An Intro to Network Analyzers
References:
•“Introduction to Wiresharkl”, Dr. Farid Farahmand, Fall 2014
•"Packet analyzer", Wikipedia, March 2013..
•“Wireshark User’s Guide”, For Wireshark 1.99.
•“Wireshark Installation & packet Chapter”, August 2011.
Network Analysis & Sniffing
• Process of capturing, decoding, & analyzing
network traffic
– Why is the network slow
– What is the network traffic pattern
– How is the traffic being shared between nodes
• Also known as
– traffic analysis, protocol analysis, sniffing, packet
analysis, eavesdropping*, etc.
*Listen secretly to what is said in private!
2
Network Analyzer
• A combination of hardware &
software tools what can detect,
decode, & manipulate traffic on
the network
– Passive monitoring (detection) Difficult to detect
– Active (attack)
• Common network analyzers
–
–
–
–
–
Wireshark / Ethereal
Windump
Etherpeak
Dsniff
& much more….
• Available both free &
commercially
• Mainly software-based (utilizing
OS & NIC)
– Also known as sniffer
– A program that monitors the
data traveling through the
network passively
Read: Basic Packet-Sniffer
Construction from the Ground Up!
by Chad Renfro
Checkout his program: sniff.c
3
Network Analyzer - Components
• Hardware
– NIC Card
– Buffer
memory
– Special hardware devices
CRC & Parity Errors
Monitoring voltage
fluctuation
Jitter (random timing
variation)
Jabber (failure to handle
electrical signals)
• Capture driver
– capturing the data
– or disk-based
• Real-time analysis
– analyzing the traffic in real
time; detecting any
intrusions
• Decoder
– making data readable
Capturing the data is easy!
The question is what to do with it!
4
Who Uses Network Analyzers
• System administrators
– Identify system
problems &
– Analyze performance
• Malicious individuals
(intruders)
– Capture cleartext data
– Passively collect data on
vulnerable protocols
• FTP , HTTP, IMAP, POP3,
rlogin, SNTP, etc.
• Capture VoIP data
– Mapping the target
network
– Traffic pattern discovery
– Actively break into the
network (backdoor
techniques)
• Test engineers
– Protocol analyzers can
also generate traffic &
thus act as the reference
device
5
Basic Operation
• Ethernet traffic is broadcast to all nodes on the same
segment
• Sniffer can capture all the incoming data when the
NIC is in promiscuous (not restricted to one port) mode:
– ifconfig eth0 promisc
– ifconfig eth0 –promisc
– Default setup is non-promiscuous
• restricted - only receives the data destined for the NIC
– Note: hub receives all the data!
• If switches are used the sniffer must perform port
spanning
– Also known as port mirroring
– The traffic to each port is mirrored to the sniffer
6
Port Monitoring
• Assume the sniffer (@ port
5) is to monitor the data on
computer A (port 1).
• Port 5 needs first to be
spanned to port 1 (port
spanning).
• The sniffer can now
monitor the data destined
to Computer A.
7
Review: Hub, Switch, & Span Port
•
•
•
•
•
•
•
If you want to capture Ethernet traffic that is sent
by host A to host B, & both are connected to a
HUB,
Just attach a sniffer to this hub.
All other ports see the traffic between hosts A & B.
On a SWITCH, after the host B MAC address is
learned, unicast traffic from A to B is only
forwarded to the B port.
Therefore, the sniffer DOES NOT see this traffic:
An extra feature is necessary that artificially copies
unicast packets that host A sends to the sniffer
port.
Here, the sniffer is attached to a port that is
CONFIGURED to receive a copy of every packet
that host A sends. This port is called a SPAN port.
8
Protecting Against - Sniffers
• Spoofing the MAC is often referred to changing the MAC
address (in Linux:)
–
–
–
–
ifconfig eth0 down
ifconfig eth0 hw ether 00:01:02:03:04:05
ifconfig eth0 up
Register the new MAC address by broadcasting it
• ping –c 1 –b 192.168.1.1
• To detect a sniffer (Linux)
– Download Promisc.c)
– ifconfig -a (search for promisc)
– ip link (search for promisc)
• To detect a sniffer (Windows)
– Download PromiscDetect
Remember:
00:01:02:03:04:05 MAC
address (HWaddr)=
Vender Address + Unique NIC
#
Protecting Against Sniffers
• Using switches can help
• Use encryption
Remember: Never use
unauthorized Sniffers at work!
– Making the intercepted data unreadable
– Note: in many protocols the packet headers are clear text!
• VPNs use encryption & authorization for secure
communications
– VPN Methods
• Secure Shell (SSH): headers are not encrypted
• Secure Sockets Layer (SSL): high network level packet security;
headers are not encrypted
• IPsec: Encrypted headers but does not use TCP or UDP
What is Wireshark?
• Formerly called Ethereal
• An open source program
– free with many features
• Decodes over 750 protocols
Remember: You must have a
good understanding of the
network before you use
Sniffers effectively!
