DOCSLIB.ORG

CIT 485: Exploit Kits

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
CIT 485: Exploit Kits CIT 485/585 Exploit Kits The primary objective of this assignment is to learn how exploit kits act to compromise victims and how such malware attempts to hide itself. This lesson comes with a set of files containing captured packets in either the PCAP or PCAPNG formats. Sections of the lesson will refer to the appropriate packet capture files to use by name. Use the references in the References section at the bottom of the lesson when needed to answer questions about the protocols in the lesson. STUDENT LEARNING OUTCOMES 1. Identify malware activity in captured network traffic. 2. Extract files transferred over HTTP. 3. Determine if files are malicious using local and cloud anti-malware tools. INTRODUCTION The objective of this assignment is to learn how to use network data to detect and respond to malware attacks. We will use PCAP tools like Wireshark, the snort IDS, and a two new tools: Clam AV and justniffer. To install ClamAV, run the following commands on your Kali VM. # apt-get update # apt-get install clamav # freshclam Clam AV is a free anti-virus program, which we can use to determine whether executables found in network traffic are malware or not. In addition to ClamAV, we can upload extracted files (or entire pcap files) to VirusTotal to evaluate files using dozens of anti-virus programs. Note that VirusTotal archives uploaded files, so the site should only be used with files that do not contain confidential or sensitive information. Uploading malware executables or example PCAPs from this assignment is fine. Packet captures from corporate networks typically need to have data removed or altered to avoid giving away confidential data and non-confidential but still sensitive data like IP addresses. To install Justniffer, run the following commands: # apt-get install libboost-all-dev libnids-dev python-nids libpcap0.8-dev # git clone https://github.com/onotelli/justniffer # cd justniffer # ./configure --prefix /usr/local # make && make install # cd python # python setup.py Justniffer is a command line network sniffer with a focus on HTTP. We will use justniffer HTTP protocol analysis features to more easily investigate HTTP traffic than we can using Wireshark or tcpdump. Justniffer also comes with a script to extract files from HTTP traffic. This script has some advantages over using Wiresharks Export HTTP Objects feature. 1 EXPLOIT KIT STRUCTURE Exploit kits are toolkits for cybercriminals to exploit systems and install malware on them. Exploit kits are typically deployed on web servers and have the following components. 1. Contact. The attacker uses social engineering to entice a user to click on a link to the server hosting the exploit kit. The first contact server may be owned by the criminal or it may be a legitimate web site compromised by the criminal. 2. Redirect. The software component on the web server screens the users browser to see if it matches certain criteria desired by the criminal, such as being located in a certain country. Browsers that pass the screening are redirected to the exploit kits landing page. 3. Exploit. The landing page examines information about the users browser and OS, starting with the browsers User-Agent string, to determine which vulnerabilities are present that match exploits in the kit. If a match is found, the landing page sends an appropriate exploit to the victims browser. 4. Infect. After successfully exploiting a vulnerability, the attacker now downloads and executes mal- ware on the victim system. EXPLOIT KIT ANALYSIS The data for this section can be found in 2014-11-16-traffic-analysis-exercise.pcap. Load the data in Wireshark and start by identifying the participants, including the victim and the web servers hosting exploit kit components. Since most of the traffic is web-based, the display filter http.request in Wireshark can be useful in getting an overview of what is happening. When using this filter, I recommend adding the web server hostname as a column in the packet overview pane, by selecting the HTTP data from one packet, left clicking on the HTTP Host header, then right clicking and selecting the Apply as Column from the right-click menu. Answer the following questions about the victim using Wireshark. Information about the victim PC can be found in DHCP and HTTP packets. When examining HTTP packets, user agent strings provide the most information about a client. Information about how to interpret user agent strings can be found at sites like http://www.useragentstring.com/ or https://udger.com/resources/ua-list. 1. What is the IP address of the victim PC? 2. What is the hostname of the victim PC? Check DHCP packets for this information. 