DKT 224/3

DATA COMMUNICATION & NETWORK

LAB 2

NETWORK PROTOCOL ANALYZER –

SNIFFING AND IDENTIFY

PROTOCOL USED IN LIVE NETWORK

Lab #2

Lab #2 : Network Protocol Analyzer (Sniffing and Identify Protocol used in Live Network)

Objectives

Learn some basics of Ethernet

Sniffing packet and identify various packet types and protocol

Report Writing

Background

1. Getting Started

One’s understanding of network protocols can often be greatly deepened by “seeing protocols in

action” and by “playing around with protocols” – observing the sequence of messages exchanged

between two protocol entities, delving down into the details of protocol operation, and causing

protocols to perform certain actions and then observing these actions and their consequences. This

can be done in simulated scenarios or in a “real” network environment such as the Internet.

In these WIRESHARK labs, we’ll take the latter approach. You’ll be running various network

applications in different scenarios using a computer on your desk, at home, or in a lab. You’ll observe

the network protocols in your computer “in action,” interacting and exchanging messages with

protocol entities executing elsewhere in the Internet. Thus, you and your computer will be an integral

part of these “live” labs. You’ll observe, and you’ll learn, by doing.

The basic tool for observing the messages exchanged between executing protocol entities is called a

packet sniffer. As the name suggests, a packet sniffer captures (“sniffs”) messages being

sent/received from/by your computer. It will also typically store and/or display the contents of the

various protocol fields in these captured messages. A packet sniffer itself is passive. It observes

messages being sent and received by applications and protocols running on your computer, but never

sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer.

Instead, a packet sniffer receives a copy of packets that are sent/received from/by application and

protocols executing on your machine.

Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in this case,

Internet protocols) and applications (such as a web browser or ftp client) that normally run on your

computer. The packet sniffer, shown within the dashed rectangle in Figure 1 is an addition to the

usual software in your computer, and consists of two parts. The packet capture library receives a copy

of every link-layer frame that is sent from or received by your computer.

2

Lab #2

Messages exchanged by higher layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP all are

eventually encapsulated in link-layer frames that are transmitted over physical media such as an

Ethernet cable. In Figure 1, the assumed physical media is an Ethernet, and so all upper layer

protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames thus

gives you all messages sent/received from/by all protocols and applications executing in your

computer.

The second component of a packet sniffer is the packet analyzer, which displays the contents of all

fields within a protocol message. In order to do so, the packet analyzer must “understand” the

structure of all messages exchanged by protocols. For example, suppose we are interested in

displaying the various fields in messages exchanged by the HTTP protocol in Figure 1. The packet

analyzer understands the format of Ethernet frames, and so can identify the IP datagram within an

Ethernet frame. It also understands the IP datagram format, so that it can extract the TCP segment

within the IP datagram. Finally, it understands the TCP segment structure, so it can extract the HTTP

message contained in the TCP segment. Finally, it understands the HTTP protocol and so, for

example, knows that the first bytes of an HTTP message will contain the string “GET,” “POST,” or

“HEAD,”.

3

Lab #2

We will be using the Wireshark packet sniffer [http://www.wireshark.com] for these labs, allowing us

to display the contents of messages being sent/received from/by protocols at different levels of the

protocol stack. (Technically speaking, Wireshark (Ethereal) is a packet analyzer that uses a packet

capture library in your computer).

2. What is Wireshark (Ethereal)?

Wireshark, formerly known as Ethereal, is one of the most powerful tools in a network security analyst's toolkit. As a network packet analyzer, Wireshark can peer inside the network and examine the details of traffic at a variety of levels, ranging from connection-level information to the bits comprising a single packet. This flexibility and depth of inspection allows the valuable tool to analyze security events and troubleshoot network security device issues. It's also priced right: it's free!Wireshark (Ethereal) is a network packet analyzer or packet sniffer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark (Ethereal), all that has changed. Wireshark (Ethereal) is perhaps one of the best open source packet analyzers available today.

i. Some intended purposes

Here are some examples people use Wireshark (Ethereal) for:

network administrators use it to troubleshoot network problems

network security engineers use it to examine security problems

developers use it to debug protocol implementations

people use it to learn network protocol internals

ii. Features

• Live capture from many different network media

Despite its name, Ethereal can capture traffic from network media other than Ethernet. Which media

types are supported, depends on many things like the operating system you are using.

• Many protocol decoders

There are protocol decoders (or dissectors, as they are known in Ethereal) for a great many protocols.

