An Intro to Network Analyzers

Slides:



Advertisements
Similar presentations
Introduction to Network Analysis and Sniffer Pro
Advertisements

Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.
1 Fall 2005 Internetworking: Concepts, Architecture and TCP/IP Layering Qutaibah Malluhi CSE Department Qatar University.
OSI Model.
An introduction to Network Analyzers Dr. Farid Farahmand 3/23/2009.
Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.
Hands-On Microsoft Windows Server 2003 Networking Chapter Three TCP/IP Architecture.
COEN 252 Computer Forensics
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 3: TCP/IP Architecture.
Presentation on Osi & TCP/IP MODEL
Computer Networks.  The OSI model is a framework containing seven layers that defines the protocols and devices used at each stage of the process when.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Network Services Networking for Home and Small Businesses – Chapter.
Internet Addresses. Universal Identifiers Universal Communication Service - Communication system which allows any host to communicate with any other host.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Network Services Networking for Home and Small Businesses – Chapter 6.
1 7-Oct-15 OSI transport layer CCNA Exploration Semester 1 Chapter 4.
1 Version 3.0 Module 11 TCP Application and Transport.
1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.
Chapter 6-2 the TCP/IP Layers. The four layers of the TCP/IP model are listed in Table 6-2. The layers are The four layers of the TCP/IP model are listed.
Linux Networking and Security
Chapter 15 – Part 2 Networks The Internal Operating System The Architecture of Computer Hardware and Systems Software: An Information Technology Approach.
Application Layer Khondaker Abdullah-Al-Mamun Lecturer, CSE Instructor, CNAP AUST.
CHAPTER 9 Sniffing.
Data Communications and Networks
INTRODUCTION TO NETWORKS 8/2/2015 SSIG SOUTHERN METHODIST UNIVERSITY.
TCP/IP (Transmission Control Protocol / Internet Protocol)
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced Chapter 3: TCP/IP Architecture.
Sniffer, tcpdump, Ethereal, ntop
1 Microsoft Windows 2000 Network Infrastructure Administration Chapter 4 Monitoring Network Activity.
Linux Operations and Administration Chapter Eight Network Communications.
Slide #1 CIT 380: Securing Computer Systems TCP/IP.
© ITT Educational Services, Inc. All rights reserved. IS3220 Information Technology Infrastructure Security Unit 1 Essential TCP/IP Network Protocols and.
Page 12/9/2016 Chapter 10 Intermediate TCP : TCP and UDP segments, Transport Layer Ports CCNA2 Chapter 10.
Voice Over Internet Protocol (VoIP) Copyright © 2006 Heathkit Company, Inc. All Rights Reserved Presentation 5 – VoIP and the OSI Model.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 OSI transport layer CCNA Exploration Semester 1 – Chapter 4.
IST 201 Chapter 11 Lecture 2. Ports Used by TCP & UDP Keep track of different types of transmissions crossing the network simultaneously. Combination.
Introduction to Networks v6.0
CompTIA Security+ Study Guide (SY0-401)
Networks Fall 2009.
Chapter 5: Making Networks Work
Instructor Materials Chapter 5 Providing Network Services
Computer Networks.
Lab 2: Packet Capture & Traffic Analysis with Wireshark
Introduction to TCP/IP
Instructor Materials Chapter 5: Ethernet
Part I. Overview of Data Communications and Networking
Unit 4: Transport protocols
LAN Vulnerabilities.
Lec 2: Protocols.
Understand the OSI Model Part 2
Networking for Home and Small Businesses – Chapter 6
Lecture 6: TCP/IP Networking By: Adal Alashban
Computer Networks 9/17/2018 Computer Networks.
Networking for Home and Small Businesses – Chapter 6
CompTIA Security+ Study Guide (SY0-401)
Topic 5: Communication and the Internet
Communication Networks NETW 501 Tutorial 3
Computing Over Distance
Chapter 15 – Part 2 Networks The Internal Operating System
Lecture 2: Overview of TCP/IP protocol
Network Architecture Models
Networking for Home and Small Businesses – Chapter 6
OSI Reference Model Unit II
OSI Model 7 Layers 7. Application Layer 6. Presentation Layer
Objectives: 1.Identify different internet protocol (IP) 2.Configure sample of IP address 3.Appreciate and relate protocol in our life.
Presentation transcript:

An Intro to Network Analyzers References: “Introduction to Wiresharkl”, Dr. Farid Farahmand, Fall 2014 "Packet analyzer", Wikipedia, March 2013.. “Wireshark User’s Guide”, For Wireshark 1.99. “Wireshark Installation & packet Chapter”, August 2011.

Network Analysis & Sniffing Process of capturing, decoding, & analyzing network traffic Why is the network slow What is the network traffic pattern How is the traffic being shared between nodes Also known as traffic analysis, protocol analysis, sniffing, packet analysis, eavesdropping*, etc. *Listen secretly to what is said in private!

