Transcript Comnet-Wireshark1

Communication Networks
Lab Session 1 :
Protocol Analysis using Wireshark
UNIVERSITEIT
GENT
Lab Session 1: Goals /Outline
1.
Operation of Wireshark and
illustration/discussion of Headers :




Ethernet Header
IP Header
TCP Header and TCP open/close
...
2.
Examples of how to use Wireshark to conduct
the exercises.
3.
Wireshark is a sniffer: security issue
4.
Individual Exercises: do it yourself
p. 2
Dept. of Information Technology - Ghent University
Vakgroep Informatietechnologie – Onderzoeksgroep IBCN
Lab Session 1: Wireshark

Wireshark: a freeware packet sniffer

www.wireshark.org



Used to be Ethereal
based on tcpdump
Functionality



Captures all packets on the wire
Analysis of the packet headers
Filtering is possible:



Based on sending, receiving hosts
Based on ports
Any other field of a packet
p. 3
Dept. of Information Technology - Ghent University
Vakgroep Informatietechnologie – Onderzoeksgroep IBCN
Lab Session 1: Goals /Outline
1.
Operation of Wireshark and
illustration/discussion of Headers :




Ethernet Header
IP Header
TCP Header and TCP open/close
...
2.
Examples of how to use Wireshark to conduct
the exercises.
3.
Wireshark is a sniffer: security issue
4.
Individual Exercises: do it yourself
p. 4
Dept. of Information Technology - Ghent University
Vakgroep Informatietechnologie – Onderzoeksgroep IBCN
Lab Session 1: example 1

In General, you receive:




tracefile = file with a number of packets, sniffed on
a network
network topology
Questions to be solved, using the tracefile
First example

Try to find out which command has generated this
tracefile…
“Ping –c 4 caesar.intec.ugent.be”
p. 5
Dept. of Information Technology - Ghent University
Vakgroep Informatietechnologie – Onderzoeksgroep IBCN
Lab Session 1: example 2

Next to the tracefile, we now also have the topology of the
network. This helps us to get the global picture.
p. 6
Dept. of Information Technology - Ghent University
Vakgroep Informatietechnologie – Onderzoeksgroep IBCN
Lab Session 1: example 2 (cont’d)
p. 7
Dept. of Information Technology - Ghent University
Vakgroep Informatietechnologie – Onderzoeksgroep IBCN
Lab Session 1: example 2 (cont’d)

GOAL : find-out the route to a destination
(and some additional info)






host running tracert sends IP-packet to destination with TTL = 1
first router : decrement TTL to 0, discard packet, ICMP time
exceeded back
hosts sends IP-packet to destination with TTL = 2
first router : decrement TTL to 1, second router : decrement TTL to 0,
discard packet, ICMP time exceeded back
…
Output:
C:\>tracert ugdns2.ugent.be
Tracing route to ugdns2.ugent.be [157.193.40.42]
over a maximum of 30 hops:
1
2
3
<1 ms
<1 ms
<1 ms
<1 ms
<1 ms
<1 ms
<1 ms
<1 ms
<1 ms
tacitus.intec.ugent.be [157.193.214.1]
157.193.212.254
ugdns2.ugent.be [157.193.40.42]
Trace complete.
Dept. of Information Technology - Ghent University
Vakgroep Informatietechnologie – Onderzoeksgroep IBCN
p. 8
Lab Session 1: Goals /Outline
1.
Operation of Wireshark and
illustration/discussion of Headers :




Ethernet Header
IP Header
TCP Header and TCP open/close
...
2.
Examples of how to use Wireshark to conduct
the exercises.
3.
Wireshark is a sniffer: security issue
4.
Individual Exercises: do it yourself
p. 9
Dept. of Information Technology - Ghent University
Vakgroep Informatietechnologie – Onderzoeksgroep IBCN
Lab Session 1: Security Issues


Sniffing = Receiving all packets in the network
Ethernet Hub vs. Ethernet Switch !


Hub = broadcast
Switch = Unicast
p. 10
Dept. of Information Technology - Ghent University
Vakgroep Informatietechnologie – Onderzoeksgroep IBCN
Lab Session 1: Security Issues (ct’d)

Application Data is being sent in the packet



No encryption in IP/TCP … !
=> Sending is inherently insecure
Example:


Telnet session...
Solution: Encryption in the Application Layer

Example:


SSH session ...
Also for other protocols:

HTTP / HTTPS ; POP over SSL ; …
p. 11
Dept. of Information Technology - Ghent University
Vakgroep Informatietechnologie – Onderzoeksgroep IBCN
Lab Session 1: Goals /Outline
1.
Operation of Wireshark and
illustration/discussion of Headers :




Ethernet Header
IP Header
TCP Header and TCP open/close
...
2.
Examples of how to use Wireshark to conduct
the exercises.
3.
Wireshark is a sniffer: security issue
4.
Individual Exercises: do it yourself
p. 12
Dept. of Information Technology - Ghent University
Vakgroep Informatietechnologie – Onderzoeksgroep IBCN
Lab Session 1: Exercises

Two main parts:



Introductory Exercises



Introductory Exercises
Transport and Application Layer Traces
Based on labs of the book
Provide the option to capture yourself, or to use the precaptured files. The latter is recommended.
Transport and Application Layer Traces


House-tailored exercises
Only pre-captured files are provided.
p. 13
Dept. of Information Technology - Ghent University
Vakgroep Informatietechnologie – Onderzoeksgroep IBCN
Lab Session 1: Exercises (cont’d)

Preparation:


Get the capture files from the Minerva site
If necessary, download and install Wireshark from:


Start Wireshark:


Run -> Wireshark
Load capture files, answer the questions




http://www.wireshark.org/download.html (useful @ home)
You cannot capture yourself in the PC-rooms, you are not entitled
to sniff the network cards.
Disable name lookups !!
Following TCP stream may be useful
Practical



Solutions after this first Wireshark session will be online
Reminder: the second Wireshark session is without documentation,
and should be handed in.
You can work together with 2, not with 10
p. 14
Dept. of Information Technology - Ghent University
Vakgroep Informatietechnologie – Onderzoeksgroep IBCN