Wireshark- Looking into the Packet. Henry A. McKelvey, MIS. Blacks in Technology

Similar documents
Experiment 2: Wireshark as a Network Protocol Analyzer

Muhammad Farooq-i-Azam CHASE-2006 Lahore

Computer Networks A Simple Network Analyzer Decoding Ethernet and IP headers

Computer Networks A Simple Network Analyzer PART A undergraduates and graduates PART B graduate students only

Introduction to OSI model and Network Analyzer :- Introduction to Wireshark

COMP2330 Data Communications and Networking

ECE4110 Internetwork Programming. Introduction and Overview

A Simple Network Analyzer Decoding TCP, UDP, DNS and DHCP headers

Network Analyzer :- Introduction to Wireshark

TCP /IP Fundamentals Mr. Cantu

Protocol Layers & Wireshark TDTS11:COMPUTER NETWORKS AND INTERNET PROTOCOLS

IP Network Troubleshooting Part 3. Wayne M. Pecena, CPBE, CBNE Texas A&M University Educational Broadcast Services - KAMU

Lab - Using Wireshark to Examine a UDP DNS Capture

Lab - Using Wireshark to Examine a UDP DNS Capture

Material for the Networking lab in EITF25 & EITF45

Inside Products TCP Problem Finder Thinking Inside the Box

Lab Assignment 4 ECE374 Spring Posted: 03/22/18 Due: 03/29/18. In this lab, we ll take a quick look at the ICMP and IP protocols.

Chapter 20 Network Layer: Internet Protocol 20.1

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

Hands-On Hacking Techniques 101

Problem Set 7 Due: Start of Class, November 2

TCP/IP Networking Basics

Data Structures and Algorithms Dr. Naveen Garg Department of Computer Science and Engineering Indian Institute of Technology, Delhi.

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

This tutorial will help you in understanding IPv4 and its associated terminologies along with appropriate references and examples.

Wireshark Lab: Getting Started

The ACK and NACK of Programming

ITTC Communication Networks Laboratory The University of Kansas EECS 563 Introduction to Protocol Analysis with Wireshark

EE 610 Part 2: Encapsulation and network utilities

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

Wireshark Lab: Getting Started v6.0

Network Model. Why a Layered Model? All People Seem To Need Data Processing

ELEC5616 COMPUTER & NETWORK SECURITY

Objectives: (1) To learn to capture and analyze packets using wireshark. (2) To learn how protocols and layering are represented in packets.

Packet Capturing with TCPDUMP command in Linux

ch02 True/False Indicate whether the statement is true or false.

ITTC Communication Networks Laboratory The University of Kansas EECS 780 Introduction to Protocol Analysis with Wireshark

Wireshark Lab: Getting Started

Review of Important Networking Concepts

Internetworking models

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Lab: 2. Wireshark Getting Started

HPE Knowledge Article

Introduction to OSI model and Network Analyzer :- Introduction to Wireshark

Position of IP and other network-layer protocols in TCP/IP protocol suite

User Datagram Protocol

Lecture (11) OSI layer 4 protocols TCP/UDP protocols

CS 356: Computer Network Architectures. Lecture 10: IP Fragmentation, ARP, and ICMP. Xiaowei Yang

BSc Year 2 Data Communications Lab - Using Wireshark to View Network Traffic. Topology. Objectives. Background / Scenario

19: Networking. Networking Hardware. Mark Handley

Goals for Today s Class. EE 122: Networks & Protocols. What Global (non-digital) Communication Network Do You Use Every Day?