A comprehensive list of all protocols and protocol fields can be found at

ttp://www.wireshark.com/docs/dfref/

• Open Source Software

Wireshark (Ethereal) is an open source software project, and is released under the GNU General

Public Licence (GPL). You can freely use Ethereal on any number of computers you like, without

worrying about license keys or fees or such. In addition, all source code is freely available under the

4

Lab #2

GPL. Because of that, it is very easy for people to add new protocols to Ethereal, either as plugins, or

built into the source, and they often do!

iii. What Wireshark is not

Just as with any tool, Wireshark can be used for some things and not others. Here is a list of some of

the things Wireshark cannot do:

1. It cannot be used to map out a network. Take a look at the NMAP tool for that functionality.

2. It does not generate network data – it is a passive tool. Tools like NMAP, ping, and traceroute

are examples of tools that generate network data. These tools are active.

3. It can only show detailed information about protocols it actually understands. The good news

is that it understands a great many protocols. It is also extensible, so you can add protocol

support for ones it doesn’t understand. Otherwise you will only be able to see a hexdump of

data it has captured.

4. It can only capture data as well as the OS\Interface\Interface driver supports. An example of

this is capturing data over wireless networks. This does not work well (or at all) for some

software and hardware combinations.

Practical work

Before you start wireshark you must log in as root. Ask the technician for root password. You

can start Wireshark by giving the command wireshark on the command line. This opens a

window, which is a GUI interface to wireshark's packet capture utility as shown in figure 2.

(You'll want to make this window bigger.)

5

Lab #2

Figure 2 : Wireshark window

To start scanning, choose Interfaces from the Capture menu. You'll see a pop-up window

similar to the one below:

6

Lab #2

Figure 3: Capture action window

If you'd like to configure advanced options -- like capturing a file, resolving MAC addresses and DNS names, or limiting the time or size of the capture -- click the Options button corresponding to the interface you wish to configure. Many of these options can help to improve the performance of Wireshark. For example, you can adjust settings to avoid name-resolution issues, as they will otherwise slow down your capture system and generate large numbers of name queries. Time and size limits can also place limitations on unattended captures. Otherwise, simply click the Start button next to the name of the interface on which you wish to capture traffic. The Wireshark screen will immediately begin filling up with traffic seen on the network interface, as shown below:

7

Lab #2

Figure 4: Capture data window

Interpreting the results

Each line in the top pane of the Wireshark window corresponds to a single packet seen on the

network. The default display shows the time of the packet (relative to the initiation of the

capture), the source and destination IP addresses, the protocol used and some information

about the packet. You can drill down and obtain more information by clicking on a row. This

causes the bottom two window panes to fill with information.

The middle pane contains drill-down details on the packet selected in the top frame. The "+"

icons reveal varying levels of detail about each layer of information contained within the

packet. In the example above, I've selected a DNS response packet. I've expanded the DNS

response (application layer) section of the packet to show that the original was requesting a

DNS resolution for www.cnn.com, and this response is informing us that the available IP

8

Lab #2

addresses include 64.236.91.21. The bottom window pane shows the contents of the packet

in both hexadecimal and ASCII representations.

Color is your friend when analyzing packets with Wireshark. Notice in the example above

that each row is color-coded. The darker blue rows correspond to DNS traffic, the lighter

blue rows are UDP SNMP traffic, and the green rows signify HTTP traffic. Wireshark

includes a complex color-coding scheme (which you can customize). The default settings

appear below:

Figure 5: Capture data window

That sums up the basics of using Wireshark to capture and analyze network traffic. The best way to

become an expert quickly is to get your hands dirty and start capturing network traffic. There's no

doubt you'll find that it can be a helpful tool for everything from configuring firewall rules to spotting

an intrusion. Remember, however, that you must always have permission from the network owner

before capturing traffic on any network.

9

Lab #2

Exercise 1:

Click on one of the HTTP packets and examine it in detail in the middle section of the Wireshark

window. You can confirm that the structure of the packet is HTTP data wrapped in a TCP segment,

which is wrapped in an IP datagram, which is wrapped in an Ethernet frame. If you click one of the

little triangles in front of the word "Ethernet", your view of the Ethernet header will be expanded to

show the content of the header. Similarly for the "Internet Protocol," "Transmission Control

Protocol," and "Hypertext Transfer Protocol" lines. If you click on any of the lines in the middle

section of the window, the corresponding data in the display in the bottom third of the window will be

highlighted. Based on all this, answer the following questions:

Question 1: What does an Ethernet address look like, and what is the Ethernet address of your

computer?

Question 2: How many bytes are there in an Ethernet header?

Question 3: What is the IP address of the server computer? How did you find this out by looking at

info in the packet?

Question 4: The HTTP server communicates on port 80. What port number on your computer was

used for the communication? How did you find this out?

Exercise 2:

Now, enter "not ip" as the display filter. This lets you see non-IP packets. What protocols do you see?

Describe some of the things that you can discover or guess about these protocols, just from

information available in the Wireshark window.

