Overview. Protocol Analysis. Network Protocol Examples. Tools overview. Analysis Methods




Capturing & Analyzing Network Traffic: tcpdump/tshark and Wireshark
EE 122: Intro to Communication Networks
Vern Paxson / Jorge Ortiz / Dilip Anthony Joseph

Overview
  Examples of network protocols
  Protocol analysis
    Verify correctness
    Analyze performance
    Better understanding of existing protocols
    Optimization and debugging of new protocols
  Tools
    tcpdump & tshark
    Wireshark

Network Protocol Examples
  A protocol defines the rules of exchange between a pair (or more) of machines over a communication network
  HTTP (Hypertext Transfer Protocol): defines how web pages are fetched and sent across a network
  TCP (Transmission Control Protocol): provides reliable, in-order delivery of a stream of bytes
  Your protocol here

Protocol Analysis
  Verify correctness
    Debug/detect incorrect behavior
  Analyze performance
  Gain deeper understanding of existing protocols by seeing how they behave in actual use

Analysis Methods
  Instrument the code
    Difficult task, even for experienced network programmers
    Tedious and time consuming
  Use available tools
    tcpdump / tshark
    Wireshark
    ipsumdump
  Write your own tool
    libpcap

Tools overview
  Tcpdump
    Unix-based command-line tool used to intercept packets, including filtering to just the packets of interest
    Reads live traffic from the interface specified with the -i option, or from a previously recorded trace file specified with the -r option (you create such files when capturing live traffic with the -w option)
  Tshark
    Tcpdump-like capture program that comes with Wireshark
    Very similar behavior & flags to tcpdump
  Wireshark
    GUI for displaying tcpdump/tshark packet traces

Tcpdump example
  Ran tcpdump on the machine danjo.cs.berkeley.edu
  First few lines of the output:

01:46:28.808262 IP danjo.cs.berkeley.edu.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.cs.berkeley.edu.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.cs.berkeley.edu.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.cs.berkeley.edu.ssh: P 1:49(48) ack 1380 win 16560

What does a line convey?
  Using the first line above as the example:
  Timestamp: 01:46:28.808262
  This is an IP packet: IP
  Source host name: danjo.cs.berkeley.edu
  Source port number (22): ssh
  Destination host name: adsl-69-228-230-7.dsl.pltn13.pacbell.net
  Destination port number: 2481
  TCP-specific information: . 2513546054:2513547434(1380) ack 1268355216 win 12816
  Different output formats for different packet types

Similar Output from Tshark

1190003744.940437 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48
1190003744.940916 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48
1190003744.955764 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=48 Ack=48 Win=65514 Len=0 TSV=445871583 TSER=632535493
1190003745.035678 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48
1190003745.036004 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48
1190003745.050970 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=96 Ack=96 Win=65514 Len=0 TSV=445871583 TSER=632535502

Demo 1: Basic Run
  Syntax: tcpdump [options] [filter expression]
  Run the following command on the machine c199.eecs.berkeley.edu: tcpdump
  Observe the output

Demo 2: Filters
  We are often not interested in all packets flowing through the network
  Use filters to capture only packets of interest to us
  1. Capture only UDP packets: tcpdump udp
  2. Capture only TCP packets: tcpdump tcp
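The "What does a line convey?" slide describes the classic tcpdump TCP line layout but leaves the reader to split the fields by eye. The following parser is an added example, not part of the original slides: it takes the four lines of the danjo.cs.berkeley.edu trace shown above, extracts each field the slide names (timestamp, hosts, ports, flags, sequence range, payload length, ack, window), and then sums payload bytes per direction, which is the first thing one usually wants from such a trace. The sample lines are copied from the slide; the parser accepts both the ": . " spacing tcpdump prints and the ":." form the transcript shows, and it targets only this older format (newer tcpdump releases print "Flags [P.], seq ..., ack ..., win ..., length N").

```python
import re
from collections import defaultdict

# Classic tcpdump TCP line, as shown on the slide:
#   <timestamp> IP <src host>.<src port> > <dst host>.<dst port>: <flags> <lo>:<hi>(<len>) ack <n> win <n>
# The sequence range, ack and window are optional because pure ACKs and SYNs omit some of them.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+?)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+?)\.(?P<dport>[^.\s:]+):\s*"
    r"(?P<flags>[.SPFRWEU]+)"
    r"(?: (?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<length>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
)

# The four lines from the slide's danjo.cs.berkeley.edu capture.
SAMPLE_LINES = [
    "01:46:28.808262 IP danjo.cs.berkeley.edu.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816",
    "01:46:28.808271 IP danjo.cs.berkeley.edu.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816",
    "01:46:28.808276 IP danjo.cs.berkeley.edu.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816",
    "01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.cs.berkeley.edu.ssh: P 1:49(48) ack 1380 win 16560",
]


def parse_line(line):
    """Return the fields of one tcpdump TCP line as a dict, or None if the line is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Numeric fields arrive as strings; missing optional fields stay None.
    for key in ("seq_lo", "seq_hi", "length", "ack", "win"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def payload_by_direction(lines):
    """Sum the TCP payload bytes carried in each (source host, destination host) direction."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["length"]:
            totals[(rec["src"], rec["dst"])] += rec["length"]
    return dict(totals)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(f"{rec['ts']} {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
              f"flags={rec['flags']} len={rec['length']} ack={rec['ack']} win={rec['win']}")
    for (src, dst), total in payload_by_direction(SAMPLE_LINES).items():
        print(f"{src} -> {dst}: {total} payload bytes")
```

Run on the slide's trace, the parser reports 3508 payload bytes from danjo.cs.berkeley.edu to the DSL client and 48 bytes back, which is exactly what the three data segments and the single reply on the slide add up to.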

Demo 2 (contd.)
  1. Capture only UDP packets with destination port 53 (DNS requests): tcpdump udp dst port 53
  2. Capture only UDP packets with source port 53 (DNS replies): tcpdump udp src port 53
  3. Capture only UDP packets with source or destination port 53 (DNS requests and replies): tcpdump udp port 53

Demo 2 (contd.)
  1. Capture only packets destined to quasar.cs.berkeley.edu: tcpdump dst host quasar.cs.berkeley.edu
  2. Capture both DNS packets and TCP packets to/from quasar.cs.berkeley.edu: tcpdump '(tcp and host quasar.cs.berkeley.edu) or udp port 53'
     (the quotes keep the shell from interpreting the parentheses)

How to write filters
  Refer to the cheat sheet slides at the end of this presentation
  Refer to the tcpdump/tshark man page

Running tcpdump
  Requires superuser/administrator privileges
  EECS instructional accounts
    You have access to setuid versions of tcpdump/tshark:
      /share/b/ee122/tcpdump
      /share/b/ee122/{i86pc,sun4u}/bin/tshark
    In /bin/bash: alias tcpdump=/share/b/ee122/tcpdump
    Only works on the Solaris 10 machines listed at http://inst.eecs.berkeley.edu/cgi-bin/clients.cgi?choice=servers
  Non-EECS instructional accounts
    tcpdump, tshark & wireshark work on many different operating systems
    Download the version for your personal desktop/laptop from http://www.tcpdump.org, http://www.winpcap.org/windump/

Security/Privacy Issues
  Tcpdump/tshark/wireshark allow you to monitor other people's traffic
  WARNING: Do NOT use these to violate privacy or security
  Use filtering to restrict packet analysis to only the traffic associated with your assignment. E.g., for project #1:
    tcpdump -s 0 -w all_pkts.trace tcp port 7788

Wireshark System Overview
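The Demo 2 filters combine protocol, direction and host/port qualifiers with and/or/not, but the slides only show the commands, not how such an expression is interpreted. As an added example that is not part of the original slides or of tcpdump itself, the following code implements a small evaluator for the subset of the filter language the slides use (tcp/udp/icmp, optional src/dst, host and port, and/&&, or/||, not/!, parentheses) and runs every Demo 2 expression against a handful of constructed packet records. It generalises the slide's examples to arbitrary nesting. It deliberately simplifies real libpcap/BPF semantics: host names are compared as strings instead of being resolved to addresses, and the qualifier-list shorthand ("port 53 or 80") is not supported. The packet records and host names other than quasar.cs.berkeley.edu and danjo.cs.berkeley.edu are constructed for the example.

```python
import re

PROTOS = {"tcp", "udp", "icmp"}
DIRS = {"src", "dst"}
TYPES = {"host", "port"}

# Constructed packet records: DNS request/reply, an SSH and an HTTP connection, and one ICMP packet.
PACKETS = [
    {"proto": "udp", "src": "quasar.cs.berkeley.edu", "dst": "ns.example.net", "sport": 40000, "dport": 53},
    {"proto": "udp", "src": "ns.example.net", "dst": "quasar.cs.berkeley.edu", "sport": 53, "dport": 40000},
    {"proto": "tcp", "src": "danjo.cs.berkeley.edu", "dst": "quasar.cs.berkeley.edu", "sport": 2481, "dport": 22},
    {"proto": "tcp", "src": "danjo.cs.berkeley.edu", "dst": "www.example.com", "sport": 2482, "dport": 80},
    {"proto": "icmp", "src": "danjo.cs.berkeley.edu", "dst": "quasar.cs.berkeley.edu"},
]


def tokenize(expr):
    """Split a filter expression into words, parentheses and the !, && and || operators."""
    return re.findall(r"\(|\)|!|&&|\|\||[^\s()!&|]+", expr)


class FilterParser:
    """Recursive-descent parser producing a tree of ('and'|'or'|'not'|'prim', ...) tuples.

    Grammar (a subset of pcap-filter):
      expr      := term (('or' | '||') term)*
      term      := factor (('and' | '&&') factor)*
      factor    := ('not' | '!') factor | '(' expr ')' | primitive
      primitive := [proto] [dir] ('host' | 'port') value | proto
    """

    def __init__(self, expr):
        self.toks = tokenize(expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() in ("or", "||"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() in ("and", "&&"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.peek()
        if tok in ("not", "!"):
            self.take()
            return ("not", self.factor())
        if tok == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return node
        return self.primitive()

    def primitive(self):
        proto = self.take() if self.peek() in PROTOS else None
        direction = self.take() if self.peek() in DIRS else None
        if self.peek() in TYPES:
            typ = self.take()
            value = self.take()
            if value is None:
                raise SyntaxError(f"'{typ}' needs a value")
            return ("prim", proto, direction, typ, int(value) if typ == "port" else value)
        if proto is not None and direction is None:
            return ("prim", proto, None, None, None)      # bare "tcp", "udp" or "icmp"
        raise SyntaxError(f"bad primitive near {self.peek()!r}")


def matches(node, pkt):
    """Evaluate a parsed filter tree against one packet record."""
    op = node[0]
    if op == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if op == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if op == "not":
        return not matches(node[1], pkt)
    _, proto, direction, typ, value = node
    if proto is not None and pkt["proto"] != proto:
        return False
    if typ is None:
        return True
    if typ == "port":
        if pkt["proto"] not in ("tcp", "udp"):         # ports make sense only for TCP and UDP
            return False
        fields = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[direction]
    else:
        fields = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[direction]
    return any(pkt.get(f) == value for f in fields)


def select(expr, packets=PACKETS):
    """Return the indices of the packets that the filter expression accepts."""
    tree = FilterParser(expr).parse()
    return [i for i, pkt in enumerate(packets) if matches(tree, pkt)]


if __name__ == "__main__":
    for expr in ("udp", "udp dst port 53", "udp src port 53", "udp port 53",
                 "dst host quasar.cs.berkeley.edu",
                 "(tcp and host quasar.cs.berkeley.edu) or udp port 53",
                 "tcp and ! host quasar.cs.berkeley.edu"):
        print(f"{expr!r:60} -> packets {select(expr)}")
```

Tracing the last two Demo 2 expressions by hand against the record list is a good way to confirm the precedence rules: "and" binds tighter than "or", and the parentheses are what keep the DNS clause from being absorbed into the tcp clause.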

Wireshark Interface
  Demonstration

Questions?

Other Useful Tools
  IPsumdump
    Handy Swiss army knife for displaying in ASCII the fields of interest in packet trace files
    http://www.cs.ucla.edu/~kohler/ipsumdump/
    For instructions to use IPsumdump on EECS instructional accounts, see the slide "Appendix: IPsumdump on EECS instructional accounts"
  Libpcap
    Unix packet capture library on which tcpdump/tshark are built
    http://www.tcpdump.org/

Assignment Requirements
  The tcpdump options -w <dump_file_name> -s 0 must be used for the traces submitted as part of the assignments
    tshark doesn't require -s 0 (it is the default)
  Appropriately name each dump file you submit and briefly describe what each dump file contains/illustrates in the README file associated with the assignment submission

Cheat Sheet: Commonly Used Tcpdump Options
  -n             Don't convert host addresses to names. Avoids DNS lookups, which can save you time.
  -w <filename>  Write the raw packets to the specified file instead of parsing and printing them out. Useful for saving a packet capture session and running multiple filters against it later.
  -r <filename>  Read packets from the specified file instead of live capture. The file should have been created with the -w option.
  -q             Quiet output. Prints less information per output line.

Cheat Sheet: Commonly Used Options (contd.)
  -s 0           tcpdump usually does not analyze and store the entire packet. This option ensures that the entire packet is stored and analyzed. NOTE: You must use this option while generating the traces for your assignments. (Default in tshark)
  -A (or -X in some versions)  Print each packet in ASCII. Useful when capturing web pages. NOTE: The contents of the packet before the payload (for example, the IP and TCP headers) often contain unprintable ASCII characters, which will cause the initial part of each packet to look like rubbish.
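The cheat sheet's -w, -r and -s 0 entries describe how a trace file is written, read back and possibly truncated, but the slides do not show what that truncation looks like in the file. The following is an added example, not code from the slides or from tcpdump/libpcap: it builds a classic little-endian pcap file in memory from one constructed raw IPv4/TCP packet carrying an HTTP request, writes it with a given snapshot length, reads it back, and reports how much of each packet survived. The pcap global header and per-record header layouts are the standard ones that tcpdump -w and -r use; snaplen 0 is treated as "keep the whole packet", matching the -s 0 semantics on the slides. The packet contents, addresses (10.0.0.1 and the TEST-NET address 192.0.2.80) and the 68-byte snaplen used as the "small default" are constructed for the example, and the IP/TCP checksums are left at zero because no stack will ever validate them.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # little-endian, microsecond-resolution pcap file
LINKTYPE_RAW = 101        # each record starts directly with the IP header (no link-layer header)
GLOBAL_HDR = "<IHHiIII"   # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"      # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)


def make_http_request_packet():
    """Construct a raw IPv4/TCP packet carrying a small HTTP request (checksums left at zero)."""
    payload = (b"GET /index.html HTTP/1.0\r\n"
               b"Host: www.example.com\r\n"
               b"User-Agent: demo\r\n\r\n")
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 80]))        # constructed addresses
    tcp = struct.pack("!HHIIBBHHH",
                      2482, 80, 1, 1, 5 << 4, 0x18, 16560, 0, 0)           # PSH|ACK, data offset 5 words
    return ip + tcp + payload


def build_pcap(packets, snaplen):
    """Serialise (ts_sec, ts_usec, bytes) tuples as a pcap file, saving at most snaplen bytes per packet.

    snaplen 0 means 'keep the entire packet', as tcpdump -s 0 does on the slides.
    """
    limit = snaplen if snaplen > 0 else 65535
    out = bytearray(struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, limit, LINKTYPE_RAW))
    for ts_sec, ts_usec, pkt in packets:
        saved = pkt[:limit]                       # this is the truncation -s controls
        out += struct.pack(RECORD_HDR, ts_sec, ts_usec, len(saved), len(pkt))
        out += saved
    return bytes(out)


def parse_pcap(data):
    """Read a pcap file back (what -r does); each record notes whether the capture cut it short."""
    magic, _major, _minor, _tz, _sig, snaplen, _link = struct.unpack_from(GLOBAL_HDR, data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, records = struct.calcsize(GLOBAL_HDR), []
    while off < len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack_from(RECORD_HDR, data, off)
        off += struct.calcsize(RECORD_HDR)
        records.append({"ts": ts_sec + ts_usec / 1e6,
                        "data": data[off:off + incl],
                        "orig_len": orig,
                        "truncated": incl < orig})   # incl_len < orig_len is how a reader detects -s truncation
        off += incl
    return snaplen, records


def snaplen_demo(snaplen):
    """Write one constructed HTTP request with the given snaplen, read it back, report what survived."""
    pkt = make_http_request_packet()
    _, records = parse_pcap(build_pcap([(1190003744, 940437, pkt)], snaplen))
    rec = records[0]
    return {"orig_len": rec["orig_len"],
            "saved_len": len(rec["data"]),
            "truncated": rec["truncated"],
            "payload": rec["data"][40:]}            # skip the 20-byte IP and 20-byte TCP headers


if __name__ == "__main__":
    for snaplen in (68, 0):
        r = snaplen_demo(snaplen)
        print(f"snaplen {snaplen}: saved {r['saved_len']} of {r['orig_len']} bytes, "
              f"truncated={r['truncated']}, payload={r['payload']!r}")
```

With the 68-byte snaplen only the first 28 bytes of the HTTP request survive, which is why an -A dump of such a trace shows request lines cut off mid-header; with snaplen 0 the whole request is there. The same incl_len/orig_len comparison is what Wireshark uses to flag a packet as "captured length less than packet length".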

Cheat Sheet: Writing Filters (1)
  Specifying the hosts we are interested in
    dst host <name/ip>
    src host <name/ip>
    host <name/ip>      (either source or destination is name/ip)
  Specifying the ports we are interested in (makes sense only for TCP and UDP packets)
    dst port <number>
    src port <number>
    port <number>

Cheat Sheet: Writing Filters (2)
  Specifying ICMP packets: icmp
  Specifying UDP packets: udp
  Specifying TCP packets: tcp
  Combining filters
    and (&&)
    or (||)
    not (!)
  Example: all TCP packets which are not from or to host quasar.cs.berkeley.edu
    tcpdump tcp and ! host quasar.cs.berkeley.edu
  Lots of examples in the EXAMPLES section of the man page

Appendix: IPsumdump on EECS instructional accounts
  Download and untar the latest IPsumdump source distribution from http://www.cs.ucla.edu/~kohler/ipsumdump/
  Set the following PATH and LD_LIBRARY_PATH environment variables using setenv (csh) or export (bash shell):
    setenv PATH /usr/ccs/bin:$PATH
    setenv LD_LIBRARY_PATH /usr/sww/lib
  Run ./configure followed by make. The executable is created in the src/ subdirectory
  Use ipsumdump to analyze trace files generated by tcpdump (using the -w option). For example:
    ipsumdump -r tracefile -s --payload
  prints the source and payload of the packets in tracefile in an easy-to-read format
  (Note: these instructions are from Fall 2006; let us know if you encounter problems with them)