COMP416 Lab (1) Wireshark I. 23 September 2013


2 Before the lab Review communication architecture. Review the TCP/IP model and protocol suite. Understand data transfer, layering, and encapsulation/demultiplexing: each layer adds its own header on the way down the sending host's stack, and each layer on the receiving host strips its header and uses a field in it (EtherType, IP protocol number, TCP/UDP port) to decide which upper-layer protocol gets the rest.

3 Content Data capture basics and tools. Getting started with Wireshark. Advanced usage. Traffic and protocol analysis.

4 Packet capture Why do we need to capture packets? To troubleshoot network problems, to examine security problems, to debug protocol implementations, and to learn network protocol internals.

5 Packet capture tools/sniffers Classic tools: Wireshark (http://www.wireshark.org/), tcpdump (http://www.tcpdump.org/). Other tools: Ettercap, dsniff, ntop, Kismet, WinDump, tshark (the command-line front end shipped with Wireshark).

6 What is Wireshark? An open source packet analyzer: it captures network packets and displays the decoded packet data. Decodes 1115 protocols (v1.4). Supports both command-line and GUI interfaces. Runs on many platforms, including Windows, OS X, Linux, and UNIX. Many online resources, e.g. the Wireshark User's Guide (http://www.wireshark.org/docs/wsug_html_chunked/).

7 How does Wireshark work? Wireshark does not capture packets itself; it sits on top of a capture library: WinPcap on Windows, libpcap on Linux. The library delivers raw frames from the interface, and Wireshark dissects them.

8 Libpcap and WinPcap libpcap and WinPcap are libraries for network traffic capture; they provide the core packet-capturing functions and the capture-filter (BPF) engine that tcpdump and Wireshark share. Linux/Unix -> libpcap. Windows -> WinPcap. Homepage of libpcap: http://www.tcpdump.org/. Homepage of WinPcap: http://www.winpcap.org

9 tcpdump and WinDump tcpdump: a Unix command-line tool used to capture and analyze packets, including filtering so that only the packets of interest are captured. Capture packets from the interface specified with the -i option. Read packets from an existing trace file specified with the -r option. Save captured packets to a trace file with the -w option. Trace files written with -w are in libpcap format, so Wireshark opens them directly. Homepage: http://www.tcpdump.org/. WinDump: the Windows version of tcpdump. Homepage: http://www.winpcap.org/windump/
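The trace file that tcpdump -w writes and tcpdump -r or Wireshark reads is the libpcap format: a 24-byte global header (magic number, version, snaplen, link type) followed by a 16-byte record header and the raw frame for each packet. The Python below is an added example and is not part of the lab handout or of tcpdump/Wireshark. It builds two constructed frames (RFC 5737 documentation addresses, made-up MAC addresses, a one-line HTTP request and its response), writes them as a pcap buffer in memory, then reads the buffer back and dissects each frame Ethernet -> IPv4 -> TCP -> HTTP, which is the demultiplexing step slide 2 asks you to review and the method/version/status-code questions of Exercise 1. The TCP checksum is left at zero to keep the example short; the IP header checksum is computed and verified.

```python
"""Added example: write a minimal libpcap trace in memory, then dissect it
Ethernet -> IPv4 -> TCP -> HTTP the way `tcpdump -r` / Wireshark would.
Not code from the lab; addresses, MACs and payloads are constructed."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload: bytes, flags=0x18) -> bytes:
    """Encapsulate payload in TCP, IPv4 and Ethernet headers (constructed MACs)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    # data offset 5 words, flags default PSH|ACK; TCP checksum left 0 for brevity
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    return eth + ip + tcp + payload


def make_pcap(frames, linktype=LINKTYPE_ETHERNET) -> bytes:
    """Global header + one record header per frame, i.e. what `tcpdump -w` writes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_380_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def dissect(frame: bytes) -> dict:
    """Demultiplex one Ethernet frame into a flat dict of Wireshark-style field names."""
    pkt = {"eth.type": struct.unpack("!H", frame[12:14])[0]}
    if pkt["eth.type"] != ETHERTYPE_IPV4:
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    pkt.update({"ip.src": socket.inet_ntoa(ip[12:16]), "ip.dst": socket.inet_ntoa(ip[16:20]),
                "ip.proto": ip[9], "ip.checksum_ok": ip_checksum(ip[:ihl]) == 0})
    if pkt["ip.proto"] != IPPROTO_TCP:
        return pkt
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4
    pkt.update({"tcp.srcport": sport, "tcp.dstport": dport,
                "tcp.flags": off_flags & 0x1FF, "tcp.payload": tcp[doff:]})
    if 80 in (sport, dport) and pkt["tcp.payload"]:      # port-based HTTP dissection
        first = pkt["tcp.payload"].split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ", 2)
        if first[0].startswith("HTTP/"):
            pkt["http.response.code"] = int(first[1])
        elif len(first) == 3:
            pkt["http.request.method"], pkt["http.request.uri"], pkt["http.request.version"] = first
    return pkt


def parse_pcap(data: bytes) -> list:
    """Read a pcap buffer (`tcpdump -r`); the magic number tells us the writer's byte order."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not an Ethernet pcap")
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = dissect(data[off:off + incl_len])
        pkt["frame.time"] = ts_sec + ts_usec / 1e6
        pkts.append(pkt)
        off += incl_len
    return pkts


def http_summary(pcap_bytes: bytes) -> list:
    """Display filter `http` in miniature: (method, uri, status) for HTTP packets only."""
    return [(p.get("http.request.method"), p.get("http.request.uri"), p.get("http.response.code"))
            for p in parse_pcap(pcap_bytes) if "http.request.method" in p or "http.response.code" in p]


# Constructed sample: documentation addresses (RFC 5737), not real hosts.
CLIENT, SERVER = "192.0.2.10", "198.51.100.7"
SAMPLE_PCAP = make_pcap([
    build_tcp_frame(CLIENT, SERVER, 51000, 80, b"GET / HTTP/1.1\r\nHost: www.polyu.edu.hk\r\n\r\n"),
    build_tcp_frame(SERVER, CLIENT, 80, 51000, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
])

if __name__ == "__main__":
    for p in parse_pcap(SAMPLE_PCAP):
        print(p["ip.src"], "->", p["ip.dst"], p["tcp.srcport"], "->", p["tcp.dstport"], p["tcp.flags"])
    print(http_summary(SAMPLE_PCAP))
```

The dissector identifies HTTP purely by port 80, which is how Wireshark's default dissection also works; traffic on other ports needs "Decode As", and a server can speak a different protocol on port 80. Write SAMPLE_PCAP to a file with open("sample.pcap", "wb").write(SAMPLE_PCAP) to open the same two packets in Wireshark.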

10 Basic usage Tip: packet capture needs root / administrator privileges. On Linux, give only the capture helper (dumpcap) the capture capability, e.g. via the wireshark group set-up in the Wireshark documentation, rather than running the whole GUI and its dissectors as root. Packet capture: select the right interface! Save / open trace.

11 Advanced usage (1): filters Capture filters: only the packets that match the rule are captured and decoded in Wireshark; everything else is discarded at capture time and cannot be recovered later. Syntax is BPF (the same as tcpdump): specify protocols with ip, tcp, udp; specify hosts with host, dst, src; for example tcp port 80, or host 192.0.2.10 (an example address). More filters can be found at http://wiki.wireshark.org/capturefilters. Display filters: do not affect the captured packets; they only determine whether or not some packets are displayed. Syntax uses Wireshark field names, for example http, ip.addr == 192.0.2.10, tcp.port == 443. Useful: Follow TCP Stream. More filters can be found at http://wiki.wireshark.org/displayfilters

12 Advanced usage (2) Follow a stream. Stream: [IP address A, port A, IP address B, port B]; both directions of a TCP connection are reassembled in order and shown as one dialogue. Adjust the layout and columns: Edit -> Preferences. Statistics: Summary: general statistics about the current capture file. Conversations: statistics of the captured conversations; a conversation is the traffic between two specific endpoints. Endpoints: traffic statistics of an end host. IO Graphs: visualizing the number of packets (or bytes) over time.

13 Analyze a Web application The World Wide Web (WWW) is the most popular Internet application. Answer the following questions: What is the relationship between the Web and HTTP? What type of protocol is HTTP? What happens in the background when you access a Web site through a Web browser?

14 Exercise 1: analyze HTTP traffic Y:\Win32\WiresharkPortable. Select the right interface. Visit www.polyu.edu.hk. After the page is fully loaded, stop capturing. Analyze the HTTP traffic. What have you observed? Write down the protocols you have observed. Consider why you can observe so much traffic and so many protocols besides the HTTP traffic.

15 Exercise 1 (cont'd) Analyze HTTP traffic. What is your HTTP request method? What is your HTTP request version? What is the status code in the response? What does it mean? Apply a display filter so that only HTTP packets are shown. How many HTTP requests have been sent to the Web server? Write down each request.

16 Exercise 2 Try different capture filters. How can I capture only HTTP traffic? How can I capture only the traffic from/to a specified host? Visit http://www.polyu.edu.hk and analyze the HTTP traffic. What is your IP address? What is the server's IP address? How many TCP connections were opened? Visit http://www.comp.polyu.edu.hk/test and analyze the HTTP traffic. What is the difference compared with the previous steps?

17 Exercise 2 (cont'd) Visit http://www.oneprobe.org and analyze the HTTP traffic. What is the difference compared with the previous steps? How many Web servers have you accessed? Write down the servers' exact IP addresses. Explain this phenomenon.

18 Exercise 3 Delete the capture filter. Start a new capture. Visit http://hk.yahoo.com/. When the page is fully loaded, stop capturing. Compare the throughput of UDP and TCP as a time series (Statistics -> IO Graphs, one line per protocol).
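The Statistics views of slide 12 and the counting questions of Exercises 2 and 3 all reduce to grouping dissected packets by key. The Python below is an added example, not code from the lab or from Wireshark, and works on a constructed list of already-dissected packets (documentation addresses, flag bits and lengths chosen to look like a short page load plus one DNS lookup). It computes the Conversations and Endpoints tables, follows one TCP stream, counts TCP connections the way a practitioner would (a SYN without ACK opens a connection), and bins bytes per protocol per second as an IO graph would.

```python
"""Added example (not part of the lab handout): Wireshark's Conversations,
Endpoints, Follow TCP Stream and IO Graph views recomputed over a constructed
list of dissected packets."""
from collections import defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    time: float      # seconds since start of capture
    proto: str       # "TCP" or "UDP"
    src: str
    dst: str
    sport: int
    dport: int
    flags: int       # TCP flag bits (0 for UDP)
    wire_len: int    # bytes on the wire, as in Wireshark's Length column
    payload: bytes   # transport payload


SYN, ACK = 0x002, 0x010

# Constructed sample capture: RFC 5737 documentation addresses, not real hosts.
SAMPLE = [
    Pkt(0.00, "TCP", "192.0.2.10", "198.51.100.7", 51000, 80, SYN, 74, b""),
    Pkt(0.02, "TCP", "198.51.100.7", "192.0.2.10", 80, 51000, SYN | ACK, 74, b""),
    Pkt(0.02, "TCP", "192.0.2.10", "198.51.100.7", 51000, 80, ACK, 66, b""),
    Pkt(0.03, "TCP", "192.0.2.10", "198.51.100.7", 51000, 80, 0x018, 120, b"GET / HTTP/1.1\r\n\r\n"),
    Pkt(0.05, "TCP", "198.51.100.7", "192.0.2.10", 80, 51000, 0x018, 1514, b"HTTP/1.1 200 OK\r\n\r\n<html>"),
    Pkt(0.10, "UDP", "192.0.2.10", "192.0.2.1", 53999, 53, 0, 75, b""),     # DNS query
    Pkt(0.12, "UDP", "192.0.2.1", "192.0.2.10", 53, 53999, 0, 91, b""),     # DNS reply
    Pkt(1.20, "TCP", "192.0.2.10", "203.0.113.9", 51001, 80, SYN, 74, b""),  # second server
    Pkt(1.22, "TCP", "203.0.113.9", "192.0.2.10", 80, 51001, SYN | ACK, 74, b""),
    Pkt(1.30, "TCP", "192.0.2.10", "203.0.113.9", 51001, 80, 0x018, 110, b"GET /test HTTP/1.1\r\n\r\n"),
]


def conv_key(p: Pkt) -> tuple:
    """Direction-independent conversation key: protocol plus the sorted (addr, port) pair."""
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def conversations(pkts) -> dict:
    """Statistics -> Conversations: packets and bytes per conversation."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in pkts:
        stats[conv_key(p)]["packets"] += 1
        stats[conv_key(p)]["bytes"] += p.wire_len
    return dict(stats)


def endpoints(pkts) -> dict:
    """Statistics -> Endpoints: packets, bytes sent and bytes received per IP address."""
    stats = defaultdict(lambda: {"packets": 0, "tx_bytes": 0, "rx_bytes": 0})
    for p in pkts:
        stats[p.src]["packets"] += 1
        stats[p.src]["tx_bytes"] += p.wire_len
        stats[p.dst]["packets"] += 1
        stats[p.dst]["rx_bytes"] += p.wire_len
    return dict(stats)


def follow_stream(pkts, key: tuple) -> dict:
    """Follow TCP Stream: payload of each direction concatenated in capture order."""
    out = defaultdict(bytes)
    for p in pkts:
        if conv_key(p) == key and p.payload:
            out[(p.src, p.sport, p.dst, p.dport)] += p.payload
    return dict(out)


def tcp_connections(pkts) -> int:
    """Exercise 2: each new TCP connection starts with a SYN that carries no ACK."""
    return sum(1 for p in pkts if p.proto == "TCP" and p.flags & SYN and not p.flags & ACK)


def io_graph(pkts, interval: float = 1.0) -> dict:
    """Exercise 3 / IO Graphs: bytes per time bucket per protocol, keyed (bucket_start, proto)."""
    buckets = defaultdict(int)
    for p in pkts:
        buckets[(int(p.time // interval) * interval, p.proto)] += p.wire_len
    return dict(buckets)


if __name__ == "__main__":
    for key, s in conversations(SAMPLE).items():
        print(key, s)
    print("TCP connections:", tcp_connections(SAMPLE))
    print("IO graph:", io_graph(SAMPLE))
```

Counting SYNs without ACK counts connection attempts, not successful connections; a SYN that gets a RST or no reply is still counted, which is exactly what you want when looking for port scans, and the reason the SYN-ACK is excluded is that it belongs to the same connection.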

19 Exercise 4 Start a new capture. Visit https://www.google.com.hk. When the page is fully loaded, stop capturing. Identify the HTTPS traffic. What is the default port of HTTPS? What can you see after applying Follow TCP Stream, and why is it not the readable request/response dialogue you saw for plain HTTP? Write down the process of how an HTTPS connection is established, starting from the TCP handshake.

20 Exercise 5 Visit http://www.facebook.com and analyze the HTTP traffic. Record the IP address of the Facebook server. Save the trace. Visit Facebook again at home, and compare the trace with the one you obtained on campus. Record the IP address of the Facebook server. Is the IP address recorded at home the same as the one recorded on campus? If not, explain why.

21 Further reading CDN (content delivery network): http://www.nczonline.net/blog/2011/11/29/how-content-delivery-networks-cdns-work/