Packet Capture Wireshark

FakrulAlam

Why we need to capture packet & how it’s related to

security?

tcpdump Defini=on

tcpdumpisau0lityusedtocaptureandanalyzepacketsonnetworkinterfaces.Detailsaboutthesepacketscaneitherbedisplayedtothescreenortheycanbesavedtoafileforlateranalysis.tcpdumpu0lizesthelibpcaplibraryforpacketcapturing.

tcpdump command example

# tcpdump –nni eth0# tcpdump –nni eth0 host 10.10.10.10# tcpdump –nni eth0 dst host 10.10.10.10 and tcp # tcpdump –nni eth0 src net 10.10.10.0/24 and tcp and portrange 1-1024

-nn=don’tuseDNStoresolveIPsanddisplayportno-i=interfacetowatchdst=watchonlytrafficdes0nedtoanet,hostorportsrc=watchonlytrafficwhosesrcisanet,hostorportnet=specifiesnetworkhost=specifieshostport=specifiesaportproto=protocolietcporudp

tcpdump command example

# tcpdump –nni eth0 –s0

# tcpdump –nni eth0 not port 22 –s0 –c 1000

# tcpdump –nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24

-s0=seIngsampleslengthto0meansusetherequiredlengthtocatchwholepacket-c=numberofpackets

tcpdump pcaps

# tcpdump –nni eth0 -w capture.pcap –vv –c 1000

# tcpdump –nni eth0 –r capture.pcap port 80

-wcapture.pcap=savecapturepackettocapture.pcap–vv=displaynumberofpacketcaptured-rcapture.pcap=readcapturefile-c=numberofpackets

tcpdump Output

IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204], length 53

IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 106, win 4092, options [nop,nop,TS val 376934736 ecr 854797891], length 0

IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 106:159, ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204], length 53

IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 159, win 4091, options [nop,nop,TS val 376934736 ecr 854797891], length 0

What is Wireshark?

• Wiresharkisanetworkpacket/protocolanalyzer.•  Anetworkpacketanalyzerwilltrytocapturenetworkpacketsandtriestodisplaythatpacketdataasdetailedaspossible.

• WiresharkisperhapsoneofthebestopensourcepacketanalyzersavailabletodayforUNIXandWindows.

About Wireshark

•  Formerlyknownas“Ethereal”•  Author,GeraldCombsquitNetworkIntegra0onServices•  Free

• Requirement•  Needtoinstallwinpcap•  Latestwiresharkinstallercontainswinpcap,don’tworry•  (OnWindowsVista)NeedAdministratorPrivilegetocapture

• GUI•  Drama0callyimproved

Why Wireshark

• networkadministratorsuseittotroubleshootnetworkproblems• networksecurityengineersuseittoexaminesecurityproblems• developersuseittodebugprotocolimplementa<ons• peopleuseittolearnnetworkprotocolinternals• Wiresharkisn'tanintrusiondetec0onsystem.• Wiresharkwillnotmanipulatethingsonthenetwork,itwillonly"measure"thingsfromit.

How to Install

• Verystraightforward•  Justdouble-clickandfollowtheinstruc0ons.

Capture

Dashboard Menu

Filter

CaptureData

RawData

Filters

• Capturefilter•  CaptureTrafficthatmatchcapturefilterrule•  savediskspace•  preventpacketloss

• Displayfilter•  Tweakappearance

Apply Filters

•  ip.addr==10.0.0.1[Setsafilterforanypacketwith10.0.0.1,aseitherthesourceordest]•  ip.addr==10.0.0.1&&ip.addr==10.0.0.2[setsaconversa0onfilterbetweenthetwodefinedIPaddresses]•  hdpordns[setsafiltertodisplayallhdpanddns]•  tcp.port==4000[setsafilterforanyTCPpacketwith4000asasourceordestport]•  tcp.flags.reset==1[displaysallTCPresets]•  hdp.request[displaysallHTTPGETrequests]•  tcpcontainsrviews[displaysallTCPpacketsthatcontaintheword‘rviews’.ExcellentwhensearchingonaspecificstringoruserID]•  !(arporicmpordns)[masksoutarp,icmp,dns,orwhateverotherprotocolsmaybebackgroundnoise.Allowingyoutofocusonthetrafficofinterest]

