ethereal (network protocol analyzer) 2006. 5. 9 백 일 우 [email protected]
Install – Winpcap (1/2)
Install in this order: first ‘WinPcap’, then ‘Ethereal’. WinPcap (Windows Packet Capture Library): http://winpcap.polito.it/
Install – Winpcap (2/2)
Install – Ethereal (1/3)
http://www.ethereal.com
Install – Ethereal (2/3)
Install – Ethereal (3/3)
Packet capture – Intro (1/4)
Packet sniffer structure (figure: kernel)
Packet capture – Intro (2/4)
Packet sniffer on Linux: tcpdump
Packet capture as a command run from the shell
Packet capture – Intro (3/4)
Ethereal: open source (freeware), compiled with GTK, GLib and libpcap; supports many platforms:
Mac OS X, Windows, Linux / Fedora (can be selected during OS installation), FreeBSD, Solaris
Packet capture – Intro (4/4)
Supported protocols: ‘Help’ > ‘Supported protocols’ lists the 605 supported protocols
User Interface
Ethereal (1/8)
Ethereal (2/8)
User Interface (cont’d)
Layer 2 / Layer 3 / Layer 4 / Layer 7
Ethereal (3/8)
Menu
Start a capture
Open a capture file
Save a capture file
Stop
Reload this capture file
Print packet
Find packet
Find the previous matching packet
Find the next matching packet
Go to the packet number
Go to the first packet
Go to the last packet
Zoom in/out
Zoom 100%
Edit capture filter
Edit/apply display filter
Edit coloring rule
Edit preference
Ethereal (4/8)
Filter menu
Open the “display filter” dialog
Enter a display filter
Add an expression to this filter string
Apply this filter string to the display
Clear this filter string
Ethereal (5/8)
Capture options
Select the interface
Set the buffer size
Limit the capture size of each packet
Set the capture filter to apply
File name to save to
Set the conditions for stopping the packet capture
Update the packet list in real time
Auto-scroll to the most recently captured packets in the list
Show the vendor of each MAC address
Name resolution at the network layer
e.g. domain name
Ethereal (6/8)
Packet capture example
Ethereal (7/8)
‘Statistics’ ‘Summary’
Ethereal (8/8)
‘Statistics’ ‘Protocol hierarchy statistics’
Follow tcp stream – (1/2)
Follow tcp stream – (2/2)
Display filter
Basic syntax
Definition                 Expression
And                        &&, and
Or                         ||, or
Not                        !, not
Equal                      ==, eq
Not equal                  !=, ne
Greater than               >, gt
Less than                  <, lt
Greater than or equal to   >=, ge
Less than or equal to      <=, le
Filter command – (1/9)
Ethernet (eth)
eth.addr : source or destination MAC address
eth.dst : destination MAC address
eth.src : source MAC address
eth.type : type (ARP : 0x0806, IP : 0x0800)
Ethernet frame format:
Destination addr (6 bytes) | Source addr (6 bytes) | Type (2 bytes)
Filter command – (2/9)
Ethernet frame capture example (figure: Ethernet frame format, as above)
Filter command – (3/9)
IP (ip)
ip.addr : source or destination IP address
ip.src : source IP address
ip.dst : destination IP address
ip.version : IP version
ip.proto : next level protocol
ip.ttl : TTL (time to live)
IP datagram header (figure)
Filter command – (4/9)
IP packet capture example (figure: IP datagram header)
Filter command – (5/9)
TCP (tcp)
tcp.srcport : source port
tcp.dstport : destination port
tcp.port : source/destination port
tcp.seq : sequence number
tcp.ack : acknowledgement number
tcp.len : segment length
TCP header format (figure)
Filter command – (6/9)
TCP packet capture example (figure: TCP header format)
Filter command – (7/9)
UDP (udp)
udp.srcport
udp.dstport
udp.port
udp.length
UDP header format (figure)
Filter command – (8/9)
Echo (echo) echo.request echo.response
MSN messenger (msnms)
Filter command – (9/9)
HTTP (http) http.request http.response
Filter command example
#1 : capture the IP packets of 220.67.124.138 through 220.67.124.170
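Added example, not from the slides: a small Python decoder that pulls the eth.*, ip.* and tcp.* fields listed in the filter-command pages out of a raw Ethernet frame, then evaluates filter example #1 (ip.addr between 220.67.124.138 and 220.67.124.170) the way Ethereal does, matching either source or destination. The frame bytes, the peer address 10.0.0.5 and the zeroed checksums are constructed values, not a real capture.

```python
import ipaddress
import struct

# Constructed sample frame (not a real capture): Ethernet II + IPv4 + TCP SYN,
# 220.67.124.150:49152 -> 10.0.0.5:80, TTL 64, checksums left as zero.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                  # dst MAC, src MAC, type IP
    "450000280001400040060000" "dc437c96" "0a000005"      # IPv4 header (20 bytes)
    "c0000050000000010000000050022000" "00000000"         # TCP header (20 bytes)
)

def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/TCP headers into Ethereal display-filter field names."""
    fields = {}
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    fields["eth.dst"], fields["eth.src"] = eth_dst.hex(":"), eth_src.hex(":")
    fields["eth.type"] = eth_type
    if eth_type != 0x0800:                      # only IP payloads are decoded further
        return fields
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields["ip.version"] = ver_ihl >> 4
    fields["ip.ttl"], fields["ip.proto"] = ttl, proto
    fields["ip.src"] = ipaddress.IPv4Address(src)
    fields["ip.dst"] = ipaddress.IPv4Address(dst)
    if proto != 6:                              # 6 = TCP
        return fields
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    tcp_hdr_len = (off_flags >> 12) * 4
    fields["tcp.srcport"], fields["tcp.dstport"] = sport, dport
    fields["tcp.seq"], fields["tcp.ack"] = seq, ack
    fields["tcp.len"] = len(tcp) - tcp_hdr_len    # payload bytes, as tcp.len reports
    return fields

def ip_addr_in_range(fields: dict, low: str, high: str) -> bool:
    """Filter #1 from the slides: ip.addr matches source OR destination, so
    'ip.addr >= low and ip.addr <= high' is true if either address is in range."""
    lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
    return any(lo <= fields[k] <= hi for k in ("ip.src", "ip.dst") if k in fields)

if __name__ == "__main__":
    decoded = decode_frame(SAMPLE_FRAME)
    for name, value in decoded.items():
        print(f"{name:12} {value}")
    print("in range:", ip_addr_in_range(decoded, "220.67.124.138", "220.67.124.170"))
```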
Filter command example
#2 : MSN messenger (in the case of login)