Episode 17 - Home Labs and Tinted Windows: Why Network Visibility Starts at Your Front Door
Welcome to Corelight Defenders. I'm Richard Bejtlich, strategist and author in residence at Corelight. In each episode, we explore insights from the front lines of NDR, network detection and response. Today I'm speaking with Ricky Lin, technical director for the Advanced Technology Group. Welcome, Ricky.

Thanks, Richard. Glad to be here.

We have something special for our listeners today. We're going to be talking about monitoring your home network, and you have a risk model that may be familiar to many of us. Can you talk about it and your own monitoring approach?

I've got four daughters. One of the things that's a little unique about home is that it's not necessarily APTs I'm looking for trying to get into my home network, but it is really interesting what you can see on the network. I often use the network as a bit of an assistant to see what new devices come up, or if I have a kid that's watching YouTube a little longer than they should be, things like that. Those are pretty interesting things I can do from monitoring the network.

How did you architect it so that you could see traffic?

Since I'm pretty familiar with Cisco stuff, I have a Cisco switch and a bunch of Cisco access points, and I basically have the network switch doing packet mirroring over to my Corelight device.

You had to deploy a secondary wireless network that your users, and we'll talk about them, will connect to, right? If the users were simply connecting to whatever CPE device you got from your vendor or from your ISP, you wouldn't be able to monitor that unless you got on the other side of it, and then you're looking at basically a single NATed IP address, right? Let's talk a little bit about how it is that you can see stuff.
Today most things are encrypted. If you go to most websites, almost all of them are encrypted. That said, even in my home network, I generally don't decrypt things. I can, and I have done some decryption, but let me talk about the things I don't decrypt right now. You can still see a lot. I use the analogy of cars: unencrypted traffic is a car whose windows are untinted, and encrypted traffic you can think of as a car that has really heavy tints. While you can't see inside the car anymore, you can still see where the car comes from, where it's going, and pretty much how much cargo it's carrying, whether it's a truck or a small car. Along those lines, even seeing only encrypted traffic, I can still see if the devices on my home network are going to YouTube, going to social media sites, or going to shopping sites. There's still so much you can see from just encrypted traffic. You can still see the destination, things like the SSL SNI and DNS, and still have a very good idea of what's actually happening.

Let's take the spotlight off your kids for a moment and put it on other devices. I know you've talked about this a little bit internally, but have you found any activity involving, say, consumer devices that might be interesting?

Yeah.
In general, I can see them talking, and that's probably the most interesting part. I have a Tesla vehicle, and you can see it communicating out to Tesla's cloud, if that's what they call it. Samsung smart devices and things like that, it's interesting how much communication they do. Google Cast devices talk constantly as well. As far as anything else, I guess you could see if there's anything abnormal happening, like if there's traffic going to the devices rather than the devices sending out. That could be an indication of some type of abnormal behavior, something trying to access the devices rather than the other way around.

Do you find yourself using the network for troubleshooting? Sometimes when I see people asking for help in a gaming forum or a Linux forum or whatever on Reddit, or even in a networking forum, like you've mentioned Ubiquiti devices, and I have Ubiquiti all in my house as well, people don't think to look at what's happening on the network to figure out what the problem could be. They tend to go back to configurations and ask questions like, "Is this configured properly?" And I want to know, is it acting properly? Do you actually see traffic?

Right. Definitely. I think people default to what they're most comfortable and knowledgeable using, and my default is often to look at the network. So I've used it for troubleshooting small stuff, like putting in a new smart light bulb and seeing if it's connecting to the network. What was I doing recently? A Raspberry Pi that was trying to connect online: verifying that it got an IP address from the DHCP logs, from Zeek's DHCP logs, and seeing if it's trying to talk to where I want it to go as well.

Yeah. The way I like to approach it is to ask: what question are you trying to answer? And with the visibility you have, can you answer those questions? If you can't, I mean, it could be something as simple as we need to be able to see traffic exiting this data center in Germany, and we don't have sensors there because of workers' rights laws or whatever. We have to put together the proper package to get approval to be there. Maybe that's the question; you get it answered, you're good to go. But if you want to be able to see traffic from one segment to another, or potentially one user to another, if you have some type of focused monitoring that might be HR-directed because you feel like you've identified an insider threat or something, you're probably going to have to change the way you approach it, and you can't just have that level of monitoring constantly because, like you said, it's just going to be so expensive. Nobody deploys networks with visibility in mind. It's very, very rare that that's actually built in from the beginning.

Yeah, that's correct. I can attest to that from my network admin days. You're trying to build something, the plumbing that makes this device talk to that one. Your job is to make sure that is reliable and consistent. The secondary priorities are that it's spelled correctly and that you have passwords and the right hygiene for it and such. But generally, when you're building this out, your primary priority is making sure the network plumbing is correct and reliable.

So let's talk about plumbing for a second. You are an old school CCIE. I think you told me you got your CCIE 27 years ago, and you didn't just begin your life as a CCIE; you were using networks before that. So you've had a hand in this industry now for a very long time. Can you tell me a little bit about your perception of how networks have changed over those last 30 years, basically?
I think my number is 7469, which means that everything I learned about token ring, AppleTalk and IPX is now completely obsolete. So in some ways, a lot of what I learned isn't necessarily useful in its actual details. The things that I think have changed the most, beyond the physical side, which has definitely changed: in the old days, your media were very diverse. You had different coax cables, you had dial-up modems, you had ISDN lines and such. You had T1 interfaces for routers once it went to the work world, and there were a lot of circuits for WANs. A lot of that has now simplified down to essentially mostly Ethernet from a medium perspective, a layer two perspective, and then from a layer three perspective, all those protocols like Novell IPX and AppleTalk... I think the only purpose I saw for AppleTalk was playing Oregon Trail between Macs.

