Ethernet Analyzer

An Intro to Network Analyzers

References:
• "Introduction to Wireshark", Dr. Farid Farahmand, Fall 2014
• "Packet analyzer", Wikipedia, March 2013
• "Wireshark User's Guide", for Wireshark 1.99
• "Wireshark Installation & packet" chapter, August 2011
Network Analysis & Sniffing
• The process of capturing, decoding, & analyzing network traffic, to answer questions such as:
 – Why is the network slow?
 – What is the network traffic pattern?
 – How is the traffic being shared between nodes?
• Also known as traffic analysis, protocol analysis, sniffing, packet analysis, eavesdropping*, etc.

*Eavesdropping: listening secretly to what is said in private.


Network Analyzer
• A combination of hardware & software tools that can detect, decode, & manipulate traffic on the network
 – Passive monitoring (detection): difficult to detect
 – Active (attack)
• Available both free & commercially
• Mainly software-based (utilizing the OS & NIC)
 – Also known as a sniffer
 – A program that passively monitors the data traveling through the network
• Common network analyzers
 – Wireshark / Ethereal
 – Windump
 – EtherPeek
 – Dsniff
 – & much more…

Read: "Basic Packet-Sniffer Construction from the Ground Up!" by Chad Renfro; check out his program sniff.c
Network Analyzer - Components
• Hardware
 – NIC card
 – Buffer: memory- or disk-based
 – Special hardware devices, for measuring:
  • CRC & parity errors
  • Voltage fluctuation
  • Jitter (random timing variation)
  • Jabber (a faulty station transmitting continuously / oversized frames)
• Capture driver
 – Captures the data
• Real-time analysis
 – Analyzing the traffic in real time; detecting any intrusions
• Decoder
 – Making the data readable

Capturing the data is easy! The question is what to do with it!
Who Uses Network Analyzers
• System administrators
 – Identify system & network problems
 – Analyze performance
• Malicious individuals (intruders)
 – Capture cleartext data
 – Passively collect data on vulnerable protocols
  • FTP, HTTP, IMAP, POP3, rlogin, SNTP, etc.
 – Capture VoIP data
 – Map the target network
 – Traffic pattern discovery
 – Actively break into the network (backdoor techniques)
• Test engineers
 – Protocol analyzers can also generate traffic & thus act as the reference device
Basic Operation
• On a shared medium (a hub), Ethernet traffic reaches all nodes on the same segment
• A sniffer can capture all the data arriving at the NIC when the NIC is in promiscuous mode (the NIC passes up every frame it receives, not only frames addressed to its own MAC):
 – ifconfig eth0 promisc
 – ifconfig eth0 -promisc
 – Default setup is non-promiscuous
  • Restricted: only receives the data destined for the NIC (plus broadcast & subscribed multicast)
 – Note: a hub port receives all the data!
• If switches are used, promiscuous mode alone is not enough (the switch only delivers frames addressed to that port); the sniffer must rely on port spanning
 – Also known as port mirroring
 – The traffic to/from the monitored port is copied to the sniffer's port
Port Monitoring
• Assume the sniffer (@ port 5) is to monitor the data on computer A (port 1).
• Port 5 first needs to be spanned to port 1 (port spanning).
• The sniffer can now monitor the data destined to Computer A.
Review: Hub, Switch, & Span Port
• If you want to capture Ethernet traffic that is sent by host A to host B, & both are connected to a HUB:
 – Just attach a sniffer to this hub.
 – All other ports see the traffic between hosts A & B.
• On a SWITCH, after the host B MAC address is learned, unicast traffic from A to B is only forwarded to the B port.
 – Therefore, the sniffer DOES NOT see this traffic.
• An extra feature is necessary that artificially copies the unicast packets that host A sends to the sniffer port.
 – Here, the sniffer is attached to a port that is CONFIGURED to receive a copy of every packet that host A sends. This port is called a SPAN port.
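The hub/switch/SPAN reasoning above, modelled as code. This is an added example, not part of the original slides: a toy learning switch with ports numbered as in the slides (A on port 1, B on port 2, sniffer on port 5) and made-up MAC addresses. It shows why the sniffer sees only the first, unknown-destination frame on a plain switch, and everything to and from port 1 once port 1 is spanned to port 5.

```python
"""Model of a learning switch with an optional SPAN (mirror) port.

Added example, not from the original slides. Ports are numbered 1..5 as in
the slides (A on port 1, B on port 2, sniffer on port 5); the MAC addresses
are made up for the demonstration.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Forwards frames by destination MAC, learning source MACs as it goes."""

    def __init__(self, ports, span=None):
        self.ports = set(ports)
        self.table = {}          # MAC -> port it was last seen on
        self.span = span         # (monitored_port, mirror_port) or None

    def forward(self, in_port, src, dst):
        """Return the set of ports that receive a copy of this frame."""
        self.table[src] = in_port                     # learn where src lives
        if dst != BROADCAST and dst in self.table:
            out = {self.table[dst]} - {in_port}       # known unicast: one port
        else:
            out = self.ports - {in_port}              # unknown/broadcast: flood
        if self.span:
            monitored, mirror = self.span
            # mirror both directions of the monitored port's traffic
            if in_port == monitored or monitored in out:
                out = out | {mirror}
        return out


def scenario(span=None):
    """Replay A->B, B->A, A->B and report which ports receive each frame."""
    sw = LearningSwitch(ports=range(1, 6), span=span)
    a, b = "00:01:02:03:04:05", "00:01:02:03:04:06"   # made-up MACs
    steps = [(1, a, b), (2, b, a), (1, a, b)]
    return [sorted(sw.forward(port, src, dst)) for port, src, dst in steps]


if __name__ == "__main__":
    print("no SPAN:   ", scenario())            # sniffer (5) sees only the flooded frame
    print("SPAN 1->5: ", scenario(span=(1, 5)))  # sniffer sees every frame to/from port 1
```

The first A-to-B frame is flooded because B's MAC is still unknown, which is the one moment a sniffer on a plain switch sees unicast traffic; after that the table is populated and only the SPAN configuration gets copies to port 5.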
Protecting Against Sniffers
• MAC spoofing is the usual term for changing the MAC address (in Linux):
 – ifconfig eth0 down
 – ifconfig eth0 hw ether 00:01:02:03:04:05
 – ifconfig eth0 up
 – Announce the new MAC address by broadcasting to the subnet's broadcast address:
  • ping -c 1 -b 192.168.1.255
 – Note: this changes what a sniffer records about your host; it does not stop the sniffing itself
• To detect a sniffer (Linux)
 – Download Promisc.c
 – ifconfig -a (search for PROMISC)
 – ip link (search for PROMISC)
 – Note: these only show the flag on the host you run them on; a sniffer on a SPAN port or on another host is not visible this way
• To detect a sniffer (Windows)
 – Download PromiscDetect

Remember: a MAC address (HWaddr) such as 00:01:02:03:04:05 = vendor address (OUI, first 3 bytes) + unique NIC number (last 3 bytes)
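The Linux check above ("ifconfig -a" / "ip link", search for PROMISC) reads the interface flag word; this added example, not part of the original slides, does the same thing programmatically by reading /sys/class/net/<iface>/flags and testing the IFF_PROMISC bit (0x100 in <linux/if.h>). Because a real promiscuous interface needs root and a running sniffer, build_demo_sysfs() fabricates a sysfs-like directory tree with constructed flag values so the detector can be exercised anywhere.

```python
"""Detect interfaces in promiscuous mode on Linux by reading sysfs flags.

Added example, not from the original slides. It reads /sys/class/net/<iface>/flags
(the same IFF_* bits that `ip link` renders as PROMISC) instead of scraping
ifconfig output. build_demo_sysfs() fabricates a sysfs-like tree so the
function can be exercised without root or a real sniffer.
"""
import tempfile
from pathlib import Path

# Flag bits from <linux/if.h>
IFF_UP = 0x1
IFF_PROMISC = 0x100


def parse_flags(flags_text):
    """Parse the hex flag word from a sysfs 'flags' file, e.g. '0x1103\\n'."""
    value = int(flags_text.strip(), 16)
    return {"raw": value,
            "up": bool(value & IFF_UP),
            "promisc": bool(value & IFF_PROMISC)}


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Return the names of interfaces whose PROMISC flag is set."""
    root = Path(sysfs_root)
    if not root.is_dir():
        return []
    found = []
    for iface in sorted(root.iterdir()):
        try:
            text = (iface / "flags").read_text()
        except OSError:          # entries without a readable flags file
            continue
        if parse_flags(text)["promisc"]:
            found.append(iface.name)
    return found


def build_demo_sysfs():
    """Constructed stand-in for /sys/class/net: eth0 sniffing, eth1 and lo not."""
    root = Path(tempfile.mkdtemp(prefix="demo_sysfs_"))
    # 0x1103 = MULTICAST|PROMISC|BROADCAST|UP, 0x1003 = same without PROMISC,
    # 0x9 = LOOPBACK|UP (constructed values, not read from a real host)
    for name, flags in {"eth0": 0x1103, "eth1": 0x1003, "lo": 0x9}.items():
        (root / name).mkdir()
        (root / name / "flags").write_text(f"0x{flags:x}\n")
    return str(root)


if __name__ == "__main__":
    print("demo tree:", promiscuous_interfaces(build_demo_sysfs()))   # ['eth0']
    print("this host:", promiscuous_interfaces())                     # real sysfs, if present
```

The same caveat as for "ip link" applies: the flag is only visible on the host where the capture runs, and a capture started with promiscuous mode disabled (tcpdump -p) still records everything addressed to that host without ever setting it.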
Protecting Against Sniffers
• Using switches can help (but see port spanning above; a switch is a traffic-isolation feature, not a security control)
• Use encryption
 – Making the intercepted data unreadable
 – Note: in many protocols the packet headers are clear text!
• VPNs use encryption & authentication for secure communications
 – VPN methods
  • Secure Shell (SSH): the payload is encrypted; the TCP/IP headers are not
  • Secure Sockets Layer (SSL/TLS): application-level packet security; the TCP/IP headers are not encrypted
  • IPsec (ESP): encrypts the transport header & payload (in tunnel mode the inner IP header too); ESP & AH are IP protocols of their own (50 & 51), not TCP or UDP

Remember: Never use unauthorized sniffers at work!
What is Wireshark?
• Formerly called Ethereal
• An open source program, free, with many features
• Decodes over 750 protocols (current releases dissect thousands)
• Compatible with many other sniffers (reads & writes the common capture file formats)
• Plenty of online resources are available
• Supports command-line & graphical user interfaces (CLI, GUI)
 – TShark is the CLI; the Wireshark suite also ships these command-line tools (separate programs, not parts of tshark):
  • Editcap: similar to "Save As", translates the format of captured packets
  • Mergecap: combines multiple saved capture files
  • Text2pcap: reads an ASCII hexdump & writes the data into a libpcap output file

Remember: You must have a good understanding of the network before you can use sniffers effectively!
Installing Wireshark
• Download the Wireshark program from
 – www.wireshark.org/download.html, OR
 – the Ubuntu 14.04 package repository
• Requires capture drivers to be installed
 – They monitor ports & capture all traveling packets
Installing Wireshark
• If you did not succeed, do the following.
• On the Ubuntu screen go to the "Dash board"
 – Search for "Wireshark" & install, OR
 – Go to Firefox in Ubuntu & Google "Wireshark for Ubuntu 14.04" & follow the instructions.
• You can also install it from a "Terminal" with the command:
 sudo apt-get install wireshark
• If you could not see any interface for capturing, then with the current configuration you need "root" privileges to capture traffic with Wireshark (or dumpcap, for that matter). Here are the commands:
 sudo -s
 usermod -a -G wireshark your-user-name
 chgrp wireshark /usr/bin/dumpcap
 chmod 4750 /usr/bin/dumpcap
 – Log out & back in for the new group membership to take effect.
 – Giving dumpcap only the CAP_NET_RAW & CAP_NET_ADMIN capabilities, as the Debian/Ubuntu wireshark-common package offers to do, is preferable to a setuid-root dumpcap: only the small capture helper, never the Wireshark GUI itself, should hold extra privileges.
• Inspecting, editing or filtering saved packet dumps needs no root privileges; live capture does, e.g. "wireshark -i eth0 -c 5" (capture 5 packets on eth0) only works once the user may access the interface as configured above.
Wireshark Window
[Figure: annotated screenshot of the Wireshark main window showing, top to bottom, the Menu Bar, Tool Bar, Filter Bar, Packet List, Frame view (protocol tree), & Frame bytes (content).]

[Figure: packet number 8, BGP (Border Gateway Protocol), selected in the Packet List. The Protocol Tree window shows the details of the selected packet (#8); the bottom pane shows the raw data (content of packet #8).]

[Figure: filtering BGP packets only (display filter: bgp).]
Ethernet & IEEE 802.3
• Ethernet - the most popular protocol standard to enable computer communication
 – Layer 2 protocol
 – Based on a shared medium & broadcasting
 – Close to IEEE 802.3
• The Ethernet address is called the MAC address
 – 48-bit HW address coded in the ROM of the NIC card
 – 1st 24 bits represent the vendor (OUI)
 – 2nd 24 bits represent the NIC
• Use "arp -a"
 – To get the hardware address from the IP address (for hosts in the local ARP cache)

Frame field abbreviations:
FCS = Frame Check Sequence
SOF = Start of Frame Delimiter
MAC = Medium Access Control, 6-byte hardware address
TCP/IP Stack
• Application
• Transport
 – Provides end-to-end transport between processes
 – Can be connectionless (UDP, best-effort) or connection-oriented (TCP, reliable)
 – Connection-oriented transport requires ACKs
• Network
 – Logical addressing (IP, Internet Protocol)
• Link *
 – Frames & carries IP packets between adjacent network devices
• Physical

* The Data Link Layer (IEEE) has 2 sublayers:
 • MAC (Medium Access Control): physical addressing, moves frames from one NIC card to another
 • LLC (Logical Link Control): flow control, error control
Internet Packet (IP) Format

[Figure: packet layout, left to right]
| Physical & Link header | L3 (Internet) header | L4 (Transport) header | L5 (Application) header | Data (digitized data, voice, video) |

The first four fields are the headers; the data is the payload.
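The header chain in the figure (link header, L3 header, L4 header, application data), the MAC vendor/NIC split from the Ethernet slide, and the "decoder" component from the components slide, all in one added example that is not part of the original slides. It decodes an Ethernet II / IPv4 / TCP frame layer by layer and verifies the IPv4 header checksum. SAMPLE_FRAME is constructed by hand: an FTP "USER" command from 192.168.1.10 to 192.168.1.1 with made-up MAC addresses (the source MAC is the one used on the MAC-spoofing slide); the TCP checksum is left at zero because this example does not compute it.

```python
"""Decoder for an Ethernet II / IPv4 / TCP frame: the 'decoder' stage of a sniffer.

Added example, not from the original slides. It walks the header chain
(link header -> L3 -> L4 -> application data) and checks the IPv4 header
checksum. SAMPLE_FRAME is constructed by hand (made-up MACs, FTP USER command,
TCP checksum left at zero).
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ethernet(frame):
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"dst": mac_str(dst), "src": mac_str(src),
            "src_oui": mac_str(src[:3]),       # vendor part of the MAC
            "src_nic": mac_str(src[3:]),       # per-NIC part
            "src_locally_administered": bool(src[0] & 0x02),   # set on spoofed/admin MACs
            "ethertype": ethertype, "payload": frame[14:]}


def decode_ipv4(pkt):
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not an IPv4 packet")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "proto": proto, "header_len": ihl,
            "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:total_len]}


def decode_tcp(seg):
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4          # header length incl. options
    flag_bits = off_flags & 0x1FF
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "payload": seg[data_off:]}


def decode_frame(frame):
    """Return the decoded layers; stops at the first layer it does not understand."""
    layers = {"eth": decode_ethernet(frame)}
    if layers["eth"]["ethertype"] == ETHERTYPE_IPV4:
        layers["ip"] = decode_ipv4(layers["eth"]["payload"])
        if layers["ip"]["proto"] == IPPROTO_TCP:
            layers["tcp"] = decode_tcp(layers["ip"]["payload"])
    return layers


def build_sample_frame():
    """Construct the demo frame (hand-made test data, not a real capture)."""
    payload = b"USER alice\r\n"                # cleartext FTP credential
    tcp = struct.pack("!HHIIHHHH", 51234, 21, 1000, 2000, (5 << 12) | 0x018, 64240, 0, 0)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                             0x4000, 64, IPPROTO_TCP, 0,
                             bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    ip = ip_no_csum[:10] + struct.pack("!H", ipv4_checksum(ip_no_csum)) + ip_no_csum[12:]
    eth = bytes.fromhex("000c29aabbcc") + bytes.fromhex("000102030405") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


SAMPLE_FRAME = build_sample_frame()

if __name__ == "__main__":
    d = decode_frame(SAMPLE_FRAME)
    print(f'{d["eth"]["src"]} (OUI {d["eth"]["src_oui"]}) -> {d["eth"]["dst"]}')
    print(f'{d["ip"]["src"]}:{d["tcp"]["sport"]} -> {d["ip"]["dst"]}:{d["tcp"]["dport"]} '
          f'{d["tcp"]["flags"]} ip_checksum_ok={d["ip"]["checksum_ok"]}')
    print("cleartext payload:", d["tcp"]["payload"])
```

Every field a sniffer shows in the protocol tree is simply sliced out of the byte string at a fixed offset, which is also why the slide on encryption notes that headers stay readable: SSH or TLS only changes what ends up in the final payload slice.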
More on Installing Wireshark
• Download the program from
 – www.wireshark.org/download.html
• Requires capture drivers to be installed (monitor ports & capture all traveling packets)
 – Linux: libpcap
 – Windows: WinPcap (www.winpcap.org); WinPcap is no longer maintained & current Wireshark installers bundle Npcap instead
• Typically the file is in TAR format (Linux)
• To install in Linux
 – rpm -ivh libpcap-0.9.4-8.1.i386.rpm (install the libpcap RPM)
 – rpm -q libpcap (query the libpcap RPM)
 – or build from source:
  • tar -zxvf libpcap-0.9.5.tar.gz
  • ./configure
  • make
  • sudo make install
Appendix - Installing Wireshark (Ethereal on Fedora Core 4)
• Log in as the 'root' user
• Insert Fedora Core 4 Disk #4
• Navigate to the following folder on the disk: /Fedora/RPMS
• Locate the packages
 – ethereal-0.10.11-2.i386.rpm
 – ethereal-gnome-0.10.11-2.i386.rpm
• Copy the above packages to your system
• Change directory to the packages' location
 – cd <package_dir>
• Install Ethereal
 – rpm -ivh ethereal-0.10.11-2.i386.rpm
• Install the Ethereal GNOME user interface
 – rpm -ivh ethereal-gnome-0.10.11-2.i386.rpm

Packages needed for the installation (available on Fedora Core 4 disk #4):
• Ethereal: ethereal-0.10.11-2.i386.rpm
• Ethereal GNOME user interface: ethereal-gnome-0.10.11-2.i386.rpm
Appendix: Some Helpful References
• Wireshark capture filters
 – https://wiki.wireshark.org/CaptureFilters
• Wireshark for TCP
 – https://wiki.wireshark.org/Transmission_Control_Protocol
• Wireshark User's Guide: working with captured packets
 – https://www.wireshark.org/docs/wsug_html_chunked/ChapterWork.html
• Wireshark for UDP
 – https://en.wikiversity.org/wiki/Wireshark/UDP
• Wireshark YouTube video on filters
 – https://www.youtube.com/watch?v=__SR6JO6l-A
