Packet Analysis Using Wireshark for Beginners (22AF)
Lisa Bock, Pennsylvania College of Technology
Monday, October 5, 2015, 9:30am - 10:45am
Track AF | Level 1 | Atlantic VI

Learning Objectives
- Understand traffic capture and analysis
- Layers and encapsulation
- Explore the Wireshark interface
- Examine common protocols: TCP, HTTP, DNS, and FTP
Understand Traffic Capture and Analysis
Overview of Packet Analysis
- Packet analysis uses a packet sniffer to monitor and troubleshoot network traffic
- As data flows across the network, the sniffer captures each packet and decodes the packet's raw bits
- It shows the field values in the packet according to the appropriate RFC or other specification

Uses for Packet Analysis
- Analyze network problems
- Detect intrusion attempts
- Identify network misuse
- Content monitoring
- Assess bandwidth utilization
- Verify endpoint security status
- Gather network statistics

Common Packet Analyzers
- Cain and Abel
- Carnivore (now NarusInsight)
- dSniff
- ettercap
- Ngrep
- OmniPeek
- Snoop
- Tcpdump
Carnivore
Packet Capture
- What you see depends on where you capture
- On a switch, the packet sniffer will see only data going to and from the switch to the capture device
- http://wiki.wireshark.org/CaptureSetup/Ethernet

Packet Capture
- Traffic on a wired switch: to see all traffic (unicast, broadcast, or multicast), use port monitoring (SPAN) or a full duplex tap in line with the traffic
- http://wiki.wireshark.org/CaptureSetup/Ethernet
Layers and encapsulation
The OSI Model
- To understand packet analysis you must understand the encapsulation process

The OSI Model
- A seven-layer representation of how data changes as each layer provides services to the next layer
- Data encapsulates (sending) and de-encapsulates (receiving)

The OSI Model (diagram): PDU per layer: Data, Segment, Packet, Frame, Bits; addressing: Port, IP Address, MAC
Explore the Wireshark interface
Wireshark
- The tool for this lab is Wireshark
- Download and install Wireshark from http://www.wireshark.org
- Install WinPcap if you are using Windows

Wireshark
- For a live capture, launch Wireshark
- Go to Capture -> Interfaces
- Click the name of an interface to start capturing packets on that interface

Wireshark
- Checkmark the interface you want to capture; select the interface with active packet exchange
- Configure advanced features by clicking Options

The OSI Model
- In Wireshark, select any HTTP frame and you will see layers 2-7 (Frame, Packet, Segment, Data)
- For a review go to http://wiki.wireshark.org/Ethernet

Help in Wireshark
- Easily find help in Wireshark, including Sample Captures

Capture Packets
- We will use pre-captured packets
- Review normal traffic

Capture Packets
- Once you open a capture you will see three panes:
  Top: packet list of all of the packets received during the capture session
  Middle: details of a single frame
  Bottom: the bytes of a single frame
Examine common protocols - TCP
A TCP Example
- Normal traffic: the three-way handshake is packets 1, 2, 3
- Review: port numbers, flags, SEQ and ACK numbers, stream index
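Added example, not from the original slides: decode the TCP header fields the slide asks you to review (ports, flags, SEQ/ACK) from raw bytes and check that packets 1-3 form a valid three-way handshake. The handshake bytes are constructed here; the port and sequence numbers are made up.

```python
import struct

# TCP flag bits in the low byte of the flags field (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def parse_tcp_header(raw):
    """Decode the fixed 20-byte TCP header fields shown in the packet details pane."""
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": (off_flags >> 12) * 4,  # data offset is in 32-bit words
        "flags": off_flags & 0x01FF,          # 9 flag bits (NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN)
        "window": win,
    }

def flag_names(flags):
    """Render the flag bits the way Wireshark labels them, e.g. 'SYN,ACK'."""
    names = [("SYN", SYN), ("ACK", ACK), ("FIN", FIN), ("RST", RST), ("PSH", PSH)]
    return ",".join(name for name, bit in names if flags & bit)

def check_handshake(pkts):
    """True if the first three packets form SYN, SYN/ACK, ACK with consistent SEQ/ACK numbers.

    The ACK in packets 2 and 3 must equal the peer's initial sequence number + 1;
    Wireshark shows these as relative numbers 0 and 1.
    """
    a, b, c = (parse_tcp_header(p) for p in pkts[:3])
    client_isn, server_isn = a["seq"], b["seq"]
    return (
        a["flags"] == SYN
        and b["flags"] == SYN | ACK
        and (b["sport"], b["dport"]) == (a["dport"], a["sport"])
        and b["ack"] == client_isn + 1
        and c["flags"] == ACK
        and c["seq"] == client_isn + 1 and c["ack"] == server_isn + 1
    )

def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Constructed test data: a 20-byte TCP header with no options (checksum left zero)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)

# Constructed three-way handshake: client port 51234 -> server port 80
HANDSHAKE = [
    build_tcp_header(51234, 80, 1000, 0, SYN),                # packet 1: SYN, seq=1000
    build_tcp_header(80, 51234, 5000, 1001, SYN | ACK),       # packet 2: SYN/ACK, ack=1001
    build_tcp_header(51234, 80, 1001, 5001, ACK),             # packet 3: ACK, seq=1001 ack=5001
]
```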
Examine common protocols - UDP
UDP Example
- Connectionless Transport Layer service
- No handshake, sequencing, or acknowledgement
- Few problems occur with UDP

UDP Applications
- Commonly used in video streaming and time-sensitive applications:
  Domain Name System (DNS)
  Routing Information Protocol (RIP)
  Voice over IP (VoIP)
  Trivial File Transfer Protocol (TFTP)
  Dynamic Host Configuration Protocol (DHCP)
Examine common protocols - DNS
DNS
- DNS is essential to any network
- Converts host names (google.com) to an IP address (72.14.204.103)
- Client sends a query to a DNS server for an IP address
- Server responds with the information, or asks other DNS servers for it

DNS
- Transfers name information between DNS servers
- DNS uses TCP in a zone transfer
- Looks up other host names, such as mail exchange (MX) records

DNS
- All DNS packets have four (4) sections: Questions, Answer Resource Records, Authority Resource Records, Additional Resource Records

DNS Packet Structure - Flags
- If RD (Recursion Desired) is set, it directs the name server to pursue the query recursively
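Added example, not from the original slides: a small DNS message decoder showing the flag bits (QR, TC, RD, RA, RCODE) and the counts of the four sections, then walking the Question section to reach the first A record. The response bytes are constructed, with the google.com / 72.14.204.103 pair from the slide.

```python
import struct

def parse_dns_header(msg):
    """Decode the 12-byte DNS header: ID, flag bits, and the four section counts."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "tc": (flags >> 9) & 1,         # truncated: answer did not fit in UDP, retry over TCP
        "rd": (flags >> 8) & 1,         # recursion desired, set by the client
        "ra": (flags >> 7) & 1,         # recursion available, set by the server
        "rcode": flags & 0xF,           # 0 = no error, 3 = name does not exist
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }

def parse_name(msg, offset):
    """Read a label sequence at offset, following a compression pointer (0xC0xx) if present."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer to a name seen earlier
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(parse_name(msg, pointer)[0])
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:                                 # root label ends the name
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_first_answer(msg):
    """Return (name, address) for the first A record in the Answer section, or None."""
    hdr = parse_dns_header(msg)
    offset = 12
    for _ in range(hdr["questions"]):                   # skip the Question section
        _, offset = parse_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    if hdr["answers"] == 0:
        return None
    name, offset = parse_name(msg, offset)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    rdata = msg[offset + 10:offset + 10 + rdlen]
    if rtype == 1 and rdlen == 4:                       # A record: 4-byte IPv4 address
        return name, ".".join(str(b) for b in rdata)
    return name, rdata

# Constructed response: ID 0x1234, flags QR=1 RD=1 RA=1, one question, one A answer
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
            + b"\x06google\x03com\x00" + struct.pack("!HH", 1, 1)        # question: google.com, type A, class IN
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([72, 14, 204, 103]))
```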
Examine common protocols - FTP

FTP - Grab a Pic
- The purpose of FTP is to transfer files over TCP
- Uses both ports 20 and 21
- The command channel is port 21 on the FTP server
- To transfer data, such as directory contents or files, a secondary channel on port 20 is used

Reassemble the Streams
- Content can be reassembled and recovered if the data is not encrypted
- Filter on ftp-data traffic
- Right-click, Follow TCP Stream (stream 74), choose Raw, and Save As mystery.jpg
- Go to where you saved the file and open it!
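Added example, not from the original slides: what "Follow TCP Stream" does underneath, reassembling the ftp-data segments by sequence number (tolerating out-of-order delivery and a retransmission, refusing a gap) and checking the result carries JPEG start and end markers before it is saved. The segments and ISN are constructed; the bytes are only a JPEG fragment.

```python
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"

def reassemble_stream(isn, segments):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.

    Segments are placed by absolute sequence number, so out-of-order delivery and
    retransmissions are handled; a gap (missing segment) raises ValueError because
    the saved file would be corrupt.
    """
    data = bytearray()
    expected = isn + 1                        # first data byte follows the SYN
    for seq, payload in sorted(segments):
        end = seq + len(payload)
        if end <= expected:
            continue                          # pure retransmission, already copied
        if seq > expected:
            raise ValueError("gap at relative seq %d" % (expected - isn))
        data += payload[expected - seq:]      # drop any overlapping prefix
        expected = end
    return bytes(data)

def looks_like_jpeg(data):
    """Cheap sanity check before saving as mystery.jpg: SOI marker first, EOI marker last."""
    return data.startswith(JPEG_SOI) and data.endswith(JPEG_EOI)

# Constructed ftp-data segments for a tiny JPEG fragment, delivered out of order
# with one retransmission (real files are far larger; only the framing matters here)
ISN = 4000
SEGMENTS = [
    (ISN + 9, JPEG_EOI),                      # last segment arrives first
    (ISN + 1, JPEG_SOI + b"\xe0"),            # SOI followed by APP0 marker
    (ISN + 5, b"\x00\x10JF"),                 # start of the JFIF header
    (ISN + 1, JPEG_SOI + b"\xe0"),            # retransmission of the first segment
]

def recover_file(isn=ISN, segments=SEGMENTS):
    """Reassemble the stream and return the bytes you would write to mystery.jpg."""
    data = reassemble_stream(isn, segments)
    if not looks_like_jpeg(data):
        raise ValueError("stream does not look like a JPEG")
    return data
```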
Examine common protocols - HTTP
HTTP 1.1
Hypertext Transfer Protocol
- Actors in Web interaction: HTML, HTTP, the browser and the Web server
- HTTP is a stateless protocol: the server maintains no information about past client requests
- Two types of HTTP messages: request and response
- Client initiates a TCP connection (creating a socket) to the Web server on server port 80
- Server accepts the TCP connection from the client
- HTTP messages are exchanged between the browser (HTTP client) and the Web server (HTTP server)
- TCP connection is closed
- A Web page consists of objects: a base HTML file, JPEG images, JavaScript, etc.
- The base HTML file includes several referenced objects, such as images; each object is addressable by a URL

Hypertext Transfer Protocol
- A Web page consists of objects, each identified by a URL or URI
- Message structure: request line (GET or POST methods) or status code line, header fields (additional information about the request), data

HTTP Response Status Codes
- The first digit of the Status-Code defines the class of response; the last two digits have no categorization role
- There are 5 values for the first digit:
  1xx Informational: not used, but reserved for future use
  2xx Success: the action was successfully received, understood, and accepted
  3xx Redirection: further action must be taken in order to complete the request
  4xx Client Error: the request contains bad syntax or cannot be fulfilled
  5xx Server Error: the server failed to fulfill an apparently valid request
- Examples:
  200 OK: the request has succeeded and the requested object appears later in this message
  301 Moved Permanently: the requested object has moved and its new location is specified later in this message
  400 Bad Request: the request message was not understood by the server
  404 Not Found: the requested document was not found on this server
  505 HTTP Version Not Supported: the Web server does not support the version of the request
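Added example, not from the original slides: a minimal HTTP/1.1 message parser that splits a request or response into start line, header fields and data, derives the status class from the first digit of the status code, and checks Content-Length against the captured body (a mismatch means the capture or stream is truncated). The request and response bytes are constructed.

```python
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}

def parse_http_message(raw):
    """Split one HTTP/1.1 message into its start line, header fields and body.

    Handles both a request (GET /index.html HTTP/1.1) and a response (HTTP/1.1 200 OK);
    the status class comes from the first digit of the status code only.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers, "body": body}
    if start[0].startswith("HTTP/"):                    # status line: version, code, reason
        code = int(start[1])
        msg.update(type="response", version=start[0], status=code,
                   reason=start[2] if len(start) > 2 else "",
                   status_class=STATUS_CLASSES.get(code // 100, "Unknown"))
    else:                                               # request line: method, target, version
        msg.update(type="request", method=start[0], target=start[1], version=start[2])
    return msg

def body_complete(msg):
    """True when Content-Length matches the bytes actually captured (else the capture is truncated)."""
    length = msg["headers"].get("content-length")
    return length is None or int(length) == len(msg["body"])

# Constructed request/response pair, as seen after Follow TCP Stream on port 80
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n"
RESPONSE = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n"
            b"Content-Length: 9\r\n\r\nnot found")
```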
Questions?

More Resources
- For more packet captures go to http://www.netresec.com/?page=PcapFiles
- Wireshark Network Analysis, by Laura Chappell, Chappell Binding
- Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders, No Starch Press, Incorporated
- Article on using Wireshark to troubleshoot Rational problems
On IBMi
- Install the QSPTLIB library, which is available as a save file PTF:
  V5R2M0 - SE06946
  V5R3M0 - SE16633
  V5R4M0 - SE24152
  V6R1M0 - SE32507
  V7R1M0 - SE45610
- Use a binary FTP transfer to load the save file onto the IBMi system

On IBMi
- Restore the library:
  RSTLIB SAVLIB(QSPTLIB) DEV(*SAVF) SAVF(QGPL/QSE45610)
- Run the Trace Connection command (the x's are the IP address of the remote system):
  TRCCNN SET(*ON) TRCTYPE(*IP) TRCTBL(TRCCNNIP) SIZE(998000) TCPDTA(*N () () *N 'xxx.xxx.xxx.xxx')

On IBMi
- Turn off tracing; the output is a spooled file called QSYSPRT:
  TRCCNN SET(*OFF) TRCTBL(TRCCNNIP) CCSID(*ASCII)
- Run the following to access the support tools menu:
  ADDLIBLE SPTLIB SPT

On IBMi
- Option 12 displays the Communications Trace menu
- Option 15 converts the spooled trace to a CAP file:
  CVTTRCCNN SPLF(QSYSPRT * *LAST) OUTF('/lisa_traces/mystery-trace.cap')
- Copy the file out to a machine running Wireshark

Lynda.com
- See my course on Lynda.com: Troubleshooting your Network with Wireshark