Upload
doananh
View
236
Download
13
Embed Size (px)
Citation preview
DKT 224/3
DATA COMMUNICATION & NETWORK
LAB 2
NETWORK PROTOCOL ANALYZER –
SNIFFING AND IDENTIFY
PROTOCOL USED IN LIVE NETWORK
Lab #2
Lab #2 : Network Protocol Analyzer (Sniffing and Identify Protocol used in Live Network)
Objectives
Learn some basics of Ethernet
Sniffing packet and identify various packet types and protocol
Report Writing
Background
1. Getting Started
One’s understanding of network protocols can often be greatly deepened by “seeing protocols in
action” and by “playing around with protocols” – observing the sequence of messages exchanged
between two protocol entities, delving down into the details of protocol operation, and causing
protocols to perform certain actions and then observing these actions and their consequences. This
can be done in simulated scenarios or in a “real” network environment such as the Internet.
In these WIRESHARK labs, we’ll take the latter approach. You’ll be running various network
applications in different scenarios using a computer on your desk, at home, or in a lab. You’ll observe
the network protocols in your computer “in action,” interacting and exchanging messages with
protocol entities executing elsewhere in the Internet. Thus, you and your computer will be an integral
part of these “live” labs. You’ll observe, and you’ll learn, by doing.
The basic tool for observing the messages exchanged between executing protocol entities is called a
packet sniffer. As the name suggests, a packet sniffer captures (“sniffs”) messages being
sent/received from/by your computer. It will also typically store and/or display the contents of the
various protocol fields in these captured messages. A packet sniffer itself is passive. It observes
messages being sent and received by applications and protocols running on your computer, but never
sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer.
Instead, a packet sniffer receives a copy of packets that are sent/received from/by application and
protocols executing on your machine.
Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in this case,
Internet protocols) and applications (such as a web browser or ftp client) that normally run on your
computer. The packet sniffer, shown within the dashed rectangle in Figure 1 is an addition to the
usual software in your computer, and consists of two parts. The packet capture library receives a copy
of every link-layer frame that is sent from or received by your computer.
2
Lab #2
Messages exchanged by higher layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP all are
eventually encapsulated in link-layer frames that are transmitted over physical media such as an
Ethernet cable. In Figure 1, the assumed physical media is an Ethernet, and so all upper layer
protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames thus
gives you all messages sent/received from/by all protocols and applications executing in your
computer.
The second component of a packet sniffer is the packet analyzer, which displays the contents of all
fields within a protocol message. In order to do so, the packet analyzer must “understand” the
structure of all messages exchanged by protocols. For example, suppose we are interested in
displaying the various fields in messages exchanged by the HTTP protocol in Figure 1. The packet
analyzer understands the format of Ethernet frames, and so can identify the IP datagram within an
Ethernet frame. It also understands the IP datagram format, so that it can extract the TCP segment
within the IP datagram. Finally, it understands the TCP segment structure, so it can extract the HTTP
message contained in the TCP segment. Finally, it understands the HTTP protocol and so, for
example, knows that the first bytes of an HTTP message will contain the string “GET,” “POST,” or
“HEAD,”.
3
Lab #2
We will be using the Wireshark packet sniffer [http://www.wireshark.com] for these labs, allowing us
to display the contents of messages being sent/received from/by protocols at different levels of the
protocol stack. (Technically speaking, Wireshark (Ethereal) is a packet analyzer that uses a packet
capture library in your computer).
2. What is Wireshark (Ethereal)?
Wireshark, formerly known as Ethereal, is one of the most powerful tools in a network security analyst's toolkit. As a network packet analyzer, Wireshark can peer inside the network and examine the details of traffic at a variety of levels, ranging from connection-level information to the bits comprising a single packet. This flexibility and depth of inspection allows the valuable tool to analyze security events and troubleshoot network security device issues. It's also priced right: it's free!Wireshark (Ethereal) is a network packet analyzer or packet sniffer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark (Ethereal), all that has changed. Wireshark (Ethereal) is perhaps one of the best open source packet analyzers available today.
i. Some intended purposes
Here are some examples people use Wireshark (Ethereal) for:
network administrators use it to troubleshoot network problems
network security engineers use it to examine security problems
developers use it to debug protocol implementations
people use it to learn network protocol internals
ii. Features
• Live capture from many different network media
Despite its name, Ethereal can capture traffic from network media other than Ethernet. Which media
types are supported, depends on many things like the operating system you are using.
• Many protocol decoders
There are protocol decoders (or dissectors, as they are known in Ethereal) for a great many protocols.
