Cisco Blogs



Student project collaboration with NC State University

It was about a year ago that Dr. Yannis Viniotis, Professor of the Electrical & Computer Engineering (ECE) department at North Carolina State University (NCSU), met with senior Cisco Engineers and agreed to collaborate on several small, hands-on projects with Cisco Engineers and NCSU students.

The NCSU ECE department partners with industry through its Senior Design Project Program, in which vendors act as sponsors and offer projects for NCSU students to complete. That is also how the Cisco-NCSU collaboration started. Students get to work on real networking industry problems, guided by engineers who already work in the field, and gain experience they can use later in their professional lives. The Cisco engineers get to work with future engineers, mentoring and preparing them for their careers while solving some real-world technical challenges. It is fun and educational for both sides.


Finding A Needle In A PCAP

When news of Conficker surfaced I obtained a traffic sample from our botnet honeynet. I wanted to see what relevant aggregate information I could extract and see if there was any specific indication of Conficker activity. Using some lightweight tools I was able to quickly analyze my traffic sample and focus further research. I find that these high level analysis techniques lead me to ask the more interesting questions and, more importantly, come to my rescue when I’m pressed for time. Below, I share a little about how I deconstructed the traffic sample, briefly discuss visualization and turn to IPS and Global Correlation to get a bigger perspective on what was happening. Some of my colleagues here in Cisco Security Intelligence Operations (SIO) find these techniques useful so I thought I would pass them on in the hopes that others will as well. I’d like to hear from some of you on your favorite tools and tricks for this sort of sleuth work.

There are some things I should point out before delving into my traffic sample:

  • I sanitized all IP addresses because the hosts in this traffic sample are Internet facing. That is, I replaced every IP address with a fictitious FQDN. Hosts in the honeynet.eg domain are on the honeynet; all other hosts use the network.eg domain. The hostnames are randomly selected three-letter words from CrackLib’s dictionary. My fictitious FQDNs are consistent across this post.
  • Some of the xterm windows below may have a scroll bar. It’s easy to miss. Scroll down for more info.
  • The honeynet has several hosts that each have multiple IP addresses. We use this to increase the attack surface. Because this isn’t relevant here, I normalized the traffic so that each host on my network has one and only one IP address.
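The two sanitization steps described in the notes above, consistent IP-to-FQDN pseudonymization and collapsing a host's multiple addresses onto one, are shown below as an added example; this is not code from the original post. The address ranges, the alias table, the tiny stand-in for the CrackLib word list and the tcpdump-style sample lines are all constructed here for illustration.

```python
import ipaddress
import random
import re

# Constructed stand-in for the CrackLib dictionary the post draws hostnames from
# (assumption: the real list is far larger); only three-letter words are used.
THREE_LETTER_WORDS = ["ace", "bay", "cog", "dim", "elk", "fog",
                      "gum", "hat", "ivy", "jaw", "kit", "lox"]

# Constructed: which addresses belong to the honeynet (RFC 5737 test range).
HONEYNET = ipaddress.ip_network("198.51.100.0/24")

# Matches dotted-quad IPv4 addresses; a trailing ".port" (tcpdump style) is left intact.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class Pseudonymizer:
    """Replace IPs with fictitious FQDNs, consistently across a whole capture."""

    def __init__(self, aliases=None, seed=0):
        # aliases: secondary IP -> canonical IP of the same physical host, so a
        # multi-homed honeynet host ends up with exactly one name.
        self.aliases = aliases or {}
        self.mapping = {}
        self._words = THREE_LETTER_WORDS[:]
        random.Random(seed).shuffle(self._words)   # fixed seed keeps runs reproducible

    def fqdn(self, ip):
        ip = self.aliases.get(ip, ip)              # normalize multi-IP hosts first
        if ip not in self.mapping:
            if not self._words:
                raise ValueError("word list exhausted; extend THREE_LETTER_WORDS")
            addr = ipaddress.ip_address(ip)
            domain = "honeynet.eg" if addr in HONEYNET else "network.eg"
            self.mapping[ip] = f"{self._words.pop()}.{domain}"
        return self.mapping[ip]

    def sanitize(self, text):
        def repl(match):
            token = match.group(0)
            try:
                ipaddress.ip_address(token)
            except ValueError:
                return token                       # not a real address, leave it
            return self.fqdn(token)
        return IP_RE.sub(repl, text)


# Constructed tcpdump-style lines: an external host probing two honeynet addresses
# that belong to the same multi-homed host.
SAMPLE_LINES = [
    "12:00:01.000001 IP 203.0.113.7.49152 > 198.51.100.10.445: Flags [S]",
    "12:00:01.000200 IP 203.0.113.7.49153 > 198.51.100.11.445: Flags [S]",
    "12:00:02.000300 IP 198.51.100.10.445 > 203.0.113.7.49152: Flags [S.]",
]
SAMPLE_ALIASES = {"198.51.100.11": "198.51.100.10"}   # constructed: .11 is the same host as .10


def sanitize_lines(lines, aliases=None, seed=0):
    """Return the lines with every IP replaced by its consistent fictitious FQDN."""
    p = Pseudonymizer(aliases=aliases, seed=seed)
    return [p.sanitize(line) for line in lines]


def demo():
    return sanitize_lines(SAMPLE_LINES, aliases=SAMPLE_ALIASES, seed=1)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the alias table is applied before a name is assigned, the two honeynet addresses in the sample collapse to a single `*.honeynet.eg` name, while the external prober keeps one `*.network.eg` name throughout, which is exactly the property that lets counts per host stay meaningful after sanitization.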
