Capturing & Analyzing Network Traffic: tcpdump/tshark and Wireshark

Similar documents
Practical Networking. Introduction

Packet Capture & Wireshark. Fakrul Alam

Packet Analysis - Wireshark

Packet Capture Wireshark Fakrul Alam

Introduction to OSI model and Network Analyzer :- Introduction to Wireshark

Wireshark. Why we need to capture packet & how it s related to security? 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

Muhammad Farooq-i-Azam CHASE-2006 Lahore

CNIT 50: Network Security Monitoring. 6 Command Line Packet Analysis Tools

Packet Capturing with TCPDUMP command in Linux

Introduction to OSI model and Network Analyzer :- Introduction to Wireshark

Network Analyzer :- Introduction to Wireshark

Module : ServerIron ADX Packet Capture

Using NAT in Overlapping Networks

TCPDUMP. Chia-Tien Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University

Experiment 2: Wireshark as a Network Protocol Analyzer

SC/CSE 3213 Winter Sebastian Magierowski York University CSE 3213, W13 L8: TCP/IP. Outline. Forwarding over network and data link layers

Wireshark Tutorial. Chris Neasbitt UGA Dept. of Computer Science

NETWORK PACKET ANALYSIS PROGRAM

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

Exploring TCP and UDP based on Kurose and Ross (Computer Networking: A Top-Down Approach) May 15, 2018

Wireshark: Network Forensic Exercise by Fakrul Alam, Bangladesh CERT

Lab I: Using tcpdump and Wireshark

4. What is the sequence number of the SYNACK segment sent by spinlab.wpi.edu to the client computer in reply to the SYN? Also Seq=0 (relative

Network Attacks. CS Computer Security Profs. Vern Paxson & David Wagner

ECE 697J Advanced Topics in Computer Networks

K2289: Using advanced tcpdump filters

Computer Networks A Simple Network Analyzer PART A undergraduates and graduates PART B graduate students only

Network and Security: Introduction

Protocol Layers & Wireshark TDTS11:COMPUTER NETWORKS AND INTERNET PROTOCOLS

IP Network Troubleshooting Part 3. Wayne M. Pecena, CPBE, CBNE Texas A&M University Educational Broadcast Services - KAMU

A Simple Network Analyzer Decoding TCP, UDP, DNS and DHCP headers

COMPUTER NETWORKS. CPSC 441, Winter 2016 Prof. Mea Wang Department of Computer Science University of Calgary

COMP2330 Data Communications and Networking

Network packet analyzer Wireshark

Announcements. IP Forwarding & Transport Protocols. Goals of Today s Lecture. Are 32-bit Addresses Enough? Summary of IP Addressing.

network security s642 computer security adam everspaugh

Introduction to TCP/IP networking

TCP Performance. EE 122: Intro to Communication Networks. Fall 2006 (MW 4-5:30 in Donner 155) Vern Paxson TAs: Dilip Antony Joseph and Sukun Kim

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009

Lab Exercise UDP. Objective. Requirements. Step 1: Capture a Trace

EE 122: IP Forwarding and Transport Protocols

ITTC Communication Networks Laboratory The University of Kansas EECS 563 Introduction to Protocol Analysis with Wireshark

Network Model: Each layer has a specific function.

TCP = Transmission Control Protocol Connection-oriented protocol Provides a reliable unicast end-to-end byte stream over an unreliable internetwork.

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

CS 716: Introduction to communication networks. Instructor: Sridhar Iyer Demo by: Swati Patil IIT Bombay

Wire Shark Lab1. Intro

Troubleshooting High CPU Utilization Due to the IP Input Process

Wireshark intro. Introduction. Packet sniffer

Lecture 10: Protocol Design

Lab 1: Packet Sniffing and Wireshark

Computer Networks A Simple Network Analyzer Decoding Ethernet and IP headers

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Wireshark Lab: Getting Started v7.0

Sirindhorn International Institute of Technology Thammasat University

Page 1. Goals for Today" Discussion" Example: Reliable File Transfer" CS162 Operating Systems and Systems Programming Lecture 11

Introduction to Wireshark

Introduction to Troubleshooting TCP/IP Networks with Wireshark

Lab Assignment 3 for ECE374

Cisco Nexus 7000 Series Architecture: Built-in Wireshark Capability for Network Visibility and Control

Examination 2D1392 Protocols and Principles of the Internet 2G1305 Internetworking 2G1507 Kommunikationssystem, fk SOLUTIONS

Material for the Networking lab in EITF25 & EITF45

So What is WireShark?

3. (a) What is bridge? Explain the operation of a LAN bridge from to (b) Explain the operation of transparent bridge.

