Using network forensics to track acceptable use or compliance | 51
domain names and URL information but cannot show what exact content was being displayed at the time. If
those sites cease to exist or change their content, providing adequate documentation is nearly impossible.
The solution is to record the traffic in its entirety, which offers the ability to view the transactions, and also to
reconstruct the original stream of data.
1. Isolate the time frame where you suspect the person was misusing the network. See
2. Click the IP Stations tab and find the address of the user you are tracking. Select the address. This creates a
filter.
3. Click Update Chart. This updates the Detail Chart and shows you all of the traffic from the address.
4. You can further filter the chart and reports by selecting specific traffic types (for example, HTTP, SMTP,
Telnet, and so on).
5. Analyze the data using one of the options described in Mining data from your GigaStor. This opens your data
in the Decode tab in the Observer analyzer.
6. Assuming the data is HTTP, select a packet in the Decode tab and right-click. Choose TCP Dump (HTTP) from
the menu. This analyzes the data and opens it in the Expert tab.
7. Scroll through the decoded packets. Click the “ReconstructedPage.html” files to see the web page as it
looked when the user saw it.
This same process can be used for replaying VoIP calls or capturing e-mail and instant messaging to ensure your
company’s “acceptable use” policy is being followed.
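As an added example (not code from the GigaStor documentation or the Observer product), the following Python script shows the work behind steps 2, 4, 6 and 7 on a constructed capture: filter recorded segments to one IP station and to HTTP, reassemble the server's TCP stream by sequence number (discarding retransmitted bytes and refusing to hide a capture gap), and split out the HTML the user saw. The Segment record, addresses and payloads are assumptions built for the example.

```python
from collections import namedtuple

# One recorded TCP segment; a hypothetical minimal full-capture record.
Segment = namedtuple("Segment", "src dst sport dport seq payload")

def select_station_http(segments, station_ip):
    """Steps 2 and 4: keep only HTTP (TCP port 80) traffic to or from the station."""
    return [s for s in segments
            if station_ip in (s.src, s.dst) and 80 in (s.sport, s.dport)]

def reassemble(segments, src, dst):
    """Rebuild one direction of a TCP stream by sequence number: sort segments,
    trim bytes already copied (retransmissions) and refuse to paper over gaps."""
    flow = sorted((s for s in segments if s.src == src and s.dst == dst),
                  key=lambda s: s.seq)
    data, nxt = bytearray(), None
    for s in flow:
        nxt = s.seq if nxt is None else nxt
        if s.seq > nxt:
            raise ValueError(f"capture gap: {s.seq - nxt} bytes missing before seq {s.seq}")
        chunk = s.payload[nxt - s.seq:]   # drop overlap with data already copied
        data += chunk
        nxt += len(chunk)
    return bytes(data)

def reconstruct_page(stream):
    """Split an HTTP response into its status line and the HTML the user saw."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    return head.split(b"\r\n", 1)[0].decode("ascii"), body.decode("utf-8", "replace")

# Constructed sample capture: a response split over two segments that arrive out
# of order, one retransmitted segment, and an SMTP segment the filter must drop.
RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body>Page as the user saw it</body></html>")
SEGMENTS = [
    Segment("10.1.1.9", "203.0.113.5", 52001, 80, 1, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    Segment("203.0.113.5", "10.1.1.9", 80, 52001, 41, RESP[40:]),
    Segment("203.0.113.5", "10.1.1.9", 80, 52001, 1, RESP[:40]),
    Segment("203.0.113.5", "10.1.1.9", 80, 52001, 1, RESP[:40]),
    Segment("10.1.1.9", "198.51.100.2", 52002, 25, 1, b"EHLO x\r\n"),
]

def reconstruct_for_station(station_ip, server_ip, segments=SEGMENTS):
    """Whole workflow: filter to the station's HTTP traffic, reassemble the
    server's reply to it, and return (status line, HTML body)."""
    http = select_station_http(segments, station_ip)
    return reconstruct_page(reassemble(http, server_ip, station_ip))
```

A real capture would also need TCP flag handling and TLS, which this example leaves out; the point is that only a full-packet record lets the page be rebuilt after the site has changed.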