Analysing Various Packet Sniffing Tools

Transcription

1 Analysing Various Packet Sniffing Tools Inderjit Kaur 1, Harkarandeep Kaur 2, Er. Gurjot Singh 3 1, 2 Post Graduate, Department of Computer Science and Applications, KMV, Jalandhar, Punjab, India 3 Assistant Professor, Department of Computer Science and Applications, KMV, Jalandhar, Punjab, India 1 kaurinderjit35@gmail.com, 2 harkaranhothi@yahoo.com, 3 gurjotsingh52@yahoo.com Abstract: Packet sniffing is a technique of monitoring every packet on network. With the development and popularization of network technology, it is essential to secure the network technology becoming very essential because of the cyber attacks. We need to protection from unauthorized access and from hackers. Packet Sniffing is important in network monitoring to troubleshooting and to log network. Packet Sniffers are important for analysing over wire and wireless network. In this Paper, we focus on the basics of Packet Sniffing tools, how they work and their comparative study. Keyword: Packet Sniffer, Wireshark, Tcpdump, Nmap, Zenmap, Kismet, Caspa, Ntop, Dsniff, Cain and Abel, Etherape, Ethereal. I. INTRODUCTION Packet Sniffing is a methodology of monitoring every packet, which passes through the network. A packet sniffer can be a piece of software or hardware that examines all network traffic. The security threat showed by sniffers is their ability to capture all incoming and outgoing traffic, including clear-text passwords and usernames or other sensitive material [1]. There are so many commercial and non commercial tools are available that makes possible eavesdropping of network traffic [2]. In this paper we present practical approach to sniffing packets with some tools. This paper analyses the procedure of packet sniffing and packet logging. A. Working: When a computer sends a data to the network, it sends in the form of packets. These packets are the blocks of data that are actually directed to the certain deputed system. Every sent data has its receiving point. So, all the data are directly handled by specific computer. A system reads and receives only that data which is intended for it. The packet sniffing process involves a collaborate effort between the software and the hardware. This process is broken down into three steps. 1. Packet sniffer collects raw binary data from the wire. Normally this is done by switching the selected network Interface into unrestrained mode. 2. The collected binary data is converted into readable form. 3. The packet sniffer collected all data, verifies its protocol and begins its analysis [1]. IP and MAC address Packet Scanner Fig.1: Packet sniffer Fig.1 shows that with the help of ip and Mac address, we can gather the information of network traffic by using any packet scanner. II. NETWORK MONITORING TOOLS Network Traffic Information The packet sniffing tools analyse and filter the packets transmitted in the network. There are many packet sniffing tools. Some of them are as described as follows:- A. Wireshark: Wireshark is an open source packet filter. It is used for analyse the network traffic. Wireshark sees all traffic visible on that interface, not just traffic addressed to one of the interface s configured addresses and broadcast/multicast traffic. Wireshark is a tool that understands the structure of different networking protocols [3].Wireshark has the ability to capture all of those packets that are sent and received on the network and it can decode them for analysis. When you do anything on the Internet, such as browse websites, use VoIP, IRC etc, and the data is always converted into packets when it passes through your network interface or your LAN card. Wireshark will hunt for those packets in your TCP/ IP layer during the transmission and it will keep, and present this data, on GUI [4]. B. TCPDUMP: Tcpdump is a packet filter that runs on the command line interface. It displays TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Tcpdump run on the Unixlike operating systems: Linux, Solaris, BSD and Mac OS. Tcpdump analyses network behaviour, performance and applications that generate or receive network traffic [1]. TCPDUMP can do so many works like; TCPDUMP views the entire data portion of an Ethernet frame or other link layer protocol. TCPDUMP analyses and filter the IP packet and ARP packets or any protocol at a higher layer than Ethernet. C. Nmap: Nmap stands for network mapper. Nmap is an open source tool used to explore and audit the network. It can determine what hosts are available on the network, what services are enabled, operating system and the 65