3. Which web browser is the victim using? Include version number. 4. Which version of Windows is running on the victim PC? Note that it is often reported as Windows NT x.y. Translate that to a named Windows version like XP, 7, Vista, etc.If a users OS and browser have all currently available security patches, then it will be highly unlikely that an exploit kit can infect that user. Zero day exploits can infect fully patched systems but are highly valuable and used only on the most valuable targets. Criminals can purchase exploit kits for around $1000, while sale prices of zero day vulnerabilities start at $5000 and go up to $250,000. Fortunately for users of exploit kits, relatively few users have fully patched systems at all times. 2 JUSTNIFFER ANALYSIS Use justniffer to analyze the HTTP traffic in the file with the command below. The -u option indicates to print binary characters as periods, while the pipe to grep eliminates most binary only data lines that describe non-HTTP flows. The -l option lets us specify what features of each HTTP flow to print. Use man justniffer to learn about all the possible data to print with this option. We print the webserver hostname, the URL being accessed, and the HTTP response code. Remember that 2xx response codes indicate success, 3xx are redirects, and 4xx and 5xx are errors. See RFC 2616 for details on the meaning of individual response codes. $ justniffer -u -l "%request.header.host %request.url %response.code" -f 2014-11-16-traffic-analysis-exercise.pcap | fgrep -v ... | less www.ciniholland.nl /wp-content/plugins/contact-form-7/includes/css/styles.css? ver=3.7.2 200 www.ciniholland.nl /wp-content/plugins/sitemap/css/page-list.css?ver=4.2 200 www.ciniholland.nl /wp-content/themes/cini/js/functions.js 200 www.ciniholland.nl / 200 www.ciniholland.nl /wp-content/themes/cini/style.css 200 HTTP requests are listed in the order they occurred. Add %request.timestamp to your -l option string if you want to know the time an HTTP flow occurred. Adding %source.ip to the -l option is useful in most situations, but this particular PCAP has data for only a single browser using HTTP, so the IP address is always that of the victim. As a result, the list of HTTP flows provided by Justniffer is an ordered list of the servers and URLs the victim contacted during their web browsing session. Answer the following questions about the exploit kit using Wireshark and justniffer: 1. What is the IP address of the contact server? 2. What is the domain name of the contact server? 3. What web servers does the victim contact in order? To answer this easily, you can eliminate everything from the justniffer -l string except %request.header.host. When looking at the list of web servers in your answer to question 7, the hostnames of three web servers appear many times, whereas a couple of web servers like www.youtube.com appear only once. The servers that appear only once are most likely advertisements or trackers that are not part of the exploit kit. The web servers that are components of the exploit kit are the servers that appear multiple times. Based on this information, answer the following questions: 1. What is the domain name of the EKs redirect server? 2. What is the domain name of the EKs server that contains the exploit? Looking at the output of the original Justniffer command, there is only one HTTP redirect (as indicated by a 301 response code). How is users browser transferred from one component of the exploit kit to the next without HTTP redirects? Use the ngrep command in the form ngrep -I filename hostname where hostname represents the name of the one of the EKs components. The hostname of the redirect server must be found somewhere in the HTML, CSS, or JavaScript content of the contact page in order for the contact page to transfer control to the redirect server. Similarly, the hostname of the server with the exploit server must be found somewhere in the content provided by the redirect server. 3 1. What type of content is the URL of the redirect server found in? 2. What is the IP address of the server that sends the redirect to the redirect server? Does this IP address match that of the contact server? 3. What type of content is the URL of the exploit server found in? 4. What is the IP address of the server that redirects the browser to the exploit server? Does this IP address match that of the redirect server? HTTP FILE CARVING We have two options for carving files from HTTP traffic. We can use Wireshark’s Export HTTP Objects feature or we can use the script justniffer-grab-http-traffic that comes with justniffer. The justniffer script has a couple of advantages over Wireshark: it organizes files by domain, and it gives files names based on URL paths with appropriate suffixes by MIME type.
