Wireshark. Why we need to capture packet & how it s related to security? 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

Similar documents
Packet Analysis - Wireshark

Packet Capture & Wireshark. Fakrul Alam

Packet Capture Wireshark Fakrul Alam

Wireshark: Network Forensic Exercise by Fakrul Alam, Bangladesh CERT

Introduction to OSI model and Network Analyzer :- Introduction to Wireshark

Introduction to Wireshark

Lab 4: Network Packet Capture and Analysis using Wireshark

Wireshark Tutorial. Chris Neasbitt UGA Dept. of Computer Science

Capturing & Analyzing Network Traffic: tcpdump/tshark and Wireshark

Network Analyzer :- Introduction to Wireshark

IP Network Troubleshooting Part 3. Wayne M. Pecena, CPBE, CBNE Texas A&M University Educational Broadcast Services - KAMU

ITTC Communication Networks Laboratory The University of Kansas EECS 563 Introduction to Protocol Analysis with Wireshark

Experiment 2: Wireshark as a Network Protocol Analyzer

So What is WireShark?

DKT 224/3 LAB 2 NETWORK PROTOCOL ANALYZER DATA COMMUNICATION & NETWORK SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK

Instituto Superior Técnico, Universidade de Lisboa Network and Computer Security. Lab guide: Traffic analysis and TCP/IP Vulnerabilities

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

COMP2330 Data Communications and Networking

SE 4C03 Winter Final Examination Answer Key. Instructor: William M. Farmer

Chapter 8 roadmap. Network Security

Introduction to Wireshark

Cisco Nexus 7000 Series Architecture: Built-in Wireshark Capability for Network Visibility and Control

NETWORK PACKET ANALYSIS PROGRAM

Lab - Using Wireshark to Examine TCP and UDP Captures

BSc Year 2 Data Communications Lab - Using Wireshark to View Network Traffic. Topology. Objectives. Background / Scenario

Packet Capturing with TCPDUMP command in Linux

Computer Networks A Simple Network Analyzer PART A undergraduates and graduates PART B graduate students only

5. Write a capture filter for question 4.

ITTC Communication Networks Laboratory The University of Kansas EECS 780 Introduction to Protocol Analysis with Wireshark

Wireshark 101 Essential Skills for Network Analysis 2 nd Edition

History Page. Barracuda NextGen Firewall F

Agility2018-TCPdump Documentation

Article Number: 38 Rating: Unrated Last Updated: Thu, Apr 28, 2016 at 9:49 PM

A Simple Network Analyzer Decoding TCP, UDP, DNS and DHCP headers

Packet Sniffing and Spoofing

Interconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1

Exercises: Basics of Networking II Experiential Learning Workshop

Network Security Laboratory 23 rd May STATEFUL FIREWALL LAB

Introduction to OSI model and Network Analyzer :- Introduction to Wireshark

Master Informatique NetArch Network Architecture. NetArch - Lab n 4. Transport Layer (1): TCP and UDP

Lab I: Using tcpdump and Wireshark

K2289: Using advanced tcpdump filters

Interconnecting Networks with TCP/IP

User Role Firewall Policy

CYBERSECURITY CHALLENGES FOR YOUR CLASSROOM:

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009

Working with. Working with Capture Files

Introduction to Troubleshooting TCP/IP Networks with Wireshark

ECE435: Network Engineering Homework 5 TCP. Due: Thursday, 18 October 2018, 3:30pm

Lab 1: Creating Secure Architectures (Revision)

Software Engineering 4C03 Answer Key

A quick tutorial on using tshark

TCP/IP Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Environment Setup. SEED Labs TCP/IP Attack Lab 1

Lab 8: Introduction to Pen Testing (HPING)

Protocol Analysis: Capturing Packets

Error <Thin Client Users cannot Log On>

CNIT 50: Network Security Monitoring. 6 Command Line Packet Analysis Tools

CCNA Semester 1 labs. Part 2 of 2 Labs for chapters 8 11

CCNA R&S: Introduction to Networks. Chapter 7: The Transport Layer

Unit 4: Firewalls (I)

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

About this Troubleshooting Checklist

Muhammad Farooq-i-Azam CHASE-2006 Lahore

Protocol Analysis: Capturing Packets

Statistical Aspects of Intrusion Detection

Appendix B Policies and Filters

EMT2455 Data Communications 4. Network Layer. Dr. Xiaohai Li. Dept. of Computer Eng. Tech., NYCCT. Last Update: Nov.

