Packet Analysis - Wireshark

Similar documents
Packet Capture & Wireshark. Fakrul Alam

Wireshark. Why we need to capture packet & how it s related to security? 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

Packet Capture Wireshark Fakrul Alam

Wireshark: Network Forensic Exercise by Fakrul Alam, Bangladesh CERT

Introduction to OSI model and Network Analyzer :- Introduction to Wireshark

Introduction to Wireshark

Lab 4: Network Packet Capture and Analysis using Wireshark

Wireshark Tutorial. Chris Neasbitt UGA Dept. of Computer Science

Network Analyzer :- Introduction to Wireshark

So What is WireShark?

ITTC Communication Networks Laboratory The University of Kansas EECS 563 Introduction to Protocol Analysis with Wireshark

IP Network Troubleshooting Part 3. Wayne M. Pecena, CPBE, CBNE Texas A&M University Educational Broadcast Services - KAMU

Capturing & Analyzing Network Traffic: tcpdump/tshark and Wireshark

CNIT 50: Network Security Monitoring. 6 Command Line Packet Analysis Tools

Packet Capturing with TCPDUMP command in Linux

COMP2330 Data Communications and Networking

Experiment 2: Wireshark as a Network Protocol Analyzer

Instituto Superior Técnico, Universidade de Lisboa Network and Computer Security. Lab guide: Traffic analysis and TCP/IP Vulnerabilities

NETWORK PACKET ANALYSIS PROGRAM

Lab - Using Wireshark to Examine TCP and UDP Captures

Packet Sniffing and Spoofing

Cisco Nexus 7000 Series Architecture: Built-in Wireshark Capability for Network Visibility and Control

ITTC Communication Networks Laboratory The University of Kansas EECS 780 Introduction to Protocol Analysis with Wireshark

TCPDUMP. Chia-Tien Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University

5. Write a capture filter for question 4.

DKT 224/3 LAB 2 NETWORK PROTOCOL ANALYZER DATA COMMUNICATION & NETWORK SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK

Article Number: 38 Rating: Unrated Last Updated: Thu, Apr 28, 2016 at 9:49 PM

Introduction to Wireshark

BSc Year 2 Data Communications Lab - Using Wireshark to View Network Traffic. Topology. Objectives. Background / Scenario

Interconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1

Introduction to OSI model and Network Analyzer :- Introduction to Wireshark

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

Exercises: Basics of Networking II Experiential Learning Workshop

A quick tutorial on using tshark

A Simple Network Analyzer Decoding TCP, UDP, DNS and DHCP headers

Protocol Analysis: Capturing Packets

Lab I: Using tcpdump and Wireshark

K2289: Using advanced tcpdump filters

Interconnecting Networks with TCP/IP

Wireshark 101 Essential Skills for Network Analysis 2 nd Edition

Lab Configuring NAT Overload

Computer Networks A Simple Network Analyzer PART A undergraduates and graduates PART B graduate students only

CYBERSECURITY CHALLENGES FOR YOUR CLASSROOM:

Exploring TCP and UDP based on Kurose and Ross (Computer Networking: A Top-Down Approach) May 15, 2018

Module : ServerIron ADX Packet Capture

GSS Administration and Troubleshooting

Agility2018-TCPdump Documentation

Master Informatique NetArch Network Architecture. NetArch - Lab n 4. Transport Layer (1): TCP and UDP

History Page. Barracuda NextGen Firewall F

CCNA Semester 1 labs. Part 2 of 2 Labs for chapters 8 11

About this Troubleshooting Checklist

Protocol Analysis: Capturing Packets

CCNA R&S: Introduction to Networks. Chapter 7: The Transport Layer

Chapter 8 roadmap. Network Security

EMT2455 Data Communications 4. Network Layer. Dr. Xiaohai Li. Dept. of Computer Eng. Tech., NYCCT. Last Update: Nov.

