Network sniffing packet capture and analysis



Similar documents
Network sniffing packet capture and analysis

tcpdump: network traffic capture

Lab VI Capturing and monitoring the network traffic

Introduction to Network Security Lab 1 - Wireshark

Figure 1. Wireshark Menu Bar

Introduction to Passive Network Traffic Monitoring

Network Traffic Analysis

COMP416 Lab (1) Wireshark I. 23 September 2013

Network Security: Workshop

EINTE LAB EXERCISES LAB EXERCISE #5 - SIP PROTOCOL

A Research Study on Packet Sniffing Tool TCPDUMP

EKT 332/4 COMPUTER NETWORK

Lab 1: Packet Sniffing and Wireshark

ITTC Communication Networks Laboratory The University of Kansas EECS 780 Introduction to Protocol Analysis with Wireshark

Packet Sniffer Detection with AntiSniff

Packet Sniffing with Wireshark and Tcpdump

Linux Network Security

Customer Tips. Network Packet Analyzer Tips. for the user. Purpose. Introduction to Packet Capture. Xerox Multifunction Devices.

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture

A Protocol Based Packet Sniffer

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Introduction on Low level Network tools

Topics in Network Security

Detecting Threats in Network Security by Analyzing Network Packets using Wireshark

Snoopy. Objective: Equipment Needed. Background. Procedure. Due Date: Nov 1 Points: 25 Points

Safe network analysis

Firewalls. October 23, 2015

Information Security Training. Assignment 1 Networking

Wireshark Tutorial. Figure 1: Packet sniffer structure

Lab 1: Network Devices and Technologies - Capturing Network Traffic

Introduction to Wireshark Network Analysis

Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC. Host based Analysis. {Himanshu Pareek,

Course Title: Penetration Testing: Security Analysis

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

6. INTRODUCTION TO THE LABORATORY: SOFTWARE TOOLS

Sniffer s Network Packet Analyzer. Basics

How To Analyze Bacnet (Bacnet) On A Microsoft Computer (Barcnet) (Bcfnet) And Get A Better Understanding Of The Protocol (Bafnet) From A Microsatellite) (Malware)

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

USING WIRESHARK TO CAPTURE AND ANALYZE NETWORK DATA

Computer Networks/DV2 Lab

Wireshark Tutorial INTRODUCTION

VisuSniff: A Tool For The Visualization Of Network Traffic

Unix System Administration

Network Monitoring Tool with LAMP Architecture

TCP Packet Tracing Part 1

Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA

1. LAB SNIFFING LAB ID: 10

Project 2: Firewall Design (Phase I)

CS197U: A Hands on Introduction to Unix

Evidence Acquisition. Network Forensics. Jae Woong Joo

Network Monitoring. By: Delbert Thompson Network & Network Security Supervisor Basin Electric Power Cooperative

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

Ethereal: Getting Started

Introduction to Analyzer and the ARP protocol

Wireshark Lab: Assignment 1w (Optional)

BASIC ANALYSIS OF TCP/IP NETWORKS

Snort Installation - Ubuntu FEUP. SSI - ProDEI Paulo Neto and Rui Chilro. December 7, 2010

Transformation of honeypot raw data into structured data

Solution of Exercise Sheet 5

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

Overview. Protocol Analysis. Network Protocol Examples. Tools overview. Analysis Methods

Sniffing in a Switched Network

Wireless Traffic Analysis. Kelcey Tietjen DF Written Report 10/03/06

EE984 Laboratory Experiment 2: Protocol Analysis

Module 1: Reviewing the Suite of TCP/IP Protocols

Packet Monitor in SonicOS 5.8

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

INTRUSION DETECTION SYSTEMS and Network Security

Packet Sniffing and Spoofing Lab

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

How To Test The Bandwidth Meter For Hyperv On Windows V (Windows) On A Hyperv Server (Windows V2) On An Uniden V2 (Amd64) Or V2A (Windows 2

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

How To Monitor And Test An Ethernet Network On A Computer Or Network Card

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Hands-on Network Traffic Analysis Cyber Defense Boot Camp

Packet Sniffer A Comparative Study

Network Security Management

Intrusion Detections Systems

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

New York University Computer Science Department Courant Institute of Mathematical Sciences

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: Contact:

CET442L Lab #2. IP Configuration and Network Traffic Analysis Lab

Flow-level analysis: wireshark and Bro. Prof. Anja Feldmann, Ph.D. Dr. Nikolaos Chatzis

Whitepaper : Using Unsniff Network Analyzer to analyze SSL / TLS

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Intrusion Detection, Packet Sniffing

Network Connect Performance Logs on MAC OS

Wireshark. Fakrul (Pappu) Alam

DMZ Network Visibility with Wireshark June 15, 2010

Linksys RV042. TheGreenBow IPSec VPN Client. Configuration Guide.

