Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Intro to Network Analyzers

Published byBeryl Daniels Modified over 7 years ago

Similar presentations

Presentation on theme: "An Intro to Network Analyzers"— Presentation transcript:

1 An Intro to Network Analyzers
References: “Introduction to Wiresharkl”, Dr. Farid Farahmand, Fall 2014 "Packet analyzer", Wikipedia, March “Wireshark User’s Guide”, For Wireshark 1.99. “Wireshark Installation & packet Chapter”, August 2011.

2 Network Analysis & Sniffing
Process of capturing, decoding, & analyzing network traffic Why is the network slow What is the network traffic pattern How is the traffic being shared between nodes Also known as traffic analysis, protocol analysis, sniffing, packet analysis, eavesdropping*, etc. *Listen secretly to what is said in private!

3 Checkout his program: sniff.c
Network Analyzer A combination of hardware & software tools what can detect, decode, & manipulate traffic on the network Passive monitoring (detection) - Difficult to detect Active (attack) Available both free & commercially Mainly software-based (utilizing OS & NIC) Also known as sniffer A program that monitors the data traveling through the network passively Common network analyzers Wireshark / Ethereal Windump Etherpeak Dsniff & much more…. Read: Basic Packet-Sniffer Construction from the Ground Up! by Chad Renfro Checkout his program: sniff.c

4 Network Analyzer - Components
Hardware NIC Card Buffer memory Special hardware devices CRC & Parity Errors Monitoring voltage fluctuation Jitter (random timing variation) Jabber (failure to handle electrical signals) Capture driver capturing the data or disk-based Real-time analysis analyzing the traffic in real time; detecting any intrusions Decoder making data readable Capturing the data is easy! The question is what to do with it!

5 Who Uses Network Analyzers
System administrators Identify system problems & Analyze performance Malicious individuals (intruders) Capture cleartext data Passively collect data on vulnerable protocols FTP , HTTP, IMAP, POP3, rlogin, SNTP, etc. Capture VoIP data Mapping the target network Traffic pattern discovery Actively break into the network (backdoor techniques) Test engineers Protocol analyzers can also generate traffic & thus act as the reference device IMAP = Internet Message Access Protocol POP3 = Post Office Protocol version 3 (Internet protocol) HTTP = Hypertext Transfer Protocol (world wide web protocol) SNTP = Simple Network Time Protocol

6 Basic Operation Ethernet traffic is broadcast to all nodes on the same segment Sniffer can capture all the incoming data when the NIC is in promiscuous (not restricted to one port) mode: ifconfig eth0 promisc ifconfig eth0 –promisc Default setup is non-promiscuous restricted - only receives the data destined for the NIC Note: hub receives all the data! If switches are used the sniffer must perform port spanning Also known as port mirroring The traffic to each port is mirrored to the sniffer Promiscuous = not restricted to one port (go to all port as in a Hub) Non-promiscuous = restricted to one port (as in a Switch) Sniffer on a switch need to have extra feature that artificially copies unicast packets that host sends to the sniffer port (port spaning). Span Terminology

7 Port Monitoring Assume the sniffer port 5) is to monitor the data on computer A (port 1). Port 5 needs first to be spanned to port 1 (port spanning). The sniffer can now monitor the data destined to Computer A.

8 Review: Hub, Switch, & Span Port
If you want to capture Ethernet traffic that is sent by host A to host B, & both are connected to a HUB, Just attach a sniffer to this hub. All other ports see the traffic between hosts A & B. On a SWITCH, after the host B MAC address is learned, unicast traffic from A to B is only forwarded to the B port. Therefore, the sniffer DOES NOT see this traffic: An extra feature is necessary that artificially copies unicast packets that host A sends to the sniffer port. Here, the sniffer is attached to a port that is CONFIGURED to receive a copy of every packet that host A sends. This port is called a SPAN port.

