Basic Wireshark Packet Analysis: Common Lower-Layer Protocols (ARP, IP, TCP, UDP, ICMP)

  1. Basic Wireshark Packet Analysis: Common Lower-Layer Protocols (ARP, IP, TCP, UDP, ICMP). Ibnu Mubarok

  2. Wireshark
  • Network packet capture
  • Protocol analyzer
  • Open source
  • Runs on most operating systems

  3. How a Packet Analyzer Works
  • Collection
    • Collects raw binary data from the wire
    • Usually, the interface is switched to promiscuous mode
  • Conversion
    • Binary to readable form
  • Analysis

  4. Who uses Wireshark?
  • Network administrators use it to troubleshoot network problems
  • Network security engineers use it to examine security problems
  • Developers use it to debug protocol implementations
  • Testers use it to detect defects
  • People use it to learn network protocol internals

  5. Wireshark User Interface
  • Packet List
  • Packet Details
  • Packet Bytes

  6. Address Resolution Protocol
  • ARP is a protocol supported at the data link layer, NOT a data link layer protocol itself
  • Used to translate protocol addresses to hardware interface addresses (IP address to MAC address)
  • Why? Ethernet-based communication is addressed by MAC addresses
  • RARP --> from MAC address to IP address
  • Each node maintains an ARP cache
    • It first looks in the cache for the requested translation
    • If an entry is not used for a period (10~15 min), it is deleted

  7. ARP Mechanism

  8. ARP Security
  • There is no authentication of who may reply to an ARP request
  • Any node can spoof a reply to an ARP request
  • The receiving node will cache the reply
    • Overwrites the existing entry
    • Adds an entry if one does not exist

  9. ARP Header

  10. ARP in Wireshark
  • ARP Request - Reply
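Added example, not part of the original slides: a small Python decoder for the 28-byte ARP message of slide 9, plus a cache monitor that records when a reply changes the MAC already cached for an IP, which is the overwrite behaviour slide 8 describes. The MAC and IP addresses and the three sample messages are constructed.

```python
import struct
from collections import namedtuple
# Layout of the 28-byte ARP message for Ethernet/IPv4 (the fields shown on slide 9)
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes
ArpPacket = namedtuple("ArpPacket", "htype ptype hlen plen opcode sha spa tha tpa")

def mac_str(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)
def ip_str(b: bytes) -> str: return ".".join(str(x) for x in b)

def parse_arp(data: bytes) -> ArpPacket:
    """Decode an ARP message (Ethernet header already stripped) into readable fields."""
    if len(data) < ARP_LEN:
        raise ValueError("truncated ARP message")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:ARP_LEN])
    return ArpPacket(htype, ptype, hlen, plen, op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))

def build_arp(opcode: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a constructed ARP message for testing (opcode 1 = request, 2 = reply)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode, mac(sha), ip(spa), mac(tha), ip(tpa))

class ArpMonitor:
    """Keeps an ARP cache the way a node does (a reply overwrites the entry) and
    records every reply that changes the MAC already cached for an IP."""
    def __init__(self):
        self.cache = {}    # IP address -> MAC address
        self.alerts = []   # (ip, old_mac, new_mac)
    def observe(self, data: bytes) -> None:
        pkt = parse_arp(data)
        if pkt.opcode != 2:            # only replies populate the cache here
            return
        old = self.cache.get(pkt.spa)
        if old is not None and old != pkt.sha:
            self.alerts.append((pkt.spa, old, pkt.sha))
        self.cache[pkt.spa] = pkt.sha  # overwrite, exactly as slide 8 describes

# Constructed sample traffic: a request, the gateway's reply, then a second
# reply for the same IP from a different MAC (the case slide 8 warns about).
SAMPLE = [
    build_arp(1, "de:ad:be:ef:00:01", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(2, "00:11:22:33:44:55", "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.10"),
    build_arp(2, "66:77:88:99:aa:bb", "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.10"),
]
def run_sample() -> list:
    mon = ArpMonitor()
    for msg in SAMPLE:
        mon.observe(msg)
    return mon.alerts
```

The alert list is the same condition Wireshark surfaces in its expert info when two MACs claim one IP address in a capture.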

  11. Internet Protocol
  • IP is a connectionless, datagram-oriented, packet-forwarding protocol
  • IP sends a packet based on the destination IP address and routing information held internally within the protocol
  • Unreliable protocol
  • Best-effort delivery
  • Designed to be simple, efficient, and straightforward to implement

  12. IP Header
  • The service type field is used by some routers when deciding how to forward a datagram (quickest, cheapest, most reliable, or highest bandwidth), but it can also be set to no service type
  • IP options for routing preferences

  13. IP packet in Wireshark
  • TTL

  14. IP packet in Wireshark
  • IP Fragmentation
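Added example, not from the slides: a Python parser for the fixed IPv4 header (TTL, identification, DF/MF flags, fragment offset) and a minimal reassembler that collects fragments by (src, dst, id, protocol) until the last one (MF=0) and every byte range before it have arrived, the bookkeeping Wireshark performs when it reassembles the fragmented datagrams of slide 14. The addresses, identification and 24-byte payload are constructed; the header checksum is left zero.

```python
import struct
IP_FMT = "!BBHHHBBH4s4s"   # the fixed 20-byte IPv4 header (slide 12)

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields Wireshark shows, including TTL and the fragment fields."""
    ver_ihl, tos, total_len, ident, flags_off, ttl, proto, csum, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes (options included)
    return {"ihl": ihl, "total_length": total_len, "id": ident, "ttl": ttl, "protocol": proto,
            "df": bool(flags_off & 0x4000), "mf": bool(flags_off & 0x2000),
            "frag_offset": (flags_off & 0x1FFF) * 8,  # the offset field counts 8-byte units
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": pkt[ihl:total_len]}

def build_fragment(ident: int, mf: bool, offset: int, payload: bytes) -> bytes:
    """Constructed IPv4 fragment for the sample below (TTL 64, UDP, checksum left 0; not a capture)."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), ident, flags_off, 64, 17, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

class Reassembler:
    """Groups fragments by (src, dst, id, protocol); returns the payload once the last fragment (MF=0) is in and no gap remains."""
    def __init__(self):
        self.pending = {}
    def add(self, pkt: bytes):
        h = parse_ipv4(pkt)
        if not h["mf"] and h["frag_offset"] == 0:
            return h["payload"]                     # not fragmented at all
        key = (h["src"], h["dst"], h["id"], h["protocol"])
        entry = self.pending.setdefault(key, {"frags": {}, "total": None})
        entry["frags"][h["frag_offset"]] = h["payload"]
        if not h["mf"]:                             # the last fragment fixes the datagram length
            entry["total"] = h["frag_offset"] + len(h["payload"])
        if entry["total"] is None:
            return None
        data, pos = b"", 0
        while pos < entry["total"]:
            piece = entry["frags"].get(pos)
            if piece is None:
                return None                         # a gap remains: keep waiting
            data += piece
            pos += len(piece)
        del self.pending[key]
        return data

# Constructed sample: a 24-byte payload split into three 8-byte fragments that arrive out of order.
ORIGINAL = bytes(range(24))
FRAGMENTS = [build_fragment(0x1234, True, 8, ORIGINAL[8:16]),
             build_fragment(0x1234, False, 16, ORIGINAL[16:24]),
             build_fragment(0x1234, True, 0, ORIGINAL[0:8])]
def reassemble_sample() -> list:
    r = Reassembler()
    return [r.add(f) for f in FRAGMENTS]  # None, None, then the 24-byte payload
```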

  15. Transmission Control Protocol
  • TCP is a connection-oriented protocol
    • The client and server must establish a connection before any data can be transferred between them
  • TCP provides reliability
    • TCP knows that the data it sends is received at the other end, and that it is received correctly
    • TCP uses a checksum on both header and data
    • TCP ensures data which arrives out of sequence is put back into order

  16. TCP Header

  17. TCP Handshake
  • Client sends a SYN packet
  • Server replies with a SYN, ACK packet
  • Client sends an ACK packet

  18. TCP in Wireshark
  • TCP Handshake
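Added example, not from the slides: a Python tracker that follows the three steps of slide 17 for each client/server pair, verifying that each acknowledgement number is the peer's sequence number plus one, and then lists the handshakes that never reached ESTABLISHED. Addresses, ports and sequence numbers are constructed; teardown (FIN/RST) is not tracked.

```python
from collections import namedtuple

SYN, ACK = 0x02, 0x10                  # flag bits in the TCP header's Flags field
Segment = namedtuple("Segment", "src dst flags seq ack")   # src/dst are "ip:port" strings

class HandshakeTracker:
    """Follows the three steps of slide 17 per (client, server) pair and checks the
    acknowledgement numbers: the SYN/ACK must acknowledge the client's seq + 1 and the
    final ACK must acknowledge the server's seq + 1."""
    def __init__(self):
        self.conns = {}   # (client, server) -> [state, client_isn, server_isn]

    def feed(self, seg: Segment) -> str:
        syn, ack = bool(seg.flags & SYN), bool(seg.flags & ACK)
        if syn and not ack:                                   # step 1: client SYN
            self.conns[(seg.src, seg.dst)] = ["SYN_SENT", seg.seq, None]
            return "SYN_SENT"
        if syn and ack:                                       # step 2: server SYN/ACK
            c = self.conns.get((seg.dst, seg.src))
            if c and c[0] == "SYN_SENT" and seg.ack == (c[1] + 1) & 0xFFFFFFFF:
                c[0], c[2] = "SYN_RECEIVED", seg.seq
                return "SYN_RECEIVED"
            return "UNEXPECTED"
        if ack:                                               # step 3: client ACK (or later data)
            c = self.conns.get((seg.src, seg.dst))
            if c and c[0] == "SYN_RECEIVED" and seg.ack == (c[2] + 1) & 0xFFFFFFFF:
                c[0] = "ESTABLISHED"
                return "ESTABLISHED"
            c = c or self.conns.get((seg.dst, seg.src))       # data ACKs flow both ways
            return "DATA" if c and c[0] == "ESTABLISHED" else "UNEXPECTED"
        return "IGNORED"

    def incomplete(self) -> list:
        """Pairs whose handshake never reached ESTABLISHED (half-open connections)."""
        return sorted(k for k, c in self.conns.items() if c[0] != "ESTABLISHED")

# Constructed sample: one full handshake to port 80 and one client that only ever sent a SYN.
SAMPLE = [
    Segment("10.0.0.5:40000", "10.0.0.1:80", SYN, 1000, 0),
    Segment("10.0.0.1:80", "10.0.0.5:40000", SYN | ACK, 5000, 1001),
    Segment("10.0.0.5:40000", "10.0.0.1:80", ACK, 1001, 5001),
    Segment("10.0.0.6:40001", "10.0.0.1:80", SYN, 2000, 0),
]

def run_sample():
    t = HandshakeTracker()
    states = [t.feed(s) for s in SAMPLE]
    return states, t.incomplete()
```

Counting the entries returned by incomplete() over a capture is a quick way to see how many connections were opened without ever finishing the handshake.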

  19. User Datagram Protocol
  • Transport layer protocol
  • Connectionless protocol --> doesn't provide reliable service
    • Datagrams may arrive out of order, appear duplicated, or go missing without notice
  • Assumes error checking and correction are either not necessary or performed in the application, avoiding the overhead of such processing at the network interface level
  • Application layer protocols which use UDP typically have built-in reliability services to make the connection more reliable

  20. UDP Header
  • The UDP header length is 8 bytes, consisting of 4 fields
  • Source Port: port used to transmit the packet
  • Destination Port: port to which the packet will be transmitted
  • Packet Length: length of the packet in bytes
  • Checksum: used to ensure that the contents of the UDP header and data are intact upon arrival

  21. UDP in Wireshark
  • DNS Request
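Added example, not from the slides: a Python decoder for the four UDP header fields of slide 20, with a consistency check between the Length field and the bytes actually captured, and a reader for the queried name in the DNS request shown on slide 21. The ports, transaction id and queried name are constructed.

```python
import struct

def parse_udp(seg: bytes) -> dict:
    """Decode the 8-byte UDP header of slide 20 and check its Length field against the bytes present."""
    if len(seg) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", seg[:8])
    if length < 8 or length > len(seg):
        raise ValueError(f"UDP length {length} does not fit the {len(seg)} bytes captured")
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "payload": seg[8:length]}

def dns_question_name(payload: bytes) -> str:
    """Read the QNAME of the first question: labels of <len><chars>, terminated by a 0 byte."""
    pos, labels = 12, []             # skip the 12-byte DNS header (id, flags, four counts)
    while True:
        n = payload[pos]
        if n == 0:
            break
        if n & 0xC0:                 # compression pointers only appear in answers
            raise ValueError("unexpected compression pointer in question name")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard recursive A query for `name` (not a capture)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN

def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed UDP datagram; the checksum is left 0, which UDP over IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

SAMPLE = build_udp(51234, 53, build_dns_query("example.com"))

def describe(seg: bytes) -> tuple:
    """The essence of the Wireshark packet-list line on slide 21: ports, length, queried name."""
    h = parse_udp(seg)
    name = dns_question_name(h["payload"]) if 53 in (h["src_port"], h["dst_port"]) else None
    return h["src_port"], h["dst_port"], h["length"], name
```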

  22. Internet Control Message Protocol
  • Located in the network layer
  • Protocol for diagnostic and utility tools
  • Provides information about the availability of devices, services, or routes on a TCP/IP network
  • It is not typically used to exchange data between systems

  23. ICMP Header
  • Type: type or classification of the ICMP message
  • Code: sub-classification of the ICMP message
  • Checksum: ensures the ICMP header & data are intact
  • Variable: a portion that depends on the Type and Code fields

  24. ICMP in Wireshark
  • Ping Request - Reply
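Added example, not from the slides: a Python decoder for the ICMP header of slide 23 that verifies the checksum over header plus data, and a matcher that pairs echo requests with replies by identifier and sequence number, the way the ping view on slide 24 does. Identifiers, sequence numbers and the deliberately corrupted message are constructed.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; ICMP computes it over the whole header plus data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Decode the ICMP header of slide 23; the Variable part is interpreted for echo messages."""
    typ, code, csum = struct.unpack("!BBH", msg[:4])
    info = {"type": typ, "code": code, "checksum": csum,
            "checksum_ok": inet_checksum(msg) == 0}   # a valid message sums to zero
    if typ in (0, 8) and len(msg) >= 8:               # echo reply / echo request
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
        info["data"] = msg[8:]
    return info

def build_echo(typ: int, ident: int, seq: int, data: bytes = b"abcdefgh") -> bytes:
    """Constructed echo message with a correct checksum (sample data, not a capture)."""
    body = struct.pack("!BBHHH", typ, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def match_pings(messages) -> tuple:
    """Pair echo requests with replies by (id, seq), as the Wireshark view on slide 24 does.
    Returns (answered (id, seq) pairs, unanswered requests, messages failing the checksum)."""
    pending, answered, bad = {}, [], 0
    for m in messages:
        h = parse_icmp(m)
        if not h["checksum_ok"]:
            bad += 1
            continue
        key = (h.get("id"), h.get("seq"))
        if h["type"] == 8:
            pending[key] = h
        elif h["type"] == 0 and key in pending:
            answered.append(key)
            del pending[key]
    return answered, sorted(pending), bad

# Constructed sample: request/reply seq 1, an unanswered request seq 2, and a reply
# whose last data byte was flipped in transit so its checksum no longer verifies.
CORRUPT = bytearray(build_echo(0, 1, 3))
CORRUPT[-1] ^= 0xFF
SAMPLE = [build_echo(8, 1, 1), build_echo(0, 1, 1), build_echo(8, 1, 2), bytes(CORRUPT)]
```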

  25. Thank you
