Network Monitoring and Detecting Packets Using Packet Sniffing Method
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Getting Started with Ethereal
Ethereal: Getting Started Computer Networking: A Top- down Approach Featuring the Internet, 3rd edition. Version: July 2005 © 2005 J.F. Kurose, K.W. Ross. All Rights Reserved ªTell me and I forget. Show me and I remember. Involve me and I understand.º Chinese proverb One's understanding of network protocols can often be greatly deepened by ªseeing protocols in actionº and by ªplaying around with protocolsº ± observing the sequence of messages exchanged between two protocol entities, delving down into the details of protocol operation, and causing protocols to perform certain actions and then observing these actions and their consequences. The basic tool for observing the messages exchanged between executing protocol entities is called a packet sniffer. As the name suggests, a packet sniffer captures (ªsniffsº) messages being sent/received from/by your computer; it will also typically store and/or display the contents of the various protocol fields in these captured messages. A packet sniffer itself is passive. It observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer receives a copy of packets that are sent/received from/by application and protocols executing on your machine. Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in this case, Internet protocols) and applications (such as a web browser or ftp client) that normally run on your computer. The packet sniffer, shown within the dashed rectangle in Figure 1 is an addition to the usual software in your computer, and consists of two parts. -
Exploring Open Source Wireless Tools by Jake Snyder (The Dread Pirate Roberts) @Jsnyder81 Who Am I?
Exploring Open Source Wireless Tools By Jake Snyder (The Dread Pirate Roberts) @jsnyder81 Who am I? • Wireless Engineer at CompuNet Inc • CCIE-W #43153 • CWNE #161 • Security Enthusiast • Linux hobbiest • Wireless Field Day Delegate (http://techfieldday.com/event/wfd8/) • Blogger • Maker What does a set of professional tools cost? What I use at work: Ekahau ESS: $4000 Omnipeek: $2500 Chanalyzer + WiSpy: $1250 Aircheck: $2000 *All prices are approximates Professional tools in my first year. • Airmagnet Survey pro • Yup, that was it. http://www.popsugar.com/entertainment/Princess-Bride-Quotes-35919789#photo-35919789 “I mean, if we only had a wheelbarrow, that would be something.” -Westley Sometimes you have to build a wheelbarrow • Linux VM • Proxim 8494 • Airmon-NG • Wireshark “Well, why didn’t you list that among our assets in the first place” -Westley All these tools… Why Open Source? Pros: Cons: • Low Cost • Free if your time is worth • Flexibility nothing • Lots of available tools • Pieces of a solution, you have to put it together • Low barrier to entry • Requires knowledge • Time = investment “Please consider opensource as an alternative to suicide.” – Prince Humperdink What are my hobbiest opensource costs? Options for todays presentation: Raspberry PI: $223 Intel NUC $436 Raspberry PI 2B $38 NUC5CPYH: $134.00 ASUS USB-N53 $45 8G Memory: $34 Micro SD Card: $15 SSD: $40 Case: $5 Intel 7265 $28 Ubertooth: $120 WiSpy 2.4Ghz: $200 Existing Laptop: $8 • USB stick to boot linux • The chocolate coating makes it go down easier • VM is an option, albeit not a good one My Preferred Wireless Adapters • Asus USB-N53 • Intel 726x • 802.11n • 802.11ac • 2x2:2 • 2x2:2 • USB 2.0 • Mini PCIe half height and m.2 • Ralink RT3572 using RT2800 Driver • Intel IWLWIFI: Non-Free firmware • Works on Raspberry PI required • $45 on Amazon • $27 on amazon • Has issues with Deauth/Dissassoc • Lots of clients using them packets not being passed to host. -
Wireshark & Ethereal Network Protocol Analyzer
377_Eth2e_FM.qxd 11/14/06 1:23 PM Page i Visit us at www.syngress.com Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our cus- tomers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site. SOLUTIONS WEB SITE To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s). ULTIMATE CDs Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of exper- tise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few. DOWNLOADABLE E-BOOKS For readers who can’t wait for hard copy, we offer most of our titles in download- able Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably. SYNGRESS OUTLET Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings. SITE LICENSING Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. -
Packet Capture and Analysis in Hybrid Environments