9 Protecting Against - Sniffers
Spoofing the MAC is often referred to changing the MAC address (in Linux:) ifconfig eth0 down ifconfig eth0 hw ether 00:01:02:03:04:05 ifconfig eth0 up Register the new MAC address by broadcasting it ping –c 1 –b To detect a sniffer (Linux) Download Promisc.c) ifconfig -a (search for promisc) ip link (search for promisc) To detect a sniffer (Windows) Download PromiscDetect Spoof = imitate, mock, deceive Sniffing can work if: the sniffing host is on the same Layer2 network the sniffing host does not have a firewall that blocks incoming icmp packets the sniffing host does the sniffing with an interface that has TCP/IP enabled, & thus is able to answer the ICMP packet. Remember: 00:01:02:03:04:05 MAC address (HWaddr)= Vender Address + Unique NIC #

10 Protecting Against Sniffers
Using switches can help Use encryption Making the intercepted data unreadable Note: in many protocols the packet headers are clear text! VPNs use encryption & authorization for secure communications VPN Methods Secure Shell (SSH): headers are not encrypted Secure Sockets Layer (SSL): high network level packet security; headers are not encrypted IPsec: Encrypted headers but does not use TCP or UDP Remember: Never use unauthorized Sniffers at work!

11 What is Wireshark? Formerly called Ethereal An open source program
Remember: You must have a good understanding of the network before you use Sniffers effectively! Formerly called Ethereal An open source program free with many features Decodes over 750 protocols Compatible with many other sniffers Plenty of online resources are available Supports command-line & graphical user interfaces (CLI, GUI) TSHARK (CLI) has three components Editcap similar to “Save As” to translate the format of captured packets Mergecap combines multiple saved captured files Text2pcap ASCII Hexdump captures & writes the data into a libpcap output file CLI = Command-Line Interface GUI = Graphical User Interface

12 Installing Wireshark Download the Wireshark program from
, OR UBUNDU Webpage Requires to install capture drivers monitor ports & capture all traveling packets

13 Installing Wireshark If you did not succeed, do the following.
On UBUNTU screen go to the “Dash board” Search for “Wireshark” & Install, OR Go to Firefox in UBUNTU & Google “Wireshark for Ubuntu ” & follow the instruction. You can also download it using a “Terminal” by command: sudo apt-get install wireshark If you could not see any interface for capturing, with the current configuration, you need “root” privileges to capture traffic with Wireshark (or dumpcap, for that matter). Here are the commands sudo -s usermod -a -G wireshark your-user- name chgrp wireshark /usr/bin/dumpcap chmod 4750 /usr/bin/dumpcap sudo = Super User Do You can safely run Wireshark to inspect, edit or filter packet dumps without root privileges, e.g., wireshark -i eth0 -c 5

14 Wireshark Window Menu Bar Tool Bar Filter Bar Packet List Frame view
Go to “6.12. Time display formats & time references” of Wireshark guide. Use “View” to configure time format. Frame bytes (content)

15 Packet number 8 – BGP (Boarder Gateway Prot)
Protocol Tree Window: Details of the selected packet (#8) Raw data (content of packet # 8)

16 Filtering BGP packets only
Download the following files & copy them in your HW: bgp_test tcp_stream_analysis follow_tcp_stream

17 Ethernet & IEEE 802.3 Ethernet - most popular protocol standard to enable computer communication 2nd Layer protocol Based on shared medium & broadcasting Close to IEEE 802.3 Ethernet address is called MAC address 48 bit HW address coded in the RON of the NIC card 1st 24 bits represent the vender 2nd 24 bits represent the NIC Use: “arp –a” To get the Hardware address from IP address FSC = Frame Check Sequence SOF = Start of Frame Delimiter MAC = Medium Access Control, 6-byte hardware address RON = Routing Organization Number Length in IEEE802.3 - 0x0600 (12536) or less would mean length & above 0x600 would mean type with 1550 byte for max length of payload

