Page 1: PACKET SNIFFING

Dr. Andy Wu

BCIS 4630 Fundamentals of IT Security

Page 2: Sniffing

Page 3: Overview

• Basics
  – Promiscuous mode
  – Capture driver
  – TCPDump syntax
• Capture filter
• Wireshark GUI
• Display filter

Page 4: Packet Sniffing

• A.k.a. network analysis, protocol analysis, packet analysis.
• The process of capturing network traffic and inspecting it closely to determine what is happening on the network.
• Displays network traffic in a human-readable format.
• Can be a standalone hardware device with specialized software (http://www.cacetech.com/products/airpcap.htm?utm_source=Wireshark&utm_medium=banner&utm_term=horizontal&utm_campaign=Airpcap) or a software application (sniffer).

Page 5: Dangers of Sniffing

• Many protocols were designed without security in mind.
• Information such as user names and passwords is transmitted in clear text, e.g., Telnet, SMTP, POP, IMAP, FTP, etc.
• If an attacker can capture the traffic used by these protocols, he/she can see this information easily.
• Sniffing takes place mainly in Layer 1. Higher-level protocols have no way to detect the occurrence of sniffing. In other words, they won’t tell the user, “Your password has been sniffed!”

Page 6: White-Hat Sniffer

• Many security tools capture network traffic, extract information from the packets, and look for malicious patterns in the traffic.
• Snort – “Sniffer on Steroids”
  – Started as a sniffer
  – Has packet sniffer, packet logger, and IDS modes

Page 7: Packet Sniffing

• Listens on or “sniffs” packets on a network segment.
• The network interface card (NIC) is in promiscuous mode so that it sees all packets on the network wire, not just those addressed to the host on which it is installed.

Page 8: Normal Mode

Page 9: Promiscuous Mode

Page 10: Passive vs Active Sniffing

• Traditionally, sniffing was straightforward and relatively easy when computers were mostly connected to network hubs.
• The increasing use of network switches changes the sniffing landscape because in a switched network, the switch connects two computers whenever they need to communicate with each other (e.g., Alice to Bob in the previous figure). No other computers are involved in or have visibility into this communication.
• A switch achieves this by keeping a table of mappings between the MAC addresses of computers on the network and the switch ports to which they are connected.
• Broadcast only occurs the first time a computer contacts the switch to initiate communication with other computers.

Page 11: Passive vs Active Sniffing

• Switches enhance the defense against sniffing because each broadcast domain is limited to two computers.
• However, it is still possible to sniff by attacking the switch.
  – MAC flooding forces a switch to revert to “hub mode” so that all computers are within one broadcast domain again.
  – ARP poisoning tricks the switch into thinking that the attacker’s computer is part of the legitimate communication.

Page 12: Components of a Sniffer

• Capture driver
• Buffer
• Decoder
  – Interprets binary information and then displays it in a readable format.
• Packet analyzer
  – Sniffers usually provide real-time analysis of captured packets.

Page 13: Capture Drivers

• An operating system handles the low-level details and provides protocol stacks for network communications.
• However, using the OS’s native network functionality for capturing involves complex interfaces and semantics.
  – Sniffers thus want direct access to the raw network data, without interference from the OS’s protocol stacks.
• Capture drivers must be installed before you can install sniffers.


Page 15: Capture Drivers

Page 16: Capture Drivers

• The Packet Capture (pcap) library provides a common API for programmers.
• WinPcap (Windows)
  – Contains the Windows version of the well-known libpcap Unix API.
  – Packet capture and filtering engine of many open source and commercial network tools.
  – http://www.winpcap.org/install/default.htm
• libpcap (Unix/Linux)
  – http://www.tcpdump.org/

Page 17: Wireshark

• Wireshark
  – Formerly Ethereal (http://www.ethereal.com/)
  – Why the change: http://trends.newsforge.com/article.pl?sid=06/06/09/1349255&from=rss; http://www.internetnews.com/dev-news/article.php/3628426
  – Easier to read and understand output format.
  – Rich display filters.
  – Extensive support for many OSes, protocol formats, and media.
• Obtaining Wireshark
  – http://www.wireshark.org/download.html

Page 18: TCPDump Syntax

• Wireshark’s capture filters use the pcap library’s filter mechanism. These filters are often called tcpdump filters.
• The filter syntax itself is documented in the tcpdump manual page (manpage).
• Any program that uses pcap, like tcpdump or Wireshark, can use this filter syntax.
• Only packets that match the expression are captured/displayed.
  – If no expression is given, all packets will be captured/displayed.

Page 19: Filters

• There are two types of filters in Wireshark.
  – Capture filters work during packet capturing. They let you be selective about what kinds of packets to capture for analysis. This reduces the size of capture files and eliminates irrelevant packets (which can be numerous). On busy networks with slow computers, this may be the only way for the sniffer to keep up with the traffic.
  – Display filters work when you do analysis. They help to reduce the clutter in the interface and facilitate analysis. They don’t eliminate captured packets. You can see all captured packets again by removing the filters.
• Important: The two types have different syntax!

Page 20: Wireshark Capture Filters

• Wireshark’s capture filters use the libpcap library’s filter mechanism. These filters are often called tcpdump filters.

• The filter syntax itself is documented in the tcpdump manual page (manpage).

• Any program that uses libpcap, like tcpdump or Wireshark, can use this filter syntax.

• Only packets that match the expression are captured.

Page 21: Capture Filter Examples

• To capture only those packets that originate from (or are destined to) an IP address, use the src (or dst) keyword modifier, e.g.,
  – src host 192.168.1.1 (or src 192.168.1.1)
  – dst host 192.168.1.255 (or dst 192.168.1.255)
• Packets can be filtered based on the MAC address by using the ether modifier, e.g.,
  – ether host ff:ff:ff:ff:ff:ff (or ether dst host ff:ff:ff:ff:ff:ff)
  – ether src host 00:f9:06:aa:01:03
  – ether src 00:f9:06:aa:01:03

Page 22: Capture Filter Examples

• To capture packets sent from or to a certain port:
  – port 53 (all DNS traffic)
  – tcp port 53 (TCP DNS traffic only)
  – udp dst port 53 (queries sent to DNS server)
  – udp src port 53 (replies from DNS server)

Page 23: Numeric Operators - Capture

• >          Greater Than
• >=         Greater Than or Equal To
• <          Less Than
• <=         Less Than or Equal To
• == (or =)  Equal To
• !=         Not Equal To
• Bit-wise operators also available

Page 24: Logical Operators - Capture

• Used to create complicated filters.
  – Operator not – reverses the value of a test.
  – Operator and – all of the conditions in a test are true.
  – Operator or – either one of the two conditions is true.
• Operators and and or have the same precedence; they are evaluated in the order in which they are listed in the capture filter.
  – Use parentheses to have the conditions evaluated in the order that fits your needs.
  – (src 192.168.1.25 and port 80) or port 20 (HTTP traffic on the host 192.168.1.25 plus all FTP-data traffic on the network)
  – src 192.168.1.25 and (port 80 or port 20) (HTTP and FTP-data traffic on the host 192.168.1.25 only)
• Parentheses can also be used to make the filter easier to understand.

Page 25: Logical Operators - Capture

• To capture any TCP or UDP packets with a source or destination port of 53:
  – port 53
• To capture everything except TCP or UDP packets with a source or destination port of 53:
  – not port 53
• To capture telnet packets to or from the host www.unt.edu:
  – host www.unt.edu and port telnet
• To combine a port telnet or port ssh test with a test for the www.unt.edu host, you use and, but you also need to use parentheses:
  – host www.unt.edu and (port telnet or port ssh)

Page 26: Protocol Keywords - Capture

• arp      Address Resolution Protocol
• icmp     Internet Control Message Protocol
  – For example, to capture all ICMP packets: icmp
• ip       Internet Protocol
• ip6      Internet Protocol version 6
• netbeui  NetBIOS Extended User Interface
• tcp      Transmission Control Protocol
• udp      User Datagram Protocol

Page 27: Saving Capture File

• Wireshark can save captured packets to a file in several different formats.
  – You can even choose to save all packets or a subset of the packets.
• These capture files can then be opened by the associated programs.
  – Compatible programs include TCPDump, Microsoft Network Monitor, Novell LANalyzer, etc.
• Select File | Save As. The Save Capture File As dialog box will appear.
  – This dialog box allows you to choose the file format and the location where you would like to save the file.

Page 28: Wireshark Interface

• Summary
• Protocol Tree
• Data View

Page 29: Summary Pane

• Displays a summary of each packet in the capture, one per line. One or more columns of summary data for each packet will be displayed. Typical columns:
  – Frame number.
  – The time from the beginning of the capture to the time when the packet was captured (in seconds).
  – Highest-level source address. This will frequently be the IP (Internet Protocol) source address, but may also be a MAC or other address.
  – Destination address.
  – The highest-level protocol decoded.
  – Information that was determined by the highest-level decode to be useful or informative.

Page 30: Protocol Tree Pane

• For each protocol there is a tree node summarizing the protocol, which can be expanded to show the values of that protocol’s fields.
• For any given node that has a subtree, we can expand its subtree to reveal more information, or collapse it to show only the summary.
• When a field in the Protocol Tree window is selected, the bytes corresponding to that field are highlighted in the Data View window.

Page 31: Data View Pane

• Contains a series of rows.
• Each row begins with a four-digit number representing the number of bytes by which the first octet in that row is offset from the beginning of the packet.
• This offset is then followed by sixteen two-character hexadecimal bytes.
• The last item in each row is a series of sixteen ASCII characters representing the same 16 bytes from the packet.
• Not all bytes are conveniently displayable in ASCII. For those bytes a period (.) is substituted as a placeholder.
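The Data View layout described on this slide, together with the field-to-bytes highlighting from the Protocol Tree slide before it, as an added Python example (not part of the slides or of Wireshark’s own code): it renders a constructed Ethernet frame as offset, hex and ASCII columns and maps each Ethernet header field to the byte range the pane would highlight. The sample frame, the function names and the Ethernet-only decoder are assumptions made for illustration.

```python
import string

PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")

# Constructed sample frame (not from a real capture): a 14-byte Ethernet header with
# a broadcast destination and EtherType 0x0800 (IPv4), then a made-up ASCII payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff00f906aa01030800")
                + b"GET / HTTP/1.0\r\nHost: example\r\n\r\n")

def data_view_rows(packet, width=16):
    """Render bytes the way the Data View pane does: a four-digit hex offset,
    sixteen two-character hex bytes, then the same bytes as ASCII with a
    period standing in for every byte that is not printable."""
    rows = []
    for offset in range(0, len(packet), width):
        chunk = packet[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)
        # Pad the hex column so the ASCII column still lines up on a short last row.
        rows.append(f"{offset:04x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return rows

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ethernet_fields(packet):
    """The protocol-tree view of the Ethernet header: each field's decoded value
    plus the (offset, length) of the bytes the Data View highlights when that
    field is selected in the tree."""
    if len(packet) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return {
        "eth.dst": (mac(packet[0:6]), 0, 6),
        "eth.src": (mac(packet[6:12]), 6, 6),
        "eth.type": (f"0x{int.from_bytes(packet[12:14], 'big'):04x}", 12, 2),
    }

def highlighted_bytes(packet, field):
    """The raw bytes the Data View would highlight for a protocol-tree field."""
    _, offset, length = ethernet_fields(packet)[field]
    return packet[offset:offset + length]
```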

Page 32: Display Filters

• For almost every item you see in the protocol tree in the middle pane of Wireshark’s GUI, Wireshark has a field name that you can use in a display filter.

• If you highlight a field in the Wireshark GUI, Wireshark will provide the display-filter field name in the right-hand side of the status bar at the bottom of the GUI.

Page 33: Filter Bar

• A display filter uses the TCPDump syntax to define conditions for including a packet in the Summary window.

• Only packets that match the display filter string will be displayed.

Page 34: Display Filters

• > or gt    Greater Than
• >= or ge   Greater Than or Equal To
• < or lt    Less Than
• <= or le   Less Than or Equal To
• == or eq   Equal To
• != or ne   Not Equal To
• contains   A string or byte string is found within another

Page 35: Display Filter Examples

• Packets to (or from) a certain IP address (or host name)
  – ip.src == 192.168.1.25
  – ip.dst == www.ethereal.com

Page 36: Logical Operators - Display

• Used to create complicated filters.
  – Operator not – reverses the value of a test.
  – Operator and – both conditions in a test are true.
  – Operator or – either one of the two conditions is true.
• Examples
  – ip.src == 192.168.1.1 and ip.dst == 192.168.1.25
  – ip.addr == 192.168.1.1 or ip.addr == 192.168.1.25

Page 37: Logical Operators - Display

• Operators and and or have the same precedence.
  – They are evaluated in the order in which they are listed in the filter.
• Use parentheses to have the conditions evaluated in the order that fits your needs.
  – not eth.dst eq ff:ff:ff:ff:ff:ff and ip.len gt 1000
    • All IP packets with a length greater than 1000 bytes, but not broadcasts.
    • No broadcast packets will be shown.
  – not (eth.dst eq ff:ff:ff:ff:ff:ff and ip.len gt 1000)
    • All IP packets except those broadcast packets with a length greater than 1000 bytes.
    • Broadcast packets with a length of 1000 bytes or less will be shown.
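The two filters above differ only in their parentheses; as an added Python example (not from the slides or from Wireshark), this toy evaluator for the display-filter subset used on these slides (relations in either spelling, not/and/or, parentheses, ip.addr, a bare field name for “is present”) runs both over four constructed packets so the difference shows up in which frames survive, and the same left-to-right rule is the one the capture-filter examples on page 24 rely on. The sample packets, the function names and the equal-precedence, left-to-right evaluation are assumptions taken from the slides’ description; consult the real tool’s manual page for its exact precedence rules.

```python
import operator
import re
# Constructed sample packets (not a real capture): only the field values a display
# filter reads, named the way Wireshark exposes them (eth.dst, ip.src, ip.dst, ip.len).
def packet(frame, eth_dst, ip_src, ip_dst, ip_len):
    return {"frame": frame, "eth.dst": eth_dst, "ip.src": ip_src, "ip.dst": ip_dst, "ip.len": ip_len}
PACKETS = [
    packet(1, "ff:ff:ff:ff:ff:ff", "192.168.1.1", "192.168.1.255", 1400),  # large broadcast
    packet(2, "ff:ff:ff:ff:ff:ff", "192.168.1.1", "192.168.1.255", 60),    # small broadcast
    packet(3, "00:f9:06:aa:01:03", "192.168.1.25", "192.168.1.1", 1500),   # large unicast
    packet(4, "00:f9:06:aa:01:03", "192.168.1.25", "192.168.1.1", 80),     # small unicast
]
TOKEN = re.compile(r"\(|\)|[^\s()]+")
# Both spellings of each relation from the slides map to the same test.
OPS = {"==": operator.eq, "eq": operator.eq, "!=": operator.ne, "ne": operator.ne,
       ">": operator.gt, "gt": operator.gt, "<": operator.lt, "lt": operator.lt,
       ">=": operator.ge, "ge": operator.ge, "<=": operator.le, "le": operator.le,
       "contains": lambda actual, expected: str(expected) in str(actual)}
def field_values(pkt, name):
    if name == "ip.addr":  # convenience field: matches either source or destination
        return [v for v in (pkt.get("ip.src"), pkt.get("ip.dst")) if v is not None]
    return [pkt[name]] if name in pkt else []

def compare(rel, actual, expected):
    if isinstance(actual, int) and rel != "contains":  # numeric fields compare as numbers
        expected = int(expected)
    return OPS[rel](actual, expected)

def expression(tokens, pkt):
    # expr := term (("and" | "or") term)*, evaluated left to right with equal
    # precedence as the slides state; parentheses are the way to override that.
    value = term(tokens, pkt)
    while tokens and tokens[0] in ("and", "or"):
        op = tokens.pop(0)
        rhs = term(tokens, pkt)
        value = (value and rhs) if op == "and" else (value or rhs)
    return value

def term(tokens, pkt):
    tok = tokens.pop(0)
    if tok == "not":  # negation applies only to the single term that follows it
        return not term(tokens, pkt)
    if tok == "(":
        value = expression(tokens, pkt)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("missing closing parenthesis")
        return value
    if not tokens or tokens[0] not in OPS:  # a bare field name means "is present"
        return bool(field_values(pkt, tok))
    rel, expected = tokens.pop(0), tokens.pop(0)
    return any(compare(rel, v, expected) for v in field_values(pkt, tok))

def matching_frames(filter_text, packets=PACKETS):
    return [p["frame"] for p in packets if expression(TOKEN.findall(filter_text), p)]
```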

Page 38: Filter Expression Dialog Box

• Wireshark provides a user interface to let you see the available protocols and fields and construct a display filter.
• From the Display Filter window, click the Add Expression button.
• Filter Expression dialog box
  – On the left is a list of all protocols.
  – Each protocol that has fields can be opened by clicking on the square next to the protocol’s name.
  – A list of the protocol’s fields will be displayed.
  – When a field name is selected in the list, the relations that apply to that field are shown in the Relation list.
    • The relations are: is present, ==, !=, >, <, >=, <=, and contains.

Page 39: Filter Expression Dialog Box

• The default relation is “is present”, which does not require any other value to compare against.
• But if you select another relation, one that does require a comparison value, then a Value text entry box appears to the right of the Relation list.
• If the field can be sliced into ranges, then a Range text entry box appears under the Relation list.

Page 40: Filter Expression Dialog Box

Page 41: Filter Expression Dialog Box

• Once you click “Accept”, Wireshark will put the display filter in the Filter string text entry box of the Display Filter dialog box at the current location of your cursor.

• Thus, after creating one display filter, you could manually type a logical operator (and or or) into the Filter string text entry box and click Add Expression again.

Page 42: Follow TCP Stream