An introduction to Network Analyzers

Dr. Farid Farahmand

3/23/2009
Network Analysis and Sniffing

 Process of capturing, decoding, and analyzing network traffic
  Why is the network slow?
  What is the network traffic pattern?
  How is the traffic being shared between nodes?
 Also known as
  traffic analysis, protocol analysis, sniffing, packet analysis, eavesdropping*, etc.

*Listen secretly to what is said in private!


Network Analyzer

 A combination of hardware and software tools that can detect, decode, and manipulate traffic on the network
  Passive monitoring (detection) - difficult to detect
  Active (attack)
 Available both free and commercially
 Mainly software-based (utilizing the OS and the NIC)
 Also known as sniffer
  A program that monitors the data traveling through the network passively
 Common network analyzers
  Wireshark / Ethereal
  Windump
  EtherPeek
  Dsniff
  And much more….

Read: Basic Packet-Sniffer Construction from the Ground Up! by Chad Renfro
Check out his program: sniff.c

Capturing the data is easy! The question is what to do with it!

Network Analyzer Components

 Hardware
  Special hardware devices that monitor the physical layer:
   Voltage fluctuation
   Jitter (random timing variation)
   Jabber (failure to handle electrical signals)
   CRC and parity errors
  NIC card
 Capture driver
  capturing the data
 Buffer
  memory or disk-based
 Real-time analysis
  analyzing the traffic in real time; detecting any intrusions
 Decoder
  making the captured data readable
Who Uses Network Analyzers

 System administrators
 Understand system problems and performance
 Malicious individuals (intruders)
 Capture cleartext data
 Passively collect data on vulnerable protocols
  FTP, POP3, IMAP, SMTP, rlogin, HTTP, etc.
 Capture VoIP data
 Mapping the target network
 Traffic pattern discovery
 Actively break into the network (backdoor techniques)
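The "capture cleartext data" bullet is what the decoder stage of a sniffer actually does, so here is an added example in Python (it is not from the slides and it is not Chad Renfro's sniff.c): it peels the Ethernet, IPv4 and TCP headers off one raw frame, verifies the IPv4 header checksum, and pulls the FTP USER/PASS commands out of the payload. The frame is constructed inline with struct.pack, using hypothetical locally administered MACs and the hypothetical addresses 192.168.1.10 -> 192.168.1.20, so it runs with no NIC, no root privileges and no capture library; on a real host the same decode_frame() would be fed the bytes handed up by a packet socket or libpcap.

```python
"""Decoder stage of a packet sniffer: Ethernet II -> IPv4 -> TCP -> payload.
The sample frame is built inline (constructed data, hypothetical hosts)."""
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over a header. Run over a header whose
    checksum field is already filled in, it returns 0 when the header is intact."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fmt_mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 (no options) + TCP (no options) around payload.
    Only the IPv4 checksum is computed; the TCP checksum is left 0 because
    the decoder below does not verify it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                      5 << 4, 0x18, 8192, 0, 0)          # data offset 5, PSH|ACK
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                       1, 0x4000, 64, IPPROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ipv4 = ipv4[:10] + struct.pack("!H", ip_checksum(ipv4)) + ipv4[12:]
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP)
    return eth + ipv4 + tcp + payload


def decode_frame(frame: bytes) -> dict:
    """Return the fields a protocol analyzer shows for one frame. Raises
    ValueError on truncated or corrupted headers instead of guessing, which
    is how a sniffer has to treat input it does not control."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"dst_mac": fmt_mac(frame[:6]), "src_mac": fmt_mac(frame[6:12]),
           "ethertype": ethertype}
    if ethertype != ETH_P_IP:
        return out
    ihl = (frame[14] & 0x0F) * 4 if len(frame) > 14 else 0
    ip_hdr = frame[14:14 + ihl]
    if ihl < 20 or len(ip_hdr) < ihl:
        raise ValueError("truncated IPv4 header")
    if ip_checksum(ip_hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    out.update(src_ip=".".join(map(str, ip_hdr[12:16])),
               dst_ip=".".join(map(str, ip_hdr[16:20])), proto=ip_hdr[9])
    if ip_hdr[9] != IPPROTO_TCP:
        return out
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    out.update(sport=sport, dport=dport, flags=tcp[13], payload=tcp[doff:])
    return out


def ftp_credentials(payload: bytes) -> dict:
    """Pull USER/PASS out of an FTP control-channel payload (sent in the clear)."""
    creds = {}
    for line in payload.decode("ascii", "replace").splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd.upper() in ("USER", "PASS"):
            creds[cmd.upper()] = arg.strip()
    return creds


# Constructed sample: an FTP login from a client to a server on port 21.
SAMPLE_FRAME = build_frame("02:00:00:00:00:0a", "02:00:00:00:00:14",
                           "192.168.1.10", "192.168.1.20", 40000, 21,
                           b"USER alice\r\nPASS hunter2\r\n")

if __name__ == "__main__":
    pkt = decode_frame(SAMPLE_FRAME)
    print("%s:%d -> %s:%d" % (pkt["src_ip"], pkt["sport"], pkt["dst_ip"], pkt["dport"]))
    print("captured credentials:", ftp_credentials(pkt["payload"]))
```

The checksum check is the part beginners leave out: a decoder that trusts the IHL and length fields of whatever it is handed will read past buffers or mis-parse deliberately malformed frames, and the same bug class has hit real analyzers.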
Basic Operation
 On a shared (hub-based) Ethernet segment every frame is delivered to every node
 A sniffer can capture all the traffic on the segment when the NIC is in promiscuous mode:
  ifconfig eth0 promisc (enable)
  ifconfig eth0 -promisc (disable)
 Default setup is non-promiscuous (the NIC only passes up frames destined for its own MAC, broadcast, or subscribed multicast addresses)
 Remember: a hub repeats all the data to every port!
 If switches are used, a unicast frame is forwarded only to the port of its destination MAC, so the switch must be configured to mirror traffic to the sniffer's port (port spanning)
  Also known as port mirroring (SPAN)
  The traffic to and from the monitored port(s) is copied to the sniffer's port
Port Monitoring
Protecting Against Sniffers

Remember: MAC address (HWaddr) = vendor address + unique NIC number, e.g. 00:01:02:03:04:05

 Spoofing the MAC is often referred to as changing the MAC address (in Linux):
  ifconfig eth0 down
  ifconfig eth0 hw ether 00:01:02:03:04:05
  ifconfig eth0 up
 Make the new MAC address known to the other hosts' ARP caches by pinging them (-b permits a broadcast destination)
  ping -c 1 -b 192.168.1.1
 To detect a sniffer (Linux)
  Download Promisc.c
  ifconfig -a (search for PROMISC)
  ip link (search for PROMISC)
 To detect a sniffer (Windows)
  Download PromiscDetect
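The Linux detection step above (look for PROMISC in ifconfig -a or ip link) is easy to automate. The following is an added example, not from the slides and not Promisc.c or PromiscDetect: it parses the output of both commands and reports every interface whose PROMISC flag is set. The two listings embedded in it are constructed samples (hypothetical host with eth0 in promiscuous mode), not captured from a real machine.

```python
"""Local sniffer detection without root: parse `ip link` (iproute2) and the
classic `ifconfig -a` (net-tools) output and list interfaces flagged PROMISC.
The sample outputs are constructed, not taken from a real host."""
import re
import subprocess

# Constructed `ip link` output: eth0 is in promiscuous mode, eth1 is not.
IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:01:02:03:04:05 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:01:02:03:04:06 brd ff:ff:ff:ff:ff:ff
"""

# Constructed old-style `ifconfig -a` output (net-tools) for the same host.
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:01:02:03:04:05
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:01:02:03:04:06
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
"""

_IP_LINK_HEAD = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")
_IP_LINK_ADDR = re.compile(r"^\s+link/\S+\s+([0-9a-f:]{17})")
_IFCONFIG_HEAD = re.compile(r"^(\S+)\s+Link encap:(?:.*HWaddr\s+([0-9A-Fa-f:]{17}))?")
_IFCONFIG_FLAGS = re.compile(r"^\s+((?:[A-Z]+\s+)+)MTU:")


def promisc_from_ip_link(text: str) -> list:
    """Return [(ifname, mac_or_None)] for interfaces flagged PROMISC in `ip link`.
    The flags live on the numbered header line; the MAC is on the next line."""
    found, current = [], None          # current: index in found of the iface being read
    for line in text.splitlines():
        m = _IP_LINK_HEAD.match(line)
        if m:
            name, flags = m.group(1), m.group(2).split(",")
            current = None
            if "PROMISC" in flags:
                found.append([name, None])
                current = len(found) - 1
            continue
        m = _IP_LINK_ADDR.match(line)
        if m and current is not None:
            found[current][1] = m.group(1)
    return [tuple(f) for f in found]


def promisc_from_ifconfig(text: str) -> list:
    """Same report from net-tools `ifconfig -a`: the name and HWaddr are on
    the first line of each block, the flags on the line carrying MTU:."""
    found, name, mac = [], None, None
    for line in text.splitlines():
        m = _IFCONFIG_HEAD.match(line)
        if m:
            name, mac = m.group(1), (m.group(2) or "").lower() or None
            continue
        m = _IFCONFIG_FLAGS.match(line)
        if m and name and "PROMISC" in m.group(1).split():
            found.append((name, mac))
    return found


if __name__ == "__main__":
    try:
        out = subprocess.run(["ip", "link"], capture_output=True, text=True, check=True).stdout
        print("promiscuous interfaces:", promisc_from_ip_link(out) or "none")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("could not run `ip link`:", exc)
```

This only sees what the local kernel reports: a sniffer on another machine attached to a mirror port or a tap leaves no flag on your host, and a compromised kernel can hide the flag, which is why the slides also point at Promisc.c-style detection from the network side.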
Protecting Against Sniffers

Remember: Never use unauthorized sniffers at work!

 Using switches can help (a switch forwards unicast frames only to the destination port)
 Use encryption
  Making the intercepted data unreadable
  Note: in many protocols the packet headers are cleartext!
 VPNs use encryption and authentication for secure communications
 VPN methods
  Secure Shell (SSH): encrypts the application data; the TCP/IP headers are not encrypted
  Secure Sockets Layer (SSL): encrypts the application session above TCP; the TCP/IP headers are not encrypted
  IPsec: can encrypt the headers as well (tunnel mode encapsulates the whole original IP packet); it runs directly over IP (ESP/AH) and does not use TCP or UDP
What is Wireshark?

Remember: You must have a good understanding of the network before you use sniffers effectively!

 Formerly called Ethereal
 An open source program
  free with many features
 Decodes over 750 protocols
 Compatible with many other sniffers (reads and writes their capture file formats)
 Plenty of online resources are available
 Supports command-line and GUI interfaces
 Command-line tools shipped with Wireshark
  TShark (the command-line capture and analysis interface)
  Editcap (similar to Save as.. to translate the format of captured packets)
  Mergecap (combine multiple saved capture files)
  Text2pcap (reads an ASCII hex dump of captured packets and writes the data into a libpcap output file)
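To show what text2pcap, mergecap and the libpcap file format behind Wireshark's Save as.. actually involve, here is an added example in Python (not from the slides, not Wireshark's own code): it parses a text2pcap-style hex dump into packets, writes them as a standard pcap file (magic 0xa1b2c3d4, version 2.4, link type 1 = Ethernet), reads the file back in either byte order, and merges two captures by timestamp the way mergecap does. The hex dump embedded in it is a constructed ARP request/reply pair for hypothetical hosts 192.168.1.10 and 192.168.1.1, not a real capture.

```python
"""text2pcap, editcap and mergecap in miniature: hex dump -> packets ->
libpcap file -> packets again, plus a timestamp merge of two captures.
Added example; the hex dump is constructed, not a real capture."""
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4     # libpcap 2.4 file, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Constructed text2pcap-style input: offset, then hex bytes. An offset of 0
# starts a new packet. Packet 1: ARP request for 192.168.1.1; packet 2: reply.
SAMPLE_HEXDUMP = """\
000000 ff ff ff ff ff ff 00 01 02 03 04 05 08 06 00 01
000010 08 00 06 04 00 01 00 01 02 03 04 05 c0 a8 01 0a
000020 00 00 00 00 00 00 c0 a8 01 01
000000 00 01 02 03 04 05 00 01 02 aa bb cc 08 06 00 01
000010 08 00 06 04 00 02 00 01 02 aa bb cc c0 a8 01 01
000020 00 01 02 03 04 05 c0 a8 01 0a
"""


def parse_hexdump(text: str) -> list:
    """Split a hex dump into packets. Reading of a line stops at the first
    token that is not a two-digit hex byte (an ASCII column, for example)."""
    packets, cur = [], bytearray()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            offset = int(parts[0], 16)
        except ValueError:
            continue                      # not a dump line, skip it
        if offset == 0 and cur:
            packets.append(bytes(cur))
            cur = bytearray()
        for tok in parts[1:]:
            if len(tok) != 2:
                break
            try:
                cur.append(int(tok, 16))
            except ValueError:
                break
    if cur:
        packets.append(bytes(cur))
    return packets


def write_pcap(records: list, linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """records: [(timestamp_seconds, packet_bytes)] -> bytes of a pcap file."""
    out = io.BytesIO()
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for ts, pkt in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.write(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)))  # incl_len, orig_len
        out.write(pkt)
    return out.getvalue()


def read_pcap(data: bytes) -> tuple:
    """Parse a pcap file of either byte order -> (linktype, [(ts, pkt)]).
    Record lengths that overrun the file or the snaplen are rejected instead
    of being read as garbage."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:             # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a pcap file (magic %08x)" % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    pos, records = 24, []
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % pos)
        sec, usec, incl, orig = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        if incl > snaplen or incl > orig or pos + incl > len(data):
            raise ValueError("bad record length at offset %d" % pos)
        records.append((sec + usec / 1e6, data[pos:pos + incl]))
        pos += incl
    return linktype, records


def merge_pcaps(*files: bytes) -> bytes:
    """mergecap in miniature: interleave several captures by timestamp."""
    linktypes = {read_pcap(f)[0] for f in files}
    if len(linktypes) != 1:
        raise ValueError("cannot merge captures with different link types")
    records = sorted((r for f in files for r in read_pcap(f)[1]), key=lambda r: r[0])
    return write_pcap(records, linktypes.pop())
```

A file produced by write_pcap() opens directly in Wireshark; the reverse path, read_pcap(), is also the smallest useful test of whether a capture file someone hands you is well-formed before you feed it to anything else.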
Installing Wireshark
 Download the program from
  www.wireshark.org/download.html
 Requires the capture library/driver (puts the interface into promiscuous mode and captures all traveling packets)
  Linux: libpcap
  Windows: WinPcap (www.winpcap.org)
 On Linux the program is typically distributed as an RPM package or as a source tarball (TAR format)
 To install in Linux
  rpm -ivh libpcap-0.9.4-8.1.i386.rpm (install the libpcap RPM)
  rpm -q libpcap (query the libpcap RPM)
  tar -zxvf libpcap-0.9.5.tar.gz (extract the source tarball)
  ./configure
  make
  sudo make install
Installing Wireshark
 Log in as the 'root' user
 Insert Fedora Core 4 Disk #4
 Navigate to the following folder on the disk: /Fedora/RPMS
 Locate packages
  ethereal-0.10.11-2.i386.rpm
  ethereal-gnome-0.10.11-2.i386.rpm
 Copy the above packages to your system
 Change directory to the packages' location
  cd <package_dir>
 Install Ethereal
  rpm -ivh ethereal-0.10.11-2.i386.rpm
 Install the Ethereal GNOME user interface
  rpm -ivh ethereal-gnome-0.10.11-2.i386.rpm

Packages that are needed for installation
 Ethereal (available on Fedora Core 4 disk #4)
  ethereal-0.10.11-2.i386.rpm
 Ethereal GNOME user interface
  ethereal-gnome-0.10.11-2.i386.rpm
Wireshark Window (annotated screenshot)
 Menu Bar
 Tool Bar
 Filter Bar (here filtering BGP packets only)
 Summary Window (packet list; the Info field gives a one-line summary, e.g. packet number 8 - BGP, Border Gateway Protocol)
 Protocol Tree Window (details of the selected packet, #8)
 Data View Window (raw data: content of packet #8)
We continue in the lab….

 Download the following files and copy them in your HW:
  bgp_test
  tcp_stream_analysis
  follow_tcp_stream
A Little about Protocols…
 Protocols are standards for communications
 Ethernet is the most popular protocol standard to enable computer communication
  Based on a shared medium and broadcasting
 Ethernet address is called MAC address
  48-bit HW address coded in the ROM of the NIC card
  The first 24 bits (3 bytes) represent the vendor (the OUI)
  The second 24 bits (3 bytes) represent the serial number assigned by the vendor
  Use: arp -a (lists the IP-to-MAC mappings the host has learned)
 Remember: IP address is logical addressing
  Network layer is in charge of routing
  Use: ipconfig (Windows) or ifconfig (Linux)
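The vendor/serial split of the MAC address described above, and the MAC spoofing slide earlier (ifconfig eth0 hw ether ...), are both served by one added example in Python (not from the slides): it takes a MAC apart into its 24-bit OUI and 24-bit NIC portion, reads the I/G and U/L bits of the first octet, and parses arp -a output (Linux and Windows formats) to list the neighbours a host has learned and flag a MAC that answers for more than one IP. The ARP listings are constructed; 00:01:02:03:04:05 is the address used on the slides and nothing is claimed here about which vendor owns that OUI.

```python
"""MAC address anatomy and an `arp -a` parser. Added example with constructed
ARP listings; no vendor lookup is performed."""
import re
from collections import defaultdict


def parse_mac(text: str) -> dict:
    """Accepts 00:01:02:03:04:05, 00-01-02-03-04-05 or 0001.0203.0405."""
    hexdigits = re.sub(r"[:\-.]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    b = bytes.fromhex(hexdigits)
    octets = ["%02x" % x for x in b]
    return {
        "mac": ":".join(octets),
        "oui": ":".join(octets[:3]),        # first 24 bits: vendor (OUI)
        "nic": ":".join(octets[3:]),        # last 24 bits: vendor-assigned serial
        "multicast": bool(b[0] & 0x01),     # I/G bit of the first octet
        # U/L bit: 1 means the address was not assigned from a vendor's OUI
        # (set by software, e.g. `ifconfig eth0 hw ether`). A spoofer can just
        # as well copy a real vendor address, so this is a hint, not proof.
        "locally_administered": bool(b[0] & 0x02),
    }


# Constructed `arp -a` output, Linux (net-tools) style and Windows style.
ARP_LINUX_SAMPLE = """\
gateway (192.168.1.1) at 00:01:02:03:04:05 [ether] on eth0
? (192.168.1.20) at 02:00:00:00:00:14 [ether] on eth0
? (192.168.1.30) at 00:01:02:03:04:05 [ether] on eth0
? (192.168.1.40) at <incomplete> on eth0
"""
ARP_WINDOWS_SAMPLE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-01-02-03-04-05     dynamic
  192.168.1.20          02-00-00-00-00-14     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# an IPv4 address, then (non-digits) a colon- or dash-separated MAC
_ARP_ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D+?((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})")


def parse_arp_table(text: str) -> list:
    """[(ip, normalized mac)] from Linux or Windows `arp -a` output.
    Header lines and <incomplete> entries carry no MAC and are skipped."""
    return [(ip, parse_mac(mac)["mac"]) for ip, mac in _ARP_ENTRY.findall(text)]


def shared_macs(entries: list) -> dict:
    """MACs that answer for more than one IP. On a flat LAN that is unusual
    enough to look at: a router doing proxy ARP, or one host claiming several
    addresses. Broadcast/multicast addresses are ignored."""
    by_mac = defaultdict(list)
    for ip, mac in entries:
        if not parse_mac(mac)["multicast"]:
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for ip, mac in parse_arp_table(ARP_LINUX_SAMPLE):
        info = parse_mac(mac)
        print(ip, mac, "OUI", info["oui"], "NIC", info["nic"],
              "(locally administered)" if info["locally_administered"] else "")
    print("shared:", shared_macs(parse_arp_table(ARP_LINUX_SAMPLE)))
```

Feeding it the real output of arp -a on your own host is the quickest way to see the "mapping the target network" view a sniffer gives an intruder: the same table, without sending a packet.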
OSI Model
 Physical
 Data link; sublayers:
  MAC: physical addressing: moving frames from one NIC card to another
  LLC (Logical Link Control): flow control and error control
 Network
  Logical addressing (IP protocol) and routing
 Transport
  Provides end-to-end transport between processes (port numbers)
  Can be connectionless (UDP, no delivery guarantee) or connection oriented (TCP, reliable)
  Connection-oriented delivery requires ACKs (and retransmission when they do not arrive)
