Lab Module 3 Network Protocol Analysis with Wireshark




Pacific Northwest National Laboratory
Lab Module 3: Network Protocol Analysis with Wireshark
NATO ASI on Energy Infrastructure Security, October 2015
PNNL-#####

Introduction

Wireshark is the most popular and best-known network protocol analyzer. It enables deep inspection of network traffic for more than 1,000 protocols and is the de facto standard across many industries and in academia. Wireshark development thrives thanks to the contributions of networking experts across the globe; it is the continuation of a project that started in 1998 (source: https://www.wireshark.org/about.html).

This module will introduce you to Wireshark and its use. For some, this may be a repeat; bear with us. We will: set up Wireshark to listen to network traffic from a few different sources (including a custom plugin that allows direct parsing of serial traffic); load sample captures of interesting or relevant protocols and examine them; and examine unencrypted and encrypted traffic side by side.

Basic Functions

The starting screen of Wireshark is shown in Figure 1.

Figure 1: Wireshark Starting Screen

We are interested in only two sections: the Capture window at the top left and the Files window in the center. The other windows provide online and offline help. Before a capture of network traffic can be started, Wireshark must be set to listen on the right network interface. Click on Interface List to show what is available to Wireshark on this machine. You should see something like Figure 2.

Figure 2: Capture Interfaces

In this case, Figure 2 shows only one active interface. More interfaces may be shown on your screen; select the Local Area Connection as shown. Now click Options to bring up the Capture Options screen shown in Figure 3.

Figure 3: Capture Options

Here you can set up the capture configuration in detail. You can choose more than one interface to listen on, apply capture filters, specify capture output files and how they are recorded, and set some options for name resolution and display. Note the difference between the two kinds of filter: a capture filter (BPF syntax, for example "tcp port 443") discards non-matching packets before they are recorded, so whatever it drops is gone for good; a display filter (Wireshark syntax, for example "ip.addr == 127.0.0.1") only hides packets in the view and can be changed at any time after the capture. For now, leave everything as it is and click Start to begin capturing traffic.

Wireshark should now be displaying live traffic on the selected Ethernet interface. After you have let traffic collect for a few seconds, click the red Stop button in the top toolbar. You should see something similar to Figure 4.

Figure 4: Captured Traffic

The top pane shows a chronological list of the packets seen on the network. The list can be sorted in many ways; it may be useful to sort packets by source or destination address, or by protocol. The list on the machine in front of you will probably include several protocols (TCP, UDP, QUIC, STP and others). Packet length and a brief summary are also given.

The smaller center pane of Figure 4 provides detailed information about whichever packet is selected. The components of the packet are displayed as a hierarchical, expandable tree. The number of top-level components varies from packet to packet, but the first one is always the Frame entry: metadata about the capture itself, comprising the arrival time, the time since the previous frame, frame and capture lengths, and the protocols contained in the frame. The second top-level component will usually be the Ethernet II header, giving source and destination MAC addresses and the EtherType that identifies the protocol carried inside. The third is probably another header, this time Internet Protocol Version 4, with total length, flags, header checksum, source and destination addresses, and the protocol number of the payload carried inside the IPv4 packet.

After that you may see a wider variety of protocols in the top-level components: UDP, TCP, HTTP and so on. The bottom pane of the window shown in Figure 4 shows the raw packet bytes, in both hexadecimal and ASCII. This is a very powerful tool for protocol inspection and troubleshooting, microscopic packet analysis, and even debugging of network code.

Next, we will inspect traffic on a wired connection to a Raspberry Pi microcomputer. If you have not already done so, connect the network cable between this machine and the Raspberry Pi for your station and ensure the Pi is not yet powered up. Click the left-most button at the top of the Wireshark window to select a new capture interface, and from the available options choose the wired connection corresponding to the Raspberry Pi. Now connect the micro-USB connector to the Raspberry Pi to power it up. Select Start to begin capturing, and stop the capture only after you have seen a few packets go by. Inspect the traffic. If you caught the Raspberry Pi during boot-up, as you should have, you are seeing much the same kind of traffic as in the earlier LAN or WiFi capture, plus some DHCP discover requests and SSDP packets. A likely screen is shown in Figure 5.

Next, we will use a custom plugin for Wireshark that allows us to inspect serial traffic directly.

Figure 5: Raspberry Pi Traffic Capture
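The Frame / Ethernet II / IPv4 / UDP layering described above is easy to reproduce by hand, and doing so makes clear what each level of Wireshark's packet-details tree actually reads from the bytes. The following is an added example, not part of the PNNL lab: a minimal dissector for a broadcast DHCP Discover datagram of the kind the booting Raspberry Pi sends, plus a writer and reader for the classic pcap format so the constructed frame can be opened in Wireshark itself. The frame, its MAC addresses and the pcap timestamps are all constructed for the example; only the Python standard library is used.

```python
# Added example (not from the PNNL lab): Frame -> Ethernet II -> IPv4 -> UDP dissection,
# mirroring the layering Wireshark shows in its packet-details pane, plus classic pcap I/O.
import struct

# Well-known UDP ports seen in the lab captures (DHCP, SSDP) plus DNS.
UDP_APPS = {67: "DHCP", 68: "DHCP", 53: "DNS", 1900: "SSDP"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; over a valid header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dhcp_discover_frame() -> bytes:
    """Constructed sample frame: broadcast UDP 68 -> 67 from 0.0.0.0, as a DHCP Discover is.
    The BOOTP body is a stand-in (op=1 BOOTREQUEST then zero padding), not a real one."""
    payload = b"\x01" + b"\x00" * 15
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload   # UDP checksum 0 = absent
    total_len = 20 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 17, 0,
                     bytes(4), b"\xff\xff\xff\xff")                    # 0.0.0.0 -> 255.255.255.255
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]      # fill in header checksum
    eth = b"\xff" * 6 + bytes.fromhex("b827eb000001") + b"\x08\x00"    # dst bcast, src (made up), IPv4
    return eth + ip + udp


def dissect(frame: bytes, ts: float = 0.0) -> list:
    """Return [(layer name, fields)] in the order Wireshark's packet-details pane shows them."""
    layers = [("Frame", {"time": ts, "frame_len": len(frame), "cap_len": len(frame)})]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers.append(("Ethernet II", {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
                                   "type": f"0x{ethertype:04x}"}))
    if ethertype != 0x0800:
        return layers                                   # ARP, IPv6, STP ... not handled here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (_, _, total_len, ident, flags_frag, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    layers.append(("Internet Protocol Version 4", {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "total_len": total_len, "id": ident, "flags": flags_frag >> 13, "ttl": ttl,
        "protocol": proto, "checksum_ok": ipv4_checksum(ip[:ihl]) == 0}))
    if proto != 17:
        return layers                                   # TCP (6), ICMP (1) etc. left undissected
    sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    layers.append(("User Datagram Protocol", {
        "src_port": sport, "dst_port": dport, "length": ulen,
        "application": UDP_APPS.get(dport, UDP_APPS.get(sport, "unknown"))}))
    return layers


def pcap_bytes(frames, linktype: int = 1) -> bytes:
    """Serialise frames as a classic pcap (magic 0xa1b2c3d4, v2.4, LINKTYPE_ETHERNET=1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f   # constructed timestamps
    return out


def read_pcap(data: bytes):
    """Yield (timestamp, frame bytes) from a little-endian classic pcap."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        yield sec + usec / 1e6, data[pos:pos + incl]
        pos += incl


if __name__ == "__main__":
    frame = build_dhcp_discover_frame()
    for name, fields in dissect(frame):
        print(name, fields)
    with open("dhcp_discover.pcap", "wb") as fh:      # open this file in Wireshark to compare
        fh.write(pcap_bytes([frame]))
```

The checksum check is the same one Wireshark reports as "Header checksum status"; corrupting any header byte makes it fail. Everything below UDP is left as raw bytes, which is exactly what the bottom pane shows for a protocol Wireshark has no dissector for.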

Next, we will look at how Wireshark handles encrypted versus unencrypted traffic. We have already seen what unencrypted traffic looks like: every frame examined so far has been unencrypted, and we have been able to read it. We will open a sample capture of encrypted SSL traffic and examine it first without a key and then with the key.

Some background on the protocol: Secure Sockets Layer (SSL), since superseded by Transport Layer Security (TLS), provides secure communication between two hosts: integrity, authentication and confidentiality. It is used most commonly by web browsers, but can be used with any protocol that runs over TCP. SSL/TLS appears on a variety of ports; well-known ones include 443 (HTTPS), 636 (LDAPS) and 989-990 (FTPS) (see https://wiki.wireshark.org/ssl).

Select File in the top-level menu of Wireshark, then Open. Navigate to the \SSL sub-directory and open the file rsasnakeoil2.cap. Wireshark should be displaying 58 TCP packets that do not seem to contain anything useful. We see source and destination IP addresses and ports (take note of these!) and also some connection-establishment requests, pushes and acknowledgements. Figure 6 shows what your screen may look like.

Figure 6: Encrypted SSL traffic

Select Edit in the top-level menu of Wireshark, then Preferences. On the left side of the new window, expand Protocols, navigate down to SSL and select it. Click Edit next to RSA keys list (see Figure 7).

Figure 7: SSL Preferences

In the new window, click New and enter the following:

IP address: 127.0.0.1 (the same address as in the captured TCP packets; this is just the local loopback)
Port: 443 (the same port as in the captured TCP packets)
Protocol: http
Key File: click the button, navigate to the \SSL subfolder and open rsasnakeoil2.key
Password: leave blank

Click OK, then Apply, then OK. Select OK one more time.

The Wireshark display has changed now that we have supplied the right private key. The number of packets in the list is still 58, but only 25 of them still show as plain TCP. Eleven packets are now SSLv2/SSLv3: the handshake between the two hosts that negotiates the encrypted session. Finally, there are 22 HTTP packets: the now-decrypted contents that SSL delivered. We see standard web traffic, GETs for pictures, icons, text and so on. Figure 8 shows what your display may look like.

A caveat worth remembering: this works because the sample session used RSA key exchange, in which the client encrypts the pre-master secret with the server's public key, so the server's private key lets Wireshark recover that secret and derive the session keys. Sessions negotiated with (EC)DHE cipher suites, which provide forward secrecy and are the norm in current TLS, cannot be decrypted this way even with the server's private key; for those the session keys must be logged by one of the endpoints (for example via a browser's SSLKEYLOGFILE) and handed to Wireshark instead.

This concludes our brief look at encrypted traffic. Next, we will open a few prepared sample captures to look at some common protocols.

HTTP: Open the file Http.cap in the Pcaps folder. Your display should look similar to Figure 9. There are some DNS packets (for ads!), a lot of TCP ACK and SEQ packets, and then the HTTP packets themselves with their contents: some text or HTML, pictures and icons. The bottom of Figure 9 shows the contents of an HTTP packet that retrieves an online ad.

Figure 8: Decrypted SSL Traffic
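Before spending time obtaining a server's private key for a capture like the one above, it pays to check whether it could help at all, which comes down to the cipher suite in the ServerHello. The following is an added example, not part of the PNNL lab: it parses a TLS handshake record down to the negotiated cipher suite and reports whether the RSA-keys-list method just used can decrypt the session. The ServerHello records are constructed by the example's own builder (zeroed random, no extensions), and the cipher-suite table is a small subset of the IANA registry chosen for the example.

```python
# Added example (not from the PNNL lab): can the server's RSA private key decrypt this session?
# Only if the negotiated suite uses plain RSA key exchange; (EC)DHE suites and all of TLS 1.3
# need an endpoint key log instead. Records below are constructed for the example.
import struct

# Subset of the IANA TLS cipher suite registry (IDs are the real ones).
SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",          # TLS 1.3 suites never use RSA key exchange
}


def build_server_hello(cipher_suite: int, version: int = 0x0303) -> bytes:
    """Constructed TLS record carrying a ServerHello that selects cipher_suite."""
    body = (struct.pack("!H", version) + bytes(32)          # legacy_version, 32-byte random (zeros here)
            + b"\x00"                                       # session_id length 0
            + struct.pack("!H", cipher_suite) + b"\x00")    # cipher suite, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body       # HandshakeType server_hello (2)
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake   # ContentType handshake (22)


def negotiated_suite(record: bytes) -> int:
    """Walk record -> handshake -> ServerHello and return the cipher suite the server chose."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                   # skip legacy_version and random
    pos += 1 + body[pos]           # skip length-prefixed session_id
    return struct.unpack("!H", body[pos:pos + 2])[0]


def key_exchange(cipher_suite: int) -> str:
    if 0x1301 <= cipher_suite <= 0x1305:
        return "TLS1.3 (EC)DHE"
    name = SUITES.get(cipher_suite)
    if name is None:
        return "unknown"
    if name.startswith("TLS_RSA_WITH"):
        return "RSA"
    if name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        return name.split("_")[1]  # "ECDHE" or "DHE"
    return "other"


def decryptable_with_server_key(record: bytes) -> dict:
    """The question to answer before hunting for a private key."""
    suite = negotiated_suite(record)
    kx = key_exchange(suite)
    return {
        "suite": SUITES.get(suite, f"0x{suite:04x}"),
        "key_exchange": kx,
        "private_key_works": kx == "RSA",
        "alternative": None if kx == "RSA" else "endpoint key log (e.g. SSLKEYLOGFILE)",
    }


if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301):
        print(decryptable_with_server_key(build_server_hello(suite)))
```

On a real capture, feed negotiated_suite the TCP payload of the first server-to-client segment after the ClientHello; if the record is not a handshake record or the handshake type is not ServerHello, the function says so rather than guessing.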

Figure 9: HTTP Sample Capture

WPA: Open the file wpa-induction.cap in the \Pcaps directory. This sample capture is of a WPA (Wi-Fi Protected Access) session; the file is named for its passphrase. When first opened, you should see something similar to Figure 10: a lot of beacon frames, some unrecognized frames, and generally nothing usable. Let us apply the WPA key. Select Edit -> Preferences -> Protocols -> IEEE 802.11. Make sure decryption is enabled, click Edit at Decryption Keys, then select New. Change the key type to wpa-pwd and enter Induction as the key. Click OK, Apply, OK, OK. We still see a large number of beacon frames, but now some useful content as well. Starting at around packet 100, there are some AppleTalk packets and some DHCP and ICMPv6 packets, whose contents are now visible thanks to decryption.

Two things are needed for this to work. The passphrase alone is not the key: WPA derives the pairwise master key from the passphrase and the SSID (Wireshark takes the SSID from the beacons, or you can give it explicitly in the form passphrase:SSID), and the per-session keys from the four-way EAPOL handshake between client and access point. If that handshake is not in the capture, Wireshark cannot decrypt the data frames no matter how correct the passphrase is.
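The derivation Wireshark performs behind the wpa-pwd key type is short enough to write out, and doing so shows why both the SSID and the four-way handshake are required. The following is an added example, not part of the PNNL lab: PMK from passphrase and SSID, PTK from PMK, MAC addresses and nonces, and the handshake-message-2 MIC check that confirms (or refutes) a candidate passphrase. The MAC addresses, nonces, SSID "lab-ssid" and the EAPOL-Key frame are constructed for the example (the SSID of the lab capture is whatever its beacons carry); the only external reference is the IEEE 802.11i test vector for the PMK of passphrase "password" and SSID "IEEE".

```python
# Added example (not from the PNNL lab): WPA/WPA2-PSK key derivation and handshake MIC check,
# i.e. what Wireshark does with a wpa-pwd key. Handshake material below is constructed.
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise Transient Key (512 bits for TKIP; CCMP uses only the first 384).
    aa = authenticator (AP) MAC, spa = supplicant (client) MAC; order is canonicalised."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC_TX": ptk[48:56], "MIC_RX": ptk[56:64]}


# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
# + nonce (32) + IV (16) + RSC (8) + ID (8) = 81: offset of the 16-byte MIC field.
MIC_OFFSET = 81


def eapol_mic(kck: bytes, eapol: bytes, descriptor_version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed.
    Descriptor version 1 (WPA/TKIP): HMAC-MD5; version 2 (WPA2/CCMP): HMAC-SHA1 truncated."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    algo = hashlib.md5 if descriptor_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, algo).digest()[:16]


def passphrase_matches(passphrase: str, ssid: str, aa: bytes, spa: bytes, anonce: bytes,
                       snonce: bytes, eapol_msg2: bytes, descriptor_version: int) -> bool:
    """Derive PMK and PTK, recompute the MIC of handshake message 2, compare with the captured one."""
    kck = wpa_ptk(wpa_pmk(passphrase, ssid), aa, spa, anonce, snonce)["KCK"]
    return hmac.compare_digest(eapol_mic(kck, eapol_msg2, descriptor_version),
                               eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16])


# --- constructed handshake material so the example runs without a capture ---------------
AP_MAC = bytes.fromhex("0013ce550098")     # constructed
STA_MAC = bytes.fromhex("000c41827cc2")    # constructed
ANONCE = bytes(range(32))                  # constructed
SNONCE = bytes(range(32, 64))              # constructed


def constructed_msg2(passphrase: str, ssid: str, descriptor_version: int = 1) -> bytes:
    """Message 2 of the four-way handshake, MIC computed from the given passphrase.
    Key Information 0x0109 / 0x010A = MIC set, pairwise, descriptor version 1 / 2."""
    desc_type = b"\xfe" if descriptor_version == 1 else b"\x02"        # WPA vs RSN descriptor
    key_info = b"\x01\x09" if descriptor_version == 1 else b"\x01\x0a"
    body = (desc_type + key_info + b"\x00\x10" + bytes(8) + SNONCE + bytes(16)
            + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")   # ..., IV, RSC, ID, MIC, key data len
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type 3 = EAPOL-Key
    kck = wpa_ptk(wpa_pmk(passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)["KCK"]
    return eapol[:MIC_OFFSET] + eapol_mic(kck, eapol, descriptor_version) + eapol[MIC_OFFSET + 16:]


if __name__ == "__main__":
    print(wpa_pmk("password", "IEEE").hex())        # IEEE 802.11i Annex test vector
    msg2 = constructed_msg2("Induction", "lab-ssid")
    print(passphrase_matches("Induction", "lab-ssid", AP_MAC, STA_MAC, ANONCE, SNONCE, msg2, 1))
```

Note that the MIC check works with message 2 alone (it carries the SNonce, and the ANonce comes from message 1), which is why a capture containing just the first two handshake frames is enough to test passphrases, and why Wireshark needs at least those frames to derive the TK that decrypts the data.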

Figure 10: Encrypted WPA-Induction

Next we will examine a variety of other, often less common protocols: DNP3, IEC 61850 and others. These protocols are, however, prevalent in modern energy and utility infrastructure, industries which have generated a lot of attention in cybersecurity news in recent years.

DNP3: Open the file dnp3_read.pcap. This sample capture is the read request of a DNP3 session (DNP3 over TCP normally uses port 20000), shown in Figure 11. In the top half you see many TCP packets that serve mostly for connection requests, acknowledgements and so on. There is one DNP 3.0 packet, however, and the bottom half of Figure 11 shows its contents. Most of what is shown are the enclosing headers (Ethernet, IP and TCP, then the DNP3 data link and transport layers); the application-layer contents are at the very bottom. We can see a read request (function code 0x01) for a specific data object: group 60, variation 2, hex 0x3c02, which is the class 1 event data. Bear in mind that plain DNP3 carries no authentication: an outstation will answer any well-formed request from anyone who can reach it, which is why being able to read these requests off the wire, and to spot unexpected ones, matters.
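To see what Wireshark is doing when it shows the DNP3 layers and the 0x3c02 object header, the following added example (not part of the PNNL lab) builds and parses a single-fragment DNP3 READ request for class 1 data. It verifies the CRC-16/DNP on the link header and on every data block, names the function code, and flags requests that would change state on the outstation. The link addresses (master 1, outstation 10) are constructed for the example, as is the frame itself; the CRC parameters and the function code and class-object numbering are those of the DNP3 specification.

```python
# Added example (not from the PNNL lab): build and parse a DNP3 READ for group 60 variation 2
# (class 1 data), checking CRC-16/DNP over the link header and each 16-byte data block.
import struct

FUNCTION_CODES = {0x00: "CONFIRM", 0x01: "READ", 0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE",
                  0x05: "DIRECT_OPERATE", 0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART",
                  0x81: "RESPONSE", 0x82: "UNSOLICITED_RESPONSE"}
CONTROL_FUNCTIONS = {0x02, 0x03, 0x04, 0x05, 0x0D, 0x0E}     # requests that change outstation state
CLASS_VARIATIONS = {1: "Class 0", 2: "Class 1", 3: "Class 2", 4: "Class 3"}   # group 60


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, reflected in/out, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(dest: int, src: int, user_data: bytes, link_ctrl: int = 0xC4) -> bytes:
    """Link header (0x0564, length, control, dest, src) + CRC, then 16-byte blocks each + CRC.
    The length byte counts control, dest, src and user data but not the CRCs.
    0xC4 = DIR=1, PRM=1, function 4 (unconfirmed user data), i.e. master -> outstation."""
    header = b"\x05\x64" + bytes([5 + len(user_data), link_ctrl]) + struct.pack("<HH", dest, src)
    out = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + struct.pack("<H", crc16_dnp(block))
    return out


def read_request(dest: int, src: int, objects) -> bytes:
    """Single-fragment READ: transport 0xC0 (FIN|FIR, seq 0), app control 0xC0, function 0x01,
    then one (group, variation, qualifier) header per object; qualifier 0x06 = all objects."""
    app = b"\xC0\x01" + b"".join(bytes(o) for o in objects)
    return build_frame(dest, src, b"\xC0" + app)


def parse_frame(frame: bytes) -> dict:
    if frame[:2] != b"\x05\x64":
        raise ValueError("missing DNP3 start bytes")
    length, ctrl = frame[2], frame[3]
    dest, src = struct.unpack("<HH", frame[4:8])
    if struct.unpack("<H", frame[8:10])[0] != crc16_dnp(frame[:8]):
        raise ValueError("link header CRC mismatch")
    user, pos, remaining = b"", 10, length - 5
    while remaining > 0:                               # strip and verify the per-block CRCs
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if struct.unpack("<H", frame[pos + n:pos + n + 2])[0] != crc16_dnp(block):
            raise ValueError(f"data block CRC mismatch at offset {pos}")
        user += block
        pos += n + 2
        remaining -= n
    transport, app = user[0], user[1:]
    func = app[1]
    objects, p = [], 2
    while p + 3 <= len(app):                           # object headers: group, variation, qualifier
        group, var, qual = app[p], app[p + 1], app[p + 2]
        objects.append({"group": group, "variation": var, "qualifier": qual,
                        "name": CLASS_VARIATIONS.get(var) if group == 60 else None})
        p += 3
        if qual != 0x06:                               # other qualifiers carry a range field not parsed here
            break
    return {"dest": dest, "src": src,
            "link": {"dir": ctrl >> 7 & 1, "prm": ctrl >> 6 & 1, "function": ctrl & 0x0F},
            "transport": {"fin": transport >> 7 & 1, "fir": transport >> 6 & 1, "seq": transport & 0x3F},
            "app_control": app[0], "function": FUNCTION_CODES.get(func, f"0x{func:02x}"),
            "is_control": func in CONTROL_FUNCTIONS, "objects": objects}


if __name__ == "__main__":
    frame = read_request(dest=10, src=1, objects=[(60, 2, 0x06)])   # constructed addresses
    print(frame.hex())
    print(parse_frame(frame))
```

The "is_control" flag is the part a detection engineer cares about: a READ from the expected master is routine, while a DIRECT_OPERATE or COLD_RESTART from an unexpected source address is exactly the kind of request the unauthenticated protocol will happily execute.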

Figure 11: DNP3 Read Request

IEC 61850: Open the file IEC61850.cap in the \Pcap directory. This sample capture is of an IEC 61850 session, specifically GOOSE (Generic Object Oriented Substation Event). The protocol is used in energy transmission and distribution infrastructure, some generation technology, and to a limited extent in oil and gas; it was first defined in the IEC 61850 standard. Note that GOOSE messages themselves are not XML: they are ASN.1 BER-encoded and carried directly in Ethernet frames (EtherType 0x88B8) to multicast MAC addresses, without IP or TCP. The XML in IEC 61850 is the Substation Configuration Language (SCL) that describes the devices and their datasets; the message carries the dataset reference and the typed values, and the SCL file tells you what those values mean. Figure 12 shows the capture file open in Wireshark. Notice that there are some Telnet and TCP packets, but they are irrelevant to this discussion. The only two GOOSE packets are from two different Schweitzer Engineering Laboratories relays. The contents of one of them are shown in the bottom half of Figure 12. The packet identifies the GOOSE control block, the device ID (SEL_351_1) and which dataset is being transmitted, followed by the dataset values themselves in the protocol's encoding.

IEC 61850 traffic can be challenging to debug because of the multicast destination MAC addresses, the differing source MACs, and difficulties in addressing or subscribing to the right data blocks; some vendors do not support all data blocks. Using Wireshark to inspect the packets at a low level helps tremendously in troubleshooting and allows much faster homing in on the problem.

Figure 12: IEC-61850 GOOSE Capture