Network Protocol Analyzer Administration

What it does

The Network Protocol Analyzer monitors all networks packets that pass through the host computers network interfaces. This enables KFSensor to detect attacks that cannot be detected by the Sim Servers that operate at application level.

The data captured by the Network Protocol Analyzer is collated and translated into events in the same format as that produced by the Sim Servers. This enables KFSensor to combine the benefits of both high and low level honeypot detection.

KFSensor makes use of the industry standard packet libraries to capture network traffic. WinPCap and Npcap are both supported.

See the Admin Guide for information on how to install one of these libraries

Events detected

The Network Protocol Analyzer enables KFSensor to detect and report on the following different types of events.

Event Description
ICMP ICMP is a low level network control and information protocol.
By monitoring for this protocol KFSensor can detect Echo requests, caused by use of the Ping utility.
Closed Ports KFSensor can detect connection attempts to any TCP or UDP port even if the port is closed.
Connection made to closed ports will be listed under the special Closed Ports item in the ports view.
These type of connections will be labeled as TCP Connection in the event log.
Native Listens KFSensor can monitor and log connections made to native services. A native service is a third party server program that is running on the host computer. For example this could be the IIS web server or the Microsoft SMTP server.
This enables real production services to be used as part of the honeypot configuration. The events are logged in exactly the same way as for KFSensor's own Sim Servers.
To setup a Native service in KFSensor just define a Listen definition in the normal way specifying the protocol and port number of the production service. Set the Action Type to Native and KFSensor will not attempt to open that port, but will monitor it instead.
Stealth Scans One technique used by hackers is to deliberately send mal-formed packets to a target computer. These are rejected by the operating system at the network level, without generating events at the application layer. It is possible for such techniques to be used to perform a stealth scan of a network that is unlikely to be detected by conventional means. KFSensor detects such connections.
Important note

The events detected by the Network Protocol Analyzer will almost certainly be blocked by most firewalls.
If you want to use this facility to its full effect then it is best to disable the firewall, or to configure it to its lowest possible setting.

Network packet dumps

In addition to generating events in the log, KFSensor can also dump the raw network packets to an external file.
These dump files contain all the protocol information for the network traffic and can be used for more detailed analysis then is possible from examining the KFSensor log files.

These dump files are in the industry standard LIBPCAP TCPDUMP format.

There are a number of utilities available that will capture network traffic and store it in the same way as KFSensor.
There are two advantages for letting KFSensor perform this task.
  1. There is not need to run a separate utility as KFSensor captures all network traffic already
  2. KFSensor contains various capture filters that reduce the amount of data captured, keeping the dump files smaller.

This feature is turned off by default, as dump files can rapidly fill even a large hard disk.
To turn on this feature and configure the capture filter use the Network Protocol Analyzer dialog box, available from the Settings menu.

Viewing the dump files

KFSensor produces a new dump file each day.
The file name contains the date the dump file was created.
For example "pktdump_1_20051130".

The default dump path will be c:\kfsensor\dumps
This directory can be configured in the Network Protocol Analyzer dialog box.

KFSensor does not provide a way to view these dump files.
Instead it is recommended that a third party application is used .
We recommend that Wireshark be used for this purpose. It contains many advanced features for analyzing dump files and is compatible with the dump files produced by KFSensor.

Wireshark is a free utility and can be obtained at

KFSensor On-Line Manual Contents