18 Appendixes

19 TCP/IP Stack Link * Physical Application Transport Network
Provides reliable end-to-end transport Can be connectionless (UDP) or connection oriented (TCP) Connection oriented requires ACK Network Logical addressing (IP, Internet protocol) Link * Frames & carries IP packets between adjacent network devices Physical * Data Link Layer (IEEE) has 2 sublayers: MAC (Medium Access Control): Physical addressing, moves packets from one NIC card to another LLC (Logical Link Control): Flow control, error control

20 Internet Packet (IP) Format
Physical & Link Header L3 (Internet) Header L4 (Transport) header L5 (Application) header Data (digitized data, voice, video) Headers

21 More on Installing Wireshark
Download the program from Requires to install capture drivers (monitor ports & capture all traveling packets) Linux: libpcap Windows: winpcap ( Typically the file is in TAR format (Linux) To install in Linux rpm –ivh libpcap i.386.rpm (install libpcap RPM) rpm –q libpcap (query libpcap RPM) tar –zxvf libpcap tar.gz ./config make sudo make install

22 Appendix - Installing Wireshark
Log in as the ‘root’ user Insert Fedora Code 4 Disk #4 Navigate to the following folder in the disk /Fedora/RPMS Locate packages ethereal— i386.rpm ethereal-gnome i386.rpm Copy the above packages to your system Change directory to the packages location cd <package_dir> Install Ethereal rpm –ivh ethereal— i386.rpm Install Ethereal GNOME user Interface rpm –ivh ethereal-gnome i386.rpm Packages that are needed for Installation Ethereal (available in Fedora Core 4 disk #4) ethereal— i386.rpm Ethereal GNOME User Interface ethereal-gnome i386.rpm

23 Appendix: Some Helpful References
Wireshark capture Wireshark screenshots Wireshark for TCP Wireshark for TCP & UDP Wireshark YouTube on filter

Download ppt "An Intro to Network Analyzers"

Similar presentations

Introduction to Network Analysis and Sniffer Pro

Introduction to Network Analysis and Sniffer Pro
Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.

Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.

Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.
1 Fall 2005 Internetworking: Concepts, Architecture and TCP/IP Layering Qutaibah Malluhi CSE Department Qatar University.

1 Fall 2005 Internetworking: Concepts, Architecture and TCP/IP Layering Qutaibah Malluhi CSE Department Qatar University.
OSI Model.

OSI Model.
An introduction to Network Analyzers Dr. Farid Farahmand 3/23/2009.

An introduction to Network Analyzers Dr. Farid Farahmand 3/23/2009.
Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.

Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.

Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.
Hands-On Microsoft Windows Server 2003 Networking Chapter Three TCP/IP Architecture.

Hands-On Microsoft Windows Server 2003 Networking Chapter Three TCP/IP Architecture.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.

Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 3: TCP/IP Architecture.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 3: TCP/IP Architecture.
Presentation on Osi & TCP/IP MODEL

Presentation on Osi & TCP/IP MODEL
Computer Networks.  The OSI model is a framework containing seven layers that defines the protocols and devices used at each stage of the process when.

Computer Networks.  The OSI model is a framework containing seven layers that defines the protocols and devices used at each stage of the process when.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Network Services Networking for Home and Small Businesses – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Network Services Networking for Home and Small Businesses – Chapter.
Internet Addresses. Universal Identifiers Universal Communication Service - Communication system which allows any host to communicate with any other host.

Internet Addresses. Universal Identifiers Universal Communication Service - Communication system which allows any host to communicate with any other host.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Network Services Networking for Home and Small Businesses – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Network Services Networking for Home and Small Businesses – Chapter 6.
1 7-Oct-15 OSI transport layer CCNA Exploration Semester 1 Chapter 4.

1 7-Oct-15 OSI transport layer CCNA Exploration Semester 1 Chapter 4.

Similar presentations

Ads by Google