An Introduction to Network Analyzers New
Transcript of An Introduction to Network Analyzers New
8/8/2019 An Introduction to Network Analyzers New
-
Network Analyzer Components
Hardware: special hardware devices for monitoring voltage fluctuation, jitter (random timing variation), jabber (failure to handle electrical signals), CRC and parity errors
NIC card
Capture driver: capturing the data
Buffer: memory or disk-based
Real-time analysis: analyzing the traffic in real time; detecting any intrusions
Decoder: making data readable
Capturing the data is easy! The question is what to do with it!
-
Basic Operation
Ethernet traffic is broadcast to all nodes on the same segment. A sniffer can capture all the incoming data when the NIC is in promiscuous mode:
ifconfig eth0 promisc
Default setup is non-promiscuous (only receives the data destined for the NIC). Remember: a hub receives all the data!
If switches are used the sniffer must perform port spanning
Also known as port mirroring: the traffic to each port is mirrored to the sniffer
-
Port Monitoring
-
Protecting Against Sniffers
Spoofing the MAC is often referred to as changing the MAC address (in Linux):
ifconfig eth0 down
ifconfig eth0 hw ether 00:01:02:03:04:05
ifconfig eth0 up
Register the new MAC address by broadcasting it:
ping -c 1 -b 192.168.1.1
To detect a sniffer (Linux): download Promisc.c; ifconfig -a (search for promisc); ip link (search for promisc)
To detect a sniffer (Windows): download PromiscDetect
Remember: 00:01:02:03:04:05 MAC address (HWaddr) = Vendor Address + Unique NIC #
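The promiscuous-mode check this slide describes, and that Basic Operation relies on (search the output of ifconfig -a or ip link for "promisc"), can be scripted so a host can audit its own interfaces. The following Python is an added example, not code from the lecture or from any of the tools it names; the ip link and ifconfig -a outputs it parses are constructed samples, and the interface names and MAC addresses in them are made up.

```python
"""Find interfaces in promiscuous mode from `ip link` / `ifconfig -a` output.

Added example (not part of the lecture). It automates the "search for promisc"
check from the slides. Both sample outputs below are constructed.
"""
import re

# Constructed sample of `ip link` output (iproute2); eth0 carries PROMISC.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:01:02:03:04:05 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:aa:bb:cc brd ff:ff:ff:ff:ff:ff
"""

# Constructed sample of classic net-tools `ifconfig -a` output; eth0 carries PROMISC.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:01:02:03:04:05
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:cc
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
"""

# Matches "<index>: <name>[@peer]: <FLAG,FLAG,...>" at the start of a line.
_IP_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)[^:]*:\s+<([^>]*)>", re.M)


def promisc_from_ip_link(text):
    """Return names of interfaces whose `ip link` flag list contains PROMISC."""
    return [name for name, flags in _IP_LINK_RE.findall(text)
            if "PROMISC" in flags.split(",")]


def promisc_from_ifconfig(text):
    """Return names of interfaces whose ifconfig block lists the PROMISC flag.

    In net-tools output each interface starts in column 0 and its flag line
    (UP BROADCAST RUNNING ...) is indented beneath it.
    """
    found, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():        # new interface block
            current = line.split()[0]
        elif current and "PROMISC" in line.split():
            found.append(current)
    return found


if __name__ == "__main__":
    # On a live host replace the samples with the real command output,
    # e.g. subprocess.run(["ip", "link"], capture_output=True, text=True).stdout
    print("ip link   :", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("ifconfig -a:", promisc_from_ifconfig(SAMPLE_IFCONFIG))
```

Both functions return ["eth0"] for the samples. The PROMISC flag only reflects what the kernel reports for the interface, so this is a host-side check to run on your own machines (for example from a periodic integrity job), not a way to see promiscuous NICs elsewhere on the segment.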
-
Protecting Against Sniffers
Using switches can help
Use encryption: making the intercepted data unreadable
Note: in many protocols the packet headers are cleartext! VPNs use encryption and authorization for secure communications
VPN Methods
Secure Shell (SSH): headers are not encrypted
Secure Sockets Layer (SSL): high network level packet security; headers are not encrypted
IPsec: encrypted headers but does not use TCP or UDP
Remember: Never use unauthorized sniffers at work!
-
What is Wireshark?
Formerly called Ethereal. An open source program, free with many features
Decodes over 750 protocols
Compatible with many other sniffers
Plenty of online resources are available
Supports command-line and GUI interfaces
TSHARK (offers command line interface) has three components:
Editcap (similar to Save as.., to translate the format of captured packets)
Mergecap (combine multiple saved capture files)
Text2pcap (reads an ASCII hexdump capture and writes the data into a libpcap output file)
Remember: You must have a good understanding of the network before you use sniffers effectively!
-
Installing Wireshark
Download the program from www.wireshark.org/download.html
Requires installing capture drivers (monitor ports and capture all traveling packets)
Linux: libpcap; Windows: winpcap (www.winpcap.org)
Typically the file is in TAR format (Linux). To install in Linux:
rpm -ivh libpcap-0.9.4-8.1.i386.rpm (install libpcap RPM)
rpm -q libpcap (query libpcap RPM)
tar zxvf libpcap-0.9.5.tar.gz
./configure
make
sudo make install
-
Installing Wireshark
Packages that are needed for installation:
Ethereal (available in Fedora Core 4 disk #4): ethereal-0.10.11-2.i386.rpm
Ethereal GNOME User Interface: ethereal-gnome-0.10.11-2.i386.rpm
Log in as the root user
Insert Fedora Core 4 Disk #4
Navigate to the following folder in the disk: /Fedora/RPMS
Locate the packages ethereal-0.10.11-2.i386.rpm and ethereal-gnome-0.10.11-2.i386.rpm
Copy the above packages to your system
Change directory to the packages location (cd)
Install Ethereal: rpm -ivh ethereal-0.10.11-2.i386.rpm
Install Ethereal GNOME User Interface: rpm -ivh ethereal-gnome-0.10.11-2.i386.rpm
-
Wireshark Window (screenshot; labelled panes): Menu Bar, Tool Bar, Filter Bar, Summary Window, Protocol Tree Window, Data View Window, Info Field, Disp. Info field
-
Packet number 8: BGP (Border Gateway Protocol)
Protocol Tree Window: details of the selected packet (#8)
Raw data (content of packet #8)
-
We continue in the lab.
Download the following files and copy them in your HW: bgp_test, tcp_stream_analysis, follow_tcp_stream
-
A Little about Protocols
Protocols are standards for communications
Ethernet is the most popular protocol standard to enable computer communication
Based on shared medium and broadcasting
Ethernet address is called MAC address: 48 bit HW address coded in the ROM of the NIC card
The first 12 bits represent the vendor; the second 12 bits represent the serial number. Use: arp -a
Remember: IP address is logical addressing. Network layer is in charge of routing. Use: ipconfig
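To tie the Text2pcap component listed under TSHARK to the Ethernet addressing on this slide, here is an added Python example (not from the lecture or the Wireshark project) that turns an ASCII hex dump into a libpcap file, reads it back, and decodes the 14-byte Ethernet header, splitting the 48-bit MAC into its vendor and NIC-specific parts. The frame bytes, MAC addresses and IP addresses in SAMPLE_HEXDUMP are constructed; the libpcap layout (24-byte global header, 16-byte per-packet header, link type 1 for Ethernet) is the real file format. The code uses the IEEE OUI split, where the vendor part is the first three octets (24 bits) of the address.

```python
"""Hex dump -> libpcap file -> decoded Ethernet header.

Added example (not from the lecture or Wireshark). Mirrors what text2pcap does
with a hex dump and what a decoder does with the Ethernet (MAC) addresses.
The frame below is constructed.
"""
import io
import struct

# Constructed hex dump of one Ethernet II frame: dst MAC, src MAC, EtherType 0x0800
# (IPv4), then a 20-byte IPv4 header (ICMP, 192.168.1.10 -> 192.168.1.1; no payload).
SAMPLE_HEXDUMP = """\
0000  00 0c 29 aa bb cc 00 01 02 03 04 05 08 00 45 00
0010  00 14 00 01 00 00 40 01 f7 8c c0 a8 01 0a c0 a8
0020  01 01
"""

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1


def hexdump_to_bytes(dump):
    """Convert a text2pcap-style dump (offset column followed by hex bytes) to raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if fields:
            out.extend(int(h, 16) for h in fields[1:])   # fields[0] is the offset
    return bytes(out)


def write_pcap(frames, ts=0):
    """Return the bytes of a little-endian libpcap file holding `frames`."""
    buf = io.BytesIO()
    # global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    buf.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        # per-packet header: ts_sec, ts_usec, incl_len, orig_len
        buf.write(struct.pack("<IIII", ts + i, 0, len(frame), len(frame)))
        buf.write(frame)
    return buf.getvalue()


def read_pcap(data):
    """Parse little-endian libpcap bytes and return the list of raw frames."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    frames, off = [], 24
    while off < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def mac_str(octets):
    return ":".join("%02x" % b for b in octets)


def decode_ethernet(frame):
    """Split the Ethernet header; the source MAC is also shown as OUI + NIC part."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "src_vendor": mac_str(src[:3]),   # OUI: first three octets
        "src_nic": mac_str(src[3:]),      # vendor-assigned NIC part
        "ethertype": ethertype,
        "payload_len": len(frame) - 14,
    }


if __name__ == "__main__":
    frame = hexdump_to_bytes(SAMPLE_HEXDUMP)
    pcap_bytes = write_pcap([frame])
    for f in read_pcap(pcap_bytes):
        print(decode_ethernet(f))
```

Writing pcap_bytes to a file with a .pcap extension gives something Wireshark or tshark will open directly, which is a handy way to check a decoder against a frame whose bytes you chose yourself.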
-
OSI Model
Physical
Data link; sublayers:
MAC: physical addressing: moving packets from one NIC card to another
LLC (Logical Link Control): flow control and error control
Network: logical addressing (IP protocol)
Transport: provides reliable end-to-end transport. Can be connectionless (UDP) or connection oriented (TCP). Connection oriented requires ACK