Upload
lamphuc
View
255
Download
2
Embed Size (px)
Citation preview
8/8/2008
1
Drinking from the network hose
So What is WireShark?
• Packet sniffer/protocol analyzer• Open Source Network Tool• Latest version of the ethereal tool
8/8/2008
2
Source: www.fcc.gov
A packet is a “chunk” of data l d ienclosed in a wrapper
• What’s a network?• What’s an IP address?• What’s a MAC address?
Stuff we won’t cover
• What’s a router?• What do you mean capture?• Can this make Elite run faster?• What’s open source?• How can one man look so bald?
8/8/2008
3
Ok…why would I want to use it?• Analyze network problems (worms, viruses, malware, etc.)• Detect network intrusion attempts• Monitor network usage• Gather and report network statistics• Filter suspect content for management review• Spy on network users• Reverse engineer protocols and network applications• Debug client/server communicationsebug c e t/se e co u cat o s• Find chatty devices (like printers)• Find hacked computers on your network• Look for “heavy” users of the Internet• Find “missing” computers and devices• Determine network loads (after baselining of course)• Find misconfigured computers and devices• Identify non-used protocols that are turned on by accident• Learn more about how networks work• Identify application dependencies• Impress your friends with your inner geekdom
8/8/2008
4
libpcaplibpcap
Installation on Windows
• wireshark-setup.exe /S /desktopicon=yes /quicklaunchicon=no
N t B i i l d i t ll d ifNote: Be sure winpcap is already installed if you install by command line. During a GUI install, you have the option to install winpcap.
Help File• Version 1.0 of WireShark was recently
released. It is distributed with an older Helpfile (24665 ver 0.099.7). To get the latest help file, download it fromlatest help file, download it from www.wireshark.org separately.
8/8/2008
5
Installation on Linux
• CENTOS – yum install wireshark• Ubuntu – apt-get install wireshark• Red Hat – rpm –iv wireshark*rpm
• In most cases dependencies (like libpcap) are installed automatically…because Linux installers rock
tsharkC:\Program Files\Wireshark>tshark -helpTShark 1.0.0Dump and analyze network traffic.See http://www.wireshark.org for more information.
Copyright 1998-2008 Gerald Combs <[email protected]> and contributors.This is free software; see the source for copying conditions. There is NOwarranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Usage: tshark [options] ...
Capture interface:-i <interface> name or idx of interface (def: first non-loopback)-f <capture filter> packet filter in libpcap filter syntax-s <snaplen> packet snapshot length (def: 65535)-p don't capture in promiscuous mode-B <buffer size> size of kernel buffer (def: 1MB)-y <link type> link layer type (def: first appropriate)-D print list of interfaces and exit-L print list of link-layer types of iface and exit
Capture stop conditions:-c <packet count> stop after n packets (def: infinite)-a <autostop cond.> ... duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KBfiles:NUM - stop after NUM files
………..
8/8/2008
6
With traffic…
Summary Window
8/8/2008
7
Decode Window
HEX Window
Menu Bar
8/8/2008
8
Button Bar
Status Bar
8/8/2008
9
Status Bar
Location, Location, Location
Hub
8/8/2008
10
Hubs
• If you’re capturing on a hub you should see all traffic passing on layer 2 network
D l S d h b b d• Dual Speed hub = badThere are lots of issues with these due to internal caching of data. Stay away from them, or at least check the WireShark Wiki for ones that are known to work.
Switches• Switches isolate traffic• On a switch you will only see broadcast
traffic and traffic destined for the existing PCPC
• SPAN or Mirroring ports “copy” traffic from another port or group of ports
Switch with a SPAN port
8/8/2008
11
TAP
Which is better?
A h b TAP SPAN t?A hub, TAP or a SPAN port?
It dependsIt depends…
8/8/2008
12
HUBS
Switch
interface FastEthernet0/1port monitor FastEthernet0/2
VLAN Monitoring
interface FastEthernet0/1port monitor VLAN1
8/8/2008
13
Types of TAPs
• Copper & Optical• Conversion TAPs• Aggregator TAPs• Full-Duplex TAPs• Hub – Technically…a hub is a half duplex
TAP, but you may miss critical layer 1 events
Why to use a TAP• Physical layer errors aren’t seen by SPAN• SPAN increase the CPU on your switch• Timestamps are more accurate when using a
TAP• SPAN ports hide jitter (loss of synchronicity)• After 50% port utilization you begin to drop
packets (if you monitor both transmit & receive) – sometimes you can fix this
• They are non-intrusive• It makes you look really cool
ARP Cache Poisoning
8/8/2008
14
My rules of thumb
If you are concerned about a specific device, use a TAP.
If you want to see more then one device traffic use a SPAN port.
If it’s a busy line, use a TAP or you risk drops
Setting promiscuous mode
Simple Capture
8/8/2008
15
Capture Interfaces
Capture Options
Capture Filters (Pre-Filters)
• Capture filters (sometimes called pre-filters or ingress filters) watch all incoming traffic for specific patterns or characteristics Only data matching thecharacteristics. Only data matching the filter gets through
• The format is based on tcpdump filter language
8/8/2008
16
Capture Filter exampleshost 10.1.11.24This filter will capture all data where the ip address 10.1.11.24 appears in the packet source or
destination field.
host 192.168.0.1 and host 10.1.11.1This filter will capture all ip data between host 192.18.0.1 and 10.1.11.1.
tcp port httpThis filter will capture all http, (TCP port 80) traffic.
ipThis filer will capture all IP traffic, regardless of IP address.
not broadcast not multicastUh….hum….everything but broadcasts and multicasts ;)
ether host 00:04:13:00:09:a3All traffic from and to the MAC address defined above
Capture Filter
Capture Options
8/8/2008
17
Capture Interfaces
Interface Details: Characteristics
Interface Details: Statistics
8/8/2008
18
Interface Details: 802.3 (Ethernet)
Interface Details: Task Offload
Checksum
A checksum is a form of redundancy check, a simple way to protect the integrity of data by detecting errors in data that are sent through
space or time. It works by adding up the basic components of a message, typically the assorted bits, and storing the resulting value.