Load more

Recommended publications
  • Implementing Cisco Cyber Security Operations
    2019 CLUS Implementing Cisco Cyber Security Operations Paul Ostrowski / Patrick Lao / James Risler Cisco Security Content Development Engineers LTRCRT-2222 2019 CLUS Cisco Webex Teams Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Live Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space Webex Teams will be moderated cs.co/ciscolivebot#LTRCRT-2222 by the speaker until June 16, 2019. 2019 CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Agenda • Goals and Objectives • Prerequisite Knowledge & Skills (PKS) • Introduction to Security Onion • SECOPS Labs and Topologies • Access SECFND / SECOPS eLearning Lab Training Environment • Lab Evaluation • Cisco Cybersecurity Certification and Education Offerings 2019 CLUS LTRCRT-2222 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Goals and Objectives: • Today's organizations are challenged with rapidly detecting cybersecurity breaches in order to effectively respond to security incidents. Cybersecurity provides the critical foundation organizations require to protect themselves, enable trust, move faster, add greater value and grow. • Teams of cybersecurity analysts within Security Operations Centers (SOC) keep a vigilant eye on network security monitoring systems designed to protect their organizations by detecting and responding to cybersecurity threats. • The goal of Cisco’s CCNA Cyber OPS (SECFND / SECOPS) courses is to teach the fundamental skills required to begin a career working as an associate/entry-level cybersecurity analyst within a threat centric security operations center. • This session will provide the student with an understanding of Security Onion as an open source network security monitoring tool (NSM).
    [Show full text]
  • Virtualization of the RIOT Operating System
    Computer Systems and Telematics — Distributed, Embedded Systems Diploma Thesis Virtualization of the RIOT Operating System Ludwig Ortmann Matr. 3914103 Supervisor: Dr. Emmanuel Baccelli Assisting Supervisor: Prof. Dr.-Ing. Jochen Schiller Institute of Computer Science, Freie Universität Berlin, Germany March 2, 2015 iii I hereby declare to have written this thesis on my own. I have used no other literature and resources than the ones referenced. All text passages that are literal or logical copies from other publications have been marked accordingly. All figures and pictures have been created by me or their sources are referenced accordingly. This thesis has not been submitted in the same or a similar version to any other examination board. Berlin, March 2, 2015 (Ludwig Ortmann) Abstract Abstract Software developers in the growing field of the Internet of Things face many hurdles which arise from the limitations of embedded systems and wireless networking. The employment of hardware and network virtualization promises to allow developers to test and debug hard- ware independent code without being affected by these limitations. This thesis presents RIOT native, a hardware and network emulation implementation for the RIOT operating system, which enables developers to compile and run RIOT as a process in their host operat- ing system. Running the operating system as a process allows for the use of debugging tools and techniques only available on desktop computers otherwise, the integration of common network analysis tools, and the emulation of arbitrary network topologies. By enabling the use of these tools and techniques for the development of software for distributed embedded systems, the hurdles they impose on the development process are significantly reduced.
    [Show full text]
  • Hands-On Network Forensics, FIRST 2015
    2015-04-30 WWW.FORSVARSMAKTEN.SE Hands-on Network Forensics Workshop Preparations: 1. Unzip the virtual machine from NetworkForensics_ VirtualBox.zip on your EXTENSIVE USE OF USB thumb drive to your local hard drive COMMAND LINE 2. Start VirtualBox and run the Security Onion VM IN THIS WORKSHOP 3. Log in with: user/password 1 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Hands-on Network Forensics Erik Hjelmvik, Swedish Armed Forces CERT FIRST 2015, Berlin 2 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Hands-on Network Forensics Workshop Preparations: 1. Unzip the virtual machine from NetworkForensics_ VirtualBox.zip on your EXTENSIVE USE OF USB thumb drive to your local hard drive COMMAND LINE 2. Start VirtualBox and run the Security Onion VM IN THIS WORKSHOP 3. Log in with: user/password 3 