DKT 224/3 LAB 2 NETWORK PROTOCOL ANALYZER DATA COMMUNICATION & NETWORK SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK

Transcription

1 DKT 224/3 DATA COMMUNICATION & NETWORK LAB 2 NETWORK PROTOCOL ANALYZER SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK

2 Lab #2 2 Lab #2 : Network Protocol Analyzer (Sniffing and Identify Protocol used in Live Network) Objectives Learn some basics of Ethernet Sniffing packet and identify various packet types and protocol Report Writing Background 1. Getting Started One s understanding of network protocols can often be greatly deepened by seeing protocols in action and by playing around with protocols observing the sequence of messages exchanged between two protocol entities, delving down into the details of protocol operation, and causing protocols to perform certain actions and then observing these actions and their consequences. This can be done in simulated scenarios or in a real network environment such as the Internet. In these WIRESHARK labs, we ll take the latter approach. You ll be running various network applications in different scenarios using a computer on your desk, at home, or in a lab. You ll observe the network protocols in your computer in action, interacting and exchanging messages with protocol entities executing elsewhere in the Internet. Thus, you and your computer will be an integral part of these live labs. You ll observe, and you ll learn, by doing. The basic tool for observing the messages exchanged between executing protocol entities is called a packet sniffer. As the name suggests, a packet sniffer captures ( sniffs ) messages being sent/received from/by your computer. It will also typically store and/or display the contents of the various protocol fields in these captured messages. A packet sniffer itself is passive. It observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer receives a copy of packets that are sent/received from/by application and protocols executing on your machine. Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in this case, Internet protocols) and applications (such as a web browser or ftp client) that normally run on your computer. The packet sniffer, shown within the dashed rectangle in Figure 1 is an addition to the usual software in your computer, and consists of two parts. The packet capture library receives a copy of every link-layer frame that is sent from or received by your computer.

3 Lab #2 3 Messages exchanged by higher layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP all are eventually encapsulated in link-layer frames that are transmitted over physical media such as an Ethernet cable. In Figure 1, the assumed physical media is an Ethernet, and so all upper layer protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames thus gives you all messages sent/received from/by all protocols and applications executing in your computer. The second component of a packet sniffer is the packet analyzer, which displays the contents of all fields within a protocol message. In order to do so, the packet analyzer must understand the structure of all messages exchanged by protocols. For example, suppose we are interested in displaying the various fields in messages exchanged by the HTTP protocol in Figure 1. The packet analyzer understands the format of Ethernet frames, and so can identify the IP datagram within an Ethernet frame. It also understands the IP datagram format, so that it can extract the TCP segment within the IP datagram. Finally, it understands the TCP segment structure, so it can extract the HTTP message contained in the TCP segment. Finally, it understands the HTTP protocol and so, for example, knows that the first bytes of an HTTP message will contain the string GET, POST, or HEAD,.

4 Lab #2 4 We will be using the Wireshark packet sniffer [ for these labs, allowing us to display the contents of messages being sent/received from/by protocols at different levels of the protocol stack. (Technically speaking, Wireshark (Ethereal) is a packet analyzer that uses a packet capture library in your computer). 2. What is Wireshark (Ethereal)? Wireshark, formerly known as Ethereal, is one of the most powerful tools in a network security analyst's toolkit. As a network packet analyzer, Wireshark can peer inside the network and examine the details of traffic at a variety of levels, ranging from connectionlevel information to the bits comprising a single packet. This flexibility and depth of inspection allows the valuable tool to analyze security events and troubleshoot network security device issues. It's also priced right: it's free! Wireshark (Ethereal) is a network packet analyzer or packet sniffer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark (Ethereal), all that has changed. Wireshark (Ethereal) is perhaps one of the best open source packet analyzers available today. i. Some intended purposes Here are some examples people use Wireshark (Ethereal) for: network administrators use it to troubleshoot network problems network security engineers use it to examine security problems developers use it to debug protocol implementations people use it to learn network protocol internals ii. Features Live capture from many different network media Despite its name, Ethereal can capture traffic from network media other than Ethernet. Which media types are supported, depends on many things like the operating system you are using. Many protocol decoders There are protocol decoders (or dissectors, as they are known in Ethereal) for a great many protocols. A comprehensive list of all protocols and protocol fields can be found at ttp:// Open Source Software Wireshark (Ethereal) is an open source software project, and is released under the GNU General Public Licence (GPL). You can freely use Ethereal on any number of computers you like, without

