Packet Capture & Analysis

Packet Analysis 20190526 · 2019-05-27


Why do we need to capture packets, and how is it relevant to security?

tcpdump
• tcpdump is a command line utility to capture and analyze network packets
– From the man page:

tcpdump
• tcpdump by default captures packets and prints them out
– -n: don't translate numbers to names (bypass the default)
– -i: interface to listen on

tcpdump -n -i en0 port 53

The output shows the DNS queries and DNS responses seen on port 53.

tcpdump
• With the -w flag you can write the packets to a file for later analysis
– -w: write to a file (test_capture.pcap)
– -c: packet count (stop after this many packets)

tcpdump -n -i en0 -w test_capture.pcap -c 100

tcpdump
• You can read packets from a file with the -r flag
– -r: read from a file (test_capture.pcap)
– port: only read packets that match the port number

tcpdump -r test_capture.pcap port 443

Examples
• Packets to or from a host: tcpdump -ni en0 host 10.10.10.10
• Packets from a host: tcpdump -ni en0 src 10.10.10.10
• Packets to a host: tcpdump -ni en0 dst 10.10.10.10
• Packets based on a protocol: tcpdump -ni en0 tcp

Capture filters
• Only capture TCP packets with the SYN flag set and nothing else (TCP header byte 13 equals 2): tcpdump -ni en0 'tcp[13]==2'
• Capture ICMPv6 packets that are ONLY neighbor solicitations (the byte after the 40-byte IPv6 header is the ICMPv6 type): tcpdump -ni en0 'icmp6 and ip6[40] == 135'
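To show what the two byte-offset filters above actually test, here is an added example (not part of the slide deck): it builds a small pcap in memory from constructed frames, walks the records, and applies the same checks tcpdump compiles `tcp[13]==2` and `icmp6 and ip6[40] == 135` into. The MAC and IP addresses are invented, checksums are left at zero because the filters never look at them, and the helper names are my own.

```python
import socket
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
IPPROTO_TCP, IPPROTO_ICMPV6 = 6, 58
TCP_SYN, TCP_ACK = 0x02, 0x10          # bits of TCP header byte 13
ICMP6_NEIGHBOR_SOLICITATION = 135


def eth(ethertype, payload):
    # Constructed MAC addresses; only the EtherType matters for the filters.
    return bytes.fromhex("0011223344550066778899aa") + struct.pack("!H", ethertype) + payload


def ipv4_tcp(src, dst, sport, dport, flags):
    # 20-byte TCP header (data offset 5) behind a 20-byte IPv4 header.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth(ETH_IPV4, ip + tcp)


def ipv6_icmp(src, dst, icmp_type):
    # ICMPv6 header (type, code, checksum) plus 4 reserved bytes; checksum left zero.
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255,
                      socket.inet_pton(socket.AF_INET6, src),
                      socket.inet_pton(socket.AF_INET6, dst))
    return eth(ETH_IPV6, ip6 + icmp)


def write_pcap(frames):
    """Serialise frames as a classic little-endian pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1558915200 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield each captured frame from pcap bytes (little-endian magic only)."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_syn_only(frame):
    """tcp[13]==2: IPv4 carrying TCP, and TCP header byte 13 (the flags) is exactly SYN."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return False
    ip = frame[14:]
    if ip[9] != IPPROTO_TCP:
        return False
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length, so tcp[0] is ip[ihl]
    return ip[ihl + 13] == TCP_SYN


def icmp6_neighbor_solicitation(frame):
    """icmp6 and ip6[40]==135: IPv6 with next header 58 and ICMPv6 type 135.
    Like BPF's icmp6 keyword, this does not walk IPv6 extension headers."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV6:
        return False
    ip6 = frame[14:]
    return ip6[6] == IPPROTO_ICMPV6 and ip6[40] == ICMP6_NEIGHBOR_SOLICITATION


def apply_filter(pcap_bytes, predicate):
    """Indexes of the frames that the predicate (a capture-filter equivalent) keeps."""
    return [i for i, frame in enumerate(read_pcap(pcap_bytes)) if predicate(frame)]


# Constructed capture: a TCP handshake plus three ICMPv6 messages.
SAMPLE_PCAP = write_pcap([
    ipv4_tcp("10.0.0.2", "10.0.0.1", 40000, 80, TCP_SYN),             # 0: SYN only
    ipv4_tcp("10.0.0.1", "10.0.0.2", 80, 40000, TCP_SYN | TCP_ACK),   # 1: SYN/ACK (byte 13 = 0x12)
    ipv4_tcp("10.0.0.2", "10.0.0.1", 40000, 80, TCP_ACK),             # 2: ACK
    ipv6_icmp("fe80::1", "ff02::1:ff00:2", 135),                       # 3: Neighbor Solicitation
    ipv6_icmp("fe80::2", "fe80::1", 136),                              # 4: Neighbor Advertisement
    ipv6_icmp("fe80::1", "fe80::2", 128),                              # 5: Echo Request
])

if __name__ == "__main__":
    print("tcp[13]==2 keeps frames:", apply_filter(SAMPLE_PCAP, tcp_syn_only))
    print("icmp6 and ip6[40]==135 keeps frames:",
          apply_filter(SAMPLE_PCAP, icmp6_neighbor_solicitation))
```

The SYN/ACK frame is the instructive one: its flags byte is 0x12, so `tcp[13]==2` drops it, which is why that filter isolates connection attempts rather than every segment with SYN set (for the latter you would test the bit with `tcp[13] & 2 != 0`).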

Reading tcpdump Output
• UDP packets:
(Fields annotated on the slide: Timestamp, Source IP, Source port, Dst IP, Dst port, Query ID, DNS Query, Query size, 2 answers)

Reading tcpdump Output
• TCP packets:
• Seen a "connection refused" error?
• You sent a SYN, but the server responded with a RST packet!
(Annotations on the slide: P = PUSH, (.) = ACK; Length = 531-1 and Length = 1959-531, since tcpdump prints each data segment's sequence range and the payload length is the difference.)
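The two slides above annotate tcpdump's text output by eye. As an added example (not from the deck), the parser below pulls the same fields out of tcpdump `-n` lines: query ID, answer count and size for DNS, and flags, sequence range and payload length for TCP, then spots the SYN-then-RST pattern behind "connection refused". The sample lines are constructed in tcpdump's default format with invented addresses; regexes and function names are my own.

```python
import re

# tcpdump -n prints "HH:MM:SS.usec IP src.sport > dst.dport: <protocol-specific text>".
# Only IPv4 ("IP") lines are handled here; tcpdump prints "IP6" for IPv6.
HEADER = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# "12345+ A? example.com. (29)": query ID, recursion-desired '+', type, name, size
DNS_QUERY = re.compile(r"^(?P<qid>\d+)\+ (?P<qtype>\w+)\? (?P<name>\S+) \((?P<size>\d+)\)$")
# "12345 2/0/0 A 93.184.216.34, ... (61)": query ID, answer/authority/additional counts, size
DNS_REPLY = re.compile(r"^(?P<qid>\d+)\*? (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+) .*\((?P<size>\d+)\)$")
# "Flags [P.], seq 1:531, ack 1, win 512, length 530"
TCP = re.compile(
    r"^Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?.*length (?P<len>\d+)$"
)


def parse_line(line):
    """Turn one tcpdump output line into a dict, or None if it is not an IPv4 line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
           "dst": m["dst"], "dport": int(m["dport"])}
    rest = m["rest"]
    if (q := DNS_QUERY.match(rest)):
        rec.update(kind="dns_query", qid=int(q["qid"]), qtype=q["qtype"], name=q["name"],
                   size=int(q["size"]))
    elif (r := DNS_REPLY.match(rest)):
        rec.update(kind="dns_reply", qid=int(r["qid"]), answers=int(r["an"]), size=int(r["size"]))
    elif (t := TCP.match(rest)):
        seq = int(t["seq"]) if t["seq"] else None
        seq_end = int(t["seq_end"]) if t["seq_end"] else None
        # For data segments tcpdump prints "seq first:last"; payload length = last - first,
        # which is the "Length = 531-1" arithmetic on the slide.
        rec.update(kind="tcp", flags=t["flags"], seq=seq, seq_end=seq_end,
                   length=int(t["len"]),
                   computed_length=(seq_end - seq) if seq_end is not None else 0)
    else:
        rec.update(kind="other", info=rest)
    return rec


def parse_output(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec is not None]


def connection_refused(records):
    """(client, server, port) for every SYN that was answered with a RST from the server."""
    pending, refused = set(), []
    for r in records:
        if r["kind"] != "tcp":
            continue
        flow = (r["src"], r["sport"], r["dst"], r["dport"])
        if r["flags"] == "S":
            pending.add(flow)
        elif "R" in r["flags"]:
            reverse = (r["dst"], r["dport"], r["src"], r["sport"])
            if reverse in pending:
                pending.discard(reverse)
                refused.append((r["dst"], r["src"], r["sport"]))
    return refused


# Constructed sample in tcpdump -n format (addresses and IDs are invented).
SAMPLE_OUTPUT = """\
12:00:00.000001 IP 192.168.0.10.51234 > 8.8.8.8.53: 12345+ A? example.com. (29)
12:00:00.020002 IP 8.8.8.8.53 > 192.168.0.10.51234: 12345 2/0/0 A 93.184.216.34, A 93.184.216.35 (61)
12:00:01.000000 IP 10.0.0.2.40000 > 10.0.0.1.8080: Flags [S], seq 100, win 65535, options [mss 1460], length 0
12:00:01.000200 IP 10.0.0.1.8080 > 10.0.0.2.40000: Flags [R.], seq 0, ack 101, win 0, length 0
12:00:02.000000 IP 10.0.0.2.40001 > 10.0.0.1.443: Flags [S], seq 5, win 65535, length 0
12:00:02.000100 IP 10.0.0.1.443 > 10.0.0.2.40001: Flags [S.], seq 9, ack 6, win 65535, length 0
12:00:02.000200 IP 10.0.0.2.40001 > 10.0.0.1.443: Flags [P.], seq 1:531, ack 1, win 512, length 530
12:00:02.000300 IP 10.0.0.2.40001 > 10.0.0.1.443: Flags [.], seq 531:1959, ack 1, win 512, length 1428
"""

if __name__ == "__main__":
    recs = parse_output(SAMPLE_OUTPUT)
    for rec in recs:
        print(rec)
    print("connection refused:", connection_refused(recs))
```

Note that tcpdump switches to relative sequence numbers once it has seen the handshake, which is why the data segments show `seq 1:531` even though the SYN carried an absolute number; the `computed_length` field agrees with the printed `length` either way.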

Wireshark
• Wireshark is a graphical network packet/protocol analyzer

Why Wireshark?
• Network Admins use it:
– to troubleshoot network problems
• Security Engineers use it:
– to examine security problems
• Developers use it:
– to debug protocol implementations
• People use it:
– to learn network protocol internals

What Wireshark isn't
• Not an intrusion detection system
– Won't alert on strange things in your network
• Will only "read" packets
– will not manipulate packets on the network

How to Install
• Straightforward
– Download
• https://www.wireshark.org/download.html
– Install
• Just double-click and follow the instructions

Capture Packets
(Screenshot: the interface to capture on, and the Capture button)

Capture Packets
• The interface is captured in promiscuous mode by default

Dashboard
(Screenshot labels: Menu, Captured packets, Raw Data)

Filters
• Capture filter
– Only capture packets that match the expression
• https://wiki.wireshark.org/CaptureFilters

Filters
• Display filter
– Look for specifics: ports, protocols, etc.
• Helps drill down to traffic of interest
• >3000 protocols & ~250K fields (https://www.wireshark.org/docs/dfref/)

Protocol Streams
• Wireshark allows you to follow protocol streams
– As seen by the application layer
• Ex: maybe you want to see a password in a telnet stream

Protocol Streams
(Screenshot)

Statistics menu
• What protocols are used in your network?
– Statistics -> Protocol Hierarchy

Statistics menu
• Which host is consuming your bandwidth?
– Statistics -> Conversations

Need CLI?
• Where you don't have a user interface
– tshark is the terminal version of Wireshark
• Has all the options of Wireshark
– https://www.wireshark.org/docs/man-pages/tshark.html

Exercise
• Install Wireshark on your PC
– https://www.wireshark.org/download.html
• Run Wireshark
– Capture inbound/outbound traffic on your wireless NIC
• Download the pcap files from the lab wiki
– Follow the lab guide in this slide deck

Exercise 1: Telnet
• File
– telnet.pcap
• Question
– Reconstruct the telnet session
• Q1: Who logged into 192.168.0.1?
– Username __________, Password __________ .
• Q2: After logging in, what did the user do?

Exercise 2: Massive TCP SYN
• File
– SYN1.pcap and SYN2.pcap
• Question
– Point out the difference between them
• Q1: SYN1.pcap is a _________ attempt.
• Q2: SYN2.pcap is a _________ attempt.
• Tip
– Pay attention to the Src IP
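The tip says to look at the source IPs. One way to make that concrete, as an added example that is not part of the lab material and does not answer the questions for you, is to profile a burst of SYNs by fan-in (how many distinct sources hit one target port) and fan-out (how many distinct target ports one source hits). The input lines are constructed in the shape that `tshark -r SYN1.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -E separator=, -e ip.src -e ip.dst -e tcp.dstport` would print (those are real tshark options and field names; the addresses are invented, and the labels, threshold and function names are my own).

```python
from collections import defaultdict

FAN_THRESHOLD = 5   # distinct peers needed before a shape is called


def syn_profile(lines):
    """Return (fan_in, fan_out) from 'src,dst,dstport' lines.

    fan_in maps (dst, port) to the number of distinct source IPs that sent a SYN to it;
    fan_out maps a source IP to the number of distinct (dst, port) pairs it sent SYNs to.
    """
    sources_per_target = defaultdict(set)
    targets_per_source = defaultdict(set)
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue   # blank line or a packet with no TCP port field
        src, dst, port = parts[0], parts[1], int(parts[2])
        sources_per_target[(dst, port)].add(src)
        targets_per_source[src].add((dst, port))
    return ({k: len(v) for k, v in sources_per_target.items()},
            {k: len(v) for k, v in targets_per_source.items()})


def describe_syn_burst(lines, threshold=FAN_THRESHOLD):
    """Label the dominant shape of the SYN traffic by its fan-in and fan-out."""
    fan_in, fan_out = syn_profile(lines)
    if not fan_in:
        return "no-syns"
    max_in, max_out = max(fan_in.values()), max(fan_out.values())
    if max_in >= threshold and max_out == 1:
        return "many-sources-one-port"     # every source aims at the same single target port
    if max_out >= threshold and max_in == 1:
        return "one-source-many-ports"     # a single source walks across many ports
    return "mixed"


# Constructed captures of the two shapes (IPs and ports are invented).
SYN_SAMPLE_A = [f"10.1.1.{i},192.168.0.1,80" for i in range(1, 9)]
SYN_SAMPLE_B = [f"10.9.9.9,192.168.0.1,{p}" for p in (21, 22, 23, 25, 80, 443, 3306)]

if __name__ == "__main__":
    for name, sample in (("A", SYN_SAMPLE_A), ("B", SYN_SAMPLE_B)):
        print(name, syn_profile(sample), describe_syn_burst(sample))
```

Run the same profile over both lab captures and compare the two summaries; the difference the exercise asks about shows up in which of the two dictionaries grows.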

Exercise 3: Employee gossip
• File
– chat.dmp
• Question
– Q1: What kind of protocol is used? _______
– Q2: This is a conversation between [email protected] and [email protected]
– Q3: What do they say about the Sys Admin?
• Tip
– Use secure chat

Ex 4: Suspicious FTP activity
• File
– ftp.pcap
• Question
– Q1: What is the FTP server IP? ______ .
– Q2: What is the client IP? ______ .
– Q3: What is FTP Error Code 530? __________ .
– Q4: What is 10.234.125.254 doing? ________.
• Tip
– How many login errors occur within a minute?
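The tip turns into a detection rule once you count 530 replies per client over a sliding one-minute window. The example below is added here and is not part of the lab; its input lines are constructed in the shape that `tshark -r ftp.pcap -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e ftp.response.code` would print for server responses (real tshark options and field names, invented packets), and the window, threshold and function names are my own choices.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # the slide's "within a minute"
THRESHOLD = 5         # 530 replies to one client inside the window before it is flagged


def parse_fields_line(line):
    """Split 'epoch,server,client,code'; None when the FTP response code field is empty."""
    parts = line.strip().split(",")
    if len(parts) != 4 or not parts[3]:
        return None   # tshark leaves ftp.response.code blank on non-response packets
    ts, server, client, code = parts
    return float(ts), server, client, int(code)


def failed_logins(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding-window count of 530 replies per client.

    Returns (peak, alerts): peak maps client IP to the largest number of 530s seen in
    any `window`-second span; alerts lists (client, timestamp) at the moment the count
    first reached `threshold`.
    """
    recent = defaultdict(deque)   # client -> timestamps of recent 530s, oldest first
    peak = defaultdict(int)
    alerts = []
    for line in lines:
        rec = parse_fields_line(line)
        if rec is None or rec[3] != 530:
            continue
        ts, _server, client, _code = rec
        window_q = recent[client]
        window_q.append(ts)
        while ts - window_q[0] > window:   # drop 530s older than the window
            window_q.popleft()
        peak[client] = max(peak[client], len(window_q))
        if len(window_q) == threshold:
            alerts.append((client, ts))
    return dict(peak), alerts


# Constructed tshark-style field output: epoch time, server IP, client IP, FTP reply code.
# 10.0.0.99 collects six 530s in 13 seconds; 10.0.0.7 fails once, logs in, fails again later.
SAMPLE_LINES = """\
1558915200.10,192.168.1.20,10.0.0.99,220
1558915201.00,192.168.1.20,10.0.0.99,530
1558915203.00,192.168.1.20,10.0.0.99,530
1558915205.00,192.168.1.20,10.0.0.99,530
1558915208.00,192.168.1.20,10.0.0.99,530
1558915211.00,192.168.1.20,10.0.0.99,530
1558915214.00,192.168.1.20,10.0.0.99,530
1558915300.00,192.168.1.20,10.0.0.7,530
1558915320.00,192.168.1.20,10.0.0.7,230
1558915500.00,192.168.1.20,10.0.0.7,530
1558915501.00,192.168.1.20,10.0.0.7,
""".splitlines()

if __name__ == "__main__":
    peak, alerts = failed_logins(SAMPLE_LINES)
    print("peak 530s per client within", WINDOW_SECONDS, "s:", peak)
    print("alerts:", alerts)
```

Because the responses come from the server, `ip.src` is the server and `ip.dst` is the client, which is the same orientation the exercise's Q1 and Q2 ask you to establish before counting anything.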

Exercise 5: Unidentified Traffic
• File
– foobar.pcap
• Question
– Q1: See what's going on with the Wireshark GUI: Statistics -> Conversations
– Q2: Which application uses TCP/6346?
• Check the web.

Exercise 6: Covert channel
• File
– covertinfo.pcap
• Question
– Take a closer look! This is not a typical ICMP Echo/Reply…
– Q1: What kind of tool do they use?
• Check the web.
– Q2: What other applications tunnel user traffic?
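"Not a typical ICMP Echo/Reply" is a statement about the data field, and the way to check it at scale is a payload heuristic rather than a look at one packet. The classifier below is an added example, not part of the lab and not a signature for any particular tool: it labels an echo payload as the stock ping filler (a long run of consecutive byte values), readable text, high-entropy data, or unknown. The thresholds, labels and sample payloads are my own constructions.

```python
import math
from collections import Counter

PATTERN_MIN_RUN = 32       # bytes of consecutive +1 values that mark stock ping filler
TEXT_MIN_PRINTABLE = 0.9   # share of printable bytes before a payload is called "text"
HIGH_ENTROPY_BITS = 6.0    # bits/byte; encrypted or compressed data sits near 8


def shannon_entropy(data):
    """Bits per byte of the payload (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def incrementing_suffix_len(data):
    """Length of the longest run at the end of data where each byte is the previous + 1."""
    if not data:
        return 0
    run = 1
    for i in range(len(data) - 1, 0, -1):
        if data[i] != (data[i - 1] + 1) & 0xFF:
            break
        run += 1
    return run


def printable_ratio(data):
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return printable / len(data) if data else 0.0


def classify_echo_payload(payload):
    """Heuristic label for the data field of an ICMP Echo Request/Reply."""
    if not payload:
        return "empty"
    if incrementing_suffix_len(payload) >= PATTERN_MIN_RUN:
        return "ping-pattern"             # ordinary ping filler (timestamp + 0x10, 0x11, ...)
    if printable_ratio(payload) >= TEXT_MIN_PRINTABLE:
        return "text"                     # readable content where filler is expected
    if shannon_entropy(payload) >= HIGH_ENTROPY_BITS:
        return "high-entropy"             # looks encrypted or compressed
    return "unknown"


# Constructed payloads (not taken from any capture).
PING_LIKE = bytes.fromhex("00112233445566770000000000000000") + bytes(range(0x10, 0x38))
TEXT_LIKE = b"meeting moved to 3pm, bring the slides\n"
RANDOM_LIKE = bytes(range(0, 256, 3))

if __name__ == "__main__":
    for name, p in (("ping", PING_LIKE), ("text", TEXT_LIKE), ("random", RANDOM_LIKE)):
        print(name, len(p), round(shannon_entropy(p), 2), classify_echo_payload(p))
```

Anything other than "ping-pattern" on a busy echo flow is worth opening in Wireshark; a stream of "high-entropy" or "text" payloads between the same two hosts is the kind of thing Q1 is pointing at.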

Exercise 7: SIP
• File
– sip_chat.pcap
• Questions:
– Q1: Can we listen to SIP voice?
– Q2: How can we listen using Wireshark?
• Tip:
– Use SIPS/SRTP