Detecting Threats in Network Security by Analyzing Network Packets using Wireshark


1st International Conference of Recent Trends in Information and Communication Technologies

Detecting Threats in Network Security by Analyzing Network Packets using Wireshark

Abdulalem Ali *, Arafat Al-Dhaqm, Shukor Abd Razak
Faculty of Computing, University Technology of Malaysia

Abstract

Nowadays it is very important to maintain a high level of security to ensure safe and trusted communication of information between organizations. Computer networks keep growing in size, complexity and number of users, and are in permanent evolution. Packet sniffers are therefore useful for analyzing network traffic over wired or wireless networks. In this paper, the network protocol analyzer Wireshark has been used to capture data from the network traffic of the Center of Information and Communication Technology (CICT) at Universiti Teknologi Malaysia. These data are used as a sample for testing with Wireshark; the packets obtained are of two kinds, malware and non-malware. The aim of this paper is to analyze these data in order to help the network administrator monitor any abnormal behaviour in the network and log it. The information gathered from CICT was analyzed using a matching algorithm. The results have a high implication for network analysis and add significant value to network security in detecting threats that violate system security.

Keywords: Matching Algorithm; Network Security; Wireshark.

1. Introduction

Packet sniffing is a technique for monitoring every packet that crosses the network. A packet sniffer is the best open source software available for monitoring network traffic. The security threat presented by sniffers is their ability to capture all incoming and outgoing traffic, including clear-text passwords and usernames or other sensitive material.

A sniffer is a program running on a network-attached device that passively receives all data link layer frames passing through the device's network adapter. It is also known as a network or protocol analyzer or Ethernet sniffer. The packet sniffer captures data addressed to other machines and saves it for later analysis. It can be used legitimately by a network or system administrator to monitor and troubleshoot network traffic, either in a local area network or on a host system [1]. In this paper, the network protocol analyzer Wireshark has been used to capture data from CICT network traffic. These data are used as a sample for testing with Wireshark; the packets obtained are of two kinds, malware and non-malware.

*Corresponding author: almaldolah2012@gmail.com

IRICT 2014 Proceeding, 12th-14th September 2014, Universiti Teknologi Malaysia, Johor, Malaysia

Abdulalem Ali et al. / IRICT (2014) 508-515

The aim of this study is to analyze these data in order to help the network administrator monitor any abnormal behaviour in the network and log it. The information gathered from CICT was analyzed using open source tools.

The rest of this paper is structured as follows. Section 2 presents tools for traffic analysis. Section 3 describes the principle of the network sniffer, and Section 4 its implementation. Section 5 gives the methodology and Section 6 the results. Finally, the conclusion is presented in Section 7.

2. Tools For Traffic Analysis

Wireshark

Previously known as Ethereal, Wireshark is a packet analyzer employed in analyzing and troubleshooting networks. The change of name was made in May 2006 because of a trademark issue. Wireshark captures packets by means of pcap. It is cross-platform, running on Unix-like operating systems as well as Windows and Solaris. In Wireshark, not only the traffic addressed to the particular interface can be seen; all traffic on it is visible [2]. This is possible because the user can put the interface into promiscuous mode.

Figure 1: Wireshark tool.

Wireshark makes it possible for the user to capture the packets moving across the whole network on a given interface at a time. The capture tool is one of the basic tools. The user carries out the packet capture using the capture menu, which has a number of options to choose from depending on the desired analysis. It is also possible for the analyst to set filters so that unwanted traffic is avoided during the capture [3]. Wireshark, however, has a limitation in that it does not possess intrusion detection capability. The user gets no warning when an intruder tampers with something on the network, and Wireshark does not exercise control over the network. Space consumption is quite high: its 18MB installation file takes up to 81MB and 449MB in Windows and Linux respectively [4]. However, the Wireshark GUI is quite user friendly.

Soft Perfect Network Protocol Analyzer (SPNPA)

This is an advanced, professional analyzer. It analyzes data passing through a dial-up connection or the Ethernet card and presents it in a comprehensible form. It is a practical tool for network personnel or any user requiring a broad picture of personal network traffic. SPNPA results are very easy to understand, and the tool also allows defragmentation of network packets and reassembly into streams.

CAPSA

This is an indispensable tool for network administrators. It is freeware, designed for personal use or small business, and useful for network monitoring, diagnosis and troubleshooting. Packet capturing is real-time, forensics is reliable, monitoring is on a 24/7 basis, protocol analysis is advanced and packet decoding is in-depth.

3. Principle of Network Sniffer

The network sniffer uses the local medium; data in transit can be detected by any computer system on it. Every data frame is received by each computer's Ethernet network adapter, which normally passes on only a frame that matches its own hardware address or a broadcast frame. These two frame types are handed to the upper layers for processing by the Ethernet network adapter, whereas it discards the other frames. In promiscuous mode, the adapter accepts every transmission on the segment and transfers it to the OS for further processing. Data transmitted within the shared network can thus be detected by the network sniffer, as shown in Figure 2 [5].

Figure 2: Implementation of Network Sniffer

4. Implementation Of Network Sniffer

For network data collection, the network detector is placed in the physical segment and linked to the export routers of the network. This way, detection of all packets in the network is possible. The network detector is configured as a host with two adapters, NIC0 and NIC1. The former serves as the communication interface, while the latter is set to promiscuous mode and linked to the router on the same hub, as shown in Figure 3.

Figure 3: Model of the Network Sniffing.

Packet Sniffer

A packet sniffer sniffs messages passing through a system and stores/presents the content of the fields in these messages. It is the tool for monitoring communication between protocol entities. It is a passive tool: it only observes communication without initiating it, and the packets it receives are not addressed to it; it only receives copies. The typical packet sniffer set-up is shown in Figure 4. The protocols (IP) and applications are on the right. The sniffer is represented by the broken rectangular line. It is a mere addition to the regular computer software and is made up of the packet capture library and the packet analyzer. The packet capture library receives a copy of every link-layer frame transmitted over the computer; information from higher-layer protocols, e.g. DNS, HTTP, etc., is encapsulated in the link-layer frames transmitted through the physical medium.

Figure 4: Packet Sniffer Structure

The packet analyzer is the other component of the sniffer. It is responsible for displaying the contents of all fields in a protocol communication. To be able to do this, it must understand the structure of the protocol communication. For example, suppose we intend to display the component fields of a communication over the HTTP protocol. The packet analyzer can identify the IP datagram by comprehending the Ethernet frame format. It is also able to extract the TCP segment within the datagram. It also comprehends the HTTP protocol and is able to identify the content of the first bytes of an HTTP message.
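The layered decode just described (Ethernet frame to IP datagram to TCP segment to the first bytes of an HTTP message), written out as a small packet-analyzer in Python. This is an added example, not code from the paper or from Wireshark. The frame it decodes is constructed by hand with made-up MAC and IP addresses and zeroed checksums, standing in for a frame handed over by the packet capture library.

```python
"""Minimal packet-analyzer component of the sniffer structure in Figure 4:
decode one captured link-layer frame layer by layer, the way a dissector does.
Added example; the frame is constructed, not captured from a real network."""
import struct

# Constructed sample addresses (assumption: locally administered, illustrative only).
SRC_MAC = bytes.fromhex("02000000aa01")
DST_MAC = bytes.fromhex("02000000bb02")
HTTP_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def build_frame(payload: bytes) -> bytes:
    """Assemble Ethernet II + IPv4 + TCP headers around an HTTP payload."""
    tcp = struct.pack("!HHIIBBHHH",
                      40123,        # source port (constructed)
                      80,           # destination port: HTTP
                      1000,         # sequence number
                      2000,         # acknowledgement number
                      5 << 4,       # data offset = 5 words (20 bytes), no options
                      0x18,         # flags: PSH|ACK
                      65535, 0, 0)  # window, checksum (zeroed), urgent pointer
    ip_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45,          # version 4, IHL 5 (20-byte header)
                     0, ip_len, 1, 0x4000, 64,
                     6,             # protocol 6 = TCP
                     0,             # header checksum zeroed for the example
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    eth = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800)  # EtherType IPv4
    return eth + ip + tcp + payload


def analyze(frame: bytes) -> dict:
    """Walk the headers and return the fields a packet analyzer would display."""
    out = {}
    # Ethernet II: 6-byte destination, 6-byte source, 2-byte EtherType
    out["eth_dst"] = frame[0:6].hex(":")
    out["eth_src"] = frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        out["note"] = "not IPv4; analyzer stops here"
        return out
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    out["ip_src"] = ".".join(map(str, ip[12:16]))
    out["ip_dst"] = ".".join(map(str, ip[16:20]))
    out["ip_proto"] = ip[9]
    if ip[9] != 6:
        return out                      # only TCP is decoded further here
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4       # TCP header length in bytes
    out["tcp_sport"], out["tcp_dport"] = sport, dport
    payload = tcp[data_off:]
    out["tcp_payload"] = payload
    # Application layer: an HTTP request is recognised from its request line
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.endswith((b"HTTP/1.1", b"HTTP/1.0")):
        method, target, version = first_line.split(b" ", 2)
        out["http"] = {"method": method.decode(), "target": target.decode(),
                       "version": version.decode()}
    return out


if __name__ == "__main__":
    for key, value in analyze(build_frame(HTTP_PAYLOAD)).items():
        print(f"{key}: {value}")
```

Each layer is located from the length field of the layer below it (the IHL nibble for IPv4, the data-offset nibble for TCP), which is exactly the knowledge of "the structure of the protocol communication" the paragraph says the analyzer must have; a frame with a different EtherType simply stops the decode at the Ethernet layer.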

5. Methodology

Computer data are sent through the network in the form of packets. These packets are groups of data directed to a certain designated system. In reality, most data sent through the network need to be predefined before being sent to the destination, and all the data go directly to a particular computer. There are many packet sniffing programs available on the internet for free that can run on different platforms, including Windows and Linux. In our experiment, the Wireshark network analyzer is the one used to sniff network traffic in the CICT department. This traffic is examined and compared with a pattern or signature in order to find any abnormal pattern in the data. Two kinds of data have been obtained, one malware and the other non-malware, and we test these data using one software tool to analyze them.

A. Sniffing Process

Here we describe briefly the sniffing process and our analysis implemented with the Wireshark software. The following steps describe the sniffing process, based on [6]:

1. The packet sniffer collects raw binary data from the wire. Typically, this is done by switching the selected network interface into promiscuous mode.
2. The captured binary data is converted into a readable form.
3. The captured and converted data is analyzed. The packet sniffer takes the captured network data, verifies its protocol based on the information extracted, and begins its analysis of these protocols for specific features.

6. Results

The data packets were obtained from the CICT department. These data packets had already been captured from the network by Wireshark. The data can be classified into two types, malware and non-malware. The data packets were compared with a signature using one software tool implemented via a matching algorithm, which gives us the analysis parameters. This software can be used to compare the payload data of the selected protocol with a particular pattern, as shown in Figure 5. In our experiment, we used the TCP payload string and compared it with a small-size pattern. Each time, we compared around five packets with a specific pattern or signature in one trial.

Figure 5: Packet Comparison Software Implemented by Matching Algorithm
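The comparison tool of this section (a signature pattern searched in the TCP payloads of a group of packets, reporting the number of comparisons and the total search time) as an added Python example. It is not the authors' software. It assumes that the "quick search algorithm" button refers to Sunday's Quick Search string-matching algorithm, and a naive search is included alongside it so that the comparison counts can be contrasted. The five payloads and the signature are constructed for the example and are not taken from the CICT capture.

```python
"""Signature matching over TCP payloads with the two metrics reported in the
paper: number of byte comparisons and total search time. Added example; the
payloads are constructed, and 'quick search' is taken to mean Sunday's
Quick Search algorithm (an assumption, since the paper only names the button)."""
import time

# Constructed payloads standing in for five captured TCP payloads.
PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=a&pass=b",
    b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    b"GET /images/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n",
]
SIGNATURE = b"/etc/passwd"   # constructed signature for a path-traversal request


def naive_search(text: bytes, pattern: bytes):
    """Return (match offsets, byte comparisons) for a window-by-window search."""
    n, m = len(text), len(pattern)
    hits, comparisons = [], 0
    for pos in range(n - m + 1):
        j = 0
        while j < m:
            comparisons += 1
            if text[pos + j] != pattern[j]:
                break
            j += 1
        if j == m:
            hits.append(pos)
    return hits, comparisons


def quick_search(text: bytes, pattern: bytes):
    """Sunday's Quick Search: same matches, fewer comparisons on typical text."""
    n, m = len(text), len(pattern)
    # Shift table: distance to slide when the byte just past the window is c.
    shift = [m + 1] * 256
    for i, c in enumerate(pattern):
        shift[c] = m - i
    hits, comparisons, pos = [], 0, 0
    while pos <= n - m:
        j = 0
        while j < m:
            comparisons += 1
            if text[pos + j] != pattern[j]:
                break
            j += 1
        if j == m:
            hits.append(pos)
        if pos + m >= n:
            break
        pos += shift[text[pos + m]]
    return hits, comparisons


def run_trial(payloads, signature, algorithm):
    """Search every payload in one trial.

    Returns (indices of matching payloads, total comparisons, elapsed seconds),
    i.e. the 'No. Comparison' and 'Total Search Time' of Tables 1 and 2."""
    start = time.perf_counter()
    matched, total = [], 0
    for idx, payload in enumerate(payloads):
        hits, comps = algorithm(payload, signature)
        total += comps
        if hits:
            matched.append(idx)
    return matched, total, time.perf_counter() - start


if __name__ == "__main__":
    for algo in (naive_search, quick_search):
        matched, comps, secs = run_trial(PAYLOADS, SIGNATURE, algo)
        print(f"{algo.__name__}: matched payloads {matched}, "
              f"{comps} comparisons, {secs:.6f} s")
```

The comparison counter increments once per byte compared, so the count depends on the payloads and the pattern but not on the machine, whereas the elapsed time from perf_counter varies from run to run; that is why the tables in the paper show the count as the stable figure and the time drifting between trials.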

In Figure 5, there are two input fields. The first is the load pattern input, where the specific signature pattern is typed; the second is the load string input, where one or more packets are inserted to compare with the pattern. After inserting both inputs, we press the quick search algorithm button to get the following parameters from the software.

First Testing using Malware Data Packets

We have two types of data packets obtained from the CICT organization, so our experiment is implemented in two stages. The first test deals with the malware packets. Table 1 shows the malware package comparisons.

Table 1. Number of Comparison Packets using Matching Algorithm

    No. Comparison   Total Search Time   No. Comparison   Total Search Time
    537              0.047               608              0.034
    606              0.047               343              0.0411
    236              0.031               265              0.011

In the above table, the data packets were tested three times. In the first comparison, we used five packets of the TCP protocol to compare with the signature (specific pattern); we observed that the number of comparisons is 537 and the time consumed is 0.047. In the second comparison, we used six data packets; we observed that the number of comparisons increased but the time remained stable. In the third comparison, we decreased the data packets to four; we found that the number of comparisons decreased and the total search time decreased as well.

[Figure 6: Malware Testing Payload using Matching Algorithm. Bar chart of No. Comparison and Total Search Time for Series 1, 2 and 3, plotting the values of Table 1.]

We have observed from Figure 6 that the graph always starts from the total search time. The first line, the red line, indicates that the maximum number of comparisons reaches more than 1000, and the second line, the blue line, reaches less than 600. The minimum number of comparisons is represented by the green line, which indicates the lowest number, 236.

Second Testing using Non-Malware Data Packets

The second test in our experiments used non-malware data packets for comparison with the specific pattern. Table 2 shows the non-malware package comparisons using the matching algorithm.

Table 2. Non-Malware Package Comparisons using Match Algorithm

    No. Comparison   Total Search Time   No. Comparison   Total Search Time
    343              0.031               963              0.0359
    780              0.047               1046             0.0391
    870              0.063               1160             0.0453

In the first comparison, we used five data packets; in the second comparison we used six packets at one time; and in the third comparison we used four packets to compare with the specific pattern.

[Figure 7: Non-Malware Package Testing using Matching Algorithm. Bar chart of No. Comparison and Total Search Time for Series 1, 2 and 3, plotting the values of Table 2.]

Figure 7 shows three lines. The green line indicates the maximum number of comparisons, and the time consumed was about 0.0453. It is followed by the red line, which represents the second highest number after the green line, with a total search time of around 0.0391. The third line, the blue line, indicates the lowest number of comparisons and the lowest time consumed. We observed that the highest point was 1160 and the lowest point was 343.

7. Conclusion

One of the significant methods in network security nowadays is to use a network traffic analyzer in order to reveal any abnormal behaviour in the data transferred over the network. Network analyzer tools can be used to monitor and troubleshoot the network. Network administrators use these tools not only to fix any violation in the network system but also to avoid network failure and detect security vulnerabilities. Network sniffing is one of the passive attacks, in which the traffic is sniffed and analyzed. By contrast, sniffer detector tools can discover any sniffing attack on the network and prevent it. Sniffing network traffic is an illegitimate process unless it is used for security purposes. Two types of data have been tested: malware and non-malware packets. Comparisons between packets have been made using different techniques depending on what the administrator wants. The results showed that when we use a small-size pattern to compare within a group of more than five packets, it gives more satisfying results and makes network analysis more efficient.

References

[1] Ansari, S., Rajeev S.G., Chandrasekhar H.S., "Packet Sniffing: A Brief Introduction", IEEE Potentials, Volume 21, Issue 5, pp. 17-19, Jan. 2003.
[2] Dabir, A., Matrawy, A., "Bottleneck Analysis of Traffic Monitoring Using Wireshark", 4th International Conference on Innovations in Information Technology (IEEE Innovations '07), 18-20 Nov. 2007, pp. 158-162.
[3] Dulal C., et al., "Ethereal vs. tcpdump: A comparative study on packet sniffing tools for educational purpose", Journal of Computing Sciences in Colleges, Volume 20(4), pp. 169-176, 2005.
[4] All about Wireshark [Online]. Available: http://www.wireshark.org/.
[5] Lida, Z., Jiguang, L., "The Analysis of Technology in Detection and Undetection with Network Sniffer", Journal of Zhongnan University for Nationalities, No. 9, 2003 (in Chinese).
[6] BoYu, "Based on the network sniffer implement network monitoring", International Conference on Computer Application and System Modeling (ICCASM 2010), Volume 7, pp. V7-1-V7-3, IEEE, 2010.