Wireshark Network Analysis Week 1 - Blackgirlshack

Transcription

Wireshark Network Analysis Week 1

Schedule
Week 1 – Chapters 1-3 Tennisha June 5
Week 2 – Chapters 4-6 Tennisha June 12
Week 3 – Chapters 7-9 Tennisha June 19
Week 4 – Chapters 10-12 Tennisha June 26
Week 5 – Chapters 13-14 Tennisha July 10
Week 6 – Chapters 15-17 Tennisha July 17
Week 7 – Chapters 18-20 Arun July 24
Week 8 – Chapters 21-22 Tennisha July 31
Week 9 – Chapters 23-25 Arun August 7
Week 10 – Chapters 26-28 Tennisha August 14
Week 11 – Chapters 29-31 Arun August 21
Week 12 – Chapters 32-33 Tennisha August 28

Chapter 1 Exam Objectives
Define Network Analysis
Troubleshooting Tasks for the Network Analyst
Security Tasks for the Network Analyst
Optimization Tasks for the Network Analyst
Application Analysis Tasks for the Network Analyst
Be aware of Legal Issues of Listening to Network Traffic
Overcome the “Needle in the Haystack” issue
Review a Checklist of Analysis Tasks
Understand Network Traffic Flows

Files Used in this exercise http-wireshark-slow.pcapng

Network Analysis
Definition: Network analysis is the process of listening to and analyzing network traffic. Network analysis, sometimes called protocol analysis, is a process used to monitor network performance and security.
Network analysis requires three basic skills:
A solid understanding of TCP/IP communications
Comfort using Wireshark
Familiarity with packet structures and packet flows
The process for analysis includes the following:
Capture packets at the appropriate location
Apply filters to focus on traffic of interest
Review and identify anomalies in the traffic

TCP Connection Steps
If your system supports IPv4 and IPv6 you see two DNS requests: one for IPv4 (A record) (packet 1) and one for IPv6 (AAAA record) (packet 5)
System requests the IP address of wireshark.org (packet 10)
The server responds with 200 OK (packet 14)
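To see what those first two DNS requests look like at the byte level, here is an added example (not part of the course slides) that constructs a dual-stack client's A and AAAA query frames and dissects them the way Wireshark's packet-details pane would, pulling out the client's hardware address, the DNS server's IP and the record type. The MAC and IP addresses are constructed sample values, not from the trace file.

```python
import struct

# Minimal Ethernet/IPv4/UDP/DNS dissector (added example, not from the course slides).
ETHERTYPE_IPV4 = 0x0800
QTYPE_NAMES = {1: "A", 28: "AAAA"}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def read_qname(data, off):
    """Decode an uncompressed DNS name: length-prefixed labels ending in a zero byte."""
    labels = []
    while data[off] != 0:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def dissect_dns_query(frame):
    """Return (client MAC, DNS server IP, query name, record type), or None if not a DNS query."""
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ip[9] != 17:                               # protocol 17 = UDP
        return None
    udp = ip[ihl:]
    if struct.unpack("!H", udp[2:4])[0] != 53:    # destination port 53 = DNS
        return None
    dns = udp[8:]
    qname, off = read_qname(dns, 12)              # skip the 12-byte DNS header
    qtype = struct.unpack("!H", dns[off:off + 2])[0]
    return mac_str(src_mac), ip_str(ip[16:20]), qname, QTYPE_NAMES.get(qtype, str(qtype))

def build_dns_query(src_mac, dst_mac, src_ip, dst_ip, name, qtype):
    """Build a sample query frame (constructed test data, not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    udp = struct.pack("!HHHH", 50000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src_ip, dst_ip) + udp
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip

# Constructed sample: the IPv4 (A) and IPv6 (AAAA) lookups a dual-stack client sends first.
CLIENT_MAC, ROUTER_MAC = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")
CLIENT_IP, DNS_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])
SAMPLE = [build_dns_query(CLIENT_MAC, ROUTER_MAC, CLIENT_IP, DNS_IP, "www.wireshark.org", t) for t in (1, 28)]
```

Running dissect_dns_query over each frame in SAMPLE gives the same four fields you would read from the Ethernet, IP and DNS layers in the packet-details pane for packets 1 and 5.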


Troubleshooting using Wireshark
Troubleshooting is the most common real-world use of Wireshark and is typically used to locate the source of unacceptable performance of the network, an application, a host or another element of network communications.
Common troubleshooting tasks with Wireshark include:
Locate faulty network devices
Identify device or software misconfigurations
Measure high delays along a path
Locate the point of packet loss
Identify network errors and service refusals
Graph queuing delays

Security Tasks using Wireshark
Security tasks can be proactive or reactive and are typically used to identify processes or breaches on the network. Security tasks include:
Perform intrusion detection
Identify and define malicious traffic signatures
Passively discover hosts, OSs and services
Log traffic for forensic examination
Capture traffic as evidence
Test firewall blocking
Validate secure login and data traversal

Legal Issues
Have you ever heard the terms wiretapping or electronic surveillance? Wireshark provides the ability to eavesdrop on network communications, so if you’re using Wireshark on a network you should either:
Own it
Have written permission
Work for the company that owns it
Title I of the Electronic Communications and Privacy Act (Wiretap Act) prohibits the intentional, actual, or attempted interception, use, disclosure, or procurement of any other person to intercept or endeavor to intercept any wire, oral, or electronic communications, i.e. this isn’t the party trick you want to show your friends to demonstrate your hacking ability.

Network Traffic Flows
Switches forward packets based on the destination MAC address
Switches do not change the MAC or IP addresses in packets
When the packet arrives at a switch, the switch checks the packet to ensure it has the correct checksum. If it’s correct, it’s good; if it’s incorrect it’s deemed bad and the packet is discarded
Switches typically maintain error counters to indicate how many packets they have discarded because of bad checksums
If the checksum is good, the switch examines the destination MAC address and checks its MAC address table to determine if it knows which switch port leads to the host using that MAC address
If the switch doesn’t have the target, it will send the packet out to all switch ports in hopes of discovering the target when it answers
If the switch does have the target, it forwards the packet to that switch port

Routing Overview
Routers forward packets based on the destination IP address in the IP header
When a packet is sent to the MAC address of the router, the router examines the checksum to ensure the packet is valid
If the packet is valid, the router strips the MAC header and examines the IP header to check the Time to Live and the destination of the packet
If the packet is not valid, the packet is dropped
If the packet has exceeded its Time to Live value, the router discards the packet and sends an ICMP Time to Live Exceeded message back to the sender
If the packet is not too old, the router consults the routing tables to determine if the destination IP network is known
If the router is directly connected to that network, it delivers the packet; if the network is reachable through another router, the router decrements the Time to Live value, applies a new MAC header and then forwards it to the next-hop router
Routers can contain rules that block or permit packets based on the addressing information
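The decision sequence above, written out as a small simulation (an added example, not from the course slides): checksum check, Time to Live check with an ICMP Time Exceeded reply, directly-connected delivery versus next-hop forwarding with a fresh MAC header, and an address-based blocking rule. The addresses and the /24 network assumption are constructed for the sample.

```python
from dataclasses import dataclass, replace

@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    crc_ok: bool = True

def network_of(ip):
    """Constructed simplification: every network in the sample is a /24."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

class Router:
    """Toy router (added example, not from the slides): forwards on destination IP."""
    def __init__(self, mac, ip, connected, routes, deny_src=()):
        self.mac, self.ip = mac, ip
        self.connected = connected       # network -> {host IP: host MAC} on attached LANs
        self.routes = routes             # network -> next-hop router MAC
        self.deny_src = set(deny_src)    # rule: block packets from these source addresses

    def process(self, pkt):
        """Return (action, outgoing packet or None) following the slide's decision steps."""
        if not pkt.crc_ok:
            return "drop: bad checksum", None
        if pkt.dst_mac != self.mac:              # MAC header is only stripped if it is ours
            return "ignore: not addressed to router", None
        if pkt.src_ip in self.deny_src:
            return "drop: blocked by rule", None
        if pkt.ttl <= 1:                         # would hit zero on decrement: too old
            icmp = Packet(self.mac, pkt.src_mac, self.ip, pkt.src_ip, 64)
            return "icmp time exceeded", icmp    # ICMP Time to Live Exceeded back to sender
        net = network_of(pkt.dst_ip)
        if net in self.connected:                # destination network is directly attached
            host_mac = self.connected[net].get(pkt.dst_ip)
            if host_mac is None:
                return "drop: host unknown", None
            return "deliver", replace(pkt, src_mac=self.mac, dst_mac=host_mac, ttl=pkt.ttl - 1)
        if net in self.routes:                   # decrement TTL, new MAC header, next hop
            return "forward", replace(pkt, src_mac=self.mac, dst_mac=self.routes[net], ttl=pkt.ttl - 1)
        return "drop: no route", None

# Constructed sample: one LAN attached, one remote network via a next-hop router.
ROUTER = Router("aa:bb:cc:00:00:01", "192.168.1.1",
                connected={"192.168.1.0/24": {"192.168.1.10": "00:11:22:33:44:55"}},
                routes={"10.0.0.0/24": "aa:bb:cc:00:00:02"},
                deny_src={"192.168.1.66"})
```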

Proxy, Firewall and NAT/PAT Overview
Firewalls are created to examine the traffic and allow/disallow communications based on a set of rules
Basic firewalls operate at Layer 3 of the OSI model (network layer)
Firewalls forward traffic that is not blocked by the firewall rules
The firewall prepends a new MAC header on the packet before forwarding it
If the system has Network Address Translation capabilities, the NAT system alters the IP address to hide the client’s private IP address
NAT alters the source and destination IP address of the packet and tracks the connection relationships in a table
Port Address Translation (PAT) alters the port information and uses this as a method for demultiplexing multiple internal connections, so the IP address on one side of a PAT will not match the IP addresses on the other side

Questions for Chapter 1
What is the hardware address of the client that is browsing to maps.google.com?
What is the IP address of the DNS server (which is also the router)?
What is the hardware address of the DNS server/router?
What IP addresses are associated with maps.google.com?

Chapter 2 Exam Objectives
Wireshark Creation and Maintenance
Obtain the Latest Version of Wireshark
Compare Wireshark Release and Development Versions
Report a Wireshark Bug or Submit an Enhancement
Capture Packets on Wired or Wireless Networks
Open Various Trace File Types
Understand How Wireshark Processes Packets
Use the Start Page
Identify the Nine GUI Elements
Navigate Wireshark’s Main Menu
Use the Main Toolbar for Efficiency
Focus Faster with the Filter Toolbar
Make the Wireless Toolbar Visible
Work Faster Using Right-Click Functionality
Functions of the Menus and Toolbars

Files Used in this exercise ftp-dir.enc

Types of Packet Capture
Libpcap – captures traffic on *NIX hosts
WinPcap – Windows port of the libpcap link-layer interface; captures traffic on Windows
AirPcap – link-layer interface and network adapter to capture wireless traffic on Windows

Expert Info Button & File Information

Expert Info Button
Red – Highest level is Errors
Yellow – Highest level is Warnings
Cyan – Highest level is Notes
Blue – Highest level is Chats
Green – There are packet comments, but no Errors, Warnings or Notes
Grey – No Expert Info items

File Information

Packet Information and Profile

File & Edit Menus

Edit Menu
Mark Packets (can be done for a single packet or a group of packets) (CTRL-M)
Ignore Packets
Time Shift (say if you want to view all the packets in EST instead of the default)
Edit or Add Packet Comments

View Menu

View Menu
View timestamp in Relative, Absolute, Absolute with Date, Delta
View Name Resolution at MAC layer, Network layer, and Transport layer (by default Wireshark resolves the first three bytes of MAC addresses and the port number in use)
View coloring rules

Coloring Rules

Go Menu
Go to corresponding packet
Next Packet
First or Last Packets in Conversation

Analyze Menu
Follow TCP Stream, UDP Stream or SSL Stream
Display Filters
Apply as a Filter
Decode As (to use a specific dissector on the traffic)
Expert Info

Expert Info

Statistics Menu
Summary
Endpoints
Conversations
Protocol Hierarchy (things like % of traffic)
Conversations and Endpoints (to check out conversations between specific communications)
Packet Lengths
IP Addresses and Destinations
HTTP Statistics

Tools Menu
Firewall ACL Rules (access control lists)

Finding a Packet
Control-F
Search based on a filter value, hex value or an ASCII string
Search in the packet list, packet details or packet bytes

Filter Toolbar

Questions Chapter 2
What is the purpose of WinPcap?
Open the ftp-dir.enc file
What is the highest level of expert information contained in this trace file?
What profile has been applied?
What is the time display format setting?
Did Wireshark resolve IP addresses to names?
Hint: Each of these items can be determined through the Wireshark status bar or Main Menu system

Chapter 3 Exam Objectives
Know Where to Tap into the Network
Run Wireshark Locally
Capture Traffic on Switched Networks
Use a Test Access Port (TAP) on Full-Duplex Networks
Set up Port Spanning/Port Mirroring on a Switch
Analyze Routed Networks
Analyze Wireless Networks
Capture at Two Locations
Select the Right Capture Interface
Capture on Multiple Adapters Simultaneously
Interface Details (Windows)
Capture Traffic Remotely
Automatically Save Packets to One or More Files
Optimize Wireshark to Avoid Dropping Packets
Conserve Memory with Command-Line Capture

Files Used in this Exercise

Know Where to Tap Into the Network
Consider the network diagram shown to the right. Client A is complaining.
We’d want to place our network analyzer as close to Client A as possible to identify traffic issues from A’s perspective.
If everyone on Router A is complaining you can place it closer to that device.

Run Wireshark Locally
One option is to run it from the system that you want to capture traffic to or from
However, sometimes that is not possible due to the security measures needed to get Wireshark installed on the user machine
Portable Wireshark can be installed onto a PortableApps-enabled device

Capture Traffic on Switched Networks
Using a switch to help control and isolate network traffic
When you connect Wireshark to a switch port, you will only see up to four types of traffic by default:
Broadcast traffic
Multicast traffic
Traffic to and from your own hardware address
Traffic to an unknown hardware address
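The switch behaviour from the Network Traffic Flows slide (checksum check, error counter, MAC table lookup, flooding of unknown targets) explains exactly why a Wireshark host on a plain switch port sees only those four kinds of traffic. This added example (not from the course slides) simulates a learning switch and lists which constructed sample frames the analyzer port would see without a SPAN port or TAP; the MAC addresses and port numbers are constructed.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    src: str
    dst: str
    in_port: int
    crc_ok: bool = True
def is_group_address(mac):  # broadcast/multicast: low bit of the first octet is set
    return int(mac.split(":")[0], 16) & 1 == 1

class LearningSwitch:
    """Toy learning switch (added example, not from the slides): forwards on destination MAC."""
    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}        # MAC address -> switch port
        self.crc_errors = 0        # discard counter for bad checksums

    def forward(self, frame):
        """Return the set of ports the frame leaves on (empty if discarded)."""
        if not frame.crc_ok:
            self.crc_errors += 1   # bad checksum: the frame is deemed bad and dropped
            return set()
        self.mac_table[frame.src] = frame.in_port      # learn which port the sender is on
        others = self.ports - {frame.in_port}
        if is_group_address(frame.dst):
            return others                              # broadcast/multicast: flood
        if frame.dst in self.mac_table:
            return {self.mac_table[frame.dst]}         # known target: that port only
        return others                                  # unknown target: flood to discover it

def frames_seen_by_analyzer(switch, analyzer_port, frames):
    """(src, dst) pairs a Wireshark host on analyzer_port sees with no SPAN port or TAP."""
    return [(f.src, f.dst) for f in frames if analyzer_port in switch.forward(f)]
# Constructed sample: hosts A and B on ports 1 and 2, the analyzer (MAC W) on port 3.
A, B, W = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
BCAST, MCAST = "ff:ff:ff:ff:ff:ff", "01:00:5e:00:00:fb"
TRAFFIC = [
    Frame(W, BCAST, 3),             # analyzer's own broadcast: switch learns W is on port 3
    Frame(A, BCAST, 1),             # broadcast: seen
    Frame(A, B, 1),                 # B not yet learned: flooded, seen
    Frame(B, A, 2),                 # A known: unicast to port 1, not seen
    Frame(A, B, 1),                 # B now known: not seen
    Frame(A, W, 1),                 # to the analyzer's own MAC: seen
    Frame(A, B, 1, crc_ok=False),   # bad checksum: discarded and counted
    Frame(A, MCAST, 1),             # multicast: seen
]
def demo():
    sw = LearningSwitch([1, 2, 3])
    return frames_seen_by_analyzer(sw, 3, TRAFFIC), sw.crc_errors
```

The unicast conversation between A and B disappears from the analyzer's view as soon as the switch has learned both addresses, which is the case port mirroring or a TAP is meant to cover.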

Using Analyzer Agents for Remote Capture
Analyzer agents are used by distributed analyzers
Analyzer agents enable you to manage switched traffic from a central location

Analyze Routed Networks
Routers isolate traffic based on the network address, such as the IP address
If you place Wireshark on one side of a router, you will only see traffic that is destined to or coming from that network

Analyze Wireless Networks
Start from the bottom and move up through the protocol stack when analyzing a WLAN environment
Wireshark cannot identify unmodulated RF energy or interference; use a spectrum analyzer to identify these problems
Wireshark’s location on a wireless network is similar to the location in a wired network – start as close as possible to the complaining user
Once you have determined that interference is not an issue, move up to the packet level to examine the WLAN traffic

Dual Captures
It may be necessary to capture traffic on two or more systems. This is called dual capture
Traffic can be captured using tshark or Wireshark
Both analyzer systems should be time synchronized
Mergecap can be used to combine the trace files

Capture Traffic Remotely
There may be times when you want to capture traffic remotely but analyze it locally
Some switches offer remote spanning capability
You can also use the remote capture abilities in tools like WinPcap

Questions
If you connect a Wireshark host directly into a switch, what traffic can you expect to see by default?
What is the difference between monitor mode and promiscuous mode?
