Ethical Network Surveillance Using Packet Sniffing Tools: A Comparative Study


I. J. Computer Network and Information Security, 2018, 7, 12-22
Published Online July 2018 in MECS (http://www.mecs-press.org/)
DOI: 10.5815/ijcnis.2018.07.02

Ethical Network Surveillance using Packet Sniffing Tools: A Comparative Study

Ibrahim Ali Ibrahim Diyeb
Postgraduate Student, IT Department, FCIT, Sana'a University, Yemen. E-mail: ibrahimthiib@gmail.com

Dr. Anwar Saif
Head of IS Department, FCIT, Sana'a University, Yemen. E-mail: Anwarsaif.ye@gmail.com

Dr. Nagi Ali Al-Shaibany
Head of IT Department, FCIT, Sana'a University, Yemen. E-mail: Shaibany@yahoo.com

Received: 18 April 2018; Accepted: 16 May 2018; Published: 08 July 2018

Abstract—Nowadays, with the growth of computer networks and the Internet, the security of data, systems and applications is becoming a real challenge for network developers and administrators. An intrusion detection system is a first and reliable line of network security, and it is based on gathering data from the computer network. Monitoring, auditing and analysis tools for data traffic are therefore an important factor in raising overall system and network security, both by keeping out external attackers and by revealing abuse of IT assets by employees in the workplace. The techniques used to collect network data and convert it to a readable format are called packet sniffing. A packet sniffer is a tool that captures packets in binary form, converts that binary data into a readable format and logs the captured data for analysis and monitoring; it shows the applications in use, clear-text user names and passwords, and other vulnerabilities. Network administrators use it to keep the network more secure and to support better decisions. There are many different sniffing tools for monitoring, analyzing and reporting network traffic.
In this paper we compare three different sniffing tools, TCPDump, Wireshark and Colasoft, according to parameters such as detection ability, filtering, availability, supported operating systems, open-source status, GUI, characteristics and features, and other qualitative and quantitative parameters. In addition, this paper may serve as an introduction for new researchers, giving them an overview of the essentials of packet sniffing techniques and how they work.

Index Terms—Packet Sniffing Tools, Packet Sniffer, Network Vulnerability, Network Analysis, Wireshark, TCPdump, Colasoft.

Copyright 2018 MECS

I. INTRODUCTION

Information technology is becoming an integral part of the basic infrastructure of industries and organizations. With the huge growth of computer networks and the Internet, administering and auditing data traffic is important for raising the overall security and efficiency of a networked system. Packet sniffing is the process of collecting data packets from the network as binary data, converting that binary data into a readable format and analyzing it to show the protocols used, plaintext passwords, and so on. This helps network administrators monitor and control the computer network so as to curb abuse of IT assets and reduce the risk of external attacks and computer malfunction. It also simplifies network troubleshooting by detecting and recognizing errors and misuse of data by disgruntled employees and/or attackers [1].

A packet sniffer is a piece of hardware or software that is legitimately used by the network administrator to capture the data frames transmitted between network devices. It is an important surveillance tool for the computer network, much as a camera is for physical surveillance. Some packet sniffing tools can save the captured data as audit logs for later use and analysis.
Packet sniffing tools are passive: they only collect data and do not change or act on it. In other words, they work like an intrusion detection system, collecting and identifying protocols and data without prevention. They help in discovering vulnerabilities in the network, or work like a penetration test of the given network [2].

The most important topic related to packet sniffing is network security, which is defined as the policies, standards and procedures for monitoring and preventing denial of computer network services, misuse of IT assets and resources, unauthorized access, and so on. The

important factors of network security and access control are confidentiality, integrity, availability, authorization, authentication and accountability. As an example, authentication is the process by which two systems establish identity before they exchange information. The old authentication technique uses a user name and password. The network sniffer scans the packet traffic, inspecting user names, passwords, addresses and plain-text data. Further, packet sniffing tools alert the network administrator to undesired changes on the computer network such as packet flooding and IP spoofing [3].

Furthermore, a packet sniffer prints the collected data on the screen and reports a log of the captured traffic according to parameters such as destination address, source address, target port number and protocol used. Network administrators can make an in-depth analysis of the traffic to overcome weaknesses in the network and to simplify troubleshooting of errors. They can also save audit logs for accountability and later use. In addition, the tools reveal plaintext passwords and abuse of computer resources, both of which can lead to network malfunction and reduced network performance. For all of these reasons, network analysis tools, or packet sniffing tools, are needed [1].

There are various objectives for using packet sniffing tools; some of them are the following:
- They are used by network administrators in the analysis, monitoring and auditing of network traffic to investigate employees' abuse of IT assets, which helps prevent violations of the policies, standards and procedures of an industry or organization.
- Packet sniffers are used for intrusion detection and penetration testing by network application developers, programmers, and network and security engineers, especially to raise an alarm on network malfunction or attack when network performance is slow or the network is down.
- They help network administrators detect network weaknesses, threats and vulnerabilities, enhancing the overall security of the network.
- They help in understanding the different network applications that use the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), their parameters, payload type, IP and Media Access Control (MAC) addresses, etc.

But the main objective of this research study is to compare three different network analysis tools, Wireshark, TCPdump and Colasoft Capsa, using different parameters such as Graphical User Interface (GUI), operating systems supported, use of the libpcap library, open-source status, Packet Capture (PCAP) file support, user interface, cost, decoding forms, detection of abnormal packets, etc. [1][5].

The rest of this research paper is organized as follows. Section II defines network vulnerabilities and attacks. Section III provides an overview of network sniffing, presenting the packet sniffer components, the sniffing work process and the main types of packet sniffing. Section IV explains the three packet sniffing tools, Wireshark, TCPDump and Colasoft, with their features, advantages and limitations. Section V presents the experimental analysis and filtering methods using these packet sniffing tools. Section VI presents the comparative study between the three tools. Section VII shows the results and discussion. Finally, the conclusion is given in Section VIII.

II. NETWORK VULNERABILITY AND ATTACKS

A vulnerability is a weakness in the protocols, applications and data transferred in computer networks. Threats exploit these weaknesses to damage resources, systems and applications. The first thing attackers do is reconnaissance of the victim's network, gathering information about vulnerable systems with tools such as dig, whois, traceroute and nslookup as well as packet sniffing tools. Network scanning is used to find vulnerabilities in the network system.
A port scan is the process of finding the active ports on which a server accepts client requests [3].

There are two types of network attacks: active and passive. Packet sniffing is considered a passive attack, in which the attacker monitors and collects network information to obtain clear-text passwords, routing information, financial transactions, e-mails, Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, and other critical and sensitive information that is not encrypted, all of which can be obtained via packet sniffing tools without the user's knowledge. The other type is the active attack, in which the attacker compromises the network system by masquerading as another entity in it. IP spoofing, Address Resolution Protocol (ARP) spoofing and MAC spoofing are examples of active attacks.

While TCPDump, Wireshark and Colasoft are packet sniffing tools, there are other tools used for spoofing. Ettercap is a tool for ARP spoofing and poisoning that can perform a man-in-the-middle attack. It requires selecting the network interface to work on; after the interface is selected, the network is scanned for hosts and the hosts found are shown in a list in the tool. Packet sniffing tools, by contrast, gather information from the computer network and convert the binary information to hexadecimal and human-readable format for analysis, diagnosis of network failures and troubleshooting. They are used for detecting errors and abnormal traffic in the network. Network administrators also use these tools to find weaknesses and vulnerabilities in the network by showing which protocols in use are insecure, so that they can be replaced by strong protocols [3].

In addition, various systems and applications use a user name and password, which have become an integral part of our personal and business lives. Examples of environments using user names and/or

Personal Identification Number (PIN) logins are banking systems, electronic mail logins, Automated Teller Machines (ATM), Point of Sale (POS) terminals, server logins, etc. All of these are sources of computer network vulnerability if the login methods are not strongly protected. Packet sniffing tools are used efficiently and effectively to test the weakness of user name and password login methods. They provide the network administrator with full details of user names and passwords that are sent in plain text or without strong encryption, so that a suitable countermeasure can be taken to fix the weakness in the network system.

Moreover, there are many types of password attacks by which attackers and hackers crack passwords. Among them are brute force, dictionary attacks, malware/key loggers, SQL injection, rainbow table attacks and phishing. As a network administrator, you can use the packet sniffing application to locate the user name and password fields in the data traffic, test the complexity of the passwords and take an appropriate countermeasure to prevent attackers from stealing them. For example, when the network administrator sees that a password is short enough for a brute-force attack to guess even though it mixes numbers, letters and special characters, he must advise making passwords longer and more complex [4]. Note, however, that a password the sniffer can read at all points to a more fundamental weakness, namely that the credential travels unencrypted; no password policy fixes that, only encryption of the login exchange does.

III. NETWORK SNIFFING

Network sniffing is the process of capturing, monitoring and analyzing the data traffic travelling in the network, both incoming and outgoing.
The tool that performs this process is called a packet sniffer: a program that captures traffic either from a wired network via the cable or from a wireless network via the air. A packet sniffer has the benefits of analyzing the traffic, determining and understanding the characteristics of the network, possible malicious activity and attacks, peak bandwidth usage and availability, and finding unsecured applications, data and protocols [1].

There are two capture modes: promiscuous mode and monitor mode. When the Network Interface Card (NIC) is set in promiscuous mode, the host becomes able to sniff all packets on its segment, not only those addressed to it. In monitor mode, sometimes called "rfmon" mode, a wireless NIC captures 802.11 frames without associating or authenticating with any access point, and frames that fail the Cyclic Redundancy Check (CRC) are also passed up to the sniffer [5].

A. Components of Packet Sniffer

The packet sniffer consists of the following components.
- Hardware: the piece of hardware that is used, typically a standard network adapter.
- Capture driver: the critical part of the packet sniffer. Its role is to capture data from the network, wired or wireless, filter for particular traffic and protocols, and store the data in the buffer.
- Buffer: stores the captured frames gathered from the network.
- Analysis and decode: in this phase the network data is displayed in descriptive text format and an analysis is produced for each part of the data [4].

B. Packet Sniffing Types

Packet sniffing can be classified by the following parameters.
- IP based sniffing: the fundamental and most commonly used packet sniffing method. The network card is set in promiscuous mode to capture all packets passing on the network. It uses an IP based filter, so only packets matching the specified IP addresses are captured.
In general no IP filter is set, so IP sniffing captures all packets. IP based sniffing works on non-switched networks.
- MAC sniffing: like the IP based filter, the MAC sniffing filter lets the host capture all of the network's packets that match the corresponding MAC addresses.
- ARP sniffing: this method is effective on switched networks. It works a little differently and does not require putting the network card into promiscuous mode, because the traffic is made to come to us: hosts accept unsolicited ARP replies (the ARP protocol is stateless), so their ARP caches can be poisoned, as the Ettercap tool of Section II does, and they then send their traffic to the sniffing host [1][2].

C. Packet Sniffing Work Process

Packet sniffing works in the following steps.
- Collection: the packet sniffer gathers the raw binary data from the network interface, wired or wireless.
- Conversion: the captured binary data is converted into a readable format that shows the protocols used and the data payload.
- Analysis: the captured and converted data is analyzed to extract the protocols used and their parameters.

Each device in the network has a NIC with a unique physical address. When a device sends a packet on shared Ethernet, it passes all machines on the network; every machine can see the traffic, but does not respond to traffic that does not belong to it.

When the NIC is set to promiscuous mode, the machine can see all traffic on the segment: the NIC accepts and gathers all frames and packets on the network even if they are not destined for that machine. A machine in this state is called a sniffer. The sniffer begins reading all information entering the

machine via the NIC [1].

As we know, data travels as packets or frames, groups of bits formatted according to specific protocols. The packet sniffer therefore has to peel back the encapsulation layers and decode the traffic by destination computer, source computer, payload, target port number or the piece of information exchanged between two computers. The following points define both shared Ethernet and switched Ethernet.
- Shared Ethernet: all machines on the network share the same cable and take turns using the bandwidth. Each machine receives all traffic travelling on the network, so a machine whose NIC is placed in promiscuous mode can listen to all of it.
- Switched Ethernet: the network uses a switch instead of a hub. The switch is more intelligent and keeps a forwarding table, so it forwards traffic only to the intended machine instead of repeating it to all the others. In this case a sniffer does not see other hosts' traffic. Switched Ethernet provides better performance, and putting the NIC in promiscuous mode does not help by itself, so network administrators often assume that sniffers do not work in this environment [1]. Port mirroring on the switch, or the ARP poisoning described in Section II, still makes the traffic visible to a sniffer.

There are many packet sniffing applications and tools available on the market. Some have a graphical interface and others a command line interface. We explain and compare three popular packet sniffing tools: TCPDump, Wireshark and Colasoft.

IV. PACKET SNIFFING TOOLS

There are many tools for decoding and analyzing the data transmitted in the network. Usually these tools work in promiscuous mode, enabling the computer to capture the full traffic of IP packets and the ports used by a variety of applications. The important point here is that the sniffing tools are passive and are designed for measuring both wired and wireless networks. In this research paper we take the three packet sniffing tools described in the following points.

A. TCPDUMP

TCPDump is a popular open-source command line interface (CLI) packet sniffer that runs on Unix and Linux platforms. It was written in 1987 at the Lawrence Berkeley National Laboratory and published a few years later.

It captures network data through the libpcap library, which is written in the C programming language. libpcap provides the capture interface on all common Unix-based platforms, including FreeBSD and Linux. On Windows the equivalent of TCPDump is WinDump, which uses WinPcap, the Windows port of libpcap. The developers designed libpcap as a platform-independent API so that a variety of applications could use it, eliminating the need for a system-dependent capture module in each application. TCPDump is considered a parsing tool: by default it intercepts packets and prints a summary of what it captures from the network; other features, such as storage, are invoked with specific command options. TCPDump works as follows: 1) it reads and writes capture files in the Packet CAPture (PCAP) format using CLI commands; 2) it filters packets according to given parameters; 3) it prints the captured data on the screen according to the specified parameters [4]. It is an easy and portable packet sniffer because it depends only on the CLI, and network administrators use it to examine network devices from remote locations [5][6].

Fig. 1 shows TCP/IP traffic as analyzed by the TCPDump packet sniffing tool, displaying the addresses and contents of the data traffic.

Fig. 1. TCPDump overview showing the TCP/IP flow characteristics [7].

The major limitation of TCPDump is that it does not give the network administrator a graphical view of the captured data for further analysis; there is only the CLI.
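The collect, convert and analyze steps of Section III.C and the read/write, filter and print workflow of TCPDump just described, as an added example that is not part of the paper and is not tcpdump's own code. It writes a small capture in libpcap's .pcap format (which `tcpdump -r` and Wireshark can open), reads it back, peels Ethernet II, IPv4 and TCP/UDP headers by hand, applies a filter in the style of `tcpdump port 80`, and prints a tcpdump-like summary line. The frames, MAC and IP addresses and payloads are constructed for the example, and IP/TCP checksums are left at zero because the decoder does not verify them.

```python
"""Added example (not from the paper or from tcpdump): collect -> convert ->
analyse on a hand-made .pcap, with a tcpdump-style filter and summary line.
Frames, addresses and payloads below are constructed for the example."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1


def write_pcap(frames, t0=1_530_000_000):
    """Serialise raw Ethernet frames to libpcap format (global header + records).
    One frame per second starting at t0, so timestamps are predictable."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Step 1, collection: yield (timestamp, raw frame) from pcap bytes."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Step 2, conversion: peel Ethernet II -> IPv4 -> TCP/UDP into a dict."""
    etype = struct.unpack("!H", frame[12:14])[0]
    pkt = {"eth_dst": frame[0:6].hex(":"), "eth_src": frame[6:12].hex(":")}
    if etype != 0x0800:                     # not IPv4: ARP (0x0806) or something else
        pkt["proto"] = "ARP" if etype == 0x0806 else "ethertype %#06x" % etype
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # IPv4 header length in bytes, options included
    pkt.update(ip_src=socket.inet_ntoa(ip[12:16]), ip_dst=socket.inet_ntoa(ip[16:20]))
    l4 = ip[ihl:]
    if ip[9] == 6:                          # TCP
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        pkt.update(proto="TCP", sport=sport, dport=dport, seq=seq,
                   flags=off_flags & 0x1FF, payload=l4[(off_flags >> 12) * 4:])
    elif ip[9] == 17:                       # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        pkt.update(proto="UDP", sport=sport, dport=dport, payload=l4[8:])
    else:
        pkt["proto"] = "ip proto %d" % ip[9]
    return pkt


def matches(pkt, port=None, host=None):
    """Step 3, analysis: a filter in the spirit of `tcpdump port 80 and host 10.0.0.5`."""
    if port is not None and port not in (pkt.get("sport"), pkt.get("dport")):
        return False
    if host is not None and host not in (pkt.get("ip_src"), pkt.get("ip_dst")):
        return False
    return True


def summary(ts, pkt):
    """One line per packet, modelled on tcpdump's default output."""
    if pkt["proto"] not in ("TCP", "UDP"):
        return "%.6f %s" % (ts, pkt["proto"])
    return "%.6f IP %s.%d > %s.%d: %s, length %d" % (
        ts, pkt["ip_src"], pkt["sport"], pkt["ip_dst"], pkt["dport"],
        pkt["proto"], len(pkt["payload"]))


def sniff_file(data, **flt):
    """Run all three steps over a capture; return the summary lines that pass the filter."""
    return [summary(ts, pkt) for ts, frame in read_pcap(data)
            for pkt in [decode(frame)] if matches(pkt, **flt)]


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload, seq=1):
    """Constructed Ethernet II + IPv4 + TCP (PSH,ACK) frame; checksums left at zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x018, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return bytes.fromhex("02bbbbbbbbbb") + bytes.fromhex("02aaaaaaaaaa") + b"\x08\x00" + ip + tcp


# Constructed sample: an ARP request (42 bytes padded to 60) and two TCP segments.
ARP_FRAME = (b"\xff" * 6 + bytes.fromhex("02aaaaaaaaaa") + b"\x08\x06"
             + bytes.fromhex("0001080006040001") + bytes.fromhex("02aaaaaaaaaa")
             + socket.inet_aton("10.0.0.5") + b"\x00" * 6 + socket.inet_aton("10.0.0.1")
             ).ljust(60, b"\x00")
SAMPLE_FRAMES = [
    ARP_FRAME,
    build_tcp_frame("10.0.0.5", "10.0.0.80", 51000, 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    build_tcp_frame("10.0.0.5", "10.0.0.22", 51001, 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
]

if __name__ == "__main__":
    capture = write_pcap(SAMPLE_FRAMES)
    with open("sample.pcap", "wb") as fh:   # open it with: tcpdump -nr sample.pcap
        fh.write(capture)
    for line in sniff_file(capture, port=80):
        print(line)
```

Running the script writes sample.pcap and prints only the port-80 frame, the same selection `tcpdump -nr sample.pcap port 80` would make. Real tcpdump compiles such filters to BPF and applies them in the kernel before the frame is copied to user space, which is why it stays cheap on busy links; the Python filter runs after decoding, which is fine for a saved file but not for a 10 Gbit/s interface.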
Because it is text based, however, it is easy to use remotely over a Telnet connection (Telnet itself sends the session, including the login, in clear text, so SSH is the appropriate remote channel today). There are a few other disadvantages of TCPDump. These include:
- Limited analysis of the traffic: it decodes individual packets but does little protocol analysis above TCP/IP.
- It reports only what it finds in the packets; if the IP address in the traffic is forged, it has no way of reporting anything else [10].
- Packets blocked by a firewall are not shown. This holds for an upstream firewall, whose drops never reach the interface; a packet dropped by the capturing host's own firewall may still appear on the inbound side, because libpcap sees incoming frames before the local firewall rules run.

B. Wireshark

Wireshark was created by Gerald Combs in late 1997 for tracking down network problems and monitoring data traffic. It was named Ethereal until May 2006, when its name was changed to Wireshark. It is free, open-source GUI packet analyzer software written in the C programming language and released under the GNU General

Public License (GPL). It runs on a variety of Unix-like operating systems, including Mac OS X, Linux and Solaris, as well as Microsoft Windows. The command line interface (CLI) of Wireshark is called TShark and lets the user work with it via commands. Wireshark is like TCPDump with an added GUI, support for a wide variety of protocols, and filtering and sorting options. It is used as a Network Forensic Analysis Tool (NFAT) in organizations.

Wireshark is designed for capturing packets from live networks and also for browsing previously saved capture files. The supported capture file format is PCAP (current versions also write the newer pcapng format by default). It displays the captured data in byte and hexadecimal form, showing the different packet types and protocols used. It also allows the user to reassemble packet data into a TCP stream.

Its interface has three panes. The summary pane, or packet list, shows for each captured packet the frame number, date, time, source and destination IP addresses, upper-layer protocol, packet length and information about the traffic content, colored by packet type. The second pane gives the details of the captured packet: when a packet is selected in the packet list, its details appear in the following two panes, the details pane and the byte (hexadecimal) pane. The details pane shows a tree-like structure of the captured protocols for a variety of applications, such as the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), Hyper Text Transfer Protocol (HTTP), etc.
The third pane, the data or byte pane, shows the raw captured data, displaying the packet bytes in hexadecimal and ASCII/text form [8][9][10].

An important note: to capture on a live interface, Wireshark sets the NIC to promiscuous mode so that the sniffer sees all traffic on that interface, not just the traffic addressed to the host's own configured addresses. Besides promiscuous mode, port mirroring can be enabled at points in the network where promiscuous mode alone does not cover all of the traffic [5][6].

Fig. 2 shows the Wireshark interface with its three windows, the summary, details and byte panes, presenting the different characteristics of the network traffic in readable form. The details section shows that the frame length is 60 bytes, the link-layer type is Ethernet II, the payload is an ARP packet, and the ARP protocol type field is IPv4.

The frame size is bounded by the Maximum Transmission Unit (MTU), which depends on the network type. For example, Asynchronous Transfer Mode (ATM) carries data in 53-byte cells [17], the MTU of Ethernet and IPv4 networks is 1500 bytes, and some network types use jumbo frames of up to 9000 bytes [18]. Hence the maximum frame size changes according to the MTU of a given network type.

Fig. 2. Wireshark packet sniffing tool interface (panels: summary, section of details, hexadecimal content).

Furthermore, the frame size is also determined by the application used in the network. In this case study it is 60 bytes, the minimum Ethernet frame length: the 42-byte ARP request, used to find the physical link-layer address of a router interface or host when its logical IP address is given, is padded to 60 bytes (Wireshark shows the frame without the 4-byte frame check sequence). As another example, the author of [19] used a frame data size of 500 bytes when applying Quality of Service (QoS) to some UDP-based healthcare applications and concluded that it was suitable for both delay and jitter, while other QoS settings led to a frame size of 1500 bytes.
The frame therefore appears in the packet sniffing tool with a size that depends on the application or protocol used in the network.

Wireshark's limitations: it requires a good understanding of the protocol formats, and of HTTP and HTML/CSS for reading web content in the byte view. It uses the PCAP file format for capturing traffic, so it can capture only on the link types that libpcap supports. Another disadvantage is that Wireshark is not an automated tool, so it is not suited to long-running monitoring (its companion command line capture program dumpcap, with ring-buffer files, is the usual workaround).

C. Colasoft

Colasoft Capsa is a closed-source network protocol analyzer for business and personal use on the Windows operating system platform, used by network administrators to troubleshoot, monitor and diagnose traffic on the computer network. Colasoft produces a free edition of Capsa that is easy to use and offers real-time packet analysis, reliable forensics, in-depth protocol analysis and continuous 24/7 network monitoring. It can open multiple interfaces in a single instance and gives the user graphical interfaces and matrix representations [5].

It performs in-depth analysis of packets, showing their different characteristics, and can generate reports and logs and raise alerts, though voice and e-mail alerts are available only in the licensed versions. It has a variety of GUI features, displaying the captured information as graphs and matrices and per characteristic of the network traffic, showing each protocol used in the network. Fig. 3 shows the Colasoft tool and its enhanced GUI features.

Fig. 3. Colasoft packet sniffing tool interface.

There are some limitations of Colasoft. It is an expensive application; a free version is available, but with restricted features, for example the free version does not notify the user through e-mail and voice channels. Two other disadvantages are that it works only on the Microsoft Windows operating system, and that it supports only about 300 protocols, which is few compared with some other packet sniffing tools such as Wireshark [6][8].

V. EXPERIMENTAL ANALYSIS AND FILTERING

The general packet sniffing process occurs in three steps: first, the sniffer gathers or captures the network information; second, the captured binary data is converted into a readable format; and finally, analysis and filtering are applied to the converted data. There are various ways and methods for filtering and choosing a specified protocol or some part of the data traffic. The NIC of the machine on which the sniffing tools are installed must be in promiscuous mode to capture all packets and frames on its network segment. This machine is called the sniffer [11].

Filtering of the packets captured in real time, or of saved captures, is important for the analysis and diagnosis of the various data traffic, protocols and applications used in the computer network system. For protocols such as HTTP, ICMP, the Domain Name System (DNS), TCP/IP, UDP, the Simple Network Management Protocol (SNMP), etc., all of the volume information and packet losses are shown in the captured information [12].

In addition, the three packet sniffing tools, TCPDump, Wireshark and Colasoft, are used for monitoring, analysis and auditing of the data traffic on computer networks, wired or wireless. Further, they are used in penetration testing and intrusion detection by observing strange packets in the network. The network's security threats are revealed by the sniffer, which can capture all incoming and outgoing data traffic, including clear-text user names and passwords and other critical information [13]. Some packet sniffers include intrusion detection engines that search for specific types of network attacks such as packet flooding and IP spoofing [14].

The following steps apply the Wireshark and Colasoft packet sniffing tools to the HTTP protocol, which uses the TCP protocol at the transport layer [20]. To extract and analyze the HTTP protocol, do the following:
- Open the browser, start Wireshark and Colasoft capturing, and browse to a web site; in this case study we chose the sign-in page "http://www.sababank.com/signin.php" and typed a user name and password into the login form. Then close the web site and stop the capture.
- Use the filter toolbar to filter for the specified packets, showing the protocols and data content.

Fig. 4 is an example of extracting a user name and password in Wireshark by filtering the HTTP protocol; the clear-text user name and password are shown in the rectangular box, where the user name is "Ibrahim Diyeb" and the password is "yemen 123". The filtering command is http.request.method == "POST". This filter guides the network administrator in remediating this vulnerability in the specified application, by using a secure protocol such as Hyper Text Transfer Protocol Secure (HTTPS) or by encrypting the content.

Fig. 4. Wireshark filtering showing clear-text user name and password.

Furthermore, to extract an entire TCP connection stream into a file, select the packet you want, right-click and choose "Follow TCP Stream"; a window with the full content of that connection appears, and it can be saved to a file.

Fig. 5. Colasoft analysis and filtering showing the web site.
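What the Wireshark display filter http.request.method == "POST" and the "Follow TCP Stream" function of Fig. 4 and the paragraph above actually do, reduced to code, as an added example that is not part of the paper and is not Wireshark's own code. It reassembles one direction of a TCP conversation from (sequence number, payload) segments, which is what a decoder of the kind sketched in Section IV.A hands over, splits the byte stream into HTTP requests, keeps only POST requests with form-encoded bodies and reports the credential-looking fields. The segments, the host name www.example.test, the field names and the values are constructed for the example (the user name and password values mirror Fig. 4; the host is a placeholder, not the site used in the paper).

```python
"""Added example (not from the paper or from Wireshark): "Follow TCP Stream" and
the filter http.request.method == "POST", reimplemented on constructed segments."""
from urllib.parse import parse_qs

# Form field names that usually carry a credential (assumed list for the example).
CRED_FIELDS = ("user", "username", "login", "email", "pass", "password", "passwd", "pwd")


def follow_tcp_stream(segments):
    """Reassemble one direction of a TCP connection from (seq, payload) pairs.
    Out-of-order segments are sorted, retransmitted overlap is dropped, and a gap
    raises instead of silently gluing unrelated bytes together."""
    out = bytearray()
    expected = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq > expected:
            raise ValueError("gap: bytes %d..%d missing" % (expected, seq))
        out += payload[expected - seq:]          # skip the part we already have
        expected = max(expected, seq + len(payload))
    return bytes(out)


def parse_http_requests(stream):
    """Split a client->server byte stream into HTTP/1.x requests.
    Body length is taken from Content-Length; no header means no body."""
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:                              # incomplete request at the end
            break
        lines = head.decode("iso-8859-1").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers = {k.strip().lower(): v.strip()
                   for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
        n = int(headers.get("content-length", 0))
        requests.append({"method": method, "target": target,
                         "headers": headers, "body": rest[:n]})
        stream = rest[n:]
    return requests


def find_cleartext_credentials(segments):
    """Apply method == "POST", then pull credential-looking fields out of
    application/x-www-form-urlencoded bodies (what Fig. 4 shows by eye)."""
    findings = []
    for req in parse_http_requests(follow_tcp_stream(segments)):
        if req["method"] != "POST":
            continue
        ctype = req["headers"].get("content-type", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            continue
        form = parse_qs(req["body"].decode("iso-8859-1"))
        creds = {k: v[0] for k, v in form.items() if k.lower() in CRED_FIELDS}
        if creds:
            findings.append({"host": req["headers"].get("host", "?"),
                             "target": req["target"], "fields": creds})
    return findings


# Constructed sample: a GET for the sign-in page followed by the login POST, cut into
# three segments that arrive out of order, one of them a partial retransmission.
BODY = b"username=Ibrahim+Diyeb&password=yemen+123&submit=Login"
REQ_GET = b"GET /signin.php HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
REQ_POST = (b"POST /signin.php HTTP/1.1\r\nHost: www.example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY
STREAM = REQ_GET + REQ_POST
ISN = 1000
SEGMENTS = [(ISN + 70, STREAM[70:]), (ISN, STREAM[:70]), (ISN + 40, STREAM[40:70])]

if __name__ == "__main__":
    for hit in find_cleartext_credentials(SEGMENTS):
        print("clear-text credentials to http://%s%s: %s"
              % (hit["host"], hit["target"], hit["fields"]))
```

Two points the code makes that the screenshot cannot. First, the password is recoverable only because the segments can be stitched back into a stream; if the same form were submitted over HTTPS the sniffer would see TLS records, not a POST, and the filter would match nothing, which is exactly the remediation the paper recommends. Second, a real capture carries both directions of the connection and many connections at once, so the segments must first be grouped by the (source address, source port, destination address, destination port) tuple and direction before this reassembly is applied.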

interfaces at a single instance. The graphs give more visualization of various network statistics and properties. Wireshark is limited in these GUI capabilities and it