Packet Capture and Analysis in Hybrid Environments Lawrence Miller Inside the Guide • Discover why packet capture and analysis of on- premises and cloud applications in modern hybrid environments is so challenging • Learn how to analyze packets at the Transport and Application Layers to uncover the root cause of issues • Explore how putting the right tools in the hands of the right people can help make your entire IT team more effective THE GORILLA GUIDE TO... Packet Capture and Analysis in Hybrid Environments Express Edition By Lawrence Miller Copyright © 2020 by ActualTech Media All rights reserved. This book or any portion thereof may not be reproduced or used in any manner whatsoever without the express written permission of the publisher except for the use of brief quotations in a book review. Printed in the United States of America. ACTUALTECH MEDIA 6650 Rivers Ave Ste 105 #22489 North Charleston, SC 29406-4829 www.actualtechmedia.com PUBLISHER’S ACKNOWLEDGEMENTS EDITOR Keith Ward, ActualTech Media PROJECT MANAGER Wendy Hernandez, ActualTech Media EXECUTIVE EDITOR James Green, ActualTech Media LAYOUT AND DESIGN Olivia Thomson, ActualTech Media WITH SPECIAL CONTRIBUTIONS FROM Paul R. Dietz, Riverbed Stephen Creel, Riverbed Heidi Gabrielson, Riverbed Kowshik Bhat, Riverbed TABLE OF CONTENTS Introduction 7 Chapter 1: A Primer on Packets 8 Looking at Packets and Packet-Switched Networks 8 Understanding the Open Systems Interconnection (OSI) Model and Packet Encapsulation 11 Addressing Modern Packet Capture and Analysis Challenges 13 -
Steelcentral Packet Analyzer Reference Manual, Personal Edition
SteelCentral Packet Analyzer Reference Manual Personal Edition Version 10.9 October 2015 © 2015 Riverbed Technology. All rights reserved. Riverbed®, SteelApp™, SteelCentral™, SteelFusion™, SteelHead™, SteelScript™, SteelStore™, Steelhead®, Cloud Steelhead®, Virtual Steelhead®, Granite™, Interceptor®, Stingray™, Whitewater®, WWOS™, RiOS®, Think Fast®, AirPcap®, BlockStream™, FlyScript™, SkipWare®, TrafficScript®, TurboCap®, WinPcap®, Mazu®, OPNET®, and Cascade® are all trademarks or registered trademarks of Riverbed Technology, Inc. (Riverbed) in the United States and other countries. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed or their respective owners. F5, the F5 logo, iControl, iRules, and BIG-IP are registered trademarks or trademarks of F5 Networks, Inc. in the U.S. and certain other countries. Linux is a trademark of Linus Torvalds in the United States and in other countries. VMware, ESX, ESXi are trademarks or registered trademarks of VMware, Incorporated in the United States and in other countries. Portions of SteelCentral™ products contain copyrighted information of third parties. Title thereto is retained, and all rights therein are reserved, by the respective copyright owner. PostgreSQL is (1) Copyright © 1996-2009 The PostgreSQL Development Group, and (2) Copyright © 1994-1996 the Regents of the University -
Wireshark Lab1, Part A: Getting Started
Wireshark Lab1, part a: Getting Started Version: 2.0 © 2007 J.F. Kurose, K.W. Ross. All Rights Reserved “Tell me and I forget. Show me and I remember. Involve me and I understand.” Chinese proverb One’s understanding of network protocols can often be greatly deepened by “seeing protocols in action” and by “playing around with protocols” – observing the sequence of messages exchanged between two protocol entities, delving down into the details of protocol operation, and causing protocols to perform certain actions and then observing these actions and their consequences. In these Wireshark labs we will observe the operation of real network protocols. You will be running various network applications in different scenarios using a computer in the lab or your own computer, if you prefer. You will observe the network protocols in your computer “in action,” interacting and exchanging messages with protocol entities executing elsewhere in the Internet. The basic tool for observing the messages exchanged between executing protocol entities is called a packet sniffer. As the name suggests, a packet sniffer captures (“sniffs”) messages being sent/received from/by your computer. It will also typically store and/or display the contents of the various protocol fields in these captured messages. A packet sniffer itself is passive. It observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer receives a copy of packets that are sent/received from/by application and protocols executing on your machine. -
Promiscuous Mode Detection Platform
