Packet Analysis - Course Technology Computing Conference

DESCRIPTION

Presenter: Lisa Bock - Pennsylvania College of Technology

Most network administrators are well-versed in hardware, applications, operating systems, and network analysis tools. However, many are not trained in analyzing network traffic. Network administrators should be able to identify normal network traffic in order to determine unusual or suspicious activity. Network packet analysis is important in order to troubleshoot congestion issues, create firewall and intrusion detection system rules, and perform incident and threat detection. This hands-on presentation will review fundamental concepts necessary to analyze network traffic, beginning with an overview of network analysis, then a review of the TCP/IP protocol suite and LAN operations. Participants will examine packet captures, understand the field values of the protocols and what is considered normal behavior, and then examine captures that show exploits, network reconnaissance, and signatures of common network attacks. The program will use Wireshark, a network protocol analyzer for Unix and Windows, to study network packets, look at basic features such as display and capture filters, and examine common protocols such as TCP, HTTP, DNS, and FTP. Time permitting, the presentation will provide suggestions on how to troubleshoot performance problems, conduct a network baseline, and how to follow a TCP or UDP stream and see HTTP artifacts. Participants should have a basic knowledge of computer networking and an interest in the subject.

TRANSCRIPT
Packet Analysis
Lisa Bock
Pennsylvania College of Technology
Topics Covered
• Overview of Packet Analysis
• The OSI Model
• The TCP/IP Protocol Suite
  – Normal Network Communication - TCP and UDP
• Abnormal Communication
  – Scanning
  – Malware
Overview of Packet Analysis
• Packet analysis uses a packet sniffer, network monitor or analyzer to monitor and troubleshoot network traffic.
• As data flows across the network, the sniffer captures each packet and decodes the packet's raw bits
  – Showing the field values in the packet according to the appropriate RFC or other specifications.
• The information can identify bottlenecks and help maintain efficient network data transmission.
Uses for Packet Analysis
• Analyze network problems
• Detect network intrusion attempts and network misuse
• Perform regulatory compliance through content monitoring of perimeter and endpoint traffic
• Monitor bandwidth utilization
• Verify endpoint security status
• Gather and report network statistics
Common Packet Analyzers
• Capsa Network Analyzer
• Cain and Abel
• Carnivore (FBI - monitors all of a target user's Internet traffic)
• dSniff
• ettercap
• Microsoft Network Monitor
• ngrep, Network Grep
• OmniPeek
• Snoop
• Tcpdump
• Wireshark (formerly known as Ethereal)
• Xplico, open source Network Forensic Analysis Tool
Xplico
Packet Capture
• Traffic captured is dependent on the placement of the device.
• On a switch, the packet sniffer will see only data going to and from the switch to the capture device
• Traffic seen will be unicast, broadcast, or multicast.
• To see all traffic, port monitoring or SPAN on a switch is used, or use a full duplex tap in line with traffic
http://wiki.wireshark.org/CaptureSetup/Ethernet
The OSI Model
• In order to understand packet analysis you must understand the way data is prepared for transit.
• The OSI model is a seven-layer representation of how data changes in form as each layer provides services to the next layer
  – Data encapsulates or de-encapsulates
The OSI Model
(Diagram: PDU names by layer - Data, Segment, Packet, Frame, Bits; addressing used at each layer - Port, IP Address, MAC)
Wireshark
• The tool we will use for demonstration is Wireshark, http://www.wireshark.org, formerly Ethereal, an open-source packet analyzer.
• Download and install Wireshark – make sure you install WinPcap (Windows Packet Capture) if you are using Windows
• For a live capture, launch Wireshark and click the name of an interface under Capture Interfaces to start capturing packets on that interface.
Wireshark
Configure advanced features by clicking Options
Select the interface with active packet exchange
The OSI Model
• In Wireshark, select any TCP frame and you will see the frame contents from layers 2-7
(Diagram: Data, Segment, Packet, Frame)
For a review go to http://wiki.wireshark.org/Ethernet
Help in Wireshark
Easily find help in Wireshark, including Sample Captures
Capture Packets
• We will be using pre-captured packets found in your folder and reviewing normal traffic versus abnormal traffic
• Once you open a capture you will see three panes:
  – The Packet List view - a list of all of the packets received during the capture session.
  – The middle window is the Details view.
  – The bottom is the individual Packet Bytes
TCP Example
• Normal traffic
• Three-way handshake: packets 1, 2, 3
• Review port numbers, flags, SEQ/ACK numbers, stream index
• Packets 38-39: FIN packets
• Packet 4 get image: File -> Export Objects
http://www.symantec.com/connect/articles/studying-normal-traffic-part-three-tcp-headers
UDP Example
Provides connectionless Transport Layer service to other applications on the internet without having to go through a handshake or connection process.
It is a simple protocol that does not provide any ordering or data integrity services.
UDP is an unreliable service. Few problems occur with UDP.
What uses UDP?
Commonly used in video streaming and time-sensitive applications.
UDP Applications:
• Domain Name System (DNS)
• Voice over IP (VoIP)
• Trivial File Transfer Protocol (TFTP)
• Dynamic Host Configuration Protocol (DHCP)
• Routing Information Protocol (RIP)
DNS
• Filter UDP and you will see the DNS packets
• Converts symbolic host names such as google.com to an IP address (72.14.204.103)
• Transfers name information between DNS servers
• DNS uses TCP in a zone transfer
• Look up other host names such as mail exchange (MX) records
• DNS is essential to any network
Normal DNS Queries/Responses
• Client sends query to DNS server for an IP address
• Server responds with information it has or asks other DNS servers for the information
• All DNS packets have four (4) sections:
  – Questions
  – Answer Resource Records
  – Authority Resource Records
  – Additional Resource Records
DNS Packet Structure - Flags
If RD is set, it directs the name server to pursue the query recursively.
Fast Flux DNS Evasion
• With Fast Flux, a fully qualified domain name will have multiple IP addresses assigned to it.
• It manipulates the way the domain name system works and takes advantage of the load balancing built into the domain name system.
• A botnet can be created with nodes that join and drop off the network and evade capture.
Fast Flux DNS
• Criminals use a sixty-second time-to-live (TTL) setting for their DNS resource records and swap the records' associated IP addresses in and out with extreme frequency.
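As an added example (not part of the presentation or its trace files), the following Python parses a DNS message the way Wireshark's DNS dissector presents it: the header flags (QR, RD, RA, RCODE), the four section counts, and the answer records, then applies the fast flux heuristic from the slides above (several addresses for one name, all with a TTL of about a minute or less). The message bytes, the name www.example.test and the 192.0.2.x addresses are constructed samples.

```python
import struct

def encode_name(name):
    """Encode a dotted host name as DNS labels (length byte + label, 0 terminator)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(msg, off):
    """Read a name at msg[off], following 0xC0 compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer into an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_dns(msg):
    """Return the header flags (QR, RD, RA, ...), the four section counts, questions and answers."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    header = {"id": tid, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
              "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
              "ra": flags >> 7 & 1, "rcode": flags & 0xF,
              "counts": {"question": qd, "answer": an, "authority": ns, "additional": ar}}
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):            # authority and additional sections use the same RR layout
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                  # A record: render the IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return header, questions, answers

def fast_flux_suspect(answers, max_ttl=60, min_addrs=3):
    """Heuristic from the slides: several A records for one name, all with a very short TTL."""
    a_recs = [r for r in answers if r["type"] == 1]
    return len(a_recs) >= min_addrs and all(r["ttl"] <= max_ttl for r in a_recs)

# Constructed sample messages (not from the presentation's trace files).
def sample_query():
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # QR=0, RD=1
    return header + encode_name("www.example.test") + struct.pack("!HH", 1, 1)

def sample_response():
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 4, 0, 0)   # QR=1, RD=1, RA=1
    question = encode_name("www.example.test") + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, i])
                   for i in range(1, 5))                          # 4 A records, TTL 60 s
    return header + question + rrs
```

The same parser can be pointed at the bytes of a real DNS packet exported from Wireshark (Packet Bytes pane, UDP payload only).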
FTP – Grab a Pic
• Purpose of FTP is to transfer files over TCP
• Uses both ports 20 and 21
  – Command channel is designated on port 21 for the FTP server.
  – To transfer data like directory contents or files, a secondary channel, port 20, is used.
• Filter FTP-data traffic, then follow the TCP stream. Save as .jpg
Reassemble the Streams
• Can reassemble and obtain content if data is not encrypted
• Filter ftp-data traffic
• Right click, Follow TCP Stream, select raw data and click Save As mystery.jpg
• Go to where you saved the file and open it!
Internet Control Message Protocol
• ICMP is used by routers, intermediary devices, or hosts to communicate updates or error information to other routers, intermediary devices, or hosts.
  – Used to troubleshoot network issues
  – Not used to exchange data between systems
• ICMP is used by ping because it can generate echo-request/echo-reply query messages.
A Scout for IP!
Internet Control Message Protocol
• Four types of query messages characterize the output generated by the ping command.
  – Echo request/echo reply: Used to test reachability
  – Time stamp request/time stamp reply: Used to compute delay between time stamps
  – Information request/information reply: Locates address of local IP network
  – Subnet mask request/subnet mask reply: Subnet information is exchanged
ICMP - Dest Unreachable
• RFC 792 – "ICMP is actually an integral part of IP, and must be implemented by every IP module."
ICMP Error Codes
• Type 3 Destination Unreachable Codes
  – 0 - Net Unreachable
  – 1 - Host Unreachable
  – 2 - Protocol Unreachable
• Type 5 Redirect Codes
  – 0 - Redirect Datagram for Network
  – 1 - Redirect Datagram for Host
  – 2 - Redirect Datagram for Type of Service
• Type 11 Time Exceeded Codes
  – 0 - TTL Exceeded
  – 1 - Fragment Reassembly Time Exceeded
• Type 12 Parameter Problem Codes
  – 0 - Pointer Indicates the Error
  – 1 - Missing Required Option
  – 2 - Bad Length
ICMP - Errors
• Frame 5: Destination unreachable (port unreachable), SNMP port 161
• A response with a nested packet
  – We have the IP header used to send the packet to the target
  – When the destination unreachable message returns, it carries back the IP header and 64 bits of the original datagram
• ICMP is used in reconnaissance by Kali Linux
http://it-ebooks.info/book/3000/
BAD Connection
• Diagnose performance problems
  – Use Wireshark's expert system and coloring rules
• High latency can be from:
  – Processing delays
  – Distance
  – Queuing delays (BUFFERBLOAT)
• Buffers fill up and remain full at congested links, contributing to excessive traffic delay and losing the ability to perform their intended function of absorbing bursts.
Identify High Latency Times
• In this trace file you can identify delays
  – First filter on conversations: go to Statistics, then Conversations
  – Select the IPv4 tab, sort by Bytes A->B
  – Right click, Apply as Filter -> Selected A->B
Identify High Latency Times
• Set the Time column to Seconds since Previously Displayed Packet
  – Sort highest to lowest and you will see:
  – Retransmissions, Dup ACKs, Keep-Alives
Expert System
• Using Wireshark's Expert System to help identify problems
  – Clear filter
  – Lower left hand corner: click on the red circle to bring up the expert system
Zero Window
• If the client advertises a zero window, the application is unable to process data quickly enough from the TCP receive buffers. Packet 298
Network Scans
• Nmap is a tool used to discover hosts and services on a network, and create a "map" of the network.
  – It can be used either legitimately or maliciously to quickly scan thousands of ports, and discriminate between ports in open, closed and filtered states.
• By default, Nmap performs a SYN Scan, which works against any TCP stack.
Nmap
• Scanning can be used as a passive attack in the form of reconnaissance.
• After running a scan, the software will output results from the IP range you selected:
  – Ports/Hosts - the results of the port scan, including the well-known services for those ports.
  – Topology - an interactive view of the connections between hosts in a network.
  – Host Details - details such as the number of ports, IP addresses, hostnames, operating systems, and more.
Scan – SYN
• Same source and destination IP address
• Only the SYN flag is set
• The destination port number of each packet changes as it tries every port
http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-two
Scan - ARP
• An arp-scan sends ARP packets to hosts on the local network and displays any responses that are received.
  – ARP packets are not routable
• An advantage of ARP scanning is discovering hosts behind a firewall
Detecting an ARP Scan
• Detecting can be difficult if the scanning software is not scanning at a high speed
• Below find a comparison of a normal capture to an ARP scan – the right shows a higher packet rate
SCAN - Port
• Full Connect Scan
• TCP connect scan is the default TCP scan type when SYN scan is not an option.
• A TCP Reset response indicates the port is closed
SCAN - Port
• In packets 18, 19 and 20 we see an actual connection
• Then it continues to attempt another connection in packet 21
SEC-Bittorrent
• BitTorrent uses a distributed sloppy hash table (DHT) for storing peer contact information for "trackerless" torrents.
• DHT consists of a number of different queries and corresponding responses.
  – Ping – used to check if a peer is available.
  – Find_node – used to find the contact information for a peer.
  – Get_peers – requests a list of peers which have pieces of the content.
  – Announce_peer – announces the contact information for the peer to the network.
Right click on packet 22 and follow UDP Stream
Ettercap
• Ettercap is an open source tool used to perform a man-in-the-middle attack in a switched environment
• Once Ettercap has inserted itself in the middle of a connection, it can capture and examine all communication between the two victims, and launch an attack - such as a DNS spoof
SEC-ettercap-poisoner
• Ettercap also has the ability to actively or passively find other poisoners on the LAN.
• This trace file has the signature of Ettercap's 'Check for Poisoner' function.
  – Go to the IP header -> ID field: the ID field of the ping packets contains the signature 0xe77e, which is 'ette' in Leet speak
  – Systems that answer back with the same IP ID value are most likely running Ettercap as well.
Fragmentation Scanning
• A scanning technique that fragments IP packets during the port scan in an attempt to bypass some firewall devices.
• Instead of just sending the probe packet, it is broken into a couple of small IP fragments.
• Splitting up the TCP header over several packets makes it harder for packet filters and IDS to detect.
  – This method won't work with packet filters and firewalls that queue IP fragments, and can cause some systems to crash
Fragmentation Scanning
• Not an attack tool itself; rather it is a technology that allows other attacks to avoid detection by network intrusion detection systems.
NOTE: Fragmentation of a packet should rarely occur since MTU discovery techniques now exist.
SEC-nmap-fragscan
• This trace file depicts a system sending an IP fragment scan.
• If you examine the IP header, the protocol field indicates that TCP follows.
• Manually decode the TCP header to identify the purpose of the TCP packets.
Configure your devices!
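As an added example (not part of the presentation or its trace files) serving the SYN scan slide, the Ettercap 'Check for Poisoner' slide and the fragmentation scan slides above, the following Python decodes minimal IPv4, TCP and ICMP headers and applies the three indicators those slides describe: one source/destination pair sending SYN-only segments to many different ports, an ICMP echo request whose IP ID is 0xe77e, and a first fragment too short to carry the 20-byte TCP header. The addresses, ports and packets are constructed samples, and the threshold of ten distinct ports is an assumption.

```python
import struct
from collections import defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10
ETTERCAP_IPID = 0xE77E          # IP ID carried by Ettercap's "Check for Poisoner" ping

def ipv4(src, dst, proto, ident, payload_len, mf=False):
    """Minimal 20-byte IPv4 header (checksum left as 0; this is a synthetic sample)."""
    flags_off = 0x2000 if mf else 0        # MF bit set, fragment offset 0
    src_b, dst_b = (bytes(int(x) for x in a.split(".")) for a in (src, dst))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_off, 64, proto, 0, src_b, dst_b)

def tcp(sport, dport, flags):
    """Minimal 20-byte TCP header with the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def icmp_echo(ident, seq=1):
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq)   # type 8 = echo request

def parse_ipv4(pkt):
    """Decode the IPv4 fields the slides point at: protocol, ID, MF flag, fragment offset."""
    ver_ihl, _, _, ident, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "id": ident, "mf": bool(flags_off & 0x2000),
            "frag_off": (flags_off & 0x1FFF) * 8, "payload": pkt[ihl:]}

def detect_syn_scan(packets, min_ports=10):
    """SYN scan: one src/dst pair, SYN-only segments, destination port changing each packet."""
    ports = defaultdict(set)
    for p in map(parse_ipv4, packets):
        if p["proto"] != 6 or p["frag_off"] != 0 or len(p["payload"]) < 20:
            continue
        _, dport, _, _, _, flags = struct.unpack("!HHIIBB", p["payload"][:14])
        if flags == TCP_SYN:                   # SYN alone, not SYN/ACK
            ports[(p["src"], p["dst"])].add(dport)
    return {pair: len(s) for pair, s in ports.items() if len(s) >= min_ports}

def detect_ettercap_probe(packets):
    """Ettercap poisoner check: ICMP echo requests whose IP ID is 0xe77e ('ette')."""
    return {p["src"] for p in map(parse_ipv4, packets)
            if p["proto"] == 1 and p["payload"][:1] == b"\x08" and p["id"] == ETTERCAP_IPID}

def detect_tiny_fragments(packets):
    """Fragment scan: a first fragment too short to hold the TCP header hides ports and flags."""
    return [(p["src"], p["dst"], p["id"]) for p in map(parse_ipv4, packets)
            if p["proto"] == 6 and p["mf"] and p["frag_off"] == 0 and len(p["payload"]) < 20]

# Constructed sample traffic (not one of the presentation's trace files).
SAMPLE = [ipv4("10.0.0.5", "10.0.0.9", 6, 100 + i, 20) + tcp(40000, port, TCP_SYN)
          for i, port in enumerate(range(20, 36))]                     # 16 ports, SYN only
SAMPLE += [ipv4("10.0.0.7", "10.0.0.9", 6, 5, 20) + tcp(51000, 80, TCP_SYN),          # normal
           ipv4("10.0.0.9", "10.0.0.7", 6, 6, 20) + tcp(80, 51000, TCP_SYN | TCP_ACK)]  # handshake
SAMPLE += [ipv4("10.0.0.11", "10.0.0.9", 1, ETTERCAP_IPID, 8) + icmp_echo(1)]
SAMPLE += [ipv4("10.0.0.5", "10.0.0.9", 6, 777, 8, mf=True) + tcp(40000, 22, TCP_SYN)[:8]]

if __name__ == "__main__":
    print("SYN scan:", detect_syn_scan(SAMPLE))
    print("Ettercap probes:", detect_ettercap_probe(SAMPLE))
    print("Tiny first fragments:", detect_tiny_fragments(SAMPLE))
```

The detectors only look at the fields the slides name, so the same logic can be run over raw IPv4 packets exported from a capture.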
SEC-nmap-ipscan
• nmap-ipscan is an IP scan used to determine what services are supported directly on top of the IP header.
  – IRDP, ICMP, EGP.
• Sort the Info column heading to see a list of protocols queried.
More Resources
• For more Packet Captures go to http://www.netresec.com/?page=PcapFiles
• Wireshark Network Analysis, by Laura Chappell, Chappell, paperback, ISBN 978-1-893939-99-8
• Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders, No Starch Press, Incorporated, 2010, ISBN-13: 9781593272661