CS408 Lab1 Packet Analysis With Ethereal Instructor PhD Albert

advertisement
CS408 Lab1
Packet Analysis With Wireshark
Instructor
PhD Albert Levi
What is a Network Analyzer?(a.k.a Packet sniffer)
Packet sniffers are software programs that can see the traffic
passing over a network or part of a network. As data streams travel
over the network, the program captures each packet and eventually
decodes its content following the RFC specification.
Why do we need such an analysis?
• Troubleshoot a network.
• Detect network intrusion attempts.
• Monitor the network usage and filter for suspicious content
• Spy on other network users and collect their passwords.
How is it possible to capture other users packets?
Ethernet was built around a "shared" principle: all machines on a
local network share the same wire. So, all machines are able to
"see" all the traffic on the same wire. Thus, Ethernet hardware is built
with a "filter" that ignores all traffic that doesn't belong to it.
It does this by ignoring all frames whose MAC address doesn't
match. If you put your Ethernet Hardware into "promiscuous mode“,
you will deactivate the mentioned “filter” and start accepting packets
rather than discarding them...
What is an Ethernet MAC address?
MAC Adress is a 12-digit hex number (6 bytes), embedded in your
ethernet card chipsets, that uniquely identifies you over the ethernet.
Example : 00:C0:49:A7:25:45
Windows:
Run the program "ipconfig /all" from the command-line. To see the
MAC address for your adapter.
Linux:
Run the program "ifconfig". To see the MAC address for your
adapter.
What is an Ethernet MAC address?
MAC stands for Media Access Control.
The Ethernet MAC address is a 48 bit number. This number is
broken down into two halves, the first 24-bits identify the vendor of
the Ethernet board, the second 24-bits is a serial number assigned
by the vendor. This sufficiently guarantees that no two Ethernet
cards have the same MAC address.
Example MAC Adress is 00:C0:49:A7:25:45
00:C0:49 is Registered for the vendor U.S Robotics. This number is
called OUI ("Organizationally Unique Identifier").
You can find the list of vendor/OUI codes at
http://standards.ieee.org/regauth/oui/
How do hosts communicate over Ethernet?
Each Host in the same ethernet network has an IP adress.
Inorder to send data to a destination host, first we have to know the
MAC Adress for the destination host. To get the IP adress of the
destination, the source broadcasts an ARP packet over the network.
ARP stands for Adress Resolution Protocol. (RFC 826)
ARP Overview
All network hosts maintain their own ARP tables (caches) to reduce
the ARP broadcast overhead. The table is as follows
Protocol
Protocol Adress
Hardware Address (MAC)
IP
10.1.32.5
BA D0 BE EF FF FA
IP
10.1.32.9
BA D0 BE EF FF 03
Simply Remeber this:
ARP translates IP address into a physical MAC address.
To see your computers ARP Cache type “arp –a” and hit enter
The Ethernet Frame
Remember the 4 Layer Model, in each layer, the data coming from
the upper layer is encapsulated into the current layers PDU.
The Application data is sent to a host with the above encapsulation
scheme.
The Ethernet Frame
There are two kinds of Ethernet framing in common use today. The
"official" standard is IEEE 802.3 framing, but TCP/IP traffic on
Ethernet is usually carried in DIX (Digital / Intel / Xerox) type
II (usually written “Ethernet II" or just "DIX") frames. Other
transport-independent protocols, may use 802.3. The two frame
types can coexist on the same wire.
The Ethernet II “Header” simply consist of (omitting preamble)
•Destination MAC Address
•Source MAC Address
•Type Of Encapsulated Data
The Ethernet Frame types diagram
Type Field
Description
0x0800
IP datagram
0x0806
ARP request
0x0835
ARP responset
0x8863
PPPoE Discovery Stage Datagram
0x8864
PPPoE Session Stage Datagram
The Ethernet Frame Analysis with Wireshark
The following ethereal screen shots are from the last frame containig
HTTP response from a URL with the HTML data “ Hello CS 408”
The Ethernet Frame – Ethernet II
Destination MAC Adress
0 x 00 80 ad 02 ad ad
Source MAC Adress
0 x 00 02 44 10 e5 00
Type
0 x 08 00
The Ethernet Frame – IP Packet
0x4.
First 4 bits IPv4
0x.5
Last 4 bits Internet header length 5x 32bit words (20 byte)
0x00
Type of Service
0x01 31
Size of datagram in bytes 40 byte (Header+Data)
0x85 59
ID # for reassembly of fragmented packets
The Ethernet Frame – IP Packet
Bit 0: reserved, must be zero
Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment.
Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments.
010 =
Dont fragment , Last Fragment
The Ethernet Frame – IP Packet
0x80
TTL in Seconds (Time to Live)
0x06
Contained Protocol . 1=ICMP , 2=IGMP, 6=TCP , 17=UDP
(decimal)
0xf30b
CheckSum
0xc0 a8 00 07
Source IP Adress
0xc0 a8 00 0a
Destination IP Adress
The Ethernet Frame – TCP Segment
0x00 50
Source Port (80)
0x0c dc
Destination Port (3292)
0x94 1e 2a 75
Sequence Number
0x2f 80 80 6c
ACK Number
0x5.
Data Offset (Header Length) in 32bit words
The Ethernet Frame – TCP Segment
0x5.
Data Offset (Header Length) in 32bit words
0x.018
Flags (ACK, SYN... You will see later)
0xfe29
Senders Window size (65065)
0xed0d
Check Sum
0x0000
Urgent Pointer Field
The Ethernet Frame – HTTP Header
There is not much to say about HTTP header as its mostly ASCII.
Observe that HTTP header is ending in two line-feeds
(0D 0A 0D 0A) and then the data comes.
<html><b> Hello CS 408 </b><html>
Download