Discussion:
About malicious traffic and how to identify it...
Jaisol
2006-02-15 20:39:49 UTC
I'm not sure if my interpretation of malicious traffic
(external/internal) is correct, or maybe this concept is very subjective or
complex.

Anyway, I understand malicious traffic as all traffic
(external/internal) that goes against the good use of resources, affecting
performance, services, ..., between one or more machines, and which can be intended
(e.g. viruses/trojans) or unintended (e.g. bugs, misconfiguration, p2p).

I've read about network analyzers/monitoring tools like sniffers and MS Network
Monitor/Ethereal, among others like ISA logs, BUT once inside them
I can't identify malicious traffic.
I have spoken with experts in the matter and they always recommend using
sniffers and similar tools, but to the question "how can I identify malicious
traffic once inside these utilities?" they respond vaguely and evasively.

Does this traffic have some clue (protocol, port, frame, size, ...) that helps to
identify it?

For that, I'd really appreciate any kind of help that can guide me to identify
malicious traffic (internal) in a LAN environment.

Of course any comments/suggestions/recommendations will be appreciated.

THANKS!
Karl Levinson, mvp
2006-02-16 02:24:06 UTC
Post by Jaisol
I'm not sure if my interpretation of malicious traffic
(external/internal) is correct, or maybe this concept is very subjective or
complex.
Your best bet is to pick a tool and use it BEFORE problems occur, to get a
baseline for what normal network traffic looks like on your network. Normal
network traffic is different depending on the network and where in the
network you are. That way you can identify any new or unexpected traffic
and changes in traffic that may be suspicious or worth further
investigation. I agree that a sniffer like Ethereal is not the best first
tool for monitoring network traffic, although you can capture sniffer files
and run them through an IDS analysis tool like Snort later if you want.

If you want to learn more, you could read up on IDS / network intrusion
detection, e.g. signature based versus anomaly based, network based versus
host based, etc. There are a bunch of books by Stephen Northcutt that are
good. But if this isn't your primary job duty, you could easily start
wasting all your time learning about and monitoring your network and never
finish. There are some shorter IDS FAQs here:

http://www.google.com/search?q=robert%2Dgraham+ids%2Dfaq
Post by Jaisol
Does this traffic have some clue (protocol, port, frame, size, ...) that helps to
identify it?
There is a lot of different malicious traffic, each with different
characteristics. And it can change daily, monthly, yearly as new attacks
come out. And then there's a lot of "malicious" and unwanted traffic that
is best ignored, depending on where you're seeing it. And there are attacks
you might miss no matter how closely you're watching, because they're
encrypted for example. You may want to look generically for new and
unexpected traffic instead of looking for specific packet characteristics.
Robert Aldwinckle
2006-02-16 15:47:09 UTC
(posted from IE general; unknown cross-posting truncated at microsoft.public.security by OE)
Post by Jaisol
I'm not sure if my interpretation of malicious traffic
(external/internal) is correct, or maybe this concept is very subjective or
complex.
Anyway, I understand malicious traffic as all traffic
(external/internal) that goes against the good use of resources, affecting
performance, services, ..., between one or more machines, and which can be intended
(e.g. viruses/trojans) or unintended (e.g. bugs, misconfiguration, p2p).
I've read about network analyzers/monitoring tools like sniffers and MS Network
Monitor/Ethereal, among others like ISA logs, BUT once inside them
I can't identify malicious traffic.
I have spoken with experts in the matter and they always recommend using
sniffers and similar tools, but to the question "how can I identify malicious
traffic once inside these utilities?" they respond vaguely and evasively.
Does this traffic have some clue (protocol, port, frame, size, ...) that helps to
identify it?
I think outbound malicious traffic, e.g. from Trojans, spyware, etc.
might be easiest to identify. E.g. there could be many requests
being sent to a few unexpected IP addresses for their home sites.

Then if you don't want to use a full protocol analyser such as Ethereal
you could try something like this:

KB837243 - Availability and description of the Port Reporter tool
Post by Jaisol
For that, I'd really appreciate any kind of help that can guide me to identify
malicious traffic (internal) in a LAN environment.
Of course any comments/suggestions/recommendations will be appreciated.
THANKS!
Good luck

Robert Aldwinckle
---
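As an added example (not code from the thread or from any poster), the script below puts two points raised above into practice: Karl Levinson's advice to record a baseline of normal traffic and then look for new or unexpected traffic, and Robert Aldwinckle's observation that outbound traffic from Trojans or spyware often shows up as many requests to a few unexpected addresses. The flow records, host names, addresses (RFC 5737 documentation ranges) and the three-hit threshold are all constructed for this example; in practice the records would come from exported firewall/ISA logs or flow data.

```python
"""Baseline-and-deviation check over constructed flow records.

Added example for the thread above; not any poster's code.
Builds a per-host baseline of (dst_ip, dst_port, proto) from a "normal"
window, then reports flows in a later window that fall outside that
baseline, and hosts that repeatedly contact the same unexpected address.
"""
from collections import Counter, defaultdict

# Flow record: (src_host, dst_ip, dst_port, proto). All values are
# constructed for this example (RFC 5737 documentation address ranges).
BASELINE_WINDOW = [
    ("ws-01", "192.0.2.10", 80, "tcp"),    # intranet web server
    ("ws-01", "192.0.2.53", 53, "udp"),    # internal DNS
    ("ws-01", "192.0.2.25", 25, "tcp"),    # mail relay
    ("ws-02", "192.0.2.10", 80, "tcp"),
    ("ws-02", "192.0.2.53", 53, "udp"),
    ("ws-02", "192.0.2.20", 445, "tcp"),   # file server
    ("srv-file", "192.0.2.53", 53, "udp"),
]

LATER_WINDOW = [
    ("ws-01", "192.0.2.10", 80, "tcp"),        # seen in baseline: fine
    ("ws-01", "192.0.2.53", 53, "udp"),
    ("ws-02", "192.0.2.20", 445, "tcp"),
    ("ws-02", "203.0.113.7", 8080, "tcp"),     # new destination, repeated
    ("ws-02", "203.0.113.7", 8080, "tcp"),
    ("ws-02", "203.0.113.7", 8080, "tcp"),
    ("ws-02", "203.0.113.7", 8080, "tcp"),
    ("ws-01", "198.51.100.44", 443, "tcp"),    # new destination, one-off
    ("ws-09", "192.0.2.10", 80, "tcp"),        # host absent from baseline
]


def build_baseline(records):
    """Map each source host to the set of (dst_ip, dst_port, proto) it used."""
    baseline = defaultdict(set)
    for src, dst, port, proto in records:
        baseline[src].add((dst, port, proto))
    return dict(baseline)


def find_deviations(baseline, records):
    """Return flows whose (src -> dst, port, proto) never appeared in the baseline.

    A source host that is absent from the baseline altogether counts as a
    deviation too: every flow it makes is new by definition.
    """
    return [r for r in records
            if (r[1], r[2], r[3]) not in baseline.get(r[0], set())]


def repeated_unexpected_destinations(deviations, min_hits=3):
    """Among deviating flows, find (src, dst_ip) pairs hit at least min_hits times.

    This is the "many requests to a few unexpected addresses" pattern; the
    threshold is an assumption and should be tuned to the network.
    """
    hits = Counter((src, dst) for src, dst, _port, _proto in deviations)
    return sorted((src, dst, n) for (src, dst), n in hits.items() if n >= min_hits)


def summarize(baseline_records, later_records, min_hits=3):
    """Run the full check and return both the raw deviations and the repeats."""
    baseline = build_baseline(baseline_records)
    devs = find_deviations(baseline, later_records)
    return {"deviations": devs,
            "repeated": repeated_unexpected_destinations(devs, min_hits)}


if __name__ == "__main__":
    result = summarize(BASELINE_WINDOW, LATER_WINDOW)
    print("Flows outside the baseline (worth a look, not proof of anything):")
    for src, dst, port, proto in result["deviations"]:
        print(f"  {src} -> {dst}:{port}/{proto}")
    print("Hosts repeatedly contacting one unexpected address:")
    for src, dst, n in result["repeated"]:
        print(f"  {src} -> {dst} ({n} flows)")
```

Run it with `python3` and it prints the six flows that fall outside the baseline and the one host (ws-02) that hit the same new address four times. As Karl says, a new destination is only "worth further investigation": the baseline window may itself contain unwanted traffic, and nothing in the headers tells you the intent behind a flow, which is the point Rob Moir makes further down the thread.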
Robert Moir
2006-02-16 23:15:06 UTC
Post by Jaisol
I'm not sure if my interpretation of malicious traffic
(external/internal) is correct, or maybe this concept is very
subjective or complex.
The latter one. It is a very complex area - it can be difficult to identify
traffic and match its pattern to something that *may* be malicious.

... ah.. "may be" = that'll be the "vaguely and evasively" answer you worry
about below. The problem can be subjective.

Let me give you an example... VNC. Fantastic tool that lets you take control
of one computer's desktop from another ( http://www.realvnc.com/ if you want
to take a look ).

I install VNC on my Apple Mac laptop at home so I can run things on the Mac
from my Windows desktop machine. Not malicious; I own both machines, I
install it knowingly to help me do what I want to do.

I send an email to you tricking you into installing it, without telling you
what it is or why, and I use it to hack into your computer to steal whatever
it is you'd really hate for a stranger like me to steal. Now we're being
malicious, yet it's the same bit of code both times. The code hasn't changed.
The code isn't malicious one moment and fine the next, what has changed is
the intent of the person installing and using it.
Post by Jaisol
Anyway, I understand malicious traffic as all traffic
(external/internal) that goes against the good use of resources, affecting
performance, services, ..., between one or more machines, and which can be
intended (e.g. viruses/trojans) or unintended (e.g. bugs,
misconfiguration, p2p).
Malicious implies intent. A mistake, e.g. mis-configuration, isn't malicious
as there is no intent to cause harm.
Post by Jaisol
I've read about network analyzers/monitoring tools like sniffers and MS
Network Monitor/Ethereal, among others like ISA logs, BUT once
inside them I can't identify malicious traffic.
I have spoken with experts in the matter and they always recommend using
sniffers and similar tools, but to the question "how can I identify
malicious traffic once inside these utilities?" they respond
vaguely and evasively.
Does this traffic have some clue (protocol, port, frame, size, ...) that
helps to identify it?
For that, I'd really appreciate any kind of help that can guide me to identify
malicious traffic (internal) in a LAN environment.
Right, as you hopefully have guessed from my answer, there is no simple way
to identify malicious traffic, because there is no simple definition - As my
VNC example shows, the same bit of code can be "malicious" on my computer
because I didn't put it there and just fine on your computer because you
want it there.

When looking at traffic with a sniffer, you can't know the intent of the
user by looking at the network headers. There are some patterns that
indicate malicious traffic, sure, but nobody can give you a magic answer and
say "this protocol" or "this port" is malicious, end of story.

So how would we identify malicious traffic from within a sniffer? Well we
probably wouldn't, as it isn't the easiest method. We can use automated
scanning tools that identify certain kinds of traffic that can ONLY be
malicious (Google on "intrusion detection systems"). These aren't perfect
but are useful. We can use firewalls and other similar tools that are good
at spotting malicious looking patterns in network traffic and blocking them.
Again, not perfect but very useful.

As for using a sniffer manually, this might help in two ways. If you know
your network VERY well then you might notice something unusual via a
sniffer. It's all too easy to miss important things by relying on this but I
thought I'd mention it. More usefully, once you know through other methods
that something "wrong" is going on, and hopefully you've narrowed the
problem down to a few machines, you can use a manual sniffer to inspect
traffic to/from your suspect machines to get a good picture of what is going
on. In other words, manual traffic sniffing is a bad method of detecting a
problem, but a good tool to use for investigating a problem once you know
it's there.
--
Rob Moir, MS MVP
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked "Have you
checked (event viewer / syslog)".
Jaisol
2006-02-17 14:50:23 UTC
Now I understand better.
I want to thank all of you who posted.
Once again thank you.

---
Post by Jaisol
I'm not sure if my interpretation of malicious traffic
(external/internal) is correct, or maybe this concept is very subjective or
complex.
Anyway, I understand malicious traffic as all traffic
(external/internal) that goes against the good use of resources, affecting
performance, services, ..., between one or more machines, and which can be intended
(e.g. viruses/trojans) or unintended (e.g. bugs, misconfiguration, p2p).
I've read about network analyzers/monitoring tools like sniffers and MS Network
Monitor/Ethereal, among others like ISA logs, BUT once inside them
I can't identify malicious traffic.
I have spoken with experts in the matter and they always recommend using
sniffers and similar tools, but to the question "how can I identify malicious
traffic once inside these utilities?" they respond vaguely and evasively.
Does this traffic have some clue (protocol, port, frame, size, ...) that helps to
identify it?
For that, I'd really appreciate any kind of help that can guide me to identify
malicious traffic (internal) in a LAN environment.
Of course any comments/suggestions/recommendations will be appreciated.
THANKS!