1 / 30

Network Analysis & Sniffing

Department of Engineering Science EE 465 (CES 440) - Intro. to Networking & Network Management An Intro to Network Analyzers. Network Analysis & Sniffing. Process of capturing, decoding , & analyzing network traffic I nterested to know Why is the network slow

timothyc
Download Presentation

Network Analysis & Sniffing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Department of Engineering ScienceEE 465 (CES 440) - Intro. to Networking & Network Management An Intro to Network Analyzers

  2. Network Analysis & Sniffing • Process of capturing, decoding, & analyzing network traffic • Interested to know • Why is the network slow • What is the network traffic pattern & congestion • Source & destination of the packets • Security issues • How is the traffic being shared between nodes • Sniffing be used for both good & bad purposes • Also known as • traffic analysis, protocol analysis, sniffing, packet analysis, eavesdropping*, etc. • *Listen secretly to what is said in private!

  3. Network Analyzer • A combination of hardware & software tools that can detect, decode, & manipulatetraffic on the network • Passive monitoring (detection) - Difficult to detect • Active (attack) • Available both free & commercially • Mainly software-based (utilizing OS & NIC) • Also known as sniffer • A program that monitors the data traveling through the network passively • Common network analyzers • Wireshark / Ethereal • WinDump - Windows version of tcpdump, network analyzer for Unix • Dsniff– a set of password sniffing & network traffic analysis tool • Etherpeak & much more… Read: “Basic Packet-Sniffer Construction from the Ground Up” by Chad Renfro & checkout his program: sniff.c NIC = Network Interface Card

  4. Network Analyzer - Components • Hardware • NIC Card • Buffer • Memory (disk or ram) • Special hardware devices for • CRC & Parity Errors • Jitter (random timing variation) • Jabber (failure to handle electrical signals) • Capture driver • Capturing the data (storage based) • Real-time analysis • Analyze the traffic in real time • To detect intrusions • Decoder • Make data readable Capturing the data is easy! The question is what to do with it & how to analyze it effectively CRC = Cyclic Redundancy Checkc

  5. Who Uses Network Analyzers • System administrators • Identify system problems & • Analyze performance • Malicious individuals (intruders) • Capture cleartext data • Passively collect data on vulnerable protocols • FTP, HTTP, IMAP, POP3, rlogin, SNTP, etc. • Capture VoIP data • Mapping the target network • Traffic pattern discovery • Actively break into the network (backdoor techniques) • Test engineers • Protocol analyzers can also generate traffic & thus act as the reference device • IMAP = Internet Message Access Protocol • POP3=Post Office Protocol version 3 (Internet email protocol) • HTTP=Hypertext Transfer Protocol (web protocol) • SNTP= Simple Network Time Protocol (SNTP) is a protocol built on to top of TCP/IP to assume accurate time keeping with reference to radio, atomic, or other clocks located on the Internet & synchronize. Cleartext = not encrypted

  6. Basic Operation • Ethernet traffic is broadcast to all nodes on the same segment • Sniffer can capture all the incoming data when the NIC is in promiscuous(not restricted to one port) mode: • ifconfig eth0 promisc • Default setup is non-promiscuous • To restrict sniffer to receive data only destined for the NIC • ifconfig eth0 –promisc • If switches are used, the sniffer must perform port spanning • Also known as port mirroring • The traffic to each port is mirrored to the sniffer In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. restricted to one port (as in a Switch). Note: Packet sniffers operate in a promiscuous mode which listens to all packets weather or not the packet is destined for the machines MAC address.

  7. Review: Hub, Switch, & Span Port

  8. Port Monitoring • Assume the sniffer (@ port 5) is to monitor the data on computer A (port 1). • Port 5 needs first to be spanned to port 1 (port spanning). • The sniffer can now monitor the data destined to Computer A.

  9. Protecting Against Sniffers • Spoofing the MACis often referred to changing the MAC address (in Linux:) • ifconfig eth0 down • ifconfig eth0 hw ether 00:01:02:03:04:05 • ifconfig eth0 up • Register the new MAC address by broadcasting it • ping –c 1 –b 192.168.1.1 • To detect a sniffer (Linux) • Download Promisc.c • ifconfig -a (search for promisc) • ip link (search for promisc) • To detect a sniffer (Windows) • Download PromiscDetect ping –b Allows pinging a broadcast address. Remember: 00:01:02:03:04:05 is a sample 48-bit MAC (Medium Access Control) address MAC address (HWaddr)= OUI (higher 24 bits ) + Unique NIC # (lower 24 bits) OUI = Organizationally Unique Identifier= Vender Address, NIC = Network Interface Card See https://support.citrix.com/article/CTX116493

  10. Protecting Against Sniffers • Using switches(instead of hub) can help • Use data encryption if possible • Make the intercepted data unreadable Note: in many protocols the packet headers are clear text! • VPNs use encryption & authorization for secure communications • VPN Methods • Secure SHell(SSH): headers are not encrypted • Secure Sockets Layer (SSL): high network level packet security; headers are not encrypted • IPsec: Encrypted headers but does not use TCP or UDP Remember: Never use unauthorized sniffers at work!

