Packet Capture Wireshark
Fakrul Alam
Why do we need to capture packets & how is it related to security?
tcpdump Definition
tcpdump is a utility used to capture and analyze packets on network interfaces. Details about these packets can either be displayed to the screen or they can be saved to a file for later analysis. tcpdump utilizes the libpcap library for packet capturing.
tcpdump command example
# tcpdump -nni eth0
# tcpdump -nni eth0 host 10.10.10.10
# tcpdump -nni eth0 dst host 10.10.10.10 and tcp
# tcpdump -nni eth0 src net 10.10.10.0/24 and tcp and portrange 1-1024
-nn = don't use DNS to resolve IPs and display port numbers
-i = interface to watch
dst = watch only traffic destined to a net, host or port
src = watch only traffic whose src is a net, host or port
net = specifies network
host = specifies host
port = specifies a port
proto = protocol, i.e. tcp or udp
tcpdump command example
# tcpdump -nni eth0 -s0
# tcpdump -nni eth0 not port 22 -s0 -c 1000
# tcpdump -nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24
-s0 = setting the snapshot (sample) length to 0 means use the required length to catch the whole packet
-c = number of packets
tcpdump pcaps
# tcpdump -nni eth0 -w capture.pcap -vv -c 1000
# tcpdump -nni eth0 -r capture.pcap port 80
-w capture.pcap = save captured packets to capture.pcap
-vv = display number of packets captured
-r capture.pcap = read capture file
-c = number of packets
tcpdump Output
IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204], length 53
IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 106, win 4092, options [nop,nop,TS val 376934736 ecr 854797891], length 0
IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 106:159, ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204], length 53
IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 159, win 4091, options [nop,nop,TS val 376934736 ecr 854797891], length 0
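To show what the output lines above actually encode, here is an added example (not part of the slides) that parses tcpdump's text format with the `-nn` style shown: it pulls out endpoints, flags, seq/ack ranges and payload length, sums payload bytes per direction, checks that every data segment is acknowledged by the other side, and counts SYN-only packets per source address, which is the kind of per-source view the "Massive TCP SYN" exercise later asks for. The first four sample lines are the ones on the slide; the two `[S]` lines and all function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample: the four lines from the "tcpdump Output" slide plus two
# SYN-only lines made up here so the per-source SYN counter has something to find.
SAMPLE = """\
IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204], length 53
IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 106, win 4092, options [nop,nop,TS val 376934736 ecr 854797891], length 0
IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 106:159, ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204], length 53
IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 159, win 4091, options [nop,nop,TS val 376934736 ecr 854797891], length 0
IP 10.0.0.5.40001 > 192.168.1.8.22: Flags [S], seq 1000, win 1024, options [mss 1460], length 0
IP 10.0.0.5.40002 > 192.168.1.8.23: Flags [S], seq 2000, win 1024, options [mss 1460], length 0
"""

# With -nn tcpdump prints "a.b.c.d.port" for each endpoint. A leading
# timestamp such as 12:34:56.789012 is skipped if present.
LINE_RE = re.compile(
    r"^(?:[\d:.]+ )?IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)


def _int_field(rest, name):
    """Extract 'name N' from the part of the line after the flags."""
    m = re.search(rf"\b{name} (\d+)", rest)
    return int(m.group(1)) if m else None


def parse_line(line):
    """Turn one tcpdump text line into a dict; None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    seq = re.search(r"\bseq (\d+)(?::(\d+))?", rest)   # "seq 53:106" or "seq 1000"
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": m.group("flags"),
        "seq_start": int(seq.group(1)) if seq else None,
        "seq_end": int(seq.group(2)) if seq and seq.group(2) else None,
        "ack": _int_field(rest, "ack"),
        "win": _int_field(rest, "win"),
        "length": _int_field(rest, "length") or 0,
    }


def parse(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def direction_bytes(records):
    """Payload bytes per (src, sport, dst, dport) direction."""
    out = Counter()
    for r in records:
        out[(r["src"], r["sport"], r["dst"], r["dport"])] += r["length"]
    return out


def unacknowledged_segments(records):
    """Data segments for which no later packet in the reverse direction
    carries an ack >= the segment's end sequence number."""
    pending = []
    for i, r in enumerate(records):
        if not r["length"] or r["seq_end"] is None:
            continue
        acked = any(
            later["src"] == r["dst"] and later["sport"] == r["dport"]
            and later["dst"] == r["src"] and later["dport"] == r["sport"]
            and later["ack"] is not None and later["ack"] >= r["seq_end"]
            for later in records[i + 1:]
        )
        if not acked:
            pending.append((r["src"], r["sport"], r["seq_end"]))
    return pending


def syn_only_counts(records):
    """Number of packets with only the SYN flag set, per source address."""
    return Counter(r["src"] for r in records if r["flags"] == "S")


def noisy_syn_sources(records, threshold):
    """Sources that sent at least `threshold` SYN-only packets in the sample."""
    return sorted(src for src, n in syn_only_counts(records).items() if n >= threshold)


if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(direction_bytes(recs))
    print("unacked:", unacknowledged_segments(recs))
    print("syn sources:", noisy_syn_sources(recs, 2))
```

Reading the slide's four lines through `direction_bytes` shows 106 bytes flowing from 199.59.148.139:443 to the client and none back; the client's two `[.]` packets carry only acks (106, then 159), which is exactly what `unacknowledged_segments` verifies.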
What is Wireshark?
• Wireshark is a network packet/protocol analyzer.
• A network packet analyzer captures network packets and tries to display the packet data in as much detail as possible.
• Wireshark is perhaps one of the best open source packet analyzers available today for UNIX and Windows.
About Wireshark
• Formerly known as "Ethereal"
• Author, Gerald Combs, quit Network Integration Services
• Free
• Requirement
  – Need to install winpcap
  – Latest Wireshark installer contains winpcap, don't worry
  – (On Windows Vista) Need Administrator privilege to capture
• GUI
  – Dramatically improved
Why Wireshark
• network administrators use it to troubleshoot network problems
• network security engineers use it to examine security problems
• developers use it to debug protocol implementations
• people use it to learn network protocol internals
• Wireshark isn't an intrusion detection system.
• Wireshark will not manipulate things on the network, it will only "measure" things from it.
How to Install
• Very straightforward
• Just double-click and follow the instructions.
Capture
[Screenshot of the Wireshark capture window, labelled: Dashboard Menu, Filter, Capture Data, Raw Data]
Filters
• Capture filter
  – Capture traffic that matches the capture filter rule
  – save disk space
  – prevent packet loss
• Display filter
  – Tweak appearance
Apply Filters
• ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as either the source or dest]
• ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2 [sets a conversation filter between the two defined IP addresses]
• http or dns [sets a filter to display all http and dns]
• tcp.port == 4000 [sets a filter for any TCP packet with 4000 as a source or dest port]
• tcp.flags.reset == 1 [displays all TCP resets]
• http.request [displays all HTTP GET requests]
• tcp contains rviews [displays all TCP packets that contain the word 'rviews'. Excellent when searching on a specific string or user ID]
• !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest]
Follow TCP Stream
• Build TCP Stream
  – Select TCP Packet -> Follow TCP Stream
Use "Statistics"
• What protocol is used in your network
  – Statistics -> Protocol Hierarchy
• Which host is the most chatty
  – Statistics -> Conversations
Need CLI?
• If you stick to a character-based interface, try tshark.exe
• C:\program files\wireshark\tshark.exe
Tcpdump & Wireshark
• tcpdump -i <interface> -s 65535 -w <some-file>
  – -s <snaplen>: amount of bytes captured for each packet
  – -w <some-file>: write the raw packets to a file
Exercise
• Install Wireshark on your PC
• Run Wireshark and capture inbound/outbound traffic
• Download capture files from
• Follow the instructor's guide.
Exercise 1: Good Old Telnet
• File
  – telnet.pcap
• Question
  – Reconstruct the telnet session.
  – Q1: Who logged in to 192.168.0.1? Username __________, Password __________.
  – Q2: After logging in, what did the user do?
• Tip
  – telnet traffic is not secure
Exercise 2: Massive TCP SYN
• File
  – massivesyn1.pcap and massivesyn2.pcap
• Question
  – Point out the difference between them.
  – Q1: massivesyn1.pcap is a _________ attempt.
  – Q2: massivesyn2.pcap is a _________ attempt.
• Tip
  – Pay attention to Src IP
Exercise 3: Chatty Employees
• File
  – chat.dmp
• Question
  – Q1: What kind of protocol is used? _______
  – Q2: [email protected] [email protected]
  – Q3: What do they say about you (sysadmin)?
• Tip
  – Your chat can be monitored by the network admin.
Exercise 4: Suspicious FTP activity
• File
  – vp1.pcap
• Question
  – Q1: 10.121.70.151 is FTP ______.
  – Q2: 10.234.125.254 is FTP ______.
  – Q3: FTP Err Code 530 means __________.
  – Q4: 10.234.125.254 attempt ________.
• Tip
  – How many login errors occur within a minute?
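The tip turns on counting FTP error replies per client inside a time window. The added example below (not part of the lab material, and deliberately using documentation-range addresses rather than the exercise's hosts so it does not give away the answers) implements that check in Python over tab-separated records in the shape that `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ftp.response.code` prints for server-to-client packets. The sample lines, the 60-second window and the threshold of 5 are constructed assumptions; the sliding window itself is the standard deque technique and is not specific to Wireshark.

```python
from collections import defaultdict, deque

# Constructed sample in the shape of tshark -T fields output:
# frame.time_epoch <TAB> ip.src (FTP server) <TAB> ip.dst (client) <TAB> ftp.response.code
# Values are made up for this example and are not taken from the lab pcap.
SAMPLE = """\
1700000000.10\t192.0.2.10\t198.51.100.7\t220
1700000001.20\t192.0.2.10\t198.51.100.7\t331
1700000002.30\t192.0.2.10\t198.51.100.7\t530
1700000004.00\t192.0.2.10\t198.51.100.7\t530
1700000006.50\t192.0.2.10\t198.51.100.7\t530
1700000009.00\t192.0.2.10\t198.51.100.7\t530
1700000012.00\t192.0.2.10\t198.51.100.7\t530
1700000030.00\t192.0.2.10\t203.0.113.9\t230
1700000100.00\t192.0.2.10\t198.51.100.7\t530
"""

FTP_LOGIN_INCORRECT = 530   # "Not logged in" reply code


def parse_fields(text):
    """Yield (timestamp, server, client, code) tuples; skip malformed rows."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts, server, client, code = parts
        yield float(ts), server, client, int(code)


def peak_failures(rows, window=60.0):
    """Per client, the largest number of 530 replies seen within any
    `window` seconds (sliding window over the chronological rows)."""
    recent = defaultdict(deque)
    peak = {}
    for ts, _server, client, code in rows:
        if code != FTP_LOGIN_INCORRECT:
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        peak[client] = max(peak.get(client, 0), len(q))
    return peak


def detect_bruteforce(rows, window=60.0, threshold=5):
    """Return one (client, window_start, count) alert per client the first
    time it reaches `threshold` login failures inside `window` seconds."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, _server, client, code in rows:
        if code != FTP_LOGIN_INCORRECT:
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and client not in alerted:
            alerted.add(client)
            alerts.append((client, q[0], len(q)))
    return alerts


if __name__ == "__main__":
    rows = list(parse_fields(SAMPLE))
    print(peak_failures(rows))
    for client, start, count in detect_bruteforce(rows):
        print(f"{client}: {count} failed logins within 60s starting at {start}")
```

The single 530 at the end of the sample sits outside the window and does not extend the earlier burst, which is why a per-window count rather than a plain total is the right measure for the tip's question.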
Exercise 5: Unidentified Traffic
• File
  – Foobar.pcap
• Question
  – Q1: See what's going on with the Wireshark GUI
  – Statistics -> Conversation List -> TCP (*)
  – Q2: Which application uses TCP/6346? Check the web.
Exercise 6: Covert channel
• File
  – covertinfo.pcap
• Question
  – Take a closer look! This is not a typical ICMP Echo/Reply…
  – Q1: What kind of tool do they use? Check the web.
  – Q2: Name other applications which tunnel user traffic.
Exercise 7: Analyze Malware
• File
  – malware.pcap
• Questions:
  – Q1: Find the bad HTTP traffic
  – Q2: Is there any malware in the HTTP traffic?
  – Q3: Upload one sample malware to https://www.virustotal.com/
  – Do all antivirus engines detect the malware?
• Tips
  – Filter with http contains "in DOS mode"
  – Export all the files
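The `http contains "in DOS mode"` filter works because Windows executables carry the text "This program cannot be run in DOS mode" in their MZ stub, but a string match alone will also hit a web page that merely quotes that sentence. The added example below (not from the lab material) shows the confirmation step an analyst applies after exporting objects: it splits constructed HTTP responses into headers and body, checks for a genuine MZ header whose `e_lfanew` pointer lands on a `PE\0\0` signature, and computes the SHA-256 a practitioner would look up on VirusTotal instead of uploading the sample. The fake PE skeleton and both responses are constructed for this example; nothing here is real malware.

```python
import hashlib
import struct

DOS_STUB = b"This program cannot be run in DOS mode"


def build_fake_pe() -> bytes:
    """Constructed stand-in for a Windows executable: a valid MZ/PE header
    skeleton with no code at all. Sample input only."""
    buf = bytearray(0x84)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew: offset of the PE signature
    buf[0x40:0x40 + len(DOS_STUB)] = DOS_STUB         # the string the display filter matches
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


def http_response(content_type: str, body: bytes) -> bytes:
    """Build a minimal HTTP/1.1 200 response (constructed sample data)."""
    head = (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


# Two constructed responses: an HTML page that only quotes the DOS-stub
# sentence (a false positive for the string filter) and a real PE layout.
SAMPLE_RESPONSES = [
    http_response("text/html",
                  b"<html><p>This program cannot be run in DOS mode</p></html>"),
    http_response("application/octet-stream", build_fake_pe()),
]


def split_response(raw: bytes):
    """Return (headers dict with lower-case names, body bytes)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:              # skip the status line
        name, _colon, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def looks_like_pe(body: bytes) -> bool:
    """True only if the body has an MZ header and e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return e_lfanew + 4 <= len(body) and body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_responses(responses):
    """Classify each response: did the string filter fire, is it really a PE,
    and what hash would you search for on VirusTotal."""
    results = []
    for raw in responses:
        headers, body = split_response(raw)
        results.append({
            "content_type": headers.get("content-type", ""),
            "dos_stub": DOS_STUB in body,
            "is_pe": looks_like_pe(body),
            "size": len(body),
            "sha256": sha256_hex(body),
        })
    return results


if __name__ == "__main__":
    for r in scan_responses(SAMPLE_RESPONSES):
        print(r)
```

Both responses trip the string filter, but only the second passes the header check; in the lab, exporting all HTTP objects and hashing the ones that pass is the safe route to the VirusTotal question.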
Exercise 8: SIP
• File
  – sip_chat.pcap
• Questions:
  – Q1: Can we listen to SIP voice?
  – Q2: How!!
LAB