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE ”Password” Ned 4 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE SysAdmin: Homer 5 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE PR /Marketing: Krusty the Clown 6 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Password Ned AB = pwned.se 7 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE pwned.se Network [INTERNET] | Default Gateway 192.168.0.1 PASSWORD-NED-XP www.pwned.se | 192.168.0.53 192.168.0.2 [TAP]--->Security- | | | Onion -----+------+---------+---------+----------------+------- | | Homer-xubuntu Krustys-PC 192.168.0.51 192.168.0.54 8 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Security Onion 9 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Paths (also on Cheat Sheet) • PCAP files: /nsm/sensor_data/securityonion_eth1/dailylogs/ • Argus files:
    [Show full text]
  • Network Intell: Enabling the Non-Expert Analysis of Large Volumes of Intercepted Network Traffic
    Chapter 1 NETWORK INTELL: ENABLING THE NON- EXPERT ANALYSIS OF LARGE VOLUMES OF INTERCEPTED NETWORK TRAFFIC Erwin van de Wiel, Mark Scanlon and Nhien-An Le-Khac Abstract In criminal investigations, telecommunication wiretaps have become a common technique used by law enforcement. While phone-based wire- tapping is well documented and the procedure for their execution are well known, the same cannot be said for Internet taps. Lawfully inter- cepted network traffic often contains a lot of encrypted traffic making it increasingly difficult to find useful information inside the traffic cap- tured. The advent of Internet-of-Things further complicates the pro- cess for non-technical investigators. The current level of complexity of intercepted network traffic is close to a point where data cannot be analysed without supervision of a digital investigator with advanced network knowledge. Current investigations focus on analysing all traffic in a chronological manner and are predominately conducted on the data contents of the intercepted traffic. This approach often becomes overly arduous when the amount of data to be analysed becomes very large. In this paper, we propose a novel approach to analyse large amounts of intercepted network traffic based on network metadata. Our approach significantly reduces the duration of the analysis and also produces an arXiv:1712.05727v2 [cs.CR] 27 Jan 2018 insight view of analysing results for the non-technical investigator. We also test our approach with a large sample of network traffic data. Keywords: Network Investigation, Big Data Forensics, Intercepted Network Traffic, Internet tap, Network Metadata Analysis, Non-Technical Investigator. 1. Introduction Lawful interception is a method that is used by the police force in some countries in almost all middle-to high-level criminal investigations.
    [Show full text]
  • CIT 485: Network Forensics
    CIT 485/585 Network Forensics The primary objective of this assignment is to learn a process for investigating security incidents and to give students practice analyzing such an incident using captured network data. 1S TUDENT LEARNING OUTCOMES 1. Describe digital evidence and how the type of legal dispute affects evidence used to resolve it. 2. Describe the steps of the OSCAR network forensics methodology. 3. Identify and decode protocols used on non-standard ports. 4. Investigate suspicious network data for malicious activity. 2D IGITAL EVIDENCE Digital evidence refers to any data collected in digital form from any computer, whether that computer is a desktop, mobile device, game console, printer, or IoT device. A primary goal of digital forensics is ensuring evidence integrity, the preservation of evidence in its original form. Evidence integrity is supported by a chain of custody, a set of documentation that describes the acquisition, copying, and analysis of digital evidence. As analysis of digital data often changes that data (reading a file will not modify the file itself but will change the last accessed time on the file), cryptographic checksums such as SHA-256 are often used to ensure that copies of digital evidence match the original evidence. Details of digital evidence handling are discussed in CIT 430: Computer Forensics. Digital evidence in a criminal case is returned through an inventory of items take through a search warrant. Any devices that may contain an embedded computer can contain digital evidence. Defense attorneys can request an invetory of items and obtain forensic copies of the data from those devices.
