Published by Gavin Gardner. Modified over 9 years ago.
Slide 1: Packets and Protocols, Chapter Two: Introducing Wireshark
Slide 2: What is Wireshark?
– An open source, freeware-licensed protocol analyzer
– Works in promiscuous and non-promiscuous modes
– Can capture data live or read it from a file
– Configurable GUI that is easy to read
– Supports multiple capture file formats for import and export (25 different formats)
– Can capture wired or wireless data
– Supports 750 protocols (we won't cover them all)
– Runs on over 20 different platforms
Slide 3: History
– Jerry Combs invented Ethereal in 1997 out of the need for an analysis tool
– The 1st version was released in 1998 and was a huge hit
– Prior to this, Network General's Sniffer tool dominated
Slide 4: Strengths
– Its primary strength is its large support of sniffer file formats and protocols
– There is a ridiculously large list of file formats and supported protocols on pages 55-58
Slide 5: The user interface: Summary Pane
– Packet number
– Time
– Source Address (SA)
– Destination Address (DA)
– Name of the highest-level protocol
– Information on the highest-level protocol
Slide 6: The user interface: Detail Pane
– Tree-like structure that details each layer of each packet
– Analyzes the packets within each protocol
Slide 7: The user interface: Data Pane
– Contains the raw data
– Data displayed in hex and in text
Slide 8: Analysis filters
– The recommended technique is to capture with no filters and then filter the capture file
– There are many ways to filter this data, either during the capture or during the display
Slides 9-10: Internet Protocol (IP) filter fields

Field name                    Description                          Type
ip.addr                       Source or Destination Address        IPv4 address
ip.checksum                   Header checksum                      Unsigned 16-bit integer
ip.checksum_bad               Bad Header checksum                  Boolean
ip.dsfield                    Differentiated Services field        Unsigned 8-bit integer
ip.dsfield.ce                 Explicit Congestion Notification     Unsigned 8-bit integer
ip.dsfield.dscp               Differentiated Services Codepoint    Unsigned 8-bit integer
ip.dst                        Destination                          IPv4 address
ip.flags                      Flags                                Unsigned 8-bit integer
ip.flags.df                   Don't fragment                       Boolean
ip.flags.mf                   More fragments                       Boolean
ip.frag_offset                Fragment offset                      Unsigned 16-bit integer
ip.fragment                   IP Fragment                          Frame number
ip.fragment.error             Defragmentation error                Frame number
ip.fragment.multipletails     Multiple tail fragments found        Boolean
ip.fragment.overlap           Fragment overlap                     Boolean
ip.fragment.toolongfragment   Fragment too long                    Boolean
ip.fragments                  IP fragments                         No value
ip.hdr_len                    Header length                        Unsigned 8-bit integer
ip.id                         Identification                       Unsigned 16-bit integer
ip.len                        Total length                         Unsigned 16-bit integer
ip.proto                      Protocol                             Unsigned 8-bit integer
ip.reassembled_in             Reassembled IP in frame              Frame number
ip.src                        Source                               IPv4 address
ip.tos                        Type of service                      Unsigned 8-bit integer
ip.tos.cost                   Cost                                 Boolean
ip.tos.delay                  Delay                                Boolean
ip.tos.precedence             Precedence                           Unsigned 8-bit integer
ip.tos.reliability            Reliability                          Boolean
ip.tos.throughput             Throughput                           Boolean
ip.ttl                        Time-to-live                         Unsigned 8-bit integer
ip.version                    Version                              Unsigned 8-bit integer
Slide 11: Filter modifiers

Modifier                    Designator   Symbol
Equal                       EQ           ==
Not Equal                   NE           !=
Greater Than                GT           >
Less Than                   LT           <
Greater than or Equal to    GE           >=
Less than or Equal To       LE           <=
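As an added example (not part of the slides or of Wireshark's own code), the following miniature evaluator applies display filters built from the ip.* fields and the six comparison modifiers above to constructed, already-decoded frames, showing how a filter such as ip.ttl <= 64 selects frames; the frame values and the ip.addr either-direction rule are assumptions made for the illustration, and the && / and conjunction is accepted as Wireshark does.

```python
import re

# Constructed decoded frames (not from a real capture): frame number -> field values
PACKETS = {
    1: {"ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "ip.ttl": 64, "ip.proto": 6,
        "ip.flags.df": True, "ip.len": 60},
    2: {"ip.src": "10.0.0.9", "ip.dst": "10.0.0.5", "ip.ttl": 128, "ip.proto": 6,
        "ip.flags.df": True, "ip.len": 60},
    3: {"ip.src": "192.0.2.7", "ip.dst": "10.0.0.5", "ip.ttl": 250, "ip.proto": 17,
        "ip.flags.df": False, "ip.len": 1500},
}

# The six comparisons from the slide, by symbol and by designator (eq, ne, ...)
OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
}
OPS.update(eq=OPS["=="], ne=OPS["!="], gt=OPS[">"], lt=OPS["<"], ge=OPS[">="], le=OPS["<="])

TERM = re.compile(r"^(ip(?:\.\w+)+)\s*(==|!=|>=|<=|>|<|eq|ne|gt|lt|ge|le)\s*(\S+)$")

def coerce(literal, like):
    """Parse the literal with the type of the field it is compared against."""
    if isinstance(like, bool):          # Boolean fields accept 0/1 or true/false
        return literal.lower() in ("1", "true")
    if isinstance(like, int):           # unsigned 8/16-bit integer fields
        return int(literal, 0)
    return literal                      # IPv4 address fields compared as text

def matches(expr, packet):
    """True if the frame satisfies every '&&'-joined comparison in expr."""
    for term in re.split(r"\s*(?:&&|\band\b)\s*", expr.strip()):
        m = TERM.match(term)
        if not m:
            raise ValueError(f"bad filter term: {term!r}")
        field, op, literal = m.groups()
        if field == "ip.addr":          # ip.addr matches either source or destination
            values = [packet["ip.src"], packet["ip.dst"]]
        elif field in packet:
            values = [packet[field]]
        else:
            return False                # field absent from this frame: no match
        if not any(OPS[op](v, coerce(literal, v)) for v in values):
            return False
    return True

def apply_filter(expr, packets=PACKETS):
    """Frame numbers the display filter would keep, in capture order."""
    return [num for num, pkt in sorted(packets.items()) if matches(expr, pkt)]
```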
Slide 12: Supporting programs
– TShark: a command-line version of Wireshark
– Editcap: used to remove packets from a file and to translate the format of capture files
– Mergecap: merges capture files together
– Text2pcap: reads text and converts it to a capture file
Slide 13: Placement of the sniffer is critical
Slide 17: Remote sniffer options
Slide 18: General network troubleshooting
1. Recognize the symptoms
2. Define the problem
3. Analyze the problem
4. Isolate the problem
5. Identify and test the cause of the problem
6. Solve the problem
7. Verify that the problem has been solved
Slide 19: General network troubleshooting, 1. Recognize the symptoms
– Very few problems are found by the administrators
– Was a change made recently?
– What is happening right now that is different?
Slide 20: General network troubleshooting, 2. Define the problem
– It sounds obvious, but you must know what the problem is before you solve it
– Single user? Multiple users?
– LAN or WAN (or both)?
– Single or multiple applications affected?
Slide 21: General network troubleshooting, 3. Analyze the problem
– Gather data
– What does work?
– For whom does it work?
– Why is it working?
– How does it differ?
Slide 22: General network troubleshooting, 4. Isolate the problem
– Isolation may be necessary so that the problem will not spread
– Can you disconnect a server, a link, a firewall?
Slide 23: General network troubleshooting, 5. Identify and test the cause of the problem
– Can the test be done "live"?
– Can the test be done in a lab setting?
– It is important not to make the problem worse
Slide 24: General network troubleshooting, 6. Solve the problem
– Decide when the problem can be solved: immediately? Is a change window needed?
– Who will need to be involved? What teams? Management? SMEs?
Slide 25: General network troubleshooting, 7. Verify that the problem has been solved
– Test the solution
– Monitor the solution to be sure it stays fixed
– Document the problem!
Slide 26: You must also wear many hats!
Slide 28: The blame game
– "System administrators are notorious for asking if there is something wrong with the network, and network administrators are notorious for saying the problem is within the system"
– It is not enough to prove the network isn't the problem; you often have to fix the problem no matter what it is or where it is
Slide 29: When troubleshooting, start from layer one and work up the protocol stack
– How many are affected?
– Did this work before? If so, what changed?
– Do you have network connectivity?
– Can you see the MAC address in the switch?
– Can you ping the device?
– Is TCP functioning? Is UDP functioning?
Slide 30: TCP connection scenarios

Scenario 1: SYN, no SYN+ACK
If your Wireshark capture shows that the client is sending a SYN packet but no response is received from the server, the server is not processing the packet. It could be that a firewall between the two hosts is blocking the packet, or that the server itself has a firewall running on it.

Scenario 2: SYN, immediate RST response
If your Wireshark capture shows that the server is responding with the reset (RST) flag, the destination server is receiving the packet but there is no application bound to that port. Make sure that your application is bound to the correct port on the correct IP address.

Scenario 3: SYN, SYN+ACK, ACK, connection closed
If your Wireshark capture shows that the TCP connection is established and then immediately closes, the destination server may be rejecting the client's IP address due to security restrictions. On UNIX systems, check the tcpwrappers files at /etc/hosts.allow and /etc/hosts.deny and verify that you haven't inadvertently blocked communication.
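As an added example (not from the slides or from Wireshark), the classifier below takes frames reduced to what the summary pane shows (time, source, destination, TCP flags) and maps a client-to-server attempt onto the three scenarios above; the addresses, the constructed captures, and the one-second "immediate close" threshold are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    """One summary-pane row, reduced to what the diagnosis needs."""
    time: float       # seconds since the start of the capture
    src: str
    dst: str
    flags: frozenset  # TCP flags set, e.g. frozenset({"SYN", "ACK"})

def classify(frames, client, server, close_within=1.0):
    """Return (scenario number, hint) for one client->server attempt.
    0 means none of the three patterns applied (e.g. the handshake completed
    and the connection stayed open)."""
    to_srv = [f for f in frames if (f.src, f.dst) == (client, server)]
    from_srv = [f for f in frames if (f.src, f.dst) == (server, client)]
    if not any(f.flags == {"SYN"} for f in to_srv):
        return 0, "no SYN from the client in this capture"
    if not from_srv:
        return 1, "SYN but no SYN+ACK: a firewall on the path or on the server may drop it"
    first = from_srv[0]
    if "RST" in first.flags and "SYN" not in first.flags:
        return 2, "SYN answered by RST: host reached, no application bound to that port"
    if first.flags == {"SYN", "ACK"}:
        acked = any(f.flags == {"ACK"} and f.time >= first.time for f in to_srv)
        closes = [f for f in from_srv if f.flags & {"FIN", "RST"}]
        if acked and closes and closes[0].time - first.time <= close_within:
            return 3, "handshake then immediate close: check /etc/hosts.allow and /etc/hosts.deny"
    return 0, "connection established and not closed immediately"

# Constructed captures (not real traffic), one per scenario.
C, S = "10.0.0.5", "10.0.0.9"
SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
CAPTURES = {
    "filtered": [Frame(0.0, C, S, SYN), Frame(3.0, C, S, SYN),  # SYN retransmits only
                 Frame(9.0, C, S, SYN)],
    "closed_port": [Frame(0.0, C, S, SYN), Frame(0.001, S, C, frozenset({"RST", "ACK"}))],
    "rejected": [Frame(0.0, C, S, SYN), Frame(0.001, S, C, SYNACK),
                 Frame(0.002, C, S, ACK), Frame(0.010, S, C, frozenset({"FIN", "ACK"}))],
}

def diagnose_all(captures=CAPTURES):
    """Map each constructed capture name to its scenario number."""
    return {name: classify(frames, C, S)[0] for name, frames in captures.items()}
```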
Slide 31: Using Wireshark for security administration
– Wireshark has the ability to reassemble packets, which allows you to piece together the conversation
– Detecting unauthorized web access
– Detecting internet chat activity
– Detecting on-line gaming
Slide 32: Wireshark as a network intrusion detection system
– Unauthorized connections
– Unauthorized sweeps
– Redirections to other ports/IPs
– RDP usage from outside (Mikogo, pcAnywhere, etc.)
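Two of the detections named on this slide, unauthorized sweeps and remote-desktop use from outside the site, as an added example run over constructed SYN records rather than a live capture (this is illustration code, not a Wireshark feature); the 10.0.0.0/8 site prefix, the port and window thresholds, and the sample records are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed TCP SYN records (not a real capture): (time, src, dst, dst_port)
SYNS = [
    (0.00, "10.0.0.5",     "10.0.0.9",  443),   # ordinary HTTPS connection
    (0.10, "10.0.0.77",    "10.0.0.9",  21),    # one source walking ports on one host
    (0.11, "10.0.0.77",    "10.0.0.9",  22),
    (0.12, "10.0.0.77",    "10.0.0.9",  23),
    (0.13, "10.0.0.77",    "10.0.0.9",  25),
    (0.14, "10.0.0.77",    "10.0.0.9",  80),
    (0.15, "10.0.0.77",    "10.0.0.9",  445),
    (2.00, "198.51.100.4", "10.0.0.20", 3389),  # RDP from outside the site
    (5.00, "10.0.0.5",     "10.0.0.20", 3389),  # RDP from inside: normal
]
INTERNAL = ip_network("10.0.0.0/8")  # assumed site prefix for the constructed data

def port_sweeps(syns, min_ports=5, window=1.0):
    """(src, dst, port count) for sources that SYN to at least min_ports
    distinct ports on one host within window seconds."""
    by_pair = defaultdict(list)
    for t, src, dst, port in sorted(syns):
        by_pair[(src, dst)].append((t, port))
    hits = []
    for (src, dst), events in by_pair.items():
        for i, (t0, _) in enumerate(events):        # slide the window from each SYN
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits.append((src, dst, len(ports)))
                break
    return hits

def external_rdp(syns, internal=INTERNAL, rdp_port=3389):
    """(src, dst) for SYNs to the RDP port whose source lies outside internal."""
    return [(src, dst) for _, src, dst, port in syns
            if port == rdp_port and ip_address(src) not in internal]
```

Both functions work on the same (time, src, dst, port) tuples, so records exported from the summary pane of a real capture could be fed in the same way.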
Slide 33: Optimizing your protocol analyzer
– Have a fast enough PC (CPU, memory, disk space)
– Match the NIC speed/duplex with the source of the traffic being gathered
– Strip the extras down; failure to do so may result in lost data
– Don't update the list of packets in real time
– No name resolution
– Dump first using tcpdump/WinDump or TShark, then load the file into Wireshark
Slide 34: Advanced sniffing: Wireshark alternatives
dsniff: used to dissect IDs/passwords from protocols including:
– America Online (AOL) Instant Messenger (IM)
– Citrix Winframe
– CVS
– File Transfer Protocol (FTP)
– HTTP
– I Seek You (ICQ)
– IMAP
– IRC
– Lightweight Directory Access Protocol (LDAP)
– Remote Procedure Call (RPC) mount requests
– Napster
– Network News Transfer Protocol (NNTP)
– Oracle SQL*Net
– ...and others
Slide 35: Dsniff uses many techniques to gather password data
– arpspoof: makes other devices think that your device is the default gateway
– dnsspoof: redirects responses to DNS servers
– mailsnarf: homes in on mail passwords
– webspy: allows you to eavesdrop on web sessions
– urlsnarf: saves all URLs crossing the wire
Slide 36: Other attacks
– MITM: can defeat SSH/HTTPS
– Cracking: dictionary hacks, brute force
– ARP spoofing: substitute your MAC for the default gateway's MAC and you become the default gateway
– MAC flooding: overloads switches so they act like hubs
– Routing hacks: send false routes (i.e., a default route)
Slide 37: Protecting your network from sniffers
– Use switches, not hubs
– Shut down unused ports
– Do not allow more than one MAC per port
– Turn on port security (labor intensive)
– Physical security
– SSH: secure Telnet replacement
– SSL/HTTPS: secure replacement for HTTP; can be used as a VPN conduit
– PGP: works with S/MIME to secure e-mail
Slide 38: Sniffer detection
– IPCONFIG/IFCONFIG: see if the NIC is running in promiscuous mode
– DNS lookups: since sniffers can resolve DNS addresses, see who is doing most of your DNS lookups
– Latency: a consistently slow PC could be slow because it is running sniffer software
– Bugs: sometimes sniffers display unique attributes
– NetMon: NetMon can detect other NetMon applications