Anyone can later perform the same operation on the data, compare the result to the authentic checksum, and (assuming that the sums match)
conclude that the message was most likely not corrupted.
Source: Wikipedia.com
8/8/2008
19
Checksum offload
This can cause false positive i t k d Ifissues on some network cards. If
you see tons of incorrect checksum messages…turn off checksum
offload.
Turning off Checksum offloadOn Linux (as root)ethtool -K eth0 rx off tx off (choose correct network interface if not eth0)
On FreeBSD (as root):ifconfig em0 -rcxsum -tcxsum (choose correct network interface if not em0)
On MacOS (as root):sysctl -w net.link.ether.inet.apple_hwcksum_tx=0sysctl -w net.link.ether.inet.apple_hwcksum_rx=0
Turning off Checksum offload
8/8/2008
20
Stopping the Packet Capture
Filters
Display Filters (Post-Filters)
• Display filters (also called post-filters) only filter the view of what you are seeing. All packets in the capture still exist in the tracetrace
• Display filters use their own format and are much more powerful then capture filters
8/8/2008
21
Display Filter
Display Filter Examplesip.src==10.1.11.24 all ip traffic with the source address of 10.1.11.24
ip.addr==192.168.1.10 && ip.addr==192.168.1.20 Traffic which is between IP 192.168.1.10 and 192.168.1.20.
tcp.port==80 || tcp.port==3389 Traffic from any machine but it will only be TCP Port 80 (HTTP) or TCP Port 3389 (RDP)
!(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) Traffic except the traffic between these two machines.
(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && tcp.port==445 || tcp.port==139 SMB traffic between these two machines.
(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (udp.port==67 || udp.port==68) DHCP Traffic between these two machines
Protocol Hierarchy
8/8/2008
22
Protocol Hierarchy
Follow TCP Stream
Follow TCP Streamred - stuff you sent blue - stuff you get
8/8/2008
23
Expert Info
Expert Info
Conversations
8/8/2008
24
Conversations
IOGraphs
IOGraphs
8/8/2008
25
IOGraphs
IOGraphs
IOGraphs
8/8/2008
26
Flow Graphs
Flow Graphs
Flow Graphs
8/8/2008
27
Right Click Filtering
Right Click FilteringPrepare loads the Display filter box, but doesn’t apply it
Apply load they filter AND applies it
Export HTTP
8/8/2008
28
Export HTTP Objects
Triggered Stops
Triggered Stops
8/8/2008
29
Service Response Time - SMB
Service Response Time - SMB
Service Response Time - SMB
8/8/2008
30
VOIP
VOIP Calls
VOIP Call Graph
8/8/2008
31
VOIP RTP Player
SIP Analysis
SIP Analysis
8/8/2008
32
HTTP Analysis
HTTP Analysis – Load Distribution
HTTP Analysis – Packet Counter
8/8/2008
33
HTTP Analysis – Requests
TroubleShooting TCP
• Latency• Loss• Jitter• Jabber• Small Packets
Latency
The time it takes for a packet to travel from point a to point b
L t i ft thLatency is often the cause of “slow” networks
8/8/2008
34
Troubleshooting TCP Latency
T1
T1 is the time it took from the moment the syn was sent until the client received the syn/ack
This time is due to the wire latency + processing time of the IP stack on the server
T2
T2 is the time it took from receiving the SYN/ACK until the ACK is sent.
This time is the processing time of the IP stack on the client
8/8/2008
35
T3
T3 is the time it took from sending the ACK until the clients sends a GET.
This time is the processing time of the application on the client
T4
T4 is the time it took from sending GET until an ACK is received at the client.
This time is due to wire latency.
T5
T5 is the time it took from getting the ACK until data is received at the client.
This time is due the server application.
8/8/2008
36
TIPS• Time #1 & #4 should be small on a LAN application. If not, check
your network path, nic settings and throughput.• Time #2 is the client ip stack. Should be minimal. If not, check the
driver.• Time #3 is the client application. This time will undoubtedly vary
greatly between packets Talk to your developers if you see andgreatly between packets. Talk to your developers if you see and issue here.
• Time #5 is the server application. This time will also vary greatly, but generally if #5 is huge and #4 is really, really small look at delays caused by the server application. Start troubleshooting on the server by looking at CPU, bandwidth, memory and disk IO.
Jitter
Jitter is an unwanted variation of one or more characteristics of a periodic signal in electronics and telecommunications. Jitter may be seen in characteristics such as themay be seen in characteristics such as the interval between successive pulses, or the amplitude, frequency, or phase of successive cycles.
Source: Wikipedia.com
Jitter
8/8/2008
37
Jitter
Jitter
Jitter
8/8/2008
38
LOSS
Um…lost packets ☺
Source: me
LOSS
Jabber
• Jabber occurs when there are excessively long packets from a network device.
• This isn’t very common on IP only networks but is very common onnetworks, but is very common on multiprotocol networks
• Simply check for packet size
8/8/2008
39
Packet Size
Packet Length
Improving WireShark Performance
• Don’t use capture filters• Increase your read buffer size• Don’t update the screen dynamically• Get a faster computer• Use a TAP• Don’t resolve names
8/8/2008
40
Thank you