Practical Networking. Introduction

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

GSS Administration and Troubleshooting

Exploring TCP and UDP based on Kurose and Ross (Computer Networking: A Top-Down Approach) May 15, 2018

Lab Configuring NAT Overload

The ACK and NACK of Programming

Network sniffing packet capture and analysis

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

521262S Computer Networks 2 (fall 2007) Laboratory exercise #4: Multimedia, QoS and testing

Hands-On Ethical Hacking and Network Defense

10 Defense Mechanisms

ch02 True/False Indicate whether the statement is true or false.

A Study on Intrusion Detection Techniques in a TCP/IP Environment

Lab 1: Packet Sniffing and Wireshark

TCPDUMP. Chia-Tien Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University

Network packet analyzer Wireshark

Extended ACL Configuration Mode Commands

Computer Networks/DV2 Lab

Module : ServerIron ADX Packet Capture

Configuring Commonly Used IP ACLs

LAB THREE STATIC ROUTING

Use of the TCP/IP Protocols and the OSI Model in Packet Tracer

Integration Debugging Information

Troubleshooting High CPU Utilization Due to the IP Input Process

Layered Networking and Port Scanning

Advanced Computer Networking. CYBR 230 Jeff Shafer University of the Pacific. Project 2

TCP/IP Filtering. Main TCP/IP Filtering Dialog Box. Route Filters Button. Packet Filters Button CHAPTER

Computer Networks A Simple Network Analyzer Decoding Ethernet and IP headers

SSH. What is Safely 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

UNI CS 3470 Networking Project 5: Using Wireshark to Analyze Packet Traces 12

CCNA Exploration Network Fundamentals

CSE / / 60567: Computer Security. Network Security 2

Transcription:

Wireshark 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: Issue Date: Revision: 1 Why we need to capture packet & how it s related to security? 1

tcpdump Definition tcpdump is a utility used to capture and analyze packets on network interfaces. Details about these packets can either be displayed to the screen or they can be saved to a file for later analysis. tcpdump utilizes the libpcap library for packet capturing. tcpdump command example # tcpdump nni eth0 # tcpdump nni eth0 host 10.10.10.10 # tcpdump nni eth0 dst host 10.10.10.10 and proto tcp # tcpdump nni eth0 src net 10.10.10.0/24 and port tcp and portrange 1-1024 -nn = don t use DNS to resolve IPs and display port no -i = interface to watch dst = watch only traffic destined to a net, host or port src = watch only traffic whose src is a net, host or port net = specifies network host = specifies host port = specifies a port proto = protocol ie tcp or udp 2

tcpdump command example # tcpdump nni eth0 s0 # tcpdump nni eth0 not port 22 s0 c 1000 # tcpdump nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24 -s0 = setting samples length to 0 means use the required length to catch whole packet -c = no to packets tcpdump pcaps # tcpdump nni eth0 -w capture.pcap vv c 1000 # tcpdump nni eth0 r capture.pcap and port 80 -w capture.pcap = save capture packet to capture.pcap vv = display number of packet captured -r caputre.pcap = read capture file -c = no to packets 3

tcpdump Output IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, options [nop,nop,ts val 854797891 ecr 376933204], length 53 IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 106, win 4092, options [nop,nop,ts val 376934736 ecr 854797891], length 0 IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 106:159, ack 1, win 67, options [nop,nop,ts val 854797891 ecr 376933204], length 53 IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 159, win 4091, options [nop,nop,ts val 376934736 ecr 854797891], length 0 What is Wireshark? Wireshark is a network packet/protocol analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible. Wireshark is perhaps one of the best open source packet analyzers available today for UNIX and Windows. 4

