Capture Filters - College of Business « UNT
BCIS 4630 Fundamentals of IT Security
PACKET SNIFFING
Dr. Andy Wu
Sniffing
2
Overview
• Basics
– Promiscuous mode
– Capture driver
– TCPDump syntax
• Capture filter
• Wireshark GUI
• Display filter
3
Packet Sniffing
• A.k.a. network analysis, protocol analysis, packet
analysis
• The process of capturing network traffic and inspecting
it closely to determine what is happening on the
network.
• Display network traffic in human readable format.
• Can be a standalone hardware device with specialized software (http://www.cacetech.com/products/airpcap.htm?utm_source=Wireshark&utm_medium=banner&utm_term=horizontal&utm_campaign=Airpcap) or a software application (sniffer)
4
Dangers of Sniffing
• Many protocols were designed without security in
mind.
• Information such as user names and passwords is transmitted in clear text, e.g., Telnet, SMTP, POP, IMAP, FTP, etc.
• If an attacker can capture the traffic used by these
protocols, he/she can see this information easily.
• Sniffing takes place mainly in Layer 1. High level
protocols have no way to detect the occurrence of
sniffing. In other words, they won’t tell the user,
“Your password has been sniffed!”
5
White-Hat Sniffer
• Many security tools capture network traffic
and then extract information from the
packets and look for malicious patterns in
traffic.
• Snort – “Sniffer on Steroid”
– Started as a sniffer
– Has a packet sniffer, packet logger, and IDS
modes
6
Packet Sniffing
• Listens on or “sniffs” packets on a network segment.
• The network card (NIC) is in the
promiscuous mode so that it sees all
packets on the network wire, not just those
addressed to the host on which it is
installed.
7
Normal Mode
8
Promiscuous Mode
9
Passive vs Active Sniffing
• Traditionally, sniffing was straightforward and relatively easy because computers were mostly connected to network hubs.
• The increasing use of network switches changes the sniffing
landscape because in a switched network, the switch connects
two computers whenever they need to communicate with each
other (e.g., Alice to Bob in the previous figure). No other
computers are involved and have visibility into this
communication.
• A switch achieves this by keeping a table of mappings between
MAC addresses of computers on the network and the switch
ports to which they are connected.
• Broadcast only occurs the first time a computer contacts the
switch to initiate communication with other computers.
10
Passive vs Active Sniffing
• Switches enhance the defense against sniffing because each broadcast domain is limited to the two communicating computers.
• However, it still is possible to perform sniffing by
attacking the switch.
– MAC flooding forces a switch to revert to “hub mode”
so that all computers are within one broadcast domain
again.
– ARP poisoning tricks the switch into thinking that the
attacker computer is part of the legitimate
communication.
11
Components of a Sniffer
• Capture driver
• Buffer
• Decoder
– Interprets binary information and then displays
it in a readable format.
• Packet analyzer
– Sniffers usually provide real-time analysis of
captured packets.
12
Capture Drivers
• An operating system can handle the low-level details, and modern OSes provide protocol stacks for network communications.
• However, using the OS’ native network functionality for capturing involves complex interfaces and semantics.
– Sniffers thus want direct access to the raw network data, without interference from the OS’ protocol stacks.
• Capture drivers must be installed before you can install sniffers.
13
Capture Drivers
15
Capture Drivers
• The Packet Capture (pcap) library provides a
common API for programmers.
• Winpcap (Windows)
– Contains the Windows version of the well known
libpcap Unix API.
– Packet capture and filtering engine of many open
source and commercial network tools.
– http://www.winpcap.org/install/default.htm
• Libpcap (Unix/Linux)
– http://www.tcpdump.org/
16
Wireshark
• Wireshark
– Formerly Ethereal (http://www.ethereal.com/)
– Why the change (http://trends.newsforge.com/article.pl?sid=06/06/09/1349255&from=rss; http://www.internetnews.com/devnews/article.php/3628426)
– Easier to read and understand output format.
– Rich display filters.
– Extensive support for many OSes, protocol formats and
media.
• Obtaining Wireshark
– http://www.wireshark.org/download.html
17
TCPDump Syntax
• Wireshark’s capture filters use the pcap library’s
filter mechanism. These filters are often called
tcpdump filters.
• The filter syntax itself is documented in the
tcpdump manual page (manpage).
• Any program that uses pcap, like tcpdump or
Wireshark, can use this filter syntax.
• Only packets that match the expression are
captured/displayed.
– If no expression is given, all packets will be
captured/displayed.
18
Filters
• There are two types of filters in Wireshark
– The Capture Filters work during packet capturing. They let
you be selective in what kinds of packets to capture for
analysis. This reduces the size of capture files and
eliminates irrelevant packets (which can be numerous). On
busy networks with slow computers, this may be the only
way for the sniffer to catch up with the traffic.
– The Display Filters work when you do analyses. They help to reduce the clutter in the interface and facilitate analysis. They don’t eliminate captured packets. You can see all captured packets again by taking away the filters.
• Important: The two types have different syntax!
19
Wireshark Capture Filters
• Wireshark’s capture filters use the libpcap
library’s filter mechanism. These filters are
often called tcpdump filters.
• The filter syntax itself is documented in the
tcpdump manual page (manpage).
• Any program that uses libpcap, like tcpdump
or Wireshark, can use this filter syntax.
• Only packets that match the expression are
captured.
20
Capture Filter Examples
• To capture only those packets that originate from (or are destined to) an IP address, use the src (or dst) keyword modifier, e.g.,
– src host 192.168.1.1 (or src 192.168.1.1)
– dst host 192.168.1.255 (or dst 192.168.1.255)
• Packets can be filtered based on the MAC address by
using the ether modifier, e.g.,
– ether host ff:ff:ff:ff:ff:ff (or ether dst host ff:ff:ff:ff:ff:ff)
– ether src host 00:f9:06:aa:01:03
– ether src 00:f9:06:aa:01:03
21
Capture Filter Examples
• To capture packets sent from or to a certain
port,
– port 53 (all DNS traffic)
– tcp port 53 (TCP DNS traffic only)
– udp dst port 53 (queries sent to DNS server)
– udp src port 53 (replies from DNS server)
22
Numeric Operators - Capture
• > Greater Than
• >= Greater Than or Equal To
• < Less Than
• <= Less Than or Equal To
• == (or =) Equal To
• != Not Equal To
• Bit-wise operators also available
23
Logical Operators - Capture
• Used to create complicated filters.
– Operator not – reverses the value of a test.
– Operator and – both conditions in a test are true.
– Operator or – either one of the two conditions is true.
• Operators and and or have the same precedence; they are analyzed in the order that they are listed in the capture filter.
– Use parentheses to have the conditions evaluated in the order that fits your needs.
– (src 192.168.1.25 and port 80) or port 20 (HTTP traffic on the host 192.168.1.25 plus all FTP-data traffic on the network)
– src 192.168.1.25 and (port 80 or port 20) (HTTP and FTP-data traffic on the host 192.168.1.25 only)
• Parentheses also can be used to make the filter easier to understand.
24
Logical Operators - Capture
• To capture any TCP or UDP packets with a source or
destination port of 53
– port 53
• To capture everything except for TCP or UDP packets
with a source or destination port of 53
– not port 53
• To capture telnet packets to or from the host www.unt.edu
– host www.unt.edu and port telnet
• To combine a port telnet or port ssh test with a test for
the www.unt.edu host, you use and, but you also need to
use parentheses:
– host www.unt.edu and ( port telnet or port ssh)
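To see why the parentheses in the examples above matter, here is an added teaching example (not code from the slides or from libpcap): a toy evaluator for the capture-filter subset on this page, run over constructed sample packets. It follows the precedence rule stated above, "not" binding tightest and "and"/"or" sharing one level evaluated left to right, and does no hostname resolution, so the sample filters use IP addresses.

```python
# Added example (not code from the slides or from libpcap): a toy evaluator for the
# capture-filter subset on this page. As in pcap-filter(7), "not" binds tightest while
# "and" and "or" share one precedence level and associate left to right. No DNS lookups.
import re

PROTOCOLS = {"tcp", "udp", "icmp", "arp", "ip", "ip6"}
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80, "ftp-data": 20}
PACKETS = [dict(zip(("proto", "src", "dst", "sport", "dport"), row)) for row in [
    ("tcp", "192.168.1.25", "10.0.0.5", 51000, 80),   # constructed sample traffic
    ("tcp", "10.0.0.9", "192.168.1.30", 20, 51001),
    ("tcp", "192.168.1.25", "10.0.0.5", 51002, 22),
    ("udp", "192.168.1.25", "192.168.1.1", 51003, 53),
    ("tcp", "10.0.0.7", "10.0.0.8", 51004, 22)]]

def matches(expr, pkt):
    """True if packet dict `pkt` passes capture filter `expr`."""
    toks = re.findall(r"\(|\)|[^\s()]+", expr.lower())  # lower-casing also accepts "Src"
    peek = lambda: toks[0] if toks else None

    def expression():  # and/or: equal precedence, evaluated left to right
        result = unary()
        while peek() in ("and", "or"):
            op, right = toks.pop(0), unary()  # parse the right side even if already decided
            result = (result and right) if op == "and" else (result or right)
        return result

    def unary():
        if peek() == "not":
            toks.pop(0)
            return not unary()
        if peek() == "(":
            toks.pop(0)
            inner = expression()
            toks.pop(0)  # the closing ")"
            return inner
        return primitive()

    def primitive():
        proto = toks.pop(0) if peek() in PROTOCOLS else None
        if proto and peek() in (None, "and", "or", ")"):  # bare protocol test, e.g. "icmp"
            return pkt["proto"] == proto
        direction = toks.pop(0) if peek() in ("src", "dst") else None
        kind = toks.pop(0) if peek() in ("host", "port") else "host"  # "src X" means "src host X"
        value = toks.pop(0)
        value = int(PORT_NAMES.get(value, value)) if kind == "port" else value
        ends = (pkt["sport"], pkt["dport"]) if kind == "port" else (pkt["src"], pkt["dst"])
        if proto and pkt["proto"] != proto:
            return False
        return ends[("src", "dst").index(direction)] == value if direction else value in ends

    return expression()

def select(expr, packets=PACKETS):
    """Indexes of the sample packets the capture filter would keep."""
    return [i for i, p in enumerate(packets) if matches(expr, p)]
```

Compare `select("host 192.168.1.25 and port 80 or port 22")` with `select("host 192.168.1.25 and (port 80 or port 22)")`: the unparenthesized form also keeps port-22 traffic from other hosts, because the `or` is applied to the result of the `and` before it.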
25
Protocol Keywords - Capture
• arp Address Resolution Protocol
• icmp Internet Control Message Protocol
– For example, to capture all ICMP packets: icmp
• ip Internet Protocol
• ip6 Internet Protocol version 6
• netbeui NetBIOS Extended User Interface
• tcp Transmission Control Protocol
• udp User Datagram Protocol
26
Saving Capture File
• Wireshark can save captured packets to a file in several
different formats.
– You can even choose to save all packets or a subset of the
packets.
• These capture files can then be opened by the
associated programs.
– Compatible programs include TCPDump, Microsoft Network
Monitor, Novell LANalyzer, etc.
• Select File | Save As. The Save Capture File As dialog
box will appear.
– This dialog box allows you to choose the file format and the
location where you would like to save the file.
27
Wireshark Interface
(Figure: the Summary, Protocol Tree and Data View panes)
28
Summary Pane
• Displays a summary of each packet in the capture, one per
line. One or more columns of summary data for each packet
will be displayed. Typical columns:
– Frame Number.
– The time from beginning of the capture to the time when the
packet was captured (in seconds).
– Highest level source address. This will frequently be the IP
(Internet Protocol) source address, but may also be MAC or other
addresses.
– Destination address.
– The highest level protocol decoded.
– Information that was determined by the highest level decode to be
useful or informative.
29
Protocol Tree Pane
• For each protocol there is a tree node
summarizing the protocol, which can be
expanded to provide the values in that
protocol’s fields.
• For any given node that has a subtree, we can expand its subtree to reveal more information, or collapse it to show only the summary.
• When a field in the Protocol Tree Window is
selected, the bytes corresponding to that field
are highlighted in the Data View Window.
30
Data View Pane
• Contains a series of rows.
• Each row begins with a four-digit number representing
the number of bytes the first octet in that row is offset
from the beginning of the packet.
• This offset is then followed by sixteen two-character
hexadecimal bytes.
• The last item in each row is a series of sixteen ASCII
characters representing the same 16 bytes from the
packet.
• Not all bytes are conveniently displayable in ASCII. For
those bytes a period (.) is substituted as a placeholder.
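The row layout described above, and the link between a Protocol Tree field and the bytes highlighted in the Data View, as an added example (not code from the slides or from Wireshark). The sample frame is constructed: a broadcast destination MAC, the source MAC from the capture-filter examples, an IPv4 type field, and an ASCII payload placed directly after the header (not a real IP header) so the ASCII column has visible text.

```python
# Added example, not code from the slides or from Wireshark: renders a frame the way
# the Data View pane does (4-digit hex offset, sixteen two-character hex bytes, sixteen
# ASCII characters with "." for bytes that are not printable) and maps the Ethernet
# header fields shown in the Protocol Tree onto the byte ranges the pane highlights.

def hexdump_rows(data, width=16):
    """One Data View row per `width` bytes of the frame."""
    rows = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        rows.append(f"{offset:04x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return rows

def ethernet_fields(data):
    """(offset, length, value) of each Ethernet II header field, as the tree shows them."""
    if len(data) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return {
        "eth.dst": (0, 6, ":".join(f"{b:02x}" for b in data[0:6])),
        "eth.src": (6, 6, ":".join(f"{b:02x}" for b in data[6:12])),
        "eth.type": (12, 2, f"0x{int.from_bytes(data[12:14], 'big'):04x}"),
    }

def highlighted_hex(data, field):
    """The hex bytes the Data View would highlight for a selected tree field."""
    offset, length, _ = ethernet_fields(data)[field]
    return " ".join(f"{b:02x}" for b in data[offset:offset + length])

# Constructed sample frame: broadcast destination, made-up source MAC, IPv4 type field,
# followed directly by an ASCII payload (not a real IP header) to fill the ASCII column.
SAMPLE_FRAME = (bytes.fromhex("ff ff ff ff ff ff 00 f9 06 aa 01 03 08 00")
                + b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    for row in hexdump_rows(SAMPLE_FRAME):
        print(row)
    print(ethernet_fields(SAMPLE_FRAME))
```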
31
Display Filters
• For almost every item you see in the
protocol tree in the middle pane of
Wireshark’s GUI, Wireshark has a field
name that you can use in a display filter.
• If you highlight a field in the Wireshark GUI,
Wireshark will provide the display-filter field
name in the right-hand side of the status
bar at the bottom of the GUI.
32
Filter Bar
• A display filter uses the TCPDump Syntax to define conditions for including a packet in the Summary Window.
• Only packets that match the display filter
string will be displayed.
33
Display Filters
• > or gt Greater Than
• >= or ge Greater Than or Equal To
• < or lt Less Than
• <= or le Less Than or Equal To
• == or eq Equal To
• != or ne Not Equal To
• contains A string or byte string is found within another
34
Display Filter Examples
• Packets to (or from) a certain IP address
(or host name)
– ip.src == 192.168.1.25
– ip.dst == www.ethereal.com
35
Logical Operators - Display
• Used to create complicated filters.
– Operator not – reverses the value of a test.
– Operator and – two conditions in a test are true.
– Operator or – either one of the two conditions is
true.
• Examples
– ip.src == 192.168.1.1 and ip.dst == 192.168.1.25
– ip.addr == 192.168.1.1 or ip.addr == 192.168.1.25
36
Logical Operators - Display
• Operators and and or have the same precedence
– They are analyzed in the order that they are listed in the capture
filter.
• Use parentheses to have the conditions evaluated in the
order that fits your needs.
– not eth.dst eq ff:ff:ff:ff:ff:ff and ip.len gt 1000
• All IP packets with a length greater than 1000 bytes but not a
broadcast.
• No broadcast packets will be shown.
– not (eth.dst eq ff:ff:ff:ff:ff:ff and ip.len gt 1000)
• All IP packets except those broadcast packets with a length greater
than 1000 bytes.
• Broadcast packets with a length of 1000 bytes or less will be shown.
37
Filter Expression Dialog Box
• Wireshark provides a user interface to let you see the
available protocols and fields and construct a display
filter.
• From the Display Filter window, click the Add
Expression button.
• Filter Expression Dialog Box
– On the left is a list of all protocols.
– Each protocol that has fields can be opened by clicking on the
square next to the protocol’s name.
– A list of the protocol’s fields will be displayed.
– When a field name is selected in the list, the relations that apply to
that field are shown in the Relation list.
• The relations are: is present, ==, !=, >, <, >=, <=, and contains.
38
Filter Expression Dialog Box
• The default relation is is present, which does
not require any other value to compare
against.
• But if you select another relation, one that
does require a comparison value, then a
Value text entry box appears to the right of the
relation list.
• If the field can be sliced into ranges, then a
Range text entry box appears under the
Relation list.
39
Filter Expression Dialog Box
40
Filter Expression Dialog Box
• Once you click “Accept”, Wireshark will put
the display filter in the Filter string text entry
box of the Display Filter dialog box at the
current location of your cursor.
• Thus, after creating one display filter, you
could manually type a logical operator (and
or or) into the Filter string text entry box
and click Add Expression again.
41
Follow TCP Stream
42