
Monitoring user activity with network analyzers

Network analyzers are one of the best -- and cheapest -- security tools for managing an enterprise and minimizing business risks, but they are often overlooked.


Traditionally, network analyzers -- a.k.a. sniffers -- are used to troubleshoot common network and application problems, analyze performance, and so on. But these tools are also good at monitoring user activity -- often at a fraction of the cost of traditional Web content-filtering systems.

Managers can justify the use of network analyzers by citing several issues, including the following:

  • The increase in personal usage of social media and other Internet time-wasters
  • A struggle by businesses to get the most out of what they've got
  • Malware problems, such as a careless user bringing a virus into a corporate environment

I have yet to see a network where users didn't have unfettered abilities to send and receive sensitive information. If you don't know who's doing what on the network (within reason), then anything is fair game.

Network analyzers such as OmniPeek, CommView, and Wireshark can monitor what is entering and leaving a network, who the top talkers are, what programs/protocols are being used and general Internet usage trends.

In addition, they can highlight problems in the making and notify you about security policy violations. The information gathered can also help quantify technical and operational issues.

Furthermore, certain network analyzers can monitor without ever capturing packets in the traditional sense and having to sift through a bunch of technical details.

For instance, in Figure 1, OmniPeek's Node Statistics clearly show the top talkers on the network.

Figure 1: Using OmniPeek to view communication sessions and determine top talkers.

The same information can be used to uncover people connecting to inappropriate sites or hosts on the Internet.

A network analyzer can also highlight odd behavior on the network, like one protocol being used more than any other, as shown in Figure 2.

Figure 2: Using OmniPeek to detect anomalous FTP traffic.

Protocols such as HTTP, SMB and CIFS are the most common. If something stands out -- especially a protocol you know doesn't belong -- it can be a sign that someone is doing something they shouldn't be.

By using a tool like this on my small network, I'm always amazed at the traffic being generated and sites communicated with by the software I have loaded on my systems. If anything, this is a good exercise to see how easily the average Windows desktop can become bogged down with junk.

In addition, network analyzers such as NetIntercept and NetResident are designed to monitor specific network protocols that users may be abusing, as shown in Figure 3.

Figure 3: NetResident's protocol options for monitoring common network applications.

Once you get used to running a network analyzer in this capacity, you'll develop a baseline and know what to look for.

Don't assume that questionable usage will always jump out at you. Just because something isn't screaming and shouting "Look at me!" doesn't mean it's normal and acceptable.
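The top-talker view in Figure 1, the protocol-distribution check behind Figure 2, and the baseline idea above can all be reproduced with a few lines of scripting once the analyzer's statistics are exported. The following is an added example, not code from the article or from any of the products it mentions: it reads a constructed CSV export of flow records (source, destination, protocol, bytes; the column layout is assumed, not a real tool's format), ranks hosts by bytes sent, computes each protocol's share of traffic, and flags protocols whose share is far above a baseline that is likewise constructed here. The thresholds (three times baseline, at least 5% of all bytes) are illustrative choices.

```python
import csv
import io
from collections import Counter

# Constructed sample export (not captured from any real network).
# Addresses are from the documentation ranges; the column layout is assumed.
SAMPLE_EXPORT = """src,dst,proto,bytes
10.0.0.5,192.0.2.10,HTTP,120000
10.0.0.5,10.0.0.2,SMB,300000
10.0.0.7,192.0.2.10,HTTP,80000
10.0.0.9,10.0.0.2,SMB,150000
10.0.0.9,203.0.113.8,FTP,900000
10.0.0.9,203.0.113.8,FTP,700000
10.0.0.11,10.0.0.2,CIFS,50000
"""

# Constructed baseline: the share of total bytes each protocol normally carries.
# A real baseline is measured over days or weeks of ordinary traffic.
BASELINE_SHARE = {"HTTP": 0.45, "SMB": 0.35, "CIFS": 0.15, "FTP": 0.01}


def parse_flows(text):
    """Parse the CSV export into (src, dst, proto, bytes) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["src"], r["dst"], r["proto"], int(r["bytes"])) for r in rows]


def top_talkers(flows, n=3):
    """The n hosts that sent the most bytes, as (ip, bytes) pairs (Figure 1)."""
    sent = Counter()
    for src, _dst, _proto, nbytes in flows:
        sent[src] += nbytes
    return sent.most_common(n)


def protocol_share(flows):
    """Fraction of total bytes carried by each protocol (Figure 2)."""
    total = sum(f[3] for f in flows)
    per_proto = Counter()
    for _src, _dst, proto, nbytes in flows:
        per_proto[proto] += nbytes
    return {p: b / total for p, b in per_proto.items()}


def anomalous_protocols(flows, baseline, factor=3.0, floor=0.05):
    """Protocols whose share exceeds `factor` times their baseline share and
    is at least `floor` of all bytes. A protocol absent from the baseline is
    flagged regardless: it 'doesn't belong' until someone explains it."""
    flagged = []
    for proto, frac in protocol_share(flows).items():
        expected = baseline.get(proto)
        if expected is None or (frac >= floor and frac > factor * expected):
            flagged.append((proto, round(frac, 3)))
    return sorted(flagged, key=lambda x: -x[1])


def destinations_for(flows, src):
    """Hosts a given source talked to, with bytes, for follow-up on a top talker."""
    out = Counter()
    for s, dst, _proto, nbytes in flows:
        if s == src:
            out[dst] += nbytes
    return out.most_common()


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_EXPORT)
    print("Top talkers:", top_talkers(flows))
    print("Protocol share:", {p: round(v, 3) for p, v in protocol_share(flows).items()})
    print("Above baseline:", anomalous_protocols(flows, BASELINE_SHARE))
    for host, _ in top_talkers(flows, n=1):
        print(f"Destinations for {host}:", destinations_for(flows, host))
```

On the constructed data the script reports 10.0.0.9 as the top talker and FTP at roughly 70% of all bytes against a 1% baseline, which is the kind of single-protocol spike Figure 2 illustrates. The point of the baseline comparison is the one made in the text: a protocol that is merely present is not a finding, but one that is three times its normal share, or that never appears in the baseline at all, is worth a closer look.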

Although you can tell users what to do and not to do, this is not a sustainable risk-mitigation strategy. You have to know and understand what's taking place on your network by using tools like the not-so-obvious network analyzer. Once you have a clear picture, you can set additional controls as necessary to set everyone up for success.

One word of caution: Be careful going down the employee-monitoring path. Generally speaking, it's OK in the U.S., but there are legal and human resources issues dealing with privacy and consent. Be sure to check with the powers that be to make sure things are being done safely and legally.

Also, be sure to manage your employee-monitoring program at a committee level. IT almost always has -- but never should have -- solely managed employee monitoring. This is a much higher-level business issue that management has to oversee; IT just needs to be there to make things work.

Overall, network analyzers are simple to use, relatively cheap (if not free) and, most importantly, they tell it like it is. Packets don't lie.

About the author
Kevin Beaver is an information security consultant, expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. In the industry for over two decades and having worked for himself the past eight years, Kevin specializes in performing independent security assessments in support of compliance and managing business risks. He has also authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks for Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at
