An Intro to Network Analyzers References: •“Introduction to Wiresharkl”, Dr. Farid Farahmand, Fall 2014 •"Packet analyzer", Wikipedia, March 2013.. •“Wireshark User’s Guide”, For Wireshark 1.99. •“Wireshark Installation & packet Chapter”, August 2011. Network Analysis & Sniffing • Process of capturing, decoding, & analyzing network traffic – Why is the network slow – What is the network traffic pattern – How is the traffic being shared between nodes • Also known as – traffic analysis, protocol analysis, sniffing, packet analysis, eavesdropping*, etc. *Listen secretly to what is said in private! 2 Network Analyzer • A combination of hardware & software tools what can detect, decode, & manipulate traffic on the network – Passive monitoring (detection) Difficult to detect – Active (attack) • Common network analyzers – – – – – Wireshark / Ethereal Windump Etherpeak Dsniff & much more…. • Available both free & commercially • Mainly software-based (utilizing OS & NIC) – Also known as sniffer – A program that monitors the data traveling through the network passively Read: Basic Packet-Sniffer Construction from the Ground Up! by Chad Renfro Checkout his program: sniff.c 3 Network Analyzer - Components • Hardware – NIC Card – Buffer memory – Special hardware devices CRC & Parity Errors Monitoring voltage fluctuation Jitter (random timing variation) Jabber (failure to handle electrical signals) • Capture driver – capturing the data – or disk-based • Real-time analysis – analyzing the traffic in real time; detecting any intrusions • Decoder – making data readable Capturing the data is easy! The question is what to do with it! 4 Who Uses Network Analyzers • System administrators – Identify system problems & – Analyze performance • Malicious individuals (intruders) – Capture cleartext data – Passively collect data on vulnerable protocols • FTP , HTTP, IMAP, POP3, rlogin, SNTP, etc. • Capture VoIP data – Mapping the target network – Traffic pattern discovery – Actively break into the network (backdoor techniques) • Test engineers – Protocol analyzers can also generate traffic & thus act as the reference device 5 Basic Operation • Ethernet traffic is broadcast to all nodes on the same segment • Sniffer can capture all the incoming data when the NIC is in promiscuous (not restricted to one port) mode: – ifconfig eth0 promisc – ifconfig eth0 –promisc – Default setup is non-promiscuous • restricted - only receives the data destined for the NIC – Note: hub receives all the data! • If switches are used the sniffer must perform port spanning – Also known as port mirroring – The traffic to each port is mirrored to the sniffer 6 Port Monitoring • Assume the sniffer (@ port 5) is to monitor the data on computer A (port 1). • Port 5 needs first to be spanned to port 1 (port spanning). • The sniffer can now monitor the data destined to Computer A. 7 Review: Hub, Switch, & Span Port • • • • • • • If you want to capture Ethernet traffic that is sent by host A to host B, & both are connected to a HUB, Just attach a sniffer to this hub. All other ports see the traffic between hosts A & B. On a SWITCH, after the host B MAC address is learned, unicast traffic from A to B is only forwarded to the B port. Therefore, the sniffer DOES NOT see this traffic: An extra feature is necessary that artificially copies unicast packets that host A sends to the sniffer port. Here, the sniffer is attached to a port that is CONFIGURED to receive a copy of every packet that host A sends. This port is called a SPAN port. 8 Protecting Against - Sniffers • Spoofing the MAC is often referred to changing the MAC address (in Linux:) – – – – ifconfig eth0 down ifconfig eth0 hw ether 00:01:02:03:04:05 ifconfig eth0 up Register the new MAC address by broadcasting it • ping –c 1 –b 192.168.1.1 • To detect a sniffer (Linux) – Download Promisc.c) – ifconfig -a (search for promisc) – ip link (search for promisc) • To detect a sniffer (Windows) – Download PromiscDetect Remember: 00:01:02:03:04:05 MAC address (HWaddr)= Vender Address + Unique NIC # Protecting Against Sniffers • Using switches can help • Use encryption Remember: Never use unauthorized Sniffers at work! – Making the intercepted data unreadable – Note: in many protocols the packet headers are clear text! • VPNs use encryption & authorization for secure communications – VPN Methods • Secure Shell (SSH): headers are not encrypted • Secure Sockets Layer (SSL): high network level packet security; headers are not encrypted • IPsec: Encrypted headers but does not use TCP or UDP What is Wireshark? • Formerly called Ethereal • An open source program – free with many features • Decodes over 750 protocols