Network Agent Quick Start

Who s Doing What? Analyzing Ethernet LAN Traffic

Network Monitoring and Traffic Analysis

Measurement Study of Wuala, a Distributed Social Storage Service

Transcription:

Network sniffing packet capture and analysis October 2, 2015 Administrative submittal instructions answer the lab assignment s 13 questions in numbered list form, in a Word document file. (13 th response is to embed a screenshot graphic.) email to csci530l@usc.edu exact subject title must be snifflab deadline is start of your lab session the following week reports not accepted (zero for lab) if late you did not attend the lab (except DEN or prior arrangement) email subject title deviates 1

DETER preparations coming soon next lecture topic will be done on DETER so will most of those remaining thereafter you have an account created recently you received an advisory email at that time familiarization option if you are unfamiliar with DETER mechanics, set up and use a simple experiment as outlined at the get/use an account link on our website Adjusted lab calendar no earlier lab due next week app security is due 10/16 instead (except, performance of that lab for the Monday lab group is still next Monday 10/5) no current lab performed next week packet sniffing performed week of 10/12 instead no lab lecture next week I m going fishing, see you on 10/16 with Prof Mirkovic 2

Capture-the the-flag exercise Prof Mirkovic will introduce CTF at our next meeting 10/16 (I will also attend) it extends over a period of weeks she will appear at our lecture meetings briefly during that period to guide the CTF while I will introduce the further topics Packet sniffer A tool that captures, interprets, and stores network packets for analysis also known as network sniffer network monitor packet capture utility protocol analyzer is intimately network-y 3

Sniffing in security context an introductory counterpoint conventional wisdom hacking is emblematic of poplular security talk and is all about the outside menace popular conculsion: security is about networks reality the outside is there but don t forget the inside too!! does security vanish when net cable unplugged? Half of security unrelated to nets purely local dimensions physical security BIOS/bootloader security filesystem permissions execution jails encrypted filesystems etc network aspects packet sniffing remote backup and logging port scanning tunnels but today s topic is in the network category 4

Wireshark product background principal author Gerald Combs original name ethereal (changed 2006, legal reasons) open source equivalent linux, Windows, Apple versions Related software pcap the underlying library pcap captures the packets Wireshark displays them (graphically) tcpdump rides on pcap like Wireshark displays what pcap captures (character mode) very widespread others tshark, character mode version in Wireshark s stable Network Monitor - Microsoft snoop - Sun Microsystems ettercap snort 5

netcat product background a general purpose client and server there s more than one (hobbit s, GNU s) different authors different features different syntax cryptcat adds filestream en/de-cryption for you to generate something to send a server in this exercise ssh secure shell creates an encrypted network conversation for you to compare with an unencrypted one in this exercise by capturing both 6

Foundation concept: frames are what Wireshark is for capturing a.k.a. packets, datagrams, segments, protocol data units they come in nested groups Nesting / successive enveloping Russian laquer dolls 7

How data gets enveloped Packets Packets have detailed structure 8

Packets have detailed structure Wireshark knows the structures for ~1400 protocols turns byte dump into intelligible decode, in the details pane Wireshark interface components packet list pane packet details pane packet 6 s details packet bytes pane packet 6 s bytes 9

Stack correlation application transport network data link physical highest-layer protocol that each packet contains Wireshark taps interfaces probe takes measurement where it is sees whatever is at the interface (e.g, NIC) sees nothing else does not see what s on the network limits value on host connected to a switch (versus a hub) 10

It s s 70 o in L.A. No, it s 70 o right here There s s a port scan on the network wire shark No, there s a port scan right here 11

Two what-to to-capture restrictions Involuntary: can t capture what doesn t appear on the interface in the first place Voluntary: packet filter expressions Packet filter expressions using address primitives host 200.2.2.1 src host 200.2.2.2 dst host 200.2.2.2 ip[16]>=224 ip[2:2]>512 ether[0]&1=1 12

Packet filter expressions using protocol primitives ip tcp udp icmp Booleans and or not 13

2 different filters, 2 different syntaxes capture filters (during capture) shares same syntax as tcpdump uses display filters (after the fact) Wireshark s own syntax can auto-generate filter expression from a model packet ( give me the expression for a packet like this one ) These syntaxes semantically same enter display filter here while displaying enter capture filter here before capturing 14

Wireshark SSL decrypt feature (given key!) with key without key but where do we get the key? info If you want to see network traffic besides your own make sure NIC is in promiscuous mode operate in a network with a hub, not a switch not your choice if you re not net admin use a switch with a management port that receives all traffic sniff by remote access on computers at other places in the network, save the capture to a file, transfer the file to Wireshark 15

info http://www.wireshark.org/ http://wiki.wireshark.org/ Packet Sniffing In a Switched Environment https://www.sans.org/reading-room/whitepapers/networkdevs/packetsniffing-switched-environment-244 SSL/TLS: What's Under the Hood https://www.sans.org/reading-room/whitepapers/authentication/ssl-tlswhats-hood-34297 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information