Packet Analysis for Beginners (Lab)

Presenter: Lisa Bock, Pennsylvania College of Technology

Most network administrators are well-versed in hardware, applications, operating systems, and network analysis tools. However, many are not trained in analyzing network traffic. Network administrators should be able to identify normal network traffic in order to recognize unusual or suspicious activity. Network packet analysis is important in order to troubleshoot congestion issues, create firewall and intrusion detection system rules, and perform incident and threat detection.

Slide Content
  1. Packet Analysis for Beginners

    Slide 1 - Packet Analysis for Beginners

    • Lisa Bock, Pennsylvania College of Technology
  2. Topics Covered

    Slide 2 - Topics Covered

    • Overview of Packet Analysis
    • The OSI Model
    • The TCP/IP Protocol Suite
    • Normal Network Communication - TCP and UDP
    • Abnormal Communication
    • Scanning
    • Malware
  3. Overview of Packet Analysis

    Slide 3 - Overview of Packet Analysis

    • Packet analysis uses a packet sniffer, network monitor or analyzer, to monitor and troubleshoot network traffic.
    • As data flows across the network, the sniffer captures each packet and decodes the packet's raw bits,
    • showing the field values in the packet according to the appropriate RFC or other specification.
    • The information can identify bottlenecks and help maintain efficient network data transmission.
  4. Uses for Packet Analysis

    Slide 4 - Uses for Packet Analysis

    • Analyze network problems
    • Detect network intrusion attempts and network misuse
    • Support regulatory compliance by monitoring the content of perimeter and endpoint traffic
    • Monitor bandwidth utilization
    • Verify endpoint security status
    • Gather and report network statistics
  5. Some Common Packet Analyzers

    Slide 5 - Some Common Packet Analyzers

    • Cain and Abel
    • Carnivore (FBI - monitors all of a target user's Internet traffic)
    • dSniff
    • ettercap
    • ngrep, Network Grep
    • OmniPeek
    • Snoop
    • Tcpdump
    • Wireshark (formerly known as Ethereal)
  6. Packet Capture

    Slide 6 - Packet Capture

    • Traffic captured is dependent on the placement of the device.
    • On a switch, the packet sniffer will see only the data the switch forwards to the capture device's own port
    • Traffic seen will be unicast, broadcast, or multicast.
    • To see all traffic, use port monitoring (SPAN) on the switch, or place a full-duplex tap in line with the traffic
    • http://wiki.wireshark.org/CaptureSetup/Ethernet
  7. The OSI Model

    Slide 7 - The OSI Model

    • In order to understand packet analysis you must understand the way data is prepared for transit.
    • The OSI model is a seven-layer representation of how data changes in form as each layer provides services to the next layer
    • Data is encapsulated on the way down the stack and de-encapsulated on the way up
  8. The OSI Model

    Slide 8 - The OSI Model

    • (Diagram slide; labels shown: MAC, Port, IP, Address, Data, Frame, Segment, Packet, PDU, Bits)
  9. Wireshark

    Slide 9 - Wireshark

    • The tool we will use for demonstration is Wireshark, formerly Ethereal, an open-source packet analyzer http://www.wireshark.org
    • Download and install Wireshark – make sure you install WinPCap (Windows Packet Capture) if you are using Windows
    • For a live capture, launch Wireshark and click the name of an interface under Capture Interfaces to start capturing packets on that interface.
  10. Wireshark

    Slide 10 - Wireshark

    • Configure advanced features by clicking Options
    • Select the interface with active packet exchange
    • Checkmark the interface you want to capture on
  11. The OSI Model

    Slide 11 - The OSI Model

    • In Wireshark, select any TCP frame and you will see the frame contents from layers 2 through 7
    • (Diagram labels: Data, Frame, Segment, Packet)
    • For a review go to http://wiki.wireshark.org/Ethernet
  12. Help in Wireshark

    Slide 12 - Help in Wireshark

    • Easily find help in Wireshark, including Sample Captures
  13. Capture Packets

    Slide 13 - Capture Packets

    • We will use pre-captured packets found in your folder and review normal traffic versus abnormal traffic
    • Once you open a capture you will see three panes:
    • The top pane is the Packet List view - a list of all of the packets received during the capture session.
    • The middle pane is the Packet Details view.
    • The bottom pane shows the individual Packet Bytes
  14. TCP Example

    Slide 14 - TCP Example

    • Normal traffic
    • Three-way handshake packets 1,2,3
    • Review port numbers, flags, SEQ ACK numbers, stream index
    • Packets 38-39 FIN packets
    • Packet 4 get image: File->export objects
    • http://www.symantec.com/connect/articles/studying-normal-traffic-part-three-tcp-headers
  15. UDP Example

    Slide 16 - UDP Example

    • Provides connectionless Transport Layer service to other applications on the internet without having to go through a handshake or connection process.
    • It is a simple protocol that does not provide any ordering or data integrity services.
    • UDP is an unreliable service.
    • Few problems occur with UDP.
  16. What uses UDP?

    Slide 17 - What uses UDP?

    • Commonly used in video streaming and time-sensitive applications.
    • UDP Applications:
    • Domain Name System (DNS)
    • Routing Information Protocol (RIP)
    • Voice over IP (VoIP)
    • Trivial File Transfer Protocol (TFTP)
    • Dynamic Host Configuration Protocol (DHCP)
    • 2015 Cengage Learning Computing Conference
  17. DNS

    Slide 18 - DNS

    • Filter UDP and you will see the DNS packets
    • Converts symbolic host names such as google.com to an IP address such as 72.14.204.103
    • Transfers name information between DNS servers
    • DNS uses TCP in a zone transfer
    • Look up other host names such as mail exchange (MX) records
    • DNS is essential to any network
  18. Normal DNS Queries/Responses

    Slide 19 - Normal DNS Queries/Responses

    • Client sends query to DNS server for an IP address
    • Server responds with information it has or asks other DNS servers for the information
    • All DNS packets have four (4) sections:
    • Questions
    • Answer Resource Records
    • Authority Resource Records
    • Additional Resource Records
  19. DNS Packet Structure - Flags

    Slide 20 - DNS Packet Structure - Flags

    • If RD is set, it directs the name server to pursue the query recursively.
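The four section counts and the RD flag described on the last three slides all live in the fixed 12-byte DNS header. This is an added example (not part of the lecture materials) that decodes that header and the question name from a constructed query; the sample bytes are made up for illustration.

```python
import struct

# Header flag bit positions (RFC 1035 section 4.1.1); RD is the one the slide discusses.
DNS_FLAG_BITS = {
    "QR": 15,  # 0 = query, 1 = response
    "AA": 10,  # authoritative answer
    "TC": 9,   # truncated
    "RD": 8,   # recursion desired
    "RA": 7,   # recursion available
}

def parse_dns_header(data):
    """Decode the 12-byte DNS header: ID, flags and the four section counts."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": ident,
        "flags": {name: bool((flags >> bit) & 1) for name, bit in DNS_FLAG_BITS.items()},
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "questions": qd,            # QDCOUNT
        "answer_rrs": an,           # ANCOUNT
        "authority_rrs": ns,        # NSCOUNT
        "additional_rrs": ar,       # ARCOUNT
    }

def parse_question_name(data, offset=12):
    """Read the label-encoded QNAME that follows the header (a query uses no compression)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)

# Constructed sample: a recursive A query for google.com, as a stub resolver would send it.
SAMPLE_QUERY = (
    b"\x1a\x2b"                          # transaction ID 0x1a2b
    b"\x01\x00"                          # flags: QR=0 (query), RD=1
    b"\x00\x01\x00\x00\x00\x00\x00\x00"  # QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    b"\x06google\x03com\x00"             # QNAME: google.com
    b"\x00\x01\x00\x01"                  # QTYPE=A, QCLASS=IN
)
```

In Wireshark the same fields appear under the DNS tree of a packet in the Details pane, which is a quick way to check the parser against a real capture.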
  20. FTP – Grab a Pic

    Slide 21 - FTP – Grab a Pic

    • Purpose of FTP is to transfer files over TCP
    • Uses both ports 20 and 21
    • Command channel is designated on port 21 for the FTP server.
    • To transfer data like directory contents or files, a secondary channel, port 20 is used.
    • Filter FTP-data traffic - then follow the TCP stream. Save as .jpg
  21. Reassemble the Streams

    Slide 22 - Reassemble the Streams

    • Can reassemble and obtain content if data is not encrypted
    • Filter ftp-data traffic
    • Right click, choose Follow TCP Stream, set the display to raw data, then click Save As and name the file mystery.jpg
    • Go to where you saved the file and open it!
  22. Internet Control Message Protocol

    Slide 23 - Internet Control Message Protocol

    • ICMP is used by routers, intermediary devices, or hosts to communicate updates or error information to other routers, intermediary devices, or hosts.
    • Used to troubleshoot network issues
    • Not used to exchange data between systems
    • ICMP is used by ping because it can generate echo-request/echo-reply query messages.
    • A Scout for IP!
  23. Internet Control Message Protocol

    Slide 24 - Internet Control Message Protocol

    • Four types of query messages that characterize the output generated by the ping command.
    • Echo request/echo reply:
    • Used to test reachability
    • Time stamp request/time stamp reply:
    • Used to compute delay between time stamps
    • Information request/information reply:
    • Locates address of local IP network
    • Subnet mask request/subnet mask reply:
    • Subnet information is exchanged
  24. ICMP-Dest Unreachable

    Slide 25 - ICMP-Dest Unreachable

    • RFC 792 – "ICMP is actually an integral part of IP, and must be implemented by every IP module."
  25. ICMP Error Codes

    Slide 26 - ICMP Error Codes

    • Type 3 Destination Unreachable Codes
    • 0 - Net Unreachable
    • 1 - Host Unreachable
    • 2 - Protocol Unreachable
    • Type 5 Redirect Codes
    • 0 – Redirect Datagram for Network
    • 1 – Redirect Datagram for Host
    • 2 - Redirect Datagram for Type of Service
  26. ICMP Error Codes

    Slide 27 - ICMP Error Codes

    • Type 11 Time Exceeded Codes
    • 0 – TTL Exceeded
    • 1 – Fragment Reassembly Time Exceeded
    • Type 12 Parameter Problem Codes
    • 0 – Pointer Indicates the Error
    • 1 – Missing Required Option
    • 2 - Bad Length
  27. ICMP - Errors

    Slide 28 - ICMP - Errors

    • Frame 5 Destination unreachable port unreachable snmp 161
    • A response with a nested packet
    • We have the IP header to send the packet to the target
    • After the destination unreachable message returns it sends back the IP header and 64 bits of original datagram
    • ICMP is used for reconnaissance by tools included in Kali Linux
    • http://it-ebooks.info/book/3000/
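Frame 5 on this slide is an ICMP error carrying a nested packet: the ICMP header is followed by the IP header and the first 64 bits of the datagram that triggered it, which is how you learn the original destination port (here UDP/161). This added example, not from the lecture materials, decodes such a message using the type/code names from the slides; the sample bytes are constructed, with checksums left at zero and not validated.

```python
import struct
import socket

# Type and code names taken from the ICMP error-code tables on the slides.
ICMP_TYPES = {3: "Destination Unreachable", 5: "Redirect", 11: "Time Exceeded", 12: "Parameter Problem"}
ICMP_CODES = {
    3: {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable", 3: "Port Unreachable"},
    5: {0: "Redirect Datagram for Network", 1: "Redirect Datagram for Host",
        2: "Redirect Datagram for Type of Service"},
    11: {0: "TTL Exceeded", 1: "Fragment Reassembly Time Exceeded"},
    12: {0: "Pointer Indicates the Error", 1: "Missing Required Option", 2: "Bad Length"},
}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_icmp_error(icmp):
    """Decode an ICMP error and the IP header + 64 bits of the original datagram it quotes."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short for ICMP header + inner IP header + 64 bits of data")
    icmp_type, code = icmp[0], icmp[1]
    inner = icmp[8:]                        # quoted original datagram starts after the 8-byte ICMP header
    ihl = (inner[0] & 0x0F) * 4             # inner IP header length in bytes
    proto = inner[9]
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    quoted = inner[ihl:ihl + 8]             # first 64 bits of the original transport header
    result = {
        "type": ICMP_TYPES.get(icmp_type, "type %d" % icmp_type),
        "code": ICMP_CODES.get(icmp_type, {}).get(code, "code %d" % code),
        "orig_src": src, "orig_dst": dst,
        "orig_proto": IP_PROTOCOLS.get(proto, str(proto)),
    }
    if proto in (6, 17):                    # TCP and UDP both begin with source and destination port
        result["orig_sport"], result["orig_dport"] = struct.unpack("!HH", quoted[:4])
    return result

# Constructed sample (not the lab capture): 192.0.2.20 reports that nothing listens on UDP/161
# and quotes the IP header and UDP ports of the probe it received from 192.0.2.10.
INNER_IP = (bytes([0x45, 0x00, 0x00, 0x24, 0xab, 0xcd, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00])
            + socket.inet_aton("192.0.2.10") + socket.inet_aton("192.0.2.20"))
INNER_UDP = struct.pack("!HHHH", 49153, 161, 16, 0)       # sport, dport (snmp), length, checksum
SAMPLE_ICMP = bytes([3, 3, 0, 0, 0, 0, 0, 0]) + INNER_IP + INNER_UDP   # type 3, code 3
```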
  28. DDOS

    Slide 29 - DDOS

    • Go to http://map.ipviking.com/
  29. Network Scans

    Slide 30 - Network Scans

    • Nmap is a tool used to discover hosts and services on a network, and create a "map" of the network.
    • It can be used either legitimately or maliciously to quickly scan thousands of ports and discriminate between ports in open, closed and filtered states.
    • By default, Nmap performs a SYN Scan, which works against any TCP stack.
  30. Nmap

    Slide 31 - Nmap

    • Scanning can be used as a passive attack in the form of reconnaissance.
    • After running a scan, the software will output results from the IP range you selected:
    • Ports/Hosts - the results of the port scan, including the well-known services for those ports.
    • Topology - an interactive view of the connections between hosts in a network.
    • Host Details – Details such as the number of ports, IP addresses, hostnames, operating systems, and more.
  31. Normal Three Way Handshake

    Slide 32 - Normal Three Way Handshake

  32. Port Scan

    Slide 33 - Port Scan

    • A command line tool such as tcpdump will provide a way to analyze traffic
    • Open Wireshark OUT
    • Do you see a pattern?
    • A RST/ACK sent in response to a SYN acknowledges receipt of the frame but lets the client know that the server cannot allow a connection on that port.
  33. Port Scan

    Slide 34 - Port Scan

    • Same source and destination IP address
    • Only the SYN flag is set
    • The destination port numbers of each packet changes as it tries every port
    • http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-two
  34. Port Scan

    Slide 35 - Port Scan

    • Packets 14, 15 and 16 we see an actual connection
    • Then it continues to attempt another connection in Packet 18, 19, 20
    • Enable SYN flood protection
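The pattern described across the three Port Scan slides (one source and destination pair, SYN-only frames, a changing destination port, RST/ACK answers on closed ports and a SYN/ACK where something listens) can be checked programmatically. This added example, not from the lecture materials, runs that check over constructed packet-list rows shaped like Wireshark's summary columns; the addresses, ports and threshold are made up.

```python
from collections import defaultdict

# Constructed packet summaries (not the lab capture), one tuple per frame:
# (frame number, src IP, dst IP, src port, dst port, TCP flags as Wireshark names them).
SAMPLE_PACKETS = [
    (1, "192.0.2.10", "192.0.2.20", 40001, 80, "SYN"),
    (2, "192.0.2.20", "192.0.2.10", 80, 40001, "SYN,ACK"),
    (3, "192.0.2.10", "192.0.2.20", 40001, 80, "ACK"),        # a normal three-way handshake
    (4, "198.51.100.7", "192.0.2.20", 55000, 21, "SYN"),
    (5, "192.0.2.20", "198.51.100.7", 21, 55000, "RST,ACK"),  # closed port answered with RST/ACK
    (6, "198.51.100.7", "192.0.2.20", 55000, 22, "SYN"),
    (7, "192.0.2.20", "198.51.100.7", 22, 55000, "RST,ACK"),
    (8, "198.51.100.7", "192.0.2.20", 55000, 23, "SYN"),
    (9, "192.0.2.20", "198.51.100.7", 23, 55000, "RST,ACK"),
    (10, "198.51.100.7", "192.0.2.20", 55000, 25, "SYN"),
    (11, "192.0.2.20", "198.51.100.7", 25, 55000, "RST,ACK"),
    (12, "198.51.100.7", "192.0.2.20", 55000, 80, "SYN"),
    (13, "192.0.2.20", "198.51.100.7", 80, 55000, "SYN,ACK"), # open port answered with SYN/ACK
]

def detect_syn_scans(packets, min_ports=5):
    """Report (src, dst) pairs whose SYN-only frames touched at least min_ports distinct ports."""
    probes = defaultdict(set)                                  # (src, dst) -> destination ports probed
    replies = defaultdict(lambda: {"RST,ACK": 0, "SYN,ACK": 0})  # (src, dst) -> how the target answered
    for _, src, dst, _sport, dport, flags in packets:
        if flags == "SYN":                          # SYN with no other flag = new connection attempt
            probes[(src, dst)].add(dport)
        elif flags in ("RST,ACK", "SYN,ACK"):       # answer flows back, so key it as (probe src, probe dst)
            replies[(dst, src)][flags] += 1
    alerts = {}
    for pair, ports in probes.items():
        if len(ports) >= min_ports:                 # a single handshake never trips this
            alerts[pair] = {"ports": sorted(ports), **replies[pair]}
    return alerts
```

The threshold is deliberately low for the sample; on a real capture, tune min_ports and the time window to the host's normal connection mix before acting on the result.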
  35. SEC-Bittorrent

    Slide 36 - SEC-Bittorrent

    • BitTorrent uses a distributed sloppy hash table (DHT) for storing peer contact information for "trackerless" torrents and consists of a number of different queries and corresponding responses.
    • Ping – used to check if a peer is available.
    • Find_node – used to find the contact information for a peer.
    • Get_peers – requests a list of peers which have pieces of the content.
    • Announce_peer – announces the contact information for the peer to the network.
    • Right click on packet 22 and follow UDP Stream
  36. More Resources

    Slide 37 - More Resources

    • For more Packet Captures go to http://www.netresec.com/?page=PcapFiles
    • Wireshark Network Analysis, by Laura Chappell, Chappell Binding Paperback ISBN 978-1-893939-99-8
    • Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders, No Starch Press, Incorporated ISBN-13: 9781593272661 2010