Intrusion Detection, Packet Sniffing

Transcription

Intrusion Detection, Packet Sniffing
By: Eng. Ayman Amaireh
Supervisor: Dr. Lo'ai Tawalbeh
New York Institute of Technology (NYIT), Jordan's campus, 2006
12/2/2006

What is a "packet sniffer"?

A packet sniffer is a wiretap device or piece of software that plugs into a computer network and eavesdrops on the network traffic. Just as a telephone wiretap lets someone listen in on other people's conversations, a "sniffing" program lets someone listen in on computer conversations.

Introduction

Terminology: a packet sniffer is also known as a network analyzer or protocol analyzer, or, for particular types of networks, an Ethernet sniffer or wireless sniffer. A packet sniffer can intercept and log traffic passing over a digital network or part of a network. As data streams travel back and forth over the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the relevant protocol specifications.

Introduction

However, computer conversations consist of apparently random binary data. Therefore, network wiretap programs also come with a feature known as "protocol analysis", which allows them to "decode" the computer traffic and make sense of it.

Shared media

Sniffing also has one advantage over telephone wiretaps: many networks use "shared media". This means that you don't need to break into a wiring closet to install your wiretap; you can do it from almost any network connection to eavesdrop on your neighbors. This is called a "promiscuous mode" sniffer. However, this "shared" technology is moving quickly toward "switched" technology, where this will no longer be possible, which means you will have to actually tap into the wire.

Shared media

On wired broadcast LANs, depending on the network structure (hub or switch), one can capture all of the traffic or just part of it from a single machine within the network; however, there are some methods to avoid the traffic narrowing done by switches and gain access to traffic from other systems on the network (e.g. ARP spoofing). For network monitoring purposes it may also be desirable to monitor all data packets in a LAN by using a network switch with a so-called monitoring port, whose purpose is to mirror all packets passing through all ports of the switch.

[Diagram: Server 1, Server 2, Server 3 and Station 1, Station 2, Station 3 connected through a hub/switch]

Avoid traffic narrowing by switches

[Slides 8 and 9: diagrams only; no text transcribed]

How does sniffing work?

Ethernet was built around a "shared" principle: all machines on a local network share the same wire. This implies that all machines are able to "see" all the traffic on the same wire. Thus, Ethernet hardware is built with a "filter" that ignores all traffic that doesn't belong to it. It does this by ignoring all frames whose destination MAC address doesn't match its own.

How does sniffing work?

A sniffer program turns off this filter, putting the Ethernet hardware into "promiscuous mode". Thus Mark (the person running the sniffer) can see all the traffic among all machines, as long as they are on the same Ethernet wire.

What is it used for?

Sniffing programs have been around for a long time in two forms. Commercial packet sniffers are used to help maintain networks. Underground packet sniffers are used to break into computers.

Why do we use packet sniffing?

The versatility of packet sniffers means they can be used to:
- Analyse network problems.
- Detect network intrusion attempts.
- Gain information for effecting a network intrusion.
- Gather and report network statistics.

Why do we use packet sniffing?

- Filter suspect content from network traffic.
- Debug client/server communications.

Malicious use:
- Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use).
- Reverse engineer protocols used over the network.

Example uses

A packet sniffer for a token ring network could detect that the token has been lost or that too many tokens are present (verifying the protocol). A packet sniffer could detect that messages are being sent to a network adapter; if the network adapter did not report receiving the messages, this would localize the failure to the adapter.

Example uses

A packet sniffer could detect excessive messages being sent by a port, revealing an error in the implementation. A packet sniffer could collect statistics on the amount of traffic (number of messages) from a process, showing the need for more bandwidth or a better method.

What are the components of a packet sniffer?

The hardware: most products work from standard network adapters, though some require special hardware. If you use special hardware, you can analyze hardware faults like CRC errors, voltage problems, cable problems, "dribbles", "jitter", negotiation errors, and so forth.

What are the components of a packet sniffer?

Capture driver: this is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, then stores the data in a buffer.

Buffer: once the frames are captured from the network, they are stored in a buffer.

What are the components of a packet sniffer?

Decode: this displays the contents of network traffic with descriptive text so that an analyst can figure out what is going on.

Packet editing/transmission: some products contain features that allow you to edit your own network packets and transmit them onto the network.

Sniffing Detection

[Slides 20 to 22: "Sniffing Detection" and "Sniffing Detection programs"; figures only, no text transcribed]

Finally, how to protect myself or my packets?

We can protect packets through SSL (Secure Sockets Layer), which encrypts packets with keys of different strengths (40-bit to 128-bit) to get a secure channel for database communication or SMTP. We also use something called SSL over HTTP in e-commerce and e-mail: "HTTPS".

Finally, how to protect myself or my packets?

TLS: Transport Layer Security, which is based on SSL and needs to use certificates, nowadays called web-based certificates.

IPSec protocol: it works in the IP layer (the network layer in the OSI model) and encrypts all sent packets.

Security Model (1)

The enemy is capable of sending any message to any process and reading or copying any message between a pair of processes.

[Diagram: process p sends message m over a communication channel to process q; the enemy holds a copy of m and injects m']

Cryptography

[Diagram: Principal A (process p) and Principal B (process q) communicate over a secure channel; the enemy is outside it]

Resources

http://en.wikipedia.org/wiki/Packet ing sniffers on your network.html

Ultra Network Sniffer

Sniffing SW

Ultra Network Sniffer is a powerful network visibility tool. It consists of a well-integrated set of functions that you can use to resolve network problems. Ultra Network Sniffer lists all network packets in real time from multiple network cards (including modem, ISDN and ADSL) and also supports capturing packets based on the application. Ultra Network Sniffer captures the evidence of network intrusions and allows the network administrator to capture and retrace the steps of any network user.

Features

- Monitor network activity in real time.
- Dynamic network statistics and charts.
- Expert HTML export.
- Permanent, lifetime free software updates for registered users.
- Capture network traffic for detailed analysis.
- Capture network traffic based on application (TDI, SOCKET).
- Probe the network with active tools to simulate traffic, measure response times, and troubleshoot problems.
- Powerful packet generator in order to analyze network status and resolve problems.
- Supports all Windows versions (Windows XP/2000/NT/ME/98/95).

How to use it

After installing Ultra Network Sniffer, choose the network adapter that you want to monitor and click on the Start Capture button in the main toolbar. The Capture menu offers the following commands:


SW interface

This window displays packets as they arrive from the wire. The packet display window allows you to select specific packets to be shown in the Decoder window; it also allows you to right-click a specific packet and perform certain functions on it. The user can drag a packet to the packet generator window to send the packet to the network.

Packet Decoder

This window is used to display information about the structure of the packet selected in the Packet List window, in an easy-to-understand tree form. This provides a simpler way of displaying the various aspects of the packet. Each header it finds (MAC header, IP header, ICMP header, TCP header and UDP header) is broken down, displaying each part of the packet and the data it contains.

Packet Generator

The Packet Generator allows you to edit and send packets via your network card.

Packet editor

The Data Frame Editor allows the user to change the packet contents and have the packet decode displayed in the bottom window as you edit it. You can create packets of any kind, and you can choose which network adapter sends the packet. The user can use "compute CRC" to automatically correct the checksum.
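As an added example (not code from the slides or from the Ultra Network Sniffer product), the following Python builds a constructed Ethernet/IPv4 frame, applies the hardware MAC filter described under "How does sniffing work?" with and without promiscuous mode, breaks the frame into MAC and IP header fields the way the Packet Decoder window does, and edits a header field followed by the checksum recompute the packet editor offers. The names build_frame, nic_accepts, decode and set_ttl, and the addresses used, are assumptions made here.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over an even-length header; caller zeroes the checksum field."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(dst_mac, src_ip="10.0.0.2", dst_ip="10.0.0.1", ttl=64):
    """Constructed sample: Ethernet II frame + bare IPv4 header (protocol 6 = TCP, no payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the checksum
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip

def nic_accepts(frame, nic_mac, promiscuous=False):
    """The Ethernet hardware filter: frames addressed to other stations are dropped unless promiscuous."""
    dst = mac_str(frame[:6])
    return promiscuous or dst in (nic_mac, BROADCAST)

def decode(frame):
    """Break the frame into MAC header and IP header fields, as the Packet Decoder window does."""
    out = {"eth": {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
                   "type": struct.unpack("!H", frame[12:14])[0]}}
    if out["eth"]["type"] == 0x0800:                     # EtherType IPv4
        ihl = (frame[14] & 0x0F) * 4                     # header length in bytes
        hdr = frame[14:14 + ihl]
        csum = struct.unpack("!H", hdr[10:12])[0]
        out["ip"] = {"src": ".".join(map(str, hdr[12:16])), "dst": ".".join(map(str, hdr[16:20])),
                     "ttl": hdr[8], "proto": hdr[9],
                     "checksum_ok": ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == csum}
    return out

def set_ttl(frame, ttl):
    """Edit one field the way the packet editor does, then recompute the IP checksum ("compute CRC")."""
    ihl = (frame[14] & 0x0F) * 4
    hdr = bytearray(frame[14:14 + ihl])
    hdr[8] = ttl
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return frame[:14] + bytes(hdr) + frame[14 + ihl:]
```

A frame edited without recomputing the checksum decodes with checksum_ok false, which is exactly the kind of inconsistency a decoder flags and the "compute CRC" button repairs.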

How to filter packets

Example: only capture data from 10.0.0.2 and the "IP" protocol.
1. Select main menu "Monitor -- Option".
2. Select the page named "Protocol Filter".
3. Uncheck all protocols and only check protocol "IP" and its parent protocol and child protocols.
4. Select the page named "Advance filter".
5. Check the IP method in the list box; you will see a list in the right part of the page.
6. There are three buttons on the right of the list: button " " is used for adding one IP filter, "-" is used for deleting one IP filter, and "." is used for modifying.
7. Click button " " to add an IP filter. The IP filter dialog will show.
8. Fill the IP 10.0.0.2 into the Station 1 field and "any ip address" into the Station 2 field on the dialog.
9. Fill the protocol of interest into Protocol Type.
10. Fill the direction between the stations into Dir.
11. Mode: Include is used for discarding all matching packets. Exclude is used for only capturing all matching packets.
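The filter dialog from steps 5 to 11, modelled as an added example in Python (not the product's own code): a rule has Station 1, Station 2 (with the "any ip address" wildcard), a Protocol Type that matches the named protocol or any of its child protocols (the parent/child relation of step 3) and a direction, and is applied in Include or Exclude mode. Here Include keeps the matching packets and Exclude drops them, the usual meaning of those words, which is the reverse of how step 11 above words it; the packet records, the protocol tree and the rule are constructed for the example.

```python
ANY = "any ip address"                               # wildcard accepted by the station fields
PARENT = {"TCP": "IP", "UDP": "IP", "ICMP": "IP"}    # constructed protocol tree (child -> parent)

# Constructed decoded packets, standing in for what the capture driver has already parsed.
PACKETS = [
    {"src": "10.0.0.2", "dst": "10.0.0.1", "proto": "TCP"},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": "TCP"},
    {"src": "10.0.0.2", "dst": "10.0.0.9", "proto": "UDP"},
    {"src": "10.0.0.7", "dst": "10.0.0.8", "proto": "TCP"},
]

def station_matches(field, addr):
    return field == ANY or field == addr

def protocol_matches(wanted, have):
    """True if the packet's protocol is `wanted` or sits below it in the protocol tree."""
    while have is not None:
        if have == wanted:
            return True
        have = PARENT.get(have)
    return False

def rule_matches(pkt, rule):
    """rule keys: station1, station2, protocol, dir ('1->2', '2->1' or 'both')."""
    if not protocol_matches(rule["protocol"], pkt["proto"]):
        return False
    fwd = station_matches(rule["station1"], pkt["src"]) and station_matches(rule["station2"], pkt["dst"])
    rev = station_matches(rule["station2"], pkt["src"]) and station_matches(rule["station1"], pkt["dst"])
    return {"1->2": fwd, "2->1": rev, "both": fwd or rev}[rule["dir"]]

def apply_filter(packets, rule, mode="include"):
    """Include keeps the matching packets; Exclude keeps everything that does not match."""
    if mode not in ("include", "exclude"):
        raise ValueError("mode must be 'include' or 'exclude'")
    keep = mode == "include"
    return [p for p in packets if rule_matches(p, rule) == keep]

# The slide's example rule: traffic involving 10.0.0.2, any protocol under IP, either direction.
EXAMPLE_RULE = {"station1": "10.0.0.2", "station2": ANY, "protocol": "IP", "dir": "both"}
```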