2 version of the host,what type of firewalls are in place and many other aspects of the network using raw ip packets. Nmap is a command line tool. It can also be used by attackers to scan a network in order to harm it [5] NMAP can perform different types of scans such as: Connect SYN Stealth FIN, Xmas, Null Ping UDP Scan IP Protocol Scan ACK Scan Window Scan RPC Scan List Scan FTP Bounce D. Zenmap: Zenmap is a tool which is similar to nmap. It is an open source tool and easy to use as compared to nmap because it is on graphical user interface. The main difference between the nmap and zenmap is that nmap is command line and zenmap is GUI. Features of zenmap are as follows: a) Based on graphical user interface (GUI). b) Identifies the hosts on the network. c) Identifies the operating system. d) Easy to use as compared to nmap[6] The main thing about Zenmap is that it stores and sorts all the information gathered from any scans performed and allows us to build up a picture of our network. The easiest thing to do is a Ping scan to see what devices are alive on our network [7]. E. Kismet: Kismet is application is an open source wireless network analyser that run on Linux, UNIX and Mac OS X. It is not run on windows OS. Kismet is passive sniffer used to detect any wireless a/b/g protocol complaint network, even when the network has a non broadcasting hidden secure service set identifier. Kismet detects, log the IP range of any detected wireless network and reports it signal and noise levels. It can sniff all data packet from detected network. Kismet can be used to troubleshoot and optimize signals strength for access points and clients, as well as detect network intrusions. Kismet runs on GUI mode so it becomes very easy to use Kismet [8]. F. CASPA: CASPA runs on graphical user interface. It assists the user in the specification and in the analysis of cryptographic protocols. CASPA provides an editor for protocol specifications and offers a quick loading procedure for the protocols specified in underlying protocol libraries, and a convenient parsing procedure for userdefined protocol specifications. It gives us, the tool features of a graph management. This automatically generates and displays graphs. CASPA gives us a fully mechanized analyser that verifies secrecy and authenticity properties on a given graph and displays the results. More precisely, CASPA allows for analysing the security properties secrecy, weak authenticity, and strong authenticity [9]. G. Ntop: Ntop is a network traffic tool that tells us about the usage of the current network.using ntop helps us to better understand the status of the network. It displays a list of hosts that are currently using the network and shows information concerning the IP and Fiber Channel (FC) traffic generated by each host. NTOP is available for both UNIX as well as Win32-. NTOP supports the following protocols: TCP / UDP / ICMP (R)ARP IPX DLC APPLE TALK IPV4 / IPV6 NETBIOS AND MANY MORE [10]. H. Dsniff: DSNIFF is as password sniffer and a network traffic analysis tool. it can handle various protocols such as : FTP,SMTP,NNTP,HTTP,POP etc. It automatically detects each application protocol. Basically Dsniff is a collaboration of tools for auditing the network and penetration testing. This tool can be used for passive monitoring a network. it is a network sniffer but can also be used to disrupt the behaviour of switched network [11]. I. Cain and abel: Cain and Abel is basically a password recovery tool for MS-OS. It helps us to recover the passwords by sniffing the network. It can also crack encrypted passwords with the help of cryptanalysis attack, brute force attack etc. it is a powerful tool which deals with tough decryption algorithms. The latest version of this tool includes the features of ARP and man in middle attack. This tool can also capture and monitor the network traffic. 66

3 Features: It is capable for WEP cracking. It has the capability to record VoIP conversations It can do ARP spoofing. It can reveal the password boxes. It has the ability to crack SHA hashes. This tool is free to use [12]. J. Etherape: Etherape is packet filter tool which can also analyse the traffic. It was developed to use for UNIX. Etherape is free and open source software developed under GNU (General Public License). It displays the network traffic graphically. It shows us the colour-coded nodes and links with most used protocols. Traffic can be analyse end to end (IP) or port to port (TCP). It shows so many types of packets. Data view can be manipulated through a network filter. When we click on the node or link, it provides us the additional knowledge about protocols and network traffic. We can read the traffic from a file or on actual network. It handles the traffic on Ethernet, WLAN, VLAN and all other media. It supports both versions of internet protocols i.e. IPv4 and IPv6 [13]. K. EHTEREAL: Ethereal is a tool which is open source and is used to analyse the network traffic. It can also be called as packet sniffer. Ethereal is the original or real name of the wireshark tool [14].This tool is basically used to track and manage the network problems. Ethereal can run on different OS such as UNIX and windows. It can support more than 770 protocols. Disadvantage of this tool is that it cannot detect/troubleshoot the network problems. This tool is useful when we want to detect intrusion attempts. This tool is user friendly i.e. users can modify it according to their needs. Packets can be filtered after the capturing. Ethereal can be used in PPP, token ring, Ethernet etc [15]. B. Zenmap: Fig.2.NMAP III. ANALYSIS AND DISCUSSION In this section, we analyse network monitoring tools and how they sniff the packets in particular network. We work on monitoring tools like Wireshark, Nmap, Zenmap, Ethereal, and Etherape. A. NMAP: Nmap is a network mapper tool. It shows us the detail of a particular domain name and different ip addresses. We analyse the domain of google.com in the fig.2 and it shows the ip addresses of the domain google.com, open port. The command used is nmap v A that run on terminal in Ubuntu O.S. Fig.3 Zenmap Zenmap is graphical interface of Nmap. It shows us the details of open ports as well as close ports of a particular IP address. Zenmap was executed and tested with an ip address ( ) and the list of open and closed ports were generated. The snapshot for the same is shown in fig 3. 67

