Network Security Lab 6 Background
CS161 Computer Security, Spring 2012, UC Berkeley --- Dawn Song
Domain Name System
• Hierarchical distributed naming scheme for mapping hostnames to IP addresses
• Like the phonebook!
• User Datagram Protocol (UDP), port number 53
• A DNS query is a single UDP request from the client followed by a single UDP reply from the server.
• DNS Protocol Overview: http://www.freesoft.org/CIE/Topics/77.htm
Kaminsky Attack
• DNS Poisoning!
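To make the "single UDP request, single UDP reply" exchange concrete, and to show what a resolver has to check before trusting a reply, here is an added example (not code from the CS161 slides). It builds a DNS A query and its response from scratch, parses them back, and implements the acceptance test a resolver applies: the reply must be a response, carry the same transaction ID and question section as the outstanding query, and arrive on the UDP source port the query left from. The transaction ID 0x1A2B, the port numbers and the address 192.0.2.10 are constructed sample values.

```python
import socket
import struct

# Added example (not from the CS161 slides). All messages below are constructed
# in code; 0x1A2B is a hypothetical transaction ID and 192.0.2.10 is a
# documentation-range address, not a real record.


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """Standard A query: flags 0x0100 (RD=1), one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Response (flags 0x8180: QR=1, RD=1, RA=1) echoing the question plus one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # Answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns(msg: bytes) -> dict:
    """Parse the header, question section and answer section of a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render the IPv4 address
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def accept_reply(query: bytes, query_src_port: int, reply: bytes, reply_dst_port: int) -> bool:
    """A resolver accepts a reply only if it is a response whose transaction ID and
    question section match the query it sent, delivered to the UDP source port that
    query went out on. Everything else is dropped; a randomised source port (not just
    the 16-bit ID) is what makes blind guessing of these values expensive."""
    q, r = parse_dns(query), parse_dns(reply)
    return (r["is_response"] and q["txid"] == r["txid"]
            and q["questions"] == r["questions"] and query_src_port == reply_dst_port)


if __name__ == "__main__":
    q = build_query(0x1A2B, "example.com")
    r = build_response(0x1A2B, "example.com", "192.0.2.10")
    print(parse_dns(q))
    print(parse_dns(r))
    print("accepted:", accept_reply(q, 51000, r, 51000))
    print("wrong txid accepted:",
          accept_reply(q, 51000, build_response(0x1A2C, "example.com", "192.0.2.10"), 51000))
```

When you look at DNS traffic in Wireshark, the fields this code checks are the ones to compare between the query and the reply that follows it: the transaction ID, the question name/type, and the UDP ports. A reply that matches a query's ID but arrives at a different port, or answers a question that was never asked, is exactly the kind of packet a resolver must discard.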
Wireshark
• Network protocol analyzer
• PCAP trace format
• A variety of languages have pcap libraries
• Capture filters
• Trace filters
• Analyze TCP streams, HTTP traffic, etc.
Example: filtering HTTP and TCP traffic
Wireshark Useful Filters
• ip.addr == 10.0.0.1: sets a filter for any packet with 10.0.0.1 as either the source or the destination
• ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2: sets a conversation filter between the two defined IP addresses
• http or dns: sets a filter to display all HTTP and DNS traffic
• tcp.port == 4000: sets a filter for any TCP packet with 4000 as the source or destination port
• tcp.flags.reset == 1: displays all TCP resets
http://www.lovemytool.com/blog/2010/04/top-10-wireshark-filters-by-chris-greer.html
Wireshark Useful Filters
• http.request: displays all HTTP GET requests
• tcp contains traffic: displays all TCP packets that contain the word 'traffic'. Excellent when searching for a specific string or user ID
• !(arp or icmp or dns): masks out ARP, ICMP, DNS, or whatever other protocols may be background noise, allowing you to focus on the traffic of interest
• udp contains 33:27:58: sets a filter for the hex values 0x33 0x27 0x58 at any offset in the UDP payload
• tcp.analysis.retransmission: displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss
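The slides mention the PCAP trace format, the option of writing your own analysis with a pcap library, and a set of display filters. The following added example (not code from the CS161 slides or from Wireshark) ties those together: it reads the classic libpcap file layout with nothing but the standard library, decodes Ethernet/IPv4/UDP/TCP into Wireshark-style field names, and implements Python equivalents of the filters listed above (ip.addr, the two-address conversation filter, tcp.port, tcp.flags.reset, and the udp/tcp contains byte search). The trace it reads is fabricated in code; the 10.0.0.x addresses, ports and payloads are invented sample values.

```python
import socket
import struct

# Added example (not from the CS161 slides): a minimal reader for the classic
# libpcap file format plus Python equivalents of the slides' display filters.
# The trace is constructed below; addresses, ports and payloads are invented.

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


# --- builders used only to fabricate the sample trace -------------------------
def pcap_global_header() -> bytes:
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype (little-endian writer)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)

def pcap_record(ts_sec: int, frame: bytes) -> bytes:
    # ts_sec, ts_usec, incl_len, orig_len, then the captured frame bytes
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame

def ethernet(payload: bytes) -> bytes:
    # dst MAC, src MAC (locally administered sample values), EtherType 0x0800 = IPv4
    return b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00" + payload

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Header checksum left as 0: the parser below does not verify it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def tcp(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    # seq, ack = 0; data offset 5 words (20-byte header, no options); checksum 0
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload

SAMPLE_PCAP = pcap_global_header() + b"".join([
    pcap_record(1, ethernet(ipv4("10.0.0.1", "10.0.0.2", 6, tcp(40000, 4000, 0x02)))),  # SYN
    pcap_record(2, ethernet(ipv4("10.0.0.2", "10.0.0.1", 6, tcp(4000, 40000, 0x04)))),  # RST
    pcap_record(3, ethernet(ipv4("10.0.0.1", "10.0.0.3", 17, udp(51000, 53, b"\x33\x27\x58\x01\x00")))),
    pcap_record(4, ethernet(ipv4("10.0.0.3", "10.0.0.1", 6, tcp(80, 40001, 0x18, b"HTTP/1.1 200 OK\r\nX: traffic\r\n")))),
])


# --- parser ---------------------------------------------------------------------
def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/{UDP,TCP} into Wireshark-style field names."""
    pkt = {"raw": frame}
    if frame[12:14] != b"\x08\x00":
        return pkt  # not IPv4; only the raw bytes are exposed
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt["ip.src"], pkt["ip.dst"] = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    if ip[9] == 17:  # UDP
        sport, dport, length = struct.unpack("!HHH", l4[:6])
        pkt["udp.srcport"], pkt["udp.dstport"], pkt["udp.payload"] = sport, dport, l4[8:length]
    elif ip[9] == 6:  # TCP
        sport, dport = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4
        pkt["tcp.srcport"], pkt["tcp.dstport"] = sport, dport
        pkt["tcp.flags.reset"] = bool(l4[13] & 0x04)
        pkt["tcp.payload"] = l4[doff:]
    return pkt

def read_pcap(data: bytes) -> list:
    """Walk the record list of a classic pcap file (either byte order)."""
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond variants unsupported)")
    packets, offset = [], 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        packets.append(parse_frame(data[offset:offset + incl_len]))
        offset += incl_len
    return packets


# --- display-filter equivalents ---------------------------------------------------
def ip_addr(pkt, addr):                  # ip.addr == addr  (source OR destination)
    return addr in (pkt.get("ip.src"), pkt.get("ip.dst"))
def conversation(pkt, a, b):             # ip.addr == a && ip.addr == b
    return ip_addr(pkt, a) and ip_addr(pkt, b)
def tcp_port(pkt, port):                 # tcp.port == port (source OR destination)
    return port in (pkt.get("tcp.srcport"), pkt.get("tcp.dstport"))
def tcp_reset(pkt):                      # tcp.flags.reset == 1
    return pkt.get("tcp.flags.reset", False)
def contains(pkt, proto, needle: bytes): # udp contains / tcp contains, at any offset
    return needle in pkt.get(proto + ".payload", b"")
def apply_filter(packets, predicate):
    return [p for p in packets if predicate(p)]

if __name__ == "__main__":
    pkts = read_pcap(SAMPLE_PCAP)
    print("tcp.flags.reset == 1 ->", len(apply_filter(pkts, tcp_reset)))
    print("udp contains 33:27:58 ->", len(apply_filter(pkts, lambda p: contains(p, "udp", bytes.fromhex("332758")))))
```

Two details worth noticing: ip.addr and tcp.port match either direction, which is why a single-address filter returns both halves of a conversation, and the contains filters search the transport payload at any offset, so a hex pattern such as 33:27:58 matches inside a DNS message regardless of where it sits. The reader handles only the classic pcap header; files saved by recent Wireshark versions default to pcapng, which this example deliberately rejects rather than misparse.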
Notes
• Feel free to use any tools to analyze the data
• Or, write your own! PCAP libraries exist for a variety of popular languages.
• Recall GET, POST, cookies and sessions
• HTTP data may be gzipped!
• A total of 3 questions
• Work in pairs
• Finish quickly and then work on the project!