Traffic Analysis with Ethereal
Traffic Analysis: What is Traffic Analysis?
"Network analysis is the process of capturing network traffic and inspecting it closely to determine what is happening on the network."
- Ethereal Packet Sniffing. Rockland, MA: Syngress Publishing, Inc., 2004
Traffic analysis, network analysis, protocol analysis, packet analysis and packet sniffing all typically refer to the same thing.
Traffic Analysis: Reasons to analyze traffic
Legitimate:
• Identify network or communication issues
• Monitor network performance
• Verify network security
• Track communication transactions
• Log network traffic
• Discover the source of unwanted traffic
• Discover compromised workstations
• Ensure users are adhering to the AUP (acceptable use policy)
Illegitimate:
• Capture passwords
• Capture network information
• Read confidential information
• Determine network information
Network Analyzers: What's Available?
Differences are usually in the features.
• EtherPeek
• Windows 2000/NT Server Network Monitor
• Network Associates Sniffer and SnifferPro
• Network Instruments Observer
• Ethereal
• Packetyzer
Features can include:
• Number of protocols supported
• User interface
• Graphing and statistical analysis
• Expert analysis features
Ethereal Features
• Free (open source software)
• Runs on multiple platforms
• Supports over 480 protocols
• Reads capture files from other products (MS Network Monitor, TCPdump, Sniffer, Novell LANalyzer)
Installation
1. WinPcap: http://winpcap.polito.it
2. Ethereal: http://www.ethereal.com
Exercise 1: Installing Ethereal
Install WinPcap and Ethereal on your PC: http://www.ethereal.com
Files to download:
• WinPcap_3_0.exe
• ethereal-setup-0.10.5a.exe
Run Ethereal.
Exercise 2: Capturing packets
1. From the main window, select "Capture: Start".
2. This displays the "Capture Preferences" window:
   • Select "Capture packets in promiscuous mode" (the adapter then hands the capture every frame it receives, not only frames addressed to it; on a switched network that is still only the traffic the switch forwards to your port).
   • Select "Update list of packets in real time".
   • Select "Automatic scrolling in live capture".
3. Starting the traffic capture: start the packet capture by clicking "OK" in the "Capture Preferences" window.
4. Generating traffic: in a separate window on your PC, run a ping command to a target on the local network:
   ping -c <count> <local network address>
   (-c sets the number of echo requests on Unix/Linux ping; the Windows ping uses -n for the same purpose.) Observe the output in the Ethereal main window. Click a captured packet in the Ethereal window to highlight it and view the headers of the captured traffic.
5. Stopping the traffic capture: click "Stop" in the "Ethereal Capture" window.
6. Saving captured traffic
Understanding Ethereal: Overview of Packet Info
The main window is split into three panes:
• Packet list (top): one line per captured packet with info about the packet and its contents. Click on one of these lines and watch the packet being highlighted below.
• Packet details (middle): details about the headers of the highlighted packet, one expandable line per protocol layer. Click on one of these fields and watch the matching bytes being highlighted below.
• Packet bytes (bottom): the raw bytes of the highlighted packet.
Exercise 3: Filtering
Ethereal uses the libpcap filter language for capture filters (display filters, applied after capture, use Ethereal's own syntax).
Example 1: a capture filter for telnet traffic to and from a particular host. "port" and "host" without a src/dst qualifier match either direction:
   tcp port 23 and host 141.223.14.147
Example 2: a capture filter for all UDP traffic from non-local sources. In the libpcap language negation ("not" or "!") applies to a whole primitive, so it goes in front of "src net" rather than in front of the address:
   udp and not src net 141.223.162
Filtering rules
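As an added example that is not part of the original slides, the following Python dissector applies the two capture filters above to constructed Ethernet/IPv4 frames, showing what the "port"/"host" primitives match in either direction and what "not src net" excludes. The frames, addresses and helper names are constructed for illustration.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = b'\x08\x00'
PROTO_TCP, PROTO_UDP = 6, 17

def parse_packet(frame):
    """Dissect an Ethernet II / IPv4 frame into the fields capture filters test.
    Returns None for non-IPv4 frames (e.g. ARP), which neither filter can match."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[14 + 9]                  # protocol field: 6 = TCP, 17 = UDP
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = frame[14 + ihl:]
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack('!HH', l4[:4])   # TCP and UDP both start with the ports
    return {'proto': proto, 'src': src, 'dst': dst, 'sport': sport, 'dport': dport}

def telnet_with_host(pkt, host='141.223.14.147'):
    """Same test as 'tcp port 23 and host 141.223.14.147':
    'port' and 'host' without src/dst match either direction."""
    return (pkt['proto'] == PROTO_TCP and 23 in (pkt['sport'], pkt['dport'])
            and host in (pkt['src'], pkt['dst']))

def udp_not_from_net(pkt, net='141.223.162.0/24'):
    """Same test as 'udp and not src net 141.223.162': UDP whose source is outside the net."""
    return (pkt['proto'] == PROTO_UDP
            and ipaddress.ip_address(pkt['src']) not in ipaddress.ip_network(net))

def build_frame(proto, src, dst, sport, dport):
    """Constructed sample frame (not captured traffic): Ethernet II + 20-byte IPv4 + L4 ports only."""
    eth = b'\x00' * 12 + ETHERTYPE_IPV4
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 24, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + struct.pack('!HH', sport, dport)

if __name__ == '__main__':
    samples = [  # constructed traffic resembling what exercise 2 would capture
        build_frame(PROTO_TCP, '10.0.0.5', '141.223.14.147', 40001, 23),
        build_frame(PROTO_TCP, '10.0.0.5', '10.0.0.6', 40002, 23),
        build_frame(PROTO_UDP, '8.8.8.8', '141.223.162.10', 53, 5000),
        build_frame(PROTO_UDP, '141.223.162.10', '8.8.8.8', 5000, 53),
    ]
    for pkt in map(parse_packet, samples):
        print(pkt['src'], '->', pkt['dst'], 'telnet+host:', telnet_with_host(pkt),
              'udp-non-local:', udp_not_from_net(pkt))
```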