Use Binary Analyzer Filters for Network Security Screening and Much More!
Bill Alderson, Technology Consulting Officer, NetQoS, Inc.

Just as virus detection software looks for binary signatures on your disk, an analyzer can look for binary signatures on the wire for security purposes. One such binary filter might match "Ping of Death" frames within your environment or arriving from the Internet. By combining a filter on the IP protocol, a filter on an ICMP Echo inside the IP packet, and a binary filter that matches a one in the "more IP fragments coming" flag, we can trigger on a potential security event.

This feature can also be used, for example, to trigger on REJ or SABME frames in an LLC (SNA, perhaps) conversation between a mainframe and a gateway, to help identify the precursor events that lead to a session restart.

Another application would be to filter on TCP/IP SYN frames to get a general idea of network response time between two devices. By comparing the delta times for pairs of SYN frames starting a TCP connection, you can determine a rudimentary estimate of network latency passively by analyzing an existing data stream.

A third example would be to use a binary filter to look for IP frames with the "don't fragment" bit set, to find out which devices attempt to discover the network maximum transmission unit (MTU) in order to match the TCP MSS (Maximum Segment Size).
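The three IP-level filters described above (fragmented ICMP Echo, TCP SYN, and the "don't fragment" bit) written out as bit masks over a raw IPv4 packet. This is an added example, not code from the original article or from any NetQoS product; the function names and sample packets are constructed for illustration.

```python
import struct

# Bit masks an analyzer's binary filter would apply (IPv4 / TCP header layout).
IP_FLAG_DF = 0x4000   # "don't fragment" bit in the flags/fragment-offset word
IP_FLAG_MF = 0x2000   # "more IP fragments coming" bit in the same word
TCP_FLAG_SYN = 0x02   # SYN bit in the TCP flags byte
PROTO_ICMP, PROTO_TCP = 1, 6
ICMP_ECHO_REQUEST = 8


def match_filters(packet: bytes) -> set:
    """Return the names of the filters that a raw IPv4 packet matches."""
    hits = set()
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return hits                      # too short, or not IPv4
    ihl = (packet[0] & 0x0F) * 4         # IP header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return hits
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    proto, frag_offset = packet[9], flags_frag & 0x1FFF
    payload = packet[ihl:]
    if flags_frag & IP_FLAG_DF:
        hits.add("dont_fragment")
    # Only the first fragment (offset 0) carries the ICMP or TCP header.
    if frag_offset == 0 and payload:
        if proto == PROTO_ICMP and payload[0] == ICMP_ECHO_REQUEST and flags_frag & IP_FLAG_MF:
            hits.add("fragmented_icmp_echo")
        if proto == PROTO_TCP and len(payload) >= 14 and payload[13] & TCP_FLAG_SYN:
            hits.add("tcp_syn")
    return hits


def ipv4(proto: int, flags_frag: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (checksum left as zero) for the samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                         64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload


# Constructed sample packets (documentation addresses, not captured traffic).
ECHO_HEADER = bytes([ICMP_ECHO_REQUEST, 0, 0, 0, 0, 1, 0, 1])
ECHO_FRAGMENT = ipv4(PROTO_ICMP, IP_FLAG_MF, ECHO_HEADER + b"A" * 8)
ECHO_WHOLE = ipv4(PROTO_ICMP, 0, ECHO_HEADER)
SYN_DF = ipv4(PROTO_TCP, IP_FLAG_DF,
              struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, TCP_FLAG_SYN, 8192, 0, 0))
```

A fragmented ICMP Echo also occurs with legitimately large pings, so a hit on that filter is a trigger for closer inspection rather than proof of an attack. The SYN mask matches both the SYN and the SYN/ACK frame, which is the pair whose delta time gives the latency estimate.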

Take some time to get familiar with some of the more unique options on your analyzer to be "ready for action" when problems or esoteric security issues arise. If you wait, it's too late!

 
 
© 2001-2008 NetQoS, Inc. All rights reserved.
