Packet Capture and Traffic Analysis
This session is intended to help new or beginning network administrators learn how to use packet capture software for basic network troubleshooting and traffic analysis. It will cover both installation and use of packet capture software and the fundamentals of basic network traffic analysis, including identifying communication issues, monitoring network performance, verifying network security and tracking communication transactions.
Define traffic analysis
Identify reasons for traffic analysis
Packet capture software
What Is Traffic Analysis?
“Network analysis is the process of capturing network traffic and inspecting it closely to determine what is happening on the network.”
– Orebaugh, Angela. Ethereal Packet Sniffing. Rockland, MA: Syngress Publishing, Inc., 2004.
Note: Traffic analysis, network analysis, protocol analysis, packet analysis and packet sniffing all typically refer to the same thing.
Reasons to Analyze Traffic
Identify network or communication issues
Monitor network performance
Verify network security
Track communication transactions
Log network traffic
Discover source of unwanted traffic
Discover compromised workstations
Ensure users are adhering to AUP
Capture network information
Read confidential information
Determine network information
What do you need to know?
You don't have to be an expert. You can get a good idea of what might be causing a network problem simply by looking at the packets.
You do need to know the following information for your network:
– Network layout (network diagram)
– Server information
– Application information
– IP address information
You also need to have a basic understanding of network communication:
– Protocols (TCP/IP, HTTP, DNS)
– MAC addresses
– IP addresses
– TCP is connection-oriented
– UDP is connectionless
Ethernet breaks information into packets. Each packet has a header with important information, such as source and destination.
Packets are sent and only the destination device responds.
MAC addresses and IP addresses can be spoofed.
How Packet Capture Works
Collects packets without modifying them. Promiscuous mode - Receives all traffic, not just traffic for that machine.
You can only capture traffic from the network you are on:
- Flat network
- Switched network
- Port mirroring
Notify administration and users.
Add a disclaimer to your AUP.
"For security or maintenance purposes, equipment and network traffic may be monitored at any time."
Network Analyzers -- What's Available?
Differences are usually in the features.
Windows 2000/NT Server Network Monitor
Network Associates Sniffer and SnifferPro
Network Instruments Observer
Features can include:
Number of protocols supported
Graphing and statistical analysis
Expert analysis features
Free (Open source software)
Runs on multiple platforms
Supports over 480 protocols
Reads capture files from other products (MS Network Monitor, TCPdump, Sniffer, Novell Lanalyzer)
Installation is a two-step process.
Note: Ethereal may be installed without WinPcap, but only saved capture files can be read.
WinPcap: the Free Packet Capture Architecture for Windows
Also found at Ethereal ( http://www.ethereal.com)
Download and run the executable (WinPcap 3.0 for Windows).
Follow the instructions on the screen.
Note: You must have rights to install new drivers and be logged in as administrator or have administrative rights.
By default, WinPcap installs in C:\Program Files\WinPCap\.
Download and run the executable (Ethereal-setup-0.10.2.exe).
Follow the instructions on screen.
Note: The first time you execute Ethereal (or any other WinPcap-based application) you must be logged in with administrative rights so the driver will be installed on the system.
By default Ethereal installs to C:\Program Files\Ethereal\.
Ethereal's Main Window
Summary Window or Packet View (top)
Protocol Detail or Tree View (middle)
Data View (bottom)
One-line summary of each packet. Default fields include:
Note: You can change the default fields under Edit > Preferences.
Time Display Options
View/Time Display Format
Time of day
Date and time of day
Seconds since beginning of capture
Seconds since previous frame
Note: Only one option can be selected at a time.
Depending on your reasons for packet capture, you may want to change this parameter.
Detailed decode of the packet highlighted in the Summary Window. It displays a one-line summary of each layer in the protocol stack.
Example: Frame, Ethernet II, Internet Protocol, Transmission Control Protocol
Displays raw data of the packet highlighted in the Summary Window in hexadecimal and ASCII format.
Displays data in two rows.
Bytes corresponding to those highlighted in the Summary Window are also highlighted in the Data View window.
Note: Not all bytes are conveniently displayable in ASCII.
Start a new live capture
Open a capture file
Save this capture file
Close this capture file
Determine where to place the sniffer on your network. What are you trying to accomplish?
If you are on a switched network and there is a problem, pick a segment where you can capture traffic related to the problem. Note: Remember you must be on the same segment.
Capture menu – Start
Capture Preferences menu
Capture Preferences Menu
Capture Interface. Select your preferred capture interface. Default value: first non-loopback interface.
Capture packets in promiscuous mode. If this option is not set to promiscuous mode, you will only capture packets going to or from your own computer.
Limit each packet to ____ bytes. Capture only the specified portion of the packet.
Capture Filter. Specify a capture filter. Default value: no filter
Capture File. Specify the file name to use when you save the capture. Default value: blank.
Stop capture after __ packets.
Stop capture after __ kilobytes.
Stop capture after __ seconds.
Update list of packets in real time. When selected, captured packets are displayed in the packet list pane as they arrive.
Automatic scrolling. When selected, the packet list pane scrolls so you are always looking at the last packet captured.
Enable MAC name resolution. Translates the first three bytes of the MAC address into the manufacturer name.
Enable network name resolution. Translates the IP address into DNS domain name. (Note: Triggers DNS lookup requests.)
Enable transport name resolution. Translates port numbers into protocols.
What information do you want to retrieve?
Traffic from a specific IP address
Unauthorized protocols (FTP)
Traffic to a specific Internet address
Follow TCP streams
Highlight a TCP packet and select Follow TCP Stream. Displays the data as the application layer would see it.
Configuring filters is outside the scope of this presentation.
Ethereal has the ability to use both capture and display filters. Capture filters sort traffic being captured.
Display filters sort traffic that is already captured.
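The following script is an added example (it is not part of the original presentation and not Ethereal code). It reads a capture file in the classic libpcap format that Ethereal saves and reproduces, in plain Python, the views discussed above: the one-line Summary Window entry per packet, the hex/ASCII Data View (non-printable bytes shown as '.'), a display filter run over already-captured packets, a top-talkers count, and Follow TCP Stream reassembly in sequence order. The capture bytes, MAC addresses, IP addresses and HTTP exchange are all constructed inline so the script runs offline; the function names are the example's own.

```python
"""Minimal libpcap reader with Ethereal-style views (added example, not from the presentation)."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # classic little-endian pcap, microsecond timestamps
ETH_IPV4, IPPROTO_TCP = 0x0800, 6
TCP_FLAGS = ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"))


def build_frame(src_mac, dst_mac, src, dst, seq, flags, payload=b""):
    """Constructed Ethernet II / IPv4 / TCP frame; src and dst are (ip, port). Checksums left at 0."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src[0].split("."))), bytes(map(int, dst[0].split("."))))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETH_IPV4) + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in pcap global/record headers, the on-disk format a saved capture uses."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]   # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000, i * 1500, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) for every record in a classic pcap file."""
    if struct.unpack_from("<I", data)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Decode the Ethernet II / IPv4 / TCP layers (the Protocol Detail view, flattened to a dict)."""
    pkt = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
           "ethertype": struct.unpack_from("!H", frame, 12)[0], "len": len(frame)}
    if pkt["ethertype"] != ETH_IPV4:
        return pkt
    ihl = (frame[14] & 0x0F) * 4                       # IP header length in bytes
    total_len = struct.unpack_from("!H", frame, 16)[0]
    pkt.update(proto=frame[23], src_ip=".".join(map(str, frame[26:30])),
               dst_ip=".".join(map(str, frame[30:34])))
    if pkt["proto"] != IPPROTO_TCP:
        return pkt
    t = 14 + ihl
    sport, dport, seq, _ack, doff, flags = struct.unpack_from("!HHIIBB", frame, t)
    pkt.update(sport=sport, dport=dport, seq=seq, flags=flags,
               payload=frame[t + (doff >> 4) * 4:14 + total_len])
    return pkt


def summary_line(no, ts, pkt):
    """One line per packet, like the Summary Window: No., Time, Source, Destination, Protocol, Info."""
    if "sport" not in pkt:
        return f"{no:>3} {ts:10.6f} {pkt['src_mac']} -> {pkt['dst_mac']} 0x{pkt['ethertype']:04x}"
    flags = ",".join(name for bit, name in TCP_FLAGS if pkt["flags"] & bit)
    return (f"{no:>3} {ts:10.6f} {pkt['src_ip']:>15} -> {pkt['dst_ip']:<15} TCP "
            f"{pkt['sport']} > {pkt['dport']} [{flags}] len={len(pkt['payload'])}")


def hexdump(data, width=16):
    """Rows like the Data View: offset, hex, ASCII; bytes with no printable ASCII form show as '.'."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        rows.append(f"{off:04x}  {hexpart}  {''.join(chr(b) if 32 <= b < 127 else '.' for b in chunk)}")
    return rows


def display_filter(pkts, ip=None, port=None):
    """Display-filter equivalent of 'ip.addr == ip && tcp.port == port' over captured packets."""
    return [p for p in pkts if "sport" in p
            and (ip is None or ip in (p["src_ip"], p["dst_ip"]))
            and (port is None or port in (p["sport"], p["dport"]))]


def top_talkers(pkts, n=2):
    """Bytes sent per source IP address, largest first."""
    counts = Counter()
    for p in pkts:
        if "src_ip" in p:
            counts[p["src_ip"]] += p["len"]
    return counts.most_common(n)


def follow_tcp_stream(pkts, client, server):
    """Reassemble both directions of one conversation in sequence order, as Follow TCP Stream does."""
    fwd, rev = client + server, server + client         # (ip, port, ip, port) key per direction
    segs = {fwd: [], rev: []}
    for p in pkts:
        key = (p.get("src_ip"), p.get("sport"), p.get("dst_ip"), p.get("dport"))
        if key in segs and p.get("payload"):
            segs[key].append((p["seq"], p["payload"]))
    # sort by sequence number so segments captured out of order land where they belong
    return {"client": b"".join(d for _, d in sorted(segs[fwd], key=lambda s: s[0])),
            "server": b"".join(d for _, d in sorted(segs[rev], key=lambda s: s[0]))}


# Constructed sample capture: one HTTP conversation plus a stray FTP connection attempt.
CLIENT, SERVER = ("192.168.1.10", 3456), ("10.0.0.5", 80)
C_MAC, S_MAC, OTHER_MAC = "00:0c:29:aa:bb:cc", "00:50:56:11:22:33", "00:1a:2b:3c:4d:5e"
RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
SAMPLE_PCAP = build_pcap([
    build_frame(C_MAC, S_MAC, CLIENT, SERVER, 100, 0x02),                             # SYN
    build_frame(S_MAC, C_MAC, SERVER, CLIENT, 500, 0x12),                             # SYN,ACK
    build_frame(C_MAC, S_MAC, CLIENT, SERVER, 101, 0x18, b"GET / HTTP/1.0\r\n\r\n"),   # request
    build_frame(OTHER_MAC, S_MAC, ("192.168.1.77", 4000), ("10.0.0.5", 21), 7, 0x02),  # FTP SYN
    build_frame(S_MAC, C_MAC, SERVER, CLIENT, 521, 0x18, RESPONSE[20:]),              # 2nd half first
    build_frame(S_MAC, C_MAC, SERVER, CLIENT, 501, 0x10, RESPONSE[:20]),              # 1st half
])


def analyze(pcap_bytes=SAMPLE_PCAP):
    """Run every view over a capture and return the results for inspection."""
    records = list(parse_pcap(pcap_bytes))
    pkts = [decode(frame) for _, frame in records]
    return {"summary": [summary_line(i, ts, p) for i, ((ts, _), p) in enumerate(zip(records, pkts), 1)],
            "dump": hexdump(records[2][1]),            # raw bytes of the GET frame
            "ftp": display_filter(pkts, port=21),      # unauthorized protocol check
            "talkers": top_talkers(pkts),
            "stream": follow_tcp_stream(pkts, CLIENT, SERVER)}


if __name__ == "__main__":
    result = analyze()
    print("\n".join(result["summary"]))
    print("\n".join(result["dump"]))
    print("FTP packets:", len(result["ftp"]), "| top talkers:", result["talkers"])
    print(result["stream"]["server"].decode())
```

The point of the out-of-order response segments is that Follow TCP Stream works from TCP sequence numbers, not from capture order, so the reassembled text reads correctly even when the capture does not. The display filter does the same job as typing `tcp.port == 21` into Ethereal after the capture has finished, which is why it can be changed freely, while a capture filter would have had to be decided before the capture started.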
Packetyzer is a Windows interface for Ethereal.
Network Chemistry. Packetyzer - Packet Analyzer for Windows. 2004.
Distributed with WinPcap and Ethereal
Unauthorized Packet Capture
Can you protect your network?
Encryption:
- SSH
- PGP (e-mail)
Download and install Ethereal.
Formulate a “capture statement.” What do you want to find out?
Do you want to identify what traffic is crossing your network?
Identify unauthorized protocols?
Identify top talkers?
Create a network diagram and determine the best place to capture traffic that is related to your “statement.”
Create and save three capture files.
Limit capture files to 1000 packets.
Capture network traffic during different times of the day.
Analyze the traffic you captured.
What protocols do you see?
Can you find any unauthorized traffic?
Can you identify the two top talkers?
Follow a TCP stream (HTTP) and save it as a file.
Write a brief description of what you found through network analysis.
C|EH, SSP-MPA, GHTQ, GCWN, SSP-GHD