
Wireshark Primer with an emphasis on WLAN’s

Wireshark Primer with an emphasis on WLAN’s. Gary Hampton Kentuckiana ISSA Workshop 3/12/2011. Outline. Objective Types of Sniffers Wireshark background 802.11 Physical Layer 802.11 MAC Layer 802.11 Security Capturing basics Wireless traces


Presentation Transcript


  1. Wireshark Primer with an emphasis on WLAN’s Gary Hampton Kentuckiana ISSA Workshop 3/12/2011

  2. Outline • Objective • Types of Sniffers • Wireshark background • 802.11 Physical Layer • 802.11 MAC Layer • 802.11 Security • Capturing basics • Wireless traces • How to’s: tcp stream, statistics, filters, profiles

  3. Objective • Improve your knowledge of Wireshark and how to sniff traffic • Be able to create filters and navigate Wireshark • Improve your knowledge of the 802.11 protocol and wireless networking

  4. Types of sniffers • Specialty sniffers • Cain and Abel • Dsniff • Tcpdump/windump • Device specific • Intrusion detection systems • Modern access points • Microsoft’s Netmon • Commercial grade • WildPackets’ OmniPeek • NetScout • Wireshark • CACE Pilot (Wireshark interface); Riverbed Technology

  5. Why Wireshark? • Why use Wireshark? • Excellent price $0 • Full-blown sniffer • Supports multiple file formats: • MS Netmon, WildPackets, Sun Snoop, Kismet • Sharing traces with other work groups • When to use a commercial sniffer? • When sniffing large amounts of data (e.g. 1GB) • When presenting graphs and documents to upper level management

  6. Wireshark • Created by Gerald Combs • 1998 Ethereal • 2006 CACE Technologies “Wireshark” • Purchased by Riverbed Technology 2010 • Maintained by a group of developers today • Released under GNU General Public License (GNU GPL) • Free downloads available for Windows, Mac OS X, Linux, FreeBSD and U3 devices • www.wireshark.org/download.html • Graphical and command-line versions • Mailing list for new releases • www.wireshark.org/lists

  7. Wireshark Requirements • Any modern 32-bit/64-bit x86 or AMD processor • Minimum 128MB available RAM (more is better) • 75MB available disk space • Network cards • Any Ethernet card supported by Windows • Wireless • Windows – AirPcap adaptors only • Linux – not all, but most Linux drivers will support monitor mode • http://wireless.kernel.org/en/users/drivers

  8. Uses for Wireshark • Troubleshoot performance issues • Identify device configuration issues • Identify malicious traffic • Perform intrusion detection • Evaluate response times • Baseline bandwidth usage • Identify application protocols and ports • Assess wireless networks

  9. What does it take to be good at analyzing traces? • Be familiar with the sniffer’s features • Be familiar with networking protocols • Your effectiveness is directly proportional • Research RFC’s, Google, etc. • Know your network and the applications that utilize it • Baseline

  10. 802.11 Physical Layer

  11. 802.11b/g/n 2.4GHz band • 3 non-overlapping channels in the 2.4GHz band • CSMA/CA • Unlicensed spectrum • Microwave ovens • Bluetooth • Wireless cameras • Cordless phones • Other 802.11 devices • Ham radio operators

  12. 802.11a/n 5 GHz band • Unlicensed National Information Infrastructure (U-NII) band • 12 non-overlapping channels in the 5 GHz band • In 2004, the FCC allocated the 5.32 – 5.745 GHz band, providing 12 additional channels • Devices must support IEEE 802.11h Dynamic Frequency Selection 2 and Transmit Power Control • Radar usage • Terminal Doppler Weather Radar (TDWR) operates between 5.6 – 5.65 GHz • FCC recommends not using those channels when within 35km of a TDWR

  13. Spectrum Analyzers • Kismet (not a SA, but can identify AP’s) • WIDS/WIPS/modern AP’s • Metageek • Wi-Spy - Chanalyzer • Berkeley Varitronics Systems • Bumblebee • AirMagnet • Spectrum XT • Cisco • Spectrum Expert • Anritsu/Tektronix/HP/Bird Technologies

  14. Anritsu Spectrum Analyzer

  15. Anritsu Spectrum Analyzer

  16. 802.11 MAC Layer

  17. Frame Comparison 802.3 Frame 802.11 Frame

  18. 802.11 Frame Control Fields • Version – specifies the protocol number. • Type – Specifies frame type (Mgmt, Control or Data) • Subtype – e.g. association, CTS

  19. 802.11 Frame Control Fields continued • To DS/From DS • To DS set -> to the wired network • From DS set -> from the wired network • Both bits set -> wireless bridge (WDS network) • Both bits cleared -> ad-hoc network

  20. 802.11 Frame Control Fields continued • MF – More fragments • Retry • Pwr – Power mgmt • More – More data • W – WEP

  21. 802.11 Power Management • CAM (Continuous awareness mode): Radio never shuts down. Provides best network performance, uses the most battery power • PSP 1: Excellent network performance, uses less battery power • PSP 2: Great network performance, uses less battery power • PSP 3: Good network performance, uses less battery power • PSP 4: Adequate network performance, uses less battery power • PSP 5: Acceptable network performance, uses the least battery power

  22. 802.11 Frame To DS/From DS bits • To DS/From DS • To DS set -> to the wired network • From DS set -> from the wired network • Both bits set -> wireless bridge (WDS network) • Both bits cleared -> ad-hoc network
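The Frame Control fields described on the slides above (version, type, subtype, To DS/From DS and the flag bits), decoded in an added example that is not part of the original presentation. The function name and the sample bytes are constructed for illustration; the `type_subtype` value is the number the display filters later in this deck compare against (`wlan.fc.type_subtype eq 8` for beacons, `eq 12` for deauthentication).

```python
import struct

TYPES = {0: "Management", 1: "Control", 2: "Data"}

# (To DS, From DS) -> meaning, as listed on the slides.
DS_MEANING = {
    (1, 0): "to the wired network",
    (0, 1): "from the wired network",
    (1, 1): "wireless bridge (WDS network)",
    (0, 0): "ad-hoc network",
}

def parse_frame_control(frame: bytes) -> dict:
    """Decode the 16-bit Frame Control field that starts an 802.11 MAC header."""
    if len(frame) < 2:
        raise ValueError("need at least the 2-byte Frame Control field")
    (fc,) = struct.unpack_from("<H", frame)   # transmitted little-endian
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8                           # second byte holds the flag bits
    to_ds, from_ds = flags & 1, (flags >> 1) & 1
    return {
        "version": fc & 0x3,
        "type": TYPES.get(ftype, "Reserved"),
        "subtype": subtype,
        # Combined value that Wireshark exposes as wlan.fc.type_subtype
        "type_subtype": (ftype << 4) | subtype,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "more_frag": (flags >> 2) & 1,
        "retry": (flags >> 3) & 1,            # wlan.fc.retry
        "pwr_mgmt": (flags >> 4) & 1,
        "more_data": (flags >> 5) & 1,
        "protected": (flags >> 6) & 1,        # the "W – WEP" bit on the slide
        # The DS interpretation is only reported for data frames
        "ds": DS_MEANING[(to_ds, from_ds)] if ftype == 2 else None,
    }

# Constructed sample headers (first two bytes only), not taken from the traces.
SAMPLES = {
    "beacon": bytes.fromhex("8000"),
    "deauth": bytes.fromhex("c000"),
    "ack": bytes.fromhex("d400"),
    "data_retry": bytes.fromhex("0849"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, parse_frame_control(raw))
```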

  23. Address order - infrastructure

  24. 802.11 MAC Frames • Management: Used for connecting and disconnecting from the WLAN. Includes beacons, probes, authentication and association request/responses. • Control: Used to acknowledge receipt of data (Data-ACK, RTS-CTS-Data-ACK, CTS-Data-ACK). • Data: The only frames that include an encrypted payload in a WLAN. Encapsulates user data over the WLAN (e.g. IP and ARP traffic).

  25. Client Association

  26. 802.11 Security

  27. Encryption and Authentication Options • WPA-PSK and WPA2-PSK • Use a hierarchy of keys (see the in-depth security slides at the end of this presentation for more information) • WPA-PSK and WPA2-PSK both use the 4-way handshake to generate the Pairwise Transient Key. • Pairwise Master Keys are the same for all systems on the same WPA-PSK or WPA2-PSK network • If you capture the 4-way handshake (EAPOL protocol) and know the PSK and SSID, Wireshark can decrypt WPA and WPA2 PSK packets • WPA and WPA2 Enterprise • Uses 802.1x with EAP (Extensible Authentication Protocol) to authenticate client (supplicant) and access point (authenticator) instead of PSK • Uses per-user, per-session keys; therefore Wireshark, and sniffers in general, cannot decrypt packets • See security slides at the end of the presentation for more information

  28. Sample WPA 4-way Handshake

  29. Capture basics

  30. Wireshark capture flow • Libpcap – link layer interface for capturing on Linux or Unix (tcpdump) • WinPcap – Windows port of libpcap • AirPcap – link layer interface and network adaptor to capture 802.11 traffic on Windows

  31. Capturing wireless traffic • Determine location for sniffer(s) • Select the appropriate interface and data capturing options • Performance issues • Disable, update list of packets in real time • Disable network name resolution • Reduce # of columns • Disclaimer • Only capture traffic on networks that you have permission to do so.

  32. Where do I place the sniffer?

  33. Sniffing wired traffic • Hub • Switched networks • Hub • Port Mirroring/Port Spanning • Taps

  34. Sniffing Wireless traffic • Promiscuous mode: 802.11 adaptor only captures packets of the SSID the adaptor has joined. • Monitor mode: The driver does not make the adaptor a member of any SSID on the network. All packets of all SSID’s from the currently selected channel are captured. • Windows – must use AirPcap from CACE Technologies • Linux – most Linux drivers support monitor mode

  35. Wireshark Startup • Capture area • Files area • Online Help

  36. Wireshark Layout • Filter toolbar • Wireless Toolbar • Packet List • Packet Details • Packet Bytes • Status bar

  37. Capture Interfaces

  38. Capture Filters • Limit the packets saved while capturing traffic • Helpful when capturing traffic on a busy network or focusing on a specific problem • Problems: • You cannot get the discarded packets back • No error checking on syntax like display filters • Filter options: Type, Direction, and Protocol • tcp – filters on TCP traffic • ether src 00:A0:F8:12:34:56 – traffic from Ethernet address • host www.cnn.com – capture traffic to/from cnn.com

  39. Setting up profiles • Wireshark allows you to configure profiles for different uses, e.g. analyzing WLAN traces. • Edit->configuration profiles->new->enter profile name (e.g. WLAN) • Any capture or display filters and column changes will be saved under this profile when it is in use

  40. Statistical Analysis Summary Provides summary of sniffer trace: • Date, length • Capture format • Packet and byte counts • Time elapsed • Capture filters used

  41. Protocol Hierarchy Statistics • Displays a list of the types of traffic and their percentages. • Used to identify anomalies and suspect traffic. • Example: wpa-induction.pcap • Statistics->Protocol Hierarchy

  42. Identifying top talkers • Conversations statistics will list pairs of devices that are communicating with each other • Open trace wlan-ap-problem.pcap • Statistics->conversations • Select WLAN tab • End points is similar, but only shows a single end point or node.

  43. Basic Display Filters • Display.field.name operator value • Operators • eq, == Equal • ne, != Not Equal • gt, > Greater than • lt, < Less than • ge, >= Greater than or Equal to • le, <= Less than or Equal to • contains, Contains specified data • AND, && • OR, || • Negate, NOT or !

  44. Coloring Rules for traffic • Color rules are used to help make reading the traces easier and identify problems. • Example • Open airodrop-ng2 trace and add the coloring rules: • View->coloring rules->new->name and filter expression->choose colors: • Deauthentication frames • wlan.fc.type_subtype eq 12 • Packet retries • wlan.fc.retry eq 1 • Affects load time for traces

  45. IO Graphs • Allows Wireshark to graphically depict traffic flow trends. • Used to identify network performance issues • TCP round trip time (data – ACK) • Open the wlan-signalissue trace • Statistics ->IO graph • Add filter for signal strength • ppi.80211-common.dbm.antsignal

  46. Decrypting Frames • Wireshark can decrypt WEP, WPA-PSK and WPA2-PSK • If using driver, then only WEP can be decrypted • Trace must include the 4-way handshake frames to derive PTK to decrypt • Open trace wpa-induction • Verify 4-way handshake was captured in the trace • Apply protocol filter “eapol” and select Apply

  47. Decrypting Frames continued • Clear the EAPOL filter • Edit->preferences->protocols->IEEE 802.11 • Enter PSK and SSID in format wpa-pwd:PSK:SSID • wpa-pwd:Induction:Coherer • Check “enable decryption” • May have to toggle the “ignore vendor specific HT elements” and “assume packets have FCS” • Select “Apply” and “OK” • Open the Protocol Hierarchy Statistics, and note the additional protocols that are listed.
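Why the decryption steps above need the PSK, the SSID and the 4-way handshake, and why the Pairwise Master Key is shared by every station on a PSK network (slide 27): an added example, not part of the original slides and not Wireshark's code, using the 802.11i HMAC-SHA1 key derivation. The function names are illustrative, and the MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def ptk_from_handshake(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                       anonce: bytes, snonce: bytes, nbytes: int = 64) -> bytes:
    """PTK from the PMK plus the MACs and nonces seen in handshake messages 1 and 2."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf_sha1(pmk, b"Pairwise key expansion", data, nbytes)

def demo():
    # PSK and SSID from the wpa-pwd:Induction:Coherer entry on the slide.
    pmk = pmk_from_passphrase("Induction", "Coherer")
    ap = bytes.fromhex("020000000001")       # constructed AP MAC
    sta_a = bytes.fromhex("0200000000aa")    # constructed client MACs
    sta_b = bytes.fromhex("0200000000bb")
    anonce_a, snonce_a = bytes(range(32)), bytes(range(32, 64))    # constructed
    anonce_b, snonce_b = bytes(range(64, 96)), bytes(range(96, 128))
    # Same PMK for both clients, but each handshake yields its own PTK,
    # so a capture without a client's handshake cannot be decrypted.
    ptk_a = ptk_from_handshake(pmk, ap, sta_a, anonce_a, snonce_a)
    ptk_b = ptk_from_handshake(pmk, ap, sta_b, anonce_b, snonce_b)
    return pmk, ptk_a, ptk_b

if __name__ == "__main__":
    pmk, ptk_a, ptk_b = demo()
    print("PMK  ", pmk.hex())
    print("PTK A", ptk_a.hex())
    print("PTK B", ptk_b.hex())
```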

  48. DWEP client unable to connect to the AP • Open the tulcsp1 trace file • Examine the beacon frame #2 • What channel is the AP on? • What is the data rate for the beacon? • What type of security is in use? • Set filter to not show beacons • !wlan.fc.type_subtype eq 8 • Examine the association/authentication process, why does the client not associate? • Hint: Look at frames 12 and 15

  49. Example: Slow Response problem w/wireless terminals

  50. PS-Poll and round trip response