Promiscuous Mode Detection Platform Zouheir Trabelsi and Hamza Rahmani College of Telecommunications The University of Tunisia Cité Technologique des Communications Route de Raoued Km 3,5 – 2083 El Ghazala, Ariana, Tunisia Abstract. Among various types of attacks on an Ethernet network, “sniffing attack” is probably one of the most difficult attacks to handle. Sniffers are programs that allow a host to capture any packets in an Ethernet network, by putting the host’s Network Interface Card (NIC) into the promiscuous mode. When a host’s NIC is in the normal mode, it captures only the packets sent to the host. Since many basic services, such as FTP, Telnet and SMTP, send passwords and data in clear text in the packets, sniffers can be used by hackers to capture passwords and confidential data. A number of anti-sniffers have been developed, such as PMD [18], PromiScan [17] and L0pht AntiSniff [19]. An anti-sniffer is a program that tries to detect the hosts running sniffers, in a Local Area Network (LAN). Current anti-sniffers are mainly based on three detection techniques, namely: the ARP detection, the DNS detection, and the RTT (Round Trip Time) detection techniques [13 and 16]. However, sniffers are becoming very advanced so that anti-sniffers are unable to detect them. The main drawback of these detection techniques is that they rely on the ARP, ICMP and/or DNS reply messages generated by the sniffing hosts. Therefore, in order to stay undetectable by anti-sniffers, advanced sniffers do not generate such reply messages while sniffing. This paper discusses an anti-sniffer based on a new detection technique. -
Qualitative Assessment of Digital Forensic Tools
Asian Journal of Electrical Sciences ISSN: 2249- 6297, Vol. 9, No. 1, 2020, pp. 25-32 © The Research Publication, www.trp.org.in Qualitative Assessment of Digital Forensic Tools Sakshi Singh and Suresh Kumar Department of Computer Science and Engineering, Ambedkar Institute Of Advanced Communication Technologies & Research New Delhi, Delhi, India. E-mail: [email protected], [email protected] Abstract - Forensic science is a study of science to criminals and A. Network Forensics: Network forensics is a branch of civil laws. Digital forensics is the part of forensic science relating advanced digital forensic identifying with the observing and to proof found in computers and advanced storage media. investigation of computer system traffic to collect network Forensic examiners gather, protect and break down logical traffic data, legitimate proof or interruption recognition. The confirmations over the span of examination. Digital information significant objective of the forensics of the network is to contains data as content, pictures, sound, video and so on. These days numerous cybercrime cases, for example, hacking, banking gather proof from the network traffic. It attempts to investigate cheats, phishing, email spamming, etc., have developed which are traffic information collected from various websites and connected with a computerized information. Since the digital network equipment, for example, IDS and firewalls. It screens investigation is turning into an expanding concern, numerous on the system to distinguish assaults and examine the idea of digital forensic tools have been created to manage the difficulties attacks. It is also the way of distinguishing interruption of exploring computerized wrongdoings. The motivation behind examples concentrating on attackers' exercises. -
Network Traffic Analysis and Intrusion Detection Using Packet Sniffer
2010 Second International Conference on Communication Software and Networks Network Traffic Analysis and Intrusion Detection using Packet Sniffer Mohammed Abdul Qadeer Mohammad Zahid Dept. of Computer Engineering, Asst. System Engineer, Aligarh Muslim University, Tata Consultancy Services, Aligarh- 202002, India Trivandrum, India [email protected] [email protected] Arshad Iqbal MisbahurRahman Siddiqui Scientist B, Univ. Women’s Polytechnic, GTRE, DRDO, Aligarh Muslim University, Bangalore, India Aligarh- 202002, India [email protected] [email protected] Abstract- Computer software that can intercept and log traffic the output captured by the Wireshark (packet sniffer passing over a digital network or part of a network is better software formerly known as Ethereal). In figure 2 we have known as packet sniffer. The sniffer captures these packets by shown that how the data travels from application layer to the setting the NIC card in the promiscuous mode and eventually network interface card. decodes them. The decoded information can be used in any way depending upon the intention of the person concerned who decodes the data (i.e. malicious or beneficial purpose). Depending on the network structure one can sniff all or just parts of the traffic from a single machine within the network. However, there are some methods to avoid traffic narrowing by switches to gain access to traffic from other systems on the network. This paper focuses on the basics of packet sniffer and its working, development of the tool on Linux platform and its use for Intrusion Detection. It also discusses ways to detect the presence of such software on the network and to handle them in an efficient way. -
Wireshark Network Security
