Within the network administration tasks is traffic from computers connected to the networks monitoring. This monitoring is key for many tasks such as determining errors with a device or with the network itself or the performance of traffic analysis to determine if there is any unwanted or unexpected traffic, or if the packets sent and received are correctly formed and their interpretation does not pose a problem to final computers.
In corporate networks, this analysis must include an output to the Internet, as this is usually the link with the heaviest traffic and therefore the most complex in terms of management. In industrial networks, the complexity lies in the quantity of different protocols used, making it necessary to interpret multiple different patterns, separating them by protocol type.
Types of Analyzers
The tools used to carry out the analysis of the network may be hardware or software.
- Software analyzers are usually generic and have capacity for analysis only widely used and documented protocols. These are often free tools.
- Hardware equipment is more oriented towards specific environments with very specific protocols. They are usually paid tools, due to the hardware required, and their price depends on the protocols they are capable of interpreting.
-Software-based network analyzers-
Thus, while software analyzers are usually used in corporate environments, in industrial control systems, hardware-based analyzers tend to be used for the most part.
-Hardware-based network analyzers-
In the case of using a software-based analyzer, it is necessary to redirect the network traffic it intends to analyze and there are two methods of doing this:
- Hub port or concentrator: This consists of a concentrator placed in the network and in one of the free ports in the analyzer. The quantity of traffic it can analyze is limited.
-Capture of traffic through the hub port-
- Mirror port: This consists of configuring a mirror port in a network switch so that all traffic is redirected to said port, which is where the network analyzer is heard. All traffic that passes through the switch will be copied and sent to the mirror port so that the analyzer can monitor all traffic. One must remember that the port can become saturated if the number of packets is very high, in which case the monitoring will be partial, missing some traffic..
-Capture of traffic through mirror port-
In the case of the hardware-based analyzer, a specific device is used for the task.
- Network Tap: This is a specially designed hardware device designed to capture the traffic and redirect it towards the analysis application. These devices are capable of working with different media (Ethernet, RS-232, RS-485, fiber, etc.) and typically communicate with the application through a USB connection.
-Capture of traffic through hardware equipment-
Software network analyzers are usually limited to traffic monitoring work, identifying protocols, origins and destinations; hardware analyzers, however, provide more functions, including the fuzzer function to check the implementation of protocols, oscilloscope for checking frequencies and signal analyzers to measure voltage values, etc. On the contrary, the software analyzers are also capable of analyzing previously taken captures, something not usually available on hardware analyzers.
Network Analyzers in Control Systems
The selection of hardware-based analyzers for control systems is due to the fact that many protocols are neither open nor used on a massive basis and therefore the typical tools are not compatible with them and specific products must be acquired based on the protocols to be analyzed. The products for control systems are only capable of comprehending a set of these protocols; for the most part they work with more widespread protocols such as ModBus, DNP3, etc. but there are also specific products for a certain protocol.
These analyzers used not only focus on the traffic they can monitor and capture, but also check the implementation of the specification of the protocol in use to prevent potential failures and breaches of security, this being their most important function. This check is carried out through the traffic generation and injection on the network.
The use of network analyzers to check the traffic in transit does not constitute a problem for the functioning of an industrial system, except the period of time it takes to install the equipment in the network. However, if one intends to analyze the implementation of the protocol it is necessary to do so in test environments or when the main system is out of production as the equipment will generate many packets of traffic, the majority invalid, to perform the protocol validation tests that will almost certainly bring the system into an unstable state that may force shut-down and subsequent restart.
Tools and Products
There are numerous tools, both free and payment, capable of carrying out network analyses. Depending on the tool, the intervention of an operator to manage it may be more or less necessary.
The most well-known software network analyzer is probably Wireshark, but there are others with very similar functions, such as Windump and TCPDump.
Within the hardware tools there is a wide range of commercial products, such as Achilles, Netdecoder, Line Eye, etc. It all depends on the needs in terms of protocols and interfaces to be analyzed.