• Compatible with many other sniffers
• Plenty of online resources are available
• Supports command-line & graphical user interfaces (CLI, GUI)
– TSHARK (CLI) has three components
• Editcap
– similar to “Save As” to translate the format of captured packets
• Mergecap
– combines multiple saved captured files
• Text2pcap
– ASCII Hexdump captures & writes the data into a libpcap output file
11
Installing Wireshark
• Download the Wireshark program from
– www.wireshark.org/download.html
, OR
– UBUNDU 14.04 Webpage
– Requires to install capture drivers
• monitor ports & capture all traveling packets
12
Installing Wireshark
• If you did not succeed, do the
following.
• On UBUNTU screen go to the
“Dash board”
– Search for “Wireshark” & Install,
OR
– Go to Firefox in UBUNTU &
Google “Wireshark for Ubuntu
14.04” & follow the instruction.
• You can also download it using a
“Terminal” by command:
sudo apt-get install wireshark
• If you could not see any
interface for capturing, with the
current configuration, you need
“root” privileges to capture
traffic with Wireshark (or
dumpcap, for that matter).
• Here are the commands
sudo -s
usermod -a -G wireshark your-username
chgrp wireshark /usr/bin/dumpcap
chmod 4750 /usr/bin/dumpcap
You can safely run Wireshark to inspect, edit or filter packet dumps without
root privileges, e.g.,
wireshark -i eth0 -c 5
13
Wireshark Window
Menu Bar
Tool Bar
Filter Bar
Packet List
Frame view
Frame bytes
(content)
14
Protocol Tree Window: Details
of the selected packet (#8)
Packet number 8 –
BGP (Boarder
Gateway Prot)
Raw data (content
of packet # 8)
15
Filtering BGP
packets only
16
Ethernet & IEEE 802.3
• Ethernet - most popular protocol
standard to enable computer
communication
– 2nd Layer protocol
– Based on shared medium &
broadcasting
– Close to IEEE 802.3
• Ethernet address is called MAC
address
– 48 bit HW address coded in the
RON of the NIC card
– 1st 24 bits represent the vender
– 2nd 24 bits represent the NIC
• Use: “arp –a”
– To get the Hardware address
from IP address
FSC = Frame Check Sequence
SOF = Start of Frame Delimiter
MAC = Medium Access Control, 6-byte hardware address
17
TCP/IP Stack
• Application
• Transport
– Provides reliable end-to-end transport
– Can be connectionless (UDP) or
connection oriented (TCP)
– Connection oriented requires ACK
• Network
– Logical addressing (IP, Internet protocol)
• Link *
– Frames & carries IP packets between
adjacent network devices
• Physical
* Data Link Layer (IEEE) has 2 sublayers:
• MAC (Medium Access Control): Physical
addressing, moves packets from one NIC
card to another
• LLC (Logical Link Control): Flow control,
error control
19
Internet Packet (IP) Format
Physical &
Link
Header
L3 (Internet)
Header
L4 (Transport)
header
L5 (Application)
header
Data (digitized data, voice, video)
Headers
20
More on Installing Wireshark
•
•
•
•
Download the program from
– www.wireshark.org/download.html
Requires to install capture drivers (monitor ports & capture all traveling
packets)
– Linux: libpcap
– Windows: winpcap (www.winpcap.org)
Typically the file is in TAR format (Linux)
To install in Linux
– rpm –ivh libpcap-0.9.4-8.1.i.386.rpm (install libpcap RPM)
– rpm –q libpcap (query libpcap RPM)
– tar –zxvf libpcap-0.9.5.tar.gz
– ./config
– make
– sudo make install
21
Appendix - Installing Wireshark
•
Log in as the ‘root’ user
•
•
•
Insert Fedora Code 4 Disk #4
Navigate to the following folder in the disk /Fedora/RPMS
Locate packages
– ethereal—0.10.11.-2.i386.rpm
– ethereal-gnome-0.10.11-2.i386.rpm
•
•
Copy the above packages to your system
Change directory to the packages location
– cd <package_dir>
•
Install Ethereal
– rpm –ivh ethereal—0.10.11.-2.i386.rpm
•
Install Ethereal GNOME user Interface
– rpm –ivh ethereal-gnome-0.10.11-2.i386.rpm
• Packages that are needed for
Installation
• Ethereal (available in Fedora Core
4 disk #4)
– ethereal—0.10.11.-2.i386.rpm
• Ethereal GNOME User Interface
– ethereal-gnome-0.10.112.i386.rpm
22
Appendix: Some Helpful References
• Wireshark capture
– https://wiki.wireshark.org/CaptureFilters
• Wireshark screenshots
–
https://www.google.com/search?q=display+wireshark+screenshots&biw=1234&bih=92
0&tbm=isch&tbo=u&source=univ&sa=X&ved=0CBwQsARqFQoTCLPO5uKGmMgCFdI7iA
odbY0ABw#imgrc=LTv96BTj4FElYM%3A
• Wireshark for TCP
– https://wiki.wireshark.org/Transmission_Control_Protocol
• Wireshark for TCP
– https://www.wireshark.org/docs/wsug_html_chunked/ChapterWork.html
• Wireshark for TCP & UDP
– https://en.wikiversity.org/wiki/Wireshark/UDP
• Wireshark YouTube on filter
– https://www.youtube.com/watch?v=__SR6JO6l-A
23