Packet Capture & Analysis
Why do we need to capture packets &
How is it relevant to security?
tcpdump
• tcpdump is a command line utility to capture and analyze network packets
– From the man page:
tcpdump
• tcpdump by default captures packets and prints them out
-n: don’t translate numbers to names (bypass the default)
-i: interface to listen on
tcpdump -n -i en0 port 53
(sample output annotated with: DNS queries, DNS responses)
tcpdump
• With the -w flag, you can write it to a file for later analysis
-w: write to a file (test_capture.pcap)
-c: packet count
tcpdump -n -i en0 -w test_capture.pcap -c 100
tcpdump
• You can read packets from a file with the -r flag
-r: read from a file (test_capture.pcap)
port: only read packets that match the port#
tcpdump -r test_capture.pcap port 443
Examples
• Packets to or from a host: tcpdump -ni en0 host 10.10.10.10
• Packets from: tcpdump -ni en0 src 10.10.10.10
• Packets to: tcpdump -ni en0 dst 10.10.10.10
• Packets based on a protocol: tcpdump -ni en0 tcp
Capture filters
• Only capture TCP packets with SYN flag set: tcpdump -ni en0 'tcp[13]==2'
• Capture ICMPv6 packets that are ONLY neighbor solicitations: tcpdump -ni en0 'icmp6 and ip6[40] == 135'
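To show what the two byte-offset filters above actually test, here is an added Python example (not from the slides) that decodes the same bytes by hand on constructed sample packets; the builder functions, addresses and port numbers are assumptions for illustration, and the ICMPv6 check assumes no extension headers, just as ip6[40] does.

```python
import socket
import struct
from typing import Optional

# tcp[13] in a BPF filter is byte 13 of the TCP header, i.e. the flags byte; ip6[40] is the
# byte after the 40-byte fixed IPv6 header, which for ICMPv6 (no extension headers) is the type.
TCP_FLAG_SYN = 0x02
ICMP6_NEIGHBOR_SOLICITATION = 135

def tcp_flags_byte(ipv4_packet: bytes) -> Optional[int]:
    """What 'tcp[13]' reads: skip the IPv4 header (IHL * 4 bytes), then take TCP byte 13."""
    if ipv4_packet[9] != 6:                   # IPv4 protocol field: 6 = TCP
        return None
    ihl = (ipv4_packet[0] & 0x0F) * 4         # header length in bytes (IP options included)
    return ipv4_packet[ihl + 13]

def matches_syn_only(ipv4_packet: bytes) -> bool:
    """Equivalent of 'tcp[13]==2': SYN set and no other flag, so SYN-ACK replies do not match."""
    return tcp_flags_byte(ipv4_packet) == TCP_FLAG_SYN

def matches_icmp6_ns(ipv6_packet: bytes) -> bool:
    """Equivalent of 'icmp6 and ip6[40] == 135', assuming no IPv6 extension headers."""
    return ipv6_packet[6] == 58 and ipv6_packet[40] == ICMP6_NEIGHBOR_SOLICITATION

def build_ipv4_tcp(flags: int, src: str = "10.1.1.5", dst: str = "10.10.10.10") -> bytes:
    """Constructed sample: minimal IPv4 + TCP header with the given flags byte (checksums 0)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 64240, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    return ipv4 + tcp

def build_ipv6_icmp6(icmp_type: int) -> bytes:
    """Constructed sample: fixed IPv6 header (next header 58) + ICMPv6 message of the given type."""
    icmp6 = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 20   # type, code, checksum, body
    ipv6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp6), 58, 255,
                       socket.inet_pton(socket.AF_INET6, "fe80::1"),
                       socket.inet_pton(socket.AF_INET6, "ff02::1:ff00:1"))
    return ipv6 + icmp6

def filter_capture(ipv4_packets, ipv6_packets) -> dict:
    """Apply both slide filters to lists of raw packets and count matches, as a capture filter would."""
    return {"syn_only": sum(matches_syn_only(p) for p in ipv4_packets),
            "icmp6_ns": sum(matches_icmp6_ns(p) for p in ipv6_packets)}

if __name__ == "__main__":
    v4 = [build_ipv4_tcp(0x02), build_ipv4_tcp(0x12), build_ipv4_tcp(0x04)]   # SYN, SYN-ACK, RST
    v6 = [build_ipv6_icmp6(135), build_ipv6_icmp6(128)]   # neighbor solicitation, echo request
    print(filter_capture(v4, v6))   # {'syn_only': 1, 'icmp6_ns': 1}
```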
Reading tcpdump Output
• UDP packets: (sample DNS output annotated with: timestamp, source IP, source port, dst IP, dst port, query ID, DNS query, query size, 2 answers)
Reading tcpdump Output
• TCP packets:
• Seen a “connection refused” error?
• You sent SYN, but the server responded with RST packet!
(sample output annotated with: flags P = PUSH, . = ACK; payload length = end of the seq range minus its start, e.g. 531-1 and 1959-531)
Wireshark
• Wireshark is a graphical network packet/protocol analyzer
Why Wireshark?
• Network Admins use it:
– to troubleshoot network problems
• Security Engineers use it:
– to examine security problems
• Developers use it:
– to debug protocol implementations
• People use it:
– to learn network protocol internals
What Wireshark isn’t
• Not an intrusion detection system
– Won’t alert on strange things in your network
• Will only “read” packets
– Will not manipulate packets on the network
How to Install
• Straightforward
– Download: https://www.wireshark.org/download.html
– Install: just double-click and follow the instructions
Capture Packets
(screenshot annotated with: interface to capture on, Capture)
Capture Packets
• The interface is put in promiscuous mode by default
Dashboard
(screenshot annotated with: menu, captured packets, raw data)
Filters
• Capture filter
– Only capture packets that match the expression
• https://wiki.wireshark.org/CaptureFilters
Filters
• Display filter
– Look for specifics: ports, protocols, etc.
• Helps drill down to traffic of interest
• >3000 protocols & ~250K fields (https://www.wireshark.org/docs/dfref/)
Protocol Streams
• Wireshark allows you to follow protocol streams
– As seen by the application layer
• Ex: maybe you want to see a password in a telnet stream
Protocol Streams
Statistics menu
• What protocols are used in your network?
Statistics -> Protocol Hierarchy
Statistics menu
• Which host is consuming your bandwidth?
Statistics -> Conversations
Need CLI?
• Where you don’t have a user interface
– tshark is the terminal version of Wireshark
• Has all the options of Wireshark
– https://www.wireshark.org/docs/man-pages/tshark.html
Exercise
• Install Wireshark on your PC
– https://www.wireshark.org/download.html
• Run Wireshark
– Capture inbound/outbound traffic on your wireless NIC
• Download the pcap files from the lab wiki
– Follow the lab guide in this slide deck
Exercise 1: Telnet
• File
– telnet.pcap
• Question
– Reconstruct the telnet session
• Q1: Who logged into 192.168.0.1
– Username __________, Password __________ .
• Q2: After logging in, what did the user do?
Exercise 2: Massive TCP SYN
• File
– SYN1.pcap and SYN2.pcap
• Question
– Point out the difference between them
• Q1: SYN1.pcap is a _________ attempt.
• Q2: SYN2.pcap is a _________ attempt.
• Tip
– Pay attention to Src IP
Exercise 3: Employee gossip
• File
– chat.dmp
• Question
– Q1: What kind of protocol is used? _______
– Q2: This is a conversation between [email protected] and [email protected]
– Q3: What do they say about the Sys Admin?
• Tip
– Use secure chat
Ex 4: Suspicious FTP activity
• File
– ftp.pcap
• Question
– Q1: What is the FTP server IP? ______ .
– Q2: What is the client IP? ______ .
– Q3: What is FTP Error Code 530? __________ .
– Q4: What is 10.234.125.254 doing? ________.
• Tip
– How many login errors occur within a minute?
Exercise 5: Unidentified Traffic
• File
– foobar.pcap
• Question
– Q1: See what’s going on in the Wireshark GUI: Statistics -> Conversations
– Q2: Which application uses TCP/6346?
• Check the web.
Exercise 6: Covert channel
• File
– covertinfo.pcap
• Question
– Take a closer look! This is not a typical ICMP Echo/Reply…
– Q1: What kind of tool do they use?
• Check the web.
– Q2: What other applications tunnel user traffic?
Exercise 7: SIP
• File
– sip_chat.pcap
• Questions:
– Q1: Can we listen to SIP voice?
– Q2: How can we listen using Wireshark?
• Tip:
– Use SIPS/SRTP