Title: Packet Capture and Traffic Analysis
Post by: blackice2007 on July 28, 2007, 01:45:05 PM ::)

Packet Capture and Traffic Analysis

This session is intended to help new or beginning network administrators learn how to use packet capture software for basic network troubleshooting and traffic analysis. It will cover both installation and use of packet capture software and the fundamentals of basic network traffic analysis, including identifying communication issues, monitoring network performance, verifying network security and tracking communication transactions.

Objectives
– Define traffic analysis
– Identify reasons for traffic analysis
– Your responsibilities
– Packet capture software
– Installation
– Capture packets
– Analyze packets

What Is Traffic Analysis?
“Network analysis is the process of capturing network traffic and inspecting it closely to determine what is happening on the network.” – Orebaugh, Angela. Ethereal Packet Sniffing. Rockland, MA: Syngress Publishing, Inc., 2004.
Note: Traffic analysis, network analysis, protocol analysis, packet analysis and packet sniffing all typically refer to the same thing.

Reasons to Analyze Traffic
Legitimate:
– Identify network or communication issues
– Monitor network performance
– Verify network security
– Track communication transactions
– Log network traffic
– Discover source of unwanted traffic
– Discover compromised workstations
– Ensure users are adhering to AUP
Illegitimate:
– Capture passwords
– Capture network information
– Read confidential information
– Determine network information

What do you need to know?
You don't have to be an expert. You can get a good idea of what might be causing a network problem simply by looking at the packets.
You do need to know the following information for your network:
– Network layout - network diagram
– Server information
– Application information
– IP address information
You also need to have a basic understanding of network communication:
– Protocols (TCP/IP, HTTP, DNS)
– MAC addresses
– IP addresses
– TCP is connection-oriented
– UDP is connectionless
Ethernet breaks information into packets. Each packet has a header with important information, such as source and destination. Packets are sent and only the destination device responds. MAC addresses and IP addresses can be spoofed.

How Packet Capture Works
Collects packets without modifying them. Promiscuous mode - receives all traffic, not just traffic for that machine.
You can only capture traffic from the network you are on:
– Flat network
– Switched network
– Port mirroring

Your Responsibilities
Notify administration and users. Add a disclaimer to your AUP: "For security or maintenance purposes, equipment and network traffic may be monitored at any time."

Network Analyzers -- What's Available?
SecurityFocus: www.securityfocus.org/tools/category/4
Differences are usually in the features.
– EtherPeek
– Windows 2000/NT Server Network Monitor
– Network Associates Sniffer and SnifferPro
– Network Instruments Observer
– Ethereal
– Packetyzer
Features can include:
– Number of protocols supported
– User interface
– Graphing and statistical analysis
– Expert analysis features

Ethereal Features:
– Free (open source software)
– Runs on multiple platforms
– Supports over 480 protocols
– Reads capture files from other products (MS Network Monitor, TCPdump, Sniffer, Novell Lanalyzer)

Installation
Installation is a two-step process: WinPcap, then Ethereal.
Note: Ethereal may be installed without WinPcap, but only saved capture files can be read.

WinPcap installation
WinPcap: the Free Packet Capture Architecture for Windows, http://winpcap.polito.it (also found at Ethereal, http://www.ethereal.com).
Download and run the executable (WinPcap 3.0 for Windows). Follow the instructions on the screen.
Note: You must have rights to install new drivers and be logged in as administrator or have administrative rights. By default, WinPcap installs in C:\Program Files\WinPCap\.

Install Ethereal
Ethereal: http://www.ethereal.com
Download and run the executable (Ethereal-setup-0.10.2.exe). Follow the instructions on screen.
Note: The first time you execute Ethereal (or any other WinPcap-based application) you must be logged in with administrative rights so the driver will be installed on the system. By default Ethereal installs to C:\Program Files\Ethereal\.

Ethereal's Main Window
– Menu bar
– Tool bar
– Summary Window or Packet View (top)
– Protocol Detail or Tree View (middle)
– Data View (bottom)
– Filter Bar
– Information Field

Summary Window
One-line summary of each packet. Default fields include: No., Time, Source, Destination, Protocol, Info.
Note: You can change the default fields under Edit > Preferences.

Time Display Options (View > Time Display Format)
– Time of day
– Date and time of day
– Seconds since beginning of capture
– Seconds since previous frame
Note: Only one option can be selected at a time. Depending on your reasons for packet capture, you may want to change this parameter.

Protocol Detail
Detailed decode of the packet highlighted in the Summary Window. It displays a one-line summary of each layer in the protocol stack. Example: Frame, Ethernet II, Internet Protocol, Transmission Control Protocol.

Data View
Displays raw data of the packet highlighted in the Summary Window in hexadecimal and ASCII format. Displays data in two rows. Bytes corresponding to those highlighted in the Summary Window are also highlighted in the Data View window.
Note: Not all bytes are conveniently displayable in ASCII.

Menu Bar
File, Edit, View, Capture, Analyze, Statistics, Help

Tool Bar
– Start a new live capture
– Open a capture file
– Save this capture file
– Close this capture file

Capturing Packets
Determine where to place the sniffer on your network. What are you trying to accomplish? If you are on a switched network and there is a problem, pick a segment where you can capture traffic related to the problem.
Note: Remember you must be on the same segment.
Capture menu – Start
Capture Preferences menu

Capture Preferences Menu
– Capture Interface. Select your preferred capture interface. Default value: first non-loopback interface.
– Capture packets in promiscuous mode. If this option is not set to promiscuous mode, you will only capture packets going to or from your own computer.
– Limit each packet to ____ bytes. Capture only the specified portion of the packet.
– Capture Filter. Specify a capture filter. Default value: no filter.
Capture File
– File. Specify the file name to use when you save the capture. Default value: blank.
Capture Limits
– Stop capture after __ packets.
– Stop capture after __ kilobytes.
– Stop capture after __ seconds.
Display Options
– Update list of packets in real time. Selected captures are displayed in the packet list pane in real time.
– Automatic scrolling. Selected captures will scroll the packet list pane so you are always looking at the last packet captured.
Name Resolution
– Enable MAC name resolution. Translates the first three bytes into Manufacturer Name.
– Enable network name resolution. Translates the IP address into DNS domain name. (Note: Triggers DNS lookup requests.)
– Enable transport name resolution. Translates port numbers into protocols.

Analyze Packets
What information do you want to retrieve?
– Traffic from a specific IP address
– Unauthorized protocols (FTP)
– Top talkers
– Traffic to a specific Internet address
– Specific data
Follow TCP streams: highlight a TCP packet and select Follow TCP Stream. Displays data as the application layer would see it.

Filters
Configuring filters is outside the scope of this presentation. Ethereal has the ability to use both capture and display filters. Capture filters sort traffic being captured. Display filters sort traffic that is already captured.

Packetyzer
Packetyzer is a Windows interface for Ethereal. Network Chemistry. Packetyzer - Packet Analyzer for Windows. 2004. http://www.networkchemistry.com/products/packetyzer/
– Distributed with WinPcap and Ethereal
– Free

Unauthorized Packet Capture
Can you protect your network?
– Use switches
– Encryption
  - SSH
  - IPSec
  - PGP (e-mail)

Follow-up Assignment
– Download and install Ethereal.
– Formulate a “capture statement.” What do you want to find out? Do you want to identify what traffic is crossing your network? Identify unauthorized protocols? Identify top talkers? Other?
– Create a network diagram and determine the best place to capture traffic that is related to your “statement.”
– Create and save three capture files. Limit capture files to 1000 packets. Capture network traffic during different times of the day.
– Analyze the traffic you captured. What protocols do you see? Can you find any unauthorized traffic? Can you identify the two top talkers?
– Follow a TCP stream (HTTP) and save it as a file.
– Write a brief description of what you found through network analysis.

Title: Re: Packet Capture and Traffic Analysis
Post by: don on July 28, 2007, 03:04:42 PM

Great addition to the community. Let me look at it a little more closely, and we'll consider possibly turning it into an article. What do you think?
Don

PS - The board entitled "News Items and General Discussion About EH-Net" is about EH-Net, the site, news about the site, comments and feedback about the site, etc. Looking at your other recent post, I'm thinking this belongs in the Ethical Hacking section. As for the other post, we already had a post like it in Ethical Hacking > CEH > v5, so I merged it with that thread.

Title: Re: Packet Capture and Traffic Analysis
Post by: jimbob on July 28, 2007, 03:15:51 PM

Another useful tool for traffic analysis is Snort. Snort can help by identifying suspect signatures in your packet captures, which is a whole lot easier than interpreting half a million captured packets.

Jim

Title: Free Security tools Video (I hope you will love it)
Post by: blackice2007 on July 28, 2007, 07:59:06 PM

This is just a beginner video. I know I don't have money to buy tools to learn with. You can learn without spending money. Please let me know how much you like it.
"The more you read the more you learn," somebody said that. I said the more you play or crash the more you learn.
-Kurt
-peace

1) Socket Programming Basics
http://www.security-freak.net/sockets/socket-programming.html
2) Packet Sniffing using Raw Sockets
http://www.security-freak.net/raw-sockets/raw-sockets.html
3) Packet Injection using Raw Sockets
http://www.security-freak.net/packet-injection/packet-injection.html
4) Architecture of A Proactive Security Tool
http://www.security-freak.net/architecture/architecture.html
5) Encryption Basics using RC4
http://www.security-freak.net/encryption/encryption-rc4.html
6) How do WORMS work?
http://www.security-freak.net/worms/worms.html
7) Madwifi-NG Wireless Driver Compilation Basics
http://www.security-freak.net/tools/sohail/madwifi-driver-building/madwifi-driver-presentation.html
http://www.security-freak.net/tools/sohail/madwifi-compilation-1/madwifi-compilation.html
http://www.security-freak.net/tools/sohail/madwifi-compilation-2/madwifi-compilation-2.html
http://www.security-freak.net/tools/sohail/madwifi-compilation-3/madwifi-compilation-3.html
http://www.security-freak.net/tools/sohail/wireshark-wireless/wireshark-wireless.html
8) Tutorials on commonly used Security Tools
http://www.security-freak.net/tools/nmap/nmap.html
http://www.security-freak.net/tools/dig/dig.html
http://www.security-freak.net/tools/nc/nc.html
http://www.security-freak.net/tools/amit/airdecap-ng/airdecap-ng.html
http://www.security-freak.net/tools/ngrep/ngrep.html
http://www.security-freak.net/tools/wireshark/wireshark.html
http://www.security-freak.net/tools/nbtscan/nbtscan.html
http://www.security-freak.net/tools/amit/airodump-ng/airodump-ng.html
http://www.security-freak.net/tools/amit/pcap2air-airbase/pcap2air.html
http://www.security-freak.net/tools/amit/prism-strip/prism-strip-airbase.html
http://www.security-freak.net/tools/amit/simple-replay-airbase/simple-replay.html

Title: Re: Packet Capture and Traffic Analysis
Post by: Oyle on July 30, 2007, 01:54:49 PM

It just needs a minor update, in that Ethereal is now Wireshark. Has been for quite a while. Just run it through Word or something, and do a Find and Replace: "Ethereal" for "Wireshark". Piece of cake.
Also, I have a little program I use that might come in handy. It's called "Dude" ["The Dude"], and it DRAWS a neat little network diagram for you, if you ever get as lazy as me. http://www.MikroTik.com/dude (Capitalization in the URL really means nothing, all URLs are lower case as far as a DNS server goes; but that's how THEY spell it, go figure.... ???)
Manual for the Dude is at: http://wiki.mikrotik.com/wiki/Dude_usage_notes

Title: Re: Packet Capture and Traffic Analysis
Post by: Pil Poil on February 09, 2008, 05:29:47 PM

Hi,
Just discovered this site and... congratulations. I'm looking for a driver for PEEK protocol or enabling monitoring (is it the same?) on my wifi device: SIEMENS Gigaset USB Adapter 108. Can someone help me? Thx

Title: Re: Packet Capture and Traffic Analysis
Post by: slimjim100 on February 09, 2008, 09:32:51 PM

Here ya go:
http://aircrack-ng.org/doku.php?id=downloads&s=peek%20drivers
Brian

Title: Re: Packet Capture and Traffic Analysis
Post by: diodime on September 13, 2008, 10:08:40 AM

Hi all,
other interesting (open source) tools for traffic analysis and traffic reconstruction are:
http://code.google.com/p/netanalyzer/
http://www.packet-o-matic.org/
http://networkminer.wiki.sourceforge.net/NetworkMiner
http://www.xplico.org
http://msnshadow.blogspot.com/
http://www.pyflag.net/cgi-bin/moin.cgi
Does anyone know other tools similar to these for extraction (decoding) of network traffic?
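As an added worked example (editor's code, not from any poster in this thread and not from Ethereal/Wireshark or any of the tools listed above): a stand-alone Python decoder that does offline what the first post's slides describe, one summary row per packet, "seconds since previous frame", top talkers, and Follow TCP Stream reassembly, which is also the "extraction (decoding)" step diodime asks about. Everything it reads is a libpcap capture constructed in memory; the IP addresses, MAC addresses, port numbers and HTTP exchange are made up, and the decoder handles only native-endian Ethernet pcaps carrying IPv4 over TCP or UDP.

```python
"""Offline decoder for a libpcap file: one summary row per packet, seconds since the
previous frame, top talkers, and 'Follow TCP Stream' style reassembly.
Standard library only; the capture below is constructed in memory for the example."""
import struct
from collections import Counter, defaultdict

# ---- constructed sample traffic (addresses, MACs and the HTTP exchange are made up) ----
CLIENT, SERVER, RESOLVER = '10.0.0.5', '203.0.113.10', '10.0.0.1'
REQUEST = b'GET / HTTP/1.1\r\nHost: example.test\r\n\r\n'
RESPONSE = b'HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello'

def ipv4_packet(src, dst, proto, payload):
    # 20-byte IPv4 header; checksum left 0 because the decoder below does not verify it
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.')))) + payload

def tcp_segment(sport, dport, seq, ack, flags, data=b''):
    return struct.pack('!HHIIBBHHH', sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + data

def udp_datagram(sport, dport, data):
    return struct.pack('!HHHH', sport, dport, 8 + len(data), 0) + data

def ethernet_frame(src, dst, proto, l4):
    # Ethernet II: dst MAC, src MAC (both constructed), EtherType 0x0800 (IPv4)
    return bytes.fromhex('001122334455') + bytes.fromhex('66778899aabb') + b'\x08\x00' + ipv4_packet(src, dst, proto, l4)

def build_pcap(records):
    """records: iterable of (timestamp_seconds, frame_bytes) -> bytes of a libpcap file."""
    out = bytearray(struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # link type 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack('<IIII', sec, round((ts - sec) * 1_000_000), len(frame), len(frame)) + frame
    return bytes(out)

SAMPLE_PCAP = build_pcap([
    (1000.000000, ethernet_frame(CLIENT, SERVER, 6, tcp_segment(40000, 80, 100, 0, 0x02))),             # SYN
    (1000.020000, ethernet_frame(SERVER, CLIENT, 6, tcp_segment(80, 40000, 500, 101, 0x12))),           # SYN/ACK
    (1000.020500, ethernet_frame(CLIENT, SERVER, 6, tcp_segment(40000, 80, 101, 501, 0x18, REQUEST))),  # PSH/ACK
    (1000.045000, ethernet_frame(SERVER, CLIENT, 6, tcp_segment(80, 40000, 501, 101 + len(REQUEST), 0x18, RESPONSE))),
    (1001.000000, ethernet_frame(CLIENT, RESOLVER, 17, udp_datagram(5353, 53, b'\x12\x34\x01\x00' + b'\x00' * 8))),
])

def parse_pcap(data):
    """Decode Ethernet/IPv4/TCP/UDP headers into one dict per packet (a Summary Window row)."""
    magic, = struct.unpack_from('<I', data, 0)
    linktype, = struct.unpack_from('<I', data, 20)
    if magic != 0xA1B2C3D4 or linktype != 1:   # only native-endian, microsecond, Ethernet pcaps here
        raise ValueError('unsupported pcap header')
    packets, off, prev = [], 24, None
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from('<IIII', data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ts = sec + usec / 1_000_000
        pkt = {'time': ts, 'delta': 0.0 if prev is None else ts - prev, 'len': caplen, 'proto': 'other'}
        prev = ts
        if len(frame) >= 34 and frame[12:14] == b'\x08\x00':
            ihl, total, proto = (frame[14] & 0x0F) * 4, struct.unpack_from('!H', frame, 16)[0], frame[23]
            pkt['src'], pkt['dst'] = '.'.join(map(str, frame[26:30])), '.'.join(map(str, frame[30:34]))
            l4 = frame[14 + ihl:14 + total]            # IP total length excludes Ethernet trailer padding
            if proto == 6 and len(l4) >= 20:
                sport, dport, seq, ack = struct.unpack_from('!HHII', l4)
                pkt.update(proto='TCP', sport=sport, dport=dport, seq=seq, ack=ack,
                           flags=l4[13], payload=l4[(l4[12] >> 4) * 4:])
            elif proto == 17 and len(l4) >= 8:
                sport, dport = struct.unpack_from('!HH', l4)
                pkt.update(proto='UDP', sport=sport, dport=dport, payload=l4[8:])
        packets.append(pkt)
    return packets

def top_talkers(packets, n=2):
    """Bytes sent plus received per IP address, busiest first."""
    volume = Counter()
    for p in packets:
        if 'src' in p:
            volume[p['src']] += p['len']
            volume[p['dst']] += p['len']
    return volume.most_common(n)

def follow_tcp_stream(packets, ip, port):
    """Reassemble each direction of the TCP conversation involving ip:port in sequence order,
    giving the application data the way 'Follow TCP Stream' shows it. Frames missing from the
    capture are marked inline; 32-bit sequence wrap-around is not handled in this example."""
    segments = defaultdict(list)  # (src, sport, dst, dport) -> [(seq, payload), ...]
    for p in packets:
        if p['proto'] != 'TCP' or not p['payload']:
            continue
        if (p['src'], p['sport']) == (ip, port) or (p['dst'], p['dport']) == (ip, port):
            segments[(p['src'], p['sport'], p['dst'], p['dport'])].append((p['seq'], p['payload']))
    streams = {}
    for key, segs in segments.items():
        segs.sort(key=lambda s: s[0])
        buf, expected = bytearray(), segs[0][0]
        for seq, data in segs:
            if seq > expected:                  # hole: frame dropped or never captured
                buf += b'[%d bytes missing]' % (seq - expected)
                expected = seq
            if seq + len(data) > expected:      # append only bytes not already seen (retransmissions)
                buf += data[expected - seq:]
                expected = seq + len(data)
        streams['%s:%d -> %s:%d' % key] = bytes(buf)
    return streams
```

To use it on a real trace saved from Ethereal or Wireshark, read the file's bytes and pass them to parse_pcap, then call top_talkers or follow_tcp_stream(packets, client_ip, client_port) on the result. The gap marker matters for the analysis questions in the first post: if "Limit each packet to N bytes" truncated frames or the sniffer dropped packets, the reassembled stream shows a hole rather than silently joining the data, so what you read as "what crossed the wire" is only what was actually captured.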