Computer Networks Security: intro. CS Computer Systems Security

Protocol Analysis: Capturing Packets

BIT RATE CALCULATION WITH BARIX DEVICES

(ICMP), RFC

CS4450. Computer Networks: Architecture and Protocols. Lecture 13 THE Internet Protocol. Spring 2018 Rachit Agarwal

REVIEW: A LOOK AT A PORTABLE USB3 NETWORK TAP WIRESHARK HEROES SERIES VISIT

Network Layer (1) Networked Systems 3 Lecture 8

TCP Performance Analysis Based on Packet Capture

UNIT IV -- TRANSPORT LAYER

ECE 158A: Lecture 7. Fall 2015

K2289: Using advanced tcpdump filters

Need For Protocol Architecture

Need For Protocol Architecture

WHITE PAPER: THE REALITY OF MEETING YOUR DATA VISUALIZATION DEMANDS! VISIT

Internet Control Message Protocol (ICMP), RFC 792. Prof. Lin Weiguo Copyleft 2009~2017, School of Computing, CUC

Guide to TCP/IP, Third Edition. Chapter 3: Data Link and Network Layer TCP/IP Protocols

Connectionless and Connection-Oriented Protocols OSI Layer 4 Common feature: Multiplexing Using. The Transmission Control Protocol (TCP)

D-STAR Review & Final Exam

Lab Exercise Protocol Layers

Ethereal Lab: Getting Started

ECE 358 Project 3 Encapsulation and Network Utilities

SSC-D02 HOMEWORK 2. Jean-Yves Le Boudec. November 6, 2002

STEVEN R. BAGLEY PACKETS

Chapter 1 Introduction

Lab Exercise UDP. Objective. Requirements. Step 1: Capture a Trace

Review of Important Networking Concepts. Recall the Example from last lecture

Networking Technologies and Applications

Wireshark Lab: Getting Started v7.0

NEW YORK CITY COLLEGE OF TECHNOLOGY/CUNY Computer Systems Technology Department

Wireshark Lab Ethernet And Arp Solution

PART X. Internetworking Part 1. (Concept, IP Addressing, IP Routing, IP Datagrams, Address Resolution)

SCTP. Stream Control Transmission Protocol. François Buntschu. Ecole d Ingénieurs et d Architectes de Fribourg HES-SO

Wireshark Lab: Getting Started v7.0

CPSC156a: The Internet Co-Evolution of Technology and Society. Lecture 4: September 16, 2003 Internet Layers and the Web

Introduction to TCP/IP networking

So What is WireShark?

CSCI-GA Operating Systems. Networking. Hubertus Franke

CSE/EE 461 The Network Layer. Application Presentation Session Transport Network Data Link Physical

Interface The exit interface a packet will take when destined for a specific network.

Cisco Nexus 7000 Series Architecture: Built-in Wireshark Capability for Network Visibility and Control

Jonathan Wald and Jason Zigelbaum (A project report written under the guidance of Prof.

Internet. Organization Addresses TCP/IP Protocol stack Forwarding. 1. Use of a globally unique address space based on Internet Addresses

CLIENT SERVER ARCHITECTURE:

CE3005: Computer Networks Laboratory 3 SNIFFING AND ANALYSING NETWORK PACKETS

The trace is here:

Chapter 7. Local Area Network Communications Protocols

LAB 1 HOW THE WEB WORKS

Sirindhorn International Institute of Technology Thammasat University

Flowreplay Design Notes

Transcription:

WIRESHARK- LOOKING INTO THE PACKET 1 Wireshark- Looking into the Packet Henry A. McKelvey, MIS Blacks in Technology

WIRESHARK- LOOKING INTO THE PACKET 2 Wireshark- Looking into the Packet Protocol Analysis is one of the best methods for troubleshooting network problems in and out of the cloud. Having designed, created and implemented technology for analyzing the cloud network. I think it is time to look at ways of defining the cloud from the inside out. One of the most interesting things about networks is that they usually tell you if there is a problem. Three basic issues occur with networks; slow throughput, no throughput, and corrupted data. Many things cause these issues to occur, and many events may occur because of these three issues, but these are the core. Incorrect configuration of switches/routers may cause these issues to occur. Incorrectly configured servers may also cause these issues to occur. The important thing is to be able to tell what is happening and why. This is where protocol analysis comes in. Protocol analyzers allows the network, or systems administrator to see what is occurring on the network, or what their systems are responding to and how. For instance, the protocol analyzer divides the transaction of packets up into usually 5-6 divisions of function based on the TCP/IP protocol stack.

