PACKET SNIFFING Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.

Sniffing

Overview
– Basics: promiscuous mode, capture driver, tcpdump filter syntax
– Capture filters
– Wireshark GUI
– Display filters

Packet Sniffing
A.k.a. network analysis, protocol analysis or packet analysis: the process of capturing network traffic and inspecting it closely to determine what is happening on the network. A sniffer displays the captured traffic in a decoded, human-readable format.
A sniffer can be a standalone hardware device with specialized software (for example a dedicated capture adapter such as AirPcap for Wi-Fi) or a software application running on an ordinary host.

Dangers of Sniffing
Many protocols were designed without security in mind. Information such as user names and passwords is transmitted in clear text by Telnet, SMTP, POP, IMAP, FTP, etc. An attacker who can capture the traffic of these protocols can read this information directly off the wire.
Sniffing happens at the lowest layers, in the NIC and its driver (Layers 1 and 2), below the protocol stack. Higher-level protocols have no way to detect that their traffic is being captured; they will never tell the user, "Your password has been sniffed!" The only real protection is to stop sending secrets in the clear (SSH instead of Telnet, TLS-protected SMTP/POP/IMAP, SFTP or FTPS instead of FTP).

White-Hat Sniffing
Many security tools capture network traffic, extract information from the packets and look for malicious patterns in the traffic.
Snort, the "sniffer on steroids":
– Started as a sniffer.
– Has packet sniffer, packet logger and network intrusion detection (NIDS) modes.

Packet Sniffing
A sniffer listens on, or "sniffs", a network segment. Its network interface card (NIC) is placed in promiscuous mode so that it accepts every frame on the wire, not just those addressed to the host it is installed on.

Normal Mode (figure)
The NIC passes up to the operating system only frames addressed to its own MAC address, plus broadcast and subscribed multicast frames; everything else is discarded by the hardware.

Promiscuous Mode (figure)
The NIC passes up every frame it receives, regardless of destination MAC address, so the sniffer sees all traffic on the segment.
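The two figures above describe what the NIC keeps in each mode. The following Python is an added example, not part of the original slides, showing how a sniffer on Linux actually requests promiscuous mode (a PACKET_ADD_MEMBERSHIP / PACKET_MR_PROMISC request on a raw AF_PACKET socket, the mechanism libpcap uses) and, in is_for_me, the normal-mode acceptance rule that promiscuous mode switches off. The numeric constants are copied from the Linux headers because the socket module does not export them all; capturing requires CAP_NET_RAW (root), while is_for_me and packet_mreq run anywhere.

```python
import socket
import struct

# Constants from linux/if_ether.h and linux/if_packet.h (not all exported by the socket module).
ETH_P_ALL = 0x0003            # receive frames of every EtherType
SOL_PACKET = 263
PACKET_ADD_MEMBERSHIP = 1
PACKET_MR_PROMISC = 1


def packet_mreq(ifindex: int) -> bytes:
    """struct packet_mreq { int mr_ifindex; unsigned short mr_type;
    unsigned short mr_alen; unsigned char mr_address[8]; }
    filled in to request promiscuous mode on one interface (16 bytes)."""
    return struct.pack("@iHH8s", ifindex, PACKET_MR_PROMISC, 0, b"\0" * 8)


def open_capture_socket(ifname: str, promiscuous: bool = True) -> socket.socket:
    """Raw link-layer socket bound to ifname. With promiscuous=False it delivers
    only what the NIC accepts in normal mode (own MAC, broadcast, subscribed
    multicast); with promiscuous=True the kernel asks the NIC for every frame.
    Linux only; needs CAP_NET_RAW."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    if promiscuous:
        s.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP,
                     packet_mreq(socket.if_nametoindex(ifname)))
    return s


def is_for_me(frame: bytes, my_mac: bytes) -> bool:
    """The normal-mode filter: keep unicast to our MAC, broadcast, or multicast
    (low bit of the first destination octet set). Promiscuous mode skips this test."""
    dst = frame[:6]
    return dst == my_mac or dst == b"\xff" * 6 or bool(dst[0] & 0x01)


def capture(ifname: str, count: int = 10, promiscuous: bool = True):
    """Read `count` frames and summarize each as (dst_mac, src_mac, ethertype, length)."""
    s = open_capture_socket(ifname, promiscuous)
    rows = []
    try:
        while len(rows) < count:
            frame = s.recv(65535)
            etype = struct.unpack("!H", frame[12:14])[0]
            rows.append((frame[:6].hex(":"), frame[6:12].hex(":"), etype, len(frame)))
    finally:
        s.close()
    return rows


if __name__ == "__main__":
    import sys
    for row in capture(sys.argv[1] if len(sys.argv) > 1 else "eth0"):
        print(row)
```

Run it as root with the interface name as the argument and compare the destination MACs you see with promiscuous=True and promiscuous=False: in normal mode every row satisfies is_for_me; in promiscuous mode, on a hub or a mirrored port, unicast frames between other hosts appear as well.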

Passive vs Active Sniffing
Traditionally sniffing was straightforward: most computers were connected through hubs, which repeat every frame out of every port, so a host in promiscuous mode saw everything.
The increasing use of switches changed the landscape. A switch keeps a table (the CAM or MAC address table) that maps the MAC addresses of the computers on the network to the switch ports they were learned on, and it forwards a unicast frame only to the port of its destination MAC (e.g., Alice to Bob in the previous figure). No other port sees that frame. A frame is flooded to all ports only when the destination MAC is not yet in the table (for instance the first time a host is contacted) or when it is a broadcast or multicast frame.

Passive vs Active Sniffing
Switches therefore defeat purely passive sniffing: each switch port is its own collision domain, and unicast traffic between two hosts is delivered only to those two ports. (The broadcast domain is unchanged; broadcasts still reach every port of the VLAN.)
It is still possible to sniff a switched network by attacking it actively:
– MAC flooding sends frames with thousands of bogus source MACs until the switch's address table is full. Many switches then fail open and flood unicast frames out of every port, behaving like a hub.
– ARP poisoning (ARP spoofing) does not fool the switch but the hosts: the attacker sends forged ARP replies so that the victim (and often the gateway) maps the other party's IP address to the attacker's MAC. The switch then correctly delivers the traffic to the attacker, who forwards it to the real destination and reads it in transit (a man-in-the-middle).
Defenses on the switch side: port security (limiting MACs per port) against flooding, and Dynamic ARP Inspection or static ARP entries against poisoning.
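ARP poisoning leaves a visible trace on the wire: forged replies that nobody requested, and one IP address claimed by two MAC addresses. The Python below is an added example, not part of the original slides, of the detection logic a passive monitor (the white-hat sniffer from earlier) can run over ARP traffic. The frame builder, the 10.0.0.x addresses and the MACs are constructed test data; real detectors add a time window and a list of known-good gateway bindings, as noted in the comments.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac="ff:ff:ff:ff:ff:ff"):
    """Constructed Ethernet + ARP (Ethernet/IPv4) frame used as test data."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype, ptype, hlen, plen, opcode
           + mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
           + mac_bytes(target_mac) + socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Decode an Ethernet/IPv4 ARP frame; None for anything else."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": socket.inet_ntoa(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": socket.inet_ntoa(frame[38:42])}


def detect_arp_poisoning(frames):
    """Two signals a passive monitor can use:
    1. a reply for an IP nobody asked about (unsolicited; gratuitous ARP on link-up
       looks the same, so alone this is a weak indicator), and
    2. one IP address claimed by two different MACs (the strong signal).
    Production tools add a time window and known-good gateway bindings."""
    ip_to_mac = {}
    pending = set()            # IPs asked for by a request and not yet answered
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        if arp["op"] == ARP_REQUEST:
            pending.add(arp["target_ip"])
            continue
        if arp["op"] != ARP_REPLY:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in pending:
            pending.discard(ip)
        else:
            alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"conflict: {ip} was {known}, now claimed by {mac}")
    return alerts


# Constructed scenario: the victim asks for the gateway, the real gateway answers,
# then an attacker sends a forged reply for the same IP carrying its own MAC.
GW_IP, GW_MAC = "10.0.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.5", "00:11:22:33:44:05"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GW_IP),
    build_arp(ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP, dst_mac=VICTIM_MAC),
    build_arp(ARP_REPLY, ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP, dst_mac=VICTIM_MAC),
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_FRAMES):
        print(alert)
```

The forged reply triggers both signals at once; a legitimate gateway replacement (new router, same IP) triggers only the conflict, which is why the alert text records the previous MAC for the analyst.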

Components of a Sniffer
– Capture driver: obtains raw frames from the NIC.
– Buffer: holds captured frames until they are processed or written to disk.
– Decoder: interprets the binary data and displays it in a readable format.
– Packet analyzer: sniffers usually provide real-time analysis of the captured packets.

Capture Drivers
An operating system handles the low-level details of networking, and modern OSes provide protocol stacks for network communications. Using the OS's native network functionality for capturing, however, involves complex interfaces and semantics.
– Sniffers therefore want direct access to the raw network data, without interference from the OS's protocol stacks. A capture driver provides that access.
– The capture driver must be installed before a sniffer can capture (on Windows it is a separate installation; on Linux it is the libpcap library on top of the kernel's packet socket interface).

Capture Drivers
The Packet Capture (pcap) library provides a common API for programmers.
– libpcap (Unix/Linux): the original library.
– WinPcap (Windows): the Windows port of the well-known libpcap API; for years the packet capture and filtering engine of many open-source and commercial network tools. WinPcap is no longer maintained; current Wireshark releases on Windows install its successor, Npcap, instead.

Wireshark
– Formerly Ethereal; renamed Wireshark in 2006 for trademark reasons when its author changed employers.
– Easier to read and understand output format.
– Rich display filters.
– Extensive support for many OSes, protocol formats and media.
Obtaining Wireshark: download it from the Wireshark project site.

tcpdump Syntax
Wireshark's capture filters use the pcap library's filter mechanism (BPF), which is why they are often called tcpdump filters. The filter syntax is documented in the pcap-filter manual page (historically part of the tcpdump manpage). Any program built on pcap, such as tcpdump or Wireshark, accepts this syntax for capture filters.
Only packets that match the expression are captured; if no expression is given, all packets are captured.

Filters
There are two types of filters in Wireshark.
– Capture filters work during packet capture. They let you be selective about which packets are captured for analysis. This reduces the size of capture files and eliminates irrelevant packets (which can be numerous). On busy networks with slow computers this may be the only way for the sniffer to keep up with the traffic. Packets rejected by a capture filter are gone for good.
– Display filters work when you analyze a capture. They reduce clutter in the interface and facilitate analysis, but they do not remove captured packets; clear the filter and all captured packets reappear.
Important: the two types have different syntax! Capture filters use pcap/tcpdump syntax (e.g., tcp port 80); display filters use Wireshark's own field-based syntax (e.g., tcp.port == 80).

Capture Filter Examples
To capture only packets that originate from (or are destined to) an IP address, use the src (or dst) modifier; host is the default type qualifier, so it may be omitted:
– src host <address> (or src <address>)
– dst host <address> (or dst <address>)
Packets can also be filtered by MAC address with the ether qualifier:
– ether host ff:ff:ff:ff:ff:ff (all broadcast frames; ether dst ff:ff:ff:ff:ff:ff matches the same frames)
– ether src host 00:f9:06:aa:01:03
– ether src 00:f9:06:aa:01:03 (equivalent to the previous line)

Capture Filter Examples
To capture packets sent from or to a certain port:
– port 53 (all DNS traffic, TCP and UDP)
– tcp port 53 (TCP DNS traffic only, e.g., zone transfers and large responses)
– udp dst port 53 (queries sent to a DNS server)
– udp src port 53 (replies from a DNS server)

Numeric Operators – Capture
The pcap syntax compares packet fields (e.g., len, or bytes addressed as proto[offset:size]) with these relational operators:
– > greater than
– >= greater than or equal to
– < less than
– <= less than or equal to
– = (or ==) equal to
– != not equal to
Arithmetic and bit-wise operators (+, -, *, /, &, |, ^, <<, >>) are also available, e.g., tcp[13] & 0x02 != 0 matches segments with the SYN flag set.

Logical Operators – Capture
Used to build compound filters:
– not reverses the value of a test.
– and is true when both conditions are true.
– or is true when either condition is true.
not has the highest precedence; and and or have equal precedence and are evaluated left to right in the order written in the capture filter. Use parentheses to force the grouping you need (and to make the filter easier to read; remember to quote them on a shell command line):
– (src <address> and port 80) or port 20: HTTP traffic from the host plus all FTP-data traffic on the network.
– src <address> and (port 80 or port 20): HTTP and FTP-data traffic from the host only.

Logical Operators – Capture
To capture any TCP or UDP packets with a source or destination port of 53:
– port 53
To capture everything except TCP or UDP packets with a source or destination port of 53:
– not port 53
To capture Telnet packets to or from a host:
– host <address> and port telnet
To combine a port telnet or port ssh test with a test for the host, use and, but parentheses are required because of the left-to-right evaluation:
– host <address> and (port telnet or port ssh)
Without the parentheses, host <address> and port telnet or port ssh would also capture SSH traffic to and from every host.

Protocol Keywords – Capture
– arp: Address Resolution Protocol
– icmp: Internet Control Message Protocol (for example, the filter icmp captures all ICMP packets)
– ip: Internet Protocol version 4
– ip6: Internet Protocol version 6
– netbeui: NetBIOS Extended User Interface
– tcp: Transmission Control Protocol
– udp: User Datagram Protocol

Saving Capture Files
Wireshark can save captured packets to a file in several formats.
– You can save all packets or only a subset (e.g., the packets currently shown by a display filter).
These capture files can then be opened by other programs that understand the format, such as tcpdump, Microsoft Network Monitor, Novell LANalyzer, etc.
Select File | Save As. The Save Capture File As dialog box lets you choose the file format and the location where you would like to save the file. Note that current Wireshark versions default to pcapng; choose the classic pcap (libpcap) format when the file must be read by older tools that do not understand pcapng.
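Interoperability between sniffers rests on the classic pcap file layout: a 24-byte global header (magic number, version 2.4, snaplen, link type) followed by a 16-byte record header plus frame data for each packet. The Python below is an added example, not part of the original slides, that writes that format and reads it back, using the magic number to detect byte order and timestamp resolution and refusing a pcapng file with a clear message. Frame contents and timestamps in the sample are constructed.

```python
import struct

LINKTYPE_ETHERNET = 1
PCAP_MAGIC_USEC = 0xA1B2C3D4            # classic pcap, microsecond timestamps

# magic bytes as they appear on disk -> (struct byte-order prefix, timestamp divisor)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),       # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),       # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),   # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),   # big-endian, nanoseconds
}


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET, endian="<"):
    # magic, major 2, minor 4, thiszone (GMT offset), sigfigs, snaplen, link type
    return struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame, ts, snaplen=65535, endian="<"):
    """Per-packet header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire).
    incl_len < orig_len is how a capture records that snaplen truncated the frame."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    saved = frame[:snaplen]
    return struct.pack(endian + "IIII", sec, usec, len(saved), len(frame)) + saved


def pcap_bytes(frames, ts0=1_700_000_000.0, snaplen=65535):
    """Serialize frames as a complete classic pcap file, 1 ms apart starting at ts0."""
    out = bytearray(pcap_global_header(snaplen))
    for i, frame in enumerate(frames):
        out += pcap_record(frame, ts0 + i / 1000, snaplen)
    return bytes(out)


def write_pcap(path, frames, **kw):
    with open(path, "wb") as f:
        f.write(pcap_bytes(frames, **kw))


def is_pcapng(data: bytes) -> bool:
    return data[:4] == b"\x0a\x0d\x0d\x0a"   # pcapng Section Header Block type


def detect_format(data: bytes):
    """Return (endian, timestamp divisor) for classic pcap; raise for anything else."""
    if is_pcapng(data):
        raise ValueError("pcapng file (Wireshark's default): re-save as pcap for classic readers")
    try:
        return MAGICS[data[:4]]
    except KeyError:
        raise ValueError("not a pcap file") from None


def parse_pcap(data: bytes):
    """Return (linktype, snaplen, [(timestamp, orig_len, frame_bytes), ...])."""
    endian, divisor = detect_format(data)
    _magic, _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    pos, records = 24, []
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("truncated record header")
        sec, frac, incl, orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        frame = data[pos:pos + incl]
        if len(frame) != incl:
            raise ValueError("truncated packet data (capture cut short?)")
        pos += incl
        records.append((sec + frac / divisor, orig, frame))
    return linktype, snaplen, records


# Constructed sample: two dummy frames, the second one longer than the snaplen.
SAMPLE_FRAMES = [b"\x01\x02\x03", b"\x04" * 60]

if __name__ == "__main__":
    lt, sl, recs = parse_pcap(pcap_bytes(SAMPLE_FRAMES, snaplen=40))
    for ts, orig, frame in recs:
        print(f"{ts:.6f} on-wire={orig} saved={len(frame)} linktype={lt}")
```

A file written by write_pcap opens in Wireshark and tcpdump as-is; the record fields are also the reason a truncated capture shows "Packet size limited during capture" in the Summary pane.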

Wireshark Interface (figure)
The main window has three panes, top to bottom: the Summary pane (packet list), the Protocol Tree pane (packet details) and the Data View pane (packet bytes).

Summary Pane
Displays a summary of each packet in the capture, one per line, in one or more columns. Typical columns:
– Frame number.
– Time from the beginning of the capture to when the packet was captured (in seconds).
– Highest-level source address. This is frequently the IP (Internet Protocol) source address, but may also be a MAC or other address.
– Destination address.
– The highest-level protocol decoded.
– Information that the highest-level decoder determined to be useful or informative.

Protocol Tree Pane
For each protocol in the packet there is a tree node summarizing it, which can be expanded to show the values of that protocol's fields. Any node with a subtree can be expanded to reveal more information or collapsed to show only the summary.
When a field in the Protocol Tree pane is selected, the bytes corresponding to that field are highlighted in the Data View pane.

Data View Pane
Contains a series of rows. Each row begins with a four-digit hexadecimal number: the offset, in bytes, of the first octet in that row from the beginning of the packet. The offset is followed by sixteen bytes shown as two-character hexadecimal values. The last item in each row is the same sixteen bytes rendered as ASCII characters; bytes that are not printable ASCII are shown as a period (.) placeholder.
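The Data View layout is simple enough to reproduce, which is useful when you need to turn bytes pasted from Wireshark back into data (for a replay, a fuzzer seed, or a unit test). The Python below is an added example, not code from the original slides, implementing the pane's format in both directions; the HTTP request used as sample input is constructed. parse_hexdump reads only the fixed-width hex column, so ASCII that happens to look like hex, or that contains spaces, cannot corrupt the result.

```python
def hexdump(packet: bytes, width: int = 16) -> str:
    """Render bytes in the Data View layout: a four-hex-digit offset, `width`
    two-character hex bytes, then the same bytes as ASCII with '.' standing in
    for anything outside printable ASCII (0x20..0x7e)."""
    rows = []
    for off in range(0, len(packet), width):
        chunk = packet[off:off + width]
        hex_col = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_col = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        rows.append(f"{off:04x}  {hex_col}  {ascii_col}")
    return "\n".join(rows)


def parse_hexdump(text: str, width: int = 16) -> bytes:
    """Inverse of hexdump: recover the bytes from a pasted dump. The offset column is
    dropped and only the fixed-width hex column is decoded; the ASCII column is ignored."""
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        _offset, rest = line.split("  ", 1)
        out += bytes.fromhex(rest[:width * 3 - 1].replace(" ", ""))
    return bytes(out)


# Constructed sample input: a minimal HTTP request (38 bytes, so three rows).
SAMPLE = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print(hexdump(SAMPLE))
```

The CR/LF pairs show up as ".." in the ASCII column, exactly as they do in Wireshark; the round trip through parse_hexdump returns the original bytes for any input, including all 256 byte values.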

Display Filters
For almost every item you see in the protocol tree in the middle pane of the Wireshark GUI, Wireshark has a field name that you can use in a display filter. If you highlight a field in the protocol tree, Wireshark shows its display-filter field name on the right-hand side of the status bar at the bottom of the window.

Filter Bar
A display filter uses Wireshark's own field-based syntax (not the tcpdump capture-filter syntax) to define the conditions for including a packet in the Summary pane. Only packets that match the display filter string are displayed.

Display Filter Operators
– > or gt: greater than
– >= or ge: greater than or equal to
– < or lt: less than
– <= or le: less than or equal to
– == or eq: equal to
– != or ne: not equal to
– contains: a string or byte string is found within the field

Display Filter Examples
Packets from (or to) a certain IP address (or host name):
– ip.src == <address>
– ip.dst == <address>

Logical Operators – Display
Used to build compound filters:
– not reverses the value of a test.
– and is true when both conditions are true.
– or is true when either condition is true.
Examples:
– ip.src == <address A> and ip.dst == <address B>
– ip.addr == <address A> or ip.addr == <address B>
(ip.addr matches either the source or the destination address.)

Logical Operators – Display
Do not rely on the relative precedence of and and or; use parentheses so that the conditions are evaluated in the order you intend. not binds most tightly, so it applies only to the test immediately after it:
– not eth.dst eq ff:ff:ff:ff:ff:ff and ip.len gt 1000
All IP packets with a length greater than 1000 bytes that are not broadcasts. No broadcast packets will be shown.
– not (eth.dst eq ff:ff:ff:ff:ff:ff and ip.len gt 1000)
All IP packets except broadcasts longer than 1000 bytes. Broadcast packets with a length of 1000 bytes or less will be shown.

Filter Expression Dialog Box
Wireshark provides a user interface that lets you browse the available protocols and fields and construct a display filter. From the Display Filter window, click the Add Expression button. In the Filter Expression dialog box:
– On the left is a list of all protocols.
– Each protocol that has fields can be opened by clicking the square next to the protocol's name; a list of the protocol's fields is then displayed.
– When a field name is selected in the list, the relations that apply to that field are shown in the Relation list. The relations are: is present, ==, !=, >, >=, <, <= and contains.

Filter Expression Dialog Box
The default relation is "is present", which does not require a value to compare against. If you select a relation that does require a comparison value, a Value text entry box appears to the right of the Relation list. If the field can be sliced into ranges (byte slices), a Range text entry box appears under the Relation list.

Filter Expression Dialog Box
Once you click Accept, Wireshark puts the display filter into the Filter string text entry box of the Display Filter dialog box at the current cursor position. Thus, after creating one expression, you can type a logical operator (and or or) into the Filter string box and click Add Expression again to build a compound filter.

Follow TCP Stream
Analyze | Follow TCP Stream (Analyze | Follow | TCP Stream in current versions) reassembles the payload of a single TCP conversation, in sequence order, from the captured segments and shows both directions as one readable dialogue. For clear-text protocols such as Telnet, FTP or POP this turns a pile of packets into the login session itself, which is exactly the danger described earlier.
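What Follow TCP Stream does, and why the clear-text protocols listed under Dangers of Sniffing give up their credentials, is easiest to see by doing it by hand. The Python below is an added example, not part of the original slides: it decodes Ethernet/IPv4/TCP, reassembles one conversation per direction by sequence number (discarding retransmissions, trimming overlaps and marking gaps), and then pulls the FTP USER and PASS lines out of the client side. The frames, addresses, port 40000 and the alice/hunter2 login are constructed test data; the builder leaves the TCP checksum at zero, which Wireshark would flag but which does not affect reassembly.

```python
import re
import socket
import struct


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used here for the IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src, dst, seq, payload, flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame (test data). src and dst are (ip, port);
    MACs are placeholders and the TCP checksum is left at 0."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src[0]), socket.inet_aton(dst[0]))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("001122334466") + b"\x08\x00"
    return eth + ip + tcp


def parse_frame(frame: bytes):
    """Decode Ethernet -> IPv4 -> TCP; None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return {"src": (socket.inet_ntoa(ip[12:16]), sport),
            "dst": (socket.inet_ntoa(ip[16:20]), dport),
            "seq": seq, "data": tcp[doff:]}


def follow_tcp_stream(frames, client, server):
    """Reassemble both directions of one conversation, as Follow TCP Stream does.
    Segments are ordered by sequence number; retransmissions and overlaps are dropped,
    and a gap (lost segment) is marked rather than silently concatenated."""
    segments = {"client": [], "server": []}
    for frame in frames:
        p = parse_frame(frame)
        if p is None or not p["data"]:
            continue
        if p["src"] == client and p["dst"] == server:
            segments["client"].append((p["seq"], p["data"]))
        elif p["src"] == server and p["dst"] == client:
            segments["server"].append((p["seq"], p["data"]))
    streams = {}
    for side, segs in segments.items():
        buf, nxt = b"", None
        for seq, data in sorted(segs):
            end = seq + len(data)
            if nxt is None:
                nxt = seq
            if end <= nxt:
                continue                      # pure retransmission: nothing new
            if seq < nxt:
                data = data[nxt - seq:]       # partial overlap: keep only the new bytes
            elif seq > nxt:
                buf += b"[%d bytes missing]" % (seq - nxt)
            buf += data
            nxt = end
        streams[side] = buf
    return streams


FTP_CRED_RE = re.compile(rb"^(USER|PASS) (\S+)\r?$", re.MULTILINE)


def extract_ftp_credentials(client_stream: bytes):
    return [(k.decode(), v.decode(errors="replace")) for k, v in FTP_CRED_RE.findall(client_stream)]


CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.9", 21)
SAMPLE_FRAMES = [  # constructed FTP login, delivered out of order with one retransmission
    build_tcp_frame(SERVER, CLIENT, 5000, b"220 ftp ready\r\n"),
    build_tcp_frame(CLIENT, SERVER, 1012, b"PASS hunter2\r\n"),   # arrives before USER
    build_tcp_frame(CLIENT, SERVER, 1000, b"USER alice\r\n"),
    build_tcp_frame(SERVER, CLIENT, 5015, b"331 password required\r\n"),
    build_tcp_frame(CLIENT, SERVER, 1000, b"USER alice\r\n"),     # retransmission
    build_tcp_frame(SERVER, CLIENT, 5038, b"230 login ok\r\n"),
]

if __name__ == "__main__":
    streams = follow_tcp_stream(SAMPLE_FRAMES, CLIENT, SERVER)
    for side in ("client", "server"):
        print(f"--- {side} ---\n{streams[side].decode(errors='replace')}")
    print("credentials:", extract_ftp_credentials(streams["client"]))
```

Nothing in the capture told the sniffer it was reading a password; the TCP layer only guarantees the bytes come out in order, which is all the attacker needs. Feeding frames from a real capture (for instance, records read from a pcap file) into follow_tcp_stream works the same way, since parse_frame ignores anything that is not IPv4/TCP.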