Packets and Protocols - St. Clair County Community College


Packets and Protocols
Chapter One
Introduction
Packets and Protocols





Course title: Introduction to TCP/IP
Course No: CIS
Prerequisite: CIS
Credit Hrs: 4
Text Book: Wireshark and Ethereal - Syngress
– We cannot troubleshoot networks until we understand how they work. Knowing how protocols work at their most basic level means having a clear understanding of the packets those protocols put on the wire. With that knowledge you will be able to troubleshoot a myriad of network problems.
Packets and Protocols
• Class structure - http://cis.sc4.edu/
• Start – 6:15
• Breaks – 2, at various times
• End – NLT 10:00
• Contact time – 5:25 – 6:15
• Instructor – John Kowalski
  – [email protected]
Packets and Protocols
• Silly-bus (syllabus)
• Course website
• Grading scale
• Slides
• Course outcomes
• White hat agreement
Packets and Protocols
1. Name
2. Background/Experiences/Certifications, etc.?
3. What do you know about the use of sniffers?
Packets and Protocols
• Network analysis – defined
  – The process of capturing network traffic for the purpose of troubleshooting network anomalies with various tools and techniques.
• What is a sniffer?
  – Technically "Sniffer" is a product name: Network General's analyzer, now owned by NetScout
  – Generically, it is a tool that converts bits and bytes into a format that we can understand.
Packets and Protocols
• What is a network analyzer?
  – Can be anything!
    – Portable laptop
    – Dedicated hardware
    – Generic PC used for packet captures
• What does an analyzer tool look like?
Packets and Protocols
(Screenshot: the three panes of a typical analyzer – SUMMARY (one line per captured packet), DETAIL (the decoded headers of the selected packet) and DATA (the raw bytes in hex and ASCII))
Packets and Protocols
A packet analyzer is composed of five basic components:
1. Hardware
2. Driver
3. Buffer
4. Real-Time Analysis Tool
5. Decode
Packets and Protocols
What is a protocol analysis tool used for?
– Converting binary to English
– Troubleshooting
– Performance analysis
– Logging traffic
– Establishing benchmarks
– Discovering faulty devices
– Intrusion detection
– Virus detection
Packets and Protocols
• The Good, the Bad and the Ugly
  – Like any tool, the possibility for misuse exists
    – Hackers can steal info
    – The "curious" can snoop
    – Passwords can be captured (any cleartext protocol, e.g., Telnet or plain HTTP, hands them over)
    – Learn what viruses would be most effective
    – Learn IP addressing schemes for DoS attacks
Packets and Protocols
Other network analyzers
– WinDump
– Network General Sniffer (now NetScout)
– Network Monitor
– EtherPeek
– tcpdump
– Snoop
– Snort
– Dsniff
– Ettercap
– Etc.
Packets and Protocols
How does a sniffer……sniff?
– On a shared segment (a hub or coaxial Ethernet) every attached device sees all of the traffic on "the wire"; a switch forwards unicast frames only toward the destination port, which is why a spanned (mirror) port is needed there
– Ethernet provides no confidentiality: frames cross the wire in cleartext, so an analyzer can read every one of them. That is what makes sniffers the perfect troubleshooting tool, and the perfect eavesdropping tool
• Normal NIC behavior
  – Accepts unicasts addressed to its own MAC, broadcasts, and the multicast groups it has joined; everything else is discarded by the NIC before the operating system ever sees it
• Promiscuous mode
  – All unicasts, all broadcasts, all multicasts: all traffic is passed up to the analyzer!
Packets and Protocols
(Diagram: end node in normal mode. The ROUTER says "I have a packet here for MAC Address 103". MAC 100, MAC 101, MAC 102 and MAC 104 each say "It's not for me!" and drop it; MAC 103 says "That's my address!" and accepts it.)
Packets and Protocols
(Diagram: end node in promiscuous mode. The ROUTER sends the same frame for MAC Address 103. MAC 100, MAC 101 and MAC 102 say "It's not for me!"; MAC 103 says "That's my address!"; MAC 104, running in promiscuous mode, says "It's not my address but I'll take it!")
Packets and Protocols
• A word about MAC addresses
  – Media Access Control Addresses:
    – Are unique (assigned by the manufacturer)
    – Can be viewed with ipconfig /all (Windows) or ifconfig / ip link (Unix-like systems)
    – Can be overridden (spoofing). Address spoofing underlies several DoS attacks: SYN floods and Smurf attacks forge the source IP address, while forging the MAC lets a host impersonate another node on the local segment
    – Consist of an Organizationally Unique Identifier (OUI, the first three bytes, assigned by the IEEE) followed by three bytes assigned by the vendor
      – http://standards.ieee.org/regauth/oui/oui.txt
Local Area Networks
Ethernet address types
• Addresses are 6 bytes long
• Generally written in hexadecimal
• Globally unique (unicast)
• Aka – Burned-in-address (BIA)
Examples:
00.0C.12.34.AB.CD - Legal (a unicast address)
FF.FF.FF.FF.FF.FF - Legal (the broadcast address)
00.00.01.10.45.G2 - Illegal (G is not a hexadecimal digit)
Packets and Protocols
• The OSI Model
  – A method of moving data from point to point using seven distinct steps (layers)
• The TCP/IP model
  – TCP/IP (aka the DoD model) predates OSI and contains only four layers
(Diagram labels beside the layer stacks: "Moves Data", "Connects processes", "Provides Services")
Packets and Protocols
7 Application
  – Allows users to transfer files, send mail, etc.
  – Only layer that users can communicate with directly
  – Key features are ease of use and functionality
6 Presentation
  – Standardized data encoding and decoding
  – Data compression
  – Data encryption and decryption
5 Session
  – Manages user sessions
  – Reports upper-layer errors
  – Supports Remote Procedure Call activities
4 Transport
  – Connection management (e.g., TCP)
  – Error and flow control
  – Connectionless, unreliable (e.g., UDP)
3 Network
  – Internetwork packet routing
  – Minimizes subnet congestion
  – Resolves differences between subnets
2 Data Link
  – Network access control - MAC address
  – Framing
  – Error and flow control
1 Physical
  – Moves bits across a physical medium
  – Interface between network medium and network devices
  – Defines electrical and mechanical characteristics of the LAN
Packets and Protocols
• OSI vs. TCP Model
Packets and Protocols
The Physical Layer
• The Physical Layer only transmits bits to, and receives bits from, the physical medium. It does not "see" the bits as organized into meaningful patterns, such as an address.
• The Physical Layer operates depending on the chosen network topology.
Packets and Protocols
The Physical Layer cont.
• A physical address is also referred to as a:
  – Hardware address
  – Adapter address
  – Network interface card (NIC) address
  – Medium Access Control (MAC) address
• A physical address is required for network devices to ultimately deliver information to a given network node.
Packets and Protocols
The Data Link Layer
• We can categorize physical addresses, for the purposes of networking, into two general types:
  – A LAN address is commonly found in an Ethernet or Token Ring LAN environment.
  – WAN addresses are used in High-Level Data Link Control (HDLC) or frame relay network protocol addressing.
• The layer is divided into two distinct sublayers
  – MAC
    – The MAC address of the node – interfaces with the lower layers
  – LLC
    – Tags and identifies protocols - interfaces with the upper layers
    – Think of it as a universal adapter
Packets and Protocols
The Network Layer
• A logical address is generally implemented as a software entity rather than a hardware entity.
• There are two primary types of logical addresses, as follows:
  – Network addresses, processed at the Network Layer
  – Port or process addresses, processed at the Transport Layer
Packets and Protocols
The Transport Layer
• The Well-Known Port Numbers Table lists some of the more commonly used TCP and User Datagram Protocol (UDP) addresses (ports). (The table itself is not reproduced in this transcript.)
Packets and Protocols
The Transport Layer cont.
• The Transport Layer is responsible not only for application addressing, but also for providing reliable communications over the best-effort Layer 3 protocols.
• The Transport Layer provides:
  – Flow control
  – Windowing
  – Data sequencing
  – Recovery
Packets and Protocols
The Transport Layer cont.
• Two protocols most commonly associated with layer 4
  – TCP
    – High overhead
    – Connection oriented
    – Reliable
  – UDP
    – Low overhead
    – Connectionless
    – Unreliable
    – Fast
Packets and Protocols
The Session Layer
• The Session Layer:
  – establishes, manages, and terminates sessions between applications.
  – provides its services to the Presentation Layer.
  – synchronizes dialog between Presentation Layer entities and manages their data exchange.
Packets and Protocols
The Presentation Layer
• The Presentation Layer:
  – ensures that information sent by the Application Layer of one system is formatted in a manner in which the destination system's Application Layer can read it.
  – can translate between multiple data representation formats, if necessary.
Packets and Protocols
The Application Layer
• The Application Layer:
  – is the layer closest to the user.
  – provides services to application processes outside the OSI model's scope; it is the only layer that provides services to no other layer.
  – identifies and establishes the intended communication partners' availability, synchronizes cooperating applications, and establishes agreed procedures for application error recovery and data integrity control.
  – determines whether sufficient resources exist for the intended communications.
Packets and Protocols
Ethernet communication steps
• Arbitration—Determines when it is appropriate to use the physical medium
• Addressing—Ensures that the correct recipient(s) receives and processes the data that is sent
• Error detection—Determines whether the data made the trip across the physical medium successfully (the Frame Check Sequence, a CRC-32 over the frame)
• Identification of the encapsulated data—Determines the type of header that follows the data link header (the EtherType field, e.g., 0x0800 for IPv4, 0x0806 for ARP)
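The three topics above (how a NIC in normal versus promiscuous mode decides which frames to keep, the rules for legal MAC addresses and their OUI, and the Ethernet steps of addressing, error detection and identifying the encapsulated data) all act on the same 14-byte header and 4-byte trailer. The script below is an added example, not course or textbook code: it validates the slide's legal/illegal addresses, classifies a destination as unicast, broadcast or multicast, makes the "is it for me?" decision for both NIC modes, decodes the EtherType and checks the Frame Check Sequence with CRC-32 (the same CRC-32 that zlib computes, carried least-significant byte first). The frame and the host addresses (00.00.01.00.01.03 for "MAC 103" and so on) are constructed to mirror the diagram, not captured from a network.

```python
"""Ethernet II frame helpers for the sniffer and MAC-address slides.

Added example (not course or textbook code): MAC validation, destination
classification, normal vs. promiscuous acceptance, EtherType decode and a
Frame Check Sequence (CRC-32) check. The sample frame is constructed.
"""
import re
import struct
import zlib

# Six hex bytes separated consistently by '.', ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([.:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}
BROADCAST = b"\xff" * 6


def is_legal_mac(text):
    """'00.00.01.10.45.G2' fails: G is not a hexadecimal digit."""
    return MAC_RE.match(text) is not None


def mac_to_bytes(text):
    return bytes(int(octet, 16) for octet in re.split(r"[.:-]", text))


def mac_to_str(raw):
    return ":".join("%02x" % b for b in raw)


def oui(raw):
    """Organizationally Unique Identifier: the first three bytes."""
    return mac_to_str(raw[:3])


def classify_dst(raw):
    """All-ones is broadcast; the I/G bit (LSB of the first byte) marks multicast."""
    if raw == BROADCAST:
        return "broadcast"
    if raw[0] & 0x01:
        return "multicast"
    return "unicast"


def nic_accepts(dst, my_mac, promiscuous=False, groups=()):
    """Normal mode keeps own unicasts, broadcasts and joined multicast groups;
    promiscuous mode keeps every frame."""
    if promiscuous:
        return True
    kind = classify_dst(dst)
    return kind == "broadcast" or dst == my_mac or (kind == "multicast" and dst in groups)


def build_frame(dst, src, ethertype, payload):
    """Header, payload padded to the 46-byte minimum, then the FCS (CRC-32,
    least-significant byte first on the wire)."""
    body = struct.pack("!6s6sH", dst, src, ethertype) + payload.ljust(46, b"\x00")
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame):
    """Decode the header and report whether the trailing FCS matches the content."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    return {
        "dst": mac_to_str(dst), "dst_kind": classify_dst(dst),
        "src": mac_to_str(src), "src_oui": oui(src),
        "ethertype": ETHERTYPES.get(ethertype, "0x%04x" % ethertype),
        "payload": body[14:], "fcs_ok": zlib.crc32(body) == fcs,
    }


if __name__ == "__main__":
    # Constructed addresses: the router from the OUI example and hosts 103/104
    # from the diagram (00.00.01.00.01.03 etc. are made up for illustration).
    router = mac_to_bytes("00.0C.12.34.AB.CD")
    host103 = mac_to_bytes("00.00.01.00.01.03")
    host104 = mac_to_bytes("00.00.01.00.01.04")
    for candidate in ("00.0C.12.34.AB.CD", "FF.FF.FF.FF.FF.FF", "00.00.01.10.45.G2"):
        print(candidate, "legal" if is_legal_mac(candidate) else "illegal")
    frame = build_frame(host103, router, 0x0800, b"hypothetical IPv4 packet")
    print(parse_frame(frame))
    print("host 104, normal mode keeps it:", nic_accepts(host103, host104))
    print("host 104, promiscuous mode keeps it:", nic_accepts(host103, host104, promiscuous=True))
    damaged = frame[:20] + bytes([frame[20] ^ 0xFF]) + frame[21:]   # one flipped byte
    print("damaged frame FCS ok:", parse_frame(damaged)["fcs_ok"])
```

Note that most capture files do not contain the FCS at all: the NIC checks it and strips it before the frame reaches the driver, and a frame with a bad FCS is normally dropped by the hardware, so an analyzer only sees FCS errors when the adapter is configured to pass them up.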
Packets and Protocols
CSMA/CD
• CSMA (Carrier Sense Multiple Access)
  1. Node listens
  2. Node sends data
  3. Node listens
• CD (Collision Detection)
  1. Collision detected
  2. Nodes "back off" for a random delay
  3. Node retransmits
Packets and Protocols
• Top four protocols:
  – IP
  – ICMP
  – TCP
  – UDP
• While there are certainly more than four protocols, these make up the bulk of network traffic.
Packets and Protocols
• IP
  – Connectionless
  – Moves data from one layer three address to another
• Several fields:
  – IPID field (identification; lets the receiver reassemble fragments of the same datagram)
  – Protocol (what follows the IP header: 1 = ICMP, 6 = TCP, 17 = UDP)
  – TTL (decremented by every router; the packet is discarded when it reaches zero)
  – Source IP
  – Destination IP
Packets and Protocols
• ICMP
  – The "tattle tale" protocol
• Echo
  – Request/reply (ping)
• Unreachable
  – Destination (host)
  – Network
  – Port
• Time exceeded
  – TTL (sent by the router that decremented the TTL to zero; traceroute relies on these messages)
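The IP and ICMP slides above list the header fields an analyst reads first; the decoder below is an added example (not course or textbook code) that pulls those fields (IP ID, protocol, TTL, source and destination) out of raw bytes, verifies the IP header checksum the way a NIC or router does, and turns ICMP type/code pairs into the "echo request", "port unreachable" and "TTL exceeded" messages the slide names. The packets are constructed in the script using documentation address ranges (192.0.2.x, 198.51.100.x); nothing is read from a live interface.

```python
"""IPv4 header and ICMP decoder for the IP and ICMP slides.

Added example (not course or textbook code): extracts the fields the
slides name (IP ID, protocol, TTL, source, destination), verifies the
header checksum and explains ICMP type/code values. Packets are constructed;
the addresses are documentation ranges, not real hosts.
"""
import socket
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}
UNREACHABLE_CODES = {0: "network unreachable", 1: "host unreachable",
                     3: "port unreachable"}
TIME_EXCEEDED_CODES = {0: "TTL exceeded in transit",
                       1: "fragment reassembly time exceeded"}
IP_HDR = "!BBHHHBBH4s4s"   # 20 bytes, no options


def checksum(data):
    """RFC 1071: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ip_id=0x1234):
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ip_id, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp(icmp_type, code, rest=b""):
    """Type, code, checksum, 4 bytes of type-specific data, then any quoted datagram."""
    msg = struct.pack("!BBHI", icmp_type, code, 0, 0) + rest
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def parse_ipv4(pkt):
    (ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ip_id": ip_id, "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        # Summing a header that includes its own checksum yields zero when intact.
        "checksum_ok": checksum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:total_len],
    }


def explain_icmp(payload):
    icmp_type, code = payload[0], payload[1]
    name = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
    if icmp_type == 3:
        return "%s: %s" % (name, UNREACHABLE_CODES.get(code, "code %d" % code))
    if icmp_type == 11:
        return "%s: %s" % (name, TIME_EXCEEDED_CODES.get(code, "code %d" % code))
    return name


def describe(pkt):
    """One summary line per packet, the way an analyzer's summary pane shows it."""
    ip = parse_ipv4(pkt)
    line = "%s -> %s id=%d ttl=%d %s" % (ip["src"], ip["dst"], ip["ip_id"],
                                        ip["ttl"], ip["protocol"])
    if ip["protocol"] == "ICMP" and ip["payload"]:
        line += " (%s)" % explain_icmp(ip["payload"])
    if not ip["checksum_ok"]:
        line += " [bad header checksum]"
    return line


if __name__ == "__main__":
    # Constructed: a ping, a router reporting that the TTL ran out, and a
    # port-unreachable reply. ICMP errors quote the first 28 bytes of the original.
    echo = build_ipv4("192.0.2.10", "198.51.100.7", 1, build_icmp(8, 0))
    expired = build_ipv4("192.0.2.1", "192.0.2.10", 1, build_icmp(11, 0, echo[:28]), ttl=255)
    closed = build_ipv4("198.51.100.7", "192.0.2.10", 1, build_icmp(3, 3, echo[:28]))
    for pkt in (echo, expired, closed):
        print(describe(pkt))
```

The checksum trick in parse_ipv4 is the one routers use: a header whose checksum field is correct sums to all ones, so complementing gives zero. Change any byte, such as the TTL, without recomputing the checksum and the packet shows up as corrupt.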
Packets and Protocols
• TCP
  – The protocol you can count on
• Uses include
  – Web
  – E-mail
  – FTP
  – SSH
• Reliable
  – Ack
  – Handshake
• Sequencing
  – Disassembles and reassembles large payloads
Packets and Protocols
• UDP
  – Quick but unreliable
  – Guaranteed fast! (but not guaranteed to get there)
  – Uses
    – VoIP
    – DHCP
    – DNS
    – Gaming
Packets and Protocols
Repeaters
• Repeaters are used to
  – Amplify signals and pass them to other network segments
  – Packets are received, amplified and retransmitted
• Repeaters have limited abilities
  – Repeaters cannot filter or error check packets
  – They are physical layer devices with no built-in algorithms
  – Function is limited to digital signal amplification
Packets and Protocols
Hubs
• Hubs are multi-port repeaters
  – Multi-port repeaters are also known as hubs
  – Connect workstations to the network
  – Hubs can have multiple port connections and can be stacked
  – Use twisted-pair cabling
Packets and Protocols
Bridge
• A bridge provides for
  – Creation of a single "logical" LAN longer than any one cable
  – Electrical & traffic isolation between cable segments
  – Keeping local traffic local on the LAN
  – Forwarding only necessary traffic on to the WAN
• Bridges are protocol independent
  – Can support any protocol on the LAN
  – Most common use of a bridge is to filter traffic
  – Purpose is to separate LAN traffic based on MAC addresses
  – Supports asynchronous or synchronous WAN connections
Packets and Protocols
LAN Segmentation
Packets and Protocols
Transparent Bridges perform three functions:
1. Learn MAC addresses by examining the source MAC address of each frame received by the bridge
2. Decide when to forward a frame and when to filter (not forward) it, based on the destination MAC address
3. Create a loop-free environment with other bridges by using the Spanning Tree Protocol
• Ethernet bridges are known as TRANSPARENT BRIDGES because they are invisible – or – transparent to the end devices
Packets and Protocols
• Bridges observe traffic as it passes and record the source MAC addresses against the port they arrived on
• Bridges forward all broadcast frames, and flood unknown-unicast frames out every port except the one they arrived on
Packets and Protocols
Switch (multi-port bridge)
• Used to alleviate network congestion
  – Divide networks into virtual LAN (VLAN) segments
  – Ability to dedicate more bandwidth
  – Function at the data link layer in workgroups
  – Function at the Network layer in network backbones (layer 3 switches)
• Switches provide 100 Mbps (or faster) ports for user connections
  – Ethernet switches have replaced bridges in large networks
  – Can also filter traffic based on MAC address
  – Ethernet switches function as both a repeater and a bridge
Packets and Protocols
Switches actually make packet analysis more difficult: a switch forwards a unicast frame only to the port where it learned the destination MAC, so a sniffer plugged into an ordinary port sees only broadcasts, multicasts, flooded unknown-unicast frames and its own traffic. To see other hosts' conversations you need a spanned (mirror) port or a hub in the path.
Packets and Protocols
Router
• Layer 3 device
• Interconnects networks
• A Layer 3 switch is a multi-port router
Packets and Protocols
Routers stop the flow of broadcasts (each router interface is a separate broadcast domain)
Packets and Protocols
(Diagram: How many collision domains are there?)
There are six collision domains: every bridge or switch port (and every router interface) starts a new collision domain, while all the ports of a hub share one.
Packets and Protocols
• Firewalls
  – Specialized devices
  – Ability to examine packets at virtually every layer of the OSI model
  – Generally placed at the "edge" of the network
  – Offload "policing" policies from the core routers
Packets and Protocols
(Diagram: Typical switch port – a sniffer on an ordinary port sees only its own traffic plus broadcasts and multicasts)
Packets and Protocols
(Diagram: Spanned switch port – the switch copies the traffic of a monitored port to the port where the Sniffer PC is connected)
Packets and Protocols
(Diagram: Spanned uplink port – the uplink toward the Internet is mirrored to the Sniffer PC, so all traffic leaving or entering the site is visible)
Placement of the sniffer is critical
Packets and Protocols
(Diagram: Disparate spanned ports – three 1 Gigabit ports are mirrored to a single 100 Megabit sniffer port)
This will work, but you are bound to lose some data: the mirror port is oversubscribed (up to 3 Gbit/s of source traffic squeezed into a 100 Mbit/s link), so the switch drops frames whenever the monitored ports are busy, and the capture will show gaps.
Packets and Protocols
• Detecting sniffers on your network
  – Look for DNS reverse lookups
    – Sniffers often perform reverse lookups to label the IP addresses they capture; a host resolving PTR records for addresses it never talks to is suspicious
  – Send the "pump-fake" packet
    – A TCP segment addressed to the suspect's IP but to a bogus MAC address. A normal NIC drops it; a host in promiscuous mode processes it and answers. Look for the RST packet
  – Monitor hub ports
    – Maintain physical security / disable unused ports
  – Send a fake ARP
    – An ARP request for the suspect's IP sent to a non-broadcast MAC. Only a host in promiscuous mode ever sees it, and sniffers respond to non-broadcast ARP requests
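The fake-ARP test above is easiest to understand by simulating a segment. The script below is an added example, not course or textbook code: it builds a real ARP request (RFC 826 layout) whose Ethernet destination is a made-up unicast address instead of ff:ff:ff:ff:ff:ff, then hands it to simulated hosts. A host in normal mode never sees the frame because its NIC filters on destination MAC; a host in promiscuous mode passes the frame to its ARP code, which sees its own IP as the target and replies, giving itself away. The hosts, MACs and IPs are hypothetical, and the fake destination 02:00:00:00:00:01 is a locally administered address assigned to nobody here; nothing is transmitted on a real network.

```python
"""Sniffer detection by fake ARP, simulated on an in-memory segment.

Added example (not course or textbook code). An ARP request for the
suspect's IP is sent to a bogus unicast MAC instead of the broadcast
address; a NIC in normal mode drops it, a promiscuous host answers it.
Hosts, addresses and the fake destination MAC are hypothetical.
"""
import struct

BROADCAST = b"\xff" * 6
# Hypothetical: locally administered, unicast, belongs to no host on this segment.
FAKE_DST = bytes.fromhex("020000000001")
ETH_HDR, ARP_PKT = "!6s6sH", "!HHBBH6s4s6s4s"


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp_request(eth_dst, sender_mac, sender_ip, target_ip):
    """Ethernet II header + ARP request (hw type 1, proto IPv4, opcode 1)."""
    arp = struct.pack(ARP_PKT, 1, 0x0800, 6, 4, 1,
                      sender_mac, ip(sender_ip), b"\x00" * 6, ip(target_ip))
    return struct.pack(ETH_HDR, eth_dst, sender_mac, 0x0806) + arp


def parse_arp(frame):
    eth_dst, _eth_src, etype = struct.unpack(ETH_HDR, frame[:14])
    if etype != 0x0806:
        return None
    _, _, _, _, op, smac, sip, _tmac, tip = struct.unpack(ARP_PKT, frame[14:42])
    return {"eth_dst": eth_dst, "op": op, "sender_mac": smac,
            "sender_ip": sip, "target_ip": tip}


class Host:
    def __init__(self, name, mac_addr, ip_addr, promiscuous=False):
        self.name, self.promiscuous = name, promiscuous
        self.mac, self.ip = mac(mac_addr), ip(ip_addr)

    def nic_accepts(self, eth_dst):
        """Hardware filter: own MAC or broadcast, unless promiscuous."""
        return self.promiscuous or eth_dst == self.mac or eth_dst == BROADCAST

    def receive(self, frame):
        """Return an ARP reply frame if the stack answers, otherwise None."""
        if not self.nic_accepts(frame[:6]):
            return None                                  # dropped by the NIC
        arp = parse_arp(frame)
        if arp is None or arp["op"] != 1 or arp["target_ip"] != self.ip:
            return None                                  # not a request for our IP
        reply = struct.pack(ARP_PKT, 1, 0x0800, 6, 4, 2,
                            self.mac, self.ip, arp["sender_mac"], arp["sender_ip"])
        return struct.pack(ETH_HDR, arp["sender_mac"], self.mac, 0x0806) + reply


def find_promiscuous_hosts(hosts, prober_mac, prober_ip):
    """Probe every host with the fake-destination ARP; whoever answers is sniffing."""
    sniffers = []
    for host in hosts:
        target = ".".join(str(b) for b in host.ip)
        probe = build_arp_request(FAKE_DST, prober_mac, prober_ip, target)
        if host.receive(probe) is not None:
            sniffers.append(host.name)
    return sniffers


if __name__ == "__main__":
    # Constructed segment: a normal host and one running a sniffer.
    alice = Host("alice", "00:00:01:00:01:03", "192.0.2.3")
    bob = Host("bob", "00:00:01:00:01:04", "192.0.2.4", promiscuous=True)
    prober = mac("00:0c:12:34:ab:cd")
    print("promiscuous hosts:", find_promiscuous_hosts([alice, bob], prober, "192.0.2.1"))
```

In practice the probe is sent with a raw socket or a tool such as Ettercap, and the result depends on how the target's operating system filters ARP: the classic test works against stacks that accept any ARP whose target IP matches, and some systems also check the Ethernet destination, which is why detection tools try several fake addresses.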
Packets and Protocols
• Wireless sniffer tools
  – NetStumbler
    – Network scanner, not really a sniffer
  – Kismet
    – Good all-around open source, free tool
  – Wireshark
    – Sniffer; does not show SSID/signal strength
  – CommView
    – Commercial wireless monitor for WiFi
  – And others… (P36)
Packets and Protocols
• Commonly seen protocols
  – DHCP
  – DNS
  – NTP
  – HTTP
  – SMTP
Packets and Protocols
• DHCP
  – Used to give clients the necessary information they need to function on the network
    – IP address
    – Subnet mask
    – DG (default gateway)
    – WINS server
    – DNS server
  – Sniff for:
    – The last packet of the exchange, the DHCP ACK: it carries the complete set of options the client was handed, so it gathers the most information
Packets and Protocols
• DNS
  – Used to determine the IP address of a hostname and vice versa
    – Uses UDP port 53; TCP is used for zone transfers and for responses larger than 512 bytes (the UDP reply comes back with the truncated flag set and the client retries over TCP)
    – Used to remotely look up records in a DNS database
  – Sniff for:
    – The DNS response packet
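The DNS response is the packet to sniff for, and it also underlies the reverse-lookup sniffer check on the detection slide, so it is worth being able to read one by hand. The parser below is an added example, not course or textbook code: it walks a DNS message (RFC 1035 layout), follows the name-compression pointers that make the answer section hard to read in a hex dump, and reports the transaction ID, response and truncated flags, the question and the answers for both a forward (A) lookup and a reverse (PTR) lookup. The messages are constructed in the script from hypothetical names; the builder is also added here, and is not a resolver.

```python
"""Minimal DNS response parser (RFC 1035) for the DNS slide.

Added example (not course or textbook code). Reads the response packet a
sniffer looks for, following name-compression pointers, and reports the
flags, question and answers. The messages below are constructed from
hypothetical names, not captured.
"""
import socket
import struct

QTYPES = {1: "A", 12: "PTR", 28: "AAAA", 252: "AXFR"}


def encode_name(name):
    """'www.example.com' -> b'\x03www\x07example\x03com\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def read_name(msg, off, depth=0):
    """Return (name, offset after the name). A byte with the top two bits set
    is a compression pointer to an earlier copy of the rest of the name."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if depth > 10:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr, depth + 1)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode())
        off += length


def parse_response(msg):
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, QTYPES.get(qtype, qtype)))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            value = socket.inet_ntoa(msg[off:off + 4])
        elif rtype == 12:
            value, _ = read_name(msg, off)       # PTR data is itself a name
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, QTYPES.get(rtype, rtype), ttl, value))
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "truncated": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


def build_response(tid, qname, rtype, rdata, ttl=300):
    """Constructed response: QR/RD/RA set, one question, one answer whose
    name is a pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", rtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    # Hypothetical forward lookup and the reverse lookup a sniffer might make.
    forward = build_response(0x1A2B, "www.example.com", 1, socket.inet_aton("192.0.2.10"))
    reverse = build_response(0x1A2C, "10.2.0.192.in-addr.arpa", 12,
                             encode_name("sniffer-pc.example.com"))
    for msg in (forward, reverse):
        print(parse_response(msg))
```

The truncated flag is what the "TCP for responses larger than 512 bytes" point looks like on the wire: a UDP response with that bit set tells the client to repeat the query over TCP, so a UDP/53 exchange followed by a TCP/53 connection to the same server is normal, not an anomaly.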
Packets and Protocols
• NTP
  – Used to reference a time source for synchronization
    – Uses UDP port 123
    – Uses a client/server model
  – Sniff for:
    – The NTP response packet with the time and synchronization data in it.
Packets and Protocols
• HTTP
  – Most commonly used protocol
  – Payload is text data
    – Uses TCP port 80
    – Uses a client/server model
  – Sniff for:
    – HTTP runs over TCP, so make sure the three-way handshake takes place, then look for the request and response data that follow
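"Make sure the handshake takes place, then look for the data" is a procedure, and the TCP slide earlier (Ack, Handshake, Sequencing) describes the numbers it depends on. The tracker below is an added example, not course or textbook code: it follows each TCP conversation through SYN, SYN/ACK and ACK, checks that the acknowledgement numbers really answer the initial sequence numbers, and only then records payload as application data and reports the HTTP request line. A lone SYN with no reply and a data segment with no prior handshake are flagged rather than trusted. The input is a constructed list of segment summaries (addresses, ports, flags, sequence numbers and payload), the kind of fields an analyzer's summary pane shows; the hosts and ports are hypothetical.

```python
"""TCP handshake tracking for the TCP and HTTP slides.

Added example (not course or textbook code): confirms the three-way
handshake, with sequence and acknowledgement numbers matching, before
treating any payload as application data. Input is a constructed list of
segment summaries; hosts and ports are hypothetical.
"""
from collections import namedtuple

Segment = namedtuple("Segment", "src sport dst dport flags seq ack payload")
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


class Connection:
    def __init__(self, client, server, state="SYN_SENT"):
        self.client, self.server = client, server        # (ip, port) tuples
        self.state = state
        self.client_isn = self.server_isn = None
        self.data = {"client": b"", "server": b""}
        self.notes = []


class Tracker:
    def __init__(self):
        self.conns = {}

    @staticmethod
    def key(seg):
        return frozenset([(seg.src, seg.sport), (seg.dst, seg.dport)])

    def feed(self, seg):
        """Advance the connection this segment belongs to and return it."""
        k = self.key(seg)
        if seg.flags & SYN and not seg.flags & ACK:      # new connection attempt
            conn = Connection((seg.src, seg.sport), (seg.dst, seg.dport))
            conn.client_isn = seg.seq
            self.conns[k] = conn
            return conn
        conn = self.conns.get(k)
        if conn is None:                                   # mid-stream, no SYN seen
            conn = Connection((seg.src, seg.sport), (seg.dst, seg.dport), "UNKNOWN")
            conn.notes.append("segment without prior SYN")
            self.conns[k] = conn
        from_client = (seg.src, seg.sport) == conn.client
        if seg.flags & RST:
            conn.state = "RESET"
        elif conn.state == "SYN_SENT" and seg.flags & SYN and seg.flags & ACK and not from_client:
            if seg.ack == (conn.client_isn + 1) & 0xFFFFFFFF:
                conn.server_isn, conn.state = seg.seq, "SYN_RECEIVED"
            else:
                conn.notes.append("SYN/ACK acknowledges wrong sequence number")
        elif conn.state == "SYN_RECEIVED" and seg.flags & ACK and from_client:
            if seg.ack == (conn.server_isn + 1) & 0xFFFFFFFF:
                conn.state = "ESTABLISHED"
            else:
                conn.notes.append("handshake ACK does not match server ISN")
        if seg.payload:
            if conn.state == "ESTABLISHED":
                conn.data["client" if from_client else "server"] += seg.payload
            else:
                conn.notes.append("payload before handshake completed (state %s)" % conn.state)
        return conn


def sample_segments():
    """Constructed: an HTTP GET with a full handshake, a lone SYN that is never
    answered, and a data segment whose handshake was never seen."""
    c, s = "192.0.2.10", "198.51.100.7"
    get = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"          # 41 bytes
    return [
        Segment(c, 51000, s, 80, SYN, 1000, 0, b""),
        Segment(s, 80, c, 51000, SYN | ACK, 5000, 1001, b""),
        Segment(c, 51000, s, 80, ACK, 1001, 5001, b""),
        Segment(c, 51000, s, 80, PSH | ACK, 1001, 5001, get),
        Segment(s, 80, c, 51000, PSH | ACK, 5001, 1042, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        Segment(c, 51001, s, 80, SYN, 2000, 0, b""),
        Segment("203.0.113.9", 40000, s, 80, PSH | ACK, 77, 88, b"GET /x HTTP/1.1\r\n\r\n"),
    ]


def http_requests(segments):
    """Request lines from port-80 connections whose handshake completed."""
    tracker = Tracker()
    for seg in segments:
        tracker.feed(seg)
    requests = []
    for conn in tracker.conns.values():
        if conn.state == "ESTABLISHED" and conn.server[1] == 80 and conn.data["client"]:
            requests.append(conn.data["client"].split(b"\r\n", 1)[0].decode())
    return requests, tracker


if __name__ == "__main__":
    requests, tracker = http_requests(sample_segments())
    print("requests on established connections:", requests)
    for conn in tracker.conns.values():
        print(conn.client, "->", conn.server, conn.state, conn.notes)
```

Insisting on the acknowledgement numbers, not just the flag sequence, is what separates a real handshake from spoofed or replayed segments: a SYN/ACK that acknowledges the wrong number is left in SYN_SENT and noted, which is also how you would spot the bogus "pump-fake" segments from the sniffer-detection slide arriving at a host.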
Packets and Protocols
• SMTP
  – Used to transfer e-mail from the client to its mail server and from mail server to mail server (retrieval from the server to the client uses POP3 or IMAP instead)
    – Uses TCP port 25
    – Payload is text data
  – Non-textual data is converted to text via MIME
Packets and Protocols
• Protecting your network from sniffers
  – Physical security is the best method
    – Lock closets
    – Disable unused ports
    – Be alert for unauthorized hubs, WAPs, etc.
  – As a last resort, just make sure that whatever is sniffed is useless to a hacker (encrypt it)
Packets and Protocols
• How to ward off the evil doers
  – Use SSH – not TELNET
    – SSH encrypts its payload
  – Use HTTPS (SSL/TLS) – not plain HTTP
    – SSL/TLS encrypts the HTTP data
  – Use IPSec
    – IPSec is layer three encryption (tunneling)
  – Use a VPN
    – A VPN carries data in encrypted tunnels (layer 2 tunneling such as L2TP over IPSec, or a layer 3 IPSec tunnel)