Transcription
Intrusion Detection, Packet Sniffing
By: Eng. Ayman Amaireh
Supervisor: Dr. Lo'ai Tawalbeh
New York Institute of Technology (NYIT), Jordan's campus, 2006
12/2/2006 eng Ayman 1
What is a "packet sniffer"?
A packet sniffer is a wire-tap device or software that plugs into a computer network and eavesdrops on the network traffic. Like a telephone wiretap, which allows us to listen in on other people's conversations, a "sniffing" program lets someone listen in on computer conversations.
Introduction
Terminology: a packet sniffer is also known as a network analyzer or protocol analyzer; for particular types of networks, an Ethernet sniffer or wireless sniffer.
A packet sniffer can intercept and log traffic passing over a digital network or part of a network. As data streams travel back and forth over the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the relevant protocol specifications.

Introduction
However, computer conversations consist of apparently random binary data. Therefore, network wiretap programs also come with a feature known as "protocol analysis", which allows them to "decode" the computer traffic and make sense of it.
Shared media
Sniffing also has one advantage over telephone wiretaps: many networks use "shared media". This means that you don't need to break into a wiring closet to install your wiretap; you can do it from almost any network connection to eavesdrop on your neighbors. This is called a "promiscuous mode" sniffer. However, this "shared" technology is moving quickly toward "switched" technology, where this will no longer be possible, which means you will have to actually tap into the wire.

Shared media
On wired broadcast LANs, depending on the network structure (hub or switch), one can capture all of the traffic or only part of it from a single machine within the network; however, there are some methods to avoid traffic narrowing by switches to gain access to traffic from other systems on the network (e.g. ARP spoofing).
For network monitoring purposes it may also be desirable to monitor all data packets in a LAN by using a network switch with a so-called monitoring port, whose purpose is to mirror all packets passing through all ports of the switch.
[Diagram: Server 1, Server 2, Server 3, Station 1, Station 2 and Station 3 connected through a hub/switch]
Avoid traffic narrowing by switches
[Diagram slides, no text]
How does sniffing work?
Ethernet was built around a "shared" principle: all machines on a local network share the same wire. This implies that all machines are able to "see" all the traffic on the same wire. Thus, Ethernet hardware is built with a "filter" that ignores all traffic that doesn't belong to it. It does this by ignoring all frames whose destination MAC address doesn't match its own.

How does sniffing work?
A sniffer program turns off this filter, putting the Ethernet hardware into "promiscuous mode". Thus, Mark can see all the traffic among all machines, as long as they are on the same Ethernet wire.
What is it used for?
Sniffing programs have been around for a long time in two forms. Commercial packet sniffers are used to help maintain networks. Underground packet sniffers are used to break into computers.
Why do we use packet sniffing?
The versatility of packet sniffers means they can be used to:
- Analyse network problems.
- Detect network intrusion attempts.
- Gain information for effecting a network intrusion.
- Gather and report network statistics.
- Filter suspect content from network traffic.
- Debug client/server communications.
Malicious use:
- Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use).
- Reverse engineer protocols used over the network.
Example uses
- A packet sniffer for a token ring network could detect that the token has been lost or the presence of too many tokens (verifying the protocol).
- A packet sniffer could detect that messages are being sent to a network adapter; if the network adapter did not report receiving the messages, then this would localize the failure to the adapter.
- A packet sniffer could detect excessive messages being sent by a port, detecting an error in the implementation.
- A packet sniffer could collect statistics on the amount of traffic (number of messages) from a process, detecting the need for more bandwidth or a better method.
What are the components of a packet sniffer?
- The hardware: most products work from standard network adapters, though some require special hardware. If you use special hardware, you can analyze hardware faults like CRC errors, voltage problems, cable problems, "dribbles", "jitter", negotiation errors, and so forth.
- Capture driver: this is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, then stores the data in a buffer.
- Buffer: once the frames are captured from the network, they are stored in a buffer.
- Decode: this displays the contents of network traffic with descriptive text so that an analyst can figure out what is going on.
- Packet editing/transmission: some products contain features that allow you to edit your own network packets and transmit them onto the network.
Sniffing Detection
[Image slides, no text]

Sniffing Detection programs
[Image slide, no text]
Finally, how do I protect myself or my packets?
We can protect our packets through SSL (Secure Sockets Layer), which encrypts packets with different key lengths (40 bit to 128 bit) to get a secure channel for database communication or SMTP. We also use something called SSL over HTTP in e-commerce and e-mail: "HTTPS".

Finally, how do I protect myself or my packets?
TLS (Transport Layer Security) is based on SSL and requires certificates, which nowadays are called web-based certificates.
IPSec protocol: it works in the IP layer (the network layer of the OSI model) and encrypts every packet that is sent.
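The slides name SSL/TLS as the protection against a sniffer but not which settings actually make the channel safe. The following is an added example, not code from the slides: a weak client configuration of the kind that still negotiates old protocol versions and skips certificate verification, the hardened configuration beside it, and an audit helper that reports what is wrong with a given `ssl.SSLContext`. The CA file path is left to the caller and nothing here opens a connection.

```python
"""Weak versus hardened TLS client configuration, plus an audit helper.
Added example (not code from the slides): shows the settings that matter
when SSL/TLS is used to protect traffic from a sniffer. Certificate file
paths are left to the caller; nothing here opens a network connection."""
import ssl


def legacy_context():
    """Mimics a client that accepts any server and any protocol version the
    library still supports: the bytes on the wire are encrypted, but an
    active attacker in the path can present their own certificate and the
    client will happily talk to them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context(cafile=None):
    """Verify the peer certificate against the system (or a given) CA store,
    check the hostname, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit(ctx):
    """Return a list of findings for a context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version too low: {ctx.minimum_version.name}")
    return findings
```

The hardened context is what you pass to the standard library clients the slide's use cases map to, for example `smtplib.SMTP.starttls(context=hardened_context())` for SMTP or `http.client.HTTPSConnection(host, context=hardened_context())` for HTTPS. Encryption alone is not the point: without certificate verification and a hostname check, a sniffer that can also inject traffic (the "enemy" of the security model slide) can place itself in the middle and still read everything.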
Security Model (1)
[Diagram: process p sends message m to process q over a communication channel; the enemy, capable of sending any message to any process and reading or copying any message between a pair of processes, obtains a copy of m and injects m']

Cryptography
[Diagram: principal A (process p) and principal B (process q) communicate over a secure channel; the enemy is kept outside it]
Resources
http://en.wikipedia.org/wiki/Packet ing sniffers on your network.html

Ultra Network Sniffer
Sniffing SW
Ultra Network Sniffer is a powerful network visibility tool. It consists of a well-integrated set of functions that you can use to resolve network problems.
Ultra Network Sniffer will list all network packets in real time from multiple network cards (including modem, ISDN and ADSL) and also supports capturing packets based on the application.
Ultra Network Sniffer will capture the evidence of network intrusions.
Ultra Network Sniffer allows the network administrator to capture and retrace the steps of any network user.

Features
- Monitor network activity in real time.
- Dynamic network statistics and charts.
- Expert HTML export.
- Permanent, lifetime free software updates for registered users.
- Capture network traffic for detailed analysis.
- Capture network traffic based on application (TDI, SOCKET).
- Probe the network with active tools to simulate traffic, measure response times, and troubleshoot problems.
- Powerful packet generator in order to analyze network status and resolve problems.
- Supports all Windows versions (Windows XP/2000/NT/ME/98/95).
How to use it
After installing Ultra Network Sniffer, choose the network adapter that you want to monitor and click on the Start Capture button in the main toolbar. The Capture menu offers the following commands:
SW interface
This window displays packets as they arrive from the wire. The packet display window allows you to select specific packets to be shown in the Decoder Window. It also allows you to right-click a specific packet and perform certain functions on it. The user can drag a packet to the packet generator window to send the packet onto the network.

Packet Decoder
This window is used to display information about the structure of the packet from the Packet List window, in an easy-to-understand tree form. This provides a simpler way of displaying the various aspects of the packet. Each header it finds (MAC Header, IP Header, ICMP Header, TCP Header, and UDP Header) will be broken down, displaying each part of the packet and the data it contains within.

Packet Generator
The Packet Generator allows you to edit and send packets via your network card.

Packet editor
The Data Frame Editor allows the user to change the packet contents and have the packet decode displayed in the bottom window as you edit it. You can create packets of any kind, and you can choose which network adapter to send this packet from. The user can use Compute CRC to automatically correct the checksum.
How to filter packets
Example: only capture data from 10.0.0.2 and the "IP" protocol.
1. Select main menu "Monitor -> Option".
2. Select the page named "Protocol Filter".
3. Uncheck all protocols and only check protocol "IP" and its parent protocol and child protocols.
4. Select the page named "Advance filter".
5. Check IP method in the list box; you will see a list in the right part of the page.
6. There are three buttons on the right of the list: button "+" is used for adding one IP filter, "-" is used for deleting one IP filter, and "." is used for modifying one.
7. Click button "+" to add an IP filter. The IP filter dialog will show.
8. Fill the 10.0.0.2 IP into the Station1 field and "any ip address" into the Station2 field on the dialog.
9. Fill the protocol of interest into Protocol Type.
10. Fill the direction between stations into Dir.
11. Mode: Include is used for discarding all matching packets. Exclude is used for only capturing all matching packets.
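The component slides (capture driver, filter, buffer, decode), the "How does sniffing work?" slides (the NIC's MAC filter that promiscuous mode switches off), the Packet Decoder slide and the filter steps above all describe pieces of one pipeline. The following is an added example, not code from the slides or from Ultra Network Sniffer, that implements that pipeline in miniature over constructed frames: `nic_accepts` emulates the hardware filter, `decode` breaks an Ethernet/IPv4/TCP|UDP frame into the tree the decoder window shows, and `Sniffer` applies a Station1/Station2/Protocol Type filter in front of a bounded buffer. The direction field is omitted, and in this example "include" keeps matching packets while "exclude" drops them; check the product's own documentation for the semantics of its Mode setting.

```python
"""Toy sniffer pipeline: NIC MAC filter vs. promiscuous mode, IP capture
filter with include/exclude modes, bounded buffer, header decoder. Added
example; not code from the slides or from Ultra Network Sniffer. All frames
are constructed test data, not captures."""
import struct
from collections import deque


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def nic_accepts(frame, own_mac, promiscuous=False):
    """Ethernet hardware filter: a normal NIC delivers frames addressed to its
    own MAC, to broadcast, or to a multicast group (low bit of the first
    destination octet set). Promiscuous mode passes everything."""
    if promiscuous:
        return True
    dst = mac_str(frame[0:6])
    return dst == own_mac.lower() or dst == "ff:ff:ff:ff:ff:ff" or (frame[0] & 1) == 1


def decode(frame):
    """Break Ethernet II / IPv4 / TCP|UDP headers into the nested dict the
    Packet Decoder window shows as a tree; unknown layers stay raw bytes."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    tree = {"mac": {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "type": hex(etype)}}
    ip = frame[14:]
    if etype != 0x0800:                   # not IPv4: leave the payload undecoded
        tree["payload"] = ip
        return tree
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, tlen, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    tree["ip"] = {"src": ".".join(map(str, s)), "dst": ".".join(map(str, d)), "ttl": ttl, "proto": proto}
    l4 = ip[(vihl & 0x0F) * 4:min(tlen, len(ip))]   # honour IHL and total length
    if proto == 6 and len(l4) >= 20:
        sport, dport, off_flags = struct.unpack("!HH8xH", l4[:14])
        tree["tcp"] = {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF}
        tree["payload"] = l4[(off_flags >> 12) * 4:]
    elif proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        tree["udp"] = {"sport": sport, "dport": dport}
        tree["payload"] = l4[8:]
    else:                                 # ICMP and others: raw layer-4 bytes
        tree["payload"] = l4
    return tree


class Sniffer:
    """Capture driver + IP filter + bounded buffer. The filter mirrors the
    Station1 / Station2 / Protocol Type fields of the slide (direction is
    omitted); here 'include' keeps matching packets and 'exclude' drops them."""

    def __init__(self, own_mac, promiscuous, station1, station2="any",
                 proto="ip", mode="include", buffer_size=64):
        self.own_mac, self.promiscuous = own_mac, promiscuous
        self.station1, self.station2, self.proto, self.mode = station1, station2, proto, mode
        self.buffer = deque(maxlen=buffer_size)   # oldest frame is evicted when full

    def matches(self, tree):
        ip = tree.get("ip")
        if ip is None:                            # an IP filter never matches non-IP frames
            return False
        ends = {ip["src"], ip["dst"]}
        proto_ok = self.proto == "ip" or self.proto in tree
        return proto_ok and self.station1 in ends and (self.station2 == "any" or self.station2 in ends)

    def offer(self, frame):
        """Feed one frame from the wire; True if it was kept in the buffer."""
        if not nic_accepts(frame, self.own_mac, self.promiscuous):
            return False
        tree = decode(frame)
        if self.matches(tree) != (self.mode == "include"):
            return False
        self.buffer.append(tree)
        return True


def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Construct a test frame (not a capture); checksums are left at zero."""
    macs = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    if proto == 6:   # TCP header: data offset 5 words, flags PSH|ACK
        l4 = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x18, 8192, 0, 0)
    else:            # UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0, ip4(src_ip), ip4(dst_ip))
    return macs + struct.pack("!H", 0x0800) + iphdr + l4


def demo(mode="include"):
    """Three constructed frames against the slide's filter (station 10.0.0.2, any
    peer, protocol IP) on a promiscuous adapter; returns (kept flags, buffered sources)."""
    sn = Sniffer("00:11:22:33:44:55", True, "10.0.0.2", mode=mode, buffer_size=2)
    frames = [
        build_frame("00:11:22:33:44:55", "aa:bb:cc:00:00:01", "10.0.0.2", "10.0.0.9", 6, 40000, 80, b"GET / HTTP/1.0\r\n"),
        build_frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03", "10.0.0.7", "10.0.0.9", 17, 5353, 53, b"\x00"),
        build_frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", "10.0.0.9", "10.0.0.2", 17, 53, 40001, b"\x00"),
    ]
    kept = [sn.offer(f) for f in frames]
    return kept, [t["ip"]["src"] for t in sn.buffer]
```

`demo()` keeps the first and third frames (10.0.0.2 is an endpoint of both) and `demo("exclude")` keeps only the second. The second and third frames are addressed to another station's MAC, so with `promiscuous=False` the adapter would never hand them to the capture driver at all, which is exactly the hardware filter the "How does sniffing work?" slides describe; on a switched network the frames would not even reach the wire unless the switch had a mirror port. Note that `decode` trusts the IHL and total-length fields only as far as the bytes actually present, and refuses truncated headers, since a decoder that reads past the frame is a common source of crashes in real analysers.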