Introduction to Packet Sniffing

8/6/2019 Introduction to Packet Sniffing

1/63

Introduction to Packet Sniffingusing Ethereal 0.10.9

Rob BerginNetwork Engineer

The Timberland Company


2/63

Non-Technical

Currently Data just travels

around your network like a

train. With a packet sniffer, get

the ability to capture the dataand look inside the packets to

see what is actually moving

long the tracks.


3/63

Technical


4/63

Ethereal (and WinPcap)

Ethereal Application for Sniffing Packets

WinPcap open source library for packet capture

Operating System Windows & Unix/Linux

NPF device driver Network Driver

(WinPcap runs as a protocol driver like TCP.SYS)

Network Card Drivers


5/63

WinPcap Architecture

Frame 1

WinPcap is an open source library for packet capture and network analysis for the

Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link

library (packet.dll), and a high-level and system-independent library (wpcap.dll,

based on libpcap version 0.6.2).

The packet filter is a device driver that adds to Windows 95, 98, ME, NT, 2000,XP and 2003 the ability to capture and send raw data from a network card, with

the possibility to filter and store in a buffer the captured packets.

Packet.dll is an API that can be used to directly access the functions of the packet

driver, offering a programming interface independent from the Microsoft OS.

Wpcap.dll exports a set of high level capture primitives that are compatible with

libpcap, the well known Unix capture library. These functions allow to capturepackets in a way independent from the underlying network hardware and

operating system.

WinPcap is released under a BSD-style license.


6/63

Ethereal Application

Requires WinPcap for Captures

Can run standalone to examine captures


7/63

A Capture

Frame 1 Frame 2 Frame 3 Frame 4 Frame 5 Frame 6

Lets define a capture as a period of time that Ethereal

captured data frames.

Frames can be assembled to examine application traffic


8/63

Recap

Packet Sniffing

Ethereal

Data Frame Architecture WinPcap

Network Capture


9/63

Basic TCP/IP Stuff


10/63

Interoperable TCP/IP

TCP/IP is Transmission Control Protocol/InternetProtocol) is a suite of network protocols.

TCP and IP are two separate protocols

TCP handles the data (HTTP vs. FTP vs. Telnet)

IP handles the data transmission (i.e. between routers).

TCP/IP protocols were designed to allow differentapplications running on dissimilar operating systems tocommunicate across a network.


11/63

Watch your Headers

TCP / UDP

- Ports not Addresses

- Layer 4 not 3

- FTP uses 20 and 21

IP

- Addresses not Ports

- Layer 3 not 4

- 192.168.1.1 (octet)


12/63

TCP

TCP is connection-oriented transport layer protocol

designed to provide a reliable connection for data

exchange between two systems.

TCP ensures that all packets are properly sequenced

and acknowledged and that a connection is established

before data is sent.

TCP provides it reliability through the use of an

acknowledgement orACK.


13/63

TCP

If a receiving system had to send an ACK for every

packet, the result would be an incredible amount of

overhead for the network.

To reduce the overhead, a mechanism called

windowing is used.

Windowing is a method of flow control.


14/63

TCP

The receiving system advertises a certain number ofpackets that it can receive at a time (input buffer size.)

The sending system watches for an ACK after thedesignated number of packets is sent.

If an ACK is not received, data will be retransmitted fromthe point of the last ACK.


15/63

UDP

UDP (User Datagram Protocol) provides an unreliable,connectionless protocol to deliver packets.

This protocol allows messages, called datagrams, to besent without the overhead of ACKs, establishedconnections, and sequencing.

Applications that use UDP as their communications

mechanism include NFS (2049), TFTP (79), DNS (53)and Unreal Tournament (7777).


16/63

IPv4

IP (Internet Protocol) is used to handle datagramservices between hosts.

IP handles the addressing, routing, and reassembly

IP addresses are 32 bits long, are organized into 4octets (8 bits) separated by periods

IPv4 address examples: 192.168.10.20.