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009

Practical Networking. Introduction

Network sniffing packet capture and analysis

ECE435: Network Engineering Homework 5 TCP. Due: Thursday, 18 October 2018, 3:30pm

Introduction to Troubleshooting TCP/IP Networks with Wireshark

Network packet analyzer Wireshark

CSE / / 60567: Computer Security. Network Security 2

Computer Networks/DV2 Lab

Inspection of Inter-Subnet traffic in AWS VPC using CloudGuard

86 - Network DiagnosticsTools

CSc 450/550: Computer Communications and Networks (Summer 2007)

Working with. Working with Capture Files

Use of the TCP/IP Protocols and the OSI Model in Packet Tracer

FortiTester Handbook VERSION 2.4.1

Network Security Laboratory 23 rd May STATEFUL FIREWALL LAB

Advanced Computer Networking. CYBR 230 Jeff Shafer University of the Pacific. Project 2

Troubleshooting High CPU Utilization Due to the IP Input Process

SE 4C03 Winter Final Examination Answer Key. Instructor: William M. Farmer

Error <Thin Client Users cannot Log On>

Appendix B Policies and Filters

CS519: Computer Networks. Lecture 5, Part 1: Mar 3, 2004 Transport: UDP/TCP demux and flow control / sequencing

Lab 1: Creating Secure Architectures (Revision)

TCP/IP Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Environment Setup. SEED Labs TCP/IP Attack Lab 1

Lab 8: Introduction to Pen Testing (HPING)

Assignment 2 TCP/IP Vulnerabilities

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

Extended ACL Configuration Mode Commands

Hands-On Ethical Hacking and Network Defense

Software Engineering 4C03 Answer Key

LAB THREE STATIC ROUTING

Lab 2: Creating Secure Architectures

TCP/IP Filtering. Main TCP/IP Filtering Dialog Box. Route Filters Button. Packet Filters Button CHAPTER

Computer Security II Lab Network Security

COM-407: TCP/IP NETWORKING. With Solutions

Introduction to SITL. Objective

Week Date Teaching Attended 9 Mar 2013 Lab 9: Network Forensics

Network Traffic Analysis - Course Outline

Lab 1: Packet Sniffing and Wireshark

UNI CS 3470 Networking Project 5: Using Wireshark to Analyze Packet Traces 12

User Role Firewall Policy

Statistical Aspects of Intrusion Detection

Computer Networks A Simple Network Analyzer Decoding Ethernet and IP headers

Sirindhorn International Institute of Technology Thammasat University

DGW PCM Traces. All Mediatrix Units. v

Transcription:

Packet Analysis - Wireshark Network Security Workshop 3-5 October 2017 Port Moresby, Papua New Guinea

Why do we need to capture packet & how is it relevant to security?

tcpdump tcpdump is a utility used to capture and analyze packets on network interfaces. Details about these packets can either be displayed to the screen or they can be saved to a file for later analysis (-w option). tcpdump utilizes the libpcap library for packet capturing.

tcpdump command example # tcpdump nni eth0 # tcpdump nni eth0 host 10.10.10.10 # tcpdump nni eth0 dst host 10.10.10.10 and proto tcp # tcpdump nni eth0 src net 10.10.10.0/24 and port tcp and portrange 1-1024 -nn = don t use DNS to resolve IPs and display port no -i = interface to watch dst = watch only traffic destined to a net, host or port src = watch only traffic whose src is a net, host or port net = specifies network host = specifies host port = specifies a port proto = protocol (Ex: tcp or udp)

tcpdump command example # tcpdump nni eth0 -s0 # tcpdump nni eth0 not port 22 -s0 -c 1000 # tcpdump nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24 -s0 (snaplength) = setting samples length to 0 means use the required length to catch whole packet (default 260KB) -c = packet count

tcpdump pcaps # tcpdump -nni eth0 -w capture.pcap -vv -c 1000 # tcpdump -nni eth0 -r capture.pcap and port 80 -w capture.pcap = write captured packets to capture.pcap file, rather than printing out vv (more verbose) = Ex: display number of packets captured -r capture.pcap = read packets from capture file, which was created with a w option -c = no to packets

tcpdump Output IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, options [nop,nop,ts val 854797891 ecr 376933204], length 53 IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 106, win 4092, options [nop,nop,ts val 376934736 ecr 854797891], length 0 IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 106:159, ack 1, win 67, options [nop,nop,ts val 854797891 ecr 376933204], length 53 IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 159, win 4091, options [nop,nop,ts val 376934736 ecr 854797891], length 0