  11. What is Wireshark? • Formerly called Ethereal • An open source program • Free with many features • Runs on Windows, Mac, & Ubuntu. • Decodes over 750 protocols. • Compatible with many other sniffers & plenty of online resources are available. • Wireshark software captures & examines a packet trace. • A packet trace is like a snapshot record of the traffic passing over the wire at an interface. • The packet trace records a timestamp for each packet, along with the bits that make up the packet • from the lower-layer headers to the higher-layer contents. • Wireshark provides a graphical display of the sequence of packets & color-codes the headers at each layer by their type. • It provides ways to filter & analyze packets for the user to investigate the behavior of network protocols. • It is widely used to troubleshoot networks. Remember: You must have a good understanding of the network before you use Wireshark & Sniffers effectively!

  12. How to Install Wireshark? • In Ubuntu screen, go to “Dash board” • Search for “Wireshark” & Install, or • Go to Firefox in UBUNTU & Google “Wireshark for Ubuntu 18.04” & follow the instruction • You can also download it using a “Terminal” page by command: sudo apt-get install wireshark • You can also download the Wireshark program from • www.wireshark.org/download.html • Requires to install capture drivers • monitor ports & capture all traveling packets

  13. What Does Wireshark Window Look Like? Menu Bar Tool Bar Filter Bar Top panel Packet List Frame view Middle panel Frame content, in HEX bottom panel

  14. Packet number 8 – BGP (Border Gateway Protocol) Protocol Tree Window: Details of the selected packet (#8) Raw data (content of packet # 8)

  15. Filtering BGP packets only

  16. How to Capture / Monitor Packets by Wireshark? • To capture, e.g.,6 ping packets at eth2 interface, invoke Wireshark. • You need to have root authority & for that, either • Open a Terminal page & enter “sudowireshark -i eth2 -c 6”, OR • Click the Wireshark icon on Ubuntu screen & use the “Capture Options • Interface, select “eth2” • Capture Filter, leave blank (or use “icmp” since only ping commands are being exchanged at eth2 • Stop Captureafter “6” packets. • Click “Start” & observe the Wireshark capturing the ping packets. You can go to site bellow to see some Wireshark screenshots. • Capture menu example: https://www.wireshark.org/docs/wsug_html_chunked/ChUseCaptureMenuSection.html#ChUseWiresharkCaptureMenu

  17. OSI Stack TCP/IP Stack Application File Transfer Protocol (FTP) RFC 959 Hypertext Transfer Protocol (HTTP) RFC 2616 Simple Mail Transfer Protocol (SMTP) RFC 821- 822 TELNET (Terminal Emulation) RFC 854, 861 Simple Network Management Protocol (SNMP)RFC 1441- 1452 Domain Name Syatem (DNS)RFC 1034- 1035 Video and Voice over IP Presentation .. Session Transmission Control Protocol (TCP) RFC 793, 1122, 1323 User Datagram Protocol (UDP), RFC 768 Transport Network Address Resolution ARP RFC 826 RARP RFC 903 Internet Protocol (IP) RFC 791 Internet Control Message Protocol (ICMP) RFC 792 Data Link Network Interface Cards: Ethernet, Token Ring, RFC 894, RFC 1042, RFC 1231 Physical Transmission Media: Twisted Pair, Coax, or Fiber Optics • Notes: • Other applications: Security, .. • Trivial FTP (TFTP, RFC 783) runs over UDP • Original RFCs are shown. For updated RFCs go to http://www.ietf.org Overview of OSI & TCP/IP Protocol Suites