IPv6 is a next generation form of addressing.


17/63

IPv6

IP (Internet Protocol) is used to handle datagramservices between hosts.

IP handles the addressing, routing, and reassembly

IP addresses are 32 bits long, are organized into 4octets (8 bits) separated by periods

IPv4 address examples: 192.168.10.20.

IPv6 is a next generation form of addressing.


18/63

What will IPv6 look like?IPv6 Addresses:

CDFE:910A:2356:5709:8475:1024:3911:2021

2080:0000:0000:0000:0090:7AEB:1000:123A

Combo IPv4 and IPv61800:0000:0000:7AEF:0000:0000:16.114.67.16

Compacted IPv6 Address:

2080:0:0:0:90:7AEB:1000:123A Legal compaction2080::90:7AEB:1000:123A Legal compaction

1800::7AEF:0:0:1072:4310 Legal compaction


19/63

IPv4 vs. IPv6

IPv4 RFC came out in 1981.

IPv6 RFC came out in 1998.

0

200

400

600

800

1000

1200

1400

1600

1995 1996 1997 1998 1999 2000 2001 2002 2003 2004

M

illions

Mobile

Subscribers

PCs Connected

to Web

Mobile

Internet

Users

Sources: ABN AMRO/IDC/Ovum


20/63

Recap

TCP vs. IP

Headers

TCP UDP

IP

IPv4 vs. IPv6


21/63

Ethereal Overview


22/63

View of Ethereal

Packet List

Packet Details

Packet Bytes


23/63

Packet List

Packet Order

Time Order

Source IP

Destination IP

Protocol

Information


24/63

Packet Details

Breakdown of the Frame, the Packet, the TCP portion

Source and Destination IP

Source and Destination TCP Ports


25/63

Packet Bytes

View of the data Hexidecimal and Raw Data


26/63

Ethereal Capture


27/63

Running Ethereal


28/63

Ethereal Analysis


29/63

Logging on to FTP Server


30/63

What Ethereal saw


31/63

What Ethereal saw


32/63

What Ethereal saw


33/63

What Ethereal saw


34/63

What Ethereal saw


35/63


36/63

Filtering!!!!


37/63

Saving Captures

Captured Views

Range of Packets

All Packets

Naming is critical: Was it the client?

Was it the Server?


38/63

After Filter/Save/Open


39/63

Time Column & Delta


40/63

FTP Only Filter


41/63

Ethereal Packet Analysis


42/63

What Username?


43/63

Is Password Required?


44/63

What Password?


45/63

Why cant I log in?


46/63

Follow the Stream


47/63

Advanced Filtering

Filter for just that stream

(ip.addr eq 207.46.133.140 and ip.addr eq 172.17.22.56) and

(tcp.port eq 21 and tcp.port eq 3511)

Filter for traffic between two hosts

ip.addr == 207.46.133.140 and ip.addr == 172.17.22.56

Filter for IP Traffic and removal of other trafficip and !(nbns) and !(msnms) and !(browser) and !(rip)


48/63

Summary Info


49/63

Ethereal: Encryption


50/63

HTTP


51/63

HTTPS


52/63

HTTP vs. HTTPS


53/63

HTTP vs. HTTPS


54/63

HTTP vs. HTTPS


55/63

TCP Stream vs. HTML Source


56/63

Ethereal: Miscellaneous


57/63

Protocol Hierarchy


58/63

I/O Graphing


59/63

HTTP Breakdown


60/63

Coloring Packets


61/63

Commercial Sniffers

Sniffer Pro

OmniPeek

Observer

IT Guru and ACE


62/63


63/63

Final Words

If you cant measure it, you cant manage it

- Peter Drucker

Date post:	08-Apr-2018
Category:	Documents
Upload:	sumit-soni
View:	240 times
Download:	0 times

Introduction to Packet Sniffing

Documents