Yeah. That's the only time I remember it being useful.

But a lot of those layer three protocols have all pretty much gone down to IP, right? There are still pockets, cities and municipalities that have mainframes. I think my father worked for the City of Houston for a while, and they still have mainframes. I think they're just replacing them now, in the 2020s. But a lot of those things are really, really legacy. For the most part, everything has been converted to a single standard: Ethernet for layer two and IP for layer three. That said, while that part has gotten simpler, networks have gotten much harder in their spread and speed, especially with cloud.
So I think where standardization helped to clean up the different types of media into a single standard, it also enabled things like cloud to happen, which also spreads the problem: it's harder to manage everything that spins up at the rapid pace that happens today.

Yeah, it is amazing when you think back. I remember right after I got out of the Air Force in 2001, I joined up with some friends and we created a little MSSP. One of our customers was a bank, and it had a T1 circuit, which was 1.544 megabit, and to monitor it, we put an EN104 10 megabit hub on it and had our sensor plug into that. Because it was a true hub, it copied the packets to every port. So imagine that this bank had its... I mean, it's the bank's network. It was a small regional bank in Texas, but it was the bank's network connected to a little, not even enterprise grade hub, like a consumer hub, with our sensor connected to it, and it worked great. It was easy to troubleshoot and all that. It is interesting as well, you said that the world collapsed onto IP, but everything on top of IP itself became so much more complicated in some ways. I think earlier I was talking about TCP/IP. It's like UDP ate the world. All these UDP based protocols, QUIC and all these things. That seems to be where the action's at.

Yep, definitely. I remember back in the day lugging around one of those Flukes, I think Network Associates bought them.

Yeah.

They were like a 15 pound suitcase that you... well, not a suitcase, more like a laptop bag that you carried around, and sometimes you would have to find a hub and plug that in, as you said, just to get some raw packets going. But that's unheard of today. Now it's Wireshark running on your laptop. In general, you can also do a lot of remote monitoring as well. A lot of switches and devices have the ability to either do PCAPs or at least NetFlow-type data. So much of that physical walking around trying to monitor stuff is pretty much a thing of the past.

So let's say we've got some beginners listening and they want to learn more about their network. I'll give one piece of advice, and I'd love to hear what you think as well. The first piece of advice would be: just monitor what you have. You're generally not going to be able to do this on a phone or a tablet or an iPad, something that's really locked down. But if you have a laptop, and you can run even Windows, but you can run Linux or whatever, generally you can watch traffic to and from your own computer, and that's a great place to start. Because if you can't understand your own computer, trying to look at a bunch of computers or a bunch of devices is just going to be even more confusing. So that's what I would start with. And I wouldn't necessarily recommend starting with Wireshark, because you're going to get overwhelmed initially, but maybe that is the easiest because it's just a double click install and you've got it. But do you have any advice for people who might want to get started in trying to understand how networks work? So if you're starting from scratch today, right?
I think, as you said, packets are the ground truth, but there are many tools now, and I will put in a plug for Zeek and also Suricata. For understanding your own network, Zeek is incredible, right? It takes what you would have to look at as individual packets and translates it into essentially structured JSON that is pretty easy to read. I would say it's much easier to read than packets for a human, and way, way easier for an AI to read.

The packets are an aspect of what's on the network, but they're not the only interface to what's happening. I mean, you could start with packets; that's great. You're going to get the most detail, and if your tools are sufficiently capable and you're collecting them in the right way, you're going to learn a lot. But if you just want to know who talked to whom, or what protocols are involved, or you want some sort of high-fidelity summarization, and the term I think you used when we talked earlier, which I really liked, was unbiased data or judgment-free network data. If you just want to get that, that's where Zeek, I think, is great. And even Suricata's flow data and all the protocols that they're summarizing now are excellent as well. So you can get a good sense of what your network is doing, potentially without looking at individual packets as you would with Wireshark, just by using one of those alternatives.

Yep, absolutely. I would say the packets are still definitely useful, but it's all about the level of detail that is easily consumed and then understood. For understanding networks, I think the right level is this metadata, so you don't have to go into the packets right away. It's definitely something I would do as a workflow: if I'm trying to troubleshoot something, I might look at some Zeek logs first, and then if I want to prove it out, maybe I want to look at the actual header option that wasn't in the Zeek log, then I can look at the actual packets to get that level of detail. But to start off at the packet level is almost overwhelming.

I recommend capturing to disk as opposed to looking live, because if you just look live, it can get overwhelming. I mean, you can look live and then save to disk, but I always prefer to capture for a period and then look at that saved capture, because that's a little bit of forensic evidence you have that you can put into other tools. You could, for example, upload it to try.zeek.org, and you get an interface into the latest version, or actually probably multiple versions, of Zeek that will generate log entries for you. You can just take a look at them there. Once you start collecting these little snippets of what's happening in your environment, it becomes a nice learning tool, but you can even do more with it later on if you want.

All right, Ricky, well, this was a great conversation.
This is a different one from some of the ones we've had recently, and I really enjoyed hearing your perspective as someone who's been working with networks for so long. So thank you for joining me on the Corelight Network Defenders podcast today.

Yeah, my pleasure.

Thank you for joining us on the Network Defenders podcast sponsored by Corelight. We will see you on the network. You've been listening to Corelight Defenders. To stay informed with expert intelligence on today's cybersecurity challenges, please subscribe to ensure you never miss an episode. We'll see you on the network.