A comprehensive list of all protocols and protocol fields can be found at
ttp://www.wireshark.com/docs/dfref/
• Open Source Software
Wireshark (Ethereal) is an open source software project, and is released under the GNU General
Public Licence (GPL). You can freely use Ethereal on any number of computers you like, without
worrying about license keys or fees or such. In addition, all source code is freely available under the
4
Lab #2
GPL. Because of that, it is very easy for people to add new protocols to Ethereal, either as plugins, or
built into the source, and they often do!
iii. What Wireshark is not
Just as with any tool, Wireshark can be used for some things and not others. Here is a list of some of
the things Wireshark cannot do:
1. It cannot be used to map out a network. Take a look at the NMAP tool for that functionality.
2. It does not generate network data – it is a passive tool. Tools like NMAP, ping, and traceroute
are examples of tools that generate network data. These tools are active.
3. It can only show detailed information about protocols it actually understands. The good news
is that it understands a great many protocols. It is also extensible, so you can add protocol
support for ones it doesn’t understand. Otherwise you will only be able to see a hexdump of
data it has captured.
4. It can only capture data as well as the OS\Interface\Interface driver supports. An example of
this is capturing data over wireless networks. This does not work well (or at all) for some
software and hardware combinations.
Practical work
Before you start wireshark you must log in as root. Ask the technician for root password. You
can start Wireshark by giving the command wireshark on the command line. This opens a
window, which is a GUI interface to wireshark's packet capture utility as shown in figure 2.
(You'll want to make this window bigger.)
5
Lab #2
Figure 2 : Wireshark window
To start scanning, choose Interfaces from the Capture menu. You'll see a pop-up window
similar to the one below:
6
Lab #2
Figure 3: Capture action window
If you'd like to configure advanced options -- like capturing a file, resolving MAC addresses and DNS names, or limiting the time or size of the capture -- click the Options button corresponding to the interface you wish to configure. Many of these options can help to improve the performance of Wireshark. For example, you can adjust settings to avoid name-resolution issues, as they will otherwise slow down your capture system and generate large numbers of name queries. Time and size limits can also place limitations on unattended captures. Otherwise, simply click the Start button next to the name of the interface on which you wish to capture traffic. The Wireshark screen will immediately begin filling up with traffic seen on the network interface, as shown below:
7
Lab #2
Figure 4: Capture data window
Interpreting the results
Each line in the top pane of the Wireshark window corresponds to a single packet seen on the
network. The default display shows the time of the packet (relative to the initiation of the
capture), the source and destination IP addresses, the protocol used and some information
about the packet. You can drill down and obtain more information by clicking on a row. This
causes the bottom two window panes to fill with information.
The middle pane contains drill-down details on the packet selected in the top frame. The "+"
icons reveal varying levels of detail about each layer of information contained within the
packet. In the example above, I've selected a DNS response packet. I've expanded the DNS
response (application layer) section of the packet to show that the original was requesting a
DNS resolution for www.cnn.com, and this response is informing us that the available IP
8
Lab #2
addresses include 64.236.91.21. The bottom window pane shows the contents of the packet
in both hexadecimal and ASCII representations.
Color is your friend when analyzing packets with Wireshark. Notice in the example above
that each row is color-coded. The darker blue rows correspond to DNS traffic, the lighter
blue rows are UDP SNMP traffic, and the green rows signify HTTP traffic. Wireshark
includes a complex color-coding scheme (which you can customize). The default settings
appear below:
Figure 5: Capture data window
That sums up the basics of using Wireshark to capture and analyze network traffic. The best way to
become an expert quickly is to get your hands dirty and start capturing network traffic. There's no
doubt you'll find that it can be a helpful tool for everything from configuring firewall rules to spotting
an intrusion. Remember, however, that you must always have permission from the network owner
before capturing traffic on any network.
9
Lab #2
Exercise 1:
Click on one of the HTTP packets and examine it in detail in the middle section of the Wireshark
window. You can confirm that the structure of the packet is HTTP data wrapped in a TCP segment,
which is wrapped in an IP datagram, which is wrapped in an Ethernet frame. If you click one of the
little triangles in front of the word "Ethernet", your view of the Ethernet header will be expanded to
show the content of the header. Similarly for the "Internet Protocol," "Transmission Control
Protocol," and "Hypertext Transfer Protocol" lines. If you click on any of the lines in the middle
section of the window, the corresponding data in the display in the bottom third of the window will be
highlighted. Based on all this, answer the following questions:
Question 1: What does an Ethernet address look like, and what is the Ethernet address of your
computer?
Question 2: How many bytes are there in an Ethernet header?
Question 3: What is the IP address of the server computer? How did you find this out by looking at
info in the packet?
Question 4: The HTTP server communicates on port 80. What port number on your computer was
used for the communication? How did you find this out?
Exercise 2:
Now, enter "not ip" as the display filter. This lets you see non-IP packets. What protocols do you see?
Describe some of the things that you can discover or guess about these protocols, just from
information available in the Wireshark window.
