
Analyzing Network Metadata

When analyzing network traffic, the contents of the packets are often less important than the information about them: who is talking to whom, over which ports, how much data moved and for how long. This "network metadata" (often referred to as NetFlow data, after the Cisco export format) can reveal interesting things about your network and frequently uncovers misconfigurations, policy abuses and security incidents. I relate it to the movie "The Matrix". In one scene the characters are looking at computer screens displaying "the matrix"; those who are not accustomed to reading it see only a stream of green characters rather than "the blonde" or "the brunette".

What do you see?

Fortunately, there are tools available to network security analysts that help make sense of this volume of network metadata. The Tenable Network Monitor (TNM) is a small process that works with the Log Correlation Engine (LCE). It listens to all of the traffic seen on a network interface and reports each connection it observes to LCE. Typically that interface is connected to a SPAN (mirror) port on a switch, so that TNM sees the traffic of the whole monitored segment rather than just the host's own.

Tenable LCE customers can install TNM on any supported operating system (Red Hat, Debian and FreeBSD). Once it is installed, use the "interface" directive in the TNM configuration file ("/opt/network_monitor/tnm.conf") to select the network interface to listen on:

interface "eth1";

TNM also needs to know which LCE server to send the data to, together with a shared secret that is used to authenticate the client and encrypt the data in transit:

lce-server {
client-auth auth-secret-key "areallylongrandomstring";

The value shown is a placeholder: use a long, randomly generated secret that matches the one configured on the LCE server, and keep the configuration file readable only by the account TNM runs as. Finally, specify the networks to include in or exclude from monitoring:

include-networks {

exclude-networks {



Once TNM has been configured, it sends the connection information to LCE, and LCE makes it available in Tenable's Security Center console. For example, one of the alerts built into Security Center identifies TCP sessions that have carried more than 1 gigabyte of traffic. The traffic pattern below was identified by TNM at a Tenable research site:


Each entry represents a single TCP connection between an internal host and a host on the Internet over port 80 that transferred more than 1 GB in one session.

Detailed Flow Information

TNM reports on each "flow", that is, each TCP/IP conversation between two hosts. The fields in the log entries above are as follows:

Date/Time of event: Thu Sep 24 09:56:56

Event name: TNM-TCP_Session_Whole_1GB

Total amount of data transferred (bytes): 1902450810

Source IP/Port:

Dest IP/Port:

Uploaded bytes: 372504937

Downloaded bytes: 1529945873

Beginning unix timestamp of flow: 1253799587

End unix timestamp of flow: 1253800616

Duration of flow (seconds): 1029

A couple of sanity checks are worth making on an entry like this. The uploaded and downloaded counts sum to the total (372,504,937 + 1,529,945,873 = 1,902,450,810), and the duration is simply the difference of the two timestamps. Note also that the event's Date/Time corresponds to the end of the flow: 1253800616 is 13:56:56 UTC on Thursday 24 September 2009, which matches the 09:56:56 shown if the sensor clock is on US Eastern Daylight Time. In other words, the alert is raised when the session closes, not when it begins.
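To make the arithmetic and the checks concrete, here is a small Python script, added here as an example (it is not TNM or LCE code), that parses flow records carrying the fields listed above into a structure, recomputes the total and the duration, and applies the same 1 GB rule together with two further heuristics an analyst would want on web ports: a single session held open for more than 15 minutes, and a large upload volume towards a web server. The pipe-delimited record layout, the sample addresses (RFC 1918 and RFC 5737 ranges) and the heuristic thresholds are assumptions for illustration; the byte counts and timestamps in the first sample record are the ones from the entry above.

```python
"""Flow-record sanity checks over TNM-style fields.

Added example, not Tenable code. The record layout below is an assumption:
    src|sport|dst|dport|uploaded_bytes|downloaded_bytes|start_ts|end_ts
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GIB = 1024 ** 3                   # threshold behind the TNM-TCP_Session_Whole_1GB event
WEB_PORTS = (80, 443)
MAX_WEB_SESSION_SECS = 15 * 60    # assumed: browsers rarely hold one connection this long
MAX_WEB_UPLOAD = 100 * 1024 ** 2  # assumed: request traffic towards a web server is small


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    up_bytes: int
    down_bytes: int
    start: int   # unix timestamp of the first packet
    end: int     # unix timestamp of the last packet

    @property
    def total(self) -> int:
        return self.up_bytes + self.down_bytes

    @property
    def duration(self) -> int:
        return self.end - self.start

    @property
    def rate(self) -> float:
        """Average bytes per second over the life of the flow."""
        return self.total / self.duration if self.duration else float(self.total)


def parse_record(line: str) -> Flow:
    """Parse one pipe-delimited record (constructed layout, see module docstring)."""
    f = line.strip().split("|")
    if len(f) != 8:
        raise ValueError(f"expected 8 fields, got {len(f)}: {line!r}")
    flow = Flow(f[0], int(f[1]), f[2], int(f[3]), int(f[4]), int(f[5]), int(f[6]), int(f[7]))
    if flow.end < flow.start:
        raise ValueError(f"flow ends before it starts: {line!r}")
    return flow


def event_time(flow: Flow, utc_offset_hours: int) -> str:
    """Local wall-clock time of the flow's end, formatted like the event's Date/Time field."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(flow.end, tz).strftime("%a %b %d %H:%M:%S")


def analyze(flow: Flow) -> list[str]:
    """Return the reasons (if any) this flow deserves an analyst's attention."""
    reasons = []
    if flow.total > GIB:
        reasons.append(f"{flow.total} bytes in one TCP session exceeds 1 GiB")
    if flow.dport in WEB_PORTS:
        if flow.duration > MAX_WEB_SESSION_SECS:
            reasons.append(f"web session held open for {flow.duration}s")
        if flow.up_bytes > MAX_WEB_UPLOAD:
            reasons.append(f"{flow.up_bytes} bytes uploaded towards a web port")
    return reasons


def flag_sessions(records):
    """Parse every record and return [(flow, reasons)] for the ones that trip a rule."""
    hits = []
    for rec in records:
        flow = parse_record(rec)
        reasons = analyze(flow)
        if reasons:
            hits.append((flow, reasons))
    return hits


# Constructed sample records. The first carries the byte counts and timestamps from the
# post's entry; the addresses are placeholders from RFC 1918 / RFC 5737 ranges.
SAMPLE_RECORDS = [
    "10.1.2.3|49152|203.0.113.65|80|372504937|1529945873|1253799587|1253800616",
    "10.1.2.3|49153|203.0.113.7|80|2140|184233|1253799600|1253799604",     # ordinary page load
    "10.1.2.4|49200|198.51.100.9|443|51200|903114|1253799650|1253799721",  # short HTTPS session
]

if __name__ == "__main__":
    for flow, reasons in flag_sessions(SAMPLE_RECORDS):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  "
              f"ended {event_time(flow, -4)}  {flow.rate:,.0f} B/s")
        for r in reasons:
            print("   -", r)
```

Run as a script, only the first record is reported, with all three reasons; the two ordinary sessions pass silently. The upload check is the one that matters most for the tunnel case discussed below: a browser's requests to a site amount to kilobytes, so hundreds of megabytes flowing towards a port-80 listener is a strong sign that something other than browsing is riding on the connection.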

Ordinary web browsing does not generate this much traffic on one connection. A typical HTTP transaction is short and moves far less than 1 GB, and even with HTTP 1.1 persistent connections a browser rarely keeps a single connection to one site open for 17 minutes while nearly 2 GB pass over it. The upload count is just as telling: a browser sends requests measured in kilobytes, yet this session pushed over 370 MB towards the remote host. In addition, even a legitimate file download rarely reaches a gigabyte or more; files of that size are more often distributed via a peer-to-peer protocol such as BitTorrent. To gather more information about this traffic, further research was done to identify the remote host. A simple DNS reverse lookup did not return anything very interesting about this IP address:

Non-authoritative answer: = 207-176-6-65.static.pccwglobal.net.

Bing was then queried with the "ip:" operator (which lists the sites Bing has indexed on a given address) to see whether this IP was part of a shared hosting environment, and produced the following results:


One of the sites, www.puritan.com, sells a variety of herbal and vitamin supplements. Transferring over a gigabyte of traffic from this site seemed unlikely (unless you were really into B-12 and acidophilus). The other site was more interesting. Browsing to "free103.http-tunnel.com/ConnectionTest.htm" displayed the following message:

Connection test succeeded, HTTP-Tunnel should work fine

Interesting! HTTP-Tunnel is what its name suggests: a service that lets users proxy their traffic through an HTTP connection. This scenario is far more plausible; if the user was browsing multiple sites through one persistent connection to the proxy, the download size could easily exceed a gigabyte. Searching for the home page of the makers of this tunnel brought the investigation to www.http-tunnel.com, which listed the following reasons for using HTTP-Tunnel:

* Need to bypass any firewall
* Need secure internet browsing
* Need to use favorite programs without being monitored by work, school, ISP or gov.
* Extra security for online transactions
* Encrypt all your Internet traffic
* Need to play online games
* Visit sites that you were previously blocked from
* Prevent 3rd party monitoring or regulation of your Internet browsing and downloads
* Use your favorite applications previously blocked
* Hide your IP address
* Make it next to impossible to identify you online
* Free unlimited data transfer
* Compatible with most major Internet applications
* Secure and virus-free servers
* 99% uptime
* No spam, pop-ups, or banners

HTTP-Tunnel works by having the client make an encrypted connection to the vendor's proxy server; the connection to the real destination is then made by one of their servers, and the response is relayed back to the client. All that the outbound gateway and any traffic monitoring software see is a single outgoing HTTP connection, which is allowed on most networks, while the end user can push several different applications through it, such as a web browser, an instant messaging client and Voice-over-IP services. Because the payload is encrypted, inspecting the content of that connection reveals little; its size, its duration and the volume of data flowing outbound are what give it away.


Analyzing the layer 3 and 4 information (the addresses, ports, byte counts and timings referred to above as "network metadata") identifies interesting patterns in the traffic. TNM, coupled with LCE and Security Center, makes it easy to collect and analyze this data. While much of the process is automated, it still takes some investigative thinking to uncover what may really be happening on the network. In this case it turned out to be a policy violation, but it shows that analyzing traffic patterns, and not just content, is a worthwhile endeavor.