    [Show full text]
  • I3: Maximizing Packet Capture Performance
    I3: Maximizing Packet Capture Performance Andrew Brown Agenda • Why do captures drop packets, how can you tell? • Software considerations • Hardware considerations • Potential hardware improvements • Test configurations/parameters • Performance results Sharkfest 2014 What is a drop? • Failure to capture a packet that is part of the traffic in which you’re interested • Dropped packets tend to be the most important • Capture filter will not necessarily help Sharkfest 2014 Why do drops occur? • Applications don’t know that their data is being captured • Result: Only one chance to capture a packet • What can go wrong? Let’s look at the life of a packet Sharkfest 2014 Internal packet flow • Path of a packet from NIC to application (Linux) • Switch output queue drops • Interface drops • Kernel drops Sharkfest 2014 Identifying drops • Software reports drops • L4 indicators (TCP ACKed lost segment) • L7 indicators (app-level sequence numbers revealed by dissector) Sharkfest 2014 When is (and isn’t) it necessary to take steps to maximize capture performance? • Not typically necessary when capturing traffic of <= 1G end device • More commonly necessary when capturing uplink traffic from a TAP or SPAN port • Some sort of action is almost always necessary at 10G • Methods described aren’t always necessary • Methods focus on free solutions Sharkfest 2014 Software considerations - Windows • Quit unnecessary programs • Avoid Wireshark for capturing ˗ Saves to TEMP ˗ Additional processing for packet statistics • Uses CPU • Uses memory over time, can lead
    [Show full text]
  • Airpcap User's Guide
    AirPcap User’s Guide May 2013 © 2013 Riverbed Technology. All rights reserved. Accelerate®, AirPcap®, BlockStream™, Cascade®, Cloud Steelhead®, Granite™, Interceptor®, RiOS®, Riverbed®, Shark®, SkipWare®, Steelhead®, TrafficScript®, TurboCap®, Virtual Steelhead®, Whitewater®, WinPcap®, Wireshark®, and Stingray™ are trademarks or registered trademarks of Riverbed Technology, Inc. in the United States and other countries. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed Technology or their respective owners. Riverbed Technology 199 Fremont Street San Francisco, CA 94105 Tel: +1 415 247 8800 Fax: +1 415 247 8801 www.riverbed.com 712-00090-02 ii Contents The AirPcapProduct Family .................................................................................... 1 A Brief Introduction to 802.11 ................................................................................. 2 Terminology ........................................................................................................ 2 802.11 Standards ................................................................................................. 3 Channels ............................................................................................................. 3 Types of Frames ................................................................................................
    [Show full text]
  • RIOT: an Open Source Operating System for Low-End Embedded Devices in the Iot Emmanuel Baccelli, Cenk Gundo¨ Gan,˘ Oliver Hahm, Peter Kietzmann, Martine S
    This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2018.2815038, IEEE Internet of Things Journal 1 RIOT: an Open Source Operating System for Low-end Embedded Devices in the IoT Emmanuel Baccelli, Cenk Gundo¨ gan,˘ Oliver Hahm, Peter Kietzmann, Martine S. Lenders, Hauke Petersen, Kaspar Schleiser, Thomas C. Schmidt, and Matthias Wahlisch¨ Abstract—As the Internet of Things (IoT) emerges, compact low-end IoT devices. RIOT runs on minimal memory in the operating systems are required on low-end devices to ease devel- order of ≈10kByte, and can run on devices with neither MMU opment and portability of IoT applications. RIOT is a prominent (memory management unit) nor MPU (memory protection free and open source operating system in this space. In this paper, we provide the first comprehensive overview of RIOT. We cover unit). The goal of this paper is to provide an overview of the key components of interest to potential developers and users: RIOT, both from the operating system point of view, and from the kernel, hardware abstraction, and software modularity, both an open source software and ecosystem point of view. conceptually and in practice for various example configurations. We explain operational aspects like system boot-up, timers, power Prior work [28], [29] has surveyed the space of operating management, and the use of networking. Finally, the relevant APIs as exposed by the operating system are discussed along systems for low-end IoT devices.
    [Show full text]
  • Network Forensics
    Network Forensics Michael Sonntag Institute of Networks and Security What is it? Evidence taken from the “network” In practice this means today the Internet (or LAN) In special cases: Telecommunication networks (as long as they are not yet changed to VoIP!) Typically not available “after the fact” Requires suspicions and preparation in advance Copying the communication content At the source (=within the suspects computer): “Online search” This could also be a webserver, e.g. if it contains illegal content “Source” does NOT mean that this is the client/initiator of communication/… At the destination: See some part of the traffic Only if unavoidable or the only interesting part Somewhere on the way of the (all?) traffic: ISP, physically tapping the wires, home routers etc. Network Forensics 2 Problems of network forensics “So you have copied some Internet traffic – but how is it linked to the suspect?” The IP addresses involved must be tied to individual persons This might be easy (location of copying) or very hard “When did it take place?” Packet captures typically have only relative timestamps But there may be lots of timestamps in the actual traffic! As supporting evidence to some external documentation “Is it unchanged?” These are merely packets; their content can be changed Although it is possible to check e.g. checksums, this is a lot of work and normally not done Treat as any other digital evidence Hash value + Chain of Custody; work on copies only Network Forensics 3 Scenario Suspect: Mallory Malison; released
