Transcript Packet Analysis for Beginners

Packet Analysis Using Wireshark
for Beginners 22AF
Lisa Bock
Pennsylvania College of Technology
Monday October 5, 2015 9:30am - 10:45am
Track AF | Level 1 | Atlantic VI
Learning Objectives
•
•
•
•
Understand Traffic Capture and Analysis
Layers and Encapsulation
Explore the Wireshark interface
Examine Common Protocols
– TCP, HTTP, DNS, and FTP
UNDERSTAND TRAFFIC CAPTURE AND
ANALYSIS
Overview of Packet Analysis
• Packet analysis uses a packet sniffer
• Monitor and troubleshoot network traffic
• As data flows across the network
– Sniffer captures each packet and decodes the
packet's raw bits
– Showing the field values in the packet
according to the appropriate RFC or other
specification
Uses for Packet Analysis
•
•
•
•
•
•
•
Analyze network problems
Detect intrusion attempts
Identify network misuse
Content monitoring
Assess bandwidth utilization
Verify endpoint security status
Gather network statistics
Common Packet Analyzers
•
•
•
•
•
•
•
•
Cain and Abel
Carnivore – now NarusInsight
dSniff
ettercap
Ngrep
OmniPeek
Snoop
Tcpdump
Carnivore
Packet Capture
• Dependent on where you capture
• On a switch
– Packet sniffer will see only data going to
and from the switch to the capture
device
http://wiki.wireshark.org/CaptureSetup/Ethernet
Packet Capture
• Traffic on a wired switch
– Unicast, broadcast, or multicast.
• To see all traffic
– Port monitoring or SPAN
– Use a full duplex tap in line with traffic
http://wiki.wireshark.org/CaptureSetup/Ethernet
LAYERS AND ENCAPSULATION
The OSI Model
To understand packet analysis
you must understand the
encapsulation process
The OSI Model
• A seven-layer representation
• How data changes as each layer
provides services to the next layer
–Data encapsulates
–Data de-encapsulates
The OSI Model
PDU
Address
Data
Segment
Port
Packet
IP
Frame
Bits
MAC
EXPLORE THE WIRESHARK INTERFACE
Wireshark
• The tool for this lab is Wireshark
• Download and install Wireshark
–Install WinPCap if you are using
Windows
http://www.wireshark.org
Wireshark
• For a live capture
–Launch Wireshark
–Go to -> Capture Interfaces
–Click the name of an interface
–Start capturing packets on that
interface
Wireshark
Checkmark
the interface
you want to
capture
• Configure advanced features by clicking Options
• Select the interface with active packet exchange
The OSI Model
• In Wireshark, select any http frame and
you will see the layers 2-7
Frame
Packet
Segment
Data
For a review go to http://wiki.wireshark.org/Ethernet
Help in Wireshark
Easily find help in
Wireshark-including
Sample Captures
Capture Packets
• We will use pre-captured packets
• Review normal traffic
Capture Packets
• Once you open a capture you will see
three panes:
– Top: packet list of all of the packets
received during the capture session
– Middle: details of a single frame
– Bottom: the bytes of a single frame
EXAMINE COMMON PROTOCOLS - TCP
A TCP Example
• Normal traffic
• Three-way handshake packets 1,2,3
• Review
– Port numbers
– Flags
– SEQ ACK numbers
– Stream index
EXAMINE COMMON PROTOCOLS - UDP
UDP Example
• Connectionless Transport Layer service
• No handshake, sequencing or
acknowledgement
• Few problems occur with UDP
UDP Applications
• Commonly used in video streaming and
time-sensitive applications.
–
–
–
–
–
Domain Name System (DNS)
Routing Information Protocol (RIP)
Voice over IP (VoIP)
Trivial File Transfer Protocol (TFTP)
Domain Host Configuration Protocol (DHCP)
EXAMINE COMMON PROTOCOLS - DNS
DNS
• DNS is essential to any network
• Converts host names (google.com)
to an IP address (72.14.204.103)
• Client sends query to DNS server for
an IP address
• Server responds with information
– Or asks other DNS servers for the
information
DNS
• Transfers name information between DNS
servers
– DNS uses TCP in a zone transfer
• Look up other host names such as mail
exchange (MX) records
DNS
• All DNS packets have four (4) sections:
– Questions
– Answer Resource Records
– Authority Resources Records
– Additional Resource Records
DNS Packet Structure - Flags
If RD is set, it directs the
name server to pursue the
query recursively.
EXAMINE COMMON PROTOCOLS FTP
FTP – Grab a Pic
• Purpose of FTP is to transfer files over TCP
• Uses both ports 20 and 21
– Command channel is designated on port 21 for
the FTP server.
– To transfer data like directory contents or
files, a secondary channel, port 20 is used.
Reassemble the Streams
• Can reassemble and obtain content if data is not
encrypted
• Filter ftp-data traffic
• Right click follow TCP stream 74 and save the file
as raw data and click save as mystery.jpg
• Go to where you saved the file and open it!
EXAMINE COMMON PROTOCOLS HTTP
HTTP 1.1
Hypertext Transfer Protocol
 Actors in Web interaction
– HTML
– HTTP
– Browser and the Web Server
• HTTP is a stateless protocol
• Two types of HTTP messages
– Request and response
Hypertext Transfer Protocol
 Web page consists of objects
 Identified by a URL or URI
•
•
•
•
•
Request line (GET or POST methods)
Additional information about the request
Status code line
Header Fields
Data
HTTP Response Status Codes
•
•
•
•
2xx:
3xx:
4xx:
5xx:
Success
Redirection
Client Error
Server Error
QUESTIONS?
More Resources
• For more Packet Captures go to
http://www.netresec.com/?page=PcapFiles
• Wireshark Network Analysis, by Laura Chappell,
Chappell Binding
• Practical Packet Analysis: Using Wireshark to
Solve Real-World Network Problems, by Chris
Sanders, No Starch Press, Incorporated
• Article on using Wireshark to troubleshoot
Rational problems
On IBMi
• Install the QSPTLIB library which is
available as a save file PTF
–
–
–
–
–
V5R2M0
V5R3M0
V5R4M0
V6R1M0
V7R1M0
-
SE06946
SE16633
SE24152
SE32507
SE45610
• Use a binary FTP transfer and load the
save file onto the IBMi system.
On IBMi
• Restore the library
– RSTLIB SAVLIB(QSPTLIB) DEV(*SAVF)
SAVF(QGPL/QSE45610)
• Run Trace Connection command (x's are
the IP address of the remote system)
TRCCNN SET(*ON) TRCTYPE(*IP) TRCTBL(TRCCNNIP) SIZE(998000)
TCPDTA(*N () () *N 'xxx.xxx.xxx.xxx')
On IBMi
• Turn off tracing.
– TRCCNN SET(*OFF) TRCTBL(TRCCNNIP) CCSID(*ASCII)
• Output is a spooled file called QSYSPRT.
• Run to access support tools menu:
– ADDLIBLE SPTLIB
– SPT
On IBMi
• Option 12 to displays the Communications
Trace menu.
• Option 15 to converts the spooled trace to
a CAP file.
– CVTTRCCNN SPLF(QSYSPRT * *LAST)
OUTF('/lisa_traces/mystery-trace.cap')
• Copy out to a machine running Wireshark
Lynda.com
• See my course on Lynda.com!
• Troubleshooting your Network with Wireshark