Project Name: Network Threat Hunting Using Bmon
Linux command-line tools are among the most powerful ways to analyze traffic and spot anomalies and attacks. Bmon is one of the utilities that helps a threat hunter analyze network traffic.
Threat Hunting Using Bmon
Bmon (Bandwidth Monitor) is a utility similar to nload that displays the traffic load over all the network interfaces on the host. The results also include a graph and a section with packet-level details.
# bmon --show-all --use-si
To see more detailed graphical statistics of bandwidth usage, press the d key. For additional interface information, press the i key.
The statistics in the left column are as follows:
Bytes: Traffic in bytes.
Abort Error: A count of abort errors. Somewhere in the connection path between the source and the destination, a piece of software caused a connection to abort.
Collisions: A count of collision errors. Two or more devices have tried to send a packet simultaneously. This shouldn’t be a problem in a full-duplex network.
CRC Errors: A count of cyclic redundancy check errors.
Errors: The total count of errors.
Frame Error: A count of frame errors. A frame is a network container for a packet. An error means malformed frames were detected.
ICMPv6: The number of Internet Control Message Protocol v6 traffic packets.
ICMPv6 Errors: A count of ICMP v6 errors.
Ip6 Broadcast: A count of IPv6 Broadcasts, which are sent to all devices on the network.
Ip6 CE Packets: CE stands for “customer edge.” This usually applies to routers. They connect with the provider edge (PE) of the connectivity service to which the customer subscribes.
Ip6 Delivers: The count of incoming IPv6 packets.
Ip6 ECT(1) Packets: An Explicit Congestion Notification (ECN) allows either end of a network connection to alert the other of impending congestion. Packets are marked with a flag that serves as the warning. The receiving end can reduce transmission rates to try to avoid congestion and possible packet loss. ECN-Capable Transport (ECT) packets are marked with a flag to indicate they’re being delivered via an ECN Capable Transport. This allows intermediate routers to react accordingly. Type 1 ECN packets tell the receiving end to enable ECN and add it to outgoing transmissions.
Ip6 Header Errors: The count of packets with errors in the IPv6 Header.
Ip6 Multicast packets: The count of IPv6 Multicast (a form of broadcast) packets.
Ip6 Non-ECT Packets: The count of IPv6 packets not flagged as ECT(1).
Ip6 Reassembly/Fragment OK: The count of IPv6 packets that were fragmented due to size and successfully reassembled upon receipt.
Ip6 Reassembly Timeouts: The count of IPv6 packets that were fragmented due to size, but failed to be reassembled upon receipt because of timeouts.
Ip6 Truncated Packets: The count of truncated packets. When an IPv6 packet is transmitted, it can be flagged as a candidate for truncation. If any intermediate routers can’t handle the packet because it exceeds the maximum transmission unit (MTU), the router truncates the packet, marks it as such, and forwards it on to the destination. When it’s received, the far end can send an ICMP packet back to the source, telling it to update its MTU estimate to shorten its packets.
Ip6 Discards: The count of discarded IPv6 packets. If any devices between the source and destination weren’t set up correctly, and their IPv6 settings don’t work, they won’t handle IPv6 traffic; it will be discarded.
Ip6 Packets: The total count of all types of IPv6 packets.
Missed Error: The count of packets missing from a transmission. Packets are numbered so the original message can be recreated. If any are missing, their absence is conspicuous.
No Handler: The count of packets for which no protocol handler was found.
Window Error: The count of window errors. The window of a packet is the number of octets in the header. If this holds an abnormal number, the header can’t be interpreted.
The statistics in the right column are as follows:
Packets: Traffic in packets.
Carrier Errors: A count of carrier errors. These occur if a problem arises with the modulation of a signal. This could indicate either a duplex mismatch between networking equipment or physical damage to a cable, socket, or connector.
Compressed: The number of compressed packets.
Dropped: The number of packets dropped, which, as a result, failed to reach their destination (possibly due to congestion).
FIFO Errors: The count of first in, first out (FIFO) buffer errors. The network interface transmission buffer is overrunning because it isn’t being emptied fast enough.
Heartbeat Errors: Hardware or software might utilize a regular signal to show they’re operating correctly or to allow synchronization. The number here is how many “heartbeats” have been lost.
ICMPv6 Checksum Errors: The count of Internet Control Message Protocol v6 message checksum errors.
Ip6 Address Errors: The count of errors due to bad IPv6 addresses.
Ip6 Broadcast Packets: The count of IPv6 Broadcast packets.
Ip6 Checksum Errors: The count of IPv6 checksum errors. ICMP and User Datagram Protocol (UDP) packets in IPv6 use checksums, but regular IPv6 IP packets do not.
Ip6 ECT(0) Packets: These are treated the same as ECT(1) packets.
Ip6 Forwarded: The count of IPv6 packets unicast forwarding delivered. Unicast hops the packets from source to destination through a chain of intermediary routers and forwarders.
Ip6 Multicasts: The number of IPv6 packets multicast forwarding delivered. Multicast sends the packets to a group of destinations simultaneously (which is how Wi-Fi works).
Ip6 No Route: The count of no route errors. This means the destination is unreachable because a route to the far end can't be calculated.
Ip6 Reassembly/Fragment Failures: The count of IPv6 packets that were fragmented due to size, and failed to be reassembled upon receipt.
Ip6 Reassembly/Fragment Requests: The count of IPv6 packets that were fragmented due to size, and had to be reassembled upon receipt.
Ip6 Too Big Errors: The number of ICMP “too big” messages received, indicating that IPv6 packets were sent that were larger than the maximum transmission unit.
Ip6 Unknown Protocol Errors: The count of packets received using an unknown protocol.
Ip6 Octets: The volume of octets received and transmitted. IPv6 has a header of 40 octets (320 bits, 8 bits per octet), and a minimum packet size of 1,280 octets (10,240 bits).
Length Error: The number of packets arriving with a length value in the header that’s shorter than the minimum possible packet length.
Multicast: A count of multicast broadcasts.
Over Errors: A count of over errors. Either the receive buffer has overflowed, or packets have arrived with a frame value larger than what is supported, so they can’t be accepted.
The additional information is as follows:
MTU: The maximum transmission unit.
Operstate: The operational state of the network interface.
Address: The media access control (MAC) address of the network interface.
Mode: This is usually set to default, but you could see tunnel, beet, or ro. The first three relate to IP security (IPSec). The default setting is usually transport mode, in which the payload is encrypted. Client-to-site virtual private networks (VPNs) typically use this. Site-to-site VPNs typically use tunnel mode, in which the entire packet is encrypted. In a Bound End-to-End Tunnel (beet) mode, a tunnel is created between two devices with fixed, hidden, IP addresses, and other, visible IP addresses. The ro mode is a routing optimization method for mobile IPv6.
Family: The network protocol family that is in use.
Qdisc: Queuing discipline. This can be set to red (Random Early Detection), codel (Controlled Delay), or fq_codel (Fair Queueing with Controlled Delay).
Flags: These indicators show the capabilities of a network connection. Our connection can use broadcast and multicast transmissions, and the interface is Up (operational and connected).
IfIndex: The Interface Index is a unique, identifying number associated with a network interface.
Broadcast: The broadcast MAC address. Sending to this address broadcasts received packets to all devices.
TXQlen: The transmission queue size (capacity).
Alias: An IP alias gives a physical network connection multiple IP addresses. It can then give access to different subnets via one network interface card. There are no aliases in use on our test computer.
# bmon -r 5 -p eth0
Observe traffic on eth0 at a 5-second read interval (-r sets the read interval in seconds).
# bmon -p eth0
Restrict the analysis to a specific interface (here eth0) with the -p interface policy.
# bmon -p eth0 -o ascii
Use the ascii output module to print the statistics as plain text instead of the interactive display.
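The error, drop, FIFO, frame, collision and carrier counters listed above are the per-interface statistics the Linux kernel exposes in /proc/net/dev, which is one of bmon's input sources. The POSIX shell script below is an added example, not part of the original page or of the bmon project: it parses a constructed /proc/net/dev snapshot (sample values, not captured from a real host) and reports every interface whose error or drop counters exceed a threshold, the baseline check a hunter performs after bmon shows an unexpected spike. The function names iface_counter and flag_interfaces, the SAMPLE_PROC_NET_DEV variable and the threshold argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: parse a /proc/net/dev-style snapshot and flag interfaces
# whose error/drop counters exceed a threshold. Not bmon's own code.

# Constructed sample in /proc/net/dev layout (not from a real host).
# eth0 is dropping received packets; eth1 shows receive/frame errors
# and collisions, the kind of signal bmon surfaces in its error columns.
SAMPLE_PROC_NET_DEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1012345    8123    0    0    0     0          0         0  1012345    8123    0    0    0     0       0          0
  eth0: 98765432  654321    0  512    0     0          0      1200 12345678  234567    0    0    0     0       0          0
  eth1:    12345     120   37    0    0    37          0         5     6789      95    0    0    0    12       0          0'

# iface_counter SNAPSHOT IFACE NAME
# Prints one counter for one interface. NAME is one of:
#   rx_bytes rx_packets rx_errs rx_drop rx_fifo rx_frame rx_compressed rx_multicast
#   tx_bytes tx_packets tx_errs tx_drop tx_fifo tx_colls tx_carrier tx_compressed
iface_counter() {
    printf '%s\n' "$1" | awk -v want="$2" -v name="$3" '
        BEGIN {
            # column order of /proc/net/dev after the interface name
            split("rx_bytes rx_packets rx_errs rx_drop rx_fifo rx_frame rx_compressed rx_multicast tx_bytes tx_packets tx_errs tx_drop tx_fifo tx_colls tx_carrier tx_compressed", cols, " ")
            for (i in cols) idx[cols[i]] = i + 1
        }
        /:/ {
            # the kernel prints "name:" directly before the first number when
            # the byte count is wide, so split on the colon rather than on spaces
            line = $0
            sub(/:/, " ", line)
            split(line, f, " ")
            if (f[1] == want && name in idx) { print f[idx[name]]; exit }
        }'
}

# flag_interfaces SNAPSHOT THRESHOLD
# Prints "iface counter value" for every watched counter above THRESHOLD.
# Only error-class counters are watched; byte and packet totals are expected to grow.
flag_interfaces() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        BEGIN {
            split("rx_errs rx_drop rx_fifo rx_frame tx_errs tx_drop tx_fifo tx_colls tx_carrier", watch, " ")
            pos["rx_errs"] = 4;  pos["rx_drop"] = 5;  pos["rx_fifo"] = 6;  pos["rx_frame"] = 7
            pos["tx_errs"] = 12; pos["tx_drop"] = 13; pos["tx_fifo"] = 14; pos["tx_colls"] = 15
            pos["tx_carrier"] = 16
        }
        /:/ {
            line = $0
            sub(/:/, " ", line)
            split(line, f, " ")
            for (w = 1; w <= 9; w++) {
                name = watch[w]
                if (f[pos[name]] + 0 > limit + 0) print f[1], name, f[pos[name]]
            }
        }'
}

# Run against the constructed sample with a threshold of 10.
flag_interfaces "$SAMPLE_PROC_NET_DEV" 10
# On a live Linux host the same check runs on the kernel's counters:
#   flag_interfaces "$(cat /proc/net/dev)" 0
```

Counters in /proc/net/dev are cumulative since the interface came up, so for hunting take two snapshots a few seconds apart and compare the deltas; a steadily growing rx_drop on a busy interface is worth correlating with bmon's per-second graph, while a few errors accumulated over weeks usually are not.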