
WIRESHARK Lab#3. Computer Network Monitoring  Port Scanning  Keystroke Monitoring  Packet sniffers  takes advantage of “friendly” nature of net. 



Presentation transcript:

1 WIRESHARK Lab#3

2 Computer Network Monitoring
- Port Scanning
- Keystroke Monitoring
- Packet sniffers
  - take advantage of the “friendly” nature of the net
  - grab packets not destined for the system
  - used by hackers, sysadmins, law enforcement agencies

3 Wireshark
- Wireshark is a powerful protocol analyzer (and sniffer) that network professionals can use to troubleshoot and analyze network traffic under great scrutiny.
- Since the information revealed by Wireshark can be used to either attack or defend a network, administrators should learn how to use it so that they are aware of what potential attackers can see.
- Wireshark is a utility that will help you look at how various protocols work.

4 Scanning Your Own Network
- Provides you with a “hacker's view” into your network
- Illustrates the most visible vulnerabilities
- Scan from both “internal” and “external” vantage points

5 Protocols
- Internet Control Message Protocol (ICMP) is a transport protocol used between different devices on a network to help the network know a bit more about what is happening and why it might be happening.
- User Datagram Protocol (UDP) is a connectionless transport protocol used to send small amounts of data, typically where the order of transmission does not matter, or where the timeliness of the traffic is more important than its completeness (for example, audio).
- Transmission Control Protocol (TCP) is a connection-oriented protocol between two or more computers: a reliable connection must be established before data is transmitted. The process of two devices establishing this connection with TCP is called the three-way handshake.

6 TCP three-way handshake

7 TCP packet
Header layout (the slide's ruler marks bit offsets 4, 8, 16 and 32):
- Source Port (16 bits), Destination Port (16 bits)
- Sequence Number (32 bits)
- Acknowledgement Number (32 bits)
- Data offset (4 bits), Unused (6 bits), flags URG, ACK, PSH, RST, SYN, FIN (1 bit each), Window (16 bits)
- Checksum (16 bits), Urgent Pointer (16 bits)
- Options, Padding
- Data
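The header layout on this slide and the three-way handshake on slide 6, as an added Python example that is not part of the lab material: it packs and decodes the fixed 20-byte TCP header fields and labels which handshake step each segment represents. The ports and sequence numbers are constructed sample values, and the checksum is left at zero because no IP pseudo-header is built here.

```python
import struct
from typing import List, Optional

# TCP flag bits, low to high, in the order the slide lists them reversed: FIN, SYN, RST, PSH, ACK, URG
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
HEADER_FMT = "!HHIIHHHH"  # ports, seq, ack, data offset + flags, window, checksum, urgent pointer

def parse_tcp_header(data: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and split off options/payload."""
    if len(data) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack(HEADER_FMT, data[:20])
    header_len = (off_flags >> 12) * 4        # data offset is counted in 32-bit words
    flag_bits = off_flags & 0x3F              # the six flag bits; the "unused" bits sit above them
    if header_len < 20 or header_len > len(data):
        raise ValueError("TCP data offset points outside the packet")
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": [name for name, bit in TCP_FLAGS.items() if flag_bits & bit],
        "window": window, "checksum": csum, "urgent": urg,
        "payload": data[header_len:],
    }

def handshake_step(hdr: dict) -> Optional[str]:
    """Name the three-way handshake step this segment matches, else None."""
    flags = set(hdr["flags"])
    if flags == {"SYN"}:
        return "SYN"
    if flags == {"SYN", "ACK"}:
        return "SYN-ACK"
    if flags == {"ACK"} and not hdr["payload"]:
        return "ACK"
    return None

def build_tcp_header(src: int, dst: int, seq: int, ack: int, flag_names, window: int = 65535) -> bytes:
    """Pack a header without options; checksum stays 0 (no IP pseudo-header in this example)."""
    flag_bits = sum(TCP_FLAGS[name] for name in flag_names)
    return struct.pack(HEADER_FMT, src, dst, seq, ack, (5 << 12) | flag_bits, window, 0, 0)

# Constructed sample exchange: client port 40000 opening a connection to port 80
HANDSHAKE = [
    build_tcp_header(40000, 80, 1000, 0, ["SYN"]),
    build_tcp_header(80, 40000, 5000, 1001, ["SYN", "ACK"]),
    build_tcp_header(40000, 80, 1001, 5001, ["ACK"]),
]

def classify_exchange(packets) -> List[Optional[str]]:
    """Label each segment of a capture slice with its handshake step (or None)."""
    return [handshake_step(parse_tcp_header(p)) for p in packets]
```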

8 IP Packet
Header layout (the slide's ruler marks bit offsets 4, 8, 16, 19 and 32):
- Version (4 bits), Length (4 bits), Type of Service (8 bits), Total Length (16 bits)
- Identification (16 bits), Flags (3 bits), Fragment Offset (13 bits)
- Time to live (8 bits), Protocol (8 bits), Header Checksum (16 bits)
- Source Address (32 bits)
- Destination Address (32 bits)
- Options
- Data

9 Wireshark’s main screen is separated into three sections:
- Packet list
- Tree view section
- Data view section

10
References:
- http://wiki.wireshark.org/CaptureFilters
- http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html

Display filter examples:
- not icmp.resp_in and icmp.type==8 : all ICMP requests for which Wireshark does not have the corresponding response inside the capture file.
- ip.addr == x.x.x.x : any packet with x.x.x.x as either the source or destination IP address.
- ip.addr == x.x.x.x && ip.addr == y.y.y.y : a conversation filter between the two IP addresses.
- tcp, http, dns : a filter based on protocol.
- tcp.port==xxx : a filter based on TCP port number.
- http.request : all HTTP GET and POST requests; for the most part this shows the web pages being accessed.
- tcp contains xxx : a filter based on a string you provide; it searches TCP packets for that string. If you were looking for a specific item or user name you knew was appearing in the packet, this is a filter you could use.
- !(arp or icmp or dns) : this filter format is designed to filter out certain types of protocols you might not want. In my example, we hide ARP, ICMP, and DNS, all of which are broadcasts. This lets our eyes work on other things.


12 Lab Exercises


14 Wireshark Color Coding
- You’ll probably see packets highlighted in green, blue, and black. Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with problems, for example ones that were delivered out of order.