  18. App TCP Send primitive Deliver primitive NL DL DT Phy Appendix – TCP Exchanges Data

  19. Appendix - TCP/IP Stack • Application– contains application • Transport– carries each application • Provides reliable end-to-end transport • Can be connectionless (UDP) or connection oriented (TCP) • Connection oriented requires ACK • Network- carries packet from source to destination • Logical addressing (IP, Internet Protocol) • Link - carries IP packets between adjacent network devices in a frame • Physical - carries the bits • IEEE Link Layer ) has 2 sublayers: • MAC (Medium Access Control): Hardware address - moves packets from one NIC card to another • LLC (Logical Link Control): Flow control, Error control

  20. Properties of Layers of TCP/IP Stack • Ethernet header & Trailer = 8(preamble) + 6(Source MAC) + 6(Destination MAC) +2 (Type) +4 (FCS) = 26 Octets • IEEE 802.2 LLC header & Trailer = 8(preamble & SOF) + 6(Source MAC) + 6(Destination MAC) +2 (Length) + 4(LLC) + 4(FCS) = 30 Octets

  21. Review for Midterm Exam • Midterm exam, Wednesday, 10/9/19, @9AM • Closed Book, Closed Notes, No Cell Phone, 100 points, 60 minutes • Go through the slides & video clips we went through in the class. • Study your graded reports esp. the intro paragraph & my comments. • Will have several questions on Linux commands. • For ifconfig, ping, wiresharkcommands explain • what they are, • what they do, • what protocol they use, & • how they are applied. • Distinguish between IP & Ethernet or MAC addressing • How to attach an ip address to an Ethernet port? • How to change the Read/Write/Execute permissions of files & folders? • How to make a file executable? • Write a program/script in Linux. • What does protocol analyzer do (monitor, capture, decode, analyze) in detail? • What are the advantages & disadvantages of hubs and switches in detail? • What does a switch do to make reduce unnecessary broadcasting frames to all ports? • Data units of each layer of TCP/IP protocol stack.

  22. Review for Midterm Exam (cont.) • Capabilities & advantages/disadvantages of TCP. • Capabilities & advantages/disadvantages of UDP. • URL and its components (name, address, protocol). • Addressing in all layers – local or remote. • For DNS & HTTP explain • what they do, • what service they provide • what protocol carries them, and • what server port they use to access? • Take an application, how is it encapsulated in detail as it goes from the application layer to the physical layer of the TCP/IP stack? For practical exam • Perform one of the experiments we did so far, 30 min • For # of octets of each field, high-light the field in the middle panel and check the high-lighted area in the lower panel. • For the Hex or Text value of the any field, high-light the field in the middle panel and check the high-lighted Hex or text value in the lower panel.

  23. Wireshark Display of Hex & Text Value of a Field

  24. Appendix - Ethernet & IEEE 802.3 • Ethernet - most popular protocol standard to enable computer communication • 2nd Layer protocol • Based on shared medium & broadcasting • Close to IEEE 802.3 • Ethernet address is called MAC address • 48 bit HW address coded in the Network Interface Card (NIC) • 1st 24 bits represent the vender • 2nd 24 bits represent the NIC • To get the Hardware address from IP address, use “arp –a” FSC = Frame Check Sequence (to check bit errors) SOF = Start of Frame Delimiter (to start the frame) Type defines the protocol Ethernet is carrying, 0x800 for IP, 0x0806 for ARP, 0x0810 for VLAN-tagged frame IEEE802.1Q Length includes IEEE802.2 LLC bytes & data bytes MAC = Medium Access Control, 6-byte hardware address:

  25. Appendix - Internet Packet (IP) Format Physical & Link Header L3 (Internet) Header L4 (Transport) header L5 (Application) header Data (digitized data, voice, video) • Headers L3 (IP) Header

  26. Appendix –ARP Packet Format

  27. Appendix – TCP Segment Format L4 Header: (TCP) Options field can be up to 40 Octets (320 bits) long. The length is determined by the “Data Offset” field. https://en.wikipedia.org/wiki/Transmission_Control_Protocol L4 Header: User Datagram (UDP)

  28. ASCII (American Standard Code for Information Interchange) Table https://en.wikipedia.org/wiki/ASCII

  29. Extended ASCII Table https://en.wikipedia.org/wiki/ASCII

  30. References • “Introduction to Wiresharkl”, Dr. Farid Farahmand, Fall 2014 • "Packet analyzer", Wikipedia, March 2013.. • “Wireshark User’s Guide”, For Wireshark 1.99. • “Wireshark Installation & packet Chapter”, August 2011. • https://www.wireshark.org/docs/wsug_html_chunked/ChUseCaptureMenuSection.html#ChUseWiresharkCaptureMenu for capture menu.

More Related