Packet Analysis Using Wireshark for Beginners 22AF Lisa Bock Pennsylvania College of Technology Monday October 5, 2015 9:30am - 10:45am Track AF | Level 1 | Atlantic VI


Page 1

Packet Analysis Using Wireshark for Beginners (22AF)
Lisa Bock
Pennsylvania College of Technology
Monday October 5, 2015, 9:30am - 10:45am
Track AF | Level 1 | Atlantic VI

Page 2

Learning Objectives

• Understand Traffic Capture and Analysis
• Layers and Encapsulation
• Explore the Wireshark interface
• Examine Common Protocols
  – TCP, UDP, DNS, FTP, and HTTP

Page 3

UNDERSTAND TRAFFIC CAPTURE AND ANALYSIS

Page 4

Overview of Packet Analysis

• Packet analysis uses a packet sniffer
• Monitor and troubleshoot network traffic
• As data flows across the network
  – The sniffer captures each packet and decodes the packet's raw bits
  – Showing the field values in the packet according to the appropriate RFC or other specification

Page 5

Uses for Packet Analysis

• Analyze network problems
• Detect intrusion attempts
• Identify network misuse
• Content monitoring
• Assess bandwidth utilization
• Verify endpoint security status
• Gather network statistics

Page 6

Common Packet Analyzers

• Cain and Abel
• Carnivore – now NarusInsight
• dSniff
• ettercap
• Ngrep
• OmniPeek
• Snoop
• Tcpdump

Page 7

Carnivore

Page 8

Packet Capture

• What you see depends on where you capture
• On a switch
  – A sniffer on an ordinary switch port sees only the frames the switch forwards to that port: traffic to and from the capture device itself, plus broadcast, multicast and flooded unknown-unicast frames
  – Unicast traffic between other hosts on the switch is not visible from there

http://wiki.wireshark.org/CaptureSetup/Ethernet

Page 9

Packet Capture

• Traffic on a wired switch
  – Unicast, broadcast, or multicast
• To see all traffic
  – Port monitoring or SPAN: mirror the ports or VLAN of interest to the port the capture device is on
  – Use a full-duplex tap in line with the traffic: a passive tap does not alter the traffic and the monitored hosts cannot detect it, which matters when the capture is evidence

http://wiki.wireshark.org/CaptureSetup/Ethernet

Page 10

LAYERS AND ENCAPSULATION

Page 11

The OSI Model

To understand packet analysis you must understand the encapsulation process.

Page 12

The OSI Model

• A seven-layer representation
• Shows how data changes as each layer provides services to the next layer
  – Sending: data is encapsulated, each layer adding its own header
  – Receiving: data is de-encapsulated, each layer stripping its header before handing the rest up

Page 13

The OSI Model

Layer                                  PDU       Addressing
Application, Presentation, Session     Data
Transport                              Segment   Port
Network                                Packet    IP address
Data Link                              Frame     MAC address
Physical                               Bits
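The decoding step from the Overview slide ("captures each packet and decodes the packet's raw bits") and the layer/PDU mapping above, as an added example that is not code from the talk: a minimal Ethernet II / IPv4 / TCP decoder in Python using only the standard library. The frame it decodes is constructed inside the block (RFC 5737 documentation addresses and made-up MAC addresses, not a captured frame). It verifies the IPv4 header checksum and the length fields before trusting anything in the header, which is what a dissector has to do before a corrupt or crafted header can mislead the analyst.

```python
"""Decode a raw Ethernet frame layer by layer, the way a packet sniffer does.

Added example for this page (not code from the talk). Everything below uses the
standard library only; the sample frame is constructed here, not captured.
"""
import struct

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; over a valid header (checksum included) it is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode_frame(frame: bytes) -> dict:
    """Return the layer 2-4 field values (frame -> packet -> segment -> data).

    Raises ValueError on truncated or corrupt headers instead of guessing.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"frame": {"dst_mac": mac_str(frame[:6]),
                        "src_mac": mac_str(frame[6:12]),
                        "ethertype": ethertype}}
    if ethertype != 0x0800:          # only IPv4 is decoded here
        return layers

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl or total_len < ihl or len(ip) < total_len:
        raise ValueError("bad IPv4 length fields")
    if ip_checksum(ip[:ihl]) != 0:   # the header checksum covers the header only
        raise ValueError("IPv4 header checksum mismatch")
    layers["packet"] = {"src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]),
                        "ttl": ttl, "protocol": proto, "total_length": total_len}
    if proto != 6:                   # only TCP is decoded here
        return layers

    seg = ip[ihl:total_len]
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win = struct.unpack("!HHIIBBH", seg[:16])
    doff = (off_res >> 4) * 4
    if doff < 20 or doff > len(seg):
        raise ValueError("bad TCP data offset")
    layers["segment"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                         "flags": [name for bit, name in TCP_FLAGS if flags & bit],
                         "window": win}
    layers["data"] = seg[doff:]      # application-layer payload, if any
    return layers


def build_sample_frame() -> bytes:
    """Constructed sample: a TCP SYN from 192.0.2.10:40000 to 192.0.2.80:80."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the checksum
    return eth + ip + tcp


if __name__ == "__main__":
    for layer, fields in decode_frame(build_sample_frame()).items():
        print(layer, fields)
```

The keys of the returned dictionary (frame, packet, segment, data) are the PDU names from the slide; the TCP checksum is left at zero in the sample and is not verified, since it needs the IP pseudo-header and is not what the slide is about.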

Page 14

EXPLORE THE WIRESHARK INTERFACE

Page 15

Wireshark

• The tool for this lab is Wireshark
• Download and install Wireshark
  – Install WinPcap if you are using Windows (current Wireshark releases ship with Npcap instead; either one provides the packet capture driver)

http://www.wireshark.org

Page 16

Wireshark

• For a live capture
  – Launch Wireshark
  – Go to Capture -> Interfaces
  – Click the name of an interface
  – Start capturing packets on that interface

Page 17

Wireshark

• Configure advanced features by clicking Options
• Select the interface with active packet exchange (the interfaces dialog shows a live packet count, so pick the one that is actually carrying traffic)
• Checkmark the interface you want to capture

Page 18

The OSI Model

• In Wireshark, select any HTTP frame and the packet details pane shows the encapsulation from layer 2 up to layer 7
  – Frame: capture metadata (arrival time, length)
  – Ethernet II: the frame, MAC addresses (layer 2)
  – Internet Protocol: the packet, IP addresses (layer 3)
  – Transmission Control Protocol: the segment, ports and SEQ/ACK numbers (layer 4)
  – Hypertext Transfer Protocol: the data (layer 7)

For a review go to http://wiki.wireshark.org/Ethernet

Page 19

Help in Wireshark

Help is easy to find from the Help menu in Wireshark, including links to the sample captures on the Wireshark wiki.

Page 20

Capture Packets

• We will use pre-captured packets
• Review normal traffic first (knowing what normal looks like is what makes abnormal traffic stand out)

Page 21

Capture Packets

• Once you open a capture you will see three panes:
  – Top: packet list of all of the packets received during the capture session
  – Middle: details of the selected frame, decoded layer by layer
  – Bottom: the raw bytes of the selected frame, in hex and ASCII

Page 22

EXAMINE COMMON PROTOCOLS - TCP

Page 23

A TCP Example

• Normal traffic
• Three-way handshake: packets 1, 2, 3 (SYN, SYN/ACK, ACK)
• Review
  – Port numbers
  – Flags
  – SEQ and ACK numbers (Wireshark shows relative sequence numbers by default, so the handshake reads as SEQ 0, then SEQ 0 / ACK 1, then SEQ 1 / ACK 1; the raw 32-bit values are in the bytes pane)
  – Stream index (tcp.stream, one number per connection, assigned in order of first appearance)
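The handshake check and the stream index described above, as an added example that is not code from the talk: a small Python tracker that assigns a stream index to each connection the way tcp.stream does, verifies that packets 1, 2 and 3 carry the right SEQ and ACK relationship (SYN/ACK acknowledges ISN+1, the final ACK acknowledges the server's ISN+1), and reports SYNs that were never answered, the shape a port scan or a filtered port leaves in a capture. The segments are constructed tuples with RFC 5737 addresses, not decoded from a capture file.

```python
"""Assign TCP stream indexes and verify three-way handshakes.

Added example for this page (not code from the talk). Segments are constructed
tuples as a sniffer would have decoded them; no capture file is read. The stream
index mirrors Wireshark's tcp.stream: one number per bidirectional connection,
assigned in order of first appearance.
"""
from collections import namedtuple

Segment = namedtuple("Segment", "src sport dst dport flags seq ack")
SYN, ACK = 0x02, 0x10
MASK32 = 0xFFFFFFFF


def stream_key(s: Segment):
    """Both directions of a connection map to the same key."""
    a, b = (s.src, s.sport), (s.dst, s.dport)
    return (a, b) if a <= b else (b, a)


def relative_seq(seq: int, isn: int) -> int:
    """Relative sequence number as Wireshark displays it (0 for the SYN)."""
    return (seq - isn) & MASK32


def analyze(segments):
    """Return (streams, handshakes, half_open).

    streams:    {stream_key: index}
    handshakes: completed SYN / SYN-ACK / ACK exchanges with both ISNs
    half_open:  stream indexes whose SYN never got a SYN/ACK (scan or filtered port)
    """
    streams, state, handshakes = {}, {}, []
    for s in segments:
        idx = streams.setdefault(stream_key(s), len(streams))
        st = state.setdefault(idx, {"stage": 0})
        syn, ack = bool(s.flags & SYN), bool(s.flags & ACK)
        if syn and not ack and st["stage"] == 0:
            # packet 1: client SYN, carries the client's initial sequence number
            st.update(stage=1, client=(s.src, s.sport), isn_c=s.seq)
        elif syn and ack and st["stage"] == 1 and (s.dst, s.dport) == st["client"]:
            # packet 2: server SYN/ACK must acknowledge ISN_c + 1
            if s.ack != (st["isn_c"] + 1) & MASK32:
                st["stage"] = -1      # bad ACK: not a valid handshake
                continue
            st.update(stage=2, isn_s=s.seq)
        elif ack and not syn and st["stage"] == 2 and (s.src, s.sport) == st["client"]:
            # packet 3: client ACK, SEQ = ISN_c + 1 and ACK = ISN_s + 1
            if (s.seq == (st["isn_c"] + 1) & MASK32
                    and s.ack == (st["isn_s"] + 1) & MASK32):
                st["stage"] = 3
                handshakes.append({"stream": idx, "client": st["client"],
                                   "client_isn": st["isn_c"], "server_isn": st["isn_s"]})
    half_open = [i for i, st in state.items() if st["stage"] == 1]
    return streams, handshakes, half_open


# Constructed sample traffic (RFC 5737 addresses): one complete handshake to port 80,
# followed by a data segment, and a SYN to port 23 that is never answered.
SAMPLE = [
    Segment("192.0.2.10", 40000, "192.0.2.80", 80, SYN, 1000, 0),
    Segment("192.0.2.80", 80, "192.0.2.10", 40000, SYN | ACK, 5000, 1001),
    Segment("192.0.2.10", 40000, "192.0.2.80", 80, ACK, 1001, 5001),
    Segment("192.0.2.10", 40000, "192.0.2.80", 80, ACK | 0x08, 1001, 5001),
    Segment("192.0.2.10", 40001, "192.0.2.80", 23, SYN, 7000, 0),
]

if __name__ == "__main__":
    streams, handshakes, half_open = analyze(SAMPLE)
    print(len(streams), "streams;", handshakes, "; half-open:", half_open)
```

Relative numbers are what the packet list shows; `relative_seq` is the subtraction Wireshark does for you, with the 32-bit wrap handled.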

Page 24

EXAMINE COMMON PROTOCOLS - UDP

Page 25

UDP Example

• Connectionless transport-layer service
• No handshake, sequencing or acknowledgement
• Few problems occur with UDP at the transport layer: there is no connection state to go wrong, and lost or reordered datagrams are left for the application to handle

Page 26

UDP Applications

• Commonly used in video streaming and time-sensitive applications
  – Domain Name System (DNS)
  – Routing Information Protocol (RIP)
  – Voice over IP (VoIP)
  – Trivial File Transfer Protocol (TFTP)
  – Dynamic Host Configuration Protocol (DHCP)

Page 27

EXAMINE COMMON PROTOCOLS - DNS

Page 28

DNS

• DNS is essential to any network
• Converts host names (google.com) to an IP address (72.14.204.103)
• Client sends a query to the DNS server for an IP address
• Server responds with the information
  – Or asks other DNS servers for the information

Page 29

DNS

• Transfers name information between DNS servers
  – DNS uses TCP for a zone transfer (AXFR); ordinary queries use UDP port 53 and fall back to TCP when a response is truncated (TC flag set)
• Looks up other record types as well, such as mail exchange (MX) records

Page 30

DNS

• Every DNS message has a 12-byte header followed by four sections:
  – Question
  – Answer resource records
  – Authority resource records
  – Additional resource records
• The header carries a count for each section (QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT)

Page 31

DNS Packet Structure - Flags

If RD (Recursion Desired) is set in a query, it directs the name server to pursue the query recursively; the server's response says with RA (Recursion Available) whether it will. QR distinguishes a query (0) from a response (1), and RCODE reports errors such as NXDOMAIN (3).
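The header flags and the four sections from the two slides above, as an added example that is not code from the talk: a Python parser for a DNS message that splits the flags word into QR, Opcode, AA, TC, RD, RA and RCODE and walks the Question, Answer, Authority and Additional sections. The response it parses is constructed in the block (example.com resolving to the documentation address 192.0.2.1) and uses a name-compression pointer, the feature that has caused real parser loops; the reader rejects forward or self-referencing pointers and limits pointer chains instead of trusting the message.

```python
"""Parse a DNS message: header flags and the four sections.

Added example for this page (not code from the talk). The response below is
constructed by hand (example.com -> 192.0.2.1, a documentation address) and
includes a name-compression pointer, which is what a parser must handle safely.
"""
import struct


def parse_flags(flags: int) -> dict:
    """Split the 16-bit flags word (RFC 1035 section 4.1.1) into named fields."""
    return {"QR": flags >> 15 & 1, "Opcode": flags >> 11 & 0xF, "AA": flags >> 10 & 1,
            "TC": flags >> 9 & 1, "RD": flags >> 8 & 1, "RA": flags >> 7 & 1,
            "RCODE": flags & 0xF}


def read_name(msg: bytes, off: int, depth: int = 0):
    """Decode a possibly compressed name; return (name, offset after it).

    Pointers must point backwards and chains are depth-limited, so a crafted
    message cannot send the parser into a loop.
    """
    if depth > 8:
        raise ValueError("too many compression pointers")
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward or self-referencing pointer")
            tail, _ = read_name(msg, ptr, depth + 1)
            labels.append(tail)
            return ".".join(labels), off + 2
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length == 0:                                 # root label ends the name
            return ".".join(labels), off + 1
        off += 1
        if off + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def _unpack(fmt: str, msg: bytes, off: int):
    """struct.unpack with an explicit truncation check."""
    size = struct.calcsize(fmt)
    if off + size > len(msg):
        raise ValueError("truncated message")
    return struct.unpack(fmt, msg[off:off + size]), off + size


def parse_dns(msg: bytes) -> dict:
    """Return header fields plus the Question, Answer, Authority and Additional sections."""
    (ident, flags, qd, an, ns, ar), off = _unpack("!HHHHHH", msg, 0)
    out = {"id": ident, "flags": parse_flags(flags),
           "question": [], "answer": [], "authority": [], "additional": []}
    for _ in range(qd):
        name, off = read_name(msg, off)
        (qtype, qclass), off = _unpack("!HH", msg, off)
        out["question"].append({"name": name, "type": qtype, "class": qclass})
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            (rtype, rclass, ttl, rdlen), off = _unpack("!HHIH", msg, off)
            if off + rdlen > len(msg):
                raise ValueError("truncated RDATA")
            rdata, off = msg[off:off + rdlen], off + rdlen
            rec = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
            if rtype == 1 and rdlen == 4:                 # A record
                rec["address"] = ".".join(str(b) for b in rdata)
            else:
                rec["rdata"] = rdata
            out[section].append(rec)
    return out


def build_sample_response() -> bytes:
    """Constructed response: ID 0x1A2B, QR=1 RD=1 RA=1, one question, one A answer."""
    header = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)   # A, IN
    # the answer name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    print(parse_dns(build_sample_response()))
```

Only A records are decoded into an address; any other type is returned as raw RDATA, which is enough to see the section counts and flags that the slides are about.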

Page 32

EXAMINE COMMON PROTOCOLS - FTP

Page 33

FTP – Grab a Pic

• Purpose of FTP is to transfer files over TCP
• Uses both ports 20 and 21
  – Command channel: the client connects to port 21 on the FTP server; commands, replies and the USER/PASS login all travel here in cleartext
  – Data channel: directory listings and file contents go over a second connection; in active mode the server opens it from source port 20, while in passive mode (PASV) the server listens on an ephemeral port that it announces on the command channel, and Wireshark reads that announcement to label the connection ftp-data

Page 34

Reassemble the Streams

• Wireshark can reassemble a stream and recover its content if the data is not encrypted
• Apply the display filter ftp-data
• Right-click a packet in TCP stream 74 and choose Follow TCP Stream
• Set the format to Raw, click Save As and save it as mystery.jpg
• Go to where you saved the file and open it!
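What Follow TCP Stream does underneath, as an added example that is not code from the talk: Python that rebuilds one direction of a TCP stream from (sequence number, payload) pairs and checks that the result looks like a JPEG. Real captures deliver segments out of order, retransmitted and overlapping, so the reassembler sorts by relative sequence number, discards bytes it already has, and refuses to continue across a gap, since a file rebuilt over missing bytes would be silently corrupt. The "file" and its segments are constructed in the block; they are not the talk's mystery.jpg or stream 74.

```python
"""Reassemble one direction of a TCP stream and recover the transferred file.

Added example for this page (not code from the talk). Wireshark's Follow TCP
Stream does this for you; the point here is what it has to cope with: segments
arriving out of order, retransmitted, or overlapping. The "file" is a constructed
byte string with JPEG start/end markers, not the talk's mystery.jpg.
"""
MASK32 = 0xFFFFFFFF
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def reassemble(first_seq: int, segments) -> bytes:
    """Join (seq, payload) pairs from one direction into the byte stream.

    first_seq is the sequence number of the first data byte (ISN + 1 after the
    handshake). Duplicates and overlaps are discarded; a gap raises, because a
    file rebuilt across missing bytes would be silently corrupt.
    """
    buf = bytearray()
    for seq, data in sorted(segments, key=lambda s: (s[0] - first_seq) & MASK32):
        rel = (seq - first_seq) & MASK32          # relative offset into the stream
        if rel > len(buf):
            raise ValueError("gap: %d bytes missing before relative seq %d"
                             % (rel - len(buf), rel))
        buf += data[len(buf) - rel:]              # skip bytes already present
    return bytes(buf)


def looks_like_jpeg(data: bytes) -> bool:
    """Cheap sanity check on the recovered file: SOI marker at start, EOI at end."""
    return data.startswith(JPEG_SOI) and data.endswith(JPEG_EOI)


# Constructed "file" and the segments that carried it (server -> client direction).
SAMPLE_FILE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(40)) + b"\xff\xd9"
FIRST_SEQ = 5001
SAMPLE_SEGMENTS = [
    (5001, SAMPLE_FILE[0:10]),        # segment 1
    (5021, SAMPLE_FILE[20:]),         # segment 3 arrives before segment 2
    (5011, SAMPLE_FILE[10:20]),       # segment 2, late
    (5001, SAMPLE_FILE[0:10]),        # retransmission of segment 1
    (5016, SAMPLE_FILE[15:25]),       # overlap spanning segments 2 and 3
]

if __name__ == "__main__":
    recovered = reassemble(FIRST_SEQ, SAMPLE_SEGMENTS)
    print(len(recovered), "bytes, jpeg markers ok:", looks_like_jpeg(recovered))
```

The same routine recovers anything else that crosses the wire unencrypted, including the USER and PASS lines on the FTP command channel, which is the reason to prefer SFTP or FTPS in the first place.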

Page 35

EXAMINE COMMON PROTOCOLS - HTTP

Page 36

HTTP 1.1

Page 37

Hypertext Transfer Protocol

• Actors in a Web interaction
  – HTML
  – HTTP
  – Browser and the Web server
• HTTP is a stateless protocol: each request stands alone, and any state such as a login is carried along in cookies or other headers
• Two types of HTTP messages
  – Request and response

Page 38

Hypertext Transfer Protocol

• A Web page consists of objects, each identified by a URL or URI
• Request message
  – Request line (method such as GET or POST, the target, and the HTTP version)
  – Header fields with additional information about the request
  – Data (the body, for example the form fields of a POST)
• Response message
  – Status line with the status code
  – Header fields
  – Data (the requested object)

Page 39

HTTP Response Status Codes

• 1xx: Informational
• 2xx: Success
• 3xx: Redirection
• 4xx: Client Error
• 5xx: Server Error
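The request and response structure from the two slides above, as an added example that is not code from the talk: a Python parser that splits a raw HTTP/1.1 message into its start line, headers and body, using Content-Length to find the end of the body, and classifies a response by the first digit of its status code. The request and response bytes are constructed in the block. A message whose head or body has not fully arrived yet returns None rather than a half-parsed result, which is the situation a dissector is in until the TCP stream has delivered enough segments.

```python
"""Split raw HTTP/1.1 messages into start line, headers and body.

Added example for this page (not code from the talk). It does what the HTTP
dissector does on top of a reassembled TCP stream; the request and response
bytes are constructed here. A message whose body has not fully arrived yet
returns None rather than a half-parsed result.
"""
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}


def parse_http_message(raw: bytes):
    """Parse one message with a Content-Length body (no chunked encoding).

    Returns None if the head or the body is incomplete, so the caller can wait
    for more segments; raises ValueError on malformed input.
    """
    head_end = raw.find(b"\r\n\r\n")
    if head_end < 0:
        return None
    head = raw[:head_end].decode("iso-8859-1")
    rest = raw[head_end + 4:]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()   # field names are case-insensitive
    length_text = headers.get("content-length", "0")
    if not length_text.isdigit():
        raise ValueError("bad Content-Length")
    length = int(length_text)
    if len(rest) < length:
        return None                                    # body still in flight
    msg = {"headers": headers, "body": rest[:length]}
    start = lines[0]
    if start.startswith("HTTP/"):                      # status line: version SP code SP reason
        version, _, tail = start.partition(" ")
        code, _, reason = tail.partition(" ")
        if not (code.isdigit() and len(code) == 3):
            raise ValueError("bad status code")
        code = int(code)
        msg.update(type="response", version=version, status=code, reason=reason,
                   status_class=STATUS_CLASSES.get(code // 100, "unknown"))
    else:                                              # request line: method SP target SP version
        parts = start.split(" ")
        if len(parts) != 3:
            raise ValueError("bad request line")
        msg.update(type="request", method=parts[0], target=parts[1], version=parts[2])
    return msg


# Constructed sample exchange (not from the talk's capture).
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"User-Agent: example-client\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Content-Length: 13\r\n\r\n"
                   b"<html></html>")

if __name__ == "__main__":
    print(parse_http_message(SAMPLE_REQUEST))
    print(parse_http_message(SAMPLE_RESPONSE))
```

Chunked transfer encoding is deliberately out of scope; with it the body length is not known from the headers, and Wireshark has to walk the chunk sizes instead.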

Page 40

QUESTIONS?

Page 41

More Resources

• For more packet captures go to http://www.netresec.com/?page=PcapFiles
• Wireshark Network Analysis, by Laura Chappell, Chappell Binding
• Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders, No Starch Press
• Article on using Wireshark to troubleshoot Rational problems

Page 42

On IBM i

• Install the QSPTLIB library, which is available as a save file PTF
  – V5R2M0 - SE06946
  – V5R3M0 - SE16633
  – V5R4M0 - SE24152
  – V6R1M0 - SE32507
  – V7R1M0 - SE45610
• Use a binary FTP transfer to load the save file onto the IBM i system

Page 43

On IBM i

• Restore the library
  – RSTLIB SAVLIB(QSPTLIB) DEV(*SAVF) SAVF(QGPL/QSE45610)
• Run the Trace Connection command (the x's are the IP address of the remote system)
  – TRCCNN SET(*ON) TRCTYPE(*IP) TRCTBL(TRCCNNIP) SIZE(998000) TCPDTA(*N () () *N 'xxx.xxx.xxx.xxx')

Page 44

On IBM i

• Turn off tracing
  – TRCCNN SET(*OFF) TRCTBL(TRCCNNIP) CCSID(*ASCII)
• Output is a spooled file called QSYSPRT
• Run the following to access the support tools menu:
  – ADDLIBLE SPTLIB
  – SPT

Page 45

On IBM i

• Option 12 displays the Communications Trace menu
• Option 15 converts the spooled trace to a CAP file
  – CVTTRCCNN SPLF(QSYSPRT * *LAST) OUTF('/lisa_traces/mystery-trace.cap')
• Copy the file out to a machine running Wireshark

Page 46

Lynda.com

• See my course on Lynda.com!
• Troubleshooting Your Network with Wireshark