
Packet Capture and Traffic Analysis
This session is intended to help new or beginning network administrators learn how to use packet capture software for basic network troubleshooting and traffic analysis. It will cover both installation and use of packet capture software and the fundamentals of basic network traffic analysis, including identifying communication issues, monitoring network performance, verifying network security and tracking communication transactions.
Objectives
Define traffic analysis
Identify reasons for traffic analysis
Your responsibilities
Packet capture software
Installation
Capture packets
Analyze packets
What Is Traffic Analysis?
“Network analysis is the process of capturing network traffic and inspecting it closely to determine what is happening on the network.” – Orebaugh, Angela. Ethereal Packet Sniffing. Rockland, MA: Syngress Publishing, Inc., 2004.
Note: Traffic analysis, network analysis, protocol analysis, packet analysis and packet sniffing all typically refer to the same thing.
Reasons to Analyze Traffic
Legitimate
Identify network or communication issues
Monitor network performance
Verify network security
Track communication transactions
Log network traffic
Discover source of unwanted traffic
Discover compromised workstations
Ensure users are adhering to AUP
Illegitimate
Capture passwords
Capture network information
Read confidential information
Determine network information
What do you need to know?
You don't have to be an expert. You can get a good idea of what might be causing a network problem simply by looking at the packets.
You do need to know the following information for your network:
– Network layout (network diagram)
– Server information
– Application information
– IP address information
You also need to have a basic understanding of network communication:
– Protocols (TCP/IP, HTTP, DNS)
– MAC addresses
– IP addresses
– TCP is connection-oriented
– UDP is connectionless
Ethernet breaks information into packets. Each packet has a header with important information, such as source and destination.
Packets are transmitted on the wire, and normally only the addressed destination device responds.
MAC addresses and IP addresses can be spoofed.
How Packet Capture Works
Collects packets without modifying them.
Promiscuous mode - Receives all traffic, not just traffic for that machine.
You can only capture traffic from the network you are on.
- Flat network
- Switched network
- Port mirroring
Your Responsibilities
Notify administration and users.
Add a disclaimer to your AUP.
"For security or maintenance purposes, equipment and network traffic may be monitored at any time."
Network Analyzers -- What's Available?
SecurityFocus
www.securityfocus.org/tools/category/4
Differences are usually in the features.
EtherPeek
Windows 2000/NT Server Network Monitor
Network Associates Sniffer and SnifferPro
Network Instruments Observer
Ethereal
Packetyzer
Features can include:
Number of protocols supported
User interface
Graphing and statistical analysis
Expert analysis features
Ethereal
Features:
Free (Open source software)
Runs on multiple platforms
Supports over 480 protocols
Reads capture files from other products (MS Network Monitor, TCPdump, Sniffer, Novell Lanalyzer)
Installation
Installation is a two step process.
WinPcap
Ethereal
Note: Ethereal may be installed without WinPcap, but only saved capture files can be read.
WinPcap installation
WinPcap: the Free Packet Capture Architecture for Windows
http://winpcap.polito.it
Also found at Ethereal (http://www.ethereal.com)
Download and run the executable (WinPcap 3.0 for Windows).
Follow the instructions on the screen.
Note: You must have rights to install new drivers and be logged in as administrator or have administrative rights.
By default, WinPcap installs in C:\Program Files\WinPCap\.
Install Ethereal
Ethereal
http://www.ethereal.com
Download and run the executable (Ethereal-setup-0.10.2.exe).
Follow the instructions on screen.
Note: The first time you execute Ethereal (or any other WinPcap-based application) you must be logged in with administrative rights so the driver will be installed on the system.
By default Ethereal installs to C:\Program Files\Ethereal\.
Ethereal's Main Window
Menu bar
Tool bar
Summary Window or Packet View (top)
Protocol Detail or Tree View (middle)
Data View (bottom)
Filter Bar
Information Field
Summary Window
One-line summary of each packet. Default fields include:
No.
Time
Source
Destination
Protocol
Info
Note: You can change the default fields under Edit > Preferences.
Time Display Options
View/Time Display Format
Time of day
Date and time of day
Seconds since beginning of capture
Seconds since previous frame
Note: Only one option can be selected at a time.
Depending on your reasons for packet capture, you may want to change this parameter.
Protocol Detail
Detailed decode of the packet highlighted in the Summary Window. It displays a one-line summary of each layer in the protocol stack.
Example: Frame, Ethernet II, Internet Protocol, Transmission Control Protocol
Data View
Displays raw data of the packet highlighted in the Summary Window in hexadecimal and ASCII format.
Displays data in two rows.
Bytes corresponding to those highlighted in the Summary Window are also highlighted in the Data View window.
Note: Not all bytes are conveniently displayable in ASCII.
Menu Bar
File
Edit
View
Capture
Analyze
Statistics
Help
Tool Bar
Start a new live capture
Open a capture file
Save this capture file
Close this capture file
Capturing Packets
Determine where to place the sniffer on your network. What are you trying to accomplish?
If you are on a switched network and there is a problem, pick a segment where you can capture traffic related to the problem. Note: Remember you must be on the same segment.
Capture menu – Start
Capture Preferences menu
Capture Preferences Menu
Capture Interface. Select your preferred capture interface. Default value: first non-loopback interface.
Capture packets in promiscuous mode. If this option is not selected, you will only capture packets going to or from your own computer.
Limit each packet to ____ bytes. Capture only the specified portion of the packet.
Capture Filter. Specify a capture filter. Default value: no filter
Capture File. Specify the file name to use when you save the capture. Default value: blank.
Capture Limits
Stop capture after __ packets.
Stop capture after __ kilobytes.
Stop capture after __ seconds.
Display Options
Update list of packets in real time. When selected, captured packets are displayed in the packet list pane as they arrive.
Automatic scrolling. When selected, the packet list pane scrolls so you are always looking at the last packet captured.
Name Resolution
Enable MAC name resolution. Translates the first three bytes of a MAC address into the manufacturer name.
Enable network name resolution. Translates the IP address into DNS domain name. (Note: Triggers DNS lookup requests.)
Enable transport name resolution. Translates port numbers into service/protocol names.
Analyze Packets
What information do you want to retrieve?
Traffic from a specific IP address
Unauthorized protocols (FTP)
Top talkers
Traffic to a specific Internet address
Specific data
Follow TCP streams
Highlight a TCP packet and select Follow TCP Stream. Displays the data as the application layer would see it.
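The analysis goals above (top talkers, unauthorized protocols such as FTP) can also be checked outside the GUI on a saved capture. The following is an added example, not from the original session or the Ethereal project: it parses a pcap file (the format Ethereal saves) by decoding the same Frame / Ethernet II / IP / TCP layers the Protocol Detail view shows; the sample capture, the host addresses and the port list are constructed here for illustration.

```python
import struct
from collections import Counter

# Constructed sample capture (not from the original session). pcap layout: a
# 24-byte global header, then per packet a 16-byte record header and the frame.
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def build_frame(src_ip, dst_ip, src_port, dst_port):
    """Build a minimal Ethernet II / IPv4 / TCP SYN frame with no payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    out = bytearray(PCAP_GLOBAL_HEADER)
    for i, frame in enumerate(frames):  # ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return bytes(out)

def iter_ipv4(pcap):
    """Yield (src_ip, dst_ip, proto, src_port, dst_port) for each IPv4 frame."""
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:  # EtherType: IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4                          # IP header length
        proto, sport, dport = frame[23], None, None
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        if proto in (6, 17):                                  # TCP or UDP ports
            sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield src, dst, proto, sport, dport

def top_talkers(pcap, n=2):
    """Hosts appearing most often as source or destination."""
    return Counter(h for s, d, *_ in iter_ipv4(pcap) for h in (s, d)).most_common(n)

def unauthorized(pcap, ports=(21,)):
    """TCP connections to disallowed service ports (21 = FTP by default)."""
    return [(s, d, dp) for s, d, p, _, dp in iter_ipv4(pcap) if p == 6 and dp in ports]

SAMPLE_PCAP = build_pcap([build_frame("10.0.0.5", "10.0.0.1", 40001, 80),
                          build_frame("10.0.0.5", "10.0.0.9", 40002, 21),
                          build_frame("10.0.0.7", "10.0.0.5", 40003, 443)])
```

Writing SAMPLE_PCAP to a file and opening it in Ethereal lets you compare the script's output against the Summary Window, where the port-21 packet shows up as FTP once transport name resolution is enabled.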
Filters
Configuring filters is outside the scope of this presentation.
Ethereal has the ability to use both capture and display filters. Capture filters restrict which traffic is captured.
Display filters select from traffic that has already been captured.
Packetyzer
Packetyzer is a Windows interface for Ethereal.
Network Chemistry. Packetyzer - Packet Analyzer for Windows. 2004.
http://www.networkchemistry.com/products/packetyzer/
Distributed with WinPcap and Ethereal
Free
Unauthorized Packet Capture
Can you protect your network?
Use switches
Encryption:
- SSH
- IPSec
- PGP (e-mail)
Follow-up Assignment
Download and install Ethereal.
Formulate a “capture statement.” What do you want to find out?
Do you want to identify what traffic is crossing your network?
Identify unauthorized protocols?
Identify top talkers?
Other?
Create a network diagram and determine the best place to capture traffic that is related to your “statement.”
Create and save three capture files.
Limit capture files to 1000 packets.
Capture network traffic during different times of the day.
Analyze the traffic you captured.
What protocols do you see?
Can you find any unauthorized traffic?
Can you identify the two top talkers?
Follow a TCP stream (HTTP) and save it as a file.
Write a brief description of what you found through network analysis.