5 Lab #2 5 worrying about license keys or fees or such. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Ethereal, either as plugins, or built into the source, and they often do! iii. What Wireshark is not Just as with any tool, Wireshark can be used for some things and not others. Here is a list of some of the things Wireshark cannot do: 1. It cannot be used to map out a network. Take a look at the NMAP tool for that functionality. 2. It does not generate network data it is a passive tool. Tools like NMAP, ping, and traceroute are examples of tools that generate network data. These tools are active. 3. It can only show detailed information about protocols it actually understands. The good news is that it understands a great many protocols. It is also extensible, so you can add protocol support for ones it doesn t understand. Otherwise you will only be able to see a hexdump of data it has captured. 4. It can only capture data as well as the OS\Interface\Interface driver supports. An example of this is capturing data over wireless networks. This does not work well (or at all) for some software and hardware combinations. Practical work Before you start wireshark you must log in as root. Ask the technician for root password. You can start Wireshark by giving the command wireshark on the command line. This opens a window, which is a GUI interface to wireshark's packet capture utility as shown in figure 2. (You'll want to make this window bigger.)

6 Lab #2 6 Figure 2 : Wireshark window To start scanning, choose Interfaces from the Capture menu. You'll see a pop-up window similar to the one below:

7 Lab #2 7 Figure 3: Capture action window If you'd like to configure advanced options -- like capturing a file, resolving MAC addresses and DNS names, or limiting the time or size of the capture -- click the Options button corresponding to the interface you wish to configure. Many of these options can help to improve the performance of Wireshark. For example, you can adjust settings to avoid nameresolution issues, as they will otherwise slow down your capture system and generate large numbers of name queries. Time and size limits can also place limitations on unattended captures. Otherwise, simply click the Start button next to the name of the interface on which you wish to capture traffic. The Wireshark screen will immediately begin filling up with traffic seen on the network interface, as shown below:

8 Lab #2 8 Figure 4: Capture data window Interpreting the results Each line in the top pane of the Wireshark window corresponds to a single packet seen on the network. The default display shows the time of the packet (relative to the initiation of the capture), the source and destination IP addresses, the protocol used and some information about the packet. You can drill down and obtain more information by clicking on a row. This causes the bottom two window panes to fill with information. The middle pane contains drill-down details on the packet selected in the top frame. The "+" icons reveal varying levels of detail about each layer of information contained within the packet. In the example above, I've selected a DNS response packet. I've expanded the DNS response (application layer) section of the packet to show that the original was requesting a DNS resolution for and this response is informing us that the available IP

9 Lab #2 9 addresses include The bottom window pane shows the contents of the packet in both hexadecimal and ASCII representations. Color is your friend when analyzing packets with Wireshark. Notice in the example above that each row is color-coded. The darker blue rows correspond to DNS traffic, the lighter blue rows are UDP SNMP traffic, and the green rows signify HTTP traffic. Wireshark includes a complex color-coding scheme (which you can customize). The default settings appear below: Figure 5: Capture data window That sums up the basics of using Wireshark to capture and analyze network traffic. The best way to become an expert quickly is to get your hands dirty and start capturing network traffic. There's no doubt you'll find that it can be a helpful tool for everything from configuring firewall rules to spotting an intrusion. Remember, however, that you must always have permission from the network owner before capturing traffic on any network.

10 Lab #2 10 Exercise 1: Click on one of the HTTP packets and examine it in detail in the middle section of the Wireshark window. You can confirm that the structure of the packet is HTTP data wrapped in a TCP segment, which is wrapped in an IP datagram, which is wrapped in an Ethernet frame. If you click one of the little triangles in front of the word "Ethernet", your view of the Ethernet header will be expanded to show the content of the header. Similarly for the "Internet Protocol," "Transmission Control Protocol," and "Hypertext Transfer Protocol" lines. If you click on any of the lines in the middle section of the window, the corresponding data in the display in the bottom third of the window will be highlighted. Based on all this, answer the following questions: Question 1: What does an Ethernet address look like, and what is the Ethernet address of your computer? Question 2: How many bytes are there in an Ethernet header? Question 3: What is the IP address of the server computer? How did you find this out by looking at info in the packet? Question 4: The HTTP server communicates on port 80. What port number on your computer was used for the communication? How did you find this out? Exercise 2: Now, enter "not ip" as the display filter. This lets you see non-ip packets. What protocols do you see? Describe some of the things that you can discover or guess about these protocols, just from information available in the Wireshark window. Exercise 3: Close all internet browsers. Restart packet capturing. Open your terminal window. Ping the computer next to you using this command: $ ping xx.xxx.x.xxx Open your internet browser and go to Click on introduction option. Stop the capture session. Trace back all of the activities that you have done starting from you ping the computer next to you until you stop the capture session. Copy all of the activities that you have traced and paste it in notepad. Print the result and attach it with your report.