Follow TCP Stream

Follow TCP Stream •  Build TCP Stream

–  Select TCP Packet -> Follow TCP Stream

Use “Sta=s=cs”

• Whatprotocolisusedinyournetwork•  Sta0s0cs->ProtocolHierarchy

Use “Sta=s=cs”

• Whichhostmostchady•  Sta0s0cs->Conversa0ons

Need CLI?

•  Ifyous0cktocharacterbasedinterface,trytshark.exe• C:\programfiles\wireshark\tshark.exe

Tcpdump & Wireshark

•  tcpdump-i<interface>-s65535-w<some-file>•  -s<snaplen>:amountofbytescapturesforeachpacket•  -w<some-file>:writetherawpacketstoafile

Exercise

•  InstallWiresharkintoyourPC• RunwiresharkandCaptureinbound/outboundtraffic• Downloadcapturefilesfrom

•  Followtheinstructor'sguide.

Exercise 1: Good Old Telnet

•  File•  telnet.pcap

• Ques0on•  Reconstructthetelnetsession.

• Q1:Whologgedinto192.168.0.1•  Username__________,Password__________.

• Q2:Averloggedinwhatdidtheuserdo?•  Tip•  telnettrafficisnotsecure

Exercise 2: Massive TCP SYN

•  File•  massivesyn1.pcapandmassivesyn2.pcap

• Ques0on•  Pointthedifferencebetweenthem.

• Q1:massivesyn1.pcapisa_________adempt.• Q2:massivesyn2.pcapisa_________adempt.•  Tip

•  Payaden0ontoSrcIP

Exercise 3: ChaUy Employees

•  File•  chat.dmp

• Ques0on• Q1:Whatkindofprotocolisused?_______• Q2:Thisisaconversa0onbetween_____@hotmail.comand______@hotmail.com• Q3:Whatdotheysayaboutyou(sysadmin)?•  Tip

•  Yourchatcanbemonitoredbynetworkadmin.

Exercise 4: Suspicious FTP ac=vity

•  File•  vp1.pcap

• Ques0on•  Q1:10.121.70.151isFTP______.•  Q2:10.234.125.254isFTP______.•  Q3:FTPErrCode530means__________.•  Q4:10.234.125.254adempt________.

•  Tip•  Howmanyloginerroroccurwithinaminute?

Exercise 5: Uniden=fied Traffic

•  File•  Foobar.pcap

• Ques0on•  Q1:seewhat’sgoingonwithwiresharkgui

•  Sta0s0cs->Conversa0onList->TCP(*)•  Q2:Whichapplica0onuseTCP/6346?Checktheweb.

Exercise 6: Covert channel

•  File•  cover0nfo.pcap

• Ques0on•  Takeacloserlook!ThisisnotatypicalICMPEcho/Reply…•  Q1:Whatkindoftooldotheyuse?Checktheweb.•  Q2:Nameotherapplica0onwhichtunnelusertraffic.

Exercise 7: Analyze Malware

•  File•  malware.pcap

• Ques0ons:•  Q1:FindthebadHTTPtraffic•  Q2:IsthereanymalwareintheHTTPtraffic?•  Q3:Uploadonesamplemalwaretohdps://www.virustotal.com/

•  Doesallan0virusdetectthemalware?

•  Tips•  Filterwithhttp contains "in DOS mode”•  Exportallthefiles

Exercise 8: SIP

•  File•  sip_chat.pcap

• Ques0ons:•  Q1:CanwelistentoSIPvoice?•  Q2:How!!

LAB