    [Show full text]
  • Guide to Computer Forensics and Investigations Fourth Edition
    Guide to Computer Forensics and Investigations Fourth Edition Chapter 11 Virtual Machines, Network Forensics, and Live Acquisitions Objectives • Describe primary concerns in conducting forensic examinations of virtual machines • Describe the importance of network forensics • Explain standard procedures for performing a live acquisition • Explain standard procedures for network forensics • Describe the use of network tools Guide to Computer Forensics and Investigations 2 Virtual Machines Overview • Virtual machines are important in today’s networks. • Investigators must know how to detect a virtual machine installed on a host, acquire an image of a virtual machine, and use virtual machines to examine malware. Virtual Machines Overview (cont.) • Check whether virtual machines are loaded on a host computer. • Check Registry for clues that virtual machines have been installed or uninstalled. Network Forensics Overview • Network forensics – Systematic tracking of incoming and outgoing traffic • To ascertain how an attack was carried out or how an event occurred on a network • Intruders leave trail behind • Determine the cause of the abnormal traffic – Internal bug – Attackers Guide to Computer Forensics and Investigations 5 Securing a Network • Layered network defense strategy – Sets up layers of protection to hide the most valuable data at the innermost part of the network • Defense in depth (DiD) – Similar approach developed by the NSA – Modes of protection • People • Technology • Operations Guide to Computer Forensics and Investigations
    [Show full text]
  • Contents in Detail
    CONTENTS IN DETAIL ACKNOWLEDGMENTS xv INTRODUCTION xvii Why This Book? .....................................................................................................xvii Concepts and Approach ........................................................................................xviii How to Use This Book ............................................................................................. xix About the Sample Capture Files ................................................................................ xx The Rural Technology Fund ....................................................................................... xx Contacting Me ........................................................................................................ xx 1 PACKET ANALYSIS AND NETWORK BASICS 1 Packet Analysis and Packet Sniffers ............................................................................. 2 Evaluating a Packet Sniffer ............................................................................ 2 How Packet Sniffers Work............................................................................. 3 How Computers Communicate.................................................................................... 4 Protocols ..................................................................................................... 4 The Seven-Layer OSI Model .......................................................................... 5 Data Encapsulation .....................................................................................
    [Show full text]
  • Introduction to Wireshark
    ¡ ¢ £ ¤ ¥ £ ¢ ¦ ¢ £ § ¨ ¤ © ¢ ¦ ¥ ¡ ¥ ¤ ¥ ¢ ¡ ¦ © £ £ ¨ ¡ ¥ ¢ ¨ ¡ 3 INTRODUCTION TO WIRESHARK As mentioned in Chapter 1, several packet-sniffing applications are available for performing network analysis, but we’ll focus mostly on Wireshark in this book. This chapter introduces Wireshark. A Brief History of Wireshark Wireshark has a very rich history. Gerald Combs, a computer science gradu- ate of the University of Missouri at Kansas City, originally developed it out of necessity. The first version of Combs’s application, called Ethereal, was released in 1998 under the GNU Public License (GPL). Eight years after releasing Ethereal, Combs left his job to pursue other career opportunities. Unfortunately, his employer at that time had full rights to the Ethereal trademarks, and Combs was unable to reach an agreement that would allow him to control the Ethereal brand. Instead, Combs and the rest of the development team rebranded the project as Wireshark in mid-2006. ¡ ¢ £ ¤ ¥ £ ¢ ¦ ¢ £ § ¨ ¤ © ¢ ¦ ¥ ¡ ¥ ¤ ¥ ¢ ¡ ¦ © £ £ ¨ ¡ ¥ ¢ ¨ ¡ Wireshark has grown dramatically in popularity, and its collaborative development team now boasts more than 500 contributors. The program that exists under the Ethereal name is no longer being developed. The Benefits of Wireshark Wireshark offers several benefits that make it appealing for everyday use. Aimed at both the up-and-coming and the expert packet analyst, it offers a variety of features to entice each. Let’s examine Wireshark according to the criteria defined in Chapter 1 for selecting a packet-sniffing tool. Supported protocols Wireshark excels in the number of protocols that it supports—more than 1,000 as of this writing. These range from common ones like IP and DHCP to more advanced proprietary proto- cols like DNP3 and BitTorrent.
    [Show full text]