Network Traffic and Data

Yu Wang (Yale University, USA)
DOI: 10.4018/978-1-59904-708-9.ch003


In this chapter we focus on computer network traffic and data. A computer network is a set of computers connected physically and logically so that they can exchange information. Network traffic acquired from a network system describes the data communications within that network, between networks, and between individual computers. The most common data types are log data such as Kerberos logs, Transmission Control Protocol/Internet Protocol (TCP/IP) logs, central processing unit (CPU) usage data, event logs, user command data, Internet visit data, operating system audit trail data, intrusion detection and prevention system (IDS/IPS) logs, NetFlow data, and Simple Network Management Protocol (SNMP) reporting data. Such information is uniquely valuable for network security, specifically for intrusion detection and prevention. Although we presented some essential challenges in collecting such data in Chapter I, this chapter discusses traffic data, as well as other related data, in greater detail. Specifically, we describe system-specific and user-specific data types in the sections System-Specific Data and User-Specific Data, respectively, and provide detailed information on publicly available data in the section Publicly Available Data.
Chapter Preview

We cannot solve life's problems except by solving them.

– M. Scott Peck


System-Specific Data

System-level data provide important baseline information about user and system behavior and traffic patterns, and they provide early warning of anomalous traffic that could harm the network system. These data types can be collected with commercial products or with data-specific programs. Log data can be drawn from three sources: network, host, and security. Data from each source describe a different component of the network's overall behavior. The network log files, which include tcpdump captures and NetFlow records, focus on the packets traversing the network and are the most important part of the information that represents network traffic. The host log files record the host's activities, commands, and user log-in information, and the security log data, which include firewall logs and other security-related information, specialize in application activities. Most log data are easily acquired: the security, application, and event log files are collected automatically on both servers and workstations running Microsoft Windows, without specific hardware. TCP/IP data can be captured by various "sniffer" programs, which copy some or all of the TCP/IP packets that pass through a given network point without modifying them. Such a program can be installed outside the firewall, where it sees all inbound traffic before the firewall filters it, including the packets the firewall later drops; a sniffer placed inside the firewall sees only what was allowed through.
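To make the relationship between the two kinds of network log data concrete, the following added example (written for this page, not code from the chapter) decodes the five-tuple from raw Ethernet/IPv4/TCP frames the way a packet sniffer does, reading the bytes without altering them, and then collapses the decoded packets into unidirectional flow records of the kind NetFlow exports (source, destination, ports, protocol, packet and byte counts, and the union of TCP flags seen). The frames are constructed inline so the script runs offline; checksums are left at zero and the MAC addresses are placeholders, which a real capture would not have.

```python
import ipaddress
import struct
from collections import defaultdict

ETH_HDR_LEN = 14  # destination MAC, source MAC, EtherType


def build_frame(src_ip, dst_ip, sport, dport, payload=b"", flags=0x18):
    """Construct a minimal Ethernet/IPv4/TCP frame as sample input.
    Constructed data only: IP and TCP checksums are zero, MACs are all-zero."""
    tcp_len = 20 + len(payload)
    total_len = 20 + tcp_len
    # IPv4 header: version/IHL, TOS, total length, id, flags/fragment offset,
    # TTL, protocol (6 = TCP), header checksum, source, destination
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags,
    # window, checksum, urgent pointer
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                          65535, 0, 0)
    eth_hdr = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"  # EtherType 0x0800 = IPv4
    return eth_hdr + ip_hdr + tcp_hdr + payload


def parse_frame(frame):
    """Decode the five-tuple, IP total length and TCP flags from a raw frame.
    Returns None for anything that is not IPv4 over Ethernet carrying TCP,
    which is what a simple sniffer filter would skip."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return None
    ip = frame[ETH_HDR_LEN:]
    ver_ihl = ip[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, honours IP options
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if proto != 6 or len(ip) < ihl + 20:
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "bytes": total_len, "flags": flags}


def aggregate_flows(frames):
    """Summarise decoded packets into NetFlow-style unidirectional flow
    records keyed on (src, dst, sport, dport, proto)."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "flags": 0})
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue  # non-IPv4/TCP traffic is not part of this flow table
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])
        rec = flows[key]
        rec["packets"] += 1
        rec["bytes"] += pkt["bytes"]
        rec["flags"] |= pkt["flags"]  # SYN|PSH|ACK etc. accumulate over the flow
    return dict(flows)


# Constructed sample capture: one short HTTP exchange, one lone SSH SYN,
# and one IPv6 frame that the IPv4/TCP decoder must ignore.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "192.0.2.10", 51234, 80, flags=0x02),            # SYN
    build_frame("10.0.0.5", "192.0.2.10", 51234, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("192.0.2.10", "10.0.0.5", 80, 51234, b"HTTP/1.0 200 OK\r\n"),
    build_frame("10.0.0.7", "192.0.2.10", 40000, 22, flags=0x02),            # SYN
    b"\x00" * 12 + b"\x86\xdd" + b"\x60" + b"\x00" * 39,                     # IPv6
]

if __name__ == "__main__":
    for key, rec in aggregate_flows(SAMPLE_FRAMES).items():
        print(key, rec)
```

Run as a script it prints three flow records; the HTTP request flow shows two packets, 98 bytes and flags 0x1A (SYN, PSH and ACK seen), while the IPv6 frame never reaches the flow table. Swapping `SAMPLE_FRAMES` for frames read from a pcap file is the only change needed to run the same aggregation over a real tcpdump capture.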
