Multi-trace Packet Analysis - tips and tricks
I can confidently say that one of the most requested items when I teach, present or work onsite with packet analysts is “Show me how to analyze multi-trace file analysis”.
In all cases, I stress that every trace will be different depending on the network topology and equipment involved. For example, if you are on the same VLAN, the packets that leave the client will be the same as what the receiving host sees. If the client traverses a proxy or NAT device, everything in the sending and receiving packets will probably change.
My advice is to take small, filtered traces when everything is working, so that even if you don’t have time to analyze the packets, they are there in case something goes wrong. Of course, please record or document the start and end points as well as the network path and equipment the packets traverse.
In this video I share some tips and tricks that I use in my workflow. Some analysts I know took this to the next level and wrote Lua, Python or PowerShell scripts, or created databases, to troubleshoot faster or handle larger trace files. The point is to start small and learn before automating anything.
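As an added illustration of the NAT case described above (and of the kind of small script the post mentions), the following Python is not from the post or the video. It assumes a simplified dict representation of packets instead of a real pcap reader, constructed sample traces with documentation addresses, and a plain NAT that rewrites only addresses and ports, leaving IP ID, TCP sequence numbers and payload intact (a proxy that terminates TCP breaks this assumption).

```python
import hashlib

def invariant_key(pkt):
    """Fields a plain NAT hop leaves untouched: IP ID, TCP seq/ack and a
    payload digest. Addresses and ports are excluded because NAT rewrites them."""
    digest = hashlib.sha256(pkt["payload"]).hexdigest()[:16]
    return (pkt["ip_id"], pkt["tcp_seq"], pkt["tcp_ack"], digest)

def correlate(client_trace, server_trace):
    """Pair each client-side packet with the same packet in the server-side
    trace. Returns (matches, unmatched_client, unmatched_server); each match
    is (client_pkt, server_pkt, one_way_delay_seconds)."""
    index = {}
    for pkt in server_trace:
        index.setdefault(invariant_key(pkt), []).append(pkt)
    matches, unmatched_client = [], []
    for pkt in client_trace:
        bucket = index.get(invariant_key(pkt))
        if bucket:
            other = bucket.pop(0)  # consume so retransmissions pair one-to-one
            matches.append((pkt, other, round(other["ts"] - pkt["ts"], 6)))
        else:
            unmatched_client.append(pkt)  # left the client, never seen at server
    unmatched_server = [p for bucket in index.values() for p in bucket]
    return matches, unmatched_client, unmatched_server

def rewritten_fields(client_pkt, server_pkt):
    """Header fields that differ between the two views of one packet,
    i.e. what the device in the path changed."""
    return sorted(k for k in ("src", "sport", "dst", "dport")
                  if client_pkt[k] != server_pkt[k])

def _pkt(ts, src, sport, dst, dport, ip_id, seq, ack, payload):
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "ip_id": ip_id, "tcp_seq": seq, "tcp_ack": ack, "payload": payload}

# Constructed sample: three packets as captured on the client's VLAN and, after
# source NAT, on the server's segment. The third one is absent server-side.
CLIENT_TRACE = [
    _pkt(1.000, "10.0.0.5", 51000, "203.0.113.10", 443, 0x1a2b, 1000, 0, b"\x16\x03\x01"),
    _pkt(1.020, "10.0.0.5", 51000, "203.0.113.10", 443, 0x1a2c, 1245, 501, b"\x17\x03\x03"),
    _pkt(1.040, "10.0.0.5", 51000, "203.0.113.10", 443, 0x1a2d, 1285, 501, b"\x17\x03\x03"),
]
SERVER_TRACE = [
    _pkt(1.004, "198.51.100.1", 40001, "203.0.113.10", 443, 0x1a2b, 1000, 0, b"\x16\x03\x01"),
    _pkt(1.025, "198.51.100.1", 40001, "203.0.113.10", 443, 0x1a2c, 1245, 501, b"\x17\x03\x03"),
]

if __name__ == "__main__":
    matched, lost, extra = correlate(CLIENT_TRACE, SERVER_TRACE)
    for c, s, delay in matched:
        print(f"ip_id={c['ip_id']:#06x} delay={delay}s rewritten={rewritten_fields(c, s)}")
    print("seen at client only:", [hex(p["ip_id"]) for p in lost])
```

The unmatched lists are the interesting output in practice: a packet present in the client trace but absent from the server trace narrows the loss to the path between the two capture points.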