
Packet analyzer such as Wireshark


Seminar Presentation

Network Protocol Analyzer
2017.07.06

Presenter: Ma Van Linh


Table of Contents

1. Overview of Network Analyzer
2. Wireshark
3. Wireshark – advanced features
4. Wireshark – case studies
5. Conclusion


1. Overview of Network Analyzer
1.1 What is a Network Protocol Analyzer?

A packet analyzer (also known as a network analyzer, protocol analyzer or sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network.

A network sniffer is a program and/or device that monitors data travelling over a network. Network sniffers can be used both for legitimate network management functions and for stealing information off a network.


1. Overview of Network Analyzer
1.2 What is it used for?

- Analyze network problems.
- Detect network intrusion attempts.
- Gain information for effecting a network intrusion.
- Monitor network usage.
- Gather and report network statistics.
- Filter suspect content from network traffic.
- Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use).
- Debug client/server communications.
- Debug network protocol implementations.


1. Overview of Network Analyzer
1.3 Protocols used on the network

Names of protocols | Importance | What it does
Ethernet, SLIP, PPP, Token Ring, ARCnet | Essential | Allows messages to be packaged and sent between physical locations.
IP, ICMP | Essential | Manages movement of messages and reports errors.
ARP | Essential | Communicates between layers to allow one layer to get information to support another layer.
TCP, UDP | Critical | Controls the management of service between computers.
DNS, RPC | Important | DNS provides address-to-name translation for locations and network cards. RPC allows a remote computer to perform functions on other computers.
RARP, BOOTP, DHCP, IGMP, SNMP, RIP, OSPF, BGP, CIDR | Advanced | Enhances network management and increases functionality.
FTP, TFTP, SMTP, Telnet, NFS, ping, Rlogin | Useful | Provides direct services to the user.


1. Overview of Network Analyzer
1.4 Network Analyzer Tools

- Wireshark: Wireshark (formerly known as Ethereal) is a fantastic open source network protocol analyzer for Unix and Windows.
- Snort: this network intrusion detection and prevention system excels at traffic analysis on IP networks.
- Netcat: this simple utility reads and writes data across TCP or UDP network connections.
- Tcpdump: Tcpdump is the IP sniffer used before Ethereal (Wireshark) came on the scene, and many of us continue to use it frequently.
- Netfilter: Netfilter is a powerful packet filter implemented in the standard Linux kernel.
- Capsa: Capsa Network Analyzer is an all-in-one and easy-to-use Ethernet network protocol analyzer for Windows platforms.
- Other tools: Carnivore, dSniff, Clarified Analyzer, SoftPerfect, Snoop, NetScout etc.



2. Wireshark
2.1 What is Wireshark?

Wireshark is a network packet analyzer. A network packet analyzer tries to capture network packets and to display that packet data in as much detail as possible.

- You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).
- In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed.
- Wireshark is perhaps one of the best open source packet analyzers available today.


2. Wireshark
2.2 People use Wireshark for

1. Network administrators use it to troubleshoot network problems.
2. Network security engineers use it to examine security problems.
3. Developers use it to debug protocol implementations.
4. People use it to learn network protocol internals.

Besides these examples, Wireshark can be helpful in many other situations too.


2. Wireshark
2.3 Features (1)

- Available for UNIX and Windows.
- Capture live packet data from a network interface.
- Display packets with very detailed protocol information.
- Open and save captured packet data.
- Import and export packet data from and to a lot of other capture programs.
- Filter packets on many criteria.
- Search for packets on many criteria.
- Colorize packet display based on filters.
- Create various statistics.



2. Wireshark
2.3 Features (2)

- Live capture from many different network media
  Wireshark can capture traffic from many different network media types, and despite its name this includes wireless LAN as well. Which media types are supported depends on many things, like the operating system you are using.

- Import files from many other capture programs
  Wireshark can open packets captured by a large number of other capture programs.

- Export files for many other capture programs
  Wireshark can save captured packets in the formats of a large number of other capture programs.

- Open Source Software
  Wireshark is an open source software project, and is released under the GNU General Public License (GPL). You can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins or built into the source, and they often do!



2. Wireshark
2.4 Disadvantages

- Wireshark is not an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn't allowed to do.

- Wireshark will not manipulate things on the network; it will only "measure" things from it. Wireshark does not send packets on the network or do other active things.


2. Wireshark
2.5 Where to locate the Wireshark?

- For Internet connectivity monitoring: before or after the Firewall, on the link to the ISP.
- For WAN monitoring: connect the laptop to the LAN switch, with port mirror to the monitored router.
- For server monitoring: connect the laptop to the LAN switch, with port mirror to the monitored server.


2. Wireshark
2.6 Datagram (1)

TCP/IP Protocol Stack - Reminder (figure)

OSI Layer 5-7: SMTP, Telnet, FTP, HTTP, SNMP, DNS
OSI Layer 4: TCP, UDP
OSI Layer 3: IP, ICMP, ARP
OSI Layer 1/2: Ethernet, F.R., DialUp, T.R., ATM, ISDN

2. Wireshark
2.6 Datagram (2)

Data Structure (figure): at each of Layer 5-7, Layer 4, Layer 3 and Layer 2 the unit consists of Overhead, Data and an optional error-check field (Err (Op.)); Layer 1 carries only Data.

2. Wireshark
2.6 Datagram (3)

Data Flow (figure): Host -> Router -> Router -> Server over Ethernet (Eth.) and Frame Relay (FR) links. At each stage the figure shows the same encapsulation: HTTP (L-5/6/7), TCP (L4), IP (L3) and Ethernet or FR (L2), each as overhead (OH) + Data + error check (E), transmitted as a bit stream.

2. Wireshark
2.6 Datagram (4)

Frame Format – Ethernet II / 802.3 (field sizes in bytes)

Ethernet II: PA (8) | Dest. Address (6) | Source Address (6) | Type (2) | Data + Pad | CRC (4)
  The Type field identifies the payload protocol, e.g. IP, IPX or AppleTalk.

IEEE 802.3: PA (7) | SFD (1) | Dest. Address (6) | Source Address (6) | Length (2) | Data + Pad | CRC (4)

2. Wireshark
2.6 Datagram (5)

IP Datagram Format (figure): encapsulation from HTTP (L-5/6/7) through TCP (L4) and IP (L3) to Ethernet (L2), each layer adding a header (H) and error check (E) around the Data; the figure highlights the IP header, and the Ethernet frame goes out as a bit stream.

2. Wireshark
2.6 Datagram (6)

IP Datagram Format (header fields, 32 bits per row)

- Ver: IP protocol version number
- Head. len: header length (in bytes)
- Type of service: "type" of data
- Length: total datagram length (in bytes)
- 16-bit identifier, flgs, Fragment offset: for fragmentation and reassembly
- Time to live: max. no. of remaining hops (decremented at each router)
- Upper layer: upper layer protocol to which the payload is delivered
- Internet checksum
- 32 bit source IP address
- 32 bit destination IP address
- Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
- Data (variable length, typically a TCP or UDP segment)

2. Wireshark
2.6 Datagram (7)

UDP Frame Structure (32 bits per row)

There are only four fields in the UDP header:

- Source port
- Destination port
- Message length
- Message checksum

UDP segment format: source port # | dest port # / length | checksum / application data (message)

Length: the length, in bytes, of the UDP segment, including the header. Checksum: the message checksum.
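As an added example (not part of the seminar slides), the following Python parser walks one constructed Ethernet II / IPv4 / UDP frame through the field layouts of the preceding slides (Ethernet II vs. IEEE 802.3, the IP header, the UDP header) and verifies the IP Internet checksum the way Wireshark's Packet Details pane does. The frame bytes, MAC addresses and IP addresses are constructed for the example.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II / IPv4 / UDP carrying
# the 5-byte payload "hello" from 10.0.0.1:12345 to 10.0.0.2:53. The preamble/SFD
# and CRC shown on the slide are normally stripped by the NIC, so a capture (and
# this parser) starts at the destination address.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"          # dst MAC, src MAC, Type = 0x0800 (IPv4)
    "4500" "0021" "0001" "0000" "40" "11" "66c9"   # ver/IHL, TOS, len 33, id, flags/frag, TTL 64, proto 17, checksum
    "0a000001" "0a000002"                          # source 10.0.0.1, destination 10.0.0.2
    "3039" "0035" "000d" "0000"                    # UDP: sport 12345, dport 53, length 13, checksum 0
    "68656c6c6f"                                   # application data "hello"
)
IPV4, UDP = 0x0800, 17

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                               # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frame(frame: bytes) -> dict:
    """Dissect Ethernet -> IPv4 -> UDP, as Wireshark's Packet Details pane does."""
    dst, src, type_len = struct.unpack("!6s6sH", frame[:14])
    out = {"eth_dst": dst.hex(":"), "eth_src": src.hex(":")}
    # The same 2-byte field is a Type (Ethernet II) when >= 0x0600, else a Length (802.3).
    if type_len < 0x0600:
        out.update(frame="IEEE 802.3", length=type_len)
        return out
    out.update(frame="Ethernet II", type=type_len)
    if type_len != IPV4:
        return out
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _cksum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4                       # header length field counts 32-bit words
    out.update(ip_version=ver_ihl >> 4, ip_hdr_len=ihl, ip_total_len=total_len, ttl=ttl, proto=proto,
               src=".".join(map(str, ip[12:16])), dst=".".join(map(str, ip[16:20])),
               # A header summed together with its own checksum field gives 0xFFFF, so the complement is 0.
               ip_checksum_ok=inet_checksum(ip[:ihl]) == 0)
    if proto != UDP:
        return out
    sport, dport, ulen, _ucksum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    out.update(udp_sport=sport, udp_dport=dport, udp_len=ulen, payload=ip[ihl + 8:ihl + ulen])
    return out
```

Calling parse_frame(SAMPLE_FRAME) yields the same fields Wireshark shows for such a frame; a TTL changed without recomputing the header checksum makes ip_checksum_ok False, which is what Wireshark's "bad checksum" warning reports.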


2. Wireshark
2.7 How to use the Wireshark? (1)

The Interface (Version 2.2.1) (screenshot)

2. Wireshark
2.7 How to use the Wireshark? (2)

Choose the Interface and Start the Capture (screenshot)

2. Wireshark
2.7 How to use the Wireshark? (3)

Capture Packet (screenshot): the three panes are Packet List, Packet Details and Packet Bytes.

2. Wireshark
2.7 How to use the Wireshark? (4)

TCP Packet Example (screenshot)

2. Wireshark
2.7 How to use the Wireshark? (5)

Example 1 – HTTP session Opened (screenshot)

2. Wireshark
2.7 How to use the Wireshark? (6)

Statistics => Flow Graph… (screenshot)

