
Packets and Protocols


mblackmon


Presentation Transcript


  1. Chapter Two: Introducing Wireshark. Packets and Protocols

  2. Packets and Protocols, Chapter 2. What is Wireshark?
     • An open source, freeware-licensed protocol analyzer
     • Works in promiscuous and non-promiscuous modes
     • Can capture data live or read it from a file
     • Configurable GUI that is easy to read
     • Supports multiple capture file formats for import and export (25 different formats)
     • Can capture wired or wireless data
     • Supports 750 protocols (we won’t cover them all)
     • Runs on over 20 different platforms

  3. History
     • Jerry Combs invented Ethereal in 1997 out of the need for an analysis tool
     • The first version was released in 1998 and was a huge hit
     • Prior to this, Network General’s Sniffer tool dominated

  4. Strengths
     • Its primary strength is its large support of sniffer file formats and protocols
     • There is a ridiculously large list of file formats and supported protocols on pages 55-58

  5. The user interface: Summary Pane
     • Packet number
     • Time
     • Source Address (SA)
     • Destination Address (DA)
     • Name of the highest-level protocol
     • Information on the highest-level protocol

  6. The user interface: Detail Pane
     • Tree-like structure that details each layer of each packet
     • Analyzes the packets within each protocol

  7. The user interface: Data Pane
     • Contains the raw data
     • Data displayed in hex and in text

  8. Analysis filters
     • The recommended technique is to capture with no filters and then filter the capture file
     • There are many ways to filter the data, either during the capture or during the display

  9. (image-only slide; no transcribed text)

  10. (image-only slide; no transcribed text)

  11. Filter modifiers

  12. Supporting programs
     • TShark: a command-line version of Wireshark
     • Editcap: used to remove packets from a file and to translate the format of capture files
     • Mergecap: merges capture files together
     • Text2pcap: reads a text hex dump and converts it to a capture file

  13. Placement of the sniffer is critical

  14. (image-only slide; no transcribed text)

  15. (image-only slide; no transcribed text)

  16. (image-only slide; no transcribed text)

  17. Remote sniffer options

  18. General network troubleshooting
     1. Recognize the symptoms
     2. Define the problem
     3. Analyze the problem
     4. Isolate the problem
     5. Identify and test the cause of the problem
     6. Solve the problem
     7. Verify that the problem has been solved

  19. General network troubleshooting, step 1: Recognize the symptoms
     • Very few problems are found by the administrators
     • Was a change made recently?
     • What is happening right now that is different?

  20. General network troubleshooting, step 2: Define the problem
     • It sounds obvious, but you must know what the problem is before you solve it
     • Single user? Multiple users?
     • LAN or WAN (or both)?
     • Single or multiple applications affected?

  21. General network troubleshooting, step 3: Analyze the problem
     • Gather data
     • What does work?
     • For whom does it work?
     • Why is it working?
     • How does it differ?

  22. General network troubleshooting, step 4: Isolate the problem
     • Isolation may be necessary so that the problem will not spread
     • Can you disconnect a server, a link, a firewall?

  23. General network troubleshooting, step 5: Identify and test the cause of the problem
     • Can the test be done “live”?
     • Can the test be done in a lab setting?
     • It is important not to make the problem worse

  24. General network troubleshooting, step 6: Solve the problem
     • Decide when the problem can be solved
     • Immediately?
     • Is a change window needed?
     • Who will need to be involved? What teams? Management? SMEs?

  25. General network troubleshooting, step 7: Verify that the problem has been solved
     • Test the solution
     • Monitor the solution to be sure it stays fixed
     • Document the problem!

  26. You must also wear many hats!

  27. (image-only slide; no transcribed text)

  28. The blame game
     • “System administrators are notorious for asking if there is something wrong with the network, and network administrators are notorious for saying the problem is within the system.”
     • It is not enough to prove the network isn’t the problem; you often have to fix the problem no matter what it is or where it is.

  29. When troubleshooting, start from layer one and work up the protocol stack:
     • How many are affected?
     • Did this work before? If so, what changed?
     • Do you have network connectivity?
     • Can you see the MAC address in the switch?
     • Can you ping the device?
     • Is TCP functioning?
     • Is UDP functioning?

  30. Three TCP connection scenarios
     Scenario 1: SYN, no SYN+ACK. If your Wireshark capture shows that the client is sending a SYN packet but no response is received from the server, the server is not processing the packet. It could be that a firewall between the two hosts is blocking the packet, or that the server itself has a firewall running on it.
     Scenario 2: SYN, immediate RST response. If your Wireshark capture shows that the server is responding with the reset (RST) flag, the destination server is receiving the packet but there is no application bound to that port. Make sure that your application is bound to the correct port on the correct IP address.
     Scenario 3: SYN, SYN+ACK, ACK, connection closed. If your Wireshark capture shows that the TCP connection is established and then immediately closes, the destination server may be rejecting the client’s IP address due to security restrictions. On UNIX systems, check the TCP Wrappers files /etc/hosts.allow and /etc/hosts.deny and verify that you haven’t inadvertently blocked communication.
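The three scenarios above as a small classifier, added here as an example and not taken from the slides or the textbook; it assumes the capture has already been reduced to (src, dst, flag set) tuples, and the packets it runs on are constructed inline:

```python
# Added example, not from the slides: a small state machine that labels a
# client/server TCP conversation with the three scenarios described above.
# Packets are constructed (src, dst, flags) tuples; flags is a set of TCP
# flag names as Wireshark shows them (SYN, ACK, RST, FIN, PSH).
ADVICE = {
    "no_syn": "no SYN from the client at all: check connectivity at the lower layers",
    "syn_no_response": "SYN sent, nothing back: check firewalls in the path and on the server",
    "syn_rst": "SYN answered with RST: host reachable, but nothing is bound to that port",
    "handshake_incomplete": "SYN+ACK seen but no ACK from the client: look at the client",
    "handshake_then_close": "handshake completed, then closed at once: check /etc/hosts.allow and /etc/hosts.deny",
    "established": "handshake completed and the connection stayed open: TCP is fine here",
}

def classify_handshake(packets, client, server):
    """Return (scenario, advice) for the conversation client -> server."""
    state = "idle"
    for src, dst, flags in packets:
        if {src, dst} != {client, server}:
            continue  # packet belongs to some other conversation
        from_client = src == client
        if state == "idle" and from_client and flags == {"SYN"}:
            state = "syn_sent"
        elif state == "syn_sent" and not from_client:  # a retransmitted SYN is ignored
            if "RST" in flags:
                return "syn_rst", ADVICE["syn_rst"]
            if flags == {"SYN", "ACK"}:
                state = "syn_received"
        elif state == "syn_received" and from_client and flags == {"ACK"}:
            state = "established"
        elif state == "established":
            if "PSH" in flags:  # application data moved, so the connection is healthy
                return "established", ADVICE["established"]
            if "FIN" in flags or "RST" in flags:
                return "handshake_then_close", ADVICE["handshake_then_close"]
    # Capture ended without a verdict: map the last state reached to a scenario
    final = {"idle": "no_syn", "syn_sent": "syn_no_response",
             "syn_received": "handshake_incomplete", "established": "established"}[state]
    return final, ADVICE[final]

CLIENT, SERVER = "10.0.0.5", "10.0.0.80"  # constructed addresses
HANDSHAKE = [(CLIENT, SERVER, {"SYN"}), (SERVER, CLIENT, {"SYN", "ACK"}),
             (CLIENT, SERVER, {"ACK"})]
SAMPLES = {  # constructed captures, one per slide scenario plus a healthy one
    "scenario_1": [(CLIENT, SERVER, {"SYN"})] * 3,  # SYN retransmitted, never answered
    "scenario_2": [(CLIENT, SERVER, {"SYN"}), (SERVER, CLIENT, {"RST", "ACK"})],
    "scenario_3": HANDSHAKE + [(SERVER, CLIENT, {"FIN", "ACK"}), (CLIENT, SERVER, {"ACK"})],
    "healthy": HANDSHAKE + [(CLIENT, SERVER, {"PSH", "ACK"})],
}
```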

  31. Using Wireshark for security administration
     • Wireshark has the ability to reassemble packets, which allows you to piece together the conversation
     • Detecting unauthorized web access
     • Detecting Internet chat activity
     • Detecting on-line gaming

  32. Wireshark as a network intrusion detection system
     • Unauthorized connections
     • Unauthorized sweeps
     • Redirections to other ports/IPs
     • RDP usage from outside
     • Mikogo, pcAnywhere, etc.

  33. Optimizing your protocol analyzer
     • Have a fast enough PC: CPU, memory, disk space
     • Match the NIC speed/duplex with the source of the traffic being gathered
     • Strip the extras down; failure to do so may result in lost data:
       • Don’t update the list of packets in real time
       • No name resolution
       • Dump first using tcpdump/WinDump or TShark, then load the file into Wireshark

  34. Advanced sniffing: Wireshark alternatives
     • dsniff: used to dissect IDs/passwords from protocols including:
       ■ America Online (AOL) Instant Messenger (IM)
       ■ Citrix WinFrame
       ■ CVS
       ■ File Transfer Protocol (FTP)
       ■ HTTP
       ■ I Seek You (ICQ)
       ■ IMAP
       ■ IRC
       ■ Lightweight Directory Access Protocol (LDAP)
       ■ Remote Procedure Call (RPC) mount requests
       ■ Napster
       ■ Network News Transfer Protocol (NNTP)
       ■ Oracle SQL*Net
       ■ …and others

  35. dsniff uses many techniques to gather password data
     • arpspoof: makes other devices think that your device is the default gateway
     • dnsspoof: redirects responses to DNS queries
     • mailsnarf: homes in on mail passwords
     • webspy: allows you to eavesdrop on web sessions
     • urlsnarf: saves all URLs crossing the wire

  36. Other attacks
     • MITM: can defeat SSH/HTTPS
     • Cracking: dictionary attacks, brute force
     • ARP spoofing: substitute your MAC for the default gateway’s MAC and you become the default gateway
     • MAC flooding: overloads switches so they act like hubs
     • Routing hacks: send false routes (e.g. a default route)

  37. Protecting your network from sniffers
     • Use switches, not hubs
     • Shut down unused ports
     • Do not allow more than one MAC per port
     • Turn on port security (labor intensive)
     • Physical security
     • SSH: secure Telnet replacement
     • SSL/HTTPS: secure replacement for HTTP; can be used as a VPN conduit
     • PGP: works with S/MIME to secure e-mail

  38. Sniffer detection
     • IPCONFIG/IFCONFIG: see if the NIC is running in promiscuous mode
     • DNS lookups: since sniffers resolve DNS addresses, see who is doing most of your DNS lookups
     • Latency: a consistently slow PC could be slow because it is running sniffer software
     • Bugs: sometimes sniffers display unique attributes
     • NetMon: NetMon can detect other NetMon applications
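The first two detection checks above (promiscuous-mode NICs and the busiest DNS resolver) as code, added here as an example that is not part of the slides; the ifconfig text and tshark-style DNS summary lines it parses are constructed samples, not real output:

```python
# Added example, not from the slides: two of the checks above as code, run on
# constructed samples (not real output): ifconfig-style text to spot NICs in
# promiscuous mode, and tshark-style DNS summary lines to find the host doing
# most of the lookups (a sniffer resolving every address it sees shows up as
# a burst of reverse PTR queries from one source).
import re
from collections import Counter

IFCONFIG_SAMPLE = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 10.0.0.7  netmask 255.255.255.0  broadcast 10.0.0.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""

# fields: frame number, time, source, destination, protocol, info
DNS_SAMPLE = """\
1 0.000 10.0.0.7 10.0.0.1 DNS Standard query 0x1a2b PTR 5.0.0.10.in-addr.arpa
2 0.004 10.0.0.1 10.0.0.7 DNS Standard query response 0x1a2b PTR host5.lab
3 0.010 10.0.0.7 10.0.0.1 DNS Standard query 0x1a2c PTR 6.0.0.10.in-addr.arpa
4 0.120 10.0.0.12 10.0.0.1 DNS Standard query 0x77aa A www.example.com
5 0.130 10.0.0.7 10.0.0.1 DNS Standard query 0x1a2d PTR 12.0.0.10.in-addr.arpa
"""

IFACE_RE = re.compile(r"^(\S+): flags=\d+<([^>]*)>", re.M)

def promiscuous_interfaces(ifconfig_output):
    """Names of interfaces whose flag list contains PROMISC."""
    return [name for name, flags in IFACE_RE.findall(ifconfig_output)
            if "PROMISC" in flags.split(",")]

def dns_query_counts(summary_lines):
    """Per-source counts of DNS queries (responses excluded) and of PTR queries."""
    queries, ptr_queries = Counter(), Counter()
    for line in summary_lines.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6 or fields[4] != "DNS" or "query response" in fields[5]:
            continue
        queries[fields[2]] += 1
        if " PTR " in fields[5]:
            ptr_queries[fields[2]] += 1
    return queries, ptr_queries

def top_resolver(summary_lines):
    """(source, query count) for the host issuing the most DNS queries."""
    queries, _ = dns_query_counts(summary_lines)
    return queries.most_common(1)[0] if queries else (None, 0)
```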
