breach occurred.

In all of the above figures, you might have noticed the Statistics bar in the lower left corner of the screen. If you click the Statistics bar, you will see an entirely new set of icons related to the statistical analysis of network traffic. Unfortunately, this feature is disabled in the free trial version, but I can still show you what statistical analysis is all about.

The first icon under the Statistics section is Protocols. If you click this icon, you will see a graph showing you which protocols are running on your network. By looking at this graph, you can easily see which protocols make up the bulk of your network traffic. The graph shown in Figure G is made up of random data, but is representative of what you would see in the commercial version of the software.

Figure G
The Protocols graph shows you which protocols are running on your network and how much of the overall bandwidth each protocol is consuming.

The next graph that the software contains is the Top Ten Local Hosts graph, accessible through the Top Hosts icon. This graph displays which 10 machines on your local network consume the most bandwidth, and how much bandwidth these hosts consume. This is a great way to find malfunctioning network cards. If a NIC is constantly resending packets, you'll notice an excessive number of packets for that machine. Excessive amounts of traffic from a workstation might also point to suspicious behavior by the end user.

The Size Distribution icon displays a graph breaking down packets by size. This graph uses six different colors to show six different packet sizes ranging from 0 bytes to over 1 KB. By looking at this graph, you can see what the average packet size is on your network.

The last graph found in the Statistics section is the bandwidth graph. This graph actually does function in the trial version. As you can see in Figure H, this graph shows in real time the amount of bandwidth being used on your network.

Figure H
The Bandwidth graph shows the network's current bandwidth utilization.

The eEyes have it
As you can see, Iris is a handy tool for network administrators, forensic analysts, and hackers alike. In my opinion, Iris is an invaluable tool that no serious administrator should be without.

Editor's Picks

Free Newsletters, In your Inbox