CS408 Lab 1: Packet Analysis With Wireshark
Instructor: Albert Levi, PhD
What is a Network Analyzer? (a.k.a. Packet Sniffer)
Packet sniffers are software programs that can see the traffic passing over a network or part of a network. As data streams travel over the network, the program captures each packet and eventually decodes its content following the RFC specification.
Why do we need such an analysis?
• Troubleshoot a network.
• Detect network intrusion attempts.
• Monitor network usage and filter for suspicious content.
• Spy on other network users and collect their passwords.
How is it possible to capture other users' packets?
Ethernet was built around a "shared" principle: all machines on a local network share the same wire, so every machine is able to "see" all the traffic on that wire. Because of this, Ethernet hardware is built with a "filter" that ignores all traffic not addressed to it: it discards every frame whose destination MAC address does not match its own. If you put your Ethernet hardware into "promiscuous mode", you deactivate that filter and the card starts accepting all frames rather than discarding them.
What is an Ethernet MAC address?
• A MAC address is a 12-digit hex number (6 bytes), embedded in your Ethernet card's chipset, that uniquely identifies you on the Ethernet.
• Example: 00:C0:49:A7:25:45
• Windows: run "ipconfig /all" from the command line to see the MAC address of your adapter.
• Linux: run "ifconfig" to see the MAC address of your adapter.
What is an Ethernet MAC address?
• MAC stands for Media Access Control.
• The Ethernet MAC address is a 48-bit number, broken down into two halves: the first 24 bits identify the vendor of the Ethernet board, and the second 24 bits are a serial number assigned by that vendor. This is sufficient to guarantee that no two Ethernet cards have the same MAC address.
• Example MAC address: 00:C0:49:A7:25:45
• 00:C0:49 is registered to the vendor U.S. Robotics. This number is called the OUI ("Organizationally Unique Identifier"). You can find the list of vendor/OUI codes at http://standards.ieee.org/regauth/oui/
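As an added example (not code from the lab slides), the Python helper below validates a MAC address in either the "ipconfig /all" (dash-separated) or "ifconfig" (colon-separated) form, splits it into the OUI and vendor-serial halves, and looks the OUI up in a constructed table that contains only the slide's example prefix. It goes one step beyond the slide by also reading the individual/group bit (the least significant bit of the first byte), which is what makes FF:FF:FF:FF:FF:FF a broadcast address and decides whether the card's filter treats a frame as addressed to a single station.

```python
import re

# Constructed OUI table for this example; the authoritative list is the IEEE
# registry linked above. Only the slide's example prefix is filled in.
OUI_TABLE = {
    "00:C0:49": "U.S. Robotics",
}

# 6 groups of 2 hex digits separated by ':' (ifconfig) or '-' (ipconfig /all)
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def normalize_mac(mac):
    """Return the canonical upper-case, colon-separated form of a MAC address.

    Raises ValueError if the input is not 12 hex digits in six groups."""
    if not _MAC_RE.match(mac):
        raise ValueError("not a 48-bit MAC address: %r" % (mac,))
    return mac.upper().replace("-", ":")


def split_mac(mac):
    """Return (oui, serial, vendor, is_group) for a MAC address.

    oui      -- first 24 bits, assigned by the IEEE to the vendor
    serial   -- last 24 bits, assigned by the vendor to this card
    vendor   -- name from OUI_TABLE, or a hint to consult the registry
    is_group -- individual/group bit: set for broadcast and multicast
                destinations, clear for a single station's address"""
    canon = normalize_mac(mac)
    oui, serial = canon[:8], canon[9:]
    first_byte = int(canon[:2], 16)
    is_group = bool(first_byte & 0x01)
    vendor = OUI_TABLE.get(oui, "unknown (look up in the IEEE OUI registry)")
    return oui, serial, vendor, is_group


if __name__ == "__main__":
    for sample in ("00:C0:49:A7:25:45", "00-c0-49-a7-25-45", "FF:FF:FF:FF:FF:FF"):
        print(sample, "->", split_mac(sample))
```

Feeding the address printed by ipconfig or ifconfig into split_mac gives the same OUI either way; an address with the group bit set can never belong to one card, so a source MAC with that bit set in a capture is worth a second look.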
How do hosts communicate over Ethernet?
Each host in the same Ethernet network has an IP address. In order to send data to a destination host, we first have to know the MAC address of that destination host. To learn the MAC address belonging to the destination's IP address, the source broadcasts an ARP packet over the network. ARP stands for Address Resolution Protocol (RFC 826).
ARP Overview
All network hosts maintain their own ARP tables (caches) to reduce the ARP broadcast overhead. The table (shown on the slide) maps each IP address to its MAC address. Simply remember this: ARP translates an IP address into a physical MAC address. To see your computer's ARP cache, type "arp -a" and hit enter.
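The request/reply exchange described above, as an added Python example that is not part of the lab slides: it serialises and decodes the 28-byte Ethernet/IPv4 ARP packet laid out in RFC 826 and keeps a minimal per-host cache of the kind "arp -a" prints. The two hosts, their MAC addresses and the 192.168.1.0/24 addresses are constructed for the example; the cache's learning rule is a simplified version of the RFC 826 merge step.

```python
import struct
import ipaddress

ARP_REQUEST, ARP_REPLY = 1, 2
# RFC 826 layout for Ethernet/IPv4: hardware type, protocol type, hardware
# address length, protocol address length, opcode, sender MAC, sender IP,
# target MAC, target IP. Carried in an Ethernet II frame with type 0x0806.
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise one ARP packet."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(raw):
    """Decode an ARP packet into a dict; rejects anything but Ethernet/IPv4 ARP."""
    if len(raw) < struct.calcsize(ARP_FMT):
        raise ValueError("ARP packet truncated")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": mac_text(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_text(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


class ArpCache:
    """Minimal ARP table for one host: IP address -> MAC address."""

    def __init__(self, own_ip):
        self.own_ip = own_ip
        self.table = {}

    def resolve(self, ip):
        return self.table.get(ip)

    def observe(self, pkt):
        # Simplified RFC 826 rule: cache the sender's mapping from every reply
        # received and from requests aimed at our own IP (we need the
        # requester's MAC to answer it). Returns True if the table was updated.
        if pkt["op"] == ARP_REPLY or pkt["target_ip"] == self.own_ip:
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]
            return True
        return False


# Constructed exchange: host A asks who has 192.168.1.20, host B answers.
A_MAC, A_IP = "00:c0:49:a7:25:45", "192.168.1.10"
B_MAC, B_IP = "00:c0:49:00:00:02", "192.168.1.20"
REQUEST = build_arp(ARP_REQUEST, A_MAC, A_IP, "00:00:00:00:00:00", B_IP)  # broadcast
REPLY = build_arp(ARP_REPLY, B_MAC, B_IP, A_MAC, A_IP)                    # unicast to A


def run_exchange():
    """Replay the exchange through both hosts' caches; returns what each learned."""
    cache_a, cache_b = ArpCache(A_IP), ArpCache(B_IP)
    req = parse_arp(REQUEST)
    cache_b.observe(req)                # B learns A's MAC from the request aimed at it
    cache_a.observe(req)                # A ignores its own broadcast (target is not A)
    cache_a.observe(parse_arp(REPLY))   # A learns B's MAC from the reply
    return cache_a.resolve(B_IP), cache_b.resolve(A_IP)


if __name__ == "__main__":
    print("request:", parse_arp(REQUEST))
    print("reply:  ", parse_arp(REPLY))
    print("learned:", run_exchange())
```

The request is broadcast, so a sniffer on the same segment sees it too; the reply is unicast to the requester, which is why "arp -a" on a third host shows the requester's entry but not necessarily the responder's.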
The Ethernet Frame
Remember the 4-layer model: in each layer, the data coming from the upper layer is encapsulated into the current layer's PDU. The application data is sent to a host with this encapsulation scheme.
The Ethernet Frame
• There are two kinds of Ethernet framing in common use today. The "official" standard is IEEE 802.3 framing, but TCP/IP traffic on Ethernet is usually carried in DIX (Digital / Intel / Xerox) type II frames (usually written "Ethernet II" or just "DIX"). Other, transport-independent protocols may use 802.3. The two frame types can coexist on the same wire.
• The Ethernet II header (omitting the preamble) simply consists of:
• Destination MAC address
• Source MAC address
• Type of encapsulated data
The Ethernet Frame: Analysis with Wireshark
The following Ethereal (the earlier name of Wireshark) screenshots are from the last frame containing the HTTP response from a URL whose HTML data is "Hello CS 408".
The Ethernet Frame – IP Packet
The 3-bit Flags field of the IP header:
• Bit 0: reserved, must be zero
• Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment
• Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments
• 010 = Don't Fragment, Last Fragment
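To make the encapsulation from the previous slides concrete, here is an added Python example (not from the lab slides) that walks the same path Wireshark's detail pane shows: it splits an Ethernet II frame into destination MAC, source MAC and type, then decodes the IPv4 header and expands the 3-bit Flags field into the reserved, DF and MF bits described above. The frame is constructed inline with the slide's example MACs and made-up 192.168.1.x addresses; the IP checksum is left at zero since the example does not verify it.

```python
import struct
import ipaddress

ETH_FMT = "!6s6sH"         # destination MAC, source MAC, EtherType (no preamble)
IP_FMT = "!BBHHHBBH4s4s"   # the fixed 20-byte part of an IPv4 header
ETHERTYPE_IPV4 = 0x0800


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def parse_ethernet(frame):
    """Split an Ethernet II frame into its three header fields and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    return {"dst": mac_text(dst), "src": mac_text(src), "type": ethertype}, frame[14:]


def parse_ipv4(pkt):
    """Decode the IPv4 header, expanding the Flags field bit by bit."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     checksum, src, dst) = struct.unpack(IP_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL is in 32-bit words
    if version != 4:
        raise ValueError("not an IPv4 packet")
    flags = flags_frag >> 13                  # top 3 bits of the 16-bit word
    reserved, df, mf = (flags >> 2) & 1, (flags >> 1) & 1, flags & 1
    frag_offset = (flags_frag & 0x1FFF) * 8   # remaining 13 bits, in 8-byte units
    return {
        "ihl": ihl, "total_length": total_len, "id": ident, "ttl": ttl,
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "flags_bits": format(flags, "03b"),   # e.g. '010' = DF set, last fragment
        "reserved": reserved, "dont_fragment": bool(df),
        "more_fragments": bool(mf), "fragment_offset": frag_offset,
    }, pkt[ihl:]


def build_frame(payload, flags_bits="010"):
    """Construct an Ethernet II frame carrying an IPv4 packet around payload."""
    flags = int(flags_bits, 2) << 13
    ip_hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), 0x1234, flags,
                         64, 6, 0,   # TTL 64, protocol 6 (TCP), checksum left 0
                         ipaddress.IPv4Address("192.168.1.20").packed,
                         ipaddress.IPv4Address("192.168.1.10").packed)
    eth_hdr = struct.pack(ETH_FMT, bytes.fromhex("00c049a72545"),
                          bytes.fromhex("00c049000002"), ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + payload


def decode(frame):
    """Walk the encapsulation: Ethernet -> IPv4 -> upper-layer payload.

    Non-IPv4 frames come back with ip=None and the raw Ethernet payload."""
    eth, rest = parse_ethernet(frame)
    if eth["type"] != ETHERTYPE_IPV4:
        return eth, None, rest
    ip, payload = parse_ipv4(rest)
    return eth, ip, payload


if __name__ == "__main__":
    eth, ip, payload = decode(build_frame(b"<html><b> Hello CS 408 </b></html>"))
    print(eth)
    print(ip)
    print(payload)
```

Changing flags_bits to "001" in build_frame produces a packet with More Fragments set, which is the case Wireshark labels as one fragment of a larger datagram.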
The Ethernet Frame – HTTP Header
There is not much to say about the HTTP header, as it is mostly ASCII. Observe that the HTTP header ends with two CRLF sequences (0D 0A 0D 0A), and then the data comes: <html><b> Hello CS 408 </b><html>
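The header/body split described above, as an added Python example that is not part of the lab slides: it locates the 0D 0A 0D 0A marker in a TCP payload, separates the status line and header fields from the entity body, and cross-checks Content-Length against what actually follows the marker. The body bytes are exactly those quoted on the slide; the status line and header names are assumptions, since the slide shows only the body, and a second, truncated payload is constructed to show what happens when the marker has not arrived yet.

```python
BODY = b"<html><b> Hello CS 408 </b><html>"   # body bytes as quoted on the slide
HEADER_END = b"\r\n\r\n"                     # 0D 0A 0D 0A

# Constructed TCP payload resembling the captured response. The status line
# and header fields are assumptions; Content-Length is derived from BODY.
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Length: " + str(len(BODY)).encode("ascii") + b"\r\n"
            b"\r\n" + BODY)


def header_end_offset(payload):
    """Offset of the first 0D 0A 0D 0A in payload, or -1 if it is not there
    (for instance when the header continues in the next TCP segment)."""
    return payload.find(HEADER_END)


def split_http_response(payload):
    """Return (status_line, headers, body) for a complete HTTP response.

    headers is a dict keyed by lower-cased field name. Raises ValueError if the
    header is not terminated or Content-Length disagrees with the body."""
    end = header_end_offset(payload)
    if end < 0:
        raise ValueError("no end-of-header marker; header may span segments")
    head, body = payload[:end], payload[end + len(HEADER_END):]
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("ascii")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        raise ValueError("Content-Length %s does not match %d body bytes"
                         % (declared, len(body)))
    return status_line, headers, body


if __name__ == "__main__":
    offset = header_end_offset(RESPONSE)
    print("header ends at offset %d, marker bytes %s" % (offset, RESPONSE[offset:offset + 4].hex()))
    status, hdrs, body = split_http_response(RESPONSE)
    print(status, hdrs, body, sep="\n")
```

The same marker is what Wireshark uses to stop rendering ASCII header lines and start the body; when header_end_offset returns -1 the response has been split across segments and the body cannot be taken from this frame alone.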