Introduction to Packet Sniffing
-
8/6/2019 Introduction to Packet Sniffing
1/63
Introduction to Packet Sniffing using Ethereal 0.10.9
Rob Bergin, Network Engineer
The Timberland Company
-
Non-Technical
Currently, data just travels around your network like a train. With a packet sniffer, you get the ability to capture the data and look inside the packets to see what is actually moving along the tracks.
-
Technical
-
Ethereal (and WinPcap)
Ethereal - application for sniffing packets
WinPcap - open source library for packet capture
Operating System - Windows & Unix/Linux
NPF device driver - network driver
(WinPcap runs as a protocol driver like TCP.SYS)
Network Card Drivers
-
WinPcap Architecture
WinPcap is an open source library for packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll, based on libpcap version 0.6.2).
The packet filter is a device driver that adds to Windows 95, 98, ME, NT, 2000, XP and 2003 the ability to capture and send raw data from a network card, with the possibility to filter the captured packets and store them in a buffer.
Packet.dll is an API that can be used to directly access the functions of the packet driver, offering a programming interface independent from the Microsoft OS.
Wpcap.dll exports a set of high-level capture primitives that are compatible with libpcap, the well-known Unix capture library. These functions allow packets to be captured in a way that is independent from the underlying network hardware and operating system.
WinPcap is released under a BSD-style license.
-
Ethereal Application
Requires WinPcap for Captures
Can run standalone to examine captures
-
A Capture
Frame 1 Frame 2 Frame 3 Frame 4 Frame 5 Frame 6
Let's define a capture as the period of time during which Ethereal captured data frames.
Frames can be assembled to examine application traffic.
-
Recap
Packet Sniffing
Ethereal
WinPcap Architecture
Data Frame
Network Capture
-
Basic TCP/IP Stuff
-
Interoperable TCP/IP
TCP/IP (Transmission Control Protocol/Internet Protocol) is a suite of network protocols.
TCP and IP are two separate protocols.
TCP handles the data (HTTP vs. FTP vs. Telnet).
IP handles the data transmission (i.e. between routers).
TCP/IP protocols were designed to allow different applications running on dissimilar operating systems to communicate across a network.
-
Watch your Headers
TCP / UDP
- Ports not Addresses
- Layer 4 not 3
- FTP uses 20 and 21
IP
- Addresses not Ports
- Layer 3 not 4
- 192.168.1.1 (octet)
-
TCP
TCP is a connection-oriented transport layer protocol designed to provide a reliable connection for data exchange between two systems.
TCP ensures that all packets are properly sequenced and acknowledged and that a connection is established before data is sent.
TCP provides its reliability through the use of an acknowledgement, or ACK.
-
TCP
If a receiving system had to send an ACK for every
packet, the result would be an incredible amount of
overhead for the network.
To reduce the overhead, a mechanism called
windowing is used.
Windowing is a method of flow control.
-
TCP
The receiving system advertises a certain number of packets that it can receive at a time (its input buffer size).
The sending system watches for an ACK after the designated number of packets has been sent.
If an ACK is not received, data will be retransmitted from the point of the last ACK.
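A small simulation of the windowing scheme described on these three slides, added here as an example (it is not code from the original deck); the set of bursts whose ACK goes missing is a constructed input:

```python
def send_with_window(total, window, lost_acks=()):
    """Simulate the windowing described in the slides.

    The sender transmits up to `window` packets after the last acknowledged
    one, then waits for a single cumulative ACK covering that burst.  If the
    ACK never arrives, everything after the last ACK is retransmitted.
    `lost_acks` holds the 1-based burst numbers whose ACK is lost (constructed
    input for the demo).  Returns (packets transmitted in order, ACKs seen).
    """
    sent, acks, last_ack, burst_no = [], 0, 0, 0
    while last_ack < total:
        burst_no += 1
        end = min(last_ack + window, total)
        sent.extend(range(last_ack + 1, end + 1))  # resume after the last ACK
        if burst_no in lost_acks:
            continue          # timeout: next pass retransmits from last_ack
        acks += 1
        last_ack = end        # one ACK covers the whole burst
    return sent, acks
```

With a window of 1 every packet needs its own ACK (the overhead case the slide warns about); with a window of 10 the same transfer needs a tenth as many.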
-
UDP
UDP (User Datagram Protocol) provides an unreliable, connectionless protocol to deliver packets.
This protocol allows messages, called datagrams, to be sent without the overhead of ACKs, established connections, and sequencing.
Applications that use UDP as their communications mechanism include NFS (2049), TFTP (79), DNS (53) and Unreal Tournament (7777).
-
IPv4
IP (Internet Protocol) is used to handle datagram services between hosts.
IP handles the addressing, routing, and reassembly.
IP addresses are 32 bits long and are organized into 4 octets (8 bits each) separated by periods.
IPv4 address example: 192.168.10.20.
IPv6 is a next generation form of addressing.
-
IPv6
-
What will IPv6 look like?
IPv6 Addresses:
CDFE:910A:2356:5709:8475:1024:3911:2021
2080:0000:0000:0000:0090:7AEB:1000:123A
Combo IPv4 and IPv6:
1800:0000:0000:7AEF:0000:0000:16.114.67.16
Compacted IPv6 Address:
2080:0:0:0:90:7AEB:1000:123A - Legal compaction
2080::90:7AEB:1000:123A - Legal compaction
1800::7AEF:0:0:1072:4310 - Legal compaction
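The compaction rules behind the slide's three "legal" forms, written out as an added example (not code from the original deck). It reproduces the slide's results, including the embedded IPv4 tail becoming 1072:4310, and it adds a value-based comparison because filters and access lists that match on the text of an address will miss the same host written in another legal form:

```python
import ipaddress
import re

def compact_ipv6(addr):
    """Compact an uncompressed IPv6 address the way the slide does.

    Accepts eight colon-separated 16-bit groups, or six groups followed by an
    embedded dotted-quad IPv4 address (the slide's 'combo' form).  Leading
    zeros are dropped from every group, the IPv4 tail becomes two hex groups,
    and the first longest run of two or more all-zero groups becomes '::'.
    Output is upper-case hex like the slide; ipaddress.compressed is lower-case.
    """
    parts = addr.split(":")
    if "." in parts[-1]:                       # embedded IPv4 tail
        octets = [int(o) for o in parts[-1].split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError("bad embedded IPv4 address: " + parts[-1])
        parts = parts[:-1] + ["%X" % (octets[0] << 8 | octets[1]),
                              "%X" % (octets[2] << 8 | octets[3])]
    if len(parts) != 8:
        raise ValueError("expected 8 groups, got %d" % len(parts))
    groups = []
    for p in parts:
        if not re.fullmatch(r"[0-9A-Fa-f]{1,4}", p):
            raise ValueError("bad group %r" % p)
        groups.append("%X" % int(p, 16))       # also strips leading zeros
    best_start, best_len, i = -1, 0, 0
    while i < 8:                               # first longest zero run wins
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1
    if best_len < 2:                           # a lone zero group stays ':0:'
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])

def same_address(a, b):
    """Compare two textual IPv6 addresses by value, not by string."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)

def agrees_with_stdlib(addr):
    """Cross-check our compaction against the standard library's canonical form."""
    return compact_ipv6(addr).lower() == ipaddress.IPv6Address(addr).compressed
```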
-
IPv4 vs. IPv6
IPv4 RFC came out in 1981.
IPv6 RFC came out in 1998.
[Chart: millions of Mobile Subscribers, PCs Connected to Web, and Mobile Internet Users, 1995 to 2004 (vertical axis 0 to 1600 millions). Sources: ABN AMRO/IDC/Ovum]
-
Recap
TCP vs. IP
Headers
- TCP
- UDP
- IP
IPv4 vs. IPv6
-
Ethereal Overview
-
View of Ethereal
Packet List
Packet Details
Packet Bytes
-
Packet List
Packet Order
Time Order
Source IP
Destination IP
Protocol
Information
-
Packet Details
Breakdown of the Frame, the Packet, the TCP portion
Source and Destination IP
Source and Destination TCP Ports
-
Packet Bytes
View of the data: hexadecimal and raw data
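What the Packet Details pane does with the Packet Bytes, as an added example that is not part of the original slides: the bytes of a frame are walked header by header (Ethernet, then IPv4 for the addresses, then TCP for the ports) down to the application payload. The frame itself is constructed with the slides' addresses and ports; the "USER demo" login line is made up and simply shows why an FTP username is readable in a capture:

```python
import socket
import struct

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame for the demo (checksums
    left at zero, since nothing here validates them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 64240, 0, 0)
    return eth + ip + tcp + payload

def dissect(frame):
    """Break a frame down the way Ethereal's Packet Details pane does:
    Ethernet -> IPv4 (addresses) -> TCP (ports, flags) -> application payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("bad IPv4 header")
    ip = ip[:total_len]                  # drop any Ethernet trailer/padding
    if proto != 6:
        raise ValueError("not TCP: IP protocol %d" % proto)
    tcp = ip[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    return {"ip.src": socket.inet_ntoa(src), "ip.dst": socket.inet_ntoa(dst),
            "tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
            "tcp.flags": flags, "payload": tcp[data_off:]}

# Constructed FTP login packet using the slides' client/server addresses and ports.
FTP_USER_FRAME = build_frame("172.17.22.56", "207.46.133.140", 3511, 21, b"USER demo\r\n")
```

Because FTP carries the username and password as plain text in the payload, anyone positioned to capture the frames sees them; the HTTP vs. HTTPS slides later in the deck make the same point for the web.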
-
Ethereal Capture
-
Running Ethereal
-
Ethereal Analysis
-
Logging on to FTP Server
-
What Ethereal saw
-
What Ethereal saw
-
What Ethereal saw
-
What Ethereal saw
-
What Ethereal saw
-
Filtering!!!!
-
Saving Captures
Captured Views
Range of Packets
All Packets
Naming is critical: was it the client? Was it the server?
-
After Filter/Save/Open
-
Time Column & Delta
-
FTP Only Filter
-
Ethereal Packet Analysis
-
What Username?
-
Is Password Required?
-
What Password?
-
Why can't I log in?
-
Follow the Stream
-
Advanced Filtering
Filter for just that stream:
(ip.addr eq 207.46.133.140 and ip.addr eq 172.17.22.56) and (tcp.port eq 21 and tcp.port eq 3511)
Filter for traffic between two hosts:
ip.addr == 207.46.133.140 and ip.addr == 172.17.22.56
Filter for IP traffic and removal of other traffic:
ip and !(nbns) and !(msnms) and !(browser) and !(rip)
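To make the semantics of these three filters concrete, here is an added example (not code from the deck or from Ethereal) that evaluates the subset of the display-filter language the slide uses over a few constructed packets. The key behaviour it reproduces is that `ip.addr eq X` is true when X is either the source or the destination, which is why the second filter keeps both directions of a conversation and why the first filter needs the port pair to isolate one stream:

```python
import re
def _has(pkt, field, value):
    # True if ANY occurrence of the field matches: 'ip.addr eq X' selects
    # packets sent to X as well as packets sent by X.
    return any(str(v) == value for v in pkt.get(field, []))
def compile_filter(filt):
    """Turn a display filter (subset: 'field eq value', 'field == value', bare
    protocol names, and/or, '!' and parentheses) into a packet predicate."""
    toks = re.findall(r"\(|\)|!|==|[^\s()!]+", filt)
    peek = lambda: toks[0] if toks else None
    def take():
        if not toks:
            raise ValueError("filter ended early")
        return toks.pop(0)
    def atom():
        t = take()
        if t == "(":
            node = expr()
            if take() != ")":
                raise ValueError("missing ')' in filter")
            return node
        if t == "!":
            inner = atom()
            return lambda p: not inner(p)
        if peek() in ("eq", "=="):
            take()
            value = take()
            return lambda p, f=t, v=value: _has(p, f, v)
        return lambda p, name=t: name in p["protos"]   # bare protocol name
    def expr():
        node = atom()
        while peek() in ("and", "or"):   # equal precedence, left to right
            op, l, r = take(), node, atom()
            node = (lambda p, l=l, r=r: l(p) and r(p)) if op == "and" else (lambda p, l=l, r=r: l(p) or r(p))
        return node
    node = expr()
    if toks:
        raise ValueError("unexpected token %r" % toks[0])
    return node

# Constructed packets modelled on the slides' FTP session (client 172.17.22.56
# port 3511, server 207.46.133.140 port 21) plus the LAN chatter the third filter hides.
PACKETS = [
    {"protos": {"ip", "tcp", "ftp"}, "ip.addr": ["172.17.22.56", "207.46.133.140"], "tcp.port": [3511, 21]},
    {"protos": {"ip", "tcp", "ftp"}, "ip.addr": ["207.46.133.140", "172.17.22.56"], "tcp.port": [21, 3511]},
    {"protos": {"ip", "tcp", "http"}, "ip.addr": ["172.17.22.56", "207.46.133.140"], "tcp.port": [3512, 80]},
    {"protos": {"ip", "udp", "nbns"}, "ip.addr": ["172.17.22.56", "172.17.22.255"], "udp.port": [137, 137]},
    {"protos": {"ip", "udp", "rip"}, "ip.addr": ["172.17.22.1", "224.0.0.9"], "udp.port": [520, 520]},
]
def matching(filt):
    return [i for i, p in enumerate(PACKETS) if compile_filter(filt)(p)]
```

`matching()` returns the indices of the packets Ethereal's packet list would keep for a given filter.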
-
Summary Info
-
Ethereal: Encryption
-
HTTP
-
HTTPS
-
HTTP vs. HTTPS
-
HTTP vs. HTTPS
-
HTTP vs. HTTPS
-
TCP Stream vs. HTML Source
-
Ethereal: Miscellaneous
-
Protocol Hierarchy
-
I/O Graphing
-
HTTP Breakdown
-
Coloring Packets
-
Commercial Sniffers
Sniffer Pro
OmniPeek
Observer
IT Guru and ACE
-
Final Words
"If you can't measure it, you can't manage it."
- Peter Drucker