Wireshark is considered the world’s foremost protocol
analyzer. It is used across many industries and is the continuation of a
project started in 1998. The original author of Wireshark is Gerald Combs.
However, there is quite a huge community of developers who contribute to the
continued development of Wireshark. By using a tool such as Wireshark, one can
obtain microscopic or detailed information about the communication occurring on
either your network or even an individual system (wireshark.org).
As a Cyber Security professional, it is imperative to have knowledge and understanding of tools such as Wireshark or its command line alternative, tshark.
Before we begin, let's get some definitions out of the way. While I could go ahead and just show the Wireshark labs, that would do you no good if you are not aware of some of the terminology.
i. Sniffer
A sniffer is a piece of software that allows one to sniff the traffic flowing through a computer (Tanase, 2002). A computer in this case can be considered as any computing device which allows for the installation of such a sniffer or has a built-in function that enables such sniffing. Examples of such sniffers are tshark, Wireshark, tcpdump, Colasoft and Microsoft Network Monitor.
ii. Protocol
A protocol is a standard used to define a method of exchanging data over a computer network. This network can be a small network such as a LAN or an even larger one such as the Internet (computerhope.com). Examples of protocols are TCP, UDP, SNMP, IP and BGP.
iii. Protocol Analyzer
A protocol analyzer can be considered as an enhanced sniffer. Typically, protocol analyzers extend the functions of a sniffer by parsing the data received and presenting it in a more user-friendly manner. Examples of protocol analyzers are tshark, Wireshark, tcpdump, Colasoft and Microsoft Network Monitor.
iv. Packet
When communication is made between two computers across a network, the data is sent via packets. As an example, when an email is sent, the data within the email is broken up into packets to be transmitted to its destination. A packet is typically no larger than 1,500 bytes (computer.howstuffworks.com, 2000).
v. Packet Filter
Packet filters are used to determine whether a packet should be forwarded based on a fixed set of inbound and outbound rules. The header of each packet is parsed to see if the relevant criterion is met. Examples of these criteria are Protocol ID, Source IP and/or Port Number, Destination Address and/or Port Number, and Incoming or Outgoing Interface (novell.com).
vi. Live Capture
A live capture is the process of executing the sniffing software to capture information as it passes through the computer in real time. This capture can be written to a file for later analysis. Such offline analysis is not considered a live capture.
b) TCP/IP
i. Transmission Control Protocol (TCP)
TCP is intended for use as a highly reliable host-to-host protocol between hosts in a packet-switched network (ietf.org, 1981). In the TCP/IP model, TCP sits at layer 3, while in the OSI model it sits at layer 4 (Hughes).
ii. Internet Protocol (IP)
The Internet Protocol is used to provide for transmitting blocks of data called datagrams from their source to their destinations (ietf.org, 1981). The Internet Protocol also provides for fragmentation and reassembly of long datagrams. In the TCP/IP model, IP sits at layer 2, while in the OSI model it sits at layer 3 (Hughes).
iii. Network Stack
The network stack refers to the layers through which communication occurs. In the TCP/IP model the stack consists of 4 layers; in the OSI model, the stack consists of 7 layers. The stack also addresses the various protocols and how they work at these layers.
iv. Packet
When communication is made between two computers across a network, the data is sent via packets. When an email is sent, the data within the email is broken up into packets to be transmitted to its destination. A packet is typically no larger than 1,500 bytes (computer.howstuffworks.com, 2000).
v. Packet Header
The header is concise, structured information that is transmitted between one or more communication devices (jnetpcap.co). Using IPv4 as an example, the header is found at the start of every packet. The header length is typically 20 bytes. The Version, Source and Destination are examples of three fields that make up the IPv4 header (Hughes, sixscape.com).
Now that we have that out of the way, let's look at these labs from the perspectives of tasks. This will be similar to the Introduction to Linux Command Line post.
Task 1 – Browsing the Internet
- Start Wireshark and start a capture on your active interface.
- Apply a display filter of "(http) && (ip.addr == 192.168.0.11)". Replace the IP address I have with the one assigned to your interface.
- Launch your favourite search engine and perform a search for scurvy.
- Visit the first site in the results.
- Return to Wireshark and stop the capture.
If you go through the capture you will notice that the identity of the website you visited and the search keyword you entered are not private, meaning they can easily be seen in the capture.
Task 2 – Analyze Wireshark Data:
1. Clear the existing display filter and start a new capture
2. Browse the Internet for 5 minutes
3. Stop the capture
4. The following questions will be answered from the Statistics menu
a) How many UDP packets did Wireshark capture?
This can be determined from the Statistics -> Protocol Hierarchy menu.
There is a total of 244 DNS packets and 9 NetBIOS packets. This brings the total up to 253 UDP packets captured by Wireshark.
b) What is the average IP packet size?
This can be determined from the Statistics -> Summary menu.
The average packet size is 525 bytes.
c) How many packets did Wireshark drop?
This can be determined from the Statistics -> Comments Summary menu.
The answer is 0.
d) What does a flow graph show?
The flow graph shows the sequential analysis of connections.
e) List the flow graph options.
The flow graph dialog shows the following options: Choose Packets, Choose flow type and Choose node address type.
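To tie the packet header definitions above to Tasks 1 and 2, here is an added example (not part of the original post) that parses constructed Ethernet/IPv4/UDP/TCP frames the way a protocol analyzer does, applies the equivalent of the "(http) && (ip.addr == 192.168.0.11)" display filter, and produces the same kind of numbers as the Protocol Hierarchy and Summary menus. The frames, addresses and payloads are constructed for the example; HTTP is assumed to be TCP port 80 and DNS UDP port 53.

```python
import struct
from collections import Counter

def build_frame(proto, src, dst, sport, dport, payload):
    """Build Ethernet II + IPv4 + (UDP|TCP) bytes; constructed for this example."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst/src MAC, EtherType 0x0800 (IPv4)
    if proto == 17:                                      # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:                                                # TCP: minimal 20-byte header
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    total = 20 + len(l4)                                 # IPv4 total length incl. 20-byte header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4

# Constructed sample "capture": a DNS query/response pair and two HTTP requests.
FRAMES = [
    build_frame(17, "192.168.0.11", "192.168.0.1", 51000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    build_frame(17, "192.168.0.1", "192.168.0.11", 53, 51000, b"\x12\x34\x81\x80" + b"\x00" * 8),
    build_frame(6, "192.168.0.11", "93.184.216.34", 52000, 80, b"GET /search?q=scurvy HTTP/1.1\r\n\r\n"),
    build_frame(6, "10.0.0.5", "93.184.216.34", 52001, 80, b"GET / HTTP/1.1\r\n\r\n"),
]

def parse_frame(frame):
    """Decode the IPv4 and transport header fields that display filters operate on."""
    if frame[12:14] != b"\x08\x00":
        return None                                      # not IPv4; ignored in this example
    ip = frame[14:]
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4                              # header length in bytes (20 without options)
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4]) # first 4 bytes of both UDP and TCP headers
    return {"version": vihl >> 4, "ip_len": total_len, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport,
            "payload": ip[ihl + (8 if proto == 17 else 20):]}

def matches_task1_filter(pkt, host):
    """Equivalent of the display filter '(http) && (ip.addr == host)'."""
    is_http = pkt["proto"] == 6 and 80 in (pkt["sport"], pkt["dport"])
    return is_http and host in (pkt["src"], pkt["dst"])

def protocol_hierarchy(frames):
    """Per-protocol counts (DNS nested under UDP) and average IP packet size, as in Task 2."""
    pkts = [p for p in map(parse_frame, frames) if p]
    names = {17: "udp", 6: "tcp"}
    counts = Counter(names.get(p["proto"], "other") for p in pkts)
    counts["dns"] = sum(1 for p in pkts if p["proto"] == 17 and 53 in (p["sport"], p["dport"]))
    avg = sum(p["ip_len"] for p in pkts) / len(pkts) if pkts else 0
    return dict(counts), avg
```

Running `matches_task1_filter` over the sample frames keeps only the HTTP request from 192.168.0.11, whose payload still carries the plaintext search term, which is exactly why Task 1 shows the keyword is not private.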
Security professionals can use Wireshark for packet analysis to determine the true effects of what really transpired on a host or network. By looking directly at the raw packet, security professionals can draw clear conclusions once they can properly interpret the packet.
While security professionals can use Wireshark for good, attackers can use it for lots of bad things, including:
1. Sniffing
2. Planting a bug which can exploit vulnerabilities in Wireshark itself
3. Packet analysis
3. Wireshark captures only the traffic it can see, that is, the traffic which passes through the computer it is installed on. A point to note is that Wireshark has a remote capture option. However, Wireshark will still only see the traffic which passes through the computer on which the Remote Packet Capture Protocol service is started (wireshark.org).
4. Sample Wireshark filters to:
a) View all traffic for 10.10.10.2:
ip.addr == 10.10.10.2
b) View ICMP traffic from any address:
icmp
Bibliography
wireshark.org. (n.d.). Retrieved from https://www.wireshark.org/about.html
computerhope.com. (n.d.). Retrieved from http://www.computerhope.com/jargon/p/protocol.htm
novell.com. (n.d.). Retrieved from http://www.novell.com/documentation/nbm38/?page=/documentation/nbm38/overview/data/ae70q0b.html
jnetpcap.co. (n.d.). Retrieved from http://jnetpcap.com/node/110
wireshark.org. (n.d.). Retrieved from https://www.wireshark.org/docs/wsug_html_chunked/ChCapInterfaceRemoteSection.html
ietf.org. (1981, 09). Retrieved from https://www.ietf.org/rfc/rfc793.txt
ietf.org. (1981, 09). Retrieved from https://www.ietf.org/rfc/rfc791.txt
computer.howstuffworks.com. (2000, 12 01). Retrieved from http://computer.howstuffworks.com/question525.htm
Hughes, L. (n.d.). Retrieved from sixscape.com: http://www.sixscape.com/joomla/sixscape/index.php/technical-backgrounders/tcp-ip/the-dod-four-layer-model
Hughes, L. (n.d.). Retrieved from sixscape.com: http://www.sixscape.com/joomla/sixscape/index.php/technical-backgrounders/tcp-ip/ip-the-internet-protocol/ipv4-internet-protocol-version-4/ipv4-packet-header
Tanase, M. (2002, 02 26). Retrieved from symantec.com: http://www.symantec.com/connect/articles/sniffers-what-they-are-and-how-protect-yourself