Remember: You must have a good understanding of the network before you use Sniffers effectively! • Compatible with many other sniffers • Plenty of online resources are available • Supports command-line & graphical user interfaces (CLI, GUI) – TSHARK (CLI) has three components • Editcap – similar to “Save As” to translate the format of captured packets • Mergecap – combines multiple saved captured files • Text2pcap – ASCII Hexdump captures & writes the data into a libpcap output file 11 Installing Wireshark • Download the Wireshark program from – www.wireshark.org/download.html , OR – UBUNDU 14.04 Webpage – Requires to install capture drivers • monitor ports & capture all traveling packets 12 Installing Wireshark • If you did not succeed, do the following. • On UBUNTU screen go to the “Dash board” – Search for “Wireshark” & Install, OR – Go to Firefox in UBUNTU & Google “Wireshark for Ubuntu 14.04” & follow the instruction. • You can also download it using a “Terminal” by command: sudo apt-get install wireshark • If you could not see any interface for capturing, with the current configuration, you need “root” privileges to capture traffic with Wireshark (or dumpcap, for that matter). • Here are the commands sudo -s usermod -a -G wireshark your-username chgrp wireshark /usr/bin/dumpcap chmod 4750 /usr/bin/dumpcap You can safely run Wireshark to inspect, edit or filter packet dumps without root privileges, e.g., wireshark -i eth0 -c 5 13 Wireshark Window Menu Bar Tool Bar Filter Bar Packet List Frame view Frame bytes (content) 14 Protocol Tree Window: Details of the selected packet (#8) Packet number 8 – BGP (Boarder Gateway Prot) Raw data (content of packet # 8) 15 Filtering BGP packets only 16 Ethernet & IEEE 802.3 • Ethernet - most popular protocol standard to enable computer communication – 2nd Layer protocol – Based on shared medium & broadcasting – Close to IEEE 802.3 • Ethernet address is called MAC address – 48 bit HW address coded in the RON of the NIC card – 1st 24 bits represent the vender – 2nd 24 bits represent the NIC • Use: “arp –a” – To get the Hardware address from IP address FSC = Frame Check Sequence SOF = Start of Frame Delimiter MAC = Medium Access Control, 6-byte hardware address 17 TCP/IP Stack • Application • Transport – Provides reliable end-to-end transport – Can be connectionless (UDP) or connection oriented (TCP) – Connection oriented requires ACK • Network – Logical addressing (IP, Internet protocol) • Link * – Frames & carries IP packets between adjacent network devices • Physical * Data Link Layer (IEEE) has 2 sublayers: • MAC (Medium Access Control): Physical addressing, moves packets from one NIC card to another • LLC (Logical Link Control): Flow control, error control 19 Internet Packet (IP) Format Physical & Link Header L3 (Internet) Header L4 (Transport) header L5 (Application) header Data (digitized data, voice, video) Headers 20 More on Installing Wireshark • • • • Download the program from – www.wireshark.org/download.html Requires to install capture drivers (monitor ports & capture all traveling packets) – Linux: libpcap – Windows: winpcap (www.winpcap.org) Typically the file is in TAR format (Linux) To install in Linux – rpm –ivh libpcap-0.9.4-8.1.i.386.rpm (install libpcap RPM) – rpm –q libpcap (query libpcap RPM) – tar –zxvf libpcap-0.9.5.tar.gz – ./config – make – sudo make install 21 Appendix - Installing Wireshark • Log in as the ‘root’ user • • • Insert Fedora Code 4 Disk #4 Navigate to the following folder in the disk /Fedora/RPMS Locate packages – ethereal—0.10.11.-2.i386.rpm – ethereal-gnome-0.10.11-2.i386.rpm • • Copy the above packages to your system Change directory to the packages location – cd <package_dir> • Install Ethereal – rpm –ivh ethereal—0.10.11.-2.i386.rpm • Install Ethereal GNOME user Interface – rpm –ivh ethereal-gnome-0.10.11-2.i386.rpm • Packages that are needed for Installation • Ethereal (available in Fedora Core 4 disk #4) – ethereal—0.10.11.-2.i386.rpm • Ethereal GNOME User Interface – ethereal-gnome-0.10.112.i386.rpm 22 Appendix: Some Helpful References • Wireshark capture – https://wiki.wireshark.org/CaptureFilters • Wireshark screenshots – https://www.google.com/search?q=display+wireshark+screenshots&biw=1234&bih=92 0&tbm=isch&tbo=u&source=univ&sa=X&ved=0CBwQsARqFQoTCLPO5uKGmMgCFdI7iA odbY0ABw#imgrc=LTv96BTj4FElYM%3A • Wireshark for TCP – https://wiki.wireshark.org/Transmission_Control_Protocol • Wireshark for TCP – https://www.wireshark.org/docs/wsug_html_chunked/ChapterWork.html • Wireshark for TCP & UDP – https://en.wikiversity.org/wiki/Wireshark/UDP • Wireshark YouTube on filter – https://www.youtube.com/watch?v=__SR6JO6l-A 23