An Insight In To Network Traffic Analysis Using Packet Sniffer


International Journal of Computer Applications (0975 – 8887) Volume 94 – No 11, May 2014

An Insight in to Network Traffic Analysis using Packet Sniffer

Jhilam Biswas
8th semester, Department of Electronics and Communication, Manipal Institute of Technology, Manipal, Karnataka, India

Ashutosh
8th semester, Department of Electronics and Communication, Manipal Institute of Technology, Manipal, Karnataka, India

ABSTRACT
Slowdown in the network performance can cause serious concern to network analysts, leading to loss in resources. Such cases are not easy to deal with, due to the lack of time and resources available. Lack of awareness about appropriate tools which detect the attacks, or not knowing exactly why a loss in network performance is occurring, are some other factors. Connectivity loss or shutting down of terminals within the network for unknown reasons are among the other problems. Mostly, the cause of these problems cannot be detected accurately and is attributed to poor network architecture, such as inefficiently configured broadcast storms, spanning tree, usage of unsuitable routing protocols within the network domain, redundant links etc. However, sometimes the cause could be attacks by unknown third parties that try to put the web server out of service by means of a DoS (Denial of Service) attack, sending traffic with a poisoned ARP in an attempt to discover hosts to infect, or simply infecting ports with malware to form part of an alien network or botnet. In all these cases, knowing the source of the attack is the first step towards taking appropriate action and achieving correct protection. That is when packet sniffers can be extremely useful to detect, analyze and map traffic. Such packet sniffers identify threats to the network and limit their harmful consequences.

General Terms
Packet sniffers, Wireshark, Data capturing techniques, LAN attacks, graphical usage of Wireshark

Keywords
Packet sniffing tools, Wireshark, LAN attacks

1. INTRODUCTION
Many sophisticated systems such as the MARS (Monitoring, Analysis and Response System) by Cisco or IDS/IPS (Intrusion Detection System/Internet Protocol System) help in identifying potential threats to a network. However, these solutions are not cost effective for every organization/company. An alternative solution is to use packet sniffing software, which gives a detailed examination of the network. Examples of such packet sniffers are Wireshark, Capsa Network Analyzer, SkyGrabber, Xplico, Microsoft Network Monitor etc.

The aim of this paper is to make network administrators and technicians aware of the advantages of monitoring the network with a packet sniffer, using the free and open source tool Wireshark. All packet sniffing tools work similarly to Wireshark, hence Wireshark was chosen for experimental purposes in this paper; other packet sniffing tools can be used too. The paper also offers practical examples of common attacks on local area networks (LANs) and how Wireshark can be used to detect these attacks. Further, this paper is divided into sections that demonstrate different real attacks on local networks, such as ARP Spoof, DHCP Flooding, DNS Spoof, DDoS Attacks, Port Monitoring, etc. Wireshark is used as the main support tool to help detect and analyze the problems generated by these attacks. At the same time, different solutions to resolve each of these attacks are proposed.

2. AN OVERVIEW OF WIRESHARK
Wireshark is a free and open-source protocol/packet tracer. It runs on both Windows and Unix platforms. Formerly known as Ethereal, its prime objective is network troubleshooting, analysis, and networking research. Wireshark provides a wide range of filters that support over 1200 protocols (version 1.10.7), all with a simple front-end that enables one to break down the captured packets on the basis of the different layers of the OSI (Open Systems Interconnection) model. The Wireshark engine can decipher the structure of different networking protocols. This feature proves extremely beneficial for users to view the fields of each one of the headers and layers of the packets being analyzed [1]. Thus Wireshark provides a wide range of options to network engineers when performing certain traffic auditing tasks. Many tools, such as Snort, OSSIM and a number of IDS/IPS serve to warn users of some of the network related problems and attacks. However, when one needs to analyze traffic in depth or monitor a network, when time is of prime importance, these tools lack the flexibility that a protocol analyzer such as Wireshark easily offers.

3. FIRST STEP OF NETWORK ANALYSIS: DISCUSSION ON WHERE TO CAPTURE THE DATA
The very first step in auditing networks is to define where to analyze the traffic. Taking a common scenario for analysis, the following assumptions were made. There is a switched network made up of a number of switches, several terminals and a file server. Network performance has dropped, however the cause is unknown. There is no IDS (Intrusion Detection System) that can alarm or inform about attacks or network malfunction. Also, it is known that there are no problems with the transfer rate of the file server to LAN (Local Area Network) terminals [3]. Furthermore, network equipment does not have Netflow protocols to analyze traffic remotely.

Wireshark was chosen to analyze the above scenario. The first doubt which arises is where to install Wireshark. It would seem logical to install Wireshark on the file server itself to analyze the traffic that flows through this network segment. However, there could be situations in which there is no physical access to the server, or it is simply not permitted for security reasons. Thus, Wireshark cannot be installed there. Some alternatives are provided in the following paragraphs that enable one to capture traffic without having to install Wireshark on the server.

3.1 Using a Hub
If a user connects a node where Wireshark is installed to one of the switch ports, he will only see the packets that flow between the switch and his terminal; however, this is not what is desired for traffic analysis. The switch divides the network into segments, creating separate collision domains for each port. Unlike a collision domain, in a broadcast domain the packets are sent to all ports (belonging to the same Virtual LAN - VLAN). This objective is met using a hub, as illustrated in Fig 1, connecting the hub (a broadcast device) to the same network segment as the user's server. Now all traffic between the switch and the server can be analyzed on the user's terminal, where Wireshark is installed.

Fig 1: Capture Mode 1 - A hub connection between the server and the user's terminal where Wireshark is installed.