About Wireshark Formerly known as Ethereal Author, Gerald Combs quit Network Integration Services Free Requirement Need to install winpcap Latest wireshark installer contains winpcap, don t worry (On Windows Vista) Need Administrator Privilege to capture GUI Dramatically improved Why Wireshark network administrators use it to troubleshoot network problems network security engineers use it to examine security problems developers use it to debug protocol implementations people use it to learn network protocol internals Wireshark isn't an intrusion detection system. Wireshark will not manipulate things on the network, it will only "measure" things from it. 5

How to Install Very straight forward Just double-click and follow the instructions. https://www.wireshark.org/download.html Capture 6

Dashboard Menu Filter Capture Data Raw Data Filters Capture filter Capture Traffic that match capture filter rule save disk space prevent packet loss Display filter Tweak appearance 7

Apply Filters ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as either the source or dest] ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses] http or dns [sets a filter to display all http and dns] tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port] tcp.flags.reset==1 [displays all TCP resets] http.request [displays all HTTP GET requests] tcp contains rviews [displays all TCP packets that contain the word rviews. Excellent when searching on a specific string or user ID]!(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest] Follow TCP Stream 8

Follow TCP Stream Build TCP Stream Select TCP Packet -> Follow TCP Stream Use Statistics What protocol is used in your network Statistics -> Protocol Hierarchy 9

Use Statistics Which host most chatty Statistics -> Conversations Need CLI? If you stick to character based interface, try tshark.exe C:\program files\wireshark\tshark.exe 10

Tcpdump & Wireshark tcpdump -i <interface> -s 65535 -w <some-file> Exercise Install Wireshark into your PC Run wireshark and Capture inbound/outbound traffic Download capture files from Follow the instructor's guide. 11

Exercise 1: Good Old Telnet File telnet.pcap Question Reconstruct the telnet session. Q1: Who logged into 192.168.0.1 Username, Password. Q2: After logged in what did the user do? Tip telnet traffic is not secure Exercise 2: Massive TCP SYN File massivesyn1.pcap and massivesyn2.pcap Question Point the difference with them. Q1: massivesyn1.pcap is a attempt. Q2: massivesyn2.pcap is a attempt. Tip Pay attention to Src IP 12

Exercise 3: Chatty Employees File chat.dmp Question Q1: What kind protocol is used? Q2: This is conversation between @hotmail.com and @hotmail.com Q3: What do they say about you(sysadmin)? Tip Your chat can be m onitored by network adm in. Exercise 4: Suspicious FTP activity File ftp1.pcap Question Q1: 10.121.70.151 is FTP. Q2: 10.234.125.254 is FTP. Q3: FTP Err Code 530 means. Q4: 10.234.125.254 attempt. Tip How many login error occur within a minute? 13

Exercise 5: Unidentified Traffic File Foobar.pcap Question Q1: see what s going on with wireshark gui Statistics -> Conversation List -> TCP (*) Q2: Which application use TCP/6346? Check the web. Exercise 6: Covert channel File covertinfo.pcap Question Take a closer look! T his is not a typical IC M P E cho/r eply Q1: What kind of tool do they use? Check the web. Q2: Name other application which tunneling user traffic. 14

Exercise 7: SIP File sip_chat.pcap Questions: Q1: Can we listen to SIP voice? Q2: How!! Virustotal https://www.virustotal.com/ Checking virus This document is uncontrolled when printed. Before use, check the APNIC electronic master document to verify that this is the current version. 30 15

LAB 32 16

Defense and Mitigation Community You can t do it all alone! 33 Defense and Mitigation Community and luckily, there is a great community providing services/tools, such as Security @ APNIC https://www.apnic.net/security Passive DNS by cert.at Panopticon Shared Proxy by circl.lu et al. openresolverproject.com / www.openresolver.nl n6 Reports by cert.pl CAP Reports by Team Cymru phishtank.com, spamcop.net Contacts contacts contacts and many more what else do you know / offer? 34 17

www.facebook.com/apnic www.twitter.com/apnic www.youtube.com/apnicmultimedia www.flickr.com/apnic www.weibo.com/apnicrir Issue Date: Revision: Thank You! END OF SESSION 36 36 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback