CS408 Lab 1: Packet Analysis With Wireshark
Instructor: Albert Levi, PhD

What is a Network Analyzer? (a.k.a. packet sniffer)
Packet sniffers are software programs that can see the traffic passing over a network or part of a network. As data streams travel over the network, the program captures each packet and eventually decodes its content following the RFC specification.

Why do we need such an analysis?
• Troubleshoot a network.
• Detect network intrusion attempts.
• Monitor the network usage and filter for suspicious content.
• Spy on other network users and collect their passwords.

How is it possible to capture other users' packets?
Ethernet was built around a "shared" principle: all machines on a local network share the same wire, so all machines are able to "see" all the traffic on the same wire. For this reason, Ethernet hardware is built with a "filter" that ignores all traffic that doesn't belong to it; it does this by ignoring all frames whose destination MAC address doesn't match its own. If you put your Ethernet hardware into "promiscuous mode", you deactivate this filter and start accepting those frames rather than discarding them.

What is an Ethernet MAC address?
A MAC address is a 12-digit hex number (6 bytes), embedded in your Ethernet card chipset, that uniquely identifies you over the Ethernet.
Example: 00:C0:49:A7:25:45
Windows: run "ipconfig /all" from the command line to see the MAC address for your adapter.
Linux: run "ifconfig" to see the MAC address for your adapter.

MAC stands for Media Access Control. The Ethernet MAC address is a 48-bit number, broken down into two halves: the first 24 bits identify the vendor of the Ethernet board, and the second 24 bits are a serial number assigned by the vendor. This sufficiently guarantees that no two Ethernet cards have the same MAC address.
Example: in the MAC address 00:C0:49:A7:25:45, the prefix 00:C0:49 is registered to the vendor U.S. Robotics.
This number is called the OUI ("Organizationally Unique Identifier"). You can find the list of vendor/OUI codes at http://standards.ieee.org/regauth/oui/

How do hosts communicate over Ethernet?
Each host in the same Ethernet network has an IP address. In order to send data to a destination host, we first have to know the MAC address of the destination host. To learn the MAC address that corresponds to the destination's IP address, the source broadcasts an ARP packet over the network. ARP stands for Address Resolution Protocol (RFC 826).

ARP Overview
All network hosts maintain their own ARP tables (caches) to reduce the ARP broadcast overhead. The table is as follows:

Protocol   Protocol Address   Hardware Address (MAC)
IP         10.1.32.5          BA D0 BE EF FF FA
IP         10.1.32.9          BA D0 BE EF FF 03

Simply remember this: ARP translates an IP address into a physical MAC address.
To see your computer's ARP cache, type "arp -a" and hit Enter.

The Ethernet Frame
Remember the 4-layer model: in each layer, the data coming from the upper layer is encapsulated into the current layer's PDU. The application data is sent to a host with this encapsulation scheme.

There are two kinds of Ethernet framing in common use today. The "official" standard is IEEE 802.3 framing, but TCP/IP traffic on Ethernet is usually carried in DIX (Digital / Intel / Xerox) type II frames (usually written "Ethernet II" or just "DIX"). Other transport-independent protocols may use 802.3. The two frame types can coexist on the same wire.
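The ARP request/reply exchange described in the ARP slides above, as an added example that is not part of the original lab handout. It uses the two hosts from the slide's ARP table as constructed endpoints, packs and parses RFC 826 ARP packets, splits a MAC into its OUI prefix, and shows the two checks a receiver should make before touching its cache: the answerer replies only for its own IP, and the asker accepts only a reply addressed to itself for the IP it asked about. The function names and host tuples are this example's own assumptions.

```python
import struct
from ipaddress import IPv4Address

# Constructed endpoints, taken from the ARP table on the slide (not a real capture).
HOST_A = ("10.1.32.5", "ba:d0:be:ef:ff:fa")   # (IP address, MAC address)
HOST_B = ("10.1.32.9", "ba:d0:be:ef:ff:03")
ZERO_MAC = "00:00:00:00:00:00"                # target MAC in a request is unknown, so all zeros

# RFC 826 layout: htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FORMAT = "!HHBBH6s4s6s4s"                 # 28 bytes for Ethernet/IPv4
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def oui_of(mac):
    """First 3 bytes of the MAC are the vendor's OUI, e.g. '00:C0:49' for U.S. Robotics."""
    return mac.upper()[:8]

def build_arp(oper, sender, target_ip, target_mac=ZERO_MAC):
    sender_ip, sender_mac = sender
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), IPv4Address(target_ip).packed)

def parse_arp(packet):
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": "request" if oper == ARP_REQUEST else "reply",
            "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa))}

def arp_exchange(asker, answerer):
    """Simulate the broadcast request and the unicast reply; return the cache entry the asker learns."""
    # "Who has 10.1.32.9? Tell 10.1.32.5" (sent in a frame to ff:ff:ff:ff:ff:ff on the wire)
    req = parse_arp(build_arp(ARP_REQUEST, asker, answerer[0]))
    # The answerer only replies to requests for its own IP address.
    if req["op"] != "request" or req["target_ip"] != answerer[0]:
        return {}
    rep = parse_arp(build_arp(ARP_REPLY, answerer, req["sender_ip"], req["sender_mac"]))
    # The asker accepts only a reply addressed to its own MAC/IP that answers the IP it asked about.
    addressed_to_me = (rep["target_mac"], rep["target_ip"]) == (asker[1], asker[0])
    if rep["op"] != "reply" or not addressed_to_me or rep["sender_ip"] != answerer[0]:
        return {}
    return {rep["sender_ip"]: rep["sender_mac"]}   # the row that would appear in "arp -a"

if __name__ == "__main__":
    print(oui_of(HOST_A[1]), arp_exchange(HOST_A, HOST_B))
```

ARP itself carries no authentication, so these receiver-side checks only reject replies that are obviously not for you; an entry in "arp -a" that changes unexpectedly is still worth a look when troubleshooting.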
The Ethernet II "header" simply consists of (omitting the preamble):
• Destination MAC Address
• Source MAC Address
• Type of Encapsulated Data

The Ethernet Frame: type field
Type     Description
0x0800   IP datagram
0x0806   ARP request
0x0835   ARP response
0x8863   PPPoE Discovery Stage datagram
0x8864   PPPoE Session Stage datagram

The Ethernet Frame: analysis with Wireshark
The following Ethereal screenshots are from the last frame containing the HTTP response from a URL with the HTML data "Hello CS 408".

The Ethernet Frame – Ethernet II
0x00 80 ad 02 ad ad   Destination MAC address
0x00 02 44 10 e5 00   Source MAC address
0x08 00               Type (0x0800 = IP datagram)

The Ethernet Frame – IP packet
0x4.            First 4 bits: version, IPv4
0x.5            Last 4 bits: Internet header length, 5 × 32-bit words (20 bytes)
0x00            Type of Service
0x01 31         Size of datagram in bytes, 40 bytes (header + data)
0x85 59         ID # for reassembly of fragmented packets
Flags (3 bits):
  Bit 0: reserved, must be zero
  Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment
  Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments
  Here 010 = Don't Fragment, Last Fragment
0x80            TTL in seconds (Time to Live)
0x06            Contained protocol: 1 = ICMP, 2 = IGMP, 6 = TCP, 17 = UDP (decimal)
0xf3 0b         Checksum
0xc0 a8 00 07   Source IP address
0xc0 a8 00 0a   Destination IP address

The Ethernet Frame – TCP segment
0x00 50         Source port (80)
0x0c dc         Destination port (3292)
0x94 1e 2a 75   Sequence number
0x2f 80 80 6c   ACK number
0x5.            Data offset (header length) in 32-bit words
0x.018          Flags (ACK, SYN, ... you will see later)
0xfe 29         Sender's window size (65065)
0xed 0d         Checksum
0x00 00         Urgent pointer field

The Ethernet Frame – HTTP header
There is not much to say about the HTTP header as it is mostly ASCII. Observe that the HTTP header ends in two line feeds (0D 0A 0D 0A), and then the data comes:
<html><b> Hello CS 408 </b><html>
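To tie the header walk-through together, the following added example (not from the lab handout) parses the exact header bytes shown in the slides' decode of the "Hello CS 408" response: Ethernet II, then IPv4, then TCP, exactly as the encapsulation slide describes, and recomputes the IPv4 header checksum to confirm the 0xf30b on the slide. The HTTP payload itself is not reproduced on the slides, so the frame constant holds only the three headers; a small constructed HTTP response (status and header lines are assumed, the body is the page's) is included to show the 0D 0A 0D 0A split. All function and constant names are this example's own.

```python
import struct
from ipaddress import IPv4Address

# Header bytes transcribed from the slides' Wireshark decode. The HTTP payload that followed
# them in the real capture is not on the slides, so it is omitted here.
FRAME_HEADERS = bytes.fromhex(
    "0080ad02adad" "00024410e500" "0800"          # Ethernet II: dst MAC, src MAC, type
    "45000131855940008006f30bc0a80007c0a8000a"    # IPv4 header (20 bytes)
    "00500cdc941e2a752f80806c5018fe29ed0d0000"    # TCP header (20 bytes)
)
# Constructed HTTP response: the status/header lines are assumed, the body is the page's.
HTTP_SAMPLE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><b> Hello CS 408 </b><html>"

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8863: "PPPoE Discovery", 0x8864: "PPPoE Session"}
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
                 ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ones_complement_sum(data):
    """RFC 1071 one's-complement sum of 16-bit words; a header whose checksum is valid sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_ethernet(frame):
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return ({"dst": mac_str(dst), "src": mac_str(src), "type": etype,
             "type_name": ETHERTYPES.get(etype, "unknown")}, frame[14:])

def parse_ipv4(packet):
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                    # header length field counts 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad IPv4 header")
    return ({"version": 4, "header_len": ihl, "tos": tos, "total_length": total_len, "id": ident,
             "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
             "frag_offset": flags_frag & 0x1FFF, "ttl": ttl,
             "protocol": IP_PROTOCOLS.get(proto, proto),
             "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
             # Checksum covers the header only; summing it with the checksum field gives 0xFFFF.
             "checksum_ok": ones_complement_sum(packet[:ihl]) == 0xFFFF}, packet[ihl:])

def parse_tcp(segment):
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4           # top 4 bits: header length in 32-bit words
    flags = [name for name, bit in TCP_FLAG_BITS if off_flags & bit]
    return ({"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "header_len": data_offset,
             "flags": flags, "window": window, "urgent": urg}, segment[data_offset:])

def decode_frame(frame):
    """Peel the layers in order: Ethernet II -> IPv4 -> TCP -> application payload."""
    eth, rest = parse_ethernet(frame)
    if eth["type"] != 0x0800:
        return {"eth": eth, "payload": rest}
    ip, rest = parse_ipv4(rest)
    out = {"eth": eth, "ip": ip}
    if ip["protocol"] == "TCP":
        tcp, rest = parse_tcp(rest)
        out["tcp"] = tcp
        # Application bytes the IP total length says should follow the two headers.
        out["expected_payload_len"] = ip["total_length"] - ip["header_len"] - tcp["header_len"]
    out["payload"] = rest
    return out

def split_http(payload):
    """Split an HTTP message at the blank line (0D 0A 0D 0A) into header lines and body."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None, payload
    return head.decode("ascii", "replace").split("\r\n"), body

if __name__ == "__main__":
    for layer, fields in decode_frame(FRAME_HEADERS).items():
        print(layer, fields)
    print(split_http(HTTP_SAMPLE))
```

The checksum check is the one worth keeping in any hand-rolled decoder: if a transcribed or captured header does not sum to 0xFFFF, the fields you are reading are not the fields that were sent.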