CS 640 Introduction to Computer Networks Spring 2009

BSc Year 2 Data Communications Lab - Using Wireshark to View Network Traffic. Topology. Objectives. Background / Scenario

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

Lab 4: Network Packet Capture and Analysis using Wireshark

Lab - Using Wireshark to Examine TCP and UDP Captures

Internet Protocol and Transmission Control Protocol

Command Line Review of Wireshark CLI Tools, tshark & more

Lecture 2-ter. 2. A communication example Managing a HTTP v1.0 connection. Managing a HTTP request. transport session. Step 1 - opening transport

COMS3200/7201 Computer Networks 1 (Version 1.0)

ICS 451: Today's plan

IP Addressing, monitoring and packet analyzing

Fundamentals of Linux Platform Security

Fundamentals of Linux Platform Security. Hands-On Network Security. Roadmap. Security Training Course. Module 1 Reconnaissance Tools

Using Diagnostic Tools

Network Control, Con t

Instituto Superior Técnico, Universidade de Lisboa Network and Computer Security. Lab guide: Traffic analysis and TCP/IP Vulnerabilities

Wireshark Lab: Getting Started v7.0

Basic Reliable Transport Protocols

Wireshark Lab: Getting Started v6.0

New York University Computer Science Department Courant Institute of Mathematical Sciences

Wireshark Lab: Getting Started

Chapter 4 The Internet

Network sniffing packet capture and analysis

ch02 True/False Indicate whether the statement is true or false.

TRANSMISSION CONTROL PROTOCOL. ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 7 November 2016

precise rules that govern communication between two parties TCP/IP: the basic Internet protocols IP: Internet protocol (bottom level)

Computer Networks Spring 2017 Homework 2 Due by 3/2/2017, 10:30am

CS395/495 Computer Security Project #2

521262S Computer Networks 2 (fall 2007) Laboratory exercise #4: Multimedia, QoS and testing

I Commands. iping, page 2 iping6, page 4 itraceroute, page 5 itraceroute6 vrf, page 6. itraceroute vrf encap vxlan, page 12

Introduction to Wireshark

Transport Layer TCP & UDP Week 7. Module : Computer Networks Lecturers : Lucy White Office : 324

LECTURE WK4 NETWORKING

Sirindhorn International Institute of Technology Thammasat University

TCP/IP Transport Layer Protocols, TCP and UDP

EMT2455 Data Communications 4. Network Layer. Dr. Xiaohai Li. Dept. of Computer Eng. Tech., NYCCT. Last Update: Nov.

Transcription:

Capturing & Analyzing Network Traffic: tcpdump/tshark and Wireshark EE 122: Intro to Communication Networks Vern Paxson / Jorge Ortiz / Dilip Anthony Joseph 1

Some slides added from Fei Xu's slides, Small modifications by Dr. Enis Karaarslan

Overview Examples of network protocols Protocol Analysis Verify Correctness Analyze performance Better understanding of existing protocols Optimization and debugging of new protocols Tools tcpdump & tshark Wireshark 3

Network Protocol Examples Defines the rules of exchange between a pair (or more) machines over a communication network HTTP (Hypertext Transfer Protocol) Defines how web pages are fetched and sent across a network TCP (Transmission Control Protocol) Provides reliable, in-order delivery of a stream of bytes Your protocol here 4

Protocol Analysis Verify correctness Debug/detect incorrect behavior Analyze performance Gain deeper understanding of existing protocols by seeing how they behave in actual use 5

Analysis Methods Instrument the code Difficult task, even for experienced network programmers Tedious and time consuming Use available tools tcpdump / tshark Wireshark ipsumdump Write your own tool libpcap 6

Tools overview Tcpdump Unix-based command-line tool used to intercept packets o Including filtering to just the packets of interest Reads live traffic from interface specified using i option or from a previously recorded trace file specified using r option o You create these when capturing live traffic using w option Tshark Tcpdump-like capture program that comes w/ Wireshark Very similar behavior & flags to tcpdump Wireshark GUI for displaying tcpdump/tshark packet traces 7

Tcpdump example Ran tcpdump on the machine danjo.cs.berkeley.edu First few lines of the output: 01:46:28.808262 IP danjo.cs.berkeley.edu.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481:. 2513546054:2513547434(1380) ack 1268355216 win 12816 01:46:28.808271 IP danjo.cs.berkeley.edu.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816 01:46:28.808276 IP danjo.cs.berkeley.edu.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481:. 2128:3508(1380) ack 1 win 12816 01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.cs.berkeley.edu.ssh: P 1:49(48) ack 1380 win 16560 8

What does a line convey? Timestamp This Source is an IP host Source packet name port number (22) 01:46:28.808262 IP danjo.cs.berkeley.edu.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481:. 2513546054:2513547434(1380) ack 1268355216 win 12816 Destination host name Destination port number TCP specific information Different output formats for different packet types 9

Similar Output from Tshark 1190003744.940437 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48 1190003744.940916 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48 1190003744.955764 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=48 Ack=48 Win=65514 Len=0 TSV=445871583 TSER=632535493 1190003745.035678 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48 1190003745.036004 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48 1190003745.050970 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=96 Ack=96 Win=65514 Len=0 TSV=445871583 TSER=632535502 10

