1.3-Basic Packet Analysis Wireshark

Tcpdump is a command-line tool for capturing and analysing network packets. It uses the libpcap library to capture packets from network interfaces, and its filter expressions (BPF syntax) select packets by attributes such as source/destination IP address, port and protocol. Captured packets can be saved to a pcap file or read back from an existing pcap file. Wireshark is a graphical network packet analyzer: it lets users examine captured packet data in detail, including protocol dissection and following TCP streams. Wireshark is commonly used by network administrators, security engineers and developers to troubleshoot networks, examine security issues and debug protocol implementations.


Packet Analysis - Wireshark
Why do we need to capture/analyse packets & how is it relevant to security?
tcpdump
• tcpdump is a utility used to capture and analyze packets on network interfaces.
• Details about these packets can either be displayed on the screen or saved to a file for later analysis (-w option).
• tcpdump utilizes the libpcap library for packet capturing.
• Capturing requires root or the CAP_NET_RAW capability, which is why the examples below show a # prompt.
tcpdump command example
# tcpdump -nni eth0
# tcpdump -nni eth0 host 10.10.10.10
# tcpdump -nni eth0 dst host 10.10.10.10 and proto tcp
# tcpdump -nni eth0 src net 10.10.10.0/24 and tcp portrange 1-1024

-nn = don't resolve IP addresses to hostnames or port numbers to service names (the first n disables host lookups, the second port lookups; output stays numeric and no DNS queries leak from the capture host)
-i = interface to watch
dst = match only traffic destined to a net, host or port
src = match only traffic whose source is a net, host or port
net = specifies a network (CIDR notation, e.g. 10.10.10.0/24)
host = specifies a host
port = specifies a port (portrange = an inclusive range of ports)
proto = protocol (e.g. tcp or udp); a protocol is not a port, so the last example uses "tcp portrange 1-1024", not "port tcp", which tcpdump rejects
tcpdump command example
# tcpdump -nni eth0 -s0
# tcpdump -nni eth0 not port 22 -s0 -c 1000
# tcpdump -nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24

-s0 (snaplen) = a snapshot length of 0 means "capture the whole packet": current tcpdump treats it as the maximum, 262144 bytes, which is also its default; older versions defaulted to 68 bytes and silently truncated packets, so -s0 is still worth typing on an unknown system
-c = packet count: stop after this many packets
("not port 22" keeps your own SSH session out of the capture when you run tcpdump remotely)
tcpdump pcaps
# tcpdump -nni eth0 -w capture.pcap -vv -c 1000
# tcpdump -nn -r capture.pcap port 80

• -w capture.pcap = write the raw captured packets to capture.pcap rather than printing them (the file can be opened in Wireshark)
• -vv (more verbose) = e.g. while writing with -w, report the number of packets captured so far; when printing, show extra header detail such as TTL, IP id and checksum status
• -r capture.pcap = read packets from a capture file created with -w; no -i is needed, and the same filter syntax applies (here: port 80). A filter expression cannot start with "and".
• -c = number of packets to capture before exiting
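The -w/-r pair is just a file format: a 24-byte global header followed by one 16-byte record header per frame. The following Python script, an added example that is not part of the original slides, writes three constructed Ethernet/IPv4/TCP frames (the addresses 10.10.10.10, 192.0.2.1 and 10.10.10.20 are chosen for illustration) to capture.pcap, reads the file back and applies the equivalent of the `port 80` filter. The IP and TCP checksums are left at zero for brevity; tcpdump -r does not verify them, and Wireshark only flags them if checksum validation is enabled.

```python
"""Write a pcap file, read it back and filter it, the way
`tcpdump -w capture.pcap` and `tcpdump -nn -r capture.pcap port 80` do.

Added example, not from the original slides: the three frames are
constructed in memory (addresses 10.10.10.10, 192.0.2.1, 10.10.10.20 are
illustrative), so nothing is captured from a real interface."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1            # what tcpdump records for an Ethernet interface


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet + IPv4 + TCP (no options). Checksums are left at 0 for brevity."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 4096, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + tcp + payload


def write_pcap(path, frames, first_ts=1_700_000_000):
    """Equivalent of -w: 24-byte global header, then a 16-byte record header per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Equivalent of -r: yields (timestamp, frame) and honours the writer's byte order."""
    with open(path, "rb") as f:
        data = f.read()
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng has a different layout)")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def decode(frame):
    """Minimal dissector: Ethernet -> IPv4 -> TCP/UDP ports and payload, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # not IPv4 over Ethernet
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    pkt = {"src": bytes_to_ip(frame[26:30]), "dst": bytes_to_ip(frame[30:34]), "proto": proto}
    l4 = 14 + ihl
    min_l4 = 20 if proto == 6 else 8
    if proto in (6, 17) and len(frame) >= l4 + min_l4:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, l4)
        hdr_len = (frame[l4 + 12] >> 4) * 4 if proto == 6 else 8
        pkt["payload"] = frame[l4 + hdr_len:]
    return pkt


def match_port(pkt, port):
    """The BPF primitive `port N`: TCP or UDP, source or destination."""
    return pkt is not None and port in (pkt.get("sport"), pkt.get("dport"))


def demo():
    frames = [
        build_tcp_frame("10.10.10.10", "192.0.2.1", 54321, 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
        build_tcp_frame("192.0.2.1", "10.10.10.10", 80, 54321, b"HTTP/1.1 200 OK\r\n\r\n"),
        build_tcp_frame("10.10.10.10", "10.10.10.20", 40000, 22, b"SSH-2.0-OpenSSH\r\n"),
    ]
    path = os.path.join(tempfile.mkdtemp(), "capture.pcap")
    write_pcap(path, frames)
    decoded = [decode(frame) for _ts, frame in read_pcap(path)]
    on_port_80 = [p for p in decoded if match_port(p, 80)]
    return len(decoded), len(on_port_80), on_port_80[0]["payload"][:5]


if __name__ == "__main__":
    print(demo())          # (3, 2, b'GET /')
```

The file produced here opens in Wireshark like any tcpdump capture. Wireshark itself saves in pcapng by default, which has a block-based layout this reader does not handle; choose "pcap" in the save dialog, or use `tcpdump -w`, when a tool downstream expects the classic format.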
tcpdump Output
IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204], length 53
IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 106, win 4092, options [nop,nop,TS val 376934736 ecr 854797891], length 0
IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 106:159, ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204], length 53
IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 159, win 4091, options [nop,nop,TS val 376934736 ecr 854797891], length 0

How to read a line: source.port > destination.port, then the TCP flags ([P.] = PSH+ACK, [.] = ACK only, S = SYN, F = FIN, R = RST), seq = the relative byte range carried, ack = the next byte expected from the peer, win = receive window, options (here TCP timestamps), length = payload bytes. The server (port 443) sends 53 bytes twice; the client answers each with a pure ACK of 106 and then 159, i.e. exactly the end of the segment it just received.
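To make the fields in such lines explicit, here is an added Python example (not from the original slides) that parses tcpdump's default TCP summary lines with a regular expression and checks, over the four lines above, that each client ACK equals the end of the preceding server segment. The pattern covers the non -v output shape for TCP; any other line returns None.

```python
"""Parse tcpdump's one-line TCP summaries into fields and sanity-check a stream.

Added example, not from the original slides. The four sample lines are the
ones shown above (server 199.59.148.139:443, client 192.168.1.8:54343)."""
import re
from collections import defaultdict

TCPDUMP_TCP_LINE = re.compile(r"""
    ^IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+
    Flags\s+\[(?P<flags>[^\]]*)\]
    (?:,\s+seq\s+(?P<seq_lo>\d+)(?::(?P<seq_hi>\d+))?)?     # "seq 53:106", or "seq 0" on a SYN
    (?:,\s+ack\s+(?P<ack>\d+))?
    ,\s+win\s+(?P<win>\d+)
    (?:,\s+options\s+\[(?P<opts>[^\]]*)\])?
    ,\s+length\s+(?P<length>\d+)\s*$
""", re.VERBOSE)

FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "F": "FIN", "R": "RST",
              "U": "URG", "E": "ECE", "W": "CWR"}


def parse_line(line):
    """Return the line's fields (numbers as int), or None if it is not a TCP summary."""
    m = TCPDUMP_TCP_LINE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "seq_lo", "seq_hi", "ack", "win", "length"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    fields["flag_names"] = [FLAG_NAMES.get(c, c) for c in fields["flags"]]
    return fields


def summarize(lines):
    """Payload bytes per direction, plus a check that each pure ACK acknowledges
    exactly the end of the last data segment seen from the other side."""
    bytes_sent = defaultdict(int)
    last_seq_end = {}
    acks_consistent = True
    parsed = [p for p in map(parse_line, lines) if p]
    for p in parsed:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        bytes_sent[fwd] += p["length"]
        if p["length"] > 0:
            last_seq_end[fwd] = p["seq_hi"]          # next byte the peer should ack
        elif p["ack"] is not None and rev in last_seq_end:
            acks_consistent = acks_consistent and p["ack"] == last_seq_end[rev]
    return dict(bytes_sent), acks_consistent, parsed


# The four lines shown on the slide, one per list entry.
SAMPLE_LINES = [
    "IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, "
    "options [nop,nop,TS val 854797891 ecr 376933204], length 53",
    "IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 106, win 4092, "
    "options [nop,nop,TS val 376934736 ecr 854797891], length 0",
    "IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 106:159, ack 1, win 67, "
    "options [nop,nop,TS val 854797891 ecr 376933204], length 53",
    "IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 159, win 4091, "
    "options [nop,nop,TS val 376934736 ecr 854797891], length 0",
]

if __name__ == "__main__":
    sent, ok, pkts = summarize(SAMPLE_LINES)
    for (src, sport, dst, dport), n in sent.items():
        print("%s:%d -> %s:%d carried %d payload bytes" % (src, sport, dst, dport, n))
    print("ACKs consistent with the data seen:", ok)
```

A gap between what one side acknowledges and what the capture shows the other side sending is the first sign that the capture point missed packets (or that the snaplen was too small), which is worth knowing before drawing conclusions from a pcap.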
What is Wireshark?
• Wireshark is a network packet/protocol analyzer
Why Wireshark
• network administrators use it to troubleshoot network
problems
• network security engineers use it to examine security
problems
• developers use it to debug protocol implementations
• people use it to learn network protocol internals

• Wireshark is not an intrusion detection system
• Wireshark will not manipulate packets on the network; it only "reads" packets (it captures passively, usually with the interface in promiscuous mode)
How to Install
• Straightforward
– Download from https://www.wireshark.org/download.html
– Just double-click the installer and follow the instructions
– On Linux, capturing as a non-root user requires membership in the wireshark group (the package usually asks whether to allow this during installation)

Filters
• Capture filter
– Applied while capturing: only traffic that matches the rule is recorded (BPF syntax, the same as tcpdump, e.g. host 10.0.0.1 and port 80)
– saves disk space, but anything filtered out is gone for good
• Display filter
– Applied to packets already captured: hides non-matching packets from the view without discarding them
– uses Wireshark's own field syntax (ip.addr, tcp.port, ...), not BPF
Apply Filters
• ip.addr == 10.0.0.1 [shows any packet with 10.0.0.1 as either the source or the destination]
• ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [shows the conversation between the two IP addresses]
• http or dns [shows all HTTP and DNS packets]
• tcp.port==4000 [shows any TCP packet with 4000 as the source or destination port]
• tcp.flags.reset==1 [shows all TCP resets]
• http.request [shows all HTTP requests, whatever the method; for GET only use http.request.method == "GET"]
• tcp contains rviews [shows all TCP packets whose TCP header or payload contains the byte string 'rviews'. Excellent when searching for a specific string or user ID; it is case-sensitive, use tcp matches "(?i)rviews" for a case-insensitive regular expression]
• !(arp or icmp or dns) [masks out ARP, ICMP, DNS, or whatever other protocols are background noise, so you can focus on the traffic of interest]
Follow TCP Stream
• Build TCP Stream
– Select a TCP packet -> Analyze -> Follow -> TCP Stream (or right-click the packet)
– Wireshark puts the payload bytes of both directions back in sequence-number order, so an application-layer conversation such as a telnet login is shown as text
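What Follow TCP Stream does under the hood is reassembly: the payload of each direction is put back in sequence-number order and retransmitted bytes are dropped. The following Python example is added here and is not part of the original slides or of telnet.pcap; the segments are a constructed telnet-style login (endpoints 10.0.0.5:51000 and 192.168.0.1:23 are made up) with one out-of-order segment, one retransmission and one lost segment, so the handling of each case is visible.

```python
"""Reassemble both directions of a TCP conversation from its segments, which
is what Wireshark's Follow -> TCP Stream does before showing the text.

Added example, not from the original slides or telnet.pcap: the segments
are constructed (telnet-style login between 10.0.0.5:51000 and
192.168.0.1:23), with one out-of-order segment, one retransmission and
one lost segment."""
from collections import defaultdict


def reassemble(segments):
    """Merge (seq, payload) segments of one direction into a byte stream.
    Duplicate and overlapping bytes are dropped (the first copy wins) and a
    gap is marked in-line instead of silently joining unrelated bytes."""
    stream = bytearray()
    gaps = []
    expected = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):   # stable sort: arrival order kept for equal seq
        if expected is None:
            expected = seq
        end = seq + len(payload)
        if end <= expected:
            continue                                  # full duplicate (retransmission)
        if seq < expected:
            payload = payload[expected - seq:]        # partial overlap: keep only the new tail
        elif seq > expected:
            gaps.append((expected, seq))
            stream += b"[%d bytes missing]" % (seq - expected)
        stream += payload
        expected = end
    return bytes(stream), gaps


def follow_tcp_stream(packets, endpoint_a, endpoint_b):
    """Select the conversation between two (ip, port) endpoints, like clicking one
    of its packets in Wireshark, and reassemble each direction separately."""
    by_direction = defaultdict(list)
    for src, sport, dst, dport, seq, payload in packets:
        if {(src, sport), (dst, dport)} == {endpoint_a, endpoint_b}:
            by_direction[((src, sport), (dst, dport))].append((seq, payload))
    return {"%s:%d -> %s:%d" % (s + d): reassemble(segs)
            for (s, d), segs in by_direction.items()}


CLIENT, SERVER = ("10.0.0.5", 51000), ("192.168.0.1", 23)

# (src, sport, dst, dport, relative seq, payload) in arrival order; constructed data.
SEGMENTS = [
    ("192.168.0.1", 23, "10.0.0.5", 51000, 1, b"login: "),
    ("10.0.0.5", 51000, "192.168.0.1", 23, 1, b"a"),          # telnet sends a byte per keystroke
    ("10.0.0.5", 51000, "192.168.0.1", 23, 3, b"i"),          # arrives before seq 2
    ("10.0.0.5", 51000, "192.168.0.1", 23, 2, b"l"),
    ("10.0.0.5", 51000, "192.168.0.1", 23, 1, b"a"),          # retransmission of seq 1
    ("10.0.0.5", 51000, "192.168.0.1", 23, 4, b"ce\r\n"),
    # the server's 2-byte segment at seq 8 was not captured
    ("192.168.0.1", 23, "10.0.0.5", 51000, 10, b"Password: "),
    ("10.0.0.5", 51000, "192.168.0.1", 23, 8, b"s3cret\r\n"),
    ("10.0.0.7", 40000, "192.168.0.1", 80, 1, b"GET / HTTP/1.0\r\n"),   # another conversation, ignored
]

if __name__ == "__main__":
    for direction, (data, gaps) in follow_tcp_stream(SEGMENTS, CLIENT, SERVER).items():
        print(direction, data, gaps)
```

The client direction reassembles to the typed username and password even though the characters arrived one per segment and out of order, which is exactly why cleartext protocols such as telnet are a problem: the sniffer only needs to sort.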
Use “Statistics”
• What protocols are used on your network
– Statistics -> Protocol Hierarchy
• Which host is most chatty
– Statistics -> Conversations (sort by packets or bytes), or Statistics -> Endpoints for per-host totals
Need CLI?
• Try tshark, which ships with Wireshark, reads and writes the same capture files and accepts the same display filters (-Y)
– Example location on Windows: C:\Program Files\Wireshark\tshark.exe (on Linux/macOS it is simply tshark)
Lab Exercise

Exercise
• Install Wireshark
• Download the captured (pcap) files from the lab website
– Follow the guides on the next pages
Exercise 1: Good Old Telnet
• File
– telnet.pcap
• Question
– Reconstruct the telnet session
• Q1: Who logged into 192.168.0.1?
– Username __________, Password __________ .
• Q2: After logging in, what did the user do?
Exercise 2: Covert channel
• File
– covertinfo.pcap
• Question: Is it a genuine ICMP packet?
– Take a closer look! This is not a typical ICMP Echo/Reply…
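One way to take that closer look programmatically, as an added Python example that is not part of the original slides or of covertinfo.pcap: build ICMP echo messages, verify the checksum, and compare each payload with what stock ping tools send. The "stock" patterns assumed here are Linux iputils ping (a timeval, then bytes whose value equals their offset) and Windows ping (a fixed 32-byte alphabet string); a ping run with a custom pattern (-p) is flagged too, so a mismatch is a lead to inspect, not proof of a covert channel. The five messages are constructed.

```python
"""Spot ICMP echo packets whose payload is not what ping normally puts there.

Added example, not from the original slides or covertinfo.pcap. The messages
are constructed. The "stock ping" patterns are an assumption about the
sender's tool (Linux iputils and Windows ping defaults), so a mismatch is a
lead to inspect, not proof of a covert channel."""
import string
import struct

WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
PRINTABLE = set(string.printable.encode())
ECHO_REQUEST, ECHO_REPLY = 8, 0


def inet_checksum(data):
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Echo request/reply: type, code 0, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(message):
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": message[8:], "checksum_ok": inet_checksum(message) == 0}


def is_stock_ping_payload(payload):
    """Linux iputils fills data[i] = i (mod 256), then overwrites the first 8 or 16
    bytes with a timeval; Windows ping sends a fixed alphabet string."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    for ts_len in (8, 16):
        if len(payload) >= ts_len and \
                payload[ts_len:] == bytes(i & 0xFF for i in range(ts_len, len(payload))):
            return True
    return False


def flag_suspicious_echoes(messages):
    """Return (index, id, seq, reasons) for echo messages that deserve a closer look."""
    request_payloads = {}
    findings = []
    for idx, message in enumerate(messages):
        p = parse_echo(message)
        if p["type"] not in (ECHO_REQUEST, ECHO_REPLY) or p["code"] != 0:
            continue
        reasons = []
        if not p["checksum_ok"]:
            reasons.append("bad ICMP checksum")
        if not is_stock_ping_payload(p["payload"]):
            reasons.append("payload is not a stock ping pattern")
            printable = sum(b in PRINTABLE for b in p["payload"]) / max(len(p["payload"]), 1)
            if printable > 0.9:
                reasons.append("payload is mostly printable text")
        key = (p["id"], p["seq"])
        if p["type"] == ECHO_REQUEST:
            request_payloads[key] = p["payload"]
        elif key in request_payloads and request_payloads[key] != p["payload"]:
            reasons.append("reply payload differs from the request it answers")   # a real reply echoes it back
        if reasons:
            findings.append((idx, p["id"], p["seq"], reasons))
    return findings


def linux_ping_payload(seq):
    """56 bytes as 64-bit iputils ping sends them: 16-byte timeval, then 0x10..0x37."""
    timeval = struct.pack("<qq", 1_700_000_000, 100_000 + seq)
    return timeval + bytes(i & 0xFF for i in range(16, 56))


# Constructed traffic: two normal pings, then a request/reply pair carrying text.
MESSAGES = [
    build_echo(ECHO_REQUEST, 0x1234, 1, linux_ping_payload(1)),
    build_echo(ECHO_REPLY, 0x1234, 1, linux_ping_payload(1)),
    build_echo(ECHO_REQUEST, 0x1234, 2, WINDOWS_PING_PAYLOAD),
    build_echo(ECHO_REQUEST, 0xBEEF, 1, b"uid=0(root) gid=0(root)\n"),   # command output smuggled out
    build_echo(ECHO_REPLY, 0xBEEF, 1, b"cat /etc/shadow\n"),             # next command in the reply
]

if __name__ == "__main__":
    for idx, ident, seq, reasons in flag_suspicious_echoes(MESSAGES):
        print("message %d id=0x%04x seq=%d: %s" % (idx, ident, seq, "; ".join(reasons)))
```

In Wireshark the same checks are a display filter away: `icmp.type == 8 && !(data.len == 56)` isolates requests of unusual size, and `icmp.resp_to` / `icmp.resp_in` let you compare a request with its reply side by side.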
Ex 3: Suspicious FTP activity
• File
– ftp.pcap
• Question
– Q1: 10.121.70.151 is FTP ______ .
– Q2: 10.234.125.254 is FTP ______ .
– Q3: What is FTP Err Code 530?__________ .
– Q4: 10.234.125.254 attempts to ________.

• Tip
– Number of login attempts within a minute?
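The tip above is a rate check, and it is easy to automate. As an added Python example that is not part of the original slides or of ftp.pcap, here is that check over constructed FTP control-channel events in the form (time, src, dst, line), as one could extract with tshark: count 530 replies per client and alert when five of them fall within a sliding 60-second window. The addresses 192.0.2.10, 192.0.2.20 and 198.51.100.5 and the passwords are invented.

```python
"""Count FTP login failures per client and alert on bursts within one minute.

Added example, not from the original slides or ftp.pcap. The events are
constructed FTP control-channel lines in the shape (time_s, src, dst, line);
the addresses and passwords are made up."""
import re
from collections import Counter, defaultdict, deque

FTP_REPLY = re.compile(r"^(\d{3})[ -](.*)$")      # "530 Login incorrect." or a "331-" multi-line reply
FTP_REPLY_TEXT = {"220": "Service ready", "331": "User name okay, need password",
                  "230": "User logged in, proceed", "530": "Not logged in",
                  "221": "Service closing control connection"}     # meanings from RFC 959


def failed_logins_per_client(events):
    """A 530 reply travels server -> client, so the client being refused is dst."""
    failures = Counter()
    for _t, _src, dst, line in events:
        m = FTP_REPLY.match(line)
        if m and m.group(1) == "530":
            failures[dst] += 1
    return failures


def detect_ftp_bruteforce(events, threshold=5, window=60.0):
    """Alert with (client, server, first_failure_time, alert_time) when `threshold`
    530 replies to one client fall within `window` seconds; fires once per crossing."""
    recent = defaultdict(deque)
    alerts = []
    for t, src, dst, line in events:
        m = FTP_REPLY.match(line)
        if not m or m.group(1) != "530":
            continue
        times = recent[(dst, src)]                    # keyed by (client, server)
        times.append(t)
        while times and t - times[0] > window:
            times.popleft()                           # forget failures older than the window
        if len(times) == threshold:
            alerts.append((dst, src, times[0], t))
    return alerts


def constructed_events():
    """One client trying the 'admin' account every 4 s, one legitimate login later."""
    server, attacker, employee = "198.51.100.5", "192.0.2.10", "192.0.2.20"
    events = []
    t = 0.0
    for password in ["123456", "password", "admin", "letmein", "qwerty", "welcome1"]:
        events += [
            (t, attacker, server, "USER admin"),
            (t + 0.25, server, attacker, "331 Password required for admin"),
            (t + 0.5, attacker, server, "PASS " + password),
            (t + 0.75, server, attacker, "530 Login incorrect."),
        ]
        t += 4.0
    events += [
        (100.0, employee, server, "USER bob"),
        (100.25, server, employee, "331 Password required for bob"),
        (100.5, employee, server, "PASS hunter2"),
        (100.75, server, employee, "230 Login successful."),
    ]
    return events


if __name__ == "__main__":
    ev = constructed_events()
    print(failed_logins_per_client(ev))
    for client, server, first, when in detect_ftp_bruteforce(ev):
        print("%s brute-forcing %s: 5 failures between t=%.2f and t=%.2f" % (client, server, first, when))
```

In Wireshark the equivalent is `ftp.response.code == 530` with the time column set to "seconds since previous displayed packet", which makes the regular spacing of an automated attempt stand out immediately.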
Exercise 4: Chatty Employees
• File
– chat.dmp
• Question
• Q1: What kind of protocol is used? _______
• Q2: This is conversation between
[email protected] and [email protected]
• Q3: What do they say about you (sysadmin)?
• Tip
– Your chats can be monitored by your network admin.
Exercise 5: SIP
• File
– sip_chat.pcap
• Question:
– Can we listen to SIP voice?
