Seminar Presentation
Network Protocol Analyzer
2017.07.06
Presenter: Ma Van Linh
Table of Content
1. Overview of Network Analyzer
2. Wireshark
3. Wireshark – advanced features
4. Wireshark – case studies
5. Conclusion
1. Overview of Network Analyzer
1.1 What is Network Protocol Analyzer?
• The packet analyzer (also known as a network analyzer, protocol analyzer or sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network.
• A network sniffer is a program and/or device that monitors data travelling over a network. Network sniffers can be used both for legitimate network management functions and for stealing information off a network.
1. Overview of Network Analyzer
1.2 What is it used for?
• Analyze network problems.
• Detect network intrusion attempts.
• Gain information for effecting a network intrusion.
• Monitor network usage.
• Gather and report network statistics.
• Filter suspect content from network traffic.
• Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use).
• Debug client/server communications.
• Debug network protocol implementations.
1. Overview of Network Analyzer
1.3 Protocols used on network
| Names of protocols | Importance | What it does |
|---|---|---|
| Ethernet, SLIP, PPP, Token Ring, ARCnet | Essential | Allows messages to be packaged and sent between physical locations. |
| IP, ICMP | Essential | Manages movement of messages and reports errors. |
| ARP | Essential | Communicates between layers to allow one layer to get information to support another layer. |
| TCP, UDP | Critical | Controls the management of service between computers. |
| DNS, RPC | Important | DNS provides address to name translation for locations and network cards. RPC allows a remote computer to perform functions on other computers. |
| RARP, BOOTP, DHCP, IGMP, SNMP, RIP, OSPF, BGP, CIDR | Advanced | Enhances network management and increases functionality. |
| FTP, TFTP, SMTP, Telnet, NFS, ping, Rlogin | Useful | Provides direct services to the user. |
1. Overview of Network Analyzer
1.4 Network Analyzer Tools
• Wireshark: Wireshark (formerly known as Ethereal) is a fantastic open source network protocol analyzer for Unix and Windows.
• Snort: This network intrusion detection and prevention system excels at traffic analysis on IP networks.
• Netcat: This simple utility reads and writes data across TCP or UDP network connections.
• Tcpdump: Tcpdump is the IP sniffer used before Ethereal (Wireshark) came on the scene, and many of us continue to use it frequently.
• Netfilter: Netfilter is a powerful packet filter implemented in the standard Linux kernel.
• Capsa: Capsa Network Analyzer is an all-in-one & easy-to-use Ethernet network protocol analyzer for Windows platforms.
• Other tools: Carnivore, dSniff, Clarified Analyzer, SoftPerfect, Snoop, NetScout, etc.
2. Wireshark
2.1 What is Wireshark
• Wireshark is a network packet analyzer. A network packet analyzer tries to capture network packets and to display that packet data in as much detail as possible.
  - You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).
  - In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed.
  - Wireshark is perhaps one of the best open source packet analyzers available today.
2. Wireshark
2.2 People use Wireshark for
1. Network administrators use it to troubleshoot network problems.
2. Network security engineers use it to examine security problems.
3. Developers use it to debug protocol implementations.
4. People use it to learn network protocol internals.
5. Besides these examples, Wireshark can be helpful in many other situations too.
2. Wireshark
2.3 Feature (1)
• Available for UNIX and Windows.
• Capture live packet data from a network interface.
• Display packets with very detailed protocol information.
• Open and save captured packet data.
• Import and export packet data from and to a lot of other capture programs.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
• Create various statistics.
2. Wireshark
2.3 Feature (2)
• Live capture from many different network media
  - Wireshark can capture traffic from many different network media types, and despite its name this includes wireless LAN as well. Which media types are supported depends on many things, such as the operating system you are using.
• Import files from many other capture programs
  - Wireshark can open packets captured from a large number of other capture programs.
• Export files for many other capture programs
  - Wireshark can save captured packets in a large number of formats used by other capture programs.
• Open Source Software
  - Wireshark is an open source software project, and is released under the GNU General Public License (GPL). You can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins or built into the source, and they often do!
2. Wireshark
2.4 Disadvantage
• Wireshark is not an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn't allowed to do.
• Wireshark will not manipulate things on the network; it will only "measure" things from it. Wireshark does not send packets on the network or do other active things.
2. Wireshark
2.5 Where to locate the Wireshark?
• For Internet connectivity monitoring: before or after the firewall, on the link to the ISP.
• For WAN monitoring: connect the laptop to the LAN switch, with a port mirror to the monitored router.
• For server monitoring: connect the laptop to the LAN switch, with a port mirror to the monitored server.
2. Wireshark
2.6 Datagram (1)
• TCP/IP Protocol Stack - Reminder
[Figure: protocol stack mapped to OSI layers. OSI Layer 5-7: SMTP, Telnet, FTP, HTTP, SNMP, DNS. OSI Layer 4: TCP, UDP. OSI Layer 3: IP, ICMP, ARP. OSI Layer 1/2: Ethernet, F.R. (Frame Relay), DialUp, T.R. (Token Ring), ATM, ISDN.]
2. Wireshark
2.6 Datagram (2)
• Data Structure
[Figure: the unit of data at each layer is drawn as Overhead | Data | Err (Op.), i.e. a header, the payload handed down from the layer above, and an optional error-check field. Layers 5-7, 4, 3 and 2 each add their own overhead (and optional error check) around the data; Layer 1 carries the resulting data as a bit stream.]
2. Wireshark
2.6 Datagram (3)
• Data Flow
[Figure: a Host and a Server exchange data through two Routers over an Ethernet link and a Frame Relay (FR) link. At each layer the unit is drawn as OH (overhead) | Data | E (error check): HTTP (L-5/6/7) inside TCP (L4) inside IP (L3) inside Ethernet (L2) or FR (L2), sent as a bit stream. Each router processes the frame up to IP (L3) and re-frames it for the next link, while the TCP and HTTP payload is carried end to end between Host and Server.]
2. Wireshark
2.6 Datagram (4)
• Frame Format – Ethernet II / 802.3
[Figure: field layout of the two frame formats, field widths in bytes.]
Ethernet II: PA (8) | Dest. Address (6) | Source Address (6) | Type (2) | Data + Pad | CRC (4). The Type field identifies the payload protocol, e.g. IP, IPX or AppleTalk.
IEEE 802.3: PA (7) | SFD (1) | Dest. Address (6) | Source Address (6) | Length (2) | Data + Pad | CRC (4). The Length field gives the length of the data.
2. Wireshark
2.6 Datagram (5)
• IP Datagram Format
[Figure: encapsulation drawn as H (header) | Data | E (error check): HTTP (L-5/6/7) inside TCP (L4) inside IP (L3) inside Ethernet (L2), then the bit stream. The IP (L3) header is highlighted with the label "This is the IP header".]
2. Wireshark
2.6 Datagram (6)
• IP Datagram Format
[Figure: IPv4 header, 32 bits per row, with the slide's annotations.]
Row 1: Ver (IP protocol version number) | Head. len (header length, in bytes) | Type of service ("type" of data) | Length (total datagram length, in bytes)
Row 2: 16-bit identifier | flgs | Fragment offset (for fragmentation and reassembly)
Row 3: Time to live (max. no. remaining hops, decremented at each router) | Upper layer (upper layer protocol to which payload is delivered) | Internet checksum
Row 4: 32 bit source IP address
Row 5: 32 bit destination IP address
Row 6: Options (if any) (e.g. timestamp, record route taken, specify list of routers to visit)
Then: Data (variable length, typically a TCP or UDP segment)
2. Wireshark
2.6 Datagram (7)
• UDP Frame Structure
There are only four fields in the UDP header:
  - Source port
  - Destination port
  - Message length
  - Message checksum
[Figure: UDP segment format, 32 bits per row. Row 1: source port # | dest port #. Row 2: length (length, in bytes, of UDP segment, including header) | checksum (frame checksum). Then: Application data (message).]
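The Datagram slides show three layouts on top of each other: the Ethernet II / 802.3 frame, the IPv4 header, and the four-field UDP header, each wrapping the next layer's data as Overhead | Data | Err. The following Python dissector is an added example written for this page; it is not code from the seminar or from Wireshark. It builds a constructed sample frame (not captured data), then walks Ethernet -> IPv4 -> UDP -> application data the way a packet analyzer does, checking the length fields and the IPv4 header checksum along the way. Note that the wire encodes the IPv4 header length in 32-bit words, so the parser multiplies it by 4 to obtain bytes; the fragment offset is likewise encoded in 8-byte units.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header.

    Called with the checksum field zeroed it yields the value to store;
    called over a complete, valid header it yields 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_ethernet(frame: bytes):
    """Ethernet header: dest address (6), source address (6), type-or-length (2)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than Ethernet header")
    dst, src = frame[:6], frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    # Values <= 1500 are an IEEE 802.3 length; values >= 0x0600 are an Ethernet II type.
    eth = {"dst": mac_str(dst), "src": mac_str(src),
           "type": type_or_len, "is_ethernet_ii": type_or_len >= 0x0600}
    return eth, frame[14:]


def parse_ipv4(data: bytes):
    """IPv4 header fields as drawn on the slide; header length is converted
    from 32-bit words to bytes and the Internet checksum is verified."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if ihl < 20 or ihl > len(data) or total_len < ihl or total_len > len(data):
        raise ValueError("inconsistent IPv4 length fields")
    if ip_checksum(data[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    ip = {
        "tos": tos, "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # field counts 8-byte units
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": data[20:ihl],
    }
    return ip, data[ihl:total_len]  # total_length drops any Ethernet padding


def parse_udp(data: bytes):
    """The four UDP header fields: source port, dest port, length, checksum."""
    if len(data) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", data[:8])
    if length < 8 or length > len(data):
        raise ValueError("inconsistent UDP length")
    udp = {"src_port": sport, "dst_port": dport, "length": length, "checksum": csum}
    return udp, data[8:length]


def dissect(frame: bytes) -> dict:
    """Walk the layers Ethernet -> IPv4 -> UDP -> application data."""
    eth, rest = parse_ethernet(frame)
    layers = {"eth": eth}
    if eth["is_ethernet_ii"] and eth["type"] == ETHERTYPE_IPV4:
        ip, rest = parse_ipv4(rest)
        layers["ip"] = ip
        # Only an unfragmented datagram (or the first fragment) carries a UDP header.
        if ip["protocol"] == IPPROTO_UDP and ip["frag_offset"] == 0 and not ip["mf"]:
            udp, rest = parse_udp(rest)
            layers["udp"] = udp
    layers["payload"] = rest
    return layers


def build_sample_frame(corrupt_checksum: bool = False) -> bytes:
    """Constructed sample (not captured data): Ethernet II + IPv4 + UDP to port 53 carrying b'hello'."""
    payload = b"hello"
    # UDP checksum 0 means "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                     64, IPPROTO_UDP, 0, bytes([192, 168, 1, 10]), bytes([8, 8, 8, 8]))
    csum = ip_checksum(ip) ^ (1 if corrupt_checksum else 0)  # flip one bit to simulate damage
    ip = ip[:10] + struct.pack("!H", csum) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + b"\x00" * 10  # trailing pad bytes, as a short frame would carry


if __name__ == "__main__":
    for layer, fields in dissect(build_sample_frame()).items():
        print(layer, fields)
```

Running the block prints one line per layer for the sample frame. The length checks matter in practice: a dissector that trusts the header length or the UDP length field without comparing it to the bytes actually present will read past the buffer on a truncated or malformed packet, which is exactly the class of input a capture tool sees on a hostile network.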
2. Wireshark
2.7 How to use the Wireshark? (1)
• The Interface (Version 2.2.1) [screenshot]
2. Wireshark
2.7 How to use the Wireshark? (2)
• Choose the Interface and Start the Capture [screenshot]
2. Wireshark
2.7 How to use the Wireshark? (3)
• Capture Packet [screenshot of the three panes: Packet List, Packet Details, Packet Bytes]
2. Wireshark
2.7 How to use the Wireshark? (4)
• TCP Packet Example [screenshot]
2. Wireshark
2.7 How to use the Wireshark? (5)
• Example 1 – HTTP session Opened [screenshot]
2. Wireshark
2.7 How to use the Wireshark? (6)
• Statistics => Flow Graph… [screenshot]