Packet Analysis Using Wireshark for Beginners 22AF


1 Packet Analysis Using Wireshark for Beginners 22AF
Lisa Bock Pennsylvania College of Technology Monday October 5, :30am - 10:45am Track AF | Level 1 | Atlantic VI

2 Learning Objectives
Understand traffic capture and analysis
Layers and encapsulation
Explore the Wireshark interface
Examine common protocols: TCP, HTTP, DNS, and FTP

3 Understand Traffic Capture and Analysis

4 Overview of Packet Analysis
Packet analysis uses a packet sniffer to monitor and troubleshoot network traffic
As data flows across the network, the sniffer captures each packet and decodes the packet's raw bits
It shows the field values in the packet according to the appropriate RFC or other specification

5 Uses for Packet Analysis
Analyze network problems
Detect intrusion attempts
Identify network misuse
Content monitoring
Assess bandwidth utilization
Verify endpoint security status
Gather network statistics

6 Common Packet Analyzers
Cain and Abel
Carnivore (now NarusInsight)
dSniff
ettercap
Ngrep
OmniPeek
Snoop
Tcpdump

7 Carnivore

8 Packet Capture
What you capture depends on where you capture
On a switch, the packet sniffer will see only the data the switch forwards to and from the capture device's own port

9 Packet Capture
Traffic on a wired switch may be unicast, broadcast, or multicast
To see all traffic:
Use port monitoring (SPAN)
Use a full-duplex tap in line with the traffic

10 Layers and encapsulation

11 The OSI Model
To understand packet analysis you must understand the encapsulation process

12 The OSI Model
A seven-layer representation of how data changes as each layer provides services to the next layer
On the way down the stack, data is encapsulated; on the way up, it is de-encapsulated

13 The OSI Model
PDU names and addressing at each layer:
Application/Presentation/Session: Data
Transport: Segment (addressed by Port)
Network: Packet (addressed by IP Address)
Data Link: Frame (addressed by MAC)
Physical: Bits

14 Explore the Wireshark interface

15 Wireshark
The tool for this lab is Wireshark
Download and install Wireshark
Install WinPcap if you are using Windows

16 Wireshark
For a live capture:
Launch Wireshark
Go to Capture -> Interfaces
Click the name of an interface
Start capturing packets on that interface

17 Wireshark
Checkmark the interface you want to capture
Select the interface with active packet exchange
Configure advanced features by clicking Options

18 The OSI Model
In Wireshark, select any HTTP frame and you will see layers 2-7: Frame, Packet, Segment, Data
For a review go to

19 Help in Wireshark
Easily find help in Wireshark, including Sample Captures

20 Capture Packets
We will use pre-captured packets
Review normal traffic

21 Capture Packets
Once you open a capture you will see three panes:
Top: packet list of all of the packets received during the capture session
Middle: details of a single frame
Bottom: the bytes of a single frame

22 Examine common protocols - TCP

23 A TCP Example
Normal traffic: the three-way handshake is packets 1, 2, 3
Review: port numbers, flags, SEQ and ACK numbers, stream index
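As an added example (not part of the original slides), the following Python decoder walks the encapsulation from slides 12-13 and 18 (Ethernet frame -> IP packet -> TCP segment -> data) and then checks the SEQ/ACK and flag relationships of the three-way handshake from this slide. The frames, MAC addresses and IP addresses are constructed test data; checksums are left at zero because the decoder does not verify them.

```python
import socket
import struct

TCP_FLAG_NAMES = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                  ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport,
                    seq, ack, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    return eth + ip + tcp


def decode_frame(frame):
    """Peel the layers: frame (MAC) -> packet (IP address) -> segment (port) -> data."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"frame": {"dst_mac": mac_str(frame[0:6]),
                        "src_mac": mac_str(frame[6:12]),
                        "ethertype": ethertype}}
    if ethertype != 0x0800:           # only IPv4 is decoded here
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes (options included)
    total_len = struct.unpack("!H", ip[2:4])[0]
    layers["packet"] = {"src_ip": socket.inet_ntoa(ip[12:16]),
                        "dst_ip": socket.inet_ntoa(ip[16:20]),
                        "protocol": ip[9]}
    if ip[9] != 6:                    # 6 = TCP
        return layers
    tcp = ip[ihl:total_len]           # trim any Ethernet padding
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    layers["segment"] = {"src_port": sport, "dst_port": dport,
                         "seq": seq, "ack": ack,
                         "flags": [n for n, bit in TCP_FLAG_NAMES if flags & bit]}
    layers["data"] = tcp[(off >> 4) * 4:]
    return layers


def is_three_way_handshake(frames):
    """True if the first three frames are SYN, SYN/ACK, ACK with matching numbers."""
    syn, synack, ack = (decode_frame(f)["segment"] for f in frames[:3])
    return (syn["flags"] == ["SYN"]
            and sorted(synack["flags"]) == ["ACK", "SYN"]
            and ack["flags"] == ["ACK"]
            and synack["ack"] == syn["seq"] + 1        # server acks client ISN
            and ack["seq"] == syn["seq"] + 1
            and ack["ack"] == synack["seq"] + 1)       # client acks server ISN


# Constructed handshake: client 10.0.0.5:49152 -> server 10.0.0.9:80
CLIENT_MAC, SERVER_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
HANDSHAKE = [
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.9", 49152, 80, 1000, 0, 0x02),
    build_tcp_frame(SERVER_MAC, CLIENT_MAC, "10.0.0.9", "10.0.0.5", 80, 49152, 5000, 1001, 0x12),
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.9", 49152, 80, 1001, 5001, 0x10),
]
REQUEST_FRAME = build_tcp_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.9",
                                49152, 80, 1001, 5001, 0x18, b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    for i, f in enumerate(HANDSHAKE + [REQUEST_FRAME], 1):
        print(i, decode_frame(f))
    print("handshake ok:", is_three_way_handshake(HANDSHAKE))
```

Each decoded frame prints as a dictionary with a key per layer, mirroring the tree Wireshark shows in the details pane; the flags list is what you compare against the Flags field on packets 1, 2 and 3.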

24 Examine common protocols - UDP

25 UDP Example
Connectionless Transport Layer service
No handshake, sequencing or acknowledgement
Few problems occur with UDP

26 UDP Applications
Commonly used in video streaming and time-sensitive applications:
Domain Name System (DNS)
Routing Information Protocol (RIP)
Voice over IP (VoIP)
Trivial File Transfer Protocol (TFTP)
Dynamic Host Configuration Protocol (DHCP)

27 Examine common protocols - DNS

28 DNS
DNS is essential to any network
Converts host names (google.com) to an IP address
The client sends a query to the DNS server for an IP address
The server responds with the information, or asks other DNS servers for it

29 DNS
Transfers name information between DNS servers
DNS uses TCP in a zone transfer
Looks up other host names, such as mail exchange (MX) records

30 DNS
All DNS packets have four (4) sections:
Questions
Answer Resource Records
Authority Resource Records
Additional Resource Records

31 DNS Packet Structure - Flags
If RD is set, it directs the name server to pursue the query recursively.
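As an added example that is not part of the original slides, this Python parser decodes the DNS header flags (QR, Opcode, AA, TC, RD, RA, RCODE), the four section counts from slide 30, and the Question and Answer sections, following RFC 1035 name compression pointers. The query and response messages are constructed sample data (the answer address 192.0.2.10 is a documentation address, not a real resolution); the pointer hop limit is a defensive choice of this example.

```python
import struct


def encode_name(name):
    """Encode a host name as DNS labels (length-prefixed, zero-terminated)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def parse_dns_name(msg, offset, max_hops=16):
    """Read a name at offset; returns (name, offset just past the name in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > max_hops:
                raise ValueError("too many compression pointers (possible loop)")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                        # a pointer always ends the name
            offset = pointer
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_dns(msg):
    """Decode header, Question section and Answer section of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    header = {
        "id": ident,
        "qr": "response" if flags & 0x8000 else "query",
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),        # authoritative answer
        "tc": bool(flags & 0x0200),        # truncated
        "rd": bool(flags & 0x0100),        # recursion desired (slide 31)
        "ra": bool(flags & 0x0080),        # recursion available
        "rcode": flags & 0x000F,
        "counts": {"questions": qd, "answers": an, "authority": ns, "additional": ar},
    }
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = parse_dns_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    for _ in range(an):
        name, offset = parse_dns_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                   # A record: render dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return header, questions, answers


# Constructed sample: recursive A query for google.com and the matching response.
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0)
                + encode_name("google.com") + struct.pack("!HH", 1, 1))
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)
                   + encode_name("google.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c"                         # pointer back to the question name
                   + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    for m in (SAMPLE_QUERY, SAMPLE_RESPONSE):
        print(parse_dns(m))
```

Comparing the two decoded headers shows the same transaction ID, RD set in both, and QR and RA set only in the response, which is exactly what the Flags subtree in Wireshark's details pane displays for a query/response pair.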

32 Examine common protocols FTP

33 FTP – Grab a Pic
The purpose of FTP is to transfer files over TCP
It uses both ports 20 and 21
The command channel is designated on port 21 for the FTP server
To transfer data such as directory contents or files, a secondary channel, port 20, is used

34 Reassemble the Streams
Content can be reassembled and obtained if the data is not encrypted
Filter ftp-data traffic
Right-click, Follow TCP Stream 74, and save the file as raw data; click Save As and name it mystery.jpg
Go to where you saved the file and open it!
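As an added example (not from the original slides or from Wireshark's own code), the following Python reassembles one direction of an ftp-data stream the way Follow TCP Stream does: it places each segment's payload by sequence number, ignores retransmitted bytes, stops at a gap, and checks whether the result begins with the JPEG signature before it is saved as raw data. The segments are constructed test data and the file body is a placeholder, not a real image.

```python
JPEG_MAGIC = b"\xff\xd8\xff"


def reassemble_stream(segments, first_seq):
    """Reassemble (seq, payload) segments of one TCP direction.

    first_seq is the sequence number of the first data byte (ISN + 1).
    Returns (data, gap) where gap is None or the missing range (start, end)
    at which reassembly had to stop.
    """
    buf = bytearray()
    next_seq = first_seq
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        seg_end = seq + len(payload)
        if seg_end <= next_seq:
            continue                              # pure retransmission, already have it
        if seq > next_seq:
            return bytes(buf), (next_seq, seq)    # lost segment: bytes [next_seq, seq) missing
        buf += payload[next_seq - seq:]           # drop the overlapping prefix, keep new bytes
        next_seq = seg_end
    return bytes(buf), None


def looks_like_jpeg(data):
    """A file carved from ftp-data should start with the JPEG SOI marker."""
    return data.startswith(JPEG_MAGIC)


def save_raw(data, path):
    """Equivalent of Wireshark's Save As with the raw data option."""
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


# Constructed ftp-data stream: three segments delivered out of order,
# plus one retransmission of the first segment.
SAMPLE_FILE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
               b"<constructed image body>" b"\xff\xd9")
FIRST_SEQ = 3000
SAMPLE_SEGMENTS = [
    (FIRST_SEQ + 12, SAMPLE_FILE[12:]),
    (FIRST_SEQ, SAMPLE_FILE[:4]),
    (FIRST_SEQ + 4, SAMPLE_FILE[4:12]),
    (FIRST_SEQ, SAMPLE_FILE[:4]),                 # retransmission
]

if __name__ == "__main__":
    data, gap = reassemble_stream(SAMPLE_SEGMENTS, FIRST_SEQ)
    if gap:
        print("stream incomplete, missing bytes", gap)
    else:
        print("jpeg signature present:", looks_like_jpeg(data))
        print("wrote", save_raw(data, "mystery.jpg"), "bytes")
```

The gap return value is the practical check that the slide's procedure relies on: if the capture dropped a segment, Wireshark's reassembled stream has a hole and the saved image will not open, so report the missing byte range instead of writing a corrupt file.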

35 Examine common protocols HTTP

36 HTTP 1.1

37 Hypertext Transfer Protocol
Actors in Web interaction: HTML, HTTP, the browser and the Web server
HTTP is a stateless protocol: the server maintains no information about past client requests
Two types of HTTP messages: request and response
The client initiates a TCP connection, creating a socket that connects to a Web server on server port 80
The server accepts the TCP connection from the client
HTTP messages are exchanged between the browser (HTTP client) and the Web server (HTTP server)
The TCP connection is closed
A Web page consists of objects; an object can be a base HTML file, JPEG image, JavaScript, etc.
The base HTML file includes several referenced objects, such as images
Each object is addressable by a URL

38 Hypertext Transfer Protocol
A Web page consists of objects, identified by a URL or URI
Request: request line (GET or POST methods), then additional information about the request
Response: status code line
Header fields
Data

39 HTTP Response Status Codes
The first digit of the Status-Code defines the class of response. The last two digits do not have any categorization role. There are 5 values for the first digit:
1xx: Informational - Not used, but reserved for future use
2xx: Success - The action was successfully received, understood, and accepted
3xx: Redirection - Further action must be taken in order to complete the request
4xx: Client Error - The request contains bad syntax or cannot be fulfilled
5xx: Server Error - The server failed to fulfill an apparently valid request
Examples:
200 OK - The request has succeeded and the requested object appears later in this message
301 Moved Permanently - The requested object has moved and its new location is specified later in this message
400 Bad Request - The request message was not understood by the server
404 Not Found - The requested document was not found on this server
505 HTTP Version Not Supported - The web server does not support the version of the request
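As an added example not taken from the original slides, this Python function splits a raw HTTP/1.1 message, as it appears in Wireshark's bytes pane, into the parts named on slides 38 and 39: the request line or status line, the header fields and the data, and it classifies a response by the first digit of its status code. It also compares the body against Content-Length, which is how you notice that the capture only holds part of a response. The request and response bytes are constructed sample data.

```python
STATUS_CLASSES = {"1": "Informational", "2": "Success", "3": "Redirection",
                  "4": "Client Error", "5": "Server Error"}


def parse_http_message(raw):
    """Parse one HTTP/1.1 message (request or response) from raw bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")        # blank line separates headers from data
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers, "body": body}
    if start[0].startswith("HTTP/"):                  # status line: version SP code SP reason
        msg["kind"] = "response"
        msg["version"], msg["status"] = start[0], int(start[1])
        msg["reason"] = start[2] if len(start) > 2 else ""
        msg["status_class"] = STATUS_CLASSES.get(str(msg["status"])[0], "Unknown")
    else:                                             # request line: method SP target SP version
        msg["kind"] = "request"
        msg["method"], msg["target"], msg["version"] = start
    if "content-length" in headers:
        declared = int(headers["content-length"])
        msg["body_complete"] = len(body) >= declared  # False means the capture is truncated
        msg["body"] = body[:declared]
    return msg


# Constructed sample exchange, as captured on port 80.
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"User-Agent: constructed-client/1.0\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 404 Not Found\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Content-Length: 12\r\n\r\n"
                   b"<h1>404</h1>")

if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, SAMPLE_RESPONSE):
        m = parse_http_message(raw)
        print(m["kind"], m.get("method") or m.get("status"), m.get("status_class", ""))
```

Because HTTP is stateless, each message can be parsed on its own like this; the only link between the request and its response is the TCP stream they travel in, which is why Wireshark's stream index is the field to pivot on.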

40 Kobe Questions? Lisa Bock

41 More Resources
For more packet captures go to
Wireshark Network Analysis, by Laura Chappell, Chappell Binding
Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders, No Starch Press, Incorporated
Article on using Wireshark to troubleshoot Rational problems

42 On IBMi
Install the QSPTLIB library, which is available as a save file PTF:
V5R2M0 - SE06946
V5R3M0 - SE16633
V5R4M0 - SE24152
V6R1M0 - SE32507
V7R1M0 - SE45610
Use a binary FTP transfer to load the save file onto the IBMi system.

43 On IBMi
Restore the library:
RSTLIB SAVLIB(QSPTLIB) DEV(*SAVF) SAVF(QGPL/QSE45610)
Run the Trace Connection command (the x's are the IP address of the remote system):
TRCCNN SET(*ON) TRCTYPE(*IP) TRCTBL(TRCCNNIP) SIZE(998000) TCPDTA(*N () () *N 'xxx.xxx.xxx.xxx')

44 On IBMi
Turn off tracing; the output is a spooled file called QSYSPRT:
TRCCNN SET(*OFF) TRCTBL(TRCCNNIP) CCSID(*ASCII)
Run the following to access the support tools menu:
ADDLIBLE SPTLIB
SPT

45 On IBMi
Option 12 displays the Communications Trace menu.
Option 15 converts the spooled trace to a CAP file:
CVTTRCCNN SPLF(QSYSPRT * *LAST) OUTF('/lisa_traces/mystery-trace.cap')
Copy the file out to a machine running Wireshark.

46 Lynda.com See my course on Lynda.com!
Troubleshooting your Network with Wireshark
