Skillsoft Topic Transcript
Protocol Analyzers
Learning Objective
After completing this topic, you should be able to
work with protocol analyzers
[Topic title: Protocol Analyzers. The presenter is Michael Shannon.] Let's explore the concept of protocol analyzers. And obviously, when we talk about protocols, we're really talking about the IP family – the IP version 4 and IP version 6 family of protocols, the ones that are used on the Internet, and that includes wired networks and wireless networks as well. These are devices that capture network traffic and give the participant the ability to analyze traffic moving between two or more systems. Traffic can then be filtered and decoded to visualize what processes are occurring. And this could be done for optimization of your network, for troubleshooting, for planning, for scaling up or scaling out, and of course for security purposes. Protocol analyzers can be used to find network bottlenecks. They can be used for troubleshooting processes and analyzing malicious malware behavior. Advanced analyzers can also generate statistics and do trend analysis and network optimization. All of these tools can be used for good purposes or bad purposes.
Crackers can use them to gather information and either extract or exfiltrate clear-text usernames and passwords and other PII as part of their reconnaissance attack or the early phase of an advanced persistent threat. [The Wireshark – Capture Interfaces dialog box appears. It includes the Input, Output, and Options tabs. The Output tabbed page is open. It includes a File text box; adjacent to it there is a Browse button. It also includes the pcap-ng and pcap radio buttons, and a Create a new file automatically after... check box. At the bottom, there are three buttons: Help, Close, and Start.] Here we see Wireshark, for example, where you're beginning to set it up. How are you going to capture your file, where are you going to place it? Where do you want the output to be? A pcap-ng, which is a newer format, or the traditional pcap format. You can also decide to create a new file after a certain size. And, when you're done, click on Start. [Another screenshot appears.] Here we can see Wireshark [window] is creating a pcap file called test. [It includes the menu bar, toolbar, and three sections.] I want to highly recommend that you go and download the free Wireshark that's available to you. You have a wide variety of action buttons across the top. Here [in the first section] we can see our main window where we have the actual unique identifier that's assigned to these entries. You also have a date and time stamp or a time stamp. You can see the source IP address, destination IP address. Here we're looking primarily at the TCP protocol and you can see information.
You have a wide variety of ways to express this and filter out this information [using the Expression and Filter action buttons]. Down here, [in the second section] we can see it's kind of broken down in the OSI model, [The complete model is in the transcript for reference at the heading "OSI model".] starting at Layer 2, and then going up to Layer 3 right there, Internet Protocol, and then going up to Layer 4, the Transmission Control Protocol – TCP. So this is going to be TCP traffic, port 80, HTTP; see your port numbers, your sequence numbers, your acknowledgement numbers. And then down here [in the third section] is actually where we see the actual content or the packet dump. And again, crackers can find information here that's in the clear like user names and passwords and other PII. [A screenshot of the Wireshark – Packet 2 – demo window appears. It includes two sections.] Another example of a Wireshark look and feel. Here [in the first section] we can see we're looking at ARP traffic and the contents of the packet that's selected will show up down here in this bottom window [or the second section]. [A screenshot of Protocol Analyzers appears. It includes the Filter drop-down list box, and a table with the Date/Time, Dst, port, Host, and Info columns.] Here we see more HTTP traffic. Okay, this is an http.request filter that's been applied. So we're filtering out just this particular type of traffic. And you can see that since we're doing the filtering of just the request, you can see that we're getting GET and POST information.
Your date and time stamp, your destination IP address and port, and of course also host information as well. This is a great tool to use to actually examine different types of malware. And you can go up to Wireshark's website at wireshark.org or other sites and you can get pcap and pcap-ng files to see all different types of existing malware so you can kind of learn the behavior. Obviously, you want to learn the behavior of how TCP, UDP, IP, and ICMP and other traffic operates normally in a network but you also want to see how malicious traffic can affect your network as well. And Wireshark is a great protocol analyzer. It isn't the only one. There are quite a few others out there, but it's a great one to use and it's used in a ubiquitous fashion throughout the industry.
In this video, we talked about protocol analyzers. Specifically, we looked at the Wireshark protocol analyzer.
OSI model:
Frame 36 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Netgear_2d:75:9a (00:09:5b:2d:75:9a), Dst: 192.168.0.2 (00:0b:5d:20:cd:02)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3197 (3197), Seq: 20, Ack: 190, Len: 0
Source port: http (80)
Destination port: 3197 (3197)
Sequence number: 20 (relative sequence number)
Acknowledgement number: 190 (relative ack number)
Header length: 20 bytes
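The decode above and the http.request filter from the talk can be reproduced in a few dozen lines of plain Python. The script below is an added example for this transcript, not Skillsoft's material and not Wireshark's code: it reads a classic pcap file, walks each frame through Ethernet, then IP, then TCP the way Wireshark's packet-details pane does, prints a packet-list style summary, and applies an http.request-equivalent filter that keeps only TCP segments whose payload starts with an HTTP method. Because it has to run offline, the capture is constructed in memory; the two MAC addresses and the 192.168.0.x hosts are taken from the "OSI model" decode in the transcript, while the port 3198 flow, the host name demo.example and the credentials in the POST body are made up. The clear-text POST is there to show, from the defender's side, exactly what a capture of unencrypted HTTP exposes.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample values; the MACs and IPs echo the transcript's "OSI model" decode.
ROUTER_MAC = bytes.fromhex("00095b2d759a")     # Netgear_2d:75:9a, 192.168.0.1
HOST_MAC = bytes.fromhex("000b5d20cd02")       # 192.168.0.2
PCAP_MAGIC = 0xA1B2C3D4                        # classic pcap, microsecond timestamps
ETHERTYPE_IPV4, ETHERTYPE_ARP, IPPROTO_TCP = 0x0800, 0x0806, 6
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

@dataclass
class Frame:                     # the fields Wireshark's packet list and details panes show
    number: int
    ts: float
    eth_src: str
    ethertype: int
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    seq: Optional[int] = None
    ack: Optional[int] = None
    payload: bytes = b""

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))

def decode_frame(number: int, ts: float, data: bytes) -> Frame:
    """Layer 2 -> 3 -> 4 decode, the walk the packet-details pane performs."""
    ethertype = struct.unpack("!H", data[12:14])[0]
    fr = Frame(number, ts, mac(data[6:12]), ethertype)
    if ethertype != ETHERTYPE_IPV4:
        return fr                                 # ARP and others stop at Layer 2
    ip = data[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    fr.ip_src, fr.ip_dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    if ip[9] != IPPROTO_TCP:                      # IP protocol field
        return fr
    tcp = ip[ihl:total_len]                       # honour IP total length, drop Ethernet padding
    fr.sport, fr.dport, fr.seq, fr.ack = struct.unpack("!HHII", tcp[:12])
    fr.payload = tcp[(tcp[12] >> 4) * 4:]         # TCP data offset is in 32-bit words
    return fr

def read_pcap(blob: bytes) -> list:
    """Parse a classic pcap: 24-byte global header, then 16-byte record headers + frames."""
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", blob[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    frames, off = [], 24
    while off + 16 <= len(blob):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        frames.append(decode_frame(len(frames) + 1, sec + usec / 1e6, blob[off:off + incl_len]))
        off += incl_len
    return frames

def is_http_request(fr: Frame) -> bool:
    """The http.request display filter from the talk: TCP payload that starts with a method."""
    return fr.sport is not None and fr.payload.startswith(HTTP_METHODS)

def summarize(fr: Frame) -> str:                  # one packet-list row, like the first pane
    if fr.ethertype == ETHERTYPE_ARP:
        return f"{fr.number} ARP from {fr.eth_src}"
    return (f"{fr.number} {fr.ip_src}:{fr.sport} -> {fr.ip_dst}:{fr.dport} "
            f"Seq={fr.seq} Ack={fr.ack} Len={len(fr.payload)}")

def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, payload: bytes) -> bytes:
    """Build an Ethernet/IPv4/TCP frame (checksums left 0: this is file data, never sent)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp

def build_sample_capture() -> bytes:
    """Constructed four-frame capture: ARP request, HTTP GET, bare ACK (Len: 0), clear-text POST."""
    arp = (b"\xff" * 6 + HOST_MAC + struct.pack("!H", ETHERTYPE_ARP)
           + struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1, HOST_MAC,
                         ip_bytes("192.168.0.2"), b"\x00" * 6, ip_bytes("192.168.0.1")))
    frames = [
        arp,
        tcp_frame(HOST_MAC, ROUTER_MAC, "192.168.0.2", "192.168.0.1", 3197, 80, 1, 1,
                  b"GET /index.html HTTP/1.1\r\nHost: demo.example\r\n\r\n"),
        tcp_frame(ROUTER_MAC, HOST_MAC, "192.168.0.1", "192.168.0.2", 80, 3197, 1, 50, b""),
        tcp_frame(HOST_MAC, ROUTER_MAC, "192.168.0.2", "192.168.0.1", 3198, 80, 1, 1,
                  b"POST /login HTTP/1.1\r\nHost: demo.example\r\n\r\nuser=alice&pass=hunter2"),
    ]
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    records = (struct.pack("<IIII", i + 1, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + b"".join(records)

if __name__ == "__main__":
    caps = read_pcap(build_sample_capture())
    print("\n".join(summarize(f) for f in caps))
    print("http.request:", [f.number for f in caps if is_http_request(f)])
```

Running the script lists all four frames and then reports that only frames 2 and 4 pass the http.request filter, just as the filtered view in the talk showed only GET and POST rows. Pointing `read_pcap` at the bytes of a real `.pcap` file (not pcap-ng, which has a different container format) works the same way, since the parser honours the magic number and byte order in the global header.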