Service Analyzer

The mechanism helps with the initial setup of protection by identifying services in the protected network from an uploaded traffic dump. Currently, the mechanism treats any uploaded dump as a dump of incoming traffic from an external network.

The following checkboxes can be activated for the mechanism:

  • Advanced report — for “Used IP addresses in protected network” and “Services in protected network” sections. More detailed statistics are displayed in the corresponding sections of the report;
  • Aggregated statistics by protocol — adds “Proto stat” sections to “Services in protected network”;
  • Advanced report for general statistics — “General stat” section displays more detailed statistics;
  • Advanced report for external connections — “SYN+ACK external connections in protected network” section displays more detailed statistics.

The output in all sections of the report can be sorted in descending order of:

  • packets quantity;
  • bytes quantity;
  • pps rate;
  • bps rate;
  • capture time.

By default, sorting is performed in descending order of packets quantity.

Report

The report contains the following sections:

  • Total;

    • Packets total — total packets in the PCAP file;
    • File — name of the analyzed PCAP;
    • Capture begin — date and time of capture start;
    • Capture end — date and time of capture end;
    • Capture duration — capture duration.
  • IPs in protected network;

    The section provides a list of unique destination IP addresses from the dump. The following statistics are computed for each IP address:

    • number of packets to IP address;
    • percentage of packets to IP address to the total number of packets in the dump;
    • total volume of packets to IP address in bytes;
    • average rate of packets arriving at an IP address in packets per second;
    • average rate of packets arriving at an IP address in bits per second.

    If the “Advanced report” checkbox is checked, then similar statistics are added to the section for each unique source IP address sending to each destination IP address.

  • Services in protected network;

    The section contains a list of unique combinations of destination IP address + destination port from the dump. For each combination, the following data is displayed:

    • IP address;
    • port;
    • protocol;
    • number of packets to destination IP address + destination port;
    • percentage of packets to destination IP address + destination port to the total number of packets in the dump;
    • total volume of packets to destination IP address + destination port in bytes;
    • average pps rate to destination IP address + destination port;
    • average bps rate to destination IP address + destination port.

    If the “Advanced report” checkbox is checked, then data is displayed for each unique 5-tuple combination (source IP address, source port, destination IP address, destination port, protocol).

    In the “Aggregated services” section, data is grouped by destination IP address. For each destination IP address, the range of ports that received packets and the number of ports in that range are given.

    If the “Aggregated statistics by protocol” checkbox is checked, then the “Proto stat” section is added, which displays the distribution of packets from the dump by transport layer protocols.

  • External connections in protected network;

    The section contains a list of unique external resources that were accessed from the protected network. All subsections provide data on unique source endpoints:

    • IP address;
    • port;
    • protocol;
    • number of packets from endpoint;
    • percentage of packets from the endpoint to the total number of packets in the dump;
    • total volume of packets from the endpoint in bytes;
    • average pps from the endpoint;
    • average bps from the endpoint.
  • “General stat” Section;

    Raw data for all source endpoints found in the PCAP file.

    If the “Advanced report for general statistics” checkbox is checked, then advanced statistics for unique 5-tuples are displayed.

  • “SYN+ACK external connections in protected network” Section;

    Sessions established by protected services are identified by the SYN+ACK packet received in response to the protected service's SYN, together with the other packets that share the same tuple.

  • “Src IP + src port –> many dst ports” Section.

    A list of unique source IP address and port combinations that address multiple destination ports.

    If the “Advanced report for external connections” checkbox is checked, then extended statistics for unique 5-tuples are displayed.
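As an added illustration (not the product's own code) of how the “Services in protected network” rows, the “Aggregated services” grouping and the default descending-by-packets ordering described above are derived from a dump, the script below computes them over a constructed list of packet records standing in for packets already decoded from the PCAP; the field layout, addresses, timestamps and the reading of “number of ports in the range” as the count of distinct ports are assumptions.

```python
from collections import defaultdict

# Constructed sample standing in for packets already decoded from the uploaded PCAP:
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, frame_bytes). All values are hypothetical.
PACKETS = [
    (0.0, "203.0.113.5", 40001, "198.51.100.10", 443, "TCP", 60),
    (0.5, "203.0.113.5", 40001, "198.51.100.10", 443, "TCP", 1500),
    (1.0, "203.0.113.7", 51000, "198.51.100.10", 443, "TCP", 60),
    (1.5, "203.0.113.9", 53000, "198.51.100.10", 80, "TCP", 60),
    (2.0, "203.0.113.9", 53001, "198.51.100.20", 53, "UDP", 90),
    (4.0, "203.0.113.9", 53002, "198.51.100.20", 53, "UDP", 90),
]

def capture_duration(packets):
    """'Total' section: seconds between the first and the last packet timestamp."""
    stamps = [p[0] for p in packets]
    return max(stamps) - min(stamps)

def service_stats(packets, sort_by="packets"):
    """'Services in protected network': one row per unique (dst IP, dst port, proto)
    with packets, percentage of the dump, bytes, average pps and average bps.
    sort_by is one of packets / bytes / pps / bps; the default matches the report."""
    if not packets:
        return []
    total = len(packets)
    # A single-packet dump has zero duration; treat it as 1 s so the rates stay finite.
    duration = capture_duration(packets) or 1.0
    acc = defaultdict(lambda: [0, 0])  # (dst_ip, dst_port, proto) -> [packets, bytes]
    for _ts, _sip, _sport, dip, dport, proto, length in packets:
        acc[(dip, dport, proto)][0] += 1
        acc[(dip, dport, proto)][1] += length
    rows = [
        {"ip": dip, "port": dport, "proto": proto, "packets": n,
         "percent": round(100.0 * n / total, 2), "bytes": b,
         "pps": round(n / duration, 2), "bps": round(8 * b / duration, 2)}
        for (dip, dport, proto), (n, b) in acc.items()
    ]
    rows.sort(key=lambda r: r[sort_by], reverse=True)  # descending, as in the report
    return rows

def aggregated_services(rows):
    """'Aggregated services': per destination IP, the lowest and highest port hit and
    the number of distinct ports (assumed to be what 'ports in the range' counts)."""
    ports = defaultdict(set)
    for r in rows:
        ports[r["ip"]].add(r["port"])
    return {ip: (min(ps), max(ps), len(ps)) for ip, ps in sorted(ports.items())}
```

Calling `service_stats(PACKETS)` on the sample yields three rows (443/TCP, 53/UDP, 80/TCP) with rates computed over the 4 s capture duration; `aggregated_services` then collapses them to one port range per destination address.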