The Network Protocol Analyzer monitors all networks packets that pass through the host computers network interfaces. This enables KFSensor to detect attacks that cannot be detected by the Sim Servers that operate at application level.
The data captured by the Network Protocol Analyzer is collated and translated into events in the same format as that produced by the Sim Servers. This enables KFSensor to combine the benefits of both high and low level honeypot detection.
KFSensor makes use of the industry standard packet libraries to capture network traffic. WinPCap and Npcap are both supported.
See the Admin Guide for information on how to install one of these libraries
The Network Protocol Analyzer enables KFSensor to detect and report on the following different types of events.
| Event | Description |
| ICMP | ICMP is a low level network control and information protocol. By monitoring for this protocol KFSensor can detect Echo requests, caused by use of the Ping utility. |
| Closed Ports |
KFSensor can detect connection attempts to any TCP or UDP port even if the port is closed. Connection made to closed ports will be listed under the special Closed Ports item in the ports view. These type of connections will be labeled as TCP Connection in the event log. |
| Native Listens |
KFSensor can monitor and log connections made to native services. A native service is a third party server
program that is running on the host computer. For example this could be the IIS web server or the Microsoft SMTP server. This enables real production services to be used as part of the honeypot configuration. The events are logged in exactly the same way as for KFSensor's own Sim Servers. To setup a Native service in KFSensor just define a Listen definition in the normal way specifying the protocol and port number of the production service. Set the Action Type to Native and KFSensor will not attempt to open that port, but will monitor it instead. |
| Stealth Scans | One technique used by hackers is to deliberately send mal-formed packets to a target computer. These are rejected by the operating system at the network level, without generating events at the application layer. It is possible for such techniques to be used to perform a stealth scan of a network that is unlikely to be detected by conventional means. KFSensor detects such connections. |
The events detected by the Network Protocol Analyzer will almost certainly be blocked by most firewalls.
If you want to use this facility to its full effect then it is best to disable the firewall, or to configure it to its lowest possible setting.
In addition to generating events in the log, KFSensor can also dump the raw network packets to an external file.
These dump files contain all the protocol information for the network traffic and can be used for more detailed analysis then is possible from
examining the KFSensor log files.
These dump files are in the industry standard LIBPCAP TCPDUMP format.
There are a number of utilities available that will capture network traffic and store it in the same way as KFSensor.This feature is turned off by default, as dump files can rapidly fill even a large hard disk.
To turn on this feature and configure the capture filter use the Network Protocol Analyzer dialog box, available from the Settings menu.
KFSensor produces a new dump file each day.
The file name contains the date the dump file was created.
For example "pktdump_1_20051130".
The default dump path will be c:\kfsensor\dumps
This directory can be configured in the Network Protocol Analyzer dialog box.
KFSensor does not provide a way to view these dump files.
Instead it is recommended that a third party application is used .
We recommend that Wireshark be used for this purpose. It contains many advanced features for analyzing dump files and is compatible with
the dump files produced by KFSensor.
Wireshark is a free utility and can be obtained at
http://www.wireshark.org/