Sunday, November 2, 2014

Introduction to Wireshark



Wireshark is widely regarded as the world's foremost protocol analyzer. It is used across many industries and continues a project started in 1998 by its original author, Gerald Combs; today a large community of developers contributes to its continued development. With a tool such as Wireshark, one can obtain microscopic, packet-level detail about the communication taking place on a network or on an individual system (wireshark.org).

As a Cyber Security professional, it is imperative to have knowledge and understanding of tools such as Wireshark or its command line alternative, tshark.

Before we begin, let's get some definitions out of the way. I could go straight to the Wireshark labs, but they would do you no good if you are not familiar with the terminology.



i. Sniffer

A sniffer is a piece of software that captures the traffic flowing through a computer (Tanase, 2002). A computer here means any computing device on which such a sniffer can be installed, or which has a built-in function that enables such sniffing. Examples of sniffers are tshark, Wireshark, tcpdump, Colasoft and Microsoft Network Monitor.



ii. Protocol

A protocol is a standard that defines how data is exchanged over a computer network, whether a small one such as a LAN or a large one such as the Internet (computerhope.com). Examples of protocols are TCP, UDP, SNMP, IP and BGP.





iii. Protocol Analyzer

A protocol analyzer can be thought of as an enhanced sniffer. It extends the sniffer by decoding (dissecting) the captured data according to each protocol's specification and presenting it in a more readable form. Examples of protocol analyzers are tshark, Wireshark, tcpdump, Colasoft and Microsoft Network Monitor.






iv. Packet

When two computers communicate across a network, the data is sent in packets. For example, when an email is sent, its contents are broken up into packets for transmission to the destination. A packet is typically no larger than 1,500 bytes, which is the standard Ethernet maximum transmission unit (computer.howstuffworks.com, 2000).





v. Packet Filter

Packet filters decide whether a packet should be forwarded or dropped based on a fixed set of inbound and outbound rules. The header of each packet is parsed and checked against the rule criteria, which include the protocol ID, source address and/or port number, destination address and/or port number, and the incoming or outgoing interface (novell.com). Because only headers are examined, a plain packet filter has no view of what is inside the payload.





vi. Live Capture

A live capture runs the sniffing software to capture traffic as it passes through the computer, in real time. The capture can be written to a file for later analysis; that offline analysis is not considered a live capture.





b) TCP/IP

i. Transmission Control Protocol (TCP)

TCP is intended for use as a highly reliable host-to-host protocol between hosts in a packet-switched network (ietf.org, 1981). In the four-layer TCP/IP model TCP sits at layer 3 (the transport layer), while in the OSI model it sits at layer 4 (Hughes).





ii. Internet Protocol (IP)

The Internet Protocol provides for transmitting blocks of data called datagrams from sources to their destinations (ietf.org, 1981). It also provides for fragmentation and reassembly of long datagrams. In the TCP/IP model IP sits at layer 2 (the Internet layer), while in the OSI model it sits at layer 3 (Hughes).





iii. Network Stack

The network stack refers to the layers through which communication occurs. In the TCP/IP model the stack consists of 4 layers; in the OSI model it consists of 7. The stack also defines which protocols operate at which layer and how they work together.





iv. Packet Header

A header is the concise, structured information placed in front of the data that is transmitted between communicating devices (jnetpcap.com). Using IPv4 as an example, the header is found at the start of every packet and is 20 bytes long when no options are present; the IHL field states the actual length. Version, Source Address and Destination Address are three of the fields that make up the IPv4 header (Hughes, sixscape.com).
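As an added example (not code from the original post or from Wireshark), the following Python parses the IPv4 header fields described above, verifies the header checksum, and then applies a first-match list of packet-filter rules of the kind described under Packet Filter. The two packets, their addresses and the rule set are constructed for illustration, and the rule format is my own rather than any particular firewall's syntax.

```python
"""Parse an IPv4 header, verify its checksum, and run packet-filter rules.

Added example, not code from the original post or from Wireshark. The packets,
addresses and rules are constructed for illustration.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
IPV4_FMT = "!BBHHHBBH4s4s"      # the 20-byte IPv4 header without options


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of the
    16-bit words. Over a header with the checksum field zeroed it yields the
    value to store; over a correct header (field included) it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Prepend a minimal IPv4 header (version 4, IHL 5, DF set) to payload."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


@dataclass
class IPv4Header:
    version: int
    ihl: int                    # header length in bytes, 20 without options
    total_length: int
    ttl: int
    protocol: int
    checksum_ok: bool
    src: str
    dst: str
    src_port: Optional[int]     # TCP/UDP only
    dst_port: Optional[int]


def parse_ipv4(packet: bytes) -> IPv4Header:
    """Decode the fields Wireshark lists under 'Internet Protocol Version 4'."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return IPv4Header(version, ihl, total_len, ttl, proto,
                      ipv4_checksum(packet[:ihl]) == 0,
                      socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport)


@dataclass
class Rule:
    """A packet-filter rule: each criterion left as None matches anything."""
    action: str                         # "allow" or "deny"
    protocol: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, h: IPv4Header) -> bool:
        wanted = ((self.protocol, h.protocol), (self.src, h.src),
                  (self.dst, h.dst), (self.dst_port, h.dst_port))
        return all(want is None or want == have for want, have in wanted)


def filter_decision(rules: list, packet: bytes, default: str = "deny") -> str:
    """First matching rule wins; only headers are inspected, never the payload.
    A packet whose header checksum fails is dropped before any rule is tried."""
    header = parse_ipv4(packet)
    if not header.checksum_ok:
        return "deny"
    for rule in rules:
        if rule.matches(header):
            return rule.action
    return default


# Constructed samples: a DNS query and an ICMP echo request from 192.168.0.11.
DNS_QUERY = build_ipv4("192.168.0.11", "192.168.0.1", PROTO_UDP,
                       struct.pack("!HHHH", 53123, 53, 20, 0)          # UDP header
                       + struct.pack("!HHHHHH", 0x1234, 0x0100, 0, 0, 0, 0))  # DNS header
_icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"
PING = build_ipv4("192.168.0.11", "192.168.0.1", PROTO_ICMP,
                  _icmp[:2] + struct.pack("!H", ipv4_checksum(_icmp)) + _icmp[4:])

RULES = [
    Rule("allow", protocol=PROTO_UDP, dst="192.168.0.1", dst_port=53),  # DNS to the gateway
    Rule("allow", protocol=PROTO_ICMP),                                  # ping anywhere
    Rule("deny", protocol=PROTO_TCP, dst_port=22),                       # no SSH out
]

if __name__ == "__main__":
    for name, pkt in (("dns", DNS_QUERY), ("ping", PING)):
        print(name, parse_ipv4(pkt), "->", filter_decision(RULES, pkt))
```

The checksum trick in parse_ipv4 is worth noting: summing the header with its checksum field included must give all ones, so the complemented result is 0 for an intact header. A packet whose TTL or addresses were rewritten without recomputing the checksum fails this test, which is exactly the kind of thing Wireshark's IPv4 dissector flags when checksum validation is enabled.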




Now that we have that out of the way, let's look at these labs as a series of tasks, similar to the Introduction to Linux Command Line post.



Task 1 – Browsing the Internet

  1. Start Wireshark and begin a capture on the interface you use to reach the Internet.
  2. Apply the display filter "(http) && (ip.addr == 192.168.0.11)". Replace the IP address with the one assigned to your interface.
  3. Launch your favourite search engine and perform a search for scurvy.
  4. Visit the first site in the results.
  5. Return to Wireshark and stop the capture.



If you go through the capture you will notice that the identity of the website you visited and the search keyword you entered are not private: HTTP sends them in clear text, so they can be read straight out of the capture. If the search engine or site uses HTTPS instead, the request and the search term are encrypted; only the DNS lookup and the server name in the TLS handshake still reveal which site you contacted.
  


Task 2 – Analyze Wireshark Data:

1. Clear the existing display filter and start a new capture

2. Browse the Internet for 5 minutes

3. Stop the capture

4. The following questions are answered from the Statistics menu


a)    How many UDP packets did Wireshark capture?

This can be determined from Statistics -> Protocol Hierarchy.

There were 244 DNS packets and 9 NetBIOS packets, bringing the total to 253 UDP packets captured by Wireshark. The User Datagram Protocol row shows that total directly, because the hierarchy counts each packet once at every layer it contains.


b)    What is the average IP packet size?

This can be determined from Statistics -> Summary.

The average packet size is 525 bytes.


c)    How many packets did Wireshark drop?

This can be determined from Statistics -> Comments Summary.
The answer is 0. Dropped packets are those the capture engine lost because the system could not keep up; a non-zero count means the capture is incomplete and any counts derived from it are low.


d)    What does a flow graph show?

The flow graph shows the connections between hosts as a sequence of packets over time, with each packet drawn as an arrow from its source to its destination.


e)    List the flow graph options.

The Flow Graph dialog offers the following options: Choose packets (all packets or displayed packets), Choose flow type (general flow or TCP flow), and Choose node address type (standard or network source/destination addresses).
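The following Python script, added here as an example (not code from the original post or from Wireshark), writes a small capture file in the classic libpcap format that Wireshark opens directly, reads it back, and computes the Task 2 figures (protocol hierarchy counts and average packet size) from the raw frames. The five frames are constructed by hand with locally administered MAC addresses and RFC 1918 / TEST-NET-3 IP addresses; they are not from a real capture, so the numbers differ from the 244/9/525 results above.

```python
"""Write a small libpcap file and compute the Task 2 statistics from it.

Added example, not code from the original post or from Wireshark. The frames
are constructed by hand (placeholder MACs, private and TEST-NET addresses).
"""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution libpcap magic number
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

# Each frame: Ethernet II (14 bytes) + IPv4 header (20 bytes, checksum filled
# in) + transport header and payload. Host 192.168.0.11, gateway 192.168.0.1,
# web server 203.0.113.10.
FRAMES = [
    # DNS query, host:53123 -> gateway:53
    bytes.fromhex("020000000001 02000000000b 0800"
                  "4500 0028 0000 4000 4011 b968 c0a8000b c0a80001"
                  "cf83 0035 0014 0000 1234 0100 0000 0000 0000 0000"),
    # DNS response, gateway:53 -> host:53123
    bytes.fromhex("02000000000b 020000000001 0800"
                  "4500 0028 0000 4000 4011 b968 c0a80001 c0a8000b"
                  "0035 cf83 0014 0000 1234 8180 0000 0000 0000 0000"),
    # NetBIOS name query broadcast, host:137 -> 192.168.0.255:137
    bytes.fromhex("ffffffffffff 02000000000b 0800"
                  "4500 0028 0000 4000 4011 b86a c0a8000b c0a800ff"
                  "0089 0089 0014 0000 abcd 0110 0000 0000 0000 0000"),
    # TCP SYN, host:50000 -> web server:80 (no payload, so not yet HTTP)
    bytes.fromhex("020000000001 02000000000b 0800"
                  "4500 0028 0000 4000 4006 3e12 c0a8000b cb00710a"
                  "c350 0050 00000001 00000000 5002 2000 cf82 0000"),
    # ICMP echo request, host -> gateway
    bytes.fromhex("020000000001 02000000000b 0800"
                  "4500 0020 0000 4000 4001 b980 c0a8000b c0a80001"
                  "0800 192d 0001 0001 70696e67"),
]


def pcap_bytes(frames, snaplen=65535):
    """Classic libpcap layout: a 24-byte global header, then a 16-byte record
    header (seconds, microseconds, captured length, original length) per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]          # snaplen truncates; orig_len keeps the truth
        out.append(struct.pack("<IIII", 1414886400 + i, 0, len(captured), len(frame)))
        out.append(captured)                # 1414886400 = 2014-11-02 00:00 UTC
    return b"".join(out)


def parse_pcap(data):
    """Return the captured bytes of each record, honouring either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    frames, pos = [], 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        frames.append(data[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    return frames


def protocol_hierarchy(frames):
    """Count frames per layer the way Statistics -> Protocol Hierarchy does:
    a DNS frame is counted under eth, ip, udp and dns alike."""
    counts = Counter()
    for fr in frames:
        counts["eth"] += 1
        if struct.unpack("!H", fr[12:14])[0] != ETHERTYPE_IPV4:
            continue
        counts["ip"] += 1
        ihl = (fr[14] & 0x0F) * 4           # IPv4 header length, 20 without options
        proto = fr[14 + 9]                  # IPv4 protocol field
        l4 = fr[14 + ihl:]
        sport, dport = struct.unpack("!HH", l4[:4]) if proto != PROTO_ICMP else (None, None)
        if proto == PROTO_ICMP:
            counts["icmp"] += 1
        elif proto == PROTO_TCP:
            counts["tcp"] += 1
            if 80 in (sport, dport) and len(l4) > (l4[12] >> 4) * 4:
                counts["http"] += 1         # only frames carrying HTTP bytes
        elif proto == PROTO_UDP:
            counts["udp"] += 1
            if 53 in (sport, dport):
                counts["dns"] += 1
            elif {137, 138} & {sport, dport}:
                counts["netbios"] += 1
    return counts


def average_frame_size(frames):
    """Statistics -> Summary reports the mean frame length in bytes."""
    return sum(len(f) for f in frames) / len(frames)


if __name__ == "__main__":
    with open("task2_sample.pcap", "wb") as f:  # open this file in Wireshark
        f.write(pcap_bytes(FRAMES))
    frames = parse_pcap(pcap_bytes(FRAMES))
    print(dict(protocol_hierarchy(frames)))
    print("average frame size: %.1f bytes" % average_frame_size(frames))
```

Open task2_sample.pcap in Wireshark and compare Statistics -> Protocol Hierarchy with the printed counts: the SYN appears under TCP but not under HTTP, because the hierarchy only credits a protocol to frames that actually carry its bytes, and the two UDP rows (DNS and NetBIOS) add up to the UDP row, as in the answer to question a) above.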



Security professionals can use Wireshark for packet analysis to determine what really transpired on a host or network. By looking directly at the raw packets, they can draw clear conclusions once they can properly interpret each packet.



While security professionals use Wireshark for good, attackers can use it for harmful purposes, including:
1. Sniffing: capturing credentials, session cookies and other data sent in clear text

2. Exploiting Wireshark itself: crafting malicious packets or capture files that trigger bugs in its protocol dissectors, so that merely capturing or opening the traffic runs attacker code. This is why Wireshark should not be run as root or Administrator; capture with the privileged dumpcap helper (or tcpdump) and analyze the file as an unprivileged user.

3. Packet Analysis: mapping hosts, services and trust relationships from captured traffic



3.    Wireshark captures the traffic it can see, that is, the traffic that passes through the interfaces of the computer it is installed on. On a switched network this is normally only the host's own traffic plus broadcast and multicast; to see other hosts' traffic you need a mirror (SPAN) port, a network tap, or promiscuous mode on a shared medium. Wireshark does have a remote capture option, but it still only sees the traffic that passes through the computer on which the Remote Packet Capture Protocol service (rpcapd) is running (wireshark.org).


4. Sample Wireshark display filters to:

a) View all traffic for 10.10.10.2.

            ip.addr == 10.10.10.2

ip.addr matches either the source or the destination field, so this shows both directions; use ip.src or ip.dst to restrict it to one. Beware the common mistake when excluding a host: ip.addr != 10.10.10.2 still shows packets to or from it, because the comparison is true whenever either address differs. Write !(ip.addr == 10.10.10.2) instead.

b) View ICMP traffic from any address.

            icmp

These are display filters, applied to packets already captured. The equivalent capture filters, which use BPF syntax and limit what is recorded in the first place, are host 10.10.10.2 and icmp.



Bibliography
(n.d.). Retrieved from wireshark.org: https://www.wireshark.org/about.html
(n.d.). Retrieved from computerhope.com: http://www.computerhope.com/jargon/p/protocol.htm
(n.d.). Retrieved from novell.com: http://www.novell.com/documentation/nbm38/?page=/documentation/nbm38/overview/data/ae70q0b.html
(n.d.). Retrieved from jnetpcap.com: http://jnetpcap.com/node/110
(n.d.). Retrieved from wireshark.org: https://www.wireshark.org/docs/wsug_html_chunked/ChCapInterfaceRemoteSection.html
(1981, September). RFC 793, Transmission Control Protocol. Retrieved from ietf.org: https://www.ietf.org/rfc/rfc793.txt
(1981, September). RFC 791, Internet Protocol. Retrieved from ietf.org: https://www.ietf.org/rfc/rfc791.txt
(2000, 12 01). Retrieved from computer.howstuffworks.com: http://computer.howstuffworks.com/question525.htm
Hughes, L. (n.d.). Retrieved from http://www.sixscape.com/joomla/sixscape/index.php/technical-backgrounders/tcp-ip/the-dod-four-layer-model
Hughes, L. (n.d.). Retrieved from sixscape.com: http://www.sixscape.com/joomla/sixscape/index.php/technical-backgrounders/tcp-ip/ip-the-internet-protocol/ipv4-internet-protocol-version-4/ipv4-packet-header
Tanase, M. (2002, 02 26). Retrieved from symantec.com: http://www.symantec.com/connect/articles/sniffers-what-they-are-and-how-protect-yourself


