tag:blogger.com,1999:blog-8631624812585403362.post2150648709766905787..comments2009-08-22T14:28:37.644-07:00Marcus J. Careyhttp://www.blogger.com/profile/07441426999698326334noreply@blogger.comBlogger2125tag:blogger.com,1999:blog-8631624812585403362.post-75367166006726226032009-05-06T07:19:00.000-07:002009-05-06T07:19:00.000-07:00J.D.,<br><br>You are right! The only way to determine what&#39;s normal is to dive deep into a tool like Wireshark and know what traffic looks like. This can also be said with log analysis.<br><br>-MJCMarcus J. Careynoreply@blogger.comtag:blogger.com,1999:blog-8631624812585403362.post-88935023993857245362009-05-05T01:59:00.000-07:002009-05-05T01:59:00.000-07:00Good tool choice!<br><br>Many people think that Wireshark is only for when there&#39;s a problem. But one of the good things to do with Wireshark is to get an idea of what&#39;s &quot;normal&quot; with the systems and nets you&#39;re handling.<br><br>Not just the networks themselves, but also with the typical computers you have connected to the networks. Tap into the network connection (cheap way: get an old ethernet hub, not a switch). <br><br>Listen in what happens when the computer is powered on, when logging in, doing usual net activities. See what&#39;s talking to what. See what goes by in plaintext that should have been encrypted. An so on.<br><br>Finally, need a book to help you get started with packet analysis? One that&#39;s a nice starter is &quot;Practical Packet Analysis&quot; from No Starch Press (http://nostarch.com/packet.htm).J.D. Abolinsnoreply@blogger.com