WIRESHARK- LOOKING INTO THE PACKET 3 The Background First, you have Frame data (bytes on the wire) which constitutes the information linked to the Frame (Interface ID, Encapsulation Type, Time data, Frame Number, Frame Length, Protocols in Frame, etc...) This data can be used to help troubleshoot Layer 1 issues and situations if the network (Physical Layer) baseline is known. Second, you have the Data Link Layer data (Based on Encapsulation Type) which constitutes the information linked to the data link mode of your system, usually Ethernet, but can include Frame Relay, ATM, or other Layer two technologies. The sections covered in Ethernet are Source Media Access Control Address, Destination Media Access Control Address. Information gathered from Address Resolution Protocol (Source MAC Address, and Destination Internet Protocol Address linked to MAC Address, Source and Destination LG and IG bits used to show globally unique address and individual address positions (Extracted from the MAC Address) and then the Ether Type for Ethernet, this is 0x0800.

WIRESHARK- LOOKING INTO THE PACKET 4 Third, you have the Internet-working Layer data. This section includes the IP Version (4 or 6), header length, Differentiated Services, Explicit Congestion Notification (ECN), total length of packet, packet identification, flags (Reserved bit, Don t Fragment, More Fragments, Fragment Offset, Time To Live, Protocol (TCP/UDP), header checksum, checksum data, source and destination domain to IP link.) Fourth, you have the Transmission Control Protocol layer data, which gives you the source and destination port data, sequence number, acknowledgement number, header length, flags (reserved, nonce, congestion window reduced, ECN-echo, urgent, acknowledgement, push, reset, synchronization, and finish), window size, checksum, and analysis of sequence and acknowledgement length. Fifth, you have the data, which is sent or as it is called the payload. The data also includes its Now, you might ask, What is this review of the protocol stack for? Well it is to show you, the reader, that the protocol analyzer can contain data that you need to complete your work or at least tell you where a problem may exist. For instance, I was working on a project and one of the programmers was having a problem getting her program to run. The young woman was a pure programmer with no knowledge of network or other data resources experience. She knew how to program and that was it. Therefore, it was no surprise when she made a call to a process to execute a command on another system her program would fail. She traced the fault to a

WIRESHARK- LOOKING INTO THE PACKET 5 command that made a system call using a socket (IP Address: Port). She was told by her project manager to talk to one of the network people (me) about the issue, so what did I do. On her system, I installed a protocol analyzer and looked at her interface, just as expected the program could not locate the asset online. Therefore, I told her that the program was working fine and that before the system call she should write some code to do a resource check that would either put the program into a wait condition with periodic checks or throw an exception that states that the resource is busy and to try again later. She wrote the code to do both and when the remote system was back up and running the program ran without a problem. This is one example of how protocol analysis can be used to aid in network troubleshooting that extends into the realm of programming. The program was making use of cloud assets, which permitted the use of a protocol analyzer. Why is this important? As more programming ventures into remote or virtual connections, as in connecting to virtualized and cloud-based systems, the use of protocol analysis will become more commonplace. A once ignored facet of network troubleshoot is going to become a widely used method of verifying network connectivity of virtualized and cloud based systems. There are many Protocol analyzers out there and they all function in and about the same. However, there is a complexity involved with using a protocol analyzer to troubleshoot network wide issues and events. I experienced this while working at Verizon. I was helping a colleague troubleshoot a network problem, which required the use of multiple protocol analyzers installed to provide data as to correlate network events with network problems, using the multiple analysis

WIRESHARK- LOOKING INTO THE PACKET 6 systems was easy but correlating the data was not, because the units were not synced up and the data was captured at different times. It was during this comedy of errors that an idea emerged, that leads to a method being developed to provide correlation to the protocol analysis/ capture process. After some time and effort, we (Jimmie Peterman, Rosa Underwood, Emory Young, and I) developed a way to capture, and correlate data that could be used on Enterprise Networks to troubleshoot events in such a way a person could tell what was happening without having to have an extensive knowledge of the network. The method and device was the subject of patent application 20110317562 and the subsequent granting of United States Patent US8064350. Understanding the layout of the protocol analyzer is one thing, but looking at it for the data that can be harvested from a capture is the power of the analyzer. I have attached a file to this document to help you understand how read a protocol analyzer during a simple troubleshooting exercise that will be discussed in the latter part of this paper. For now let us discuss the technology of protocol analysis. The Technology To some of you this may appear to be a mundane exercise, but one thing I have seen consistently is the writing of programs for use on the Internet/Cloud and people having problems with the application of remote sockets. This is a problem made for the use of a protocol analyzer. There was a time where the protocol analyzer was used only for network troubleshooting. To use