Wireshark Network Security A succinct guide to securely administer your network using Wireshark Piyush Verma BIRMINGHAM - MUMBAI Wireshark Network Security Copyright © 2015 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. First published: July 2015 Production reference: 1240715 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-78439-333-5 www.packtpub.com Credits Author Project Coordinator Piyush Verma Nidhi Joshi Reviewers Proofreader David Guillen Fandos Safis Editing Mikael Kanstrup Jaap Keuter Indexer Priya Sane Tigran Mkrtchyan Production Coordinator Commissioning Editor Shantanu N. Zagade Amarabha Banerjee Cover Work Acquisition Editor Shantanu N. Zagade Larissa Pinto Content Development Editor Siddhesh Salvi Technical Editor Madhunikita Sunil Chindarkar Copy Editor Dipti Mankame About the Author Piyush Verma currently serves as a senior security analyst at NII Consulting, India, and enjoys hacking his way into organizations (legally) and fixing the vulnerabilities encountered. -
Network Forensics Network Forensics Principles
Agenda Network Forensics PPrinciples of Network Forensics PTerms & Log-based Tracing Richard Baskerville PApplication Layer Log Analysis PLower Layer Log Analysis Georgia State University 1 2 Network Forensics Network Forensics Kim, et al (2004) “A fuzzy expert system for network fornesics”, ICCSA 2004, Berlin: Springer-Verlag, p. 176 Principles The action of capturing, recording, and analyzing network audit trails in order to discover the source of security breaches or other information assurance problems. 3 4 Network Attacks Attack Residue PProtocol PSuccessful < Eg, SQL-Injection < Obfuscation of residue PMalware PUnsuccessful < Eg, Virus, Trojan, Worm < Residue is intact PFraud < Eg, Phishing, Pharming, etc. 5 6 Honeytraps Network Traffic Capture Systems Designed to be Compromised and Collect Attack Data Logging Issues Driving Automated Support PManaging data volume PManaging logging performance PEnsuring logs are useful to reconstruct the Attack PCorrelation of data in logs < Importance of timestamping From Yasinac, A. and Manzano, Y. (2002) “Honeytraps, A Network Forensic Tool” Florida State University. 7 8 Network Traffic Analysis Traceback Evidence Processing Usually Requires Software Tools PMinimizing distance to source PSessionizing PTraversing firewalls, proxies and address translation PProtocol parsing and analysis PMuliple cooroborating collectors PDecryption PTime and location stamping PSecurity of Analysis and Data < Avoiding detection and analysis-data compromise 9 10 Two Important Terms PPromiscuous Mode < An Ethernet Network Interface Card (NIC) in promiscuous mode is a configuration that will pass all traffic received by the card to the Terms and Log-based operating system, rather than just packets addressed to it. This Tracing feature is normally used for packet sniffing. PIPSpoofing < Forging the source address in the header of an IP packet so that it contains a different address, making it appear that the packet was sent by a different machine. -
Zen and the Art of Packet Capturing... [email protected] About Me
#SharkFest15 Zen and the art of packet Capturing... [email protected] About me... • Capturing packets since '99 • Used SnifferPro, but changed to Ethereal quickly :-) • Lots of bug chasing on Alteon and F5 ADC's • Missed some features, so started developing in2006 • Became core developer in 2007 • Started SYN-bit in 2009 • Focus on network troubleshooting and providing wireshark/protocol trainings • And some ADC consultancy (F5 BigIPs, iRules, etc) • Scuba diving / Arthouse movies 2 [email protected] Why capture packets? • Learn • Develop • Solve • Monitor • Detect 3 [email protected] Capture challenges... • Where to get the packets • How to get the packets • How to timestamp the packets • How to filter the packets • How to save the packets 4 [email protected] Zen and the art of packet Capturing... • Where to capture the packets • How to capture the packets • Timestamping • Capture filters • Saving packets • Q&A 5 [email protected] Where would you capture if... User A complains that something is not working in application on server S5? 6 [email protected] Where would you capture if... Some users in Paris complain complain about the performance of the loadbalanced application on server S1, S2, S3, S4? 7 [email protected] Where would you capture if... All users complain about the performance of an application on server S6? 8 [email protected] Where would you capture if... All users in Amsterdam complain about slow performance on every application? 9 [email protected] Some guidelines... • Capture close to the client, but not ON the client • Capture close to the server, but not ON the server • Capture (on several points) in between the client and server to drill down the source of the problem • Use intermediate devices like FW, LB, IDS, IPS, WAN optimizers for quick access to packets • But use SPAN ports and/or TAPs if these devices are under suspicion 10 [email protected] Zen and the art of packet Capturing..