Checkout his program: sniff.c Network Analyzer A combination of hardware & software tools what can detect, decode, & manipulate traffic on the network Passive monitoring (detection) - Difficult to detect Active (attack) Available both free & commercially Mainly software-based (utilizing OS & NIC) Also known as sniffer A program that monitors the data traveling through the network passively Common network analyzers Wireshark / Ethereal Windump Etherpeak Dsniff & much more…. Read: Basic Packet-Sniffer Construction from the Ground Up! by Chad Renfro Checkout his program: sniff.c

Network Analyzer - Components Hardware NIC Card Buffer memory Special hardware devices CRC & Parity Errors Monitoring voltage fluctuation Jitter (random timing variation) Jabber (failure to handle electrical signals) Capture driver capturing the data or disk-based Real-time analysis analyzing the traffic in real time; detecting any intrusions Decoder making data readable Capturing the data is easy! The question is what to do with it!

Who Uses Network Analyzers System administrators Identify system problems & Analyze performance Malicious individuals (intruders) Capture cleartext data Passively collect data on vulnerable protocols FTP , HTTP, IMAP, POP3, rlogin, SNTP, etc. Capture VoIP data Mapping the target network Traffic pattern discovery Actively break into the network (backdoor techniques) Test engineers Protocol analyzers can also generate traffic & thus act as the reference device IMAP = Internet Message Access Protocol POP3 = Post Office Protocol version 3 (Internet email protocol) HTTP = Hypertext Transfer Protocol (world wide web protocol) SNTP = Simple Network Time Protocol

Basic Operation Ethernet traffic is broadcast to all nodes on the same segment Sniffer can capture all the incoming data when the NIC is in promiscuous (not restricted to one port) mode: ifconfig eth0 promisc ifconfig eth0 –promisc Default setup is non-promiscuous restricted - only receives the data destined for the NIC Note: hub receives all the data! If switches are used the sniffer must perform port spanning Also known as port mirroring The traffic to each port is mirrored to the sniffer Promiscuous = not restricted to one port (go to all port as in a Hub) Non-promiscuous = restricted to one port (as in a Switch) Sniffer on a switch need to have extra feature that artificially copies unicast packets that host sends to the sniffer port (port spaning). Span Terminology http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html#anc8

Port Monitoring Assume the sniffer (@ port 5) is to monitor the data on computer A (port 1). Port 5 needs first to be spanned to port 1 (port spanning). The sniffer can now monitor the data destined to Computer A.

Review: Hub, Switch, & Span Port If you want to capture Ethernet traffic that is sent by host A to host B, & both are connected to a HUB, Just attach a sniffer to this hub. All other ports see the traffic between hosts A & B. On a SWITCH, after the host B MAC address is learned, unicast traffic from A to B is only forwarded to the B port. Therefore, the sniffer DOES NOT see this traffic:   An extra feature is necessary that artificially copies unicast packets that host A sends to the sniffer port. Here, the sniffer is attached to a port that is CONFIGURED to receive a copy of every packet that host A sends. This port is called a SPAN port.

Protecting Against - Sniffers Spoofing the MAC is often referred to changing the MAC address (in Linux:) ifconfig eth0 down ifconfig eth0 hw ether 00:01:02:03:04:05 ifconfig eth0 up Register the new MAC address by broadcasting it ping –c 1 –b 192.168.1.1 To detect a sniffer (Linux) Download Promisc.c) ifconfig -a (search for promisc) ip link (search for promisc) To detect a sniffer (Windows) Download PromiscDetect Spoof = imitate, mock, deceive Sniffing can work if: the sniffing host is on the same Layer2 network the sniffing host does not have a firewall that blocks incoming icmp packets the sniffing host does the sniffing with an interface that has TCP/IP enabled, & thus is able to answer the ICMP packet. Remember: 00:01:02:03:04:05 MAC address (HWaddr)= Vender Address + Unique NIC #

Protecting Against Sniffers Using switches can help Use encryption Making the intercepted data unreadable Note: in many protocols the packet headers are clear text! VPNs use encryption & authorization for secure communications VPN Methods Secure Shell (SSH): headers are not encrypted Secure Sockets Layer (SSL): high network level packet security; headers are not encrypted IPsec: Encrypted headers but does not use TCP or UDP Remember: Never use unauthorized Sniffers at work!