Exercise 3:

Close all internet browsers. Restart packet capturing. Open your terminal window. Ping the computer

next to you using this command: $ ping xx.xxx.x.xxx

Open your internet browser and go to http://www.wireshark.com/. Click on introduction option. Stop

the capture session. Trace back all of the activities that you have done starting from you ping the

computer next to you until you stop the capture session. Copy all of the activities that you have traced

and paste it in notepad. Print the result and attach it with your report.

10

Lab #2

Reference:

i. Ethereal User's Guide V2.00 for Ethereal 0.10.5 Richard Sharpe, NS

Computer Software and Services P/L Ed Warnicke, Ulf Lamping,

ii. http://www.wireshark.com/

11

Lab #2

Appendix

Wireshark Interface

The Wireshark interface is fairly simple considering what it can do.

1. Title bar – this will contain different information depending on what Wireshark is doing. If it is capturing network data, it will show the interface that is in use. If it is displaying data from a previous capture, the name of the file containing the captured data will be shown (untitled is shown if a capture was performed, stopped and not saved). Otherwise it will show the application name: Wireshark Network Protocol Analyzer

2. Menu bar – Menu bar providing access to application features a. File – Functions for working with captured data such as saving and exporting

to different file formatsb. Edit – Functions for finding packets, setting the time reference, and setting

preferences c. View - Functions for modifying how Wireshark displays information such as

which windows are open d. Go – Functions for navigating to specific packets e. Capture – Functions for starting and stopping captures, saving filters and

working with network interfaces f. Analyze – Functions for interpreting and filtering captured data g. Statistics – Functions to statistically analyze captured data h. Help – access to product help

3. Main tool bar – Shortcuts to frequently used functions in the menu bar 4. Filter tool bar – Quick access to filter functions 5. Packet list pane – Displays all the packets in the current capture file. 6. Packet details pane – Shows a more detailed view of the packet currently selected in

the Packet List pane 7. Packet bytes pane – A hexdump view of the packet currently selected in the Packet

List pane 8. Status bar – Provides informational messages and feedback to the user

Sample Wireshark Capture

In this example, I will start a Wireshark capture on my wired laptop interface. I will then launch Thunderbird to retrieve email from Comcast and GMail

1. First launch Wireshark.

12

Lab #2

2. Then select Capture->Interfaces from the menu bar.

 3. This will bring up the Interfaces dialog box. Select the interface you want to use.

This is important since Wireshark (as with any protocol analyzer) can only capture data from a network it is physically connected to. I will be using the wired Ethernet adapter in my laptop so I will choose the Intel adapter in the list. Click the ‘Start’ button. Capturing will now begin. After a short while, you will see the main Wireshark window (the packet list, detail and byte panes) fill with data.

 4. Now I will launch Thunderbird and login to both my GMail and Comcast mail

accounts. At this point I will wait for all my mail to download and then I will stop the network capture by selecting Capture->Stop from the menu bar. Click File and Save to save this capture to disk after all data is captured.

 5. I have just captured two complete pop3 sessions with Wireshark. To single out the

pop session information I will apply a filter. In the filter bar enter the following text and press the ‘apply’ button: tcp.port eq 110. This will limit the display to traffic on tcp port 110 (the POP port). Also notice that Wireshark “understands” the Post Office Protocol, so it will interpret bits of information such as POP commands and even authentication information. I do not connect to the Comcast mail server using SSL so my password is contained in the trace in clear text. I had to choose this screenshot wisely! I’ve actually used this to troubleshoot end user client connection problem to pop and imap servers.

 6. Scrolling through the filtered captured data only shows a conversation between two

hosts; my laptop and the Comcast mail server. What happened to gmail? Well, I use SSL with my GMail account and SSL POP connections are associated with port 995 not 110. In the filter bar enter the following text and press the ‘apply’ button: tcp.port eq 995. This will show all the POP over SSL traffic. But notice that no other details are available about the application protocol. The protocols in use on port 995 are

13

Lab #2

TCP, SSL and TLS. You will see some packets dealing with key exchange, but that is all to do with the security negotiations associated with SSL\TLS. All the Application data is encrypted.

Closing remarks

This is only the tip of the iceberg. I do not have a need to use this tool very often, but when I do need it, it is there and it can be a life saver – or a job saver.

For more information on this tool visit the Wireshark website at www.wireshark.org. The documentation on this site is quite extensive and should get you up to speed fairly quickly.

Also check out the documentation for whatever protocol you are sniffing. For the internet protocols, the RFC’s are a must read. You can find these at the Internet Engineering Task Force website at www.ietf.org.

Finally, if you are sniffing an undocumented protocol like nrpc (used by Lotus Notes\Domino) you may want to spend time researching a similar protocol that is documented. This may help you to understand what you are seeing in Wireshark related to the undocumented protocol.

14