Packet Analysis Using Wireshark
for Beginners (22AF)
Lisa Bock
Pennsylvania College of Technology
Monday October 5, 2015, 9:30am - 10:45am
Track AF | Level 1 | Atlantic VI
Learning Objectives
• Understand traffic capture and analysis
• Layers and encapsulation
• Explore the Wireshark interface
• Examine common protocols
  – TCP, HTTP, DNS, and FTP
UNDERSTAND TRAFFIC CAPTURE AND ANALYSIS
Overview of Packet Analysis
• Packet analysis uses a packet sniffer
• Monitor and troubleshoot network traffic
• As data flows across the network
  – The sniffer captures each packet and decodes its raw bits
  – It shows the field values in the packet according to the appropriate RFC or other specification
Uses for Packet Analysis
• Analyze network problems
• Detect intrusion attempts
• Identify network misuse
• Content monitoring
• Assess bandwidth utilization
• Verify endpoint security status
• Gather network statistics
Common Packet Analyzers
• Cain and Abel
• Carnivore – now NarusInsight
• dSniff
• ettercap
• Ngrep
• OmniPeek
• Snoop
• Tcpdump
Carnivore
Packet Capture
• Dependent on where you capture
• On a switch
  – The packet sniffer sees only traffic to and from the capture device itself, plus broadcast and multicast; the switch forwards other hosts' unicast traffic only to their own ports
http://wiki.wireshark.org/CaptureSetup/Ethernet
Packet Capture
• Traffic on a wired switch
  – Unicast, broadcast, or multicast
• To see all traffic
  – Port monitoring or SPAN (the switch mirrors the ports of interest to the capture port)
  – Use a full-duplex tap in line with the traffic
LAYERS AND ENCAPSULATION
The OSI Model
To understand packet analysis you must understand the encapsulation process
The OSI Model
• A seven-layer representation
• How data changes as each layer provides services to the next layer
  – Data encapsulates on the way down the stack (each layer adds its header)
  – Data de-encapsulates on the way up (each layer strips its header)
The OSI Model
(Slide diagram: PDU name and addressing at each layer)
  – Application: Data
  – Transport: Segment, addressed by Port
  – Network: Packet, addressed by IP Address
  – Data Link: Frame, addressed by MAC address
  – Physical: Bits
EXPLORE THE WIRESHARK INTERFACE
Wireshark
• The tool for this lab is Wireshark
• Download and install Wireshark
  – Install WinPcap if you are using Windows (the capture driver; current Windows builds of Wireshark bundle Npcap instead)
http://www.wireshark.org
Wireshark
• For a live capture
  – Launch Wireshark
  – Go to Capture -> Interfaces
  – Click the name of an interface
  – Start capturing packets on that interface
Wireshark
• Configure advanced features by clicking Options
• Select the interface with active packet exchange
  – Checkmark the interface you want to capture
The OSI Model
• In Wireshark, select any HTTP frame and the details pane shows the encapsulation from layer 2 up to layer 7: Ethernet (frame), IP (packet), TCP (segment), HTTP (data)
  – Layers 5 and 6 do not appear as separate rows; Wireshark goes straight from the transport segment to the application data
(Slide diagram: Frame, Packet, Segment and Data labelled next to the Ethernet, IP, TCP and HTTP rows)
For a review go to http://wiki.wireshark.org/Ethernet
Help in Wireshark
Easily find help in Wireshark, including sample captures
Capture Packets
• We will use pre-captured packets
• Review normal traffic
Capture Packets
• Once you open a capture you will see three panes:
  – Top: packet list of all of the packets received during the capture session
  – Middle: details of a single frame
  – Bottom: the bytes of a single frame
EXAMINE COMMON PROTOCOLS - TCP
A TCP Example
• Normal traffic
• Three-way handshake: packets 1, 2, 3 (SYN, SYN/ACK, ACK)
• Review
  – Port numbers
  – Flags
  – SEQ and ACK numbers (Wireshark shows them relative to each side's initial sequence number by default, so the handshake reads 0, 0/1, 1/1)
  – Stream index
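Added example, written for this page in Python rather than taken from the slides: it decodes the Ethernet, IP and TCP headers of a frame (the fields the details pane shows) and then checks that three frames really form a handshake, i.e. that each ACK equals the peer's SEQ + 1, and converts later SEQ/ACK values to the relative numbers Wireshark displays. The hosts (10.0.0.5 and 10.0.0.80), ports and initial sequence numbers are made up for the example; the frames are built in the block, not captured.

```python
"""Decode Ethernet/IPv4/TCP frames and verify a three-way handshake.

Added example written for this page; not code from the original slides.
The frames below are constructed for the example (hypothetical hosts
10.0.0.5 and 10.0.0.80, made-up initial sequence numbers); they were not
taken from any real capture.
"""
import struct

# TCP flag bits, low 9 bits of the data-offset/flags word (RFC 9293)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF


def build_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Build a minimal Ethernet II / IPv4 / TCP frame for the sample data.
    Checksums are left zero (the parser never validates them); the MAC
    addresses are placeholders."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def parse_frame(frame):
    """Return the fields Wireshark shows in the details pane for a TCP frame:
    addresses, ports, flags, raw SEQ/ACK and the payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                    # IPv4 header length in bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,
        "payload": tcp[(off_flags >> 12) * 4:],  # skip header + options
    }


def find_handshake(frames):
    """Find a SYN, SYN/ACK and ACK that belong to the same connection and
    whose numbers chain (each ACK == the peer's SEQ + 1). Returns the
    1-based frame numbers and both initial sequence numbers, or None."""
    pk = [parse_frame(f) for f in frames]
    for i, syn in enumerate(pk):
        if (syn["flags"] & (SYN | ACK)) != SYN:
            continue
        fwd = (syn["src"], syn["sport"], syn["dst"], syn["dport"])
        rev = (syn["dst"], syn["dport"], syn["src"], syn["sport"])
        for j in range(i + 1, len(pk)):
            sa = pk[j]
            if ((sa["flags"] & (SYN | ACK)) == (SYN | ACK)
                    and (sa["src"], sa["sport"], sa["dst"], sa["dport"]) == rev
                    and sa["ack"] == ((syn["seq"] + 1) & MASK32)):
                for k in range(j + 1, len(pk)):
                    ak = pk[k]
                    if ((ak["flags"] & (SYN | ACK)) == ACK
                            and (ak["src"], ak["sport"], ak["dst"], ak["dport"]) == fwd
                            and ak["seq"] == ((syn["seq"] + 1) & MASK32)
                            and ak["ack"] == ((sa["seq"] + 1) & MASK32)):
                        return {"client": fwd[:2], "server": fwd[2:],
                                "client_isn": syn["seq"], "server_isn": sa["seq"],
                                "frames": (i + 1, j + 1, k + 1)}
    return None


def relative_numbers(p, hs):
    """Convert raw SEQ/ACK to the relative numbers Wireshark displays
    (0 is the ISN of the sending direction)."""
    if (p["src"], p["sport"]) == hs["client"]:
        mine, theirs = hs["client_isn"], hs["server_isn"]
    else:
        mine, theirs = hs["server_isn"], hs["client_isn"]
    return (p["seq"] - mine) & MASK32, (p["ack"] - theirs) & MASK32


# Constructed sample: hypothetical client, server and ISNs.
CLIENT, SERVER = ("10.0.0.5", 49152), ("10.0.0.80", 80)
C_ISN, S_ISN = 1_000_000, 2_000_000
SAMPLE_FRAMES = [
    build_frame(*CLIENT, *SERVER, C_ISN, 0, SYN),                 # 1: SYN
    build_frame(*SERVER, *CLIENT, S_ISN, C_ISN + 1, SYN | ACK),   # 2: SYN/ACK
    build_frame(*CLIENT, *SERVER, C_ISN + 1, S_ISN + 1, ACK),     # 3: ACK
    build_frame(*CLIENT, *SERVER, C_ISN + 1, S_ISN + 1, PSH | ACK,
                b"GET / HTTP/1.1\r\nHost: 10.0.0.80\r\n\r\n"),    # 4: first data
]

if __name__ == "__main__":
    hs = find_handshake(SAMPLE_FRAMES)
    print("handshake in frames", hs["frames"], "client ISN", hs["client_isn"])
    for n, f in enumerate(SAMPLE_FRAMES, 1):
        print(n, relative_numbers(parse_frame(f), hs))
```

The chaining check is the part worth keeping: a SYN/ACK whose acknowledgement number does not equal the client's ISN + 1 is not part of this connection, no matter which ports it carries, and the function rejects it.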
EXAMINE COMMON PROTOCOLS - UDP
UDP Example
• Connectionless Transport Layer service
• No handshake, sequencing or acknowledgement
• Because there is no connection state, a capture shows few UDP-level problems; trouble appears as requests with no response rather than as retransmissions or resets
UDP Applications
• Commonly used where low latency matters more than reliable delivery, such as video streaming and VoIP, and by simple request/response protocols:
  – Domain Name System (DNS)
  – Routing Information Protocol (RIP)
  – Voice over IP (VoIP)
  – Trivial File Transfer Protocol (TFTP)
  – Dynamic Host Configuration Protocol (DHCP)
EXAMINE COMMON PROTOCOLS - DNS
DNS
• DNS is essential to any network
• Converts host names (google.com) to an IP address (72.14.204.103)
• Client sends a query to the DNS server for an IP address
• Server responds with the information
  – Or asks other DNS servers for the information
DNS
• Transfers name information between DNS servers
  – Ordinary queries use UDP port 53; DNS uses TCP port 53 for a zone transfer (and for any response too large for a single UDP datagram)
• Looks up other record types as well, such as mail exchanger (MX) records
DNS
• Every DNS message has a 12-byte header (transaction ID, flags, and a count for each section) followed by four sections:
  – Questions
  – Answer Resource Records
  – Authority Resource Records
  – Additional Resource Records
DNS Packet Structure - Flags
If RD (Recursion Desired) is set, it directs the name server to pursue the query recursively on the client's behalf.
The other header flags are QR (0 = query, 1 = response), AA (authoritative answer), TC (truncated, so retry over TCP), RA (recursion available) and the 4-bit RCODE (0 = no error, 3 = name does not exist).
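Added example, written for this page in Python and not taken from the slides: a decoder for the DNS header flags described above and for all four sections, including the name compression pointers that Wireshark resolves silently. The query and response are constructed inside the block (a lookup of example.com answered with 203.0.113.10, a documentation address); they were not captured from a live network.

```python
"""Decode a raw DNS message: header flags (QR, Opcode, AA, TC, RD, RA,
RCODE), section counts and the Question/Answer/Authority/Additional sections.

Added example written for this page; not code from the original slides.
The query and response below are constructed for the example, not
captured from a live network.
"""
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """example.com -> 07 'example' 03 'com' 00 (uncompressed wire form)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.split(".")) + b"\x00"


def read_name(msg, offset):
    """Read a possibly compressed name (RFC 1035 4.1.4). Returns the name
    and the offset just past it at the original position, even when a
    pointer was followed. The hop limit guards against pointer loops in
    hostile messages."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("too many compression pointers")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def read_rrs(msg, offset, count):
    """Read `count` resource records; A-record RDATA is rendered as dotted quad."""
    rrs = []
    for _ in range(count):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        rrs.append({"name": name, "type": rtype, "class": rclass,
                    "ttl": ttl, "rdata": rdata})
    return rrs, offset


def parse_dns(msg):
    """Decode the header and all four sections of one DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    out = {
        "id": txid,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "aa": (flags >> 10) & 1,        # authoritative answer
        "tc": (flags >> 9) & 1,         # truncated: client should retry over TCP
        "rd": (flags >> 8) & 1,         # recursion desired (set by the client)
        "ra": (flags >> 7) & 1,         # recursion available (set by the server)
        "rcode": flags & 0xF,           # 0 NOERROR, 3 NXDOMAIN, ...
    }
    questions, offset = [], 12
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    out["questions"] = questions
    out["answers"], offset = read_rrs(msg, offset, an)
    out["authority"], offset = read_rrs(msg, offset, ns)
    out["additional"], offset = read_rrs(msg, offset, ar)
    return out


# Constructed sample messages (not captured).
QUESTION = encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
# Query: ID 0x1234, flags 0x0100 (only RD set), one question
SAMPLE_QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
# Response: flags 0x8180 (QR, RD, RA), one answer whose name is a pointer
# (0xC00C) back to offset 12, where the question name starts
SAMPLE_RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
                   + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                   + bytes([203, 0, 113, 10]))

if __name__ == "__main__":
    print(parse_dns(SAMPLE_QUERY))
    print(parse_dns(SAMPLE_RESPONSE))
```

Matching the transaction ID between query and response is what Wireshark uses to pair them; a response with a known ID but QR, RA and an answer the client never asked for is the pattern to look for when checking for spoofed replies.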
EXAMINE COMMON PROTOCOLS FTP
FTP – Grab a Pic
• Purpose of FTP is to transfer files over TCP
• Uses both ports 20 and 21
  – The command channel is designated on port 21 for the FTP server.
  – To transfer data like directory contents or files, a secondary channel, port 20, is used (active mode: the server connects back to the client from port 20).
  – In passive mode (PASV), which most clients use today, the server instead opens a high-numbered port for the data channel and announces it in the 227 reply on the command channel, so the data stream will not be on port 20.
Reassemble the Streams
• Can reassemble and obtain content if data is not encrypted
• Filter ftp-data traffic
• Right click, Follow TCP Stream (stream 74), show the data as raw and click Save As, naming the file mystery.jpg
• Go to where you saved the file and open it!
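Added example, written for this page in Python and not code from the slides: the reassembly that Follow TCP Stream and Save As (raw) perform for one direction of the ftp-data stream, done by hand from (sequence number, payload) pairs. It orders segments by sequence number relative to the ISN, drops retransmitted bytes, reports any hole, and checks the result for the JPEG start and end markers before you would save it as mystery.jpg. The segments are constructed inside the block (a small fake JPEG split into 8-byte segments that arrive out of order with one retransmission) and the initial sequence number is made up.

```python
"""Reassemble one direction of a TCP stream from its data segments and
check the result for a JPEG signature, which is what Follow TCP Stream ->
Save As (raw) does for the ftp-data stream in the exercise.

Added example written for this page; not code from the original slides.
The segments below are constructed (a fake JPEG, made-up ISN), not captured.
"""

MASK32 = 0xFFFFFFFF
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def reassemble(segments, isn):
    """segments: (seq, payload) pairs from one direction of a stream.
    Orders them by sequence number relative to the ISN, discards bytes
    already present (retransmissions and overlaps) and records each hole
    as (start, end) in stream offsets, filling it with zero bytes so the
    caller can still inspect what did arrive."""
    base = (isn + 1) & MASK32                 # the SYN consumes one number
    buf, gaps = bytearray(), []
    for seq, payload in sorted(segments, key=lambda s: (s[0] - base) & MASK32):
        rel = (seq - base) & MASK32           # offset of this payload in the stream
        if rel > len(buf):                    # hole before this segment
            gaps.append((len(buf), rel))
            buf.extend(b"\x00" * (rel - len(buf)))
        already = len(buf) - rel              # bytes of this segment seen before
        if already < len(payload):
            buf.extend(payload[already:])
    return bytes(buf), gaps


def looks_like_jpeg(data):
    """Cheap content check before saving as .jpg: SOI marker at the start
    and EOI marker at the end."""
    return data.startswith(JPEG_SOI) and data.endswith(JPEG_EOI)


# Constructed sample: not a real picture, just a JFIF header, some filler
# and the EOI marker, so the signature check has something to find.
FAKE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x48\x00\x48\x00\x00"
             + b"<constructed image body>" + JPEG_EOI)
ISN = 0x1A2B3C4D                                 # made-up server ISN
SEGMENT_SIZE = 8
SEGMENTS = [(ISN + 1 + i, FAKE_JPEG[i:i + SEGMENT_SIZE])
            for i in range(0, len(FAKE_JPEG), SEGMENT_SIZE)]
# Capture order: third segment first, then the first, then the second
# twice (a retransmission), then the rest in order.
CAPTURE_ORDER = [2, 0, 1, 1] + list(range(3, len(SEGMENTS)))
SAMPLE_SEGMENTS = [SEGMENTS[i] for i in CAPTURE_ORDER]

if __name__ == "__main__":
    data, gaps = reassemble(SAMPLE_SEGMENTS, ISN)
    print(len(data), "bytes, gaps:", gaps, "jpeg:", looks_like_jpeg(data))
    with open("mystery.jpg", "wb") as fh:       # same as Save As -> raw
        fh.write(data)
```

Wireshark's Follow TCP Stream does the same ordering and de-duplication for you; the point of doing it by hand is to see that a hole in the capture (a dropped segment) still yields a file with the right markers, which is why a saved image that opens but looks corrupt usually means missing segments, not a broken file on the server.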
EXAMINE COMMON PROTOCOLS HTTP
HTTP 1.1
Hypertext Transfer Protocol
• Actors in Web interaction
  – HTML
  – HTTP
  – Browser and the Web server
• HTTP is a stateless protocol
• Two types of HTTP messages
  – Request and response
Hypertext Transfer Protocol
• A Web page consists of objects, each identified by a URL or URI
• Request message
  – Request line (method such as GET or POST, the URI, and the HTTP version)
  – Header fields with additional information about the request
  – Optional data (body)
• Response message
  – Status line (HTTP version, status code, reason phrase)
  – Header fields
  – Data (body)
HTTP Response Status Codes
• 1xx: Informational
• 2xx: Success
• 3xx: Redirection
• 4xx: Client Error
• 5xx: Server Error
QUESTIONS?
More Resources
• For more packet captures go to http://www.netresec.com/?page=PcapFiles
• Wireshark Network Analysis, by Laura Chappell, Chappell Binding
• Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders, No Starch Press, Incorporated
• Article on using Wireshark to troubleshoot Rational problems
On IBMi
• Install the QSPTLIB library, which is available as a save file PTF
  – V5R2M0 - SE06946
  – V5R3M0 - SE16633
  – V5R4M0 - SE24152
  – V6R1M0 - SE32507
  – V7R1M0 - SE45610
• Use a binary FTP transfer to load the save file onto the IBM i system.
On IBMi
• Restore the library
  – RSTLIB SAVLIB(QSPTLIB) DEV(*SAVF) SAVF(QGPL/QSE45610)
• Run the Trace Connection command (the x's are the IP address of the remote system)
  – TRCCNN SET(*ON) TRCTYPE(*IP) TRCTBL(TRCCNNIP) SIZE(998000) TCPDTA(*N () () *N 'xxx.xxx.xxx.xxx')
On IBMi
• Turn off tracing
  – TRCCNN SET(*OFF) TRCTBL(TRCCNNIP) CCSID(*ASCII)
• Output is a spooled file called QSYSPRT
• Run the following to access the support tools menu:
  – ADDLIBLE SPTLIB
  – SPT
On IBMi
• Option 12 displays the Communications Trace menu
• Option 15 converts the spooled trace to a CAP file
  – CVTTRCCNN SPLF(QSYSPRT * *LAST) OUTF('/lisa_traces/mystery-trace.cap')
• Copy the CAP file out to a machine running Wireshark
Lynda.com
• See my course on Lynda.com!
  – Troubleshooting Your Network with Wireshark