Device Profiles
Behavorial Profiling with Netcap
Motivation
Which device on the network uses which IP address? Which addresses / devices did it contact?
How are devices related to each other, how does communication flow?
Identifying devices within a network is a good starting point for any investigation and helps to understand complex situations and relations quickly. The DeviceProfile custom decoder implements exactly this, and is enabled from v0.5 on by default.
Note: DeviceProfile currently get written when processing all traffic is done - that means when using live capture, the profiles will be available when processing stopped. Future versions will implement a flushing mechanism similar to the one for Flows / Connections.
DeviceProfiles rely heavily on local resolvers to be set up and configured. You can use the DeviceProfile audit records without resolvers, but you will get less information. Read more about the resolvers here:
Analyzing DeviceProfiles can be done using Maltego, for example:
DeviceProfile Audit Records
Lets look at the protocol buffer definition for a device profile:
As you can see, a DeviceProfile is a summary structure built around the hardware address of a physical device. It captures the addresses that have been used, as well as the contacted addresses in form of IPProfiles, among other meta information, like the number of packets or the hardware manufacturer.
Lets take a closer look at an IPProfile:
This is the information associated with a single ip address. Note how in addition to general meta data like the number of packets, bytes and timestamps, there is also information retrieved from the new resolvers API, namely the geolocation and dns names.
Additionally, the results from Deep Packet Inspection for all flows seen from or towards this IP are added as well, in addition to the Server Name Indicators seen and flow statistics for each seen port number from this address.
To enhance encrypted telemetry, Ja3 fingerprints seen for this host are mapped to lookup results from the Ja3 database.
Last updated