How to analyze a TCP and UDP network traffic spike
What does it mean when TCP and UDP network traffic spikes? Network security expert Mike Chapple explains what this means for enterprise network security management.
In order to analyze network traffic, check the destination port number using the network monitoring tool that identified the spikes. In many cases, this will tell you the type of TCP and UDP traffic you're seeing. For example, traffic on port 80 is normally HTTP traffic, while traffic on port 443 is normally HTTPS traffic. You can consult the Port Database if you encounter a port you don't recognize.
If that doesn't do the trick, you'll need to sniff the network traffic to identify it. You can do this by connecting a computer running a packet sniffer to your network and leaving it running during one of the spikes. My favorite tool for this job is Wireshark. For more information on using Wireshark, see my tutorial: How to sniff network traffic.
For more information:
- Learn more about writing Wireshark network traffic filters.
- How should service providers address VoIP security issues and threats? Read more.
Dig Deeper on Threat detection and response
Related Q&A from Mike Chapple
Stateful vs. stateless firewalls: Understanding the differences
Examine the important differences between stateful and stateless firewalls, and learn when each type of firewall should be used in an enterprise ... Continue Reading
Wired vs. wireless network security: Best practices
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
The difference between AES and DES encryption
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading