
All You Need To Know About Network Traffic Analysis

We discuss everything you need to know about network traffic analysis

Network traffic analysis holds a key role in safeguarding network security and uptime, so it’s imperative that those responsible for it can identify any issues or irregularities that could cause problems later down the line. Here, we talk through everything you need to know about network traffic analysis to keep your network as secure as possible.

What Is Network Traffic Analysis?

Network traffic analysis is the practice of examining the traffic flowing over a network while it operates: what data is moving, when it moves, and between which sources and destinations. Having a general picture of traffic across the network is useful in its own right, but continuous monitoring of that activity is considered key to security, because it is how threats and faults get picked up.

The basis of network traffic analysis is for the organisation to understand what its normal baseline traffic looks like, so that deviations from it stand out. The same visibility into how data moves across the network is also valuable for tuning performance and making the best use of the network’s capacity.

How does Network Traffic work?

Every download of a file, every click on a website and every video call generates traffic that traverses the network. That traffic follows set protocols as it flows, and those protocols are what an analyst reads.

The OSI Model

The Open Systems Interconnection (OSI) Model is a conceptual framework that describes how data moves from one device to another across a network. Not every layer is equally relevant to network traffic analysis; the ones that matter most are:

  • Layer 3 – Network Layer – handles addressing and routing, ensuring that data packets reach the correct IP address
  • Layer 4 – Transport Layer – manages the sending and receiving of data between endpoints, trading reliability against speed depending on the protocol used (TCP or UDP)
  • Layer 7 – Application Layer – the protocols that user-facing applications such as web browsers and mail clients speak, for example HTTP, DNS and SMTP.

In essence, the OSI Model works like a delivery system. The Network Layer is the address, the Transport Layer is the actual delivery and the Application Layer is the type of data being delivered.

Transport Layer Protocols

At the Transport Layer (Layer 4), there are two primary protocols that define how communication between devices happens: TCP and UDP.

Transmission Control Protocol (TCP) is a reliable, connection-oriented protocol: it establishes a session before sending, numbers the data it sends and retransmits anything that is lost, so that data arrives complete and in the right order. Application protocols such as HTTP/HTTPS and SMTP/IMAP run over TCP, so when you load a web page, TCP is the protocol carrying it.

User Datagram Protocol (UDP) is a fast, connectionless protocol that does not guarantee delivery or ordering. It’s used for real-time communication such as video streaming, DNS queries, gaming and VoIP, where a late packet is worth less than a dropped one. For example, if a voice packet is lost during a call it is simply skipped, rather than the conversation pausing while it is retransmitted.

The Role of IP

Internet Protocol (IP) operates at the Network Layer (Layer 3) and is responsible for:

  • Defining the addressing scheme that identifies every device on the network (the addresses themselves are assigned statically or by DHCP)
  • Routing packets from the sender to the recipient across different networks
  • Fragmenting a packet that is too large for a link and reassembling it at the destination.

Every packet carries an IP header, which includes:

  • Source IP address – where the data came from
  • Destination IP address – where the data is going to
  • Time-To-Live (TTL), a hop counter that stops a packet circulating forever, and the protocol number that identifies the Layer 4 payload (such as TCP, UDP or ICMP).
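To make the header fields above concrete, here is an added example (not code from the original article) that decodes an IPv4 header with Python’s standard library and, for TCP and UDP, reads the Layer 4 ports as well. The two sample packets are constructed in the code with addresses from the RFC 5737 documentation ranges; they are not captured traffic, and the `build_ipv4` helper that creates them leaves the checksum at zero, which is fine for offline parsing but would not be accepted on a real network.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers carried in the IPv4 header's "protocol" field.
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PROTO_NAMES = {PROTO_ICMP: "ICMP", PROTO_TCP: "TCP", PROTO_UDP: "UDP"}


@dataclass
class ParsedPacket:
    src: str
    dst: str
    ttl: int
    protocol: str
    src_port: Optional[int]   # None for protocols without ports (e.g. ICMP)
    dst_port: Optional[int]
    payload: bytes            # bytes after the Layer 3 and Layer 4 headers


def parse_ipv4(packet: bytes) -> ParsedPacket:
    """Decode the fixed 20-byte IPv4 header and, for TCP/UDP, the Layer 4 ports.

    '!' = network (big-endian) byte order; B = 1 byte, H = 2 bytes, 4s = 4 raw bytes.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL is counted in 32-bit words
    if version != 4:
        raise ValueError(f"not an IPv4 packet (version={version})")
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    # Trust total_len only as far as the buffer actually goes (truncated captures happen).
    l4 = packet[ihl:min(total_len, len(packet))]
    src_port = dst_port = None
    payload = l4
    if proto == PROTO_TCP and len(l4) >= 20:
        src_port, dst_port = struct.unpack("!HH", l4[:4])
        data_offset = (l4[12] >> 4) * 4                 # TCP header length in bytes
        payload = l4[data_offset:]
    elif proto == PROTO_UDP and len(l4) >= 8:
        src_port, dst_port, _ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        payload = l4[8:]
    return ParsedPacket(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                        ttl, PROTO_NAMES.get(proto, str(proto)), src_port, dst_port, payload)


def build_ipv4(src: str, dst: str, proto: int, l4: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet for testing (no options; checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + l4


# Constructed sample packets (RFC 5737 documentation addresses, not real traffic):
# a UDP datagram to port 53 with a 12-byte dummy payload, and a TCP SYN to port 443.
SAMPLE_DNS_QUERY = build_ipv4("192.0.2.10", "198.51.100.53", PROTO_UDP,
                              struct.pack("!HHHH", 51000, 53, 8 + 12, 0) + b"\x00" * 12)
SAMPLE_TCP_SYN = build_ipv4("192.0.2.10", "203.0.113.80", PROTO_TCP,
                            struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, 0x02, 65535, 0, 0))


def describe(packet: bytes) -> str:
    """One-line flow summary of the kind a traffic analyser logs per packet."""
    p = parse_ipv4(packet)
    ports = f":{p.src_port} -> {p.dst}:{p.dst_port}" if p.src_port is not None else f" -> {p.dst}"
    return f"{p.protocol} {p.src}{ports} ttl={p.ttl} payload={len(p.payload)}B"


if __name__ == "__main__":
    print(describe(SAMPLE_DNS_QUERY))
    print(describe(SAMPLE_TCP_SYN))
```

The `protocol` byte is what tells the parser whether to expect a TCP or a UDP header next, which is exactly why the IP header carries it; the TTL is printed because a value far from the usual 64/128 defaults for a known host is one of the simplest hints that a packet came from somewhere unexpected.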

Other Common Network Traffic Protocols

The protocols most commonly encountered when analysing network traffic are:

  • HTTP/HTTPS – Application Layer – used for web browsing
  • DNS – Application Layer – translates domain names into IP addresses
  • SMTP/IMAP/POP3 – Application Layer – used for sending and receiving e-mails
  • VoIP (SIP, RTP) – Application Layer – used for voice and video calls across IP networks
  • ICMP – Network Layer – used to provide network diagnostics
  • ARP – sits between the Link and Network Layers – maps IP addresses to physical MAC addresses on a local network.

The Different Types of Network Traffic

Different applications generate different types of traffic across a network. Typically, these include:

  • Web traffic – HTTP/HTTPS requests from browsing websites
  • DNS traffic – domain-name lookups and the responses to them
  • E-mail traffic – the sending and receiving of messages over SMTP/IMAP
  • Streaming/VoIP – continuous audio-video data flow
  • File transfers – transferring files using protocols such as FTP or SFTP.

Each traffic type has distinct patterns, and knowing them helps analysts separate normal from suspicious behaviour as it unfolds on the network. In practice this means being able to:

  • Tell what kind of data is flowing (web, DNS, e-mail and so on)
  • Identify which protocols are in use, and on which ports
  • Detect unusual or malicious patterns, for example strange DNS requests, a sudden high volume of UDP traffic (a possible DDoS), or connections to known-bad IP addresses.
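The baseline idea from earlier and the two anomalies just listed can be shown together. The following is an added example, not code from the original article: it takes constructed per-minute flow records of the kind an agentless NetFlow/IPFIX-style exporter would provide (sample data, not a real capture, using RFC 5737 documentation addresses), builds a per-source UDP baseline from a known-good window, flags sources whose UDP volume jumps well above it, and applies a simple length/entropy heuristic to DNS query names to catch tunnelling or domain-generation style lookups. The thresholds (`factor`, `floor`, `max_label`, `min_entropy`) are assumptions chosen for the sample; in a real deployment they would be tuned against that network’s own baseline.

```python
import math
from collections import Counter, defaultdict
from statistics import median
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample data (not a real capture). Each flow record is a per-minute
# aggregate: (source IP, transport protocol, destination port, packet count).
Flow = Tuple[str, str, int, int]

BASELINE_MINUTES: List[List[Flow]] = [   # five minutes of "known good" traffic
    [("192.0.2.10", "UDP", 53, 38), ("192.0.2.11", "UDP", 53, 30), ("192.0.2.12", "TCP", 443, 310)],
    [("192.0.2.10", "UDP", 53, 42), ("192.0.2.11", "UDP", 53, 35), ("192.0.2.12", "TCP", 443, 290)],
    [("192.0.2.10", "UDP", 53, 40), ("192.0.2.11", "UDP", 53, 33), ("192.0.2.12", "TCP", 443, 305)],
    [("192.0.2.10", "UDP", 53, 37), ("192.0.2.11", "UDP", 53, 31), ("192.0.2.12", "TCP", 443, 320)],
    [("192.0.2.10", "UDP", 53, 41), ("192.0.2.11", "UDP", 53, 34), ("192.0.2.12", "TCP", 443, 295)],
]

# The minute under analysis: 192.0.2.10 sends 100x its usual UDP volume (what a host
# taking part in a UDP flood looks like), a never-seen host appears with a large UDP
# volume, and 192.0.2.11 is only modestly above normal.
CURRENT_MINUTE: List[Flow] = [
    ("192.0.2.10", "UDP", 123, 4000),
    ("192.0.2.11", "UDP", 53, 45),
    ("192.0.2.12", "TCP", 443, 300),
    ("192.0.2.99", "UDP", 80, 500),
]

DNS_QUERY_NAMES = [
    "www.example.com",
    "mail.example.org",
    "a3f9c1e7b2d4f6a8c0e1b3d5f7a9c2e4.tunnel.example.net",   # constructed tunnel-style name
]


def udp_packets_by_source(flows: Sequence[Flow]) -> Counter:
    """Sum UDP packets per source address for one time bucket."""
    counts: Counter = Counter()
    for src, proto, _port, packets in flows:
        if proto == "UDP":
            counts[src] += packets
    return counts


def build_udp_baseline(minutes: Sequence[Sequence[Flow]]) -> Dict[str, int]:
    """Per-source median UDP packets/minute over the known-good window."""
    history: Dict[str, List[int]] = defaultdict(list)
    for bucket in minutes:
        for src, packets in udp_packets_by_source(bucket).items():
            history[src].append(packets)
    return {src: int(median(vals)) for src, vals in history.items()}


def udp_volume_alerts(baseline: Dict[str, int], current: Sequence[Flow],
                      factor: float = 5.0, floor: int = 200) -> List[Tuple[str, int, Optional[int]]]:
    """Flag sources whose UDP volume is above an absolute floor AND either has no
    baseline at all or is `factor` times the baseline. Returns (src, packets, baseline)."""
    alerts = []
    for src, packets in udp_packets_by_source(current).items():
        if packets < floor:
            continue                      # too small to matter, whatever the history
        expected = baseline.get(src)
        if expected is None or packets >= factor * expected:
            alerts.append((src, packets, expected))
    return alerts


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def suspicious_dns_names(names: Sequence[str], max_label: int = 30,
                         min_entropy: float = 3.5, min_len: int = 12) -> List[str]:
    """Heuristic for tunnelling / DGA style names: a label that is very long, or
    long enough and close to random. Expect false positives from CDN hostnames."""
    flagged = []
    for name in names:
        for label in name.split("."):
            if len(label) > max_label or (len(label) >= min_len and shannon_entropy(label) >= min_entropy):
                flagged.append(name)
                break
    return flagged


def run_checks() -> List[str]:
    """Run both detections over the sample minute and return alert lines."""
    baseline = build_udp_baseline(BASELINE_MINUTES)
    out = [f"UDP volume: {src} sent {pk} packets (baseline {bl})"
           for src, pk, bl in udp_volume_alerts(baseline, CURRENT_MINUTE)]
    out += [f"DNS name: {n}" for n in suspicious_dns_names(DNS_QUERY_NAMES)]
    return out


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

Two design points carry over to real tooling: the absolute `floor` stops a host whose baseline is near zero from alerting on trivial volumes (five times nothing is still nothing), and a source with no baseline at all is treated as worth a look rather than silently ignored, because an inventory gap is itself a finding.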

How to Analyze Network Traffic

In most cases, operators use a purpose-built analysis tool to monitor network traffic. There are a variety of solutions on the market, and different programs suit different network configurations. To choose the most appropriate tool for your business, you’ll need to consider the following:

Determine Data Sources

You must identify which data sources will be used. These could be any device attached to the network, including routers, firewalls, servers, switches and desktops, or even individual applications. Ideally the business will undertake (or have undertaken) a full inventory of its network so that nothing is left out of scope.

Determine Collection: Agent-based or Agentless?

Once the data sources have been identified, it must be determined how data will be collected from them.

Agent-based collection requires software to be deployed on each data source to collect information on resource usage, network communications and system activity. This gives a great level of detail, but with that volume of data the business must have enough storage capacity to retain it and the capability to actually process it.

Agentless collection relies instead on APIs and the network management protocols the devices already support, such as syslog from firewalls, SNMP, and NetFlow or similar flow export from routers and switches. These give considerably less detail than an agent, but as a result they need less processing and storage.

Decide on the Data Destination

Once the traffic data has been collected, it must be decided where it will be stored. This depends on the business’s existing capabilities; depending on the volume collected, a large and complex storage solution may be needed, which may mean an upgrade.

Data may be stored on virtual machines or on purpose-built hardware. Wherever it lives, the solution should present the analysis in a form the business can understand and act on internally.

Understand Restrictions and Boundaries

Network configurations are such that collection usually can’t simply be installed and run without permissions. It is critical that operators understand any such restrictions so that they can be addressed. These may include:

  • Opening specific ports
  • Configuring Access Control Lists for SNMP
  • Obtaining permissions for SD-WAN tech
  • Obtaining approval from internal resources to collect information
  • Breaking down any internal information silos
  • Understanding any industry, legal or regulatory guidelines that affect information collection and storage.

Understand Admin Panels

Of course, having information is great – but it’s not of much use unless it’s properly understood. The solution chosen by the business should offer a dashboard with configurable access to data in a variety of different formats for reporting purposes, as well as the ability to view, analyse and manipulate it further as required.

Implement Alerts

Continuous monitoring only works if it recognises when an irregularity occurs. Implementing and tuning alerts allows the relevant people to be notified of issues (or potential issues) and to act on an unfolding situation as needed. Such alerts can also be integrated into existing tools such as network fault monitoring systems.

The Importance of Network Traffic Analysis

If a business is sure of its security, why continue with network traffic analysis? In reality, however well protected a business is, the information that network traffic analysis provides simply can’t be found anywhere else. Network traffic analysis provides:

  • Data source protection
  • Early warning of potential issues that complements intrusion detection and prevention systems
  • Insights into network operations based on real-time data
  • Accounting for all devices attached to the network
  • The recording of relationships between devices, users and actions on the network.

Indeed, as big data continues to dominate the tech landscape, we can only see reliance on the above increasing.

The above all combine to help automatically detect anomalies, improve overall network availability, and enhance network performance.

Work with the Experts

If you need access to a team of specialist engineers and technicians who understand even the most technical and complex of network configurations, get in touch with Procurri today. We offer around-the-clock expert support and have an unbeaten track record of channel support!