Slide1
An Intro to Network Analyzers
References:
- “Introduction to Wireshark”, Dr. Farid Farahmand, Fall 2014
- "Packet analyzer", Wikipedia, March 2013.
- “Wireshark User’s Guide”, for Wireshark 1.99.
- “Wireshark Installation & packet Chapter”, August 2011.
Slide2
Network Analysis & Sniffing
Process of capturing, decoding, & analyzing network traffic
- Why is the network slow?
- What is the network traffic pattern?
- How is the traffic being shared between nodes?
Also known as traffic analysis, protocol analysis, sniffing, packet analysis, eavesdropping*, etc.
*Listen secretly to what is said in private!
Slide3
Network Analyzer
A combination of hardware & software tools that can detect, decode, & manipulate traffic on the network
- Passive monitoring (detection): difficult to detect
- Active (attack)
Available both free & commercially
Mainly software-based (utilizing OS & NIC)
Also known as sniffer: a program that monitors the data traveling through the network passively
Common network analyzers:
- Wireshark / Ethereal
- Windump
- EtherPeek
- Dsniff
- & much more….
Read: “Basic Packet-Sniffer Construction from the Ground Up!” by Chad Renfro
Check out his program: sniff.c
Slide4
Network Analyzer - Components
Hardware
- NIC card
- Buffer memory
- Special hardware devices: CRC & parity errors, monitoring voltage fluctuation, jitter (random timing variation), jabber (failure to handle electrical signals)
Capture driver: capturing the data
Buffer: memory- or disk-based
Real-time analysis: analyzing the traffic in real time; detecting any intrusions
Decoder: making data readable
Capturing the data is easy!
The question is what to do with it!
Slide5
Who Uses Network Analyzers
System administrators
- Identify system problems & analyze performance
Malicious individuals (intruders)
- Capture cleartext data
- Passively collect data on vulnerable protocols: FTP, HTTP, IMAP, POP3, rlogin, SNTP, etc.
- Capture VoIP data
- Mapping the target network
- Traffic pattern discovery
- Actively break into the network (backdoor techniques)
Test engineers
- Protocol analyzers can also generate traffic & thus act as the reference device
Slide6
Basic Operation
Ethernet traffic is broadcast to all nodes on the same segment
Sniffer can capture all the incoming data when the NIC is in promiscuous (not restricted to one port) mode:
  ifconfig eth0 promisc
  ifconfig eth0 -promisc
Default setup is non-promiscuous (restricted): the NIC only receives the data destined for it
Note: a hub receives all the data!
If switches are used the sniffer must perform port spanning
- Also known as port mirroring
- The traffic to each port is mirrored to the sniffer
Slide7
Port Monitoring
Assume the sniffer (@ port 5) is to monitor the data on computer A (port 1).
Port 5 needs first to be spanned to port 1 (port spanning).
The sniffer can now monitor the data destined to computer A.
Slide8
Review: Hub, Switch, & Span Port
If you want to capture Ethernet traffic that is sent by host A to host B, & both are connected to a HUB, just attach a sniffer to this hub. All other ports see the traffic between hosts A & B.
On a SWITCH, after the host B MAC address is learned, unicast traffic from A to B is only forwarded to the B port. Therefore, the sniffer DOES NOT see this traffic: an extra feature is necessary that artificially copies unicast packets that host A sends to the sniffer port.
Here, the sniffer is attached to a port that is CONFIGURED to receive a copy of every packet that host A sends. This port is called a SPAN port.
Slide9
Protecting Against Sniffers
Spoofing the MAC often refers to changing the MAC address (in Linux):
  ifconfig eth0 down
  ifconfig eth0 hw ether 00:01:02:03:04:05
  ifconfig eth0 up
Register the new MAC address by broadcasting it:
  ping -c 1 -b 192.168.1.1
To detect a sniffer (Linux):
- Download Promisc.c
- ifconfig -a (search for promisc)
- ip link (search for promisc)
To detect a sniffer (Windows): download PromiscDetect
Remember:
00:01:02:03:04:05
MAC address (HWaddr) = Vendor Address + Unique NIC #
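The “search for promisc” check above, as an added example that is not part of the original slides: a small Python function that scans the text output of `ip link` or `ifconfig -a` (old net-tools layout and the newer `flags=...<...>` layout) and returns the interfaces whose flags include PROMISC. The three sample outputs are constructed, not taken from a real host.

```python
import re

# Constructed sample output (not from a real host) in the three layouts an
# administrator meets: `ip link`, legacy ifconfig, and net-tools 2.x ifconfig.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:01:02:03:04:05 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
"""
SAMPLE_IFCONFIG_OLD = """\
eth0      Link encap:Ethernet  HWaddr 00:01:02:03:04:05
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
"""
SAMPLE_IFCONFIG_NEW = """\
eth1: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        ether 00:01:02:03:04:06  txqueuelen 1000  (Ethernet)
eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
"""

IP_LINK_RE = re.compile(r"^\d+:\s+(\S+?):\s+<([^>]*)>")   # "2: eth0: <FLAGS>"
IFCONFIG_HDR_RE = re.compile(r"^(\S+?):?\s")              # interface name at column 0
PROMISC_RE = re.compile(r"\bPROMISC\b")

def promiscuous_interfaces(text):
    """Return the interface names whose flag set contains PROMISC."""
    found, current = [], None
    for line in text.splitlines():
        m = IP_LINK_RE.match(line)
        if m:  # ip link: name and flags are on the same header line
            if PROMISC_RE.search(m.group(2)):
                found.append(m.group(1))
            continue
        # ifconfig: an unindented line names the interface; its flags are either
        # on that line (new layout) or on the indented line below it (old layout)
        if line and not line[0].isspace():
            h = IFCONFIG_HDR_RE.match(line)
            current = h.group(1) if h else None
        if current and PROMISC_RE.search(line) and current not in found:
            found.append(current)
    return found
```

A scheduled run that diffs this list against the interfaces expected to be in promiscuous mode (e.g. a dedicated IDS sensor) gives a cheap local sniffer check.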
Slide10
Protecting Against Sniffers
Using switches can help
Use encryption
- Making the intercepted data unreadable
- Note: in many protocols the packet headers are clear text!
VPNs use encryption & authorization for secure communications
VPN methods:
- Secure Shell (SSH): headers are not encrypted
- Secure Sockets Layer (SSL): high network level packet security; headers are not encrypted
- IPsec: encrypted headers but does not use TCP or UDP
Remember:
Never use unauthorized sniffers at work!
Slide11
What is Wireshark?
Formerly called Ethereal
An open source program, free with many features
- Decodes over 750 protocols
- Compatible with many other sniffers
- Plenty of online resources are available
Supports command-line & graphical user interfaces (CLI, GUI)
TSHARK (CLI) has three components:
- Editcap: similar to “Save As”, translates the format of captured packets
- Mergecap: combines multiple saved capture files
- Text2pcap: reads ASCII hexdump captures & writes the data into a libpcap output file
Remember:
You must have a good understanding of the network before you use sniffers effectively!
Slide12
Installing Wireshark
Download the Wireshark program from www.wireshark.org/download.html, OR
the UBUNTU 14.04 webpage
Requires installing capture drivers (monitor ports & capture all traveling packets)
Slide13
Installing Wireshark
If you did not succeed, do the following.
- On the UBUNTU screen go to the “Dash board”, search for “Wireshark” & Install, OR
- Go to Firefox in UBUNTU & Google “Wireshark for Ubuntu 14.04” & follow the instructions.
- You can also download it using a “Terminal” by command:
  sudo apt-get install wireshark
If you could not see any interface for capturing, with the current configuration, you need “root” privileges to capture traffic with Wireshark (or dumpcap, for that matter). Here are the commands:
  sudo -s
  usermod -a -G wireshark your-user-name
  chgrp wireshark /usr/bin/dumpcap
  chmod 4750 /usr/bin/dumpcap
You can safely run Wireshark to inspect, edit or filter packet dumps without root privileges, e.g.,
  wireshark -i eth0 -c 5
Slide14
Wireshark Window
Figure labels: Menu Bar, Tool Bar, Filter Bar, Packet List, Frame view, Frame bytes (content)
Slide15
Packet number 8 – BGP (Border Gateway Protocol)
Protocol Tree Window: details of the selected packet (#8)
Raw data (content of packet #8)
Slide16
Filtering BGP packets only
Slide17
Ethernet & IEEE 802.3
Ethernet: the most popular protocol standard to enable computer communication
- 2nd layer protocol
- Based on shared medium & broadcasting
- Close to IEEE 802.3
Ethernet address is called MAC address
- 48-bit HW address coded in the ROM of the NIC card
- 1st 24 bits represent the vendor
- 2nd 24 bits represent the NIC
Use “arp -a” to get the hardware address from an IP address
FCS = Frame Check Sequence
SOF = Start of Frame Delimiter
MAC = Medium Access Control, 6-byte hardware address
Slide18
Appendixes
Slide19
TCP/IP Stack
Application
Transport
- Provides reliable end-to-end transport
- Can be connectionless (UDP) or connection oriented (TCP)
- Connection oriented requires ACK
Network
- Logical addressing (IP, Internet Protocol)
Link*
- Frames & carries IP packets between adjacent network devices
Physical
*Data Link Layer (IEEE) has 2 sublayers:
- MAC (Medium Access Control): physical addressing, moves packets from one NIC card to another
- LLC (Logical Link Control): flow control, error control
Slide20
Internet Packet (IP) Format
Headers:
- Physical & Link header
- L3 (Internet) header
- L4 (Transport) header
- L5 (Application) header
Data (digitized data, voice, video)
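As an added example (not from the original slides), the header stack of slides 17 and 20 walked in Python: a constructed Ethernet II / IPv4 / TCP frame is written into a classic libpcap file of the kind text2pcap produces (slide 11), read back, and decoded layer by layer, splitting off the 24-bit vendor prefix of the source MAC. The MACs, IP addresses and ports are constructed sample values; the frame carries no FCS because the NIC strips it before capture.

```python
import struct

IPV4 = 0x0800
DST_MAC = bytes.fromhex("00aabbccddee")  # constructed sample values, not a real capture
SRC_MAC = bytes.fromhex("000102030405")  # the slide's example MAC

def build_frame():
    """Ethernet II header + 20-byte IPv4 header + 20-byte TCP SYN, no payload, FCS stripped."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    return DST_MAC + SRC_MAC + struct.pack("!H", IPV4) + ip + tcp

def write_pcap(frames, linktype=1):
    """Serialize (timestamp, frame) pairs in classic libpcap format (linktype 1 = Ethernet)."""
    # global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, data in frames:
        out += struct.pack("<IIII", ts, 0, len(data), len(data)) + data  # record header + bytes
    return out

def read_pcap(blob):
    """Parse a libpcap blob back into (timestamp, frame) pairs."""
    if struct.unpack("<I", blob[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    off, frames = 24, []
    while off + 16 <= len(blob):
        ts, _usec, incl, _orig = struct.unpack("<IIII", blob[off:off + 16])
        frames.append((ts, blob[off + 16:off + 16 + incl]))
        off += 16 + incl
    return frames

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def decode(frame):
    """Walk the header stack: 14-byte Ethernet, then IPv4, then TCP ports."""
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "ethertype": etype,
            "src_vendor": mac_str(frame[6:9])}  # first 24 bits of a MAC = vendor (OUI)
    if etype != IPV4:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes (low nibble, in 32-bit words)
    info["proto"], info["src_ip"] = ip[9], ".".join(map(str, ip[12:16]))
    info["dst_ip"] = ".".join(map(str, ip[16:20]))
    if ip[9] == 6:  # TCP: ports are the first two 16-bit fields of the L4 header
        info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info
```

Writing the output of `write_pcap` to a file and opening it in Wireshark shows the same fields in the Protocol Tree Window as `decode` returns.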
Slide21
More on Installing Wireshark
Download the program from www.wireshark.org/download.html
Requires installing capture drivers (monitor ports & capture all traveling packets)
- Linux: libpcap
- Windows: winpcap (www.winpcap.org)
Typically the file is in TAR format (Linux)
To install in Linux:
  rpm -ivh libpcap-0.9.4-8.1.i.386.rpm   (install libpcap RPM)
  rpm -q libpcap                         (query libpcap RPM)
  tar -zxvf libpcap-0.9.5.tar.gz
  ./configure
  make
  sudo make install
Slide22
Appendix - Installing Wireshark
Log in as the ‘root’ user
Insert Fedora Core 4 Disk #4
Navigate to the following folder on the disk: /Fedora/RPMS
Locate the packages:
  ethereal-0.10.11-2.i386.rpm
  ethereal-gnome-0.10.11-2.i386.rpm
Copy the above packages to your system
Change directory to the packages location:
  cd <package_dir>
Install Ethereal:
  rpm -ivh ethereal-0.10.11-2.i386.rpm
Install the Ethereal GNOME user interface:
  rpm -ivh ethereal-gnome-0.10.11-2.i386.rpm
Packages that are needed for installation (available on Fedora Core 4 disk #4):
- Ethereal: ethereal-0.10.11-2.i386.rpm
- Ethereal GNOME user interface: ethereal-gnome-0.10.11-2.i386.rpm
Slide23
Appendix: Some Helpful References
- Wireshark capture filters: https://wiki.wireshark.org/CaptureFilters
- Wireshark screenshots: https://www.google.com/search?q=display+wireshark+screenshots&biw=1234&bih=920&tbm=isch&tbo=u&source=univ&sa=X&ved=0CBwQsARqFQoTCLPO5uKGmMgCFdI7iAodbY0ABw#imgrc=LTv96BTj4FElYM%3A
- Wireshark for TCP: https://wiki.wireshark.org/Transmission_Control_Protocol
- Wireshark for TCP: https://www.wireshark.org/docs/wsug_html_chunked/ChapterWork.html
- Wireshark for TCP & UDP: https://en.wikiversity.org/wiki/Wireshark/UDP
- Wireshark YouTube on filters: https://www.youtube.com/watch?v=__SR6JO6l-A