An Introduction to Network Analyzers New


8/8/2019


Network Analyzer Components

- Hardware: special hardware devices for monitoring voltage fluctuation, jitter (random timing variation), jabber (failure to handle electrical signals), CRC and parity errors
- NIC card
- Capture driver: captures the data
- Buffer: memory- or disk-based
- Real-time analysis: analyzing the traffic in real time; detecting any intrusions
- Decoder: making the data readable

Capturing the data is easy! The question is what to do with it!


Basic Operation

- On a hub-based (shared-medium) Ethernet segment every frame is repeated to all nodes on the segment
- A sniffer can capture all the incoming data when the NIC is in promiscuous mode:
    ifconfig eth0 promisc
- Default setup is non-promiscuous (the NIC only passes up frames destined for its own MAC address, plus broadcast and subscribed multicast frames)
- Remember: a hub forwards all the data to every port!
- If switches are used, the sniffer must rely on port spanning, also known as port mirroring: the switch copies the traffic of the monitored port(s) to the port the sniffer is connected to
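A promiscuous-mode check, as an added example that is not part of the original slides: Python code that parses the output of `ip -d -o link show` and lists the interfaces that are currently sniffing. The sample output is constructed, and the interface names eth0, eth1 and wlan0 are assumptions. The caveat a practitioner needs: on Linux a sniffer such as tcpdump or Wireshark turns on promiscuous mode through a packet-socket membership, which raises the interface's promiscuity counter but does not set the PROMISC flag that `ifconfig -a` or `ip link` prints (the detection check on the next slide); that flag only appears when promiscuous mode was set with ifconfig or `ip link set ... promisc on`. `ip -d link` prints the counter as `promiscuity N`, so the check below looks at both.

```python
"""List Linux interfaces in promiscuous mode from `ip -d -o link show` output."""
import re
import subprocess

# Constructed sample output of `ip -d -o link show` (one interface per line).
# eth0: a libpcap sniffer is running -> no PROMISC flag, but promiscuity 1.
# eth1: promiscuous mode set with `ip link set dev eth1 promisc on` -> flag set.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 addrgenmode eui64
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 addrgenmode eui64
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff promiscuity 1 addrgenmode eui64
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000\\    link/ether 00:01:02:03:04:05 brd ff:ff:ff:ff:ff:ff promiscuity 0 addrgenmode eui64
"""

# "<index>: <name>[@parent]: <FLAG,FLAG,...> rest-of-line"
LINE_RE = re.compile(
    r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>(?P<rest>.*)$")
PROMISCUITY_RE = re.compile(r"\bpromiscuity\s+(\d+)")


def parse_ip_link(text):
    """Return {iface: (set_of_flags, promiscuity_counter)} for each parsed line."""
    result = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not an interface line; ignore
        flags = {f for f in match.group("flags").split(",") if f}
        counter = PROMISCUITY_RE.search(match.group("rest"))
        result[match.group("name")] = (flags, int(counter.group(1)) if counter else 0)
    return result


def promiscuous_interfaces(text):
    """Interfaces that are sniffing: IFF_PROMISC flag set OR promiscuity counter > 0."""
    return sorted(name for name, (flags, count) in parse_ip_link(text).items()
                  if "PROMISC" in flags or count > 0)


def flag_only_interfaces(text):
    """What a naive `ip link | grep PROMISC` check reports (misses libpcap sniffers)."""
    return sorted(name for name, (flags, _) in parse_ip_link(text).items()
                  if "PROMISC" in flags)


def promisc_cmd(iface, enable=True):
    """argv of the modern equivalent of `ifconfig eth0 promisc` (needs root)."""
    return ["ip", "link", "set", "dev", iface, "promisc", "on" if enable else "off"]


def live_check():
    """Run `ip -d -o link show` on this host and return the sniffing interfaces."""
    out = subprocess.run(["ip", "-d", "-o", "link", "show"],
                         check=True, capture_output=True, text=True).stdout
    return promiscuous_interfaces(out)


if __name__ == "__main__":
    print("sample, flag only:", flag_only_interfaces(SAMPLE_IP_LINK))
    print("sample, flag or counter:", promiscuous_interfaces(SAMPLE_IP_LINK))
```

On the constructed sample the flag-only check reports just eth1, while the counter-aware check also catches eth0, which is the case that matters when hunting for a sniffer someone started with tcpdump.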


Port Monitoring


Protecting Against Sniffers

- Spoofing the MAC usually refers to changing the MAC address (in Linux):
    ifconfig eth0 down
    ifconfig eth0 hw ether 00:01:02:03:04:05
    ifconfig eth0 up
- Register the new MAC address with the neighbours by sending traffic, so that the gateway's ARP cache learns it:
    ping -c 1 -b 192.168.1.1
- To detect a sniffer (Linux):
    - Download Promisc.c
    - ifconfig -a (search for PROMISC)
    - ip link (search for PROMISC)
- To detect a sniffer (Windows): download PromiscDetect
- Remember: a MAC address (HWaddr) such as 00:01:02:03:04:05 = vendor part + unique NIC #
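MAC address structure and a checked MAC change, as an added example that is not part of the original slides. It uses the `ip link set dev ... address` form of the ifconfig commands above (the interface name eth0, the address 00:01:02:03:04:05 and the gateway 192.168.1.1 are taken from the slide; everything else is constructed). The two bits worth knowing in the first octet: bit 0 marks a multicast address, which is never valid as a source and which the code refuses, and bit 1 marks a locally administered address, which a spoofed MAC should set so it cannot collide with a vendor-assigned one.

```python
"""MAC address fields, a safe random spoof address, and the command sequence to apply it."""
import random
import re
import subprocess


def parse_mac(mac):
    """Accept 00:01:02:03:04:05, 00-01-02-03-04-05 or 000102030405; return 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def is_valid_mac(mac):
    try:
        parse_mac(mac)
        return True
    except ValueError:
        return False


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def oui(mac):
    """Vendor part: the first 24 bits (Organizationally Unique Identifier)."""
    return format_mac(parse_mac(mac)[:3])


def nic_specific(mac):
    """Unique NIC number: the last 24 bits, assigned by the vendor."""
    return format_mac(parse_mac(mac)[3:])


def is_multicast(mac):
    return bool(parse_mac(mac)[0] & 0x01)  # I/G bit


def is_locally_administered(mac):
    return bool(parse_mac(mac)[0] & 0x02)  # U/L bit


def random_local_mac(seed=None):
    """Random unicast, locally administered MAC (seed only for reproducible tests)."""
    rng = random.Random(seed)
    raw = bytearray(rng.getrandbits(8) for _ in range(6))
    raw[0] = (raw[0] | 0x02) & 0xFE  # set locally administered, clear multicast
    return format_mac(raw)


def mac_change_commands(iface, new_mac, gateway):
    """argv list for: take link down, set address, bring it up, make the gateway relearn us."""
    if is_multicast(new_mac):
        raise ValueError("a multicast MAC cannot be used as a source address")
    canonical = format_mac(parse_mac(new_mac))
    return [
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", canonical],
        ["ip", "link", "set", "dev", iface, "up"],
        ["ping", "-c", "1", gateway],  # triggers an ARP exchange with the gateway
    ]


def apply_mac_change(iface, new_mac, gateway):
    """Actually run the sequence (root required); not exercised by the checks below."""
    for argv in mac_change_commands(iface, new_mac, gateway):
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    sample = "00:01:02:03:04:05"
    print(sample, "vendor", oui(sample), "nic", nic_specific(sample),
          "local" if is_locally_administered(sample) else "vendor-assigned")
    for argv in mac_change_commands("eth0", random_local_mac(), "192.168.1.1"):
        print(" ".join(argv))
```

The slide's `ping -b` flag only matters when the destination is a broadcast address; pinging the unicast gateway, as here, is enough to make it ARP for the new address. Note that a changed MAC is a weak defence against a sniffer in any case: it changes what the sniffer sees as the source, not whether it sees the traffic.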


Protecting Against Sniffers

- Using switches can help (a switch forwards unicast frames only to the destination port)
- Use encryption: make the intercepted data unreadable
- Note: in many protocols the packet headers are cleartext!
- VPNs use encryption and authentication for secure communications

VPN Methods

- Secure Shell (SSH): the session payload is encrypted; the IP and TCP headers are not
- Secure Sockets Layer (SSL, today TLS): encrypts above the transport layer; the IP and TCP headers are not encrypted
- IPsec: encrypts the IP payload, and in tunnel mode the whole inner packet including its IP header; ESP and AH are their own IP protocols carried directly over IP, not over TCP or UDP (except for NAT traversal, which wraps ESP in UDP port 4500)

Remember: Never use unauthorized sniffers at work!


What is Wireshark?

- Formerly called Ethereal
- An open source program, free, with many features
- Decodes over 750 protocols
- Compatible with many other sniffers (reads their capture file formats)
- Plenty of online resources are available
- Supports command-line and GUI interfaces
- tshark offers the command-line interface; Wireshark also ships with three companion command-line tools:
    - editcap (similar to Save as...: translates the format of captured packets)
    - mergecap (combines multiple saved capture files)
    - text2pcap (reads an ASCII hexdump of a capture and writes the data into a libpcap output file)

Remember: You must have a good understanding of the network before you use sniffers effectively!
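What those three tools do under the hood, as an added example that is not Wireshark's code and not part of the original slides: a minimal reader and writer for the classic libpcap file format (magic 0xA1B2C3D4, microsecond timestamps; pcapng is deliberately not handled), plus a text2pcap-style hexdump converter, a mergecap-style chronological merge and an editcap-style packet truncation. The hexdump (two ARP frames) and the timestamps are constructed sample data.

```python
"""Minimal libpcap file I/O with text2pcap/mergecap/editcap-style operations."""
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

# Constructed hexdump in the layout text2pcap reads: offset, then bytes;
# an offset of 0000 starts a new packet.  An ARP request and an ARP reply, 42 bytes each.
SAMPLE_HEXDUMP = """\
0000 ff ff ff ff ff ff 52 54 00 12 34 56 08 06 00 01
0010 08 00 06 04 00 01 52 54 00 12 34 56 c0 a8 01 14
0020 00 00 00 00 00 00 c0 a8 01 01
0000 52 54 00 12 34 56 00 01 02 03 04 05 08 06 00 01
0010 08 00 06 04 00 02 00 01 02 03 04 05 c0 a8 01 01
0020 52 54 00 12 34 56 c0 a8 01 14
"""


def hexdump_to_frames(text):
    """text2pcap: turn an offset/bytes hexdump into a list of raw frames."""
    frames, cur = [], bytearray()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not re.fullmatch(r"[0-9a-fA-F]{4,}", parts[0]):
            continue                      # blank line or no offset column
        if int(parts[0], 16) == 0 and cur:
            frames.append(bytes(cur))     # offset 0 again: previous packet is complete
            cur = bytearray()
        for tok in parts[1:]:
            if not HEX_BYTE.match(tok):
                break                     # ASCII column or trailing junk
            cur.append(int(tok, 16))
    if cur:
        frames.append(bytes(cur))
    return frames


def write_pcap(records, snaplen=65535):
    """records: iterable of (timestamp_seconds, frame_bytes). Returns the file bytes."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        data = frame[:snaplen]            # incl_len may be shorter than orig_len
        out += struct.pack("<IIII", sec, usec, len(data), len(frame)) + data
    return bytes(out)


def pcap_byte_order(data):
    """'<' or '>' for a classic pcap file, None for anything else (e.g. pcapng)."""
    if len(data) < 24:
        return None
    (magic,) = struct.unpack("<I", data[:4])
    return {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)


def read_pcap(data):
    """Return (linktype, [(timestamp, frame), ...]); rejects truncated files."""
    end = pcap_byte_order(data)
    if end is None:
        raise ValueError("not a classic libpcap file")
    _, _, _, _, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if incl > snaplen or off + incl > len(data):
            raise ValueError("truncated record data")
        records.append((sec + usec / 1_000_000, bytes(data[off:off + incl])))
        off += incl
    return linktype, records


def merge_captures(*captures):
    """mergecap: one file with all packets in timestamp order."""
    records = [r for cap in captures for r in read_pcap(cap)[1]]
    records.sort(key=lambda r: r[0])
    return write_pcap(records)


def truncate_capture(cap, snaplen):
    """editcap -s: keep only the first snaplen bytes of every packet."""
    return write_pcap(read_pcap(cap)[1], snaplen=snaplen)
```

Truncating to 14 bytes keeps just the Ethernet header of each frame, which is the usual way to share a capture's traffic pattern without its payloads.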


Installing Wireshark

- Download the program from www.wireshark.org/download.html
- Requires installing capture drivers (monitor ports and capture all travelling packets):
    - Linux: libpcap
    - Windows: winpcap (www.winpcap.org)
- Typically the file is in TAR format (Linux). To install in Linux, either from the RPM:
    rpm -ivh libpcap-0.9.4-8.1.i386.rpm    (install the libpcap RPM)
    rpm -q libpcap                         (query the libpcap RPM)
  or from the source tarball:
    tar zxvf libpcap-0.9.5.tar.gz
    ./configure
    make
    sudo make install


Installing Wireshark

Packages that are needed for installation (Ethereal, available on Fedora Core 4 disk #4):
- ethereal-0.10.11-2.i386.rpm (Ethereal)
- ethereal-gnome-0.10.11-2.i386.rpm (Ethereal GNOME user interface)

- Log in as the root user
- Insert Fedora Core 4 Disk #4
- Navigate to the folder /Fedora/RPMS on the disk and locate the packages ethereal-0.10.11-2.i386.rpm and ethereal-gnome-0.10.11-2.i386.rpm
- Copy the above packages to your system
- Change directory to the packages' location:
    cd (the directory you copied the packages to)
- Install Ethereal:
    rpm -ivh ethereal-0.10.11-2.i386.rpm
- Install the Ethereal GNOME user interface:
    rpm -ivh ethereal-gnome-0.10.11-2.i386.rpm


Wireshark Window

(Screenshot of the main window with its parts labelled: Menu Bar, Tool Bar, Filter Bar, Summary Window, Protocol Tree Window, Data View Window, Info Field, Display Info field)


(Screenshot: packet number 8, BGP (Border Gateway Protocol), is selected in the Summary Window; the Protocol Tree Window shows the details of the selected packet (#8); the Data View Window shows the raw data, the content of packet #8)


We continue in the lab.

Download the following files and copy them to your HW:
- bgp_test
- tcp_stream_analysis
- follow_tcp_stream


A Little about Protocols

- Protocols are standards for communications
- Ethernet is the most popular protocol standard for enabling computer communication
    - Based on a shared medium and broadcasting
    - An Ethernet address is called a MAC address: a 48-bit hardware address coded in the ROM of the NIC card
    - The first 24 bits (the OUI) identify the vendor; the last 24 bits are the vendor-assigned serial number
    - Use: arp -a (shows the IP-to-MAC mappings this host has learned)
- Remember: an IP address is a logical address; the network layer is in charge of routing
    - Use: ipconfig


OSI Model

- Physical
- Data link; sublayers:
    - MAC: physical addressing; moving frames from one NIC card to another
    - LLC (Logical Link Control): flow control and error control
- Network: logical addressing (IP protocol)
- Transport: provides end-to-end transport; can be connectionless (UDP, no delivery guarantee) or connection-oriented (TCP, reliable delivery); connection-oriented transport requires ACKs
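The decoder component from the first slide, walking these layers one at a time, as an added example that is not part of the original slides and not Wireshark's code. It also makes the earlier point about VPNs concrete: the frame it decodes carries an opaque, TLS-looking payload, and every field the decoder prints (MACs, IP addresses, TTL, ports, TCP flags) is still readable in cleartext. The frame is constructed with the slide's MAC address 00:01:02:03:04:05 as destination; the other MAC, the IP addresses, ports and payload bytes are assumptions. The IPv4 header checksum is computed and verified; the TCP checksum is left zero and not verified.

```python
"""Decode Ethernet (data link) / IPv4 (network) / TCP or UDP (transport) headers of a raw frame."""
import socket
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]  # bit 0 .. bit 8


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header):
    """RFC 1071 ones-complement sum; returns 0 when run over a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(sport, dport, flags, payload):
    """20-byte TCP header (data offset 5, checksum left 0) followed by the payload."""
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | flags, 65535, 0, 0) + payload


def udp_segment(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, segment):
    """Ethernet II frame carrying an IPv4 packet with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + hdr + segment


def decode_frame(frame):
    """Return {'data_link': ..., 'network': ..., 'transport': ..., 'application': ...} as far as decodable."""
    frame = bytes(frame)
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"data_link": {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "ethertype": ethertype}}
    if ethertype != 0x0800:
        return layers                      # ARP, IPv6 etc. are not decoded here
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    total_len, _ident, _flags_frag, ttl, proto, _csum = struct.unpack("!HHHBBH", ip[2:12])
    layers["network"] = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
                         "ttl": ttl, "protocol": proto, "checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    seg = ip[ihl:total_len]
    if proto == 6 and len(seg) >= 20:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
        flags = [name for bit, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << bit)]
        layers["transport"] = {"proto": "TCP", "src_port": sport, "dst_port": dport,
                               "seq": seq, "ack": ack, "flags": flags}
        payload = seg[(off_flags >> 12) * 4:]
    elif proto == 17 and len(seg) >= 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", seg[:8])
        layers["transport"] = {"proto": "UDP", "src_port": sport, "dst_port": dport, "length": ulen}
        payload = seg[8:ulen]
    else:
        return layers
    # The payload is opaque to this decoder: only its size and first bytes are reported.
    layers["application"] = {"length": len(payload), "first_bytes": payload[:5].hex()}
    return layers


# Constructed sample: a TLS-looking record (type 0x16, version 3.3) sent to port 443.
SAMPLE_PAYLOAD = bytes.fromhex("160303002f") + bytes(range(47))
SAMPLE_FRAME = build_ipv4_frame("52:54:00:12:34:56", "00:01:02:03:04:05", "192.168.1.20", "192.168.1.1",
                                6, tcp_segment(51234, 443, 0x018, SAMPLE_PAYLOAD))

if __name__ == "__main__":
    for layer, fields in decode_frame(SAMPLE_FRAME).items():
        print(f"{layer:12s} {fields}")
```

Flipping any header byte makes `checksum_ok` false, which is how an analyzer flags a corrupted or tampered IP header; flipping payload bytes changes nothing the decoder reports, because the transport checksum is not checked here and the payload is treated as opaque, exactly as an analyzer sees encrypted traffic.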