Network Security: Workshop
Protocol Analyzer
- Network analysis is the process of capturing network traffic and inspecting it closely to determine what is happening on the network.
- A protocol analyzer decodes, or dissects, the data packets of common protocols and displays the network traffic in human-readable format.
- It can be a standalone hardware device with specialized software, or it can simply be software that you install on your desktop or laptop.
WireShark: what is it good for?
- Troubleshooting problems on the network
- Analyzing performance to discover bottlenecks
- Network intrusion detection
- Logging network traffic for forensics and evidence
- Analyzing the operations of applications
- Discovering a faulty network card
- Discovering the origin of a Denial of Service (DoS) attack
- Detecting spyware
- Detecting a compromised computer
- Validating compliance with company policy
- As an educational resource when learning about protocols
- Reverse-engineering protocols in order to write clients and supporting programs
WireShark: what is not so good about it?
- Capturing clear-text usernames and passwords
- Compromising proprietary information
- Capturing and replaying Voice over IP telephone conversations
- Mapping a network
- Passive OS fingerprinting
Ethernet: historic assumptions
- All computers on the local network segment share the same cable (broadcast).
- Each packet has a header, which is like an envelope containing the addresses of both the destination and source machine.
- All of the other computers on the network segment see each packet, but if they are not the intended receiver they disregard and discard it, unless the computer is running a sniffer.
- Promiscuous mode: the NIC captures all of the traffic on the segment regardless of who it is being sent to.
Ethernet today
- Most Ethernet networks today do not share a bus.
- Each computer on the network gets only its own intended packets (and broadcasts).
- Promiscuous mode (should) not be relevant.
So who's who?
- Each network component has a unique Media Access Control (MAC) address.
- The MAC is the individual identifier of each component.
- MACs are (supposed) to be hard coded.
- 48 bits, written as a 12-digit hexadecimal number.
- The first 24 bits identify the vendor.
- The last 24 bits are the serial.
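As an added example (not part of the workshop slides), the following Python splits the source and destination MAC addresses of a constructed Ethernet II header into the vendor (first 24 bits) and serial (last 24 bits) halves and flags the broadcast/group and locally-administered bits, the way a protocol analyzer presents them. The header bytes and addresses are made up for the example.

```python
import struct

# Constructed 14-byte Ethernet II header (addresses are made up for this example):
# destination = broadcast, source = a made-up unicast address, EtherType 0x0800 (IPv4).
SAMPLE_HEADER = bytes.fromhex("ffffffffffff" "001a2b3c4d5e" "0800")


def mac_to_str(mac: bytes) -> str:
    """Format six raw bytes as the usual 12-hex-digit, colon-separated MAC."""
    return ":".join(f"{b:02x}" for b in mac)


def dissect_mac(mac: bytes) -> dict:
    """Split a 48-bit MAC into its 24-bit vendor (OUI) and 24-bit serial halves.

    The two low-order bits of the first octet are the group (multicast/broadcast)
    and locally-administered flags; a hard-coded vendor address has both clear.
    """
    if len(mac) != 6:
        raise ValueError("a MAC address is exactly 48 bits")
    return {
        "address": mac_to_str(mac),
        "vendor": mac_to_str(mac[:3]),       # first 24 bits identify the vendor
        "serial": mac_to_str(mac[3:]),       # last 24 bits are the serial
        "group": bool(mac[0] & 0x01),        # multicast/broadcast bit
        "locally_administered": bool(mac[0] & 0x02),
        "broadcast": mac == b"\xff" * 6,
    }


def dissect_ethernet_header(frame: bytes) -> dict:
    """Decode destination MAC, source MAC and EtherType from the first 14 bytes."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dissect_mac(dst), "src": dissect_mac(src), "ethertype": ethertype}


if __name__ == "__main__":
    hdr = dissect_ethernet_header(SAMPLE_HEADER)
    for side in ("src", "dst"):
        m = hdr[side]
        print(f"{side}: {m['address']}  vendor={m['vendor']}  serial={m['serial']}"
              f"  group={m['group']}  broadcast={m['broadcast']}")
    print(f"EtherType: 0x{hdr['ethertype']:04x}")
```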
A little hardware
Hub
- Blindly forwards the information to all other computers connected to it.
- This creates one large broadcast (collision) domain.
- Creates performance issues and makes sniffing very easy.
Switch
- Looks at the packet header to locate the destination MAC address.
- Maintains a list of all MAC addresses.
- It can forward packets to specific ports.
- This narrows the collision domain, or broadcast domain, to a single port.
Let's not forget: port mirroring/spanning
- To mirror ports, you need to configure the switch to duplicate the traffic from the port you want to monitor to another port, the one your sniffer is connected to.
- Here's an idea: port mirror your uplink.
Let's get down to business: Wireshark down and dirty
WireShark
- Formerly known as (FKA) Ethereal
- GNU General Public License (GPL)
- Works in promiscuous and non-promiscuous modes
- Captures data from the network or from a file
- Displays data in ASCII/hex/C array
- Multi-platform
- Supports hundreds of protocols
- Command-line capabilities
Capture and display filters
- The capture filter syntax follows the same syntax that tcpdump uses, from the libpcap library.
- Display filters provide a powerful syntax to sort through traffic that has already been captured.
Capture and display filters: operators and slices
Comparison operators (keyword / symbol):
- eq  ==
- ne  !=
- gt  >
- lt  <
- ge  >=
- le  <=
Logical operators (keyword / symbol):
- and  &&
- or   ||
- xor  ^^
- not  !
Slice operators on a field value:
- [i:j]  i = start_offset, j = length
- [i-j]  i = start_offset, j = end_offset, inclusive
- [i]    i = start_offset, length = 1
- [:j]   start_offset = 0, length = j
- [i:]   start_offset = i, end_offset = end_of_field
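As an added example (not from the slides), this Python applies the five slice forms listed above to a raw field value and evaluates a comparison using either the keyword or the symbol form, so the notation can be checked against real bytes. The `eth.src` value is a made-up sample.

```python
import operator
import re

# Constructed sample field value: a made-up 6-byte eth.src address.
ETH_SRC = bytes.fromhex("001a2b3c4d5e")

# Comparison operators accept either the keyword or the symbol form.
OPS = {
    "eq": operator.eq, "==": operator.eq,
    "ne": operator.ne, "!=": operator.ne,
    "gt": operator.gt, ">": operator.gt,
    "lt": operator.lt, "<": operator.lt,
    "ge": operator.ge, ">=": operator.ge,
    "le": operator.le, "<=": operator.le,
}

SLICE_RE = re.compile(r"^\[(\d*)([:-]?)(\d*)\]$")


def field_slice(field: bytes, spec: str) -> bytes:
    """Return the bytes a Wireshark slice such as "[0:3]" selects from a field.

    [i:j]  start_offset = i, length = j
    [i-j]  start_offset = i, end_offset = j (inclusive)
    [i]    start_offset = i, length = 1
    [:j]   start_offset = 0, length = j
    [i:]   start_offset = i, end_offset = end of field
    """
    m = SLICE_RE.match(spec)
    if not m:
        raise ValueError(f"malformed slice {spec!r}")
    left, sep, right = m.groups()
    if sep == "":                                  # [i]: a single byte
        return field[int(left):int(left) + 1]
    if sep == "-":                                 # [i-j]: inclusive end offset
        i, j = int(left), int(right)
        if j < i:
            raise ValueError(f"end offset before start in {spec!r}")
        return field[i:j + 1]
    i = int(left) if left else 0                   # [i:j], [:j], [i:]
    return field[i:] if right == "" else field[i:i + int(right)]


def compare(lhs: bytes, op: str, rhs: bytes) -> bool:
    """Evaluate one comparison, e.g. compare(field_slice(ETH_SRC, "[0:3]"), "==", b"...")."""
    return OPS[op](lhs, rhs)
```

With the sample above, `field_slice(ETH_SRC, "[0:3]")` yields the vendor half of the address and `compare(..., "eq", bytes.fromhex("001a2b"))` is True.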
Filter bar
- The Filter bar allows you to enter a filter string restricting which packets are displayed in the Summary window.
- To apply a filter, enter the desired string into the "Filter:" text field and press Enter (or click the Apply button).
- Filter strings are case-sensitive.
- Previously used filters can be easily recalled using the drop-down list.
Summary window columns
- Frame number: the number of the frame within the capture.
- Time: the time from the beginning of the capture to the time when the packet was captured (in seconds).
- Source: the highest level source address. This will frequently be the IP (Internet Protocol) source address, but may also be the Media Access Control (MAC) address for layer 2 (L2) Ethernet protocols, or other address types for other protocols (IPX, AppleTalk, etc.).
- Destination: the highest level destination address. Typically this will be the IP destination address, but it may also be the MAC address for L2 Ethernet protocols, or other address types for other protocols (IPX, AppleTalk, etc.).
- Protocol: typically the highest level protocol that was decoded. Examples include protocols such as HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP).
- Info: information that was determined by the highest level decoder to be useful or informative as part of a summary for this packet.
Protocol tree window
- The Protocol tree window allows you to examine the tree created by Wireshark from decoding a packet.
- For each protocol there is a tree node summarizing the protocol, which can be expanded to show the values in that protocol's fields.
Data view window
- Each row begins with a four-digit number representing the number of bytes by which the first octet in that row is offset from the beginning of the packet.
- An octet is eight bits, or one byte, or two hexadecimal (hex) digits.
- The offset is followed by sixteen two-character hexadecimal bytes.
- The last item in each row is a series of sixteen ASCII characters representing the same 16 bytes from the packet. Not all bytes are conveniently displayable in ASCII; for those bytes a period (.) is substituted as a placeholder.
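As an added example (not from the slides), this Python renders a packet in the layout just described: a four-digit hex offset, sixteen two-character hex bytes, and the same sixteen bytes as ASCII with a period standing in for anything not displayable. The packet bytes are a constructed sample (a made-up Ethernet header followed by the start of an HTTP request).

```python
import string

# Characters shown as themselves in the ASCII column; everything else becomes ".".
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def hexdump_rows(data: bytes, width: int = 16) -> list:
    """Return one formatted row per `width` bytes of `data`, Data-view style."""
    rows = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)
        # pad the hex column so a short last row keeps the ASCII column aligned
        rows.append(f"{offset:04x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return rows


def hexdump(data: bytes) -> str:
    """Whole packet as the multi-line text the Data view window would show."""
    return "\n".join(hexdump_rows(data))


# Constructed sample: made-up Ethernet II header (broadcast dst, made-up src, IPv4)
# followed by the first bytes of an HTTP request line.
SAMPLE_PACKET = bytes.fromhex("ffffffffffff001a2b3c4d5e0800") + b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    print(hexdump(SAMPLE_PACKET))
```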
Data view window (screenshot) with three labelled regions: offset (in hex) of the first octet in the row from the packet beginning; data bytes (hex); data bytes (in ASCII).
Statistics: we sniffed, captured, and now what?
Statistics menu
- Summary: show information about the data captured.
- Protocol hierarchy: display a hierarchical tree of protocol statistics.
- Conversations: display a list of conversations (traffic between two endpoints).
- Endpoints: display a list of endpoints (traffic to/from an address).
- IO graph: display user-specified graphs (e.g. the number of packets over time).
- Conversation list: display a list of conversations.
- Endpoint list: display a list of endpoints.
- Service response time: display the time between a request and the corresponding response.
- ANSI, BOOTP-DHCP, and others: display protocol-specific statistics windows.
Summary (screenshot of the Statistics > Summary window)
Protocol hierarchy (screenshot of the Statistics > Protocol Hierarchy window)
Conversation
- A network conversation is the traffic between two specific endpoints. For example, an IP conversation is all the traffic between two IP addresses.
Endpoint
- For each supported protocol, a tab is shown in this window. The tab label shows the number of endpoints captured. If no endpoints of a specific protocol were captured, the tab label is grayed out.
- Each row in the list shows the statistical values for exactly one endpoint.
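As an added example (not from the slides) covering both the Conversation and Endpoint statistics above, this Python builds the two tables from a constructed list of IP packets: a conversation is keyed by the unordered address pair so both directions land in the same row, while an endpoint row counts traffic to and from one address. Packets and addresses are made up for the example.

```python
from collections import defaultdict

# Constructed packets: (src_ip, dst_ip, frame_length_in_bytes). Addresses are made up.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", 74),
    ("10.0.0.1", "10.0.0.5", 74),
    ("10.0.0.5", "10.0.0.1", 1514),
    ("10.0.0.7", "10.0.0.1", 60),
]


def ip_conversations(packets) -> dict:
    """Conversation statistics: traffic between each pair of IP addresses.

    Returns {(addr_a, addr_b): {"packets": n, "bytes": b}}. The pair is sorted
    so that A->B and B->A packets are counted in the same conversation.
    """
    conv = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, length in packets:
        key = tuple(sorted((src, dst)))
        conv[key]["packets"] += 1
        conv[key]["bytes"] += length
    return dict(conv)


def ip_endpoints(packets) -> dict:
    """Endpoint statistics: traffic to/from each single IP address.

    Returns {addr: {"packets", "bytes", "tx_bytes", "rx_bytes"}}; every packet is
    counted once for its source and once for its destination.
    """
    ends = defaultdict(lambda: {"packets": 0, "bytes": 0, "tx_bytes": 0, "rx_bytes": 0})
    for src, dst, length in packets:
        ends[src]["packets"] += 1
        ends[src]["bytes"] += length
        ends[src]["tx_bytes"] += length
        ends[dst]["packets"] += 1
        ends[dst]["bytes"] += length
        ends[dst]["rx_bytes"] += length
    return dict(ends)


if __name__ == "__main__":
    for pair, stats in ip_conversations(SAMPLE_PACKETS).items():
        print(f"{pair[0]} <-> {pair[1]}: {stats['packets']} packets, {stats['bytes']} bytes")
    for addr, stats in ip_endpoints(SAMPLE_PACKETS).items():
        print(f"{addr}: {stats['packets']} packets, tx {stats['tx_bytes']} rx {stats['rx_bytes']}")
```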
IO graph
- A user-configurable graph of the captured network packets.
- You can define up to five differently colored graphs.
What now? Homework
- Download the dump files.
- Follow the instructions.
- Explain what is in each dump.
- Enjoy!