Exercise 3:
Close all internet browsers. Restart packet capturing. Open your terminal window. Ping the computer
next to you using this command: $ ping xx.xxx.x.xxx
Open your internet browser and go to http://www.wireshark.com/. Click on introduction option. Stop
the capture session. Trace back all of the activities that you have done starting from you ping the
computer next to you until you stop the capture session. Copy all of the activities that you have traced
and paste it in notepad. Print the result and attach it with your report.
10
Lab #2
Reference:
i. Ethereal User's Guide V2.00 for Ethereal 0.10.5 Richard Sharpe, NS
Computer Software and Services P/L Ed Warnicke, Ulf Lamping,
ii. http://www.wireshark.com/
11
Lab #2
Appendix
Wireshark Interface
The Wireshark interface is fairly simple considering what it can do.
1. Title bar – this will contain different information depending on what Wireshark is doing. If it is capturing network data, it will show the interface that is in use. If it is displaying data from a previous capture, the name of the file containing the captured data will be shown (untitled is shown if a capture was performed, stopped and not saved). Otherwise it will show the application name: Wireshark Network Protocol Analyzer
2. Menu bar – Menu bar providing access to application features a. File – Functions for working with captured data such as saving and exporting
to different file formatsb. Edit – Functions for finding packets, setting the time reference, and setting
preferences c. View - Functions for modifying how Wireshark displays information such as
which windows are open d. Go – Functions for navigating to specific packets e. Capture – Functions for starting and stopping captures, saving filters and
working with network interfaces f. Analyze – Functions for interpreting and filtering captured data g. Statistics – Functions to statistically analyze captured data h. Help – access to product help
3. Main tool bar – Shortcuts to frequently used functions in the menu bar 4. Filter tool bar – Quick access to filter functions 5. Packet list pane – Displays all the packets in the current capture file. 6. Packet details pane – Shows a more detailed view of the packet currently selected in
the Packet List pane 7. Packet bytes pane – A hexdump view of the packet currently selected in the Packet
List pane 8. Status bar – Provides informational messages and feedback to the user
Sample Wireshark Capture
In this example, I will start a Wireshark capture on my wired laptop interface. I will then launch Thunderbird to retrieve email from Comcast and GMail
1. First launch Wireshark.
12
Lab #2
2. Then select Capture->Interfaces from the menu bar.
3. This will bring up the Interfaces dialog box. Select the interface you want to use.
This is important since Wireshark (as with any protocol analyzer) can only capture data from a network it is physically connected to. I will be using the wired Ethernet adapter in my laptop so I will choose the Intel adapter in the list. Click the ‘Start’ button. Capturing will now begin. After a short while, you will see the main Wireshark window (the packet list, detail and byte panes) fill with data.
4. Now I will launch Thunderbird and login to both my GMail and Comcast mail
accounts. At this point I will wait for all my mail to download and then I will stop the network capture by selecting Capture->Stop from the menu bar. Click File and Save to save this capture to disk after all data is captured.
5. I have just captured two complete pop3 sessions with Wireshark. To single out the
pop session information I will apply a filter. In the filter bar enter the following text and press the ‘apply’ button: tcp.port eq 110. This will limit the display to traffic on tcp port 110 (the POP port). Also notice that Wireshark “understands” the Post Office Protocol, so it will interpret bits of information such as POP commands and even authentication information. I do not connect to the Comcast mail server using SSL so my password is contained in the trace in clear text. I had to choose this screenshot wisely! I’ve actually used this to troubleshoot end user client connection problem to pop and imap servers.
6. Scrolling through the filtered captured data only shows a conversation between two
hosts; my laptop and the Comcast mail server. What happened to gmail? Well, I use SSL with my GMail account and SSL POP connections are associated with port 995 not 110. In the filter bar enter the following text and press the ‘apply’ button: tcp.port eq 995. This will show all the POP over SSL traffic. But notice that no other details are available about the application protocol. The protocols in use on port 995 are
13
Lab #2
TCP, SSL and TLS. You will see some packets dealing with key exchange, but that is all to do with the security negotiations associated with SSL\TLS. All the Application data is encrypted.
Closing remarks
This is only the tip of the iceberg. I do not have a need to use this tool very often, but when I do need it, it is there and it can be a life saver – or a job saver.
For more information on this tool visit the Wireshark website at www.wireshark.org. The documentation on this site is quite extensive and should get you up to speed fairly quickly.
Also check out the documentation for whatever protocol you are sniffing. For the internet protocols, the RFC’s are a must read. You can find these at the Internet Engineering Task Force website at www.ietf.org.
Finally, if you are sniffing an undocumented protocol like nrpc (used by Lotus Notes\Domino) you may want to spend time researching a similar protocol that is documented. This may help you to understand what you are seeing in Wireshark related to the undocumented protocol.
14