Packets and Protocols - SC4 CIS Student Sites

Packets and Protocols
Chapter 2: Introducing Wireshark

What is Wireshark?
– An open source, freeware-licensed protocol analyzer
– Works in promiscuous and non-promiscuous modes
– Can capture data live or read it from a file
– Configurable GUI that is easy to read
– Supports multiple capture file formats for import and export (25 different formats)
– Can capture wired or wireless data
– Supports 750 protocols (we won't cover them all)
– Runs on over 20 different platforms

• Jerry Combs invented Ethereal in 1997 out of the need for an analysis tool
– The first version was released in 1998 and was a huge hit
– Prior to this, Network General's Sniffer tool dominated

• Its primary strength is its large support of sniffer file formats and protocols
– There is a ridiculously large list of file formats and supported protocols on pages 55-58

• The user interface – Summary Pane:
– Packet number
– Time
– Source Address (SA)
– Destination Address (DA)
– Name of the highest-level protocol
– Information on the highest-level protocol

• The user interface – Detail Pane:
– Tree-like structure that details each layer of each packet
– Analyzes the packets within each protocol

• The user interface – Data Pane:
– Contains the raw data
– Data displayed in hex and in text

• Analysis filters
– The recommended technique is to capture with no filters and then filter the capture file
– There are many ways to filter this data, either during the capture or during the display

Internet Protocol (IP) display filter fields

Field Name                  | Description                      | Type
----------------------------|----------------------------------|------------------------
ip.addr                     | Source or Destination Address    | IPv4 address
ip.checksum                 | Header checksum                  | Unsigned 16-bit integer
ip.checksum_bad             | Bad Header checksum              | Boolean
ip.dsfield                  | Differentiated Services field    | Unsigned 8-bit integer
ip.dsfield.ce               | Explicit Congestion Notification | Unsigned 8-bit integer
ip.dsfield.dscp             | Differentiated Services Codepoint| Unsigned 8-bit integer
ip.dst                      | Destination                      | IPv4 address
ip.flags                    | Flags                            | Unsigned 8-bit integer
ip.flags.df                 | Don't fragment                   | Boolean
ip.flags.mf                 | More fragments                   | Boolean
ip.frag_offset              | Fragment offset                  | Unsigned 16-bit integer
ip.fragment                 | IP Fragment                      | Frame number
ip.fragment.error           | Defragmentation error            | Frame number
ip.fragment.multipletails   | Multiple tail fragments found    | Boolean
ip.fragment.overlap         | Fragment overlap                 | Boolean
ip.fragment.toolongfragment | Fragment too long                | Boolean
ip.fragments                | IP fragments                     | No value
ip.hdr_len                  | Header length                    | Unsigned 8-bit integer
ip.id                       | Identification                   | Unsigned 16-bit integer
ip.len                      | Total length                     | Unsigned 16-bit integer
ip.proto                    | Protocol                         | Unsigned 8-bit integer
ip.reassembled_in           | Reassembled IP in frame          | Frame number
ip.src                      | Source                           | IPv4 address
ip.tos                      | Type of service                  | Unsigned 8-bit integer
ip.tos.cost                 | Cost                             | Boolean
ip.tos.delay                | Delay                            | Boolean
ip.tos.precedence           | Precedence                       | Unsigned 8-bit integer
ip.tos.reliability          | Reliability                      | Boolean
ip.tos.throughput           | Throughput                       | Boolean
ip.ttl                      | Time-to-live                     | Unsigned 8-bit integer
ip.version                  | Version                          | Unsigned 8-bit integer
Filter modifiers

Modifier                 | Designator | Symbol
-------------------------|------------|-------
Equal                    | EQ         | ==
Not Equal                | NE         | !=
Greater Than             | GT         | >
Less Than                | LT         | <
Greater than or Equal to | GE         | >=
Less than or Equal to    | LE         | <=

• Supporting programs
– TShark: a command line version of Wireshark
– Editcap: used to remove packets from a file, and to translate the format of capture files
– Mergecap: merges capture files together
– Text2pcap: reads text and converts it to a capture file

• Placement of the sniffer is critical

• Remote sniffer options
– Sniffer PC running Windows RDP

• General network troubleshooting
1. Recognize the symptoms
2. Define the problem
3. Analyze the problem
4. Isolate the problem
5. Identify and test the cause of the problem
6. Solve the problem
7. Verify that the problem has been solved

• General network troubleshooting
1. Recognize the symptoms
– Very few problems are found by the administrators
– Was a change made recently?
– What is happening right now that is different?

• General network troubleshooting
2. Define the problem
– It sounds obvious, but you must know what the problem is before you solve it.
– Single user? Multiple users?
– LAN or WAN (or both)?
– Single/multiple applications affected?

• General network troubleshooting
3. Analyze the problem
– Gather data
– What does work?
– Who does it work for?
– Why is it working?
– How does it differ?

• General network troubleshooting
4. Isolate the problem
– Isolation may be necessary so that the problem will not spread.
– Can you disconnect a server, a link, a firewall?

• General network troubleshooting
5. Identify and test the cause of the problem
– Can the test be done "live"?
– Can the test be done in a lab setting?
– It is important not to make the problem worse.

• General network troubleshooting
6. Solve the problem
– Decide when the problem can be solved
– Immediately?
– Is a change window needed?
– Who will need to be involved?
– What teams? Management? SMEs?

• General network troubleshooting
7. Verify that the problem has been solved
– Test the solution
– Monitor the solution to be sure it stays fixed
– Document the problem!

• You must also wear many hats!

• The blame game
– "System administrators are notorious for asking if there is something wrong with the network, and network administrators are notorious for saying the problem is within the system"
• It is not enough to prove the network isn't the problem; you often have to fix the problem no matter what it is or where it is.

• When troubleshooting, start from layer one and work up the protocol stack
– How many are affected?
– Did this work before? If so, what changed?
– Do you have network connectivity?
– Can you see the MAC address in the switch?
– Can you ping the device?
– Is TCP functioning? Is UDP functioning?

Scenario 1: SYN, no SYN+ACK
If your Wireshark capture shows that the client is sending a SYN packet, but no response is received from the server, the server is not processing the packet. It could be that a firewall between the two hosts is blocking the packet, or that the server itself has a firewall running on it.

Scenario 2: SYN, immediate RST response
If your Wireshark capture shows that the server is responding with the reset (RST) flag, the destination server is receiving the packet but there is no application bound to that port. Make sure that your application is bound to the correct port on the correct IP address.

Scenario 3: SYN, SYN+ACK, ACK, connection closed
If your Wireshark capture shows that the TCP connection is established and that it immediately closes, the destination server may be rejecting the client's IP address due to security restrictions. On UNIX systems, check the tcpwrappers files /etc/hosts.allow and /etc/hosts.deny and verify that you haven't inadvertently blocked communication.
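The three scenarios can be recognized mechanically. The following added example (not part of the original slides) sorts each connection attempt in a list of TCP packets into the same categories: a SYN with nothing back, a SYN answered by RST, or a completed handshake that closes without carrying data. The packets are a constructed sample; the `Pkt` tuple, the category names and the helper functions are this example's own, and in practice the tuples would be produced from a capture with tshark's -T fields output.

```python
# Added example, not from the slides: classify each TCP connection attempt in
# a capture summary into the three scenarios above (plus the healthy case).
# Pkt, the category names and the sample packets are this example's own; real
# input would be built from tshark output, e.g.
#   tshark -r file.pcap -T fields -e frame.number -e ip.src -e tcp.srcport \
#          -e ip.dst -e tcp.dstport -e tcp.flags.str
from collections import defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    frame: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # e.g. frozenset({"SYN", "ACK"})


EXPLANATIONS = {
    "no-response": "Scenario 1: SYN but no SYN+ACK; look for a firewall in the path or on the server",
    "reset": "Scenario 2: server reachable, but no application is bound to that port/IP",
    "closed-after-handshake": "Scenario 3: established then closed at once; check access controls "
                              "such as tcpwrappers (/etc/hosts.allow, /etc/hosts.deny)",
    "established": "handshake completed and data flowed",
    "handshake-incomplete": "server sent SYN+ACK but the client never acknowledged it",
    "unexpected": "server's first packet was neither SYN+ACK nor RST",
    "no-syn": "capture started mid-stream; no handshake to judge",
}


def _flow_key(p):
    """One key for both directions of a connection."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def classify_flow(pkts):
    """Classify the packets (in frame order) of a single flow."""
    syn = next((p for p in pkts if p.flags == {"SYN"}), None)
    if syn is None:
        return "no-syn"
    client = (syn.src, syn.sport)
    later = [p for p in pkts if p.frame > syn.frame]
    from_server = [p for p in later if (p.src, p.sport) != client]
    if not from_server:
        return "no-response"              # only the client's (re)transmitted SYNs
    first = from_server[0]
    if "RST" in first.flags:
        return "reset"
    if first.flags != {"SYN", "ACK"}:
        return "unexpected"
    after = [p for p in later if p.frame > first.frame]
    if not any(p.flags == {"ACK"} and (p.src, p.sport) == client for p in after):
        return "handshake-incomplete"
    closing = any("FIN" in p.flags or "RST" in p.flags for p in after)
    data = any("PSH" in p.flags for p in after)
    if closing and not data:
        return "closed-after-handshake"
    return "established"


def classify_capture(packets):
    """Map (client ip, client port, server ip, server port) -> category."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.frame):
        flows[_flow_key(p)].append(p)
    result = {}
    for pkts in flows.values():
        syn = next((p for p in pkts if p.flags == {"SYN"}), None)
        head = syn if syn else pkts[0]
        result[(head.src, head.sport, head.dst, head.dport)] = classify_flow(pkts)
    return result


F = frozenset
# Constructed sample: four connection attempts from 10.0.0.5 to 10.0.0.20.
SAMPLE = [
    Pkt(1, "10.0.0.5", 50001, "10.0.0.20", 22, F({"SYN"})),
    Pkt(2, "10.0.0.5", 50001, "10.0.0.20", 22, F({"SYN"})),           # retransmission
    Pkt(3, "10.0.0.5", 50002, "10.0.0.20", 8080, F({"SYN"})),
    Pkt(4, "10.0.0.20", 8080, "10.0.0.5", 50002, F({"RST", "ACK"})),
    Pkt(5, "10.0.0.5", 50003, "10.0.0.20", 23, F({"SYN"})),
    Pkt(6, "10.0.0.20", 23, "10.0.0.5", 50003, F({"SYN", "ACK"})),
    Pkt(7, "10.0.0.5", 50003, "10.0.0.20", 23, F({"ACK"})),
    Pkt(8, "10.0.0.20", 23, "10.0.0.5", 50003, F({"FIN", "ACK"})),   # closed at once
    Pkt(9, "10.0.0.5", 50004, "10.0.0.20", 80, F({"SYN"})),
    Pkt(10, "10.0.0.20", 80, "10.0.0.5", 50004, F({"SYN", "ACK"})),
    Pkt(11, "10.0.0.5", 50004, "10.0.0.20", 80, F({"ACK"})),
    Pkt(12, "10.0.0.5", 50004, "10.0.0.20", 80, F({"PSH", "ACK"})),   # request data
]

if __name__ == "__main__":
    for key, category in classify_capture(SAMPLE).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {category}: {EXPLANATIONS[category]}")
```

The client is identified as the sender of the bare SYN, so the same code works regardless of which endpoint's address sorts first. The rule for Scenario 3 (a FIN or RST after the handshake with no PSH in between) is this example's simplification of "immediately closes"; a production version would also look at the elapsed time.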

• Using Wireshark for security administration
– Wireshark has the ability to reassemble packets, which allows you to piece together the conversation
• Detecting unauthorized web access
• Detecting internet chat activity
• Detecting on-line gaming

• Wireshark as a Network Intrusion Detection System
– Unauthorized connections
– Unauthorized sweeps
– Redirections to other ports/IPs
– RDP usage from outside
  • Mikogo
  • pcAnywhere
  • etc.

• Optimizing your protocol analyzer
– Have a fast enough PC
  • CPU
  • Memory
  • Disk space
– Match the NIC speed/duplex with the source of the traffic being gathered
– Strip the extras down
  • Failure to do so may result in lost data
– Don't update the list of packets in real time
– No name resolution
– Dump first using TCPDUMP/WinDump or TShark, then load into Wireshark

• Advanced sniffing – Wireshark alternatives
– DSNIFF – used to dissect IDs/passwords for:
  ■ America Online (AOL) Instant Messenger (IM)
  ■ Citrix WinFrame
  ■ CVS
  ■ File Transfer Protocol (FTP)
  ■ HTTP
  ■ I Seek You (ICQ)
  ■ IMAP
  ■ IRC
  ■ Lightweight Directory Access Protocol (LDAP)
  ■ Remote Procedure Call (RPC) mount requests
  ■ Napster
  ■ Network News Transfer Protocol (NNTP)
  ■ Oracle SQL*Net
  ■ ...and others

• Dsniff uses many techniques to gather password data
– arpspoof – makes other devices think that your device is the default gateway
– dnsspoof – redirects responses to DNS servers
– mailsnarf – homes in on mail passwords
– webspy – allows you to eavesdrop on web sessions
– urlsnarf – saves all URLs crossing the wire

• Other attacks
– MITM – can defeat SSH/HTTPS
– Cracking – dictionary hacks, brute force
– ARP spoofing – substitute your MAC for the DG MAC and you become the DG
– MAC flooding – overloads switches so they act like hubs
– Routing hacks – send false routes (i.e. default route)

• Protecting your network from sniffers
– Use switches, not hubs
– Shut down unused ports
– Do not allow more than one MAC per port
– Turn on port security (labor intensive)
– Physical security
– SSH
  • Secure TELNET replacement
– SSL/HTTPS
  • Secure replacement for HTTP
  • Can be used as a VPN conduit
– PGP
  • Works with S/MIME to secure e-mail

Sniffer detection
• IPCONFIG/IFCONFIG
– See if the NIC is running in promiscuous mode
• DNS lookups
– Since sniffers can resolve DNS addresses, see who is doing most of your DNS lookups
• Latency
– A consistently slow PC could be slow because it is running sniffer software
• Bugs
– Sometimes sniffers display unique attributes
• NetMon
– NetMon can detect other NetMon applications
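Two of these checks in code, as an added example that is not from the slides: the first looks for the PROMISC flag in the output of `ip link show` (the modern Linux counterpart of the ifconfig check, assumed to be run on the suspected host itself), the second counts DNS queries per client, and specifically reverse (PTR) lookups, from a query summary, since a sniffer that resolves the names of the hosts it sees produces an unusual number of them. Both the interface listing and the DNS lines are constructed sample data, and the function names are this example's own.

```python
# Added example, not from the slides: two sniffer-detection checks.
#  (1) promiscuous_interfaces: parse `ip link show` output for the PROMISC
#      flag (Linux; run on the host you suspect).
#  (2) dns_lookups_per_host / suspicious_resolvers: count DNS queries per
#      source, singling out reverse (in-addr.arpa) lookups, which a sniffer
#      that resolves every address it sees generates in bulk.
# The interface listing and the DNS lines below are constructed sample data.
import re
import subprocess
from collections import Counter

# Constructed sample of `ip link show` output: eth1 is in promiscuous mode.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff
"""

# "2: eth0: <FLAGS,...>"; tolerates names like "eth0@if5".
IFACE_LINE = re.compile(r"^\d+:\s+([^:\s@]+)(?:@\S+)?:\s+<([^>]*)>")


def promiscuous_interfaces(ip_link_output):
    """Names of interfaces whose flag list contains PROMISC."""
    found = []
    for line in ip_link_output.splitlines():
        m = IFACE_LINE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def promiscuous_interfaces_live():
    """Run `ip link show` on this Linux host and check it (not used offline)."""
    out = subprocess.run(["ip", "link", "show"], capture_output=True,
                         text=True, check=True).stdout
    return promiscuous_interfaces(out)


# Constructed DNS query summary: one "<source ip>\t<queried name>" line per
# standard query, the shape `tshark -T fields -e ip.src -e dns.qry.name`
# would produce. 10.0.0.9 is reverse-resolving every address on the LAN.
SAMPLE_DNS = """\
10.0.0.5\twww.example.com
10.0.0.5\tmail.example.com
10.0.0.9\t34.216.184.93.in-addr.arpa
10.0.0.9\t1.0.0.10.in-addr.arpa
10.0.0.9\t20.0.0.10.in-addr.arpa
10.0.0.9\t7.0.0.10.in-addr.arpa
10.0.0.9\t5.0.0.10.in-addr.arpa
10.0.0.12\tupdates.example.net
"""


def dns_lookups_per_host(summary):
    """Return (total queries per source, reverse lookups per source)."""
    total, reverse = Counter(), Counter()
    for line in summary.splitlines():
        if not line.strip():
            continue
        src, name = line.split("\t", 1)
        total[src] += 1
        if name.rstrip(".").endswith(".in-addr.arpa"):
            reverse[src] += 1
    return total, reverse


def suspicious_resolvers(summary, min_reverse=3):
    """Sources issuing at least min_reverse PTR lookups, busiest first."""
    _, reverse = dns_lookups_per_host(summary)
    return [src for src, n in reverse.most_common() if n >= min_reverse]


if __name__ == "__main__":
    print("promiscuous:", promiscuous_interfaces(SAMPLE_IP_LINK))
    total, reverse = dns_lookups_per_host(SAMPLE_DNS)
    print("queries per host:", total.most_common())
    print("suspected resolving sniffers:", suspicious_resolvers(SAMPLE_DNS))
```

Neither check is conclusive on its own (a legitimate monitoring host runs promiscuous too, and a mail server does many reverse lookups), which is why the slides list several indicators; the thresholds here are the example's own and would be tuned to the network's baseline.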