11 Lab #2 11 Reference: i. Ethereal User's Guide V2.00 for Ethereal Richard Sharpe, NS Computer Software and Services P/L Ed Warnicke, Ulf Lamping, ii.

12 Lab #2 12 Appendix Wireshark Interface The Wireshark interface is fairly simple considering what it can do. 1. Title bar this will contain different information depending on what Wireshark is doing. If it is capturing network data, it will show the interface that is in use. If it is displaying data from a previous capture, the name of the file containing the captured data will be shown (untitled is shown if a capture was performed, stopped and not saved). Otherwise it will show the application name: Wireshark Network Protocol Analyzer 2. Menu bar Menu bar providing access to application features a. File Functions for working with captured data such as saving and exporting to different file formats b. Edit Functions for finding packets, setting the time reference, and setting preferences c. View - Functions for modifying how Wireshark displays information such as which windows are open d. Go Functions for navigating to specific packets e. Capture Functions for starting and stopping captures, saving filters and working with network interfaces f. Analyze Functions for interpreting and filtering captured data g. Statistics Functions to statistically analyze captured data h. Help access to product help 3. Main tool bar Shortcuts to frequently used functions in the menu bar 4. Filter tool bar Quick access to filter functions 5. Packet list pane Displays all the packets in the current capture file. 6. Packet details pane Shows a more detailed view of the packet currently selected in the Packet List pane 7. Packet bytes pane A hexdump view of the packet currently selected in the Packet List pane 8. Status bar Provides informational messages and feedback to the user Sample Wireshark Capture In this example, I will start a Wireshark capture on my wired laptop interface. I will then launch Thunderbird to retrieve from Comcast and GMail 1. First launch Wireshark.

13 Lab # Then select Capture->Interfaces from the menu bar. 3. This will bring up the Interfaces dialog box. Select the interface you want to use. This is important since Wireshark (as with any protocol analyzer) can only capture data from a network it is physically connected to. I will be using the wired Ethernet adapter in my laptop so I will choose the Intel adapter in the list. Click the Start button. Capturing will now begin. After a short while, you will see the main Wireshark window (the packet list, detail and byte panes) fill with data. 4. Now I will launch Thunderbird and login to both my GMail and Comcast mail accounts. At this point I will wait for all my mail to download and then I will stop the network capture by selecting Capture->Stop from the menu bar. Click File and Save to save this capture to disk after all data is captured. 5. I have just captured two complete pop3 sessions with Wireshark. To single out the pop session information I will apply a filter. In the filter bar enter the following text and press the apply button: tcp.port eq 110. This will limit the display to traffic on tcp port 110 (the POP port). Also notice that Wireshark understands the Post Office Protocol, so it will interpret bits of information such as POP commands and even authentication information. I do not connect to the Comcast mail server using SSL so my password is contained in the trace in clear text. I had to choose this screenshot wisely! I ve actually used this to troubleshoot end user client connection problem to pop and imap servers. 6. Scrolling through the filtered captured data only shows a conversation between two hosts; my laptop and the Comcast mail server. What happened to gmail? Well, I use SSL with my GMail account and SSL POP connections are associated with port 995 not 110. In the filter bar enter the following text and press the apply button: tcp.port eq 995. This will show all the POP over SSL traffic. But notice that no other details are available about the application protocol. The protocols in use on port 995 are

14 Lab #2 14 TCP, SSL and TLS. You will see some packets dealing with key exchange, but that is all to do with the security negotiations associated with SSL\TLS. All the Application data is encrypted. Closing remarks This is only the tip of the iceberg. I do not have a need to use this tool very often, but when I do need it, it is there and it can be a life saver or a job saver. For more information on this tool visit the Wireshark website at The documentation on this site is quite extensive and should get you up to speed fairly quickly. Also check out the documentation for whatever protocol you are sniffing. For the internet protocols, the RFC s are a must read. You can find these at the Internet Engineering Task Force website at Finally, if you are sniffing an undocumented protocol like nrpc (used by Lotus Notes\Domino) you may want to spend time researching a similar protocol that is documented. This may help you to understand what you are seeing in Wireshark related to the undocumented protocol.