WIRESHARK- LOOKING INTO THE PACKET 7 a protocol analyzer you had to invest in a system that may have cost thousands of dollars, but because of the open source movement, you now have a choice of free very well coded software based protocol analyzes such as Wireshark (I use this one so this will be about Wireshark). Like I had mentioned in the past your choices were limited to some very costly equipment such as the Hardware based Radcom Protocol Analyzer, Teledyne LeCroy Analyzer, and the HP/Agilent LAN Analyzer, on the software side you have EtherPeek and Agilent s analyzer software. The fact was to do protocol analysis you had to spend a lot of money, which put the proper troubleshooting of network problems out of the range of most small companies. Then the Security Administrator Tool for Analyzing Networks (SATAN) was invented. SATAN is a tool to help systems administrators. It recognizes several common networkingrelated security problems, and reports the problems without actually exploiting them (porcupine.org, 1995). SATAN permitted for the first time (open source tool wise) the viewing of network activity in response to network stimuli. This opened the door for other advancements such as Ethereal, which was the first full, featured open source protocol analyzer. Now, take into mind that it was not the first open source protocol analyzer, it was the first full featured protocol analyzer (there is a difference). Ethereal remained the number 1 free open source protocol analyzer for years, before finally being surpassed by Wireshark. Now, this is another gotcha Wireshark is Ethereal all grown up. Wireshark expanded on the feature sets of Ethereal and

WIRESHARK- LOOKING INTO THE PACKET 8 added a lot of support for other network technologies that were left out of the Ethereal feature set. Now since we all like free stuff, I am going to guess that Wireshark is looking good to you now as a possible alternative to the standard protocol analyzers. If so, go on line and download it. It will load two major pieces of code the first is the Wireshark package, which includes the analyzer and the protocol modules. The next piece of code is the subsystem that permits the capture of packets over the network interface, this code is called pcap (for UNIX/Linux) or to be more inclusive WinPcap (For Windows). I would be amiss if I did not discuss pcap and its role in the use of protocol analysis. Packet capture (pcap) is a command line tool that contains the APIs, which permit the capturing of packets over the network interface of a system. The program itself from what I know is written in C. This permits higher-level languages (Java, TCL,.Net, and other scripting type languages) to pass and receive variables/data-sets and to interact with the pcap program in an almost seamless fashion. In fact, on Linux and UNIX systems TCPDUMP uses the pcap library (libpcap) to provide packet capture output. *Note: The TCPDUMP group wrote pcap. Packet Capture (pcap) can be used as a standalone program or a wrapper (Ethereal, Wireshark) that permits GUI use of the library can access it. Many programs use the pcap library, which makes it one of the most used programs in the network arena.

WIRESHARK- LOOKING INTO THE PACKET 9 Now since we have discussed the histories of Wireshark and Pcap, let s get into the actual use technology embodied by these two programs. When used in unison the two programs are able to provide information as to the condition of the packets in a network. The next part of this three-part blog will be how Wireshark works. I will be examining a way of troubleshooting a web site problem using two Protocol Analyzers. This method will be based on a system that I helped design and was the topic of US patent # 7,899,323, MULTI-INTERFACE PROTOCOL ANALYSIS SYSTEM. Now take into mind that I will not be doing the full implementation of patent #7,899,323 just a subset that will permit me to show how to use Wireshark and TCPDUMP to troubleshoot problems in the cloud. The Application This is the fun part; first we need to know what a good web site session looks like using Wireshark. This paper has attached to it a file containing a Wireshark capture of a good web site session to www.google.com and other sites. The start of all troubleshooting begins with the development of a baseline capture to level-set readings. This is done to provide a comparison between a good reading and a possible bad reading. I will use a real life problem I experienced troubleshooting a problem on an executive s computer at a company where I use to work. Starting off here is an analog of a baseline capture file:

WIRESHARK- LOOKING INTO THE PACKET 10 To use this file you must first have Wireshark and WinPcap installed on your Windows machine. If you do not have it please install it now. If you have Linux it will come with your Linux distribution if not use one of the two methods of installation on the Wireshark web site to install Wireshark on your Linux or Windows machine. Once Wireshark and Pcap are installed. Click on the Baseline.pcap file. This will open the file up in you Wireshark program. At this point the output will look like this: (See Next Page) Figure 2

WIRESHARK- LOOKING INTO THE PACKET 11 Wireshark Capture without Network Layer Decode This will give you the raw TCP\IP data without decoding it for URL viewing. To allow network decoding to take place, follow these instructions: 1) On the menu bar item View 2) Select Name Resolution 3) Click on Enable for Network Layer 4) On menu bar click on Reload symbol The screen should now look like this:

WIRESHARK- LOOKING INTO THE PACKET 12 Figure 3 Wireshark Capture with Network Layer Decode Notice in Figure 2 on line 4 you have the IP address of 75.75.75.75, then on line 4 of Figure 3 you have the domain name of cdns.comcast.net this shows that the system decoded the IP Address into its domain name equivalent. This is vital in troubleshooting this problem. Since this is the baseline we can consider this file to be good in comparison to the next capture (The infected machine). (See Figure 4)

WIRESHARK- LOOKING INTO THE PACKET 13 The infected machine has the following problem. When the user selects www.google.com they are sent to a failsafe page for yahoo.com. This in and of itself is no problem but it denotes a possible issue with web site locals. The following is a lesson in how to use protocol analysis to solve this problem. The following is a copy of the infected.pcap file: From your machine open up the infected.pcap file Click on the infected.pcap file. This will open the file up on your Wireshark program. At this point the output will look like this: (See Next Page):

WIRESHARK- LOOKING INTO THE PACKET 14 Figure 4 Wireshark Capture without Network Layer Decode This will give you the raw TCP\IP data without decoding it for URL viewing. To allow network decoding to take place, follow these instructions: 1) On the menu bar item View 2) Select Name Resolution

WIRESHARK- LOOKING INTO THE PACKET 15 3) Click on Enable for Network Layer 4) On menu bar click on Reload symbol The screen should now look like this: Figure 5

WIRESHARK- LOOKING INTO THE PACKET 16 Wireshark Capture with Network Layer Decode If you notice what is happening on the wireshark screen it is telling you that the IP Address of 98.139.144.130 is connected to the yahoo.com site and not the google.com. By performing an nslookup on the infected machine you get this: Figure 6 nslookup of Google on the Infected Machine

WIRESHARK- LOOKING INTO THE PACKET 17 Taking into mind what is happening; here we can see that the nameserver lookup and the domain name that occurred as the result of the web search are not the same. In fact the IP Addresses to google.com are in the 75.125.131.xxx range. Performing nslookup on your machine you get: Figure 7 nslookup of Google and Yahoo on the Baseline Machine

WIRESHARK- LOOKING INTO THE PACKET 18 Using simple logic at this point you can surmise something other than the nslookup is supplying the errant IP Address, the question is what can do this? Granted this was a simple problem, but it shows the use of Wireshark in proving there was a problem within the system. In conclusion, it can be said that wireshark is one of the most useful tools in finding out what problems may exists on your network. However there are many features that Wireshark has which must be learnt to master this tool. Here is some suggested reading material and web sites for those who may want to develop further skill in using Wireshark: http://www.wiresharktraining.com/ http://www.amazon.com/s/?ie=utf8&keywords=wireshark&tag=googhydr- 20&index=aps&hvadid=21387143575&hvpos=1t1&hvexid=&hvnetw=g&hvrand=1041059935155915014 7&hvpone=&hvptwo=&hvqmt=b&hvdev=c&ref=pd_sl_2789p0sl8p_b Read and enjoy using Wireshark.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback