A case study of network security in a hospital

Background

We deployed the NetInside traffic analysis system in the server room of a city hospital, where it provides real-time and historical raw traffic. This analysis uses that traffic for network security forensics, network quality monitoring and deep network analysis.

Analysis time

The report covers the period 2023-04-12 16:00 to 2023-04-18 16:00, a total duration of 7 days.

Detailed analysis

The detailed analysis of traffic is as follows.

Traffic distribution

Over the 7-day period, the system's total traffic peaked at 400 Mbps.

In the daily trend of total traffic, a sustained traffic peak appears between 4 am and 5 am; the IP address involved is XXX.XXX.1.41 and the corresponding application is MICROSOFT-DS (port 445). During daytime working hours, traffic levels off.

Abnormal analysis

The host with IP address XXX.XXX.250.200 shows 13990 send failures; the corresponding application is MICROSOFT-DS (port 445).

Analysis of a sample of the downloaded packets shows the cause of the anomaly: XXX.XXX.250.200 accessed many internal addresses and sent RST to the peers.
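The two findings above, the off-hours traffic peak attributed to one host on port 445 and the host with a large number of send failures across many internal addresses, can be reproduced from exported flow records. The following is an added example written for this page, not NetInside code or output: the Flow fields, the flagging thresholds and the 10.0.x.x addresses standing in for the masked XXX.XXX.* hosts are all constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    """One TCP flow as an analyser might export it (fields are assumptions, not NetInside's schema)."""
    start: datetime
    src: str
    dst: str
    dport: int
    nbytes: int
    rst: bool  # True when the flow ended with a TCP RST, i.e. the analyser counts it as a send failure


def build_sample_flows() -> list[Flow]:
    """Constructed sample data; 10.0.x.x addresses stand in for the report's masked XXX.XXX.* hosts."""
    day = datetime(2023, 4, 13)
    flows = []
    # Normal daytime traffic: HTTPS from a few workstations, moderate volume, no resets.
    for hour in range(8, 18):
        for i in range(5):
            flows.append(Flow(day.replace(hour=hour, minute=i * 10),
                              f"10.0.20.{10 + i}", "10.0.5.1", 443, 2_000_000, False))
    # Off-hours bulk SMB transfer from one host between 04:00 and 05:00 (the traffic peak).
    for minute in range(0, 60, 2):
        flows.append(Flow(day.replace(hour=4, minute=minute),
                          "10.0.1.41", "10.0.5.20", 445, 30_000_000, False))
    # One host reaching many distinct internal addresses on 445, every flow reset (the send failures).
    for n in range(60):
        flows.append(Flow(day.replace(hour=10, minute=n),
                          "10.0.250.200", f"10.0.30.{n % 30 + 1}", 445, 60, True))
    return flows


def hourly_volume(flows):
    """Bytes per hour of day: the daily distribution trend the report plots."""
    vol = Counter()
    for f in flows:
        vol[f.start.hour] += f.nbytes
    return dict(vol)


def peak_hour(flows):
    """Return (hour, bytes, (src, dport)) for the busiest hour and its top talker by bytes."""
    vol = hourly_volume(flows)
    hour = max(vol, key=vol.get)
    talkers = Counter()
    for f in flows:
        if f.start.hour == hour:
            talkers[(f.src, f.dport)] += f.nbytes
    (src, dport), _ = talkers.most_common(1)[0]
    return hour, vol[hour], (src, dport)


def send_failures(flows, dport=None):
    """Per source: (number of RST-terminated flows, distinct destinations hit), optionally for one port."""
    counts = Counter()
    dsts = defaultdict(set)
    for f in flows:
        if f.rst and (dport is None or f.dport == dport):
            counts[f.src] += 1
            dsts[f.src].add(f.dst)
    return {src: (counts[src], len(dsts[src])) for src in counts}


def flag_sources(flows, dport=445, min_failures=50, min_distinct_dsts=20):
    """Sources whose failed flows on `dport` exceed both thresholds (threshold values are assumptions)."""
    return sorted(src for src, (n, d) in send_failures(flows, dport).items()
                  if n >= min_failures and d >= min_distinct_dsts)


if __name__ == "__main__":
    flows = build_sample_flows()
    print("peak hour, bytes, top talker:", peak_hour(flows))
    print("send failures on 445:", send_failures(flows, 445))
    print("hosts to investigate:", flag_sources(flows))
```

Counting distinct destinations alongside the raw failure count is what separates a host that repeatedly fails against one server from a host that touches many internal addresses, which is the pattern the packet sample above describes.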

Analysis conclusion

An abnormal connection pattern was found in the network: the host with IP address XXX.XXX.250.200 has 13990 send failures.

Suggestion

Based on the analysis of the hospital's traffic data, it is recommended to prioritize investigating the anomaly on host XXX.XXX.250.200.

Source: blog.csdn.net/NetInside_/article/details/130319701