Packets and Protocols, Chapter Two: Introducing Wireshark

Posted 02-Jan-2016 (uploaded by theresa-lindsey)

What is Wireshark?

– An open source, freeware-licensed protocol analyzer
– Works in promiscuous and non-promiscuous modes
– Can capture data live or read it from a file
– Configurable GUI that is easy to read
– Supports multiple capture file formats for import and export (25 different formats)
– Can capture wired or wireless data
– Supports 750 protocols (we won’t cover them all)
– Runs on over 20 different platforms

Jerry Combs invented Ethereal in 1997 out of the need for an analysis tool

– 1st version released in 1998 and was a huge hit
– Prior to this, Network General’s sniffer tool dominated


Its primary strength is its large support of sniffer file formats and protocols

– There is a ridiculously large list of file formats and supported protocols on pages 55-58


The User interface

Summary Pane:

• Packet number
• Time
• Source Address (SA)
• Destination Address (DA)
• Name of highest level protocol
• Information on highest level protocol

Detail Pane:

• Tree-like structure that details each layer of each packet
• Analyzes the packets within each protocol

Data Pane:

• Contains the raw data
• Data displayed in hex and in text


Analysis filters

– The recommended technique is to capture with no filters and then filter the capture file
– There are many ways to filter this data, either during the capture or during the display


Internet Protocol (IP) fields

Field Name                    Name                                  Type
ip.addr                       Source or Destination Address         IPv4 address
ip.checksum                   Header checksum                       Unsigned 16-bit integer
ip.checksum_bad               Bad Header checksum                   Boolean
ip.dsfield                    Differentiated Services field         Unsigned 8-bit integer
ip.dsfield.ce                 Explicit Congestion Notification      Unsigned 8-bit integer
ip.dsfield.dscp               Differentiated Services Codepoint     Unsigned 8-bit integer
ip.dst                        Destination                           IPv4 address
ip.flags                      Flags                                 Unsigned 8-bit integer
ip.flags.df                   Don’t fragment                        Boolean
ip.flags.mf                   More fragments                        Boolean
ip.frag_offset                Fragment offset                       Unsigned 16-bit integer
ip.fragment                   IP Fragment                           Frame number
ip.fragment.error             Defragmentation error                 Frame number
ip.fragment.multipletails     Multiple tail fragments found         Boolean
ip.fragment.overlap           Fragment overlap                      Boolean
ip.fragment.toolongfragment   Fragment too long                     Boolean
ip.fragments                  IP fragments                          No value
ip.hdr_len                    Header length                         Unsigned 8-bit integer
ip.id                         Identification                        Unsigned 16-bit integer
ip.len                        Total length                          Unsigned 16-bit integer
ip.proto                      Protocol                              Unsigned 8-bit integer
ip.reassembled_in             Reassembled IP in frame               Frame number
ip.src                        Source                                IPv4 address
ip.tos                        Type of service                       Unsigned 8-bit integer
ip.tos.cost                   Cost                                  Boolean
ip.tos.delay                  Delay                                 Boolean
ip.tos.precedence             Precedence                            Unsigned 8-bit integer
ip.tos.reliability            Reliability                           Boolean
ip.tos.throughput             Throughput                            Boolean
ip.ttl                        Time-to-live                          Unsigned 8-bit integer
ip.version                    Version                               Unsigned 8-bit integer


Filter modifiers

Modifier                   Designator   Symbol
Equal                      EQ           ==
Not Equal                  NE           !=
Greater Than               GT           >
Less Than                  LT           <
Greater than or Equal to   GE           >=
Less than or Equal To      LE           <=
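The two tables above are easier to internalise once you have decoded a header yourself. The following is an added example, not code from the slides or from the Wireshark project: it unpacks a raw IPv4 header into the ip.* field names from the table (including a recomputed checksum to populate ip.checksum_bad) and then evaluates one-term display-filter expressions such as "ip.ttl <= 64" with the six comparison modifiers. The sample packet is constructed in the code; the build_ipv4_header, parse_ipv4 and match helpers are this example's own names.

```python
"""Added example (not from the slides): parse an IPv4 header into the
Wireshark-style ip.* field names listed above and evaluate one-term
display-filter expressions using the six comparison modifiers."""
import ipaddress
import operator
import struct

# Comparison modifiers from the "Filter modifiers" table: symbol -> function.
MODIFIERS = {
    "==": operator.eq, "!=": operator.ne,
    ">": operator.gt, "<": operator.lt,
    ">=": operator.ge, "<=": operator.le,
}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of the header; the checksum field itself
    must already be zeroed in 'header'."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, *, ttl=64, proto=6, ident=0x1C46,
                      df=True, payload_len=20) -> bytes:
    """Build a 20-byte IPv4 header with a valid checksum (constructed data)."""
    flags_frag = 0x4000 if df else 0
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    return head[:10] + struct.pack("!H", ipv4_checksum(head)) + head[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Decode the header into a dict keyed by the ip.* names used by Wireshark."""
    (vihl, dsfield, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hdr_len = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or hdr_len < 20 or len(packet) < hdr_len:
        raise ValueError("not a complete IPv4 header")
    header = packet[:hdr_len]
    zeroed = header[:10] + b"\x00\x00" + header[12:]   # recompute over zeroed checksum
    fields = {
        "ip.version": version,
        "ip.hdr_len": hdr_len,
        "ip.dsfield": dsfield,
        "ip.dsfield.dscp": dsfield >> 2,
        "ip.dsfield.ce": dsfield & 0x03,          # low two bits carry ECN
        "ip.len": total_len,
        "ip.id": ident,
        "ip.flags": flags_frag >> 13,
        "ip.flags.df": bool(flags_frag & 0x4000),
        "ip.flags.mf": bool(flags_frag & 0x2000),
        "ip.frag_offset": (flags_frag & 0x1FFF) * 8,  # Wireshark shows it in bytes
        "ip.ttl": ttl,
        "ip.proto": proto,
        "ip.checksum": csum,
        "ip.checksum_bad": ipv4_checksum(zeroed) != csum,
        "ip.src": str(ipaddress.IPv4Address(src)),
        "ip.dst": str(ipaddress.IPv4Address(dst)),
    }
    fields["ip.addr"] = {fields["ip.src"], fields["ip.dst"]}  # either address
    return fields


def match(fields: dict, expr: str) -> bool:
    """Evaluate a single '<field> <modifier> <value>' display-filter term."""
    name, symbol, literal = expr.split()
    value = fields[name]                        # KeyError for unknown fields
    if isinstance(value, set):                  # ip.addr: either endpoint
        if symbol not in ("==", "!="):
            raise ValueError("ip.addr only supports == and !=")
        return (literal in value) == (symbol == "==")
    if isinstance(value, bool):
        wanted = literal.lower() in ("1", "true")
    elif isinstance(value, int):
        wanted = int(literal, 0)
    else:
        wanted = literal
    return MODIFIERS[symbol](value, wanted)


# Constructed sample: a TCP packet header and a copy whose TTL was altered
# after the checksum was computed, so ip.checksum_bad should flag it.
SAMPLE = build_ipv4_header("192.168.1.10", "10.0.0.5")
CORRUPTED = SAMPLE[:8] + bytes([SAMPLE[8] - 1]) + SAMPLE[9:]

if __name__ == "__main__":
    f = parse_ipv4(SAMPLE)
    for expr in ("ip.ttl <= 64", "ip.proto == 6", "ip.flags.df == 1",
                 "ip.addr == 10.0.0.5", "ip.len > 1500"):
        print(f"{expr:22s} -> {match(f, expr)}")
    print("corrupted copy flagged:", parse_ipv4(CORRUPTED)["ip.checksum_bad"])
```

Note that ip.addr matches either endpoint, which is why "ip.addr != 10.0.0.5" is not the complement of "ip.addr == 10.0.0.5" when only one side carries that address; the example mirrors that by testing set membership rather than a single value.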


Supporting Programs

– TShark: a command line version of Wireshark
– Editcap: used to remove packets from a file, and to translate the format of capture files
– Mergecap: merges capture files together
– Text2pcap: reads text and converts it to a capture file
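To show what Editcap and Mergecap actually do to a capture file, here is an added example that is not part of the slides or of the Wireshark project: a minimal libpcap writer and reader, a Mergecap-style merge that interleaves records from several files in timestamp order, and an Editcap-style removal of a numbered packet range. The captures are constructed in memory with dummy frame payloads, and the function names (write_pcap, read_pcap, merge_pcaps, remove_packets) are this example's own.

```python
"""Added example (not part of the slides or the Wireshark project): a minimal
libpcap file writer and reader, a mergecap-style merge in timestamp order,
and an editcap-style packet removal, all on in-memory byte strings."""
import struct

PCAP_MAGIC = 0xA1B2C3D4       # microsecond-resolution pcap magic
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def write_pcap(packets, snaplen=65535) -> bytes:
    """packets: iterable of (ts_sec, ts_usec, frame bytes). Returns file contents."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, data in packets:
        # incl_len == orig_len because nothing here is truncated by a snaplen
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data))
        out += data
    return bytes(out)


def read_pcap(blob: bytes) -> list:
    """Parse a pcap byte string into [(ts_sec, ts_usec, frame bytes)]."""
    if len(blob) < GLOBAL_HEADER_LEN:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"                  # written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"                  # written big-endian (byte-swapped magic)
    else:
        raise ValueError("not a pcap file: bad magic 0x%08x" % magic)
    packets, pos = [], GLOBAL_HEADER_LEN
    while pos + RECORD_HEADER_LEN <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", blob[pos:pos + RECORD_HEADER_LEN])
        pos += RECORD_HEADER_LEN
        if pos + incl_len > len(blob):
            raise ValueError("truncated packet record (capture cut short)")
        packets.append((ts_sec, ts_usec, blob[pos:pos + incl_len]))
        pos += incl_len
    if pos != len(blob):
        raise ValueError("trailing bytes after last record")
    return packets


def merge_pcaps(*blobs) -> bytes:
    """mergecap-style: interleave every record from all inputs in timestamp order."""
    merged = [pkt for blob in blobs for pkt in read_pcap(blob)]
    merged.sort(key=lambda p: (p[0], p[1]))     # stable: equal stamps keep input order
    return write_pcap(merged)


def remove_packets(blob: bytes, first: int, last: int) -> bytes:
    """editcap-style: drop packets numbered first..last (1-based, as Wireshark numbers them)."""
    kept = [p for i, p in enumerate(read_pcap(blob), start=1) if not first <= i <= last]
    return write_pcap(kept)


def packet_order(blob: bytes) -> list:
    """Frame payloads in file order, handy for checking a merge."""
    return [data for _, _, data in read_pcap(blob)]


# Constructed captures with dummy frame payloads (not real traffic).
CAP_A = write_pcap([(100, 0, b"A1"), (100, 500000, b"A2"), (102, 0, b"A3")])
CAP_B = write_pcap([(100, 250000, b"B1"), (101, 0, b"B2")])

if __name__ == "__main__":
    merged = merge_pcaps(CAP_A, CAP_B)
    print("merged order:", packet_order(merged))
    print("after removing packets 2-3:", packet_order(remove_packets(merged, 2, 3)))
```

The reader rejects a file whose last record is cut short rather than silently returning the partial frame; a capture that stopped mid-write is a common reason a merge produces fewer packets than expected.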

Placement of the sniffer is critical

Remote sniffer options

– Sniffer PC running Windows, reached over RDP

General network troubleshooting

1. Recognize the symptoms
2. Define the problem
3. Analyze the problem
4. Isolate the problem
5. Identify and test the cause of the problem
6. Solve the problem
7. Verify that the problem has been solved

1. Recognize the symptoms
• Very few problems are found by the administrators
• Was a change made recently?
• What is happening right now that is different?

2. Define the problem
• It sounds obvious, but you must know what the problem is before you solve it.
• Single user? Multiple users?
• LAN or WAN (or both)?
• Single/multiple applications affected?

3. Analyze the problem
• Gather data
• What does work? For whom does it work? Why is it working? How does it differ?

4. Isolate the problem
• Isolation may be necessary so that the problem will not spread.
• Can you disconnect a server, a link, a firewall?

5. Identify and test the cause of the problem
• Can the test be done “live”?
• Can the test be done in a lab setting?
• It is important not to make the problem worse.

6. Solve the problem
• Decide when the problem can be solved: immediately? Is a change window needed?
• Who will need to be involved? What teams? Management? SMEs?

7. Verify that the problem has been solved
• Test the solution
• Monitor the solution to be sure it stays fixed
• Document the problem!


You must also wear many hats!


The blame-game

– “System administrators are notorious for asking if there is something wrong with the network, and network administrators are notorious for saying the problem is within the system”
– It is not enough to prove the network isn’t the problem; you often have to fix the problem no matter what it is or where it is.


When troubleshooting, start from layer one and work up the protocol stack

– How many are affected?
– Did this work before? If so, what changed?
– Do you have network connectivity?
– Can you see the MAC address in the switch?
– Can you ping the device?
– Is TCP functioning? Is UDP functioning?


Scenario 1: SYN, no SYN+ACK

If your Wireshark capture shows that the client is sending a SYN packet, but no response is received from the server, the server is not processing the packet. It could be that a firewall between the two hosts is blocking the packet or that the server itself has a firewall running on it.

Scenario 2: SYN, immediate RST response

If your Wireshark capture shows that the server is responding with the reset (RST) flag, the destination server is receiving the packet but there is no application bound to that port. Make sure that your application is bound to the correct port on the correct IP address.

Scenario 3: SYN, SYN+ACK, ACK, connection closed

If your Wireshark capture shows that the TCP connection is established and that it immediately closes, the destination server may be rejecting the client’s IP address due to security restrictions. On UNIX systems, check the tcpwrappers files at /etc/hosts.allow and /etc/hosts.deny and verify that you haven’t inadvertently blocked communication.
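The three scenarios are a decision procedure over the flag sequence you read off the summary pane, so they can be automated. This is an added example, not code from the slides: it takes rows of (source, destination, Info) as the summary pane shows them, extracts the TCP flags and payload length from the Info text, and returns which scenario the exchange matches. The rows are constructed, with ASCII ">" standing in for the arrow Wireshark prints, and summary_to_packets / diagnose_handshake are this example's own names.

```python
"""Added example (not from the slides): turn rows from the Wireshark summary
pane (source, destination, Info column) into a flag sequence and classify the
exchange into the three TCP scenarios described above."""
import re

FLAGS_RE = re.compile(r"\[([A-Z, ]+)\]")     # e.g. "[SYN, ACK]" in the Info column
LEN_RE = re.compile(r"Len=(\d+)")


def summary_to_packets(rows):
    """rows: (source, destination, info). The first row's source is the client.
    Returns (direction, flag set, payload length) per row."""
    client = rows[0][0]
    packets = []
    for src, _dst, info in rows:
        m = FLAGS_RE.search(info)
        flags = {f.strip() for f in m.group(1).split(",")} if m else set()
        n = LEN_RE.search(info)
        packets.append(("C>S" if src == client else "S>C", flags,
                        int(n.group(1)) if n else 0))
    return packets


def diagnose_handshake(packets):
    """Return a one-line diagnosis for a (direction, flags, payload_len) sequence."""
    if not packets or packets[0][0] != "C>S" or "SYN" not in packets[0][1]:
        return "No client SYN seen: this is not a connection attempt"
    if all(d == "C>S" for d, _, _ in packets):       # only SYNs / retransmissions
        return ("Scenario 1: SYN with no SYN+ACK. The server never answered; "
                "check for a firewall between the hosts or on the server itself")
    first_reply = next(p for p in packets if p[0] == "S>C")
    if "RST" in first_reply[1]:
        return ("Scenario 2: SYN answered with RST. The host is reachable but "
                "nothing is bound to that port; check the listener's IP and port")
    if not {"SYN", "ACK"} <= first_reply[1]:
        return f"Unexpected first server reply {sorted(first_reply[1])}"
    after = packets[packets.index(first_reply) + 1:]
    if not after or after[0][0] != "C>S" or "ACK" not in after[0][1]:
        return "Handshake incomplete: the client never sent the final ACK"
    rest = after[1:]
    data_sent = any(n > 0 for _, _, n in rest)
    closed = any(f & {"FIN", "RST"} for _, f, _ in rest)
    if closed and not data_sent:
        return ("Scenario 3: handshake completed, then closed immediately with no "
                "data. The server accepted the connection and then rejected the "
                "client; on UNIX check /etc/hosts.allow and /etc/hosts.deny")
    if data_sent:
        return "Connection established and carrying data: TCP is fine, look higher up the stack"
    return "Connection established, no data exchanged yet"


def diagnose_rows(rows):
    """Convenience wrapper: summary-pane rows straight to a diagnosis."""
    return diagnose_handshake(summary_to_packets(rows))


# Constructed summary-pane rows (not a real capture); client 10.1.1.50, server 10.1.1.80.
SCENARIO_1 = [("10.1.1.50", "10.1.1.80", "51234 > 443 [SYN] Seq=0 Win=64240 Len=0")] * 3
SCENARIO_2 = [("10.1.1.50", "10.1.1.80", "51235 > 8080 [SYN] Seq=0 Win=64240 Len=0"),
              ("10.1.1.80", "10.1.1.50", "8080 > 51235 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0")]
SCENARIO_3 = [("10.1.1.50", "10.1.1.80", "51236 > 22 [SYN] Seq=0 Win=64240 Len=0"),
              ("10.1.1.80", "10.1.1.50", "22 > 51236 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0"),
              ("10.1.1.50", "10.1.1.80", "51236 > 22 [ACK] Seq=1 Ack=1 Win=64256 Len=0"),
              ("10.1.1.80", "10.1.1.50", "22 > 51236 [FIN, ACK] Seq=1 Ack=1 Win=65160 Len=0"),
              ("10.1.1.50", "10.1.1.80", "51236 > 22 [FIN, ACK] Seq=1 Ack=2 Win=64256 Len=0")]
HEALTHY = SCENARIO_3[:3] + [("10.1.1.50", "10.1.1.80",
                             "51236 > 22 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=41")]

if __name__ == "__main__":
    for name, rows in [("1", SCENARIO_1), ("2", SCENARIO_2), ("3", SCENARIO_3), ("ok", HEALTHY)]:
        print(name, "->", diagnose_rows(rows))
```

Scenario 1 is recognised by the absence of any server-to-client row, which also covers the usual pattern of several SYN retransmissions; scenario 3 requires that the close arrives before any row carries payload, since a FIN after data is a normal teardown rather than a rejection.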


Using Wireshark for security administration

– Wireshark has the ability to re-assemble packets, which allows you to piece together the conversation
• Detecting unauthorized web access
• Detecting internet chat activity
• Detecting on-line gaming


Wireshark as a Network Intrusion Detection System

– Unauthorized connections
– Unauthorized sweeps
– Redirections to other ports/IPs
– RDP usage from outside
• Mikogo, PC Anywhere, etc.


Optimizing your protocol analyzer

– Have a fast enough PC: CPU, memory, disk space
– Match the NIC speed/duplex with the source of the traffic being gathered
– Strip the extras down; failure to do so may result in lost data
– Don’t update the list of packets in real time
– No name resolution
– Dump first using tcpdump/WinDump or TShark, then load into Wireshark


Advanced sniffing: Wireshark alternatives

– dsniff: used to dissect IDs/passwords from protocols including:
• America Online (AOL) Instant Messenger (IM)
• Citrix Winframe
• CVS
• File Transfer Protocol (FTP)
• HTTP
• I Seek You (ICQ)
• IMAP
• IRC
• Lightweight Directory Access Protocol (LDAP)
• Remote Procedure Call (RPC) mount requests
• Napster
• Network News Transfer Protocol (NNTP)
• Oracle SQL*Net
• ...and others


Dsniff uses many techniques to gather password data

– arpspoof: makes other devices think that your device is the default gateway
– dnsspoof: redirects responses to DNS servers
– mailsnarf: homes in on mail passwords
– webspy: allows you to eavesdrop on web sessions
– urlsnarf: saves all URLs crossing the wire


Other attacks

– MITM: can defeat SSH/HTTPS
– Cracking: dictionary hacks, brute force
– ARP spoofing: substitute your MAC for the default gateway (DG) MAC and you become the DG
– MAC flooding: overloads switches so they act like hubs
– Routing hacks: send false routes (i.e. default route)


Protecting your network from sniffers

– Use switches, not hubs
– Shut down unused ports
– Do not allow more than one MAC per port
– Turn on port security (labor intensive)
– Physical security
– SSH: secure TELNET replacement
– SSL/HTTPS: secure replacement for HTTP; can be used as a VPN conduit
– PGP: works with S/MIME to secure e-mail


Sniffer detection

– IPCONFIG/IFCONFIG: see if the NIC is running in promiscuous mode
– DNS lookups: since sniffers can resolve DNS addresses, see who is doing most of your DNS lookups
– Latency: a consistently slow PC could be slow because it is running sniffer software
– Bugs: sometimes sniffers display unique attributes
– NetMon: NetMon can detect other NetMon applications
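The first two detection methods above can be scripted. The following is an added example, not code from the slides: it decodes the interface flags word that Linux exposes in /sys/class/net/<iface>/flags (and the flag list printed by `ip -o link show`) to report interfaces in promiscuous mode, and it ranks the clients in a DNS query log by query volume, counting PTR lookups separately because a sniffer doing name resolution issues a reverse lookup for every address it sees. The sysfs values, `ip link` text and BIND-style log lines are all constructed, and the function names are this example's own.

```python
"""Added example (not from the slides): two of the sniffer-detection checks
above as code. (1) decode the interface flags word that Linux exposes in
/sys/class/net/<iface>/flags, or the flag list printed by `ip -o link show`,
to see whether the NIC is in promiscuous mode; (2) rank the hosts making the
most DNS queries from a constructed, BIND-style query log, counting PTR
(reverse) lookups separately."""
import re
from collections import Counter

IFF_PROMISC = 0x100      # Linux net_device flag bit (linux/if.h)


def is_promiscuous(flags_word) -> bool:
    """flags_word: int, or the hex string read from /sys/class/net/<iface>/flags."""
    value = int(flags_word, 16) if isinstance(flags_word, str) else flags_word
    return bool(value & IFF_PROMISC)


def promisc_from_sysfs(flags_by_iface: dict) -> list:
    """{iface: flags string} -> sorted interfaces with IFF_PROMISC set."""
    return sorted(i for i, f in flags_by_iface.items() if is_promiscuous(f))


LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)[^:]*:\s+<([^>]*)>")


def promisc_from_ip_link(output: str) -> list:
    """Parse `ip -o link show` lines and return interfaces whose flag list has PROMISC."""
    found = []
    for line in output.splitlines():
        m = LINK_RE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


QUERY_RE = re.compile(r"client (?:@\S+ )?(?P<src>\d+\.\d+\.\d+\.\d+)#\d+"
                      r".*?query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)")


def dns_top_talkers(log_text: str, top: int = 3) -> list:
    """[(client, total queries, PTR queries)] sorted by total, descending."""
    totals, ptrs = Counter(), Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        totals[m["src"]] += 1
        if m["qtype"] == "PTR":
            ptrs[m["src"]] += 1
    return [(c, n, ptrs[c]) for c, n in totals.most_common(top)]


# Constructed samples (no real hosts): eth0 is promiscuous, eth1 is not.
SYSFS_FLAGS = {"eth0": "0x1103", "eth1": "0x1003", "lo": "0x9"}
IP_LINK = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP"""
DNS_LOG = "\n".join([
    "client 10.0.0.7#41002 (5.0.0.10.in-addr.arpa): query: 5.0.0.10.in-addr.arpa IN PTR + (10.0.0.53)",
    "client 10.0.0.7#41003 (9.0.0.10.in-addr.arpa): query: 9.0.0.10.in-addr.arpa IN PTR + (10.0.0.53)",
    "client 10.0.0.20#52000 (intranet.example): query: intranet.example IN A + (10.0.0.53)",
    "client 10.0.0.7#41004 (20.0.0.10.in-addr.arpa): query: 20.0.0.10.in-addr.arpa IN PTR + (10.0.0.53)",
    "client 10.0.0.21#52100 (mail.example): query: mail.example IN A + (10.0.0.53)",
    "client 10.0.0.7#41005 (21.0.0.10.in-addr.arpa): query: 21.0.0.10.in-addr.arpa IN PTR + (10.0.0.53)",
    "client 10.0.0.20#52001 (files.example): query: files.example IN A + (10.0.0.53)",
    "client 10.0.0.7#41006 (53.0.0.10.in-addr.arpa): query: 53.0.0.10.in-addr.arpa IN PTR + (10.0.0.53)",
])

if __name__ == "__main__":
    print("promiscuous (sysfs):", promisc_from_sysfs(SYSFS_FLAGS))
    print("promiscuous (ip link):", promisc_from_ip_link(IP_LINK))
    for client, total, ptr in dns_top_talkers(DNS_LOG):
        print(f"{client:12s} {total:3d} queries, {ptr:3d} PTR")
```

A host at the top of the list whose queries are almost entirely PTR records for addresses on your own subnets is the signature the slide is hinting at; a high total made up of ordinary A and AAAA lookups is more likely a busy workstation or a resolver.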