What is Wireshark? Formerly called Ethereal An open source program Remember: You must have a good understanding of the network before you use Sniffers effectively! Formerly called Ethereal An open source program free with many features Decodes over 750 protocols Compatible with many other sniffers Plenty of online resources are available Supports command-line & graphical user interfaces (CLI, GUI) TSHARK (CLI) has three components Editcap similar to “Save As” to translate the format of captured packets Mergecap combines multiple saved captured files Text2pcap ASCII Hexdump captures & writes the data into a libpcap output file CLI = Command-Line Interface GUI = Graphical User Interface

Installing Wireshark Download the Wireshark program from www.wireshark.org/download.html , OR UBUNDU 14.04 Webpage Requires to install capture drivers monitor ports & capture all traveling packets

Installing Wireshark If you did not succeed, do the following. On UBUNTU screen go to the “Dash board” Search for “Wireshark” & Install, OR Go to Firefox in UBUNTU & Google “Wireshark for Ubuntu 14.04” & follow the instruction. You can also download it using a “Terminal” by command: sudo apt-get install wireshark If you could not see any interface for capturing, with the current configuration, you need “root” privileges to capture traffic with Wireshark (or dumpcap, for that matter). Here are the commands sudo -s usermod -a -G wireshark your-user- name chgrp wireshark /usr/bin/dumpcap chmod 4750 /usr/bin/dumpcap sudo = Super User Do You can safely run Wireshark to inspect, edit or filter packet dumps without root privileges, e.g., wireshark -i eth0 -c 5

Wireshark Window Menu Bar Tool Bar Filter Bar Packet List Frame view Go to “6.12. Time display formats & time references” of Wireshark guide. Use “View” to configure time format. Frame bytes (content)

Packet number 8 – BGP (Boarder Gateway Prot) Protocol Tree Window: Details of the selected packet (#8) Raw data (content of packet # 8)

Filtering BGP packets only Download the following files & copy them in your HW: bgp_test tcp_stream_analysis follow_tcp_stream

Ethernet & IEEE 802.3 Ethernet - most popular protocol standard to enable computer communication 2nd Layer protocol Based on shared medium & broadcasting Close to IEEE 802.3 Ethernet address is called MAC address 48 bit HW address coded in the RON of the NIC card 1st 24 bits represent the vender 2nd 24 bits represent the NIC Use: “arp –a” To get the Hardware address from IP address FSC = Frame Check Sequence SOF = Start of Frame Delimiter MAC = Medium Access Control, 6-byte hardware address RON = Routing Organization Number Length in IEEE802.3 - 0x0600 (12536) or less would mean length & above 0x600 would mean type with 1550 byte for max length of payload

Appendixes

TCP/IP Stack Link * Physical Application Transport Network Provides reliable end-to-end transport Can be connectionless (UDP) or connection oriented (TCP) Connection oriented requires ACK Network Logical addressing (IP, Internet protocol) Link * Frames & carries IP packets between adjacent network devices Physical * Data Link Layer (IEEE) has 2 sublayers: MAC (Medium Access Control): Physical addressing, moves packets from one NIC card to another LLC (Logical Link Control): Flow control, error control

Internet Packet (IP) Format Physical & Link Header L3 (Internet) Header L4 (Transport) header L5 (Application) header Data (digitized data, voice, video) Headers

More on Installing Wireshark Download the program from www.wireshark.org/download.html Requires to install capture drivers (monitor ports & capture all traveling packets) Linux: libpcap Windows: winpcap (www.winpcap.org) Typically the file is in TAR format (Linux) To install in Linux rpm –ivh libpcap-0.9.4-8.1.i.386.rpm (install libpcap RPM) rpm –q libpcap (query libpcap RPM) tar –zxvf libpcap-0.9.5.tar.gz ./config make sudo make install

Appendix - Installing Wireshark Log in as the ‘root’ user Insert Fedora Code 4 Disk #4 Navigate to the following folder in the disk /Fedora/RPMS Locate packages ethereal—0.10.11.-2.i386.rpm ethereal-gnome-0.10.11-2.i386.rpm Copy the above packages to your system Change directory to the packages location cd <package_dir> Install Ethereal rpm –ivh ethereal—0.10.11.-2.i386.rpm Install Ethereal GNOME user Interface rpm –ivh ethereal-gnome-0.10.11-2.i386.rpm Packages that are needed for Installation Ethereal (available in Fedora Core 4 disk #4) ethereal—0.10.11.-2.i386.rpm Ethereal GNOME User Interface ethereal-gnome-0.10.11-2.i386.rpm

Appendix: Some Helpful References Wireshark capture https://wiki.wireshark.org/CaptureFilters Wireshark screenshots https://www.google.com/search?q=display+wireshark+screenshots&biw=1234&bih=920&tbm=isch&tbo=u&source=univ&sa=X&ved=0CBwQsARqFQoTCLPO5uKGmMgCFdI7iAodbY0ABw#imgrc=LTv96BTj4FElYM%3A Wireshark for TCP https://wiki.wireshark.org/Transmission_Control_Protocol https://www.wireshark.org/docs/wsug_html_chunked/ChapterWork.html Wireshark for TCP & UDP https://en.wikiversity.org/wiki/Wireshark/UDP Wireshark YouTube on filter https://www.youtube.com/watch?v=__SR6JO6l-A

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.