
13.

Use Wireshark to Capture, Filter and Inspect Packets

Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and displays them in a
human-readable format. Wireshark includes filters, color coding, and other features that let you dig deep into
network traffic and inspect individual packets.

Capturing Packets

After downloading and installing Wireshark, you can launch it and double-click the name of a network interface
under Capture to start capturing packets on that interface. For example, if you want to capture traffic on your
wireless network, click your wireless interface. You can configure advanced features by clicking Capture >
Options, but this isn’t necessary for now.

As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures
each packet sent to or from your system.
Click the red “Stop” button near the top left corner of the window when you want to stop capturing traffic.

Color Coding

Wireshark uses colors to help you identify the types of traffic at a glance. By default, light purple is TCP traffic,
light blue is UDP traffic, and black identifies packets with errors—for example, they could have been delivered out
of order.

To view exactly what the color codes mean, click View > Coloring Rules. You can also customize and modify the
coloring rules from here, if you like.
Sample Captures

If there’s nothing interesting on your own network to inspect, Wireshark’s wiki has you covered. The wiki contains
a page of sample capture files that you can load and inspect. Click File > Open in Wireshark and browse for your
downloaded file to open one.

You can also save your own captures in Wireshark and open them later. Click File > Save to save your captured packets.

Filtering Packets
You can also click Analyze > Display Filters to choose a filter from among the default filters included in
Wireshark. From here, you can add your own custom filters and save them to easily access them in the future.

For more information on Wireshark’s display filtering language, read the Building display filter expressions page
in the official Wireshark documentation.

Another interesting thing you can do is right-click a packet and select Follow > TCP Stream.

Close the window and you’ll find a filter has been applied automatically. Wireshark is showing you the packets
that make up the conversation.
Inspecting Packets

Click a packet to select it and you can dig down to view its details.

You can also create filters from here — just right-click one of the details and use the Apply as Filter submenu to
create a filter based on it.
Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of what you can do with it.
Professionals use it to debug network protocol implementations, examine security problems and inspect network
protocol internals.
14. How to Run a Simple Nmap Scan

Step 1: Download the Nmap installer. This can be found for free from the developer’s website. It is highly
recommended that you download directly from the developer to avoid any potential viruses or fake files.
Downloading the Nmap installer includes Zenmap, the graphical interface for Nmap which makes it easy for
newcomers to perform scans without having to learn command lines.
• The Zenmap program is available for Windows, Linux, and Mac OS X. You can find the installation files
for all operating systems on the Nmap website.

Step 2: Install Nmap. Run the installer once it is finished downloading. You will be asked which components you
would like to install. In order to get the full benefit of Nmap, keep all of these checked. Nmap will not install any
adware or spyware.
Step 3: Run the "Nmap – Zenmap" GUI program. If you left your settings at default during installation, you
should be able to see an icon for it on your desktop. If not, look in your Start menu. Opening Zenmap will start the
program.

Step 4: Enter in the target for your scan. The Zenmap program makes scanning a fairly simple process. The first
step to running a scan is choosing your target. You can enter a domain (example.com), an IP address (127.0.0.1), a
network (192.168.1.0/24), or a combination of those.
Depending on the intensity and target of your scan, running an Nmap scan may be against the terms of your
internet service provider, and may land you in hot water. Always check your local laws and your ISP contract
before performing Nmap scans on targets other than your own network.
Step 5: Choose your Profile. Profiles are preset groupings of modifiers that change what is scanned. The profiles
allow you to quickly select different types of scans without having to type in the modifiers on the command line.
Choose the profile that best fits your needs:[1]
• Intense scan - A comprehensive scan. Contains Operating System (OS) detection, version detection, script
scanning, traceroute, and has aggressive scan timing. This is considered an intrusive scan.
• Ping scan - This scan simply detects if the targets are online; it does not scan any ports.
• Quick scan - This is quicker than a regular scan due to aggressive timing and only scanning select ports.
• Regular scan - This is the standard Nmap scan without any modifiers. It will ping the target and return its
open ports.

Step 6: Click Scan to start scanning. The active results of the scan will be displayed in the Nmap Output tab. The
time the scan takes will depend on the scan profile you chose, the physical distance to the target, and the target’s
network configuration.
Step 7: Read your results. Once the scan is finished, you’ll see the message "Nmap done" at the bottom of the
Nmap Output tab. You can now check your results, depending on the type of scan you performed. All of the results
will be listed in the main Nmap Output tab, but you can use the other tabs to get a better look at specific data.[2]
• Ports/Hosts - This tab will show the results of your port scan, including the services for those ports.
• Topology - This shows the traceroute for the scan you performed. You can see how many hops your data
goes through to reach the target.
• Host Details - This shows a summary of your target learned through scans, such as the number of ports, IP
addresses, hostnames, operating systems, and more.
• Scans - This tab stores the commands of your previously-run scans. This allows you to quickly re-scan with
a specific set of parameters.
15. Operating System Detection using Nmap
Service and OS detection
Nmap is one of the most popular tools used for the enumeration of a targeted host. Nmap can use scans that
provide the OS, version, and service detection for individual or multiple devices. Detection scans are critical to the
enumeration process when conducting penetration testing of a network. It is important to know where vulnerable
machines are located on the network so they can be fixed or replaced before they are attacked. Many attackers will
use these scans to figure out what payloads would be most effective on a victim's device. The OS scan works by
using the TCP/IP stack fingerprinting method. The services scan works by using the Nmap-service-probes database
to enumerate details of services running on a targeted host.
Detect OS and services
This is the command to scan and search for the OS (and the OS version) on a host. This command will provide
valuable information for the enumeration phase of your network security assessment (if you only want to detect the
operating system, type nmap -O 192.168.0.9):
nmap -A 192.168.0.9
(Screenshot: sniffers-12.jpg)

Standard service detection

This is the command to scan for running services. Nmap contains a database of about 2,200 well-known services
and their associated ports. Examples of these services are HTTP (port 80), SMTP (port 25), DNS (port 53), and SSH
(port 22):

nmap -sV 192.168.0.9

(Screenshot: sniffers-13.jpg)
More aggressive service detection
This is the command for an aggressive scan. Usually, experienced hackers will not use this command because it is
noisy and leaves a large footprint on the network. Most black hat hackers prefer to run as silently as possible:
nmap -sV --version-intensity 5 192.168.0.9
(Screenshot: sniffers-14.jpg)

Lighter banner-grabbing detection

This is the command for a light scan. A hacker will often use a light scan such as this to remain undetected. This
scan is far less noisy than an aggressive scan. Running silently and staying undetected gives the hacker a major
advantage while conducting enumeration of targeted hosts:
nmap -sV --version-intensity 0 192.168.0.9
(Screenshot: sniffers-15.jpg)

Service and OS detection depend on different techniques to determine the operating system or service running on a
certain port. A more aggressive service detection is useful if there are services running on unexpected ports,
although the lighter version of the service will be much faster and leave less of a footprint. The lighter scan does
not attempt to detect the service; it simply grabs the banner of the open service to determine what is running.
Nmap output formats
Save default output to file
This command saves the output of a scan. With Nmap, you can save the scan output in different formats:
nmap -oN outputfile.txt 192.168.0.12
(Screenshot: sniffers-16.jpg)

Save in all formats

This command allows you to save in all formats at once. The default format can also be saved to a file using a shell
redirect (> file). Using the -oN option allows the results to be saved, but also allows them to be viewed
in the terminal as the scan is being conducted:
nmap -oA outputfile 192.168.0.12
(Screenshot: sniffers-17.jpg)
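An added example (not from the manual), written in Tcl like the NS2 scripts later in this lab: it reads the greppable outputfile.gnmap that nmap -oA writes, lists the open ports with their detected services, and flags well-known services that turn up on unexpected ports, the situation the service-detection text above describes. The scan lines, the procedure names parseGnmap and unexpectedServices, and the baseline of expected port/service pairs are all constructed for this example.

```tcl
# Added example, not from the manual: parse the greppable file that
# "nmap -oA outputfile <target>" writes as outputfile.gnmap and flag services
# seen on other than their well-known port. Sample lines are constructed.
set sampleGnmap [join [list \
    "# Nmap 7.94 scan initiated as: nmap -sV -oA outputfile 192.168.0.0/24" \
    "Host: 192.168.0.12 ()\tStatus: Up" \
    "Host: 192.168.0.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 23/filtered/tcp//telnet///\tIgnored State: closed (997)" \
    "Host: 192.168.0.13 ()\tPorts: 8080/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (998)" \
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned"] "\n"]

# Baseline of well-known port/service pairs (the manual's examples plus https);
# assumed to be what the administrator expects on this network.
set expectedService {22 ssh 25 smtp 53 domain 80 http 443 https}

# Turn each "Host:" line with a Ports: field into {host port proto service version}
# records, keeping only ports whose state is "open".
proc parseGnmap {text} {
    set records {}
    foreach line [split $text "\n"] {
        if {![regexp {^Host: (\S+) \([^)]*\)\s+Ports: (.*)$} $line -> host ports]} {
            continue
        }
        regsub {\s+Ignored State:.*$} $ports {} ports
        foreach entry [split $ports ","] {
            # Entry layout: port/state/proto/owner/service/rpcinfo/version/
            lassign [split [string trim $entry] "/"] port state proto owner service rpc version
            if {$state eq "open"} {
                lappend records [list $host $port $proto $service $version]
            }
        }
    }
    return $records
}

# Flag a record when the service on a well-known port is not the expected one,
# or when a well-known service shows up on some other port (e.g. ssh on 8080).
proc unexpectedServices {records expected} {
    set flagged {}
    foreach rec $records {
        lassign $rec host port proto service version
        set wrongService [expr {[dict exists $expected $port] && [dict get $expected $port] ne $service}]
        set wrongPort 0
        dict for {p s} $expected {
            if {$s eq $service && $p ne $port} { set wrongPort 1 }
        }
        if {$wrongService || $wrongPort} { lappend flagged $rec }
    }
    return $flagged
}

set openPorts [parseGnmap $sampleGnmap]
foreach rec $openPorts { puts "open: [join $rec { }]" }
foreach rec [unexpectedServices $openPorts $expectedService] {
    puts "review: [join $rec { }] is not on its well-known port"
}
```

With the constructed sample, the SSH service on port 8080 of 192.168.0.13 is the only record flagged for review; the filtered telnet port is skipped because it is not open.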

Scan using a specific NSE script

This command checks whether the host is vulnerable to the Heartbleed attack. The Heartbleed attack exploits a
vulnerability found in older, unpatched versions of OpenSSL:
nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.1
(Screenshot: sniffers-18.jpg)

Scan with a set of scripts

This command is useful when searching for multiple types of attack. Using multiple scripts will save time and
allow for better efficiency while monitoring the network. You can also use the following command to scan a whole
subnet for Heartbleed:
nmap -sV -p 443 --script=ssl-heartbleed 192.168.0.13/24
It is important to keep an updated database of current scripts. To update the Nmap script database, type the
command nmap --script-updatedb. The following screenshot demonstrates the screen you will see when you run
this command:
(Screenshot: sniffers-19.png)

16. Do the following using NS2 Simulator


i. NS2 Simulator - Introduction
AIM: To study the NS2 simulator in detail.
THEORY: Network Simulator (Version 2), widely known as NS2, is an event-driven simulation tool that
has proved useful in studying the dynamic nature of communication networks. Simulation of wired as well as
wireless network functions and protocols (e.g., routing algorithms, TCP, UDP) can be done using NS2. In general,
NS2 provides users with a way of specifying such network protocols and simulating their corresponding behaviors.
Due to its flexibility and modular nature, NS2 has gained constant popularity in the networking research
community since its birth in 1989. Ever since, several revolutions and revisions have marked the growing maturity
of the tool, thanks to substantial contributions from the players in the field. Among these are the University of
California and Cornell University, who developed the REAL network simulator, the foundation on which NS is based.
Since 1995 the Defense Advanced Research Projects Agency (DARPA) has supported development of NS through
the Virtual Inter Network Testbed (VINT) project. Currently the National Science Foundation (NSF) has joined
the ride in development. Last but not least, the group of researchers and developers in the community are
constantly working to keep NS2 strong and versatile.
BASIC ARCHITECTURE:

NS2 provides users with an executable command ns which takes as its input argument the name of a Tcl simulation
scripting file. Users feed the name of a Tcl simulation script (which sets up a simulation) as the input
argument of the NS2 executable command ns.
In most cases, a simulation trace file is created and is used to plot graphs and/or to create an animation. NS2 consists
of two key languages: C++ and Object-oriented Tool Command Language (OTcl). While the C++ defines the
internal mechanism (i.e., a backend) of the simulation objects, the OTcl sets up the simulation by assembling and
configuring the objects as well as scheduling discrete events (i.e., a frontend).

Tcl scripting

Tcl is a general purpose scripting language. [Interpreter]

• Tcl runs on most platforms, such as Unix, Windows, and Mac.
• The strength of Tcl is its simplicity.
• It is not necessary to declare a data type for a variable prior to its usage.

Basics of TCL

Syntax: command arg1 arg2 arg3

Hello World!

puts stdout {Hello, World!}
Hello, World!

Variables:
set a 5
set b $a

Command Substitution:
set len [string length foobar]
set len [expr [string length foobar] + 9]

Wired TCL Script Components

• Create the event scheduler
• Open new files & turn on the tracing
• Create the nodes
• Setup the links
• Configure the traffic type (e.g., TCP, UDP, etc.)
• Set the time of traffic generation (e.g., CBR, FTP)
• Terminate the simulation

NS Simulator Preliminaries.

1. Initialization and termination aspects of the ns simulator.
2. Definition of network nodes, links, queues and topology.
3. Definition of agents and of applications.
4. The nam visualization tool.
5. Tracing and random variables.

Initialization and Termination of TCL Script in NS-2

An ns simulation starts with the command

set ns [new Simulator]

which is thus the first line in the Tcl script. This line declares a new variable using the set command; you can
name this variable as you wish, but in general people call it ns because it is an instance of the Simulator
class. The code [new Simulator] is indeed the instantiation of the class Simulator using the reserved
word new.

In order to have output files with data on the simulation (trace files) or files used for visualization (nam files),
we need to create the files using the open command:
#Open the Trace file
set tracefile1 [open out.tr w]
$ns trace-all $tracefile1

#Open the NAM trace file
set namfile [open out.nam w]
$ns namtrace-all $namfile
The above creates a data trace file called out.tr and a nam visualization trace file called out.nam.
Within the Tcl script, these files are not referred to explicitly by their names, but instead by the handles
declared above, called tracefile1 and namfile respectively. Note that the comment lines begin with a
# symbol. The second line opens the file out.tr for writing, declared with the letter w.
The third line uses a simulator method called trace-all that takes as parameter the handle of the file
where the traces will go.
Define a "finish" procedure
proc finish {} {
    global ns tracefile1 namfile
    $ns flush-trace
    close $tracefile1
    close $namfile
    exec nam out.nam &
    exit 0
}

Definition of a network of links and nodes


The way to define a node is

set n0 [$ns node]

Once we define several nodes, we can define the links that connect them. An example of a
definition of a link is:

$ns duplex-link $n0 $n2 10Mb 10ms DropTail

which means that $n0 and $n2 are connected using a bi-directional link that has 10ms of
propagation delay and a capacity of 10Mb per sec in each direction.
To define a unidirectional link instead of a bi-directional one, we should replace duplex-link by
simplex-link.
In ns, an output queue of a node is implemented as a part of each link whose input is that node.
We should also define the buffer capacity of the queue related to each link. An example would be:

#set Queue Size of link (n0-n2) to 20
$ns queue-limit $n0 $n2 20

FTP over TCP

TCP is a dynamic reliable congestion control protocol. It uses acknowledgements created by
the destination to know whether packets are well received.
There are a number of variants of the TCP protocol, such as Tahoe, Reno, NewReno and Vegas. The type
of agent appears in the first line:
set tcp [new Agent/TCP]

The command $ns attach-agent $n0 $tcp defines the source node of the TCP connection.
The command set sink [new Agent/TCPSink] defines the behavior of the destination node of
TCP and assigns to it a pointer called sink.

#Setup a UDP connection
set udp [new Agent/UDP]
$ns attach-agent $n1 $udp
set null [new Agent/Null]
$ns attach-agent $n5 $null
$ns connect $udp $null
$udp set fid_ 2

The command $ns attach-agent $n4 $sink defines the destination node. The command $ns connect
$tcp $sink finally makes the TCP connection between the source and destination nodes.

#setup a CBR over UDP connection

The below shows the definition of a CBR application using a UDP agent:

set cbr [new Application/Traffic/CBR]
$cbr attach-agent $udp
$cbr set packetsize_ 100
$cbr set rate_ 0.01Mb
$cbr set random_ false

TCP has many parameters with fixed default values that can be changed if mentioned explicitly.
For example, the default TCP packet size is 1000 bytes. This can be changed to another value,
say 552 bytes, using the command $tcp set packetSize_ 552.
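The pieces described in this section assembled into one complete script, as an added example that is not part of the original manual; the six-node topology, the 1Mb bottleneck link between n2 and n3, and the 5-second schedule are assumptions made for this example.

```tcl
# Added example (not from the manual); topology and timeline are assumptions.
set ns [new Simulator]
#Open the trace file and the NAM trace file
set tracefile1 [open out.tr w]
$ns trace-all $tracefile1
set namfile [open out.nam w]
$ns namtrace-all $namfile
#Define the finish procedure: flush traces, close files, launch nam
proc finish {} {
    global ns tracefile1 namfile
    $ns flush-trace
    close $tracefile1
    close $namfile
    exec nam out.nam &
    exit 0
}
#Create the nodes: n0/n1 send, n2-n3 is the bottleneck, n4/n5 receive
foreach i {0 1 2 3 4 5} { set n$i [$ns node] }
#Setup the links and limit the bottleneck queue to 20 packets
$ns duplex-link $n0 $n2 10Mb 10ms DropTail
$ns duplex-link $n1 $n2 10Mb 10ms DropTail
$ns duplex-link $n2 $n3 1Mb 20ms DropTail
$ns duplex-link $n3 $n4 10Mb 10ms DropTail
$ns duplex-link $n3 $n5 10Mb 10ms DropTail
$ns queue-limit $n2 $n3 20
#Setup a TCP connection n0 -> n4 carrying FTP
set tcp [new Agent/TCP]
$ns attach-agent $n0 $tcp
set sink [new Agent/TCPSink]
$ns attach-agent $n4 $sink
$ns connect $tcp $sink
$tcp set fid_ 1
$tcp set packetSize_ 552
set ftp [new Application/FTP]
$ftp attach-agent $tcp
#Setup a UDP connection n1 -> n5 carrying CBR
set udp [new Agent/UDP]
$ns attach-agent $n1 $udp
set null [new Agent/Null]
$ns attach-agent $n5 $null
$ns connect $udp $null
$udp set fid_ 2
set cbr [new Application/Traffic/CBR]
$cbr attach-agent $udp
$cbr set packetsize_ 100
$cbr set rate_ 0.01Mb
$cbr set random_ false
#Schedule the traffic and the end of the simulation
$ns at 0.1 "$cbr start"
$ns at 1.0 "$ftp start"
$ns at 4.0 "$ftp stop"
$ns at 4.5 "$cbr stop"
$ns at 5.0 "finish"
$ns run
```

Run it with ns followed by the script name; out.tr holds the trace events and nam opens out.nam when finish runs.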