What is Wireshark? Wireshark is a network packet/protocol analyzer A network packet analyzer will try to capture network packets and display the packet details Wireshark is perhaps one of the best known open source packet analyzers available today for any operating system

About Wireshark Formerly known as Ethereal Author, Gerald Combs quit Network Integration Services FREE! Requirement Need to install winpcap Latest wireshark installer contains winpcap, don t worry (On Windows Vista) Need Administrator Privilege to capture GUI Dramatically improved

Why Wireshark network administrators use it to troubleshoot network problems network security engineers use it to examine security problems developers use it to debug protocol implementations people use it to learn network protocol internals Wireshark isn't an intrusion detection system Wireshark will not manipulate packets on the network; it will only read" packets.

How to Install Very straight forward Just double-click and follow the instructions

Capture

Dashboard Menu Filter Capture Data Raw Data

Filters Capture filter Capture traffic that matches the capture filter rule saves disk space Display filter Tweak appearance

Apply Filters ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as either the source or dest] ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses] http or dns [sets a filter to display all http and dns] tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port] tcp.flags.reset==1 [displays all TCP resets] http.request [displays all HTTP GET requests] tcp contains rviews [displays all TCP packets that contain the word rviews. Excellent when searching on a specific string or user ID]!(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest]

Follow TCP Stream

Follow TCP Stream Build TCP Stream Select TCP Packet -> Follow TCP Stream

Use Statistics What protocol is used in your network Statistics -> Protocol Hierarchy

Use Statistics Which host is most chatty Statistics -> Conversations

Need CLI? If you stick to character based interface, try tshark.exe C:\program files\wireshark\tshark.exe

Exercise Install Wireshark into your PC Run Wireshark Capture inbound/outbound traffic Download captured (pcap) files from the lab website Follow instructor's guide

Exercise 1: Good Old Telnet File telnet.pcap Question Reconstruct the telnet session Q1: Who logged into 192.168.0.1 Username, Password. Q2: After logging in what did the user do? Tip telnet traffic is not secure

Exercise 2: Massive TCP SYN File massivesyn1.pcap and massivesyn2.pcap Question Point the difference with them. Q1: massivesyn1.pcap is a attempt. Q2: massivesyn2.pcap is a attempt. Tip Pay attention to Src IP

Exercise 3: Chatty Employees File chat.dmp Question Q1: What kind protocol is used? Q2: This is conversation between @hotmail.com and @hotmail.com Q3: What do they say about you(sysadmin)? Tip Your chat can be monitored by network admin.

Ex 4: Suspicious FTP activity File ftp.pcap Question Q1: 10.121.70.151 is FTP. Q2: 10.234.125.254 is FTP. Q3: FTP Err Code 530 means. Q4: 10.234.125.254 attempt. Tip How many login error occur within a minute?

Exercise 5: Unidentified Traffic File Foobar.pcap Question Q1: see what s going on with wireshark gui Statistics -> Conversation List -> TCP (*) Q2: Which application use TCP/6346? Check the web.

Exercise 6: Covert channel File covertinfo.pcap Question Take a closer look! This is not a typical ICMP Echo/Reply Q1: What kind of tool do they use? Check the web. Q2: what other applications tunnel user traffic?

Exercise 7: SIP File sip_chat.pcap Questions: Q1: Can we listen to SIP voice? Q2: How?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback