Packets and Protocols (PowerPoint download)

Packets and Protocols
Chapter Two: Introducing Wireshark
What is Wireshark?
  – An open source, freeware-licensed protocol analyzer
  – Works in promiscuous and non-promiscuous modes
  – Can capture data live or read it from a file
  – Configurable GUI that is easy to read
  – Supports multiple capture file formats for import and export (25 different formats)
  – Can capture wired or wireless data
  – Supports 750 protocols (we won’t cover them all)
  – Runs on over 20 different platforms
Jerry Combs invented Ethereal in 1997 out of the need for an analysis tool
  – 1st version released in 1998 and was a huge hit
  – Prior to this, Network General’s Sniffer tool dominated
Its primary strength is its large support of sniffer file formats and protocols
  – There is a ridiculously large list of file formats and supported protocols on pages 55-58
The User Interface

Summary Pane:
• Packet number
• Time
• Source Address (SA)
• Destination Address (DA)
• Name of highest-level protocol
• Information on highest-level protocol
The User Interface

Detail Pane:
• Tree-like structure that details each layer of each packet
• Analyzes the packets within each protocol
The User Interface

Data Pane:
• Contains the raw data
• Data displayed in hex and in text
Analysis filters
  – The recommended technique is to capture with no filters and then filter the capture file
  – There are many ways to filter this data, either during the capture or during the display
Internet Protocol (IP) display filter fields

Field                          Field Name                          Type
ip.addr                        Source or Destination Address       IPv4 address
ip.checksum                    Header checksum                     Unsigned 16-bit integer
ip.checksum_bad                Bad Header checksum                 Boolean
ip.dsfield                     Differentiated Services field       Unsigned 8-bit integer
ip.dsfield.ce                  Explicit Congestion Notification    Unsigned 8-bit integer
ip.dsfield.dscp                Differentiated Services Codepoint   Unsigned 8-bit integer
ip.dst                         Destination                         IPv4 address
ip.flags                       Flags                               Unsigned 8-bit integer
ip.flags.df                    Don’t fragment                      Boolean
ip.flags.mf                    More fragments                      Boolean
ip.frag_offset                 Fragment offset                     Unsigned 16-bit integer
ip.fragment                    IP Fragment                         Frame number
ip.fragment.error              Defragmentation error               Frame number
ip.fragment.multipletails      Multiple tail fragments found       Boolean
ip.fragment.overlap            Fragment overlap                    Boolean
ip.fragment.toolongfragment    Fragment too long                   Boolean
ip.fragments                   IP fragments                        No value
ip.hdr_len                     Header length                       Unsigned 8-bit integer
ip.id                          Identification                      Unsigned 16-bit integer
ip.len                         Total length                        Unsigned 16-bit integer
ip.proto                       Protocol                            Unsigned 8-bit integer
ip.reassembled_in              Reassembled IP in frame             Frame number
ip.src                         Source                              IPv4 address
ip.tos                         Type of service                     Unsigned 8-bit integer
ip.tos.cost                    Cost                                Boolean
ip.tos.delay                   Delay                               Boolean
ip.tos.precedence              Precedence                          Unsigned 8-bit integer
ip.tos.reliability             Reliability                         Boolean
ip.tos.throughput              Throughput                          Boolean
ip.ttl                         Time-to-live                        Unsigned 8-bit integer
ip.version                     Version                             Unsigned 8-bit integer
Filter modifiers

Modifier                   Designator   Symbol
Equal                      EQ           ==
Not Equal                  NE           !=
Greater Than               GT           >
Less Than                  LT           <
Greater than or Equal to   GE           >=
Less than or Equal to      LE           <=
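An added example, not code from the slides or from Wireshark: a small evaluator for display-filter terms built from the ip.* fields and the six modifiers above, run over a constructed unfiltered capture to show the "capture everything, then filter the file" approach. The field subset, the `&&`-only combining and the tshark-like string records are assumptions; Wireshark's own filter engine is far richer.

```python
import ipaddress
import operator
import re

# Comparison modifiers from the slide's table: symbol or designator -> operator
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}
OPS.update({"eq": OPS["=="], "ne": OPS["!="], "gt": OPS[">"],
            "lt": OPS["<"], "ge": OPS[">="], "le": OPS["<="]})

# Field types taken from the ip.* table, used to coerce literals before comparing
FIELD_TYPES = {"ip.src": "ipv4", "ip.dst": "ipv4", "ip.addr": "ipv4",
               "ip.ttl": "uint", "ip.proto": "uint", "ip.len": "uint",
               "ip.flags.df": "bool", "ip.flags.mf": "bool"}

TERM = re.compile(r"^\s*(\S+)\s+(==|!=|>=|<=|>|<|eq|ne|gt|lt|ge|le)\s+(\S+)\s*$", re.I)

def coerce(field, literal):
    kind = FIELD_TYPES[field]  # unknown field -> KeyError, as Wireshark rejects it
    if kind == "ipv4":
        return ipaddress.ip_address(literal)
    if kind == "bool":
        return literal.lower() in ("1", "true")
    return int(literal)

def matches(expr, pkt):
    """Evaluate an '&&'-joined filter against one packet; ip.addr means src OR dst."""
    for term in expr.split("&&"):
        m = TERM.match(term)
        if not m:
            raise ValueError(f"bad filter term: {term!r}")
        field, op, lit = m.groups()
        fields = ["ip.src", "ip.dst"] if field == "ip.addr" else [field]
        want = coerce(field, lit)
        if not any(OPS[op.lower()](coerce(field, pkt[f]), want) for f in fields):
            return False
    return True

# Constructed unfiltered capture, shaped like `tshark -T fields` output (all strings)
CAPTURE = [
    {"ip.src": "10.0.0.5", "ip.dst": "192.0.2.10", "ip.ttl": "64", "ip.proto": "6", "ip.flags.df": "1"},
    {"ip.src": "192.0.2.10", "ip.dst": "10.0.0.5", "ip.ttl": "3", "ip.proto": "6", "ip.flags.df": "1"},
    {"ip.src": "10.0.0.7", "ip.dst": "10.0.0.255", "ip.ttl": "128", "ip.proto": "17", "ip.flags.df": "0"},
]

def apply_filter(expr, capture=CAPTURE):
    """Filter the saved capture after the fact, as the slide recommends; returns frame indexes."""
    return [i for i, pkt in enumerate(capture) if matches(expr, pkt)]
```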
Supporting programs
  – TShark
      A command-line version of Wireshark
  – Editcap
      Used to remove packets from a file, and to translate the format of capture files
  – Mergecap
      Merges capture files together
  – Text2pcap
      Reads text and converts it to a capture file
Placement of the sniffer is critical

Remote sniffer options
(diagram: sniffer PC running Windows RDP)
General network troubleshooting

1. Recognize the symptoms
2. Define the problem
3. Analyze the problem
4. Isolate the problem
5. Identify and test the cause of the problem
6. Solve the problem
7. Verify that the problem has been solved
General network troubleshooting

1. Recognize the symptoms
   • Very few problems are found by the administrators
   • Was a change made recently?
   • What is happening right now that is different?
General network troubleshooting

2. Define the problem
   • It sounds obvious, but you must know what the problem is before you solve it.
     • Single user? Multiple users?
     • LAN or WAN (or both)?
     • Single/multiple applications affected?
General network troubleshooting

3. Analyze the problem
   • Gather data
     • What does work?
     • For whom does it work?
     • Why is it working?
     • How does it differ?
General network troubleshooting

4. Isolate the problem
   • Isolation may be necessary so that the problem will not spread.
   • Can you disconnect a server, a link, a firewall?
General network troubleshooting

5. Identify and test the cause of the problem
   • Can the test be done “live”?
   • Can the test be done in a lab setting?
     • It is important not to make the problem worse.
General network troubleshooting

6. Solve the problem
   • Decide when the problem can be solved
     • Immediately?
     • Is a change window needed?
     • Who will need to be involved?
       • What teams? Management? SMEs?
General network troubleshooting

7. Verify that the problem has been solved
   • Test the solution
   • Monitor the solution to be sure it stays fixed
   • Document the problem!
You must also wear many hats!
The blame game
  – “System administrators are notorious for asking if there is something wrong with the network, and network administrators are notorious for saying the problem is within the system”
  It is not enough to prove the network isn’t the problem; you often have to fix the problem no matter what it is or where it is.
When troubleshooting, start from layer one and work up the protocol stack
  – How many are affected?
  – Did this work before? If so, what changed?
  – Do you have network connectivity?
  – Can you see the MAC address in the switch?
  – Can you ping the device?
  – Is TCP functioning? Is UDP functioning?
Scenario 1: SYN, no SYN+ACK

   If your Wireshark capture shows that the client is sending a SYN packet but no response is received from the server, the server is not processing the packet. It could be that a firewall between the two hosts is blocking the packet, or that the server itself has a firewall running on it.

Scenario 2: SYN, immediate RST response

   If your Wireshark capture shows that the server is responding with the reset (RST) flag, the destination server is receiving the packet but there is no application bound to that port. Make sure that your application is bound to the correct port on the correct IP address.

Scenario 3: SYN, SYN+ACK, ACK, connection closed

   If your Wireshark capture shows that the TCP connection is established and that it immediately closes, the destination server may be rejecting the client’s IP address due to security restrictions. On UNIX systems, check the TCP Wrappers files /etc/hosts.allow and /etc/hosts.deny and verify that you haven’t inadvertently blocked communication.
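An added example, not from the slides: a classifier that sorts a TCP conversation into the three scenarios above from the flag sequence you would read off Wireshark's Info column. The (direction, flags) record shape, the direction labels and the "first segment after the handshake tears it down" rule for Scenario 3 are assumptions of this example.

```python
# Each conversation is a constructed list of (direction, flags) pairs read off the Info
# column: "c" = client->server, "s" = server->client, flags joined with "+".

DIAGNOSIS = {
    "no_response": "Scenario 1: SYN sent, no SYN+ACK. Nothing answers, so a firewall in the "
                   "path or a host firewall on the server is probably dropping the packet.",
    "reset": "Scenario 2: SYN answered by RST. The server is reachable but no application is "
             "bound to that port; check the listener's port and bind address.",
    "closed_after_handshake": "Scenario 3: handshake completed, then the connection closed at "
                              "once. The server accepted and then rejected the client; on UNIX "
                              "check /etc/hosts.allow and /etc/hosts.deny.",
    "established": "Handshake completed and data followed; the TCP layer looks fine, so look "
                   "higher in the stack.",
}

def classify(conversation):
    """Return a scenario key for a conversation that starts with the client's SYN."""
    pkts = [(d, frozenset(f.split("+"))) for d, f in conversation]
    if not pkts or pkts[0] != ("c", frozenset({"SYN"})):
        return "not_a_connection_attempt"
    server = [i for i, (d, _) in enumerate(pkts) if d == "s"]
    if not server:                        # only the client's SYN (and retransmissions) seen
        return "no_response"
    first = server[0]
    if "RST" in pkts[first][1]:
        return "reset"
    if pkts[first][1] != {"SYN", "ACK"}:
        return "unexpected_server_reply"
    rest = [f for _, f in pkts[first + 1:]]
    if not rest or "ACK" not in rest[0]:  # client never completed the three-way handshake
        return "handshake_incomplete"
    if len(rest) > 1 and rest[1] & {"FIN", "RST"}:
        return "closed_after_handshake"   # first segment after the handshake tears it down
    return "established"

def diagnose(conversation):
    return DIAGNOSIS.get(classify(conversation), "Pattern not covered by the three scenarios.")

# Constructed sample conversations, one per scenario plus a healthy one
SAMPLES = {
    "blocked": [("c", "SYN"), ("c", "SYN"), ("c", "SYN")],
    "closed_port": [("c", "SYN"), ("s", "RST+ACK")],
    "tcpwrapped": [("c", "SYN"), ("s", "SYN+ACK"), ("c", "ACK"), ("s", "FIN+ACK"), ("c", "ACK")],
    "healthy": [("c", "SYN"), ("s", "SYN+ACK"), ("c", "ACK"), ("c", "PSH+ACK"), ("s", "ACK")],
}
```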
Using Wireshark for security administration
  – Wireshark has the ability to re-assemble packets, which allows you to piece together the conversation
      Detecting unauthorized web access
      Detecting internet chat activity
      Detecting on-line gaming
Wireshark as a Network Intrusion Detection System
  – Unauthorized connections
  – Unauthorized sweeps
  – Redirections to other ports/IPs
  – RDP usage from outside
      Mikogo
      pcAnywhere
      etc.
Optimizing your protocol analyzer
  – Have a fast enough PC
      CPU
      Memory
      Disk space
  – Match the NIC speed/duplex with the source of the traffic being gathered
  – Strip the extras down
      Failure to do so may result in lost data
        – Don’t update the list of packets in real time
        – No name resolution
        – Dump first using tcpdump/WinDump or TShark, then load into Wireshark
Advanced sniffing – Wireshark alternatives
  – DSNIFF – Used to dissect IDs/PWs
    ■ America Online (AOL) Instant Messenger (IM)
    ■ Citrix WinFrame
    ■ CVS
    ■ File Transfer Protocol (FTP)
    ■ HTTP
    ■ I Seek You (ICQ)
    ■ IMAP
    ■ IRC
    ■ Lightweight Directory Access Protocol (LDAP)
    ■ Remote Procedure Call (RPC) mount requests
    ■ Napster
    ■ Network News Transfer Protocol (NNTP)
    ■ Oracle SQL*Net
    …and others
Dsniff uses many techniques to gather password data
  – arpspoof – makes other devices think that your device is the default gateway
  – dnsspoof – redirects responses to DNS servers
  – mailsnarf – homes in on mail passwords
  – webspy – allows you to eavesdrop on web sessions
  – urlsnarf – saves all URLs crossing the wire
Other attacks
  – MITM – Can defeat SSH/HTTPS
  – Cracking – dictionary hacks, brute force
  – ARP spoofing – substitute your MAC for the default gateway’s (DG) MAC and you become the DG
  – MAC flooding – overloads switches so they act like hubs
  – Routing hacks – send false routes (e.g. a false default route)
Protecting your network from sniffers
  – Use switches, not hubs
  – Shut down unused ports
  – Do not allow more than one MAC per port
  – Turn on port security (labor intensive)
  – Physical security
  – SSH
      Secure TELNET replacement
  – SSL/HTTPS
      Secure replacement for HTTP
      Can be used as a VPN conduit
  – PGP
      Works with S/MIME to secure e-mail
Sniffer detection
  IPCONFIG/IFCONFIG
    – See if the NIC is running in promiscuous mode
  DNS lookups
    – Since sniffers can resolve DNS addresses, see who is doing most of your DNS lookups
  Latency
    – A consistently slow PC could be slow because it is running sniffer software
  Bugs
    – Sometimes sniffers display unique attributes
  NetMon
    – NetMon can detect other NetMon applications
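An added example, not from the slides: scripted versions of the first two checks above, the promiscuous-mode test and the "who does most of the DNS lookups" tally. Reading the kernel flags from /sys/class/net on Linux is this example's assumption (the scripted equivalent of looking for PROMISC in ifconfig output), and the DNS records are constructed in a simplified source/resolver/name form rather than any tool's exact format.

```python
import os
from collections import Counter

IFF_PROMISC = 0x100   # Linux IFF_PROMISC bit as exposed in /sys/class/net/<iface>/flags

def flags_say_promisc(flags_text):
    """Parse the hex flags value (e.g. '0x1103') and test the promiscuous bit."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """List interfaces whose kernel flags carry IFF_PROMISC; empty if sysfs is absent."""
    found = []
    if not os.path.isdir(sysfs_root):
        return found
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as fh:
                if flags_say_promisc(fh.read()):
                    found.append(iface)
        except OSError:   # entries without a flags file, or permission problems
            continue
    return found

# Constructed DNS query records: source address, resolver, queried name. A real run
# would export these from a capture instead.
DNS_LOG = """\
10.0.0.9 10.0.0.53 host-a.corp.example
10.0.0.5 10.0.0.53 mail.corp.example
10.0.0.9 10.0.0.53 host-b.corp.example
10.0.0.9 10.0.0.53 host-c.corp.example
10.0.0.7 10.0.0.53 intranet.corp.example
10.0.0.9 10.0.0.53 host-d.corp.example
"""

def dns_top_talkers(log_text, n=3):
    """Count DNS queries per source; a sniffer resolving every name it sees stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            counts[parts[0]] += 1
    return counts.most_common(n)
```

A host at the top of the DNS tally that has no business resolving many internal names is a candidate for the promiscuous-mode check.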

				
Posted 4/22/2012, 38 pages, language: English