Demo 1 Basic Run Syntax: tcpdump [options] [filter expression] Run the following command on the machine c199.eecs.berkeley.edu: Observe the output tcpdump 11

Filters We are often not interested in all packets flowing through the network Use filters to capture only packets of interest to us 12

Demo 2 1. Capture only udp packets tcpdump udp 2. Capture only tcp packets tcpdump tcp 13

Demo 2 (contd.) 1. Capture only UDP packets with destination port 53 (DNS requests) tcpdump udp dst port 53 2. Capture only UDP packets with source port 53 (DNS replies) tcpdump udp src port 53 3. Capture only UDP packets with source or destination port 53 (DNS requests and replies) tcpdump udp port 53 14

Demo 2 (contd.) 1. Capture only packets destined to quasar.cs.berkeley.edu tcpdump dst host quasar.cs.berkeley.edu 2. Capture both DNS packets and TCP packets to/from quasar.cs.berkeley.edu tcpdump (tcp and host quasar.cs.berkeley.edu) or udp port 53 15

How to write filters Refer cheat sheet slides at the end of this presentation Refer the tcpdump/tshark man page 16

Running tcpdump Requires superuser/administrator privileges tcpdump, tshark & wireshark work on many different operating systems Download the version for your personal desktop/laptop from http://www.tcpdump.org, http://www.winpcap.org/windump/ http://www.wireshark.org 17

Security/Privacy Issues Tcpdump/tshark/wireshark allow you to monitor other people s traffic WARNING: Do NOT use these to violate privacy or security Use filtering to restrict packet analysis to only the traffic associated with your assignment. E.g., for project #1: tcpdump s 0 w all_pkts.trace tcp port 7788 18

What is Wireshark? Wireshark is a network packet/protocol analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible. Wireshark is perhaps one of the best open source packet analyzers available today for UNIX and Windows.

Install under Windows Download Install

Install under Debian/ Ubuntu # apt-get install wireshark

Wireshark System Overview 22

Configuration This checkbox allows you to specify that Wireshark should put the interface in promiscuous mode when capturing. If you do not specify this, Wireshark will only capture the packets going to or from your computer (not all packets on your LAN segment).

TURN PROMISCUOUS MODE OFF! IF YOU'RE AT WORK, YOUR NETWORK ADMINISTRATOR MAY SEE YOU RUNNING IN PROMISCUOUS MODE AND SOMEBODY MAY DECIDE TO FIRE YOU FOR THAT.

Wireshark Interface 25

Demonstration Questions? 26

More resource http://wiki.wireshark.org http://wiki.wireshark.org/samplecaptures Search wireshark tutorial

Other Useful Tools IPsumdump Handy Swiss army knife for displaying in ASCII fields of interest in packet trace files http://www.cs.ucla.edu/~kohler/ipsumdump/ For instructions to use IPsumdump on EECS instructional accounts, see slide Appendix: IPsumdump on EECS instructional accounts Libpcap Unix packet capture library on which tcpdump/tshark are built http://www.tcpdump.org/ 28

Assignment Requirements tcpdump -w <dump_file_name> -s 0 options must be used for the traces submitted as part of the assignments tshark doesn t require -s 0 (default) Appropriately name each dump file you submit and briefly describe what each dump file contains/illustrates in the README file associated with the assignment submission 29

Cheat Sheet Commonly Used Tcpdump Options -n Don t convert host addresses to names. Avoids DNS lookups. It can save you time. -w <filename> Write the raw packets to the specified file instead of parsing and printing them out. Useful for saving a packet capture session and running multiple filters against it later -r <filename> Read packets from the specified file instead of live capture. The file should have been created with w option -q Quiet output. Prints less information per output line 30

Cheat Sheet Commonly Used Options (contd.) -s 0 tcpdump usually does not analyze and store the entire packet. This option ensures that the entire packet is stored and analyzed. NOTE: You must use this option while generating the traces for your assignments. (Default in tshark) -A (or X in some versions) Print each packet in ASCII. Useful when capturing web pages. NOTE: The contents of the packet before the payload (for example, IP and TCP headers) often contain unprintable ASCII characters which will cause the initial part of each packet to look like rubbish 31

Cheat Sheet Writing Filters (1) Specifying the hosts we are interested in dst host <name/ip> src host <name/ip> host <name/ip> (either source or destination is name/ip) Specifying the ports we are interested in dst port <number> src port <number> port <number> Makes sense only for TCP and UDP packets 32

Cheat Sheet Writing Filters (2) Specifying ICMP packets icmp Specifying UDP packets udp Specifying TCP packets tcp 33

Cheat Sheet Writing Filters (2) Combining filters and (&&) or ( ) not (!) Example: All tcp packets which are not from or to host quasar.cs.berkeley.edu tcpdump tcp and! host quasar.cs.berkeley.edu Lots of examples in the EXAMPLES section of the man page 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback