4. TCP/IP & Software Tools
Intrusion Detection Module
Stephen Huang, Department of Computer Science, University of Houston


Overview
- TCP State Machine
- Three-Way Handshake
- TCPDump
- Wireshark

TCP State Machine
States: closed, listen, SYN received, SYN sent, established, close wait, last ACK, FIN wait 1, FIN wait 2, time wait.

Server Side Passive Open
- closed -> listen: passive open
- listen -> SYN received: receive SYN, send SYN+ACK
- SYN received -> established: receive ACK
Exchange: client sends SYN; server replies SYN+ACK; client replies ACK.

Client Side Active Open
- closed -> SYN sent: active open, send SYN
- SYN sent -> established: receive SYN+ACK, send ACK
Exchange: client sends SYN; server replies SYN+ACK; client replies ACK.

Server Side Passive Close
- established -> close wait: receive FIN, send ACK
- close wait -> last ACK: close, send FIN
- last ACK -> closed: receive ACK
Exchange: client sends FIN; server replies ACK; server sends FIN+ACK; client replies ACK.

Client Side Active Close
- established -> FIN wait 1: close, send FIN
- FIN wait 1 -> FIN wait 2: receive ACK
- FIN wait 2 -> time wait: receive FIN, send ACK
- time wait -> closed: timeout
Exchange: client sends FIN; server replies ACK; server sends FIN+ACK; client replies ACK.

SYN Open (three-way handshake; client port 1234, server port 80)
1. client -> server: SYN; SRC 1234, DST 80, Seq 100, Ack 0
2. server -> client: SYN, ACK; SRC 80, DST 1234, Seq 300, Ack 101
3. client -> server: ACK; SRC 1234, DST 80, Seq 101, Ack 301

SYN Close
1. client -> server: FIN, ACK; SRC 1234, DST 80, Seq 101, Ack 301
2. server -> client: ACK; SRC 80, DST 1234, Seq 301, Ack 102
3. server -> client: FIN, ACK; SRC 80, DST 1234, Seq 301, Ack 102
4. client -> server: ACK; SRC 1234, DST 80, Seq 102, Ack 302

Reliability through acknowledgement
- If sent data is not ack'ed, it is retransmitted.
- Acks are piggy-backed on outgoing traffic.
- Delayed ack: wait ~200 ms for outgoing traffic to carry the ack.

Data Flow
- client -> server: ACK, PSH; SRC 1234, DST 80, Seq 101, Ack 301, data 'a'
- server -> client: ACK; SRC 80, DST 1234, Seq 301, Ack 102
- client -> server: ACK, PSH; SRC 1234, DST 80, Seq 102, Ack 301, data 'b'
- client -> server: ACK; SRC 1234, DST 80, Seq 103, Ack 302, data 'c'
- server -> client: FIN, ACK; SRC 80, DST 1234, Seq 301, Ack 104
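The Seq/Ack arithmetic behind the SYN Open, SYN Close and Data Flow slides, as an added example (not code from the slides): a small model in which SYN and FIN each consume one sequence number and the Ack field always carries the next byte expected from the peer. Ports 1234/80 and initial sequence numbers 100/300 are the slides' values; the Endpoint class and the function names are assumptions of this example.

```python
# Sequence/acknowledgement bookkeeping for the TCP open, data and close
# exchanges on the SYN Open, SYN Close and Data Flow slides.  Added
# illustration, not code from the slides; ports (1234, 80) and initial
# sequence numbers (100, 300) are the slides' values.  SYN and FIN each
# consume one sequence number; a pure ACK consumes none, so the Ack field
# is always "the next byte I expect from you".

class Endpoint:
    def __init__(self, name, port, isn):
        self.name, self.port = name, port
        self.snd_nxt = isn      # next sequence number this side will send
        self.rcv_nxt = 0        # next sequence number expected from the peer
        self.state = "closed"   # state names as on the slide's state machine

def segment(src, dst, flags, payload=b""):
    """Emit one segment from src to dst and advance both sides' counters."""
    seg = {"src": src.port, "dst": dst.port, "flags": flags,
           "seq": src.snd_nxt, "ack": src.rcv_nxt, "len": len(payload)}
    consumed = len(payload) + ("S" in flags) + ("F" in flags)
    src.snd_nxt += consumed
    if consumed:                # the receiver now expects the byte after this
        dst.rcv_nxt = seg["seq"] + consumed
    return seg

def handshake(client, server):
    """Three-way handshake: client active open, server passive open."""
    server.state = "listen"
    syn = segment(client, server, "S")
    client.state = "SYN sent"
    synack = segment(server, client, "SA")
    server.state = "SYN rcvd"
    ack = segment(client, server, "A")
    client.state = server.state = "established"
    return [syn, synack, ack]

def send_data(src, dst, payload):
    """Data segment with PSH set, followed by the peer's acknowledgement."""
    return [segment(src, dst, "PA", payload), segment(dst, src, "A")]

def close(active, passive):
    """Four-segment close; `active` sends the first FIN."""
    fin = segment(active, passive, "FA")
    active.state, passive.state = "FIN wait 1", "close wait"
    ack = segment(passive, active, "A")
    active.state = "FIN wait 2"
    fin2 = segment(passive, active, "FA")
    passive.state = "last ACK"
    ack2 = segment(active, passive, "A")
    active.state, passive.state = "time wait", "closed"   # closed after 2*MSL
    return [fin, ack, fin2, ack2]

def slide_exchange(data=()):
    """Open, send each chunk of `data` from the client, then close."""
    client, server = Endpoint("client", 1234, 100), Endpoint("server", 80, 300)
    segs = handshake(client, server)
    for chunk in data:
        segs += send_data(client, server, chunk)
    segs += close(client, server)
    return segs

if __name__ == "__main__":
    for s in slide_exchange(data=[b"a"]):
        print(f"{s['src']:>5} > {s['dst']:<5} {s['flags']:<2} "
              f"seq {s['seq']} ack {s['ack']} len {s['len']}")
```

With no data the seven segments reproduce the SYN Open and SYN Close slides exactly; with one byte of data the client's FIN moves to Seq 102 and the server's final Ack to 103.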

Bulk Data Flow (sliding-window figure)
Send buffer regions: Sent & Ack'ed | Sent, not Ack'ed | Can Send ASAP | Cannot Send. Values on the figure: Ack: 7, Win: 12.

TCPDump
A Unix tool used to
- gather data from the network,
- decipher the bits, and
- display the output in a semi-coherent way.

Software
- TCPDump: ftp://ftp.ee.lbl.gov/tcpdump.tar.z
- Libpcap: ftp://ftp.ee.lbl.gov/libpcap.tar.z, a portable framework for capturing low-level network traffic
- An improved version:
- A Windows version:
- Wireshark:

TCPDump Behavior
- Most OSes require root access to run the program.
- By default, it reads all network traffic from the interface.
- It writes the output to the console.
- Command line options are available to alter the default behavior.

Filters
- Filter: specifies the records that you are interested in collecting.
- Filter language: denotes the field(s) that should be examined and the conditions they must meet, e.g. "tcpdump tcp" (capture only TCP packets).

Options
- Filter can be stored in a file: -F filename
- Output formats:
  - Readable (default format for console display)
  - Binary (default format for file storage; less space, faster)
- To write to a file: -w filename
- To read from a saved file: -r filename

Sample Output
23:29: spider.3224 > servercentral.net.6020: . ack win
23:29: servercentral.net.6020 > spider.3224: P 36517:37969(1452) ack 1 win 5840 (DF)
23:29: daffy.pmatulis.homeunix.net.netbios-ns > netbios-ns: nbt-query-req-bcast
23:29: daffy.pmatulis.homeunix.net.netbios-ns > netbios-ns: nbt-query-req-bcast
23:29: mudra.pmatulis.homeunix.net.netbios-ns > daffy.pmatulis.homeunix.net.netbios-ns: nbt-query-positive-resp (DF)

Binary Format (Hex)

Data Selection
To select the first "snaplen" bytes of each packet, use -s snaplen.
- > tcpdump -s 1514 (max. Ethernet length + link layer header)
- > tcpdump -s 68 (just the headers)

Sample Ethernet Packet
Layout: Frame Header (14 bytes) | IP Header (20 bytes) | TCP Header (20 bytes) | TCP Data | 14 bytes
- Ethernet Frame: the whole unit
- IP Datagram: everything after the frame header
- Embedded protocol (TCP, UDP, ICMP): carried inside the IP datagram

Understanding the Output
Sample line: 09:32:43: nmap.edu.1173 > dns.net.21 S : (0) win 512
- Time stamp (09:32:43:): hh:mm:ss followed by fraction of a second
- Source host name, or the IP number (nmap.edu)
- Source port number, or service (1173)
- Directional flow (>)
- Destination host name (dns.net)
- Destination port number (21 for FTP)
- TCP flag (S, ack, F, R, P, urg, .)
- Beginning TCP sequence number : ending TCP sequence number (data bytes)
- Receiving buffer (window) size in bytes for this connection (win 512)

UDP datagram
Sample line: 15:22: orac.erg.abdn.ac.uk.1052 > : udp 110
- Timestamp: 15:22:
- Source address: orac.erg.abdn.ac.uk
- Source port: 1052
- Destination address
- Destination port
- Protocol: udp
- Size: 110

TCP datagram
Sample line: 16:23: churchward.erg.abdn.ac.uk > gordon.erg.abdn.ac.uk.32772: P 12765:12925(160) ack win (DF)
- Timestamp: 16:23:
- Source address: churchward.erg.abdn.ac.uk
- Source port
- Destination address: gordon.erg.abdn.ac.uk
- Destination port: 32772
- PUSH flag is set: P
- Sequence number 12765: contained data up to but not including 12925; number of user data bytes (160)
- Details of acknowledgements: ack
- Window size: win
- Do not fragment: (DF)
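A parser for the tcpdump line format annotated in the three walkthroughs above, added here as an example (not code from the slides or from tcpdump itself), plus a defender's first-pass check over the parsed records: bare SYNs to many ports from one source, the pattern the nmap.edu sample line hints at. The sample lines are constructed; ports, sequence numbers and the "resolver.example" host are made up, while the host names are the ones used on the slides.

```python
import re

# Parser for the classic tcpdump line format the slides annotate field by
# field.  Added illustration, not the slides' or tcpdump's own code.  The
# sample lines are constructed (ports, sequence numbers and the "resolver"
# host are made up); host names are the ones used on the slides.
SAMPLE = """\
09:32:43.012345 nmap.edu.1173 > dns.net.21: S 1234567:1234567(0) win 512
09:32:43.112345 nmap.edu.1173 > dns.net.22: S 1234568:1234568(0) win 512
09:32:43.212345 nmap.edu.1173 > dns.net.23: S 1234569:1234569(0) win 512
16:23:10.400000 churchward.erg.abdn.ac.uk.2000 > gordon.erg.abdn.ac.uk.32772: P 12765:12925(160) ack 1 win 5840 (DF)
15:22:05.000000 orac.erg.abdn.ac.uk.1052 > resolver.example.53: udp 110
"""

# timestamp  src.port > dst.port:  FLAGS  start:end(len)  ack N  win W  (DF)
TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?) "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"(?P<flags>[SFRPU.]+) "                       # '.' = no flag set
    r"(?:(?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?"
    r"win (?P<win>\d+)"
    r"(?P<df> \(DF\))?$")
UDP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?) "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"udp (?P<len>\d+)$")

def parse_line(line):
    """Return a dict of the fields in one tcpdump line, or None if unparsed."""
    m = TCP_RE.match(line)
    if m:
        d = m.groupdict()
        return {"proto": "tcp", "ts": d["ts"], "src": d["src"], "sport": d["sport"],
                "dst": d["dst"], "dport": d["dport"], "flags": d["flags"],
                "seq": (int(d["seq_start"]), int(d["seq_end"])) if d["seq_start"] else None,
                "len": int(d["len"]) if d["len"] else 0,
                "ack": int(d["ack"]) if d["ack"] else None,
                "win": int(d["win"]), "df": d["df"] is not None}
    m = UDP_RE.match(line)
    if m:
        d = m.groupdict()
        return {"proto": "udp", "ts": d["ts"], "src": d["src"], "sport": d["sport"],
                "dst": d["dst"], "dport": d["dport"], "len": int(d["len"])}
    return None

def parse_capture(text):
    """Parse every non-empty line; lines in an unknown format are dropped."""
    return [r for r in map(parse_line, text.splitlines()) if r]

def syn_only_by_source(records):
    """Distinct destination ports each source probed with a bare SYN (flag 'S'
    and no ack).  One host hitting many ports this way is what a SYN scan
    looks like in a tcpdump log, so it is a cheap first-pass detector."""
    ports = {}
    for r in records:
        if r["proto"] == "tcp" and r["flags"] == "S" and r["ack"] is None:
            ports.setdefault(r["src"], set()).add(r["dport"])
    return {src: len(p) for src, p in ports.items()}

if __name__ == "__main__":
    recs = parse_capture(SAMPLE)
    print("bare-SYN ports per source:", syn_only_by_source(recs))
```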

Time Stamps
- -t suppresses the timestamp output:
  orac.erg.abdn.ac.uk.1052 > : udp 597
- -tt gives an unformatted time stamp; this value is a count in seconds from the OS clock initial value:
  orac.erg.abdn.ac.uk.1052 > : udp 520
- -tttt gives the interval between the packet received and the previous packet:
  orac.erg.abdn.ac.uk.1052 > : udp
  orac.erg.abdn.ac.uk.1052 > : udp

Addresses and Ports
- To capture all traffic with host churchward as source or destination address: tcpdump host churchward
- To capture all traffic with TCP or UDP source or destination port 53: tcpdump port 53
- To capture all traffic with source address churchward: tcpdump src host churchward
- To capture all traffic with destination TCP or UDP port 53: tcpdump dst port 53
- To capture all TCP traffic with source address churchward: tcpdump tcp src host churchward
- To capture all traffic with destination UDP port 53: tcpdump udp dst port 53

Logical Operators
Expressions can be combined using AND and OR, with the additional use of NOT.
- tcpdump src host churchward and udp dst port 53
- tcpdump dst or dst
- tcpdump dst and not src

TCPDump Flags
- SYN (S): session establishment request.
- ACK (ack): acknowledges the receipt of data. May piggyback with other flags.
- FIN (F): session termination request.
- RESET (R): immediately abort the session.
- PUSH (P): send the data out immediately; responsiveness over efficiency.
- URGENT (urg): urgent data that should take precedence over other data (for example, a Control-C to abort an FTP download).
- Placeholder (.): no flag is set.
Note: the six flags are not mutually exclusive. It is very common to see P and A together.

Wireshark
Wireshark is very similar to tcpdump, but has a graphical front-end plus some integrated sorting and filtering options.

Basic WIRESHARK features
- Supports hundreds of protocols
- Live capture and offline analysis
- Multiplatform support: Windows, Linux, Solaris, Mac
- Multi-media support: Ethernet, ATM, etc.
- Rich VoIP analysis
- Captured data browsing in GUI or in TTY mode (TSHARK)
- Reads/writes many different capture file formats: tcpdump (libpcap), MS Network Monitor, Network General Sniffer®, RADCOM WAN/LAN Analyzer and many others
- Output can be exported to XML, PostScript® or simple text

Basic Network packet capturing - 1
When you activate WIRESHARK you get the following view (screenshot).

Basic Network packet capturing - 2 (screenshot)

Basic Network packet capturing - 3 (screenshot)

Basic Network packet capturing - 4 (screenshot)

WIRESHARK preferences
The GUI can be changed for:
- GUI layout
- Columns
- Time format
- Coloring preferences
- Field values for specific protocols
- ...
Different profiles can be defined and saved.

Basic displayed/captured packet manipulations
- Forcing a protocol decode onto a packet whose protocol is unknown
- Marking a packet or a group of packets
- Saving all or part of the captured packets
- Exporting a trace
- Printing all or part of the captured packets

Display filtering
- By arranging the display (sort field/order changed):
  - Sort order of time/packet number
  - Sort order per IP/MAC address of source/destination
  - Sort order per protocol
- By marking specific packets manually
- By configuring filters for:
  - Address
  - Protocol
  - Protocol field value
  - Frame length
  - String

Display filtering - by changing display sort order (screenshot)

Some simple filter examples
- ip.addr ==
- ip.src !=
- sip.Method == REGISTER
- h263.unrestricted_motion_vector == 0
- sip.from.addr ==
- h245.masterSlaveDetermination

Capture filtering
- When capturing packets, they are stored in temporary files on the computer.
- We can configure WIRESHARK to capture packets directly to a single file or to multiple files.
- For heavy-traffic or long-duration capturing, the file/buffer sizes might overwhelm the computer or even crash it.
- To prevent accumulating huge files, if we know what we are looking for we should apply capture filtering.

Capture filtering (screenshot)

Statistics menu: Statistics > Summary

Other Tools
- Ethereal: free; can be used on Windows or Unix
- Etherape: like Ethereal, GUI
- Snort: open source; capable of real-time traffic analysis and logging

Snort can act as
- a straight packet sniffer like tcpdump,
- a packet logger, or
- a full-blown network intrusion detection system.