4 Tool s Name Table1. Analyzing different network monitoring tools Founder User interfac e Software license Wireshark Gerald Combs GUI Free Tcpdump Van Jacobson and team CLI Nmap Gordon Lyon CLI Zenmap Zenmap Team GUI Kismet Mike Kershaw (dragom) GUI Free GNU (general public ) GNU (general public) GPL Operating System Unix bases Caspa Colasoft LLC GUI Proprietary Microsoft Ntop Luca deri GUI GPLv3 Dsniff Dug Song CLI BSD Cain and Abel Massimiliano Montoro UNIX GUI Freeware Windows Etherape Juan Toledo GUI open Ethereal Gerald Combs CLI Both C. Wireshark UNIX Unix Wireshark is used to analyse the network traffic. It tells us about the source of the packet, its destination, protocol type, length, time.the above fig. 4 shows the result of network traffic filtered as per tcp. The following table1 shows the information about the various packet sniffing tools like their founder, about the user interface and operating system on which they easily execute. Wireshark is cross-, using the GTK+ widget toolkit to implement its user interface, and using pcap to capture packets; it runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and Solaris, and on Microsoft Windows. IV. CONCLUSION In this paper we analyse various packet sniffing tools that monitor network traffic transmitted between legitimate users or in the network. The packet sniffer is network monitoring tool. It is opted for network monitoring, traffic analysis, troubleshooting, penetration testing and many other purposes. There are many tools which are used for network traffic sniffing but there are some limitations regarding these packet sniffing tools i.e. some tools are only used for packet capturing without any kind of analysing them. Therefore we need some another tools. Some tools trace IP packets and some tools only capture TCP packets. At the end, we concluded that with these tools, we can do intrusion detection and penetration testing against particular network. V. REFERENCES [1 Pallavi Asrodia\* and Hemlata Patel, Analysis of Various Packet Sniffing Tools for Network Monitoring and Analysis, International Journal of Electrical, Electronics and Computer Engineering vol.1 no.1 pp (2012). [2] Rupam, Atul Verma and Ankita Singh, An Approach to Detect Packets Using Packet Sniffing, International Journal of Computer Science & Engineering Survey (IJCSES) Vol.4, No.3, June [3] Borja Merino Febrero, TRAFFIC ANALYSIS WITH WIRESHARK INTECO-CERT,Instituto Nacional de Tecnologias de la Comunicacion, February [4] Wolf-Bastian P ottner, and Lars Wolf, IEEE packet analysis with Wireshark and off-the-shelf hardware, Institute of Operating Systems and Computer Networks, Technische Universit at Braunschweig, Germany. Fig.4 Capturing tcp packets [5] Ekhator Stephen Aimuanmwosa, Evaluating Kismet and NetStumbler as Network Security Tools & Solutions, Blekinge Institute of Technology January

5 [6] Michael Backes, Stefan Lorenz, Matteo Maffei, and Kim Pecina Saarland University, Saarbrucken, Germany MPI-SWS, The CASPA Tool: Causality Abstraction for Security Protocol Analysis (Tool Paper). [7] Luca Deri and Stefano Suin, Practical Network Security: Experiences with ntop. 69