3.2 Port Mirroring or VACL (VLAN-Based ACLs)
As long as the user has access to the switch, this is the most convenient method to capture network traffic. This way of working is known as Services and Protocols for Advanced Networks (SPAN). It enables the user to duplicate the traffic between one or more switch ports and mirror it to the port that he wants, as shown in Fig 2. In this method, the port configured as mirroring has to be as fast as the port(s) to be monitored, to avoid packet loss while capturing data. This method is used by many administrators to install IDS or other analysis tools [5]. The advantage of Port Mirroring is that it allows better filtering when specifying the traffic that the user wants to analyze. When configuring Port Mirroring, it is possible to redirect traffic from one port or VLAN to another. Also, with VACL it is possible to specify ACLs to select the type of traffic that the user is interested in.

Fig 2: Capture Mode 2 - Port Mirroring connection setup, which enables duplicating traffic between various switch ports.

3.3 Bridge Mode
If the user is not able to access the switch, he can use a machine with two network cards to position himself between the switch and the server, as illustrated in Fig 3. This is a MitM (Man in the Middle) at the physical level, where he has passive access to all traffic throughput. There are several ways in which the user can configure his PC in this mode. Moreover, it is easy to install and configure bridge-utils (bridge packet utilities for Linux). This is necessary to create a bridge-type interface and thereafter add the physical interfaces that form part of this bridge. Lastly, users can activate the interface and execute Wireshark. The disadvantage of this capture method is the loss of data streams during installation.

Fig 3: Capture Mode 3 - A bridge setup (Man in the Middle) where the user has access to the traffic throughput.

3.4 Arp Spoof
On certain occasions, if network administrators cannot use the previous methods, they can use the ARP Spoofing technique. This is a rather offensive method and is only useful in non-critical environments where there is a need to capture traffic between various machines. What is achieved with this method is that the machine which the user wants to monitor sends all segments via his PC where Wireshark is executing. The process is performed by infecting the cache of the machine with a false IP/MAC association [7]. Some switches have functions available that enable detection of this process (Dynamic ARP Inspection and DHCP Snooping), so it is important to deactivate this function in the network devices so that the port does not go into shutdown mode.

Fig 4: Capture Mode 4 - ARP Spoofing connection setup and flow of data within the connectivity.

3.5 Remote Packet Capture
Besides the above methods, there are several options for capturing data remotely. One of them is by means of RPCAP (Remote Packet Capture System). In this technique, in addition to a client program from which the data will be recovered and viewed (in this case, Wireshark), it is necessary to execute a server program (rpcapd) along with the required libraries on the machine. Like ARP Spoofing, this method is appropriate for non-critical environments where the user can install the software on the machine whose traffic he wishes to analyze, with the associated stability and performance risks. Users can specify the listening port and other options such as authentication and authorized client lists for connecting to the server.

Fig 5: Wireshark interface, data capture

4. EXPERIMENTAL METHODOLOGY
Wireshark was first installed on the system, according to the operating system. Next, in the settings of the web browser, the homepage was set to blank. Wireshark was opened on the system and data capturing was started. A snapshot of the captured data using Wireshark is shown in Fig 5.

The following offers a brief description of the various areas of interest which Wireshark displays once data capture starts (Figure 5 - Wireshark interface, data capture): Section 1 is the area where filters are defined. These filters enable viewing only those data packets or protocols that are of interest to the user. Section 2 corresponds to a list of all packets being captured in real time. This data (protocol type, sequence number, flags, time stamps, ports, etc.) can be interpreted to identify the problem without having to perform detailed monitoring. Section 3 enables classifying and navigating through the various layers, each header of the packets selected in section 2. Lastly, Section 4 represents the packet which was captured by the user's network card, in hexadecimal format.

5. LOCAL AREA NETWORK (LAN) ATTACKS
A client system in a LAN interacts not only with the other client systems within the same LAN but also with the client machines of other LANs. In this process of communication, the client system is prone to various attacks/threats. In order to effectively safeguard a LAN from various threats, IT managers need to understand the origins of these attacks, the methods by which they are detected and the potential risk they present to network resources. The most common types of attack along with their mitigation techniques are discussed as follows:

5.1 ARP Spoofing With a Practical Example
Besides being a method of capturing network traffic in specific circumstances, ARP Spoofing is normally used by attackers to intervene between one or more machines with the aim of intercepting and modifying the stream of data packets. This is a rather intrusive method of data capturing and is reflected in Fig 5. As depicted in the figure, some abnormality is occurring due to the large quantity of ARP traffic that is being received. A closer look at the behavior of the protocol shows that the server is being attacked. From Fig 5, it is seen that in packet number 5, the machine with IP 10.0.0.101 and a MAC of IntelCor 6e:a2:69 has sent an ARP request to the broadcast address asking for the MAC of the IP 10.0.0.1 (user's network gateway). The router immediately responds with an ARP reply indicating the MAC address. Then the same IP repeats the process and requests the MAC of the IP 10.0.0.100 (file server's IP) using another broadcast. The server responds with its MAC address (IntelCor 49:bd:9). Normal functioning occurs up to this point. The two devices - the machine on the LAN (10.0.0.101), which now has the MAC of the server, and the router - can now share Ethernet traffic. The problem arises with packet 11, when this machine repeatedly sends false ARP reply packets to the user's server and the router, associating the IP of both with its own MAC (IntelCor 6e:a2:69). This way, all traffic transmitted between the LAN gateway and the server goes through the attacking machine [13]. The basic explanation for the above scenario is as follows: The ARP protocol is a layer 3 protocol used to translate IP addresses to physical network card addresses or MAC addresses. When a device tries to access a network resource, it first sends requests to other devices asking for the MAC address associated with the IP it wants to reach. The caller will keep the IP - MAC association in its ARP cache, to speed up new connections to the same IP address. The attack comes into picture when a particular machine asks
