Lab 4: Network Packet Capture and Analysis using Wireshark


4.1 Details

Aim: To provide a foundation in network packet capture and analysis. You may be faced with network traffic analysis, either of traffic captured yourself or of monitoring data given to you by on-site IT staff. A popular tool for the capture and analysis of network traffic is Wireshark (formerly known as Ethereal).

4.2 Wireshark

The lab has two elements: the host machine (DESKTOP) and the Windows virtual image (WINDOWS2003), as shown in Figure 1.

Figure 1 - Lab 1 Architecture: the host PC DESKTOP (Windows XP, running VM Workstation) has a physical NIC at 146.176.160.10 and a virtual NIC on the 192.168.23.1 side of the VM network; the WINDOWS2003 server virtual machine has a virtual NIC at 192.168.23.129 and runs the Web, FTP and Telnet servers and the Wireshark packet analyser. Network traffic flows between the two over the virtual network.

An overview of Windows XP commands, to assist with the lab, can be found at:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds.mspx

The Wireshark User Guide, to assist with the lab, can be found at:
http://www.wireshark.org/docs/wsug_html_chunked/

Network Security Packet Capture & Analysis Rich Macfarlane

4.2.1 Run the Windows Server 2003 virtual image (open the .vmx file and power on the virtual machine). Log in to the server using Username: Administrator, Password: napier.

Within the virtual image, open a command line window and determine the virtual server's IP address using the Windows ipconfig command. Similarly, from DESKTOP, open a command line window and determine the IP address of the host PC using the Windows ipconfig command.

Complete the IP addressing diagram in Figure 2 by filling in the IP addresses of the host PC, the virtual server, and the network address which will be used to connect to the virtual image.

Figure 2 - Lab 1 IP Addressing (to be completed): Host PC DESKTOP (Windows XP, VM Workstation), physical NIC 146.176.___.___, virtual NIC 192.168.___.___; WINDOWS2003 server, virtual NIC 192.168.___.___.

4.2.2 To check connectivity, from DESKTOP, ping WINDOWS2003, and vice-versa. Were the pings successful? YES/NO

4.2.3 From WINDOWS2003, run the Wireshark application. When Wireshark is first run, a default, or blank, window is shown. To list the available network interfaces, select the Capture->Interfaces menu option as shown in Figure 3.

Figure 3 - Wireshark Interfaces

Wireshark should display a popup window such as the one shown in Figure 4. To capture network traffic, click the Start button for the network interface you want to capture traffic on.

Note: The Packets column, to the left of the Start button, shows the total number of packets seen on each interface, which is a quick way to identify the interface that is actually carrying traffic.

Figure 4 - Wireshark Interfaces Window

4.2.4 Generate some network traffic with a web browser from within WINDOWS2003. Your Wireshark window should show the traffic, and now look something like Figure 5.

Note: The web browser produced traffic to and from port 80, which Wireshark interprets as HTTP in the Protocol column. Wireshark chooses the dissector from the port number by default, so HTTP on a non-standard port will not be labelled HTTP, and anything sent to port 80 will be decoded as HTTP whether it is or not; the Analyze->Decode As option lets you override this choice.

Figure 5 - Wireshark Capturing Traffic (Packet List Panel, Packet Details Panel, Packet Bytes Panel)

To stop the capture, select the Capture->Stop menu option, press Ctrl+E, or click the Stop toolbar button. What you have created is a Packet Capture, or pcap, which you can now view and analyse using the Wireshark interface. The capture display is split into 3 parts:

1. Packet List Panel - this is a list of the packets in the current capture. It colours the packets based on the protocol type. When a packet is selected, its details are shown in the two panels below.

2. Packet Details Panel - this shows the details of the selected packet. It shows the different protocols making up the layers of data for this packet. Layers include Frame, Ethernet, IP, TCP/UDP/ICMP, and application protocols such as HTTP.

3. Packet Bytes Panel - this shows the packet bytes in Hex and ASCII encodings.

Search through your capture and find an HTTP packet containing a GET command. Click on the packet in the Packet List Panel, then expand the HTTP layer for that packet in the Packet Details Panel.

From the Packet Details Panel, within the GET command, what is the value of the Host parameter?

Can you see the Hex and ASCII showing the raw bytes in the Packet Bytes Panel?

4.2.5 A Packet Capture, or pcap, can be saved to disc for later analysis. To save a capture, select File->Save As and use the dialog box. This creates a .pcap file. This basic Save As saves all the captured packets to the file.

Note: A .pcap file is a common format which many tools can read and write. For example, a tcpdump or windump output file is in this format, and can be read into Wireshark for analysis. (Newer Wireshark releases save in the pcapng format by default; choose the pcap file type in the Save As dialog if another tool needs the older format.) Other useful network forensic tools which can operate on .pcap files include NetworkMiner, another capture and analysis tool; tcpstat, for generating capture statistics; and Snort, for generating intrusion alerts from capture files.
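The following is an added worked example, not part of the original lab sheet: it shows what the .pcap format that Wireshark, tcpdump and windump share actually looks like on disc, and how the Packet Details panel dissects a frame layer by layer (Frame, Ethernet, IP, TCP, HTTP) down to the Host header asked for above. The script builds one constructed Ethernet/IPv4/TCP frame carrying an HTTP GET for www.schneier.com (the MAC addresses and the server address 203.0.113.10 are placeholders; the client address 192.168.23.129 is the VM address from the lab topology), writes it with the libpcap global and record headers, reads it back, and decodes it. It uses only the Python standard library.

```python
# Added example (not from the lab sheet): write a minimal .pcap file, read it back
# and dissect Frame -> Ethernet -> IP -> TCP -> HTTP as the Packet Details panel does.
# The frame is constructed, not captured; MAC and IP addresses are placeholders
# chosen to match the lab topology (VM 192.168.23.129; 203.0.113.10 is a TEST-NET address).
import os
import struct
import tempfile

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1     # libpcap magic (usec timestamps), DLT_EN10MB
ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6
TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; a header with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, seq, ack, payload=b""):
    """Construct an Ethernet II / IPv4 / TCP frame (TCP checksum left at 0 for brevity)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]       # fill in the header checksum
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp

def write_pcap(path, frames, linktype=LINKTYPE_ETHERNET):
    """24-byte global header, then per frame a 16-byte record header: ts_sec, ts_usec, incl_len, orig_len."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame)

def read_pcap(path):
    """Return (linktype, [(timestamp, frame_bytes), ...]); the magic number reveals the byte order."""
    with open(path, "rb") as f:
        magic = f.read(4)
        endian = {struct.pack("<I", PCAP_MAGIC): "<", struct.pack(">I", PCAP_MAGIC): ">"}.get(magic)
        if endian is None:
            raise ValueError("not a libpcap file (pcapng starts with a different block header)")
        linktype = struct.unpack(endian + "HHiIII", f.read(20))[5]
        records = []
        while len(hdr := f.read(16)) == 16:
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", hdr)
            records.append((ts_sec + ts_usec / 1e6, f.read(incl_len)))
    return linktype, records

def decode(frame: bytes) -> dict:
    """Dissect one frame layer by layer, returning a dict keyed like Wireshark's field prefixes."""
    layers = {"frame": {"len": len(frame)},
              "eth": {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
                      "type": struct.unpack("!H", frame[12:14])[0]}}
    if layers["eth"]["type"] != ETHERTYPE_IPV4:
        return layers
    ihl = (frame[14] & 0x0F) * 4
    _, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    layers["ip"] = {"src": ".".join(map(str, s)), "dst": ".".join(map(str, d)), "ttl": ttl,
                    "proto": proto, "checksum_ok": ip_checksum(frame[14:14 + ihl]) == 0}
    if proto != IPPROTO_TCP:
        return layers
    off = 14 + ihl
    sport, dport, seq, ack, doff, flags, win, _, _ = struct.unpack("!HHIIBBHHH", frame[off:off + 20])
    payload = frame[off + (doff >> 4) * 4:14 + total_len]
    layers["tcp"] = {"srcport": sport, "dstport": dport, "seq": seq, "ack": ack,
                     "flags": flags, "window": win, "payload": payload}
    if 80 in (sport, dport) and payload:   # dissector chosen by port number, as Wireshark does by default
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
        hdrs = dict(h.partition(":")[::2] for h in head[1:])
        layers["http"] = {"request_line": head[0],
                          "headers": {k.strip().lower(): v.strip() for k, v in hdrs.items()}}
    return layers

def sample_frame() -> bytes:
    """Constructed HTTP GET from the WINDOWS2003 VM to a placeholder web server (PSH, ACK set)."""
    get = b"GET / HTTP/1.1\r\nHost: www.schneier.com\r\nUser-Agent: lab4\r\n\r\n"
    return build_frame("00:0c:29:12:34:56", "00:50:56:c0:00:08", "192.168.23.129", "203.0.113.10",
                       1045, 80, TCP_PSH | TCP_ACK, 1, 1, get)

def roundtrip(path=None) -> dict:
    """Save the sample frame to a .pcap, reload it and return the decoded layers of the first record."""
    path = path or os.path.join(tempfile.mkdtemp(), "lab4.pcap")
    write_pcap(path, [sample_frame()])
    linktype, records = read_pcap(path)
    if linktype != LINKTYPE_ETHERNET or records[0][1] != sample_frame():
        raise RuntimeError("pcap round-trip mismatch")
    return decode(records[0][1])

if __name__ == "__main__":
    layers = roundtrip()
    print("Host:", layers["http"]["headers"]["host"], "| IP checksum ok:", layers["ip"]["checksum_ok"])
```

The file written by write_pcap opens in Wireshark as a one-packet capture. Note that decode() labels the payload HTTP purely because port 80 is involved, which is the same port-based assumption Wireshark makes and the reason Decode As exists.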

Wireshark Analysis - Display Filters

4.2.6 Right click on the Source Port field in the Packet Details Panel. Select Apply as Filter->Selected. Wireshark automatically generates a Display Filter and applies it to the capture. The filter is shown in the Filter Bar, below the button toolbar. Only packets captured with a Source Port of the value selected should be displayed. The window should be similar to that shown in Figure 6. This same process can be performed on most fields within Wireshark, and the other Apply as Filter options (Not Selected, ... and Selected, ... or Selected) can be used to include or exclude traffic.

Note: A display filter only changes which packets are shown; every packet in the capture is still there. This is different from a capture filter, which decides what is recorded in the first place.

Figure 6 - Filter Bar (Display Filter Bar)

Wireshark Analysis - TCP Conversations

4.2.7 Start a capture, and generate some web traffic from the WINDOWS2003 virtual server by going to www.schneier.com, and then stop the capture. Scroll back to the top of the capture trace. Find the first SYN packet sent to the web server. This signifies the start of a TCP 3-way handshake.

If you are having trouble finding the first SYN packet, select the Edit->Find Packet menu option. Select the Display Filter radio button and enter a filter of tcp.flags. (at this point you should get a list of the flags to choose from). Choose the correct flag, tcp.flags.syn, and add == 1. Hit the Find button and the first SYN packet in the trace should be highlighted. Note that tcp.flags.syn == 1 also matches the server's SYN/ACK; to match only the client's opening SYN, use tcp.flags.syn == 1 && tcp.flags.ack == 0.

Note: The Find Packet function can also be used to search for a Hex signature, such as an attack signature, or to search for a string, such as a protocol command, in a Packet Capture (pcap).

Can you identify the rest of the TCP 3-way handshake easily? (if not, read on) YES/NO

4.2.8 A quick way to create a Wireshark Display Filter to isolate a TCP stream is to right click on a packet in the Packet List Panel and select Follow TCP Stream. This creates an automatic Display Filter which displays packets from that TCP session only. It also pops up a session display window containing an ASCII representation of the reassembled TCP session (client packets in red, server packets in blue). The window should look something like Figure 7.

Figure 7 - Follow TCP Stream

This is very useful for viewing human-readable protocol payloads of conversations, such as with the HTTP, SMTP and FTP protocols. For example, you can reconstruct web pages seen by a user, or view unencrypted email/IM conversations.

If you close the popup window, Wireshark now only shows the packets from the selected TCP stream. You should be able to identify the 3-way handshake as the first three packets.

From your Wireshark capture, fill in the diagram below with the IP addresses and port numbers for the client and the server. For each packet in the TCP 3-way handshake, fill in the Sequence and Acknowledgement numbers on the diagram below.

Client                                    Server
IP Address: ______  Port Number: ______   IP Address: ______  Port Number: ______

  1. Flags: SYN       Seq: ______                     ---->
  2. Flags: SYN, ACK  Seq: ______  Ack: ______        <----
  3. Flags: ACK       Seq: ______  Ack: ______        ---->

Note: By default Wireshark shows relative sequence numbers, so the SYN appears as Seq=0 and the SYN/ACK as Seq=0, Ack=1. The real 32-bit initial sequence numbers can be shown by turning off "Relative sequence numbers" in the TCP protocol preferences (Edit->Preferences->Protocols->TCP).
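As an added example (not from the lab sheet), the script below does in code what sections 4.2.7 and 4.2.8 do in the GUI: it finds the 3-way handshake by checking the Seq/Ack arithmetic rather than just the flags, converts absolute sequence numbers to Wireshark-style relative ones (each side's initial sequence number becomes 0), and reassembles each direction of the stream the way Follow TCP Stream does. The segments are constructed: the client is the VM at 192.168.23.129 on port 1045, the server is a placeholder 203.0.113.10 on port 80, and the initial sequence numbers, payloads and the deliberate retransmission are made up.

```python
# Added example (not from the lab sheet): identify a TCP 3-way handshake, show Wireshark-style
# relative Seq/Ack numbers, and follow the stream. All segments are constructed; the IPs,
# ports, initial sequence numbers and payloads are placeholders.
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = [(SYN, "SYN"), (PSH, "PSH"), (FIN, "FIN"), (RST, "RST"), (ACK, "ACK")]  # Wireshark order

@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int
    payload: bytes = b""

    def flag_str(self) -> str:
        return ", ".join(name for bit, name in FLAG_NAMES if self.flags & bit)

def stream_key(seg):
    """Order-independent 4-tuple, so both directions of a conversation share one key (tcp.stream)."""
    return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))

def find_handshake(segments):
    """Return (SYN, SYN/ACK, ACK) for the first complete handshake, checking the ack arithmetic."""
    for i, syn in enumerate(segments):
        if not (syn.flags & SYN and not syn.flags & ACK):      # tcp.flags.syn==1 && tcp.flags.ack==0
            continue
        same = [s for s in segments[i + 1:] if stream_key(s) == stream_key(syn)]
        for j, synack in enumerate(same):
            if ((synack.flags & (SYN | ACK)) == (SYN | ACK) and synack.src == syn.dst
                    and synack.ack == (syn.seq + 1) & 0xFFFFFFFF):
                for ack in same[j + 1:]:
                    if (ack.flags & ACK and not ack.flags & SYN and ack.src == syn.src
                            and ack.seq == synack.ack and ack.ack == (synack.seq + 1) & 0xFFFFFFFF):
                        return syn, synack, ack
    return None

def relative_numbers(segments, syn, synack):
    """Wireshark's 'relative sequence numbers': each side's ISN becomes 0, so the SYN shows Seq=0."""
    isn = {(syn.src, syn.sport): syn.seq, (synack.src, synack.sport): synack.seq}
    rows = []
    for s in segments:
        me, peer = (s.src, s.sport), (s.dst, s.dport)
        if me not in isn:
            continue
        rel_seq = (s.seq - isn[me]) & 0xFFFFFFFF
        rel_ack = (s.ack - isn[peer]) & 0xFFFFFFFF if s.flags & ACK else 0
        rows.append((f"{s.src}:{s.sport} -> {s.dst}:{s.dport}", s.flag_str(), rel_seq, rel_ack))
    return rows

def follow_stream(segments, key):
    """Reassemble each direction's payload in sequence order, ignoring retransmitted duplicates."""
    chunks = {}
    for s in segments:
        if stream_key(s) != key or not s.payload:
            continue
        chunks.setdefault((s.src, s.sport), {}).setdefault(s.seq, s.payload)   # first copy wins
    return {f"{ip}:{port}": b"".join(d[k] for k in sorted(d)) for (ip, port), d in chunks.items()}

def sample_capture():
    """Constructed capture: handshake, GET (sent twice to simulate a retransmission), response, FIN."""
    c, s = ("192.168.23.129", 1045), ("203.0.113.10", 80)
    get = b"GET / HTTP/1.1\r\nHost: www.schneier.com\r\n\r\n"
    rsp = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
    cisn, sisn = 0x7A3F1000, 0x1B2C3D4E                      # made-up initial sequence numbers
    return [
        Segment(*c, *s, SYN, cisn, 0),
        Segment(*s, *c, SYN | ACK, sisn, cisn + 1),
        Segment(*c, *s, ACK, cisn + 1, sisn + 1),
        Segment(*c, *s, PSH | ACK, cisn + 1, sisn + 1, get),
        Segment(*c, *s, PSH | ACK, cisn + 1, sisn + 1, get),          # retransmission
        Segment(*s, *c, ACK, sisn + 1, cisn + 1 + len(get)),
        Segment(*s, *c, PSH | ACK, sisn + 1, cisn + 1 + len(get), rsp),
        Segment(*c, *s, FIN | ACK, cisn + 1 + len(get), sisn + 1 + len(rsp)),
    ]

if __name__ == "__main__":
    segs = sample_capture()
    syn, synack, ack = find_handshake(segs)
    for row in relative_numbers(segs, syn, synack):
        print("%-42s %-10s Seq=%d Ack=%d" % row)
    for side, data in follow_stream(segs, stream_key(syn)).items():
        print(side, data.decode())
```

Checking the ack arithmetic matters: a scanner's SYN with no reply, or a SYN/ACK whose Ack does not equal the client's Seq+1, is not a handshake, and relying on flags alone would mislabel it.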

4.2.9 Often captures should be saved to disc for later analysis. To save a capture, select File->Save As and use the dialog box as normal. This creates a pcap file, which many tools read and write; for example, a tcpdump output file is in this format and can be read into Wireshark for analysis. This saves all the captured packets to the file.

Did you successfully save your capture to disc?

Copy the Display Filter into the clipboard, then close and start Wireshark again and reload the file. Was the whole capture saved, or just the displayed packets?

Paste the display filter back into the Filter Bar and Apply it. To save only the displayed packets, select File->Save As again, but this time select the Displayed radio button rather than the default Captured. This creates a pcap file containing only the packets matched by the current display filter. This can be useful when analysing large captures, as the interesting packets can be saved to a smaller file for further work; keep the original capture as well, since the packets you filtered out may be the context you need later.

Close and start Wireshark again, then reload the file. Was the whole capture saved, or just the displayed packets?

4.2.10 Start another capture, and generate some web traffic from the DESKTOP host by going to www.schneier.com again, and then stop the capture. Scroll back to the top of the capture trace.

Note: Some useful display filters can be found at: http://wiki.wireshark.org/displayfilters

Create a display filter to show only web traffic involving the DESKTOP host. What is the display filter?

Wireshark Analysis - Statistics

4.2.11 Wireshark provides a Statistics menu, which provides tools to help narrow the focus of a network forensic investigation, including overall statistics, conversations, and information on the systems involved in the conversations.

Start the capture, and generate some web traffic by going to www.schneier.com, then stop the capture and select the Statistics->Protocol Hierarchy menu option. A window similar to that shown in Figure 8 should be shown, displaying statistics about the pcap. Note that all the packets are L2 Ethernet (Local Area Network) frames, and that at the transport layer most of the packets are TCP, but some are UDP.

Figure 8 - Protocol Statistics

What percentage of packets in your capture are TCP? Give an example of a higher level protocol which uses TCP.

What percentage of packets in your capture are UDP? Give an example of a higher level protocol which uses UDP. (Use Figure 9.)

Figure 9 - Network Model with Protocols

OSI Model       Example Protocols     TCP/IP Model
Application     HTTP, FTP, SMTP       Application
Presentation
Session
Transport       TCP, UDP              Transport
Network         IP, ICMP              Internet
Data Link       Ethernet, ATM         Network
Physical

4.2.12 Select the Statistics->Flow Graph menu option. Choose the General Flow and Network Source options and click the OK button. A window similar to that shown in Figure 10 should be displayed, visualising the flow of traffic. Other useful options in the Statistics menu include Statistics->IP Addresses, which categorises the traffic of every IP address in the current pcap capture, and Statistics->Conversations, which lists each pair of communicating endpoints with the packets and bytes exchanged between them.

Figure 10 - Traffic Flow Graph
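The script below is an added example, not part of the original lab sheet, and reproduces the three Statistics views used in sections 4.2.11 and 4.2.12 from a list of packet summaries: the Protocol Hierarchy (packets and bytes at each layer, with the percentages the questions above ask for), the per-address endpoint table, and a text version of the Flow Graph. The packet summaries are constructed to resemble a short browsing session from the WINDOWS2003 VM (a DNS lookup, a TCP handshake, an HTTP request and response, and an ARP request); the frame lengths, the DNS server 192.168.23.2 and the web server 203.0.113.10 are placeholders.

```python
# Added example (not from the lab sheet): Protocol Hierarchy, endpoint table and a text
# Flow Graph computed from a constructed list of packet summaries. Lengths and addresses
# are placeholders; the layer stacks use Wireshark's protocol names.
from collections import Counter, defaultdict

# (frame number, layer stack, frame length in bytes, src, dst, Info column)
SAMPLE = [
    (1, ("eth", "ip", "udp", "dns"), 74, "192.168.23.129", "192.168.23.2", "Standard query A www.schneier.com"),
    (2, ("eth", "ip", "udp", "dns"), 90, "192.168.23.2", "192.168.23.129", "Standard query response A"),
    (3, ("eth", "ip", "tcp"), 62, "192.168.23.129", "203.0.113.10", "1045 -> 80 [SYN]"),
    (4, ("eth", "ip", "tcp"), 62, "203.0.113.10", "192.168.23.129", "80 -> 1045 [SYN, ACK]"),
    (5, ("eth", "ip", "tcp"), 54, "192.168.23.129", "203.0.113.10", "1045 -> 80 [ACK]"),
    (6, ("eth", "ip", "tcp", "http"), 420, "192.168.23.129", "203.0.113.10", "GET / HTTP/1.1"),
    (7, ("eth", "ip", "tcp"), 54, "203.0.113.10", "192.168.23.129", "80 -> 1045 [ACK]"),
    (8, ("eth", "ip", "tcp", "http"), 1514, "203.0.113.10", "192.168.23.129", "HTTP/1.1 200 OK"),
    (9, ("eth", "ip", "tcp"), 54, "192.168.23.129", "203.0.113.10", "1045 -> 80 [FIN, ACK]"),
    (10, ("eth", "arp"), 42, "192.168.23.129", "192.168.23.1", "Who has 192.168.23.1?"),
]

def protocol_hierarchy(packets):
    """Packets and bytes for every prefix of the layer stack, like Statistics->Protocol Hierarchy.

    A frame is counted once at each level it contains, so a child's percentage never exceeds
    its parent's and the top level ("eth" here) is always 100 %.
    """
    pkts, byts = Counter(), Counter()
    total_pkts, total_bytes = len(packets), sum(p[2] for p in packets)
    for _, layers, length, *_ in packets:
        for depth in range(1, len(layers) + 1):
            pkts[layers[:depth]] += 1
            byts[layers[:depth]] += length
    return [(path, pkts[path], round(100 * pkts[path] / total_pkts, 1),
             byts[path], round(100 * byts[path] / total_bytes, 1)) for path in sorted(pkts)]

def percent_of(packets, *path):
    """Percentage of frames whose layer stack starts with `path`, e.g. ("eth", "ip", "tcp")."""
    for row in protocol_hierarchy(packets):
        if row[0] == tuple(path):
            return row[2]
    return 0.0

def endpoints(packets):
    """Per-address transmitted/received packets and bytes, like Statistics->IP Addresses / Endpoints."""
    table = defaultdict(lambda: {"tx_pkts": 0, "tx_bytes": 0, "rx_pkts": 0, "rx_bytes": 0})
    for _, _, length, src, dst, _ in packets:
        table[src]["tx_pkts"] += 1
        table[src]["tx_bytes"] += length
        table[dst]["rx_pkts"] += 1
        table[dst]["rx_bytes"] += length
    return dict(table)

def flow_graph(packets):
    """Chronological text rendering of who talked to whom, like Statistics->Flow Graph."""
    hosts = sorted({h for _, _, _, s, d, _ in packets for h in (s, d)})
    col = {h: i for i, h in enumerate(hosts)}
    lines = ["frame  " + "  ".join(f"{h:<15}" for h in hosts)]
    for num, _, _, src, dst, label in packets:
        a, b = sorted((col[src], col[dst]))
        cells = [" " * 15] * len(hosts)
        for i in range(a, b + 1):
            cells[i] = "-" * 15
        left_to_right = col[src] < col[dst]
        cells[col[src]] = "o" + "-" * 14 if left_to_right else "-" * 14 + "o"
        cells[col[dst]] = "-" * 14 + ">" if left_to_right else "<" + "-" * 14
        lines.append(f"{num:>5}  " + "  ".join(cells) + "  " + label)
    return "\n".join(lines)

def render_hierarchy(rows):
    """Indented tree like the Protocol Hierarchy window."""
    return "\n".join(f"{'  ' * (len(path) - 1)}{path[-1]:<8}{n:>4} pkts {pct:5.1f}%"
                     f"  {b:>6} bytes {bpct:5.1f}%" for path, n, pct, b, bpct in rows)

if __name__ == "__main__":
    print(render_hierarchy(protocol_hierarchy(SAMPLE)))
    print("TCP:", percent_of(SAMPLE, "eth", "ip", "tcp"), "%  UDP:", percent_of(SAMPLE, "eth", "ip", "udp"), "%")
    for host, stats in endpoints(SAMPLE).items():
        print(host, stats)
    print(flow_graph(SAMPLE))
```

On the constructed sample, 70 % of frames are TCP and 20 % are UDP by packet count, but TCP carries over 90 % of the bytes because of the 1514-byte HTTP response; Wireshark's Protocol Hierarchy shows both columns for exactly this reason, and the byte column is usually the better guide to where the interesting payload is.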