An Introduction To Network Analyzers New

Network analyzers are tools used to capture and analyze network traffic. They allow monitoring of network activity to identify issues like slowdowns, detect patterns in traffic flow between nodes, and more. Common network analyzers include Wireshark, Windump, and Etherpeak. They work by passively capturing network packets and decoding the packet contents. The captured data can then be analyzed in real-time or stored for later review. Network analyzers are used by system administrators to troubleshoot problems and understand performance, as well as by malicious actors to intercept private information or map out target networks.

Uploaded by

padmaiyer
Copyright
© Attribution Non-Commercial (BY-NC)

An introduction to Network Analyzers
Dr. Farid Farahmand
3/23/2009

Network Analysis and Sniffing
- Process of capturing, decoding, and analyzing network traffic
  - Why is the network slow?
  - What is the network traffic pattern?
  - How is the traffic being shared between nodes?
- Also known as
  - traffic analysis, protocol analysis, sniffing, packet analysis, eavesdropping*, etc.

*Listen secretly to what is said in private!



Network Analyzer
- A combination of hardware and software tools that can detect, decode, and manipulate traffic on the network
  - Passive monitoring (detection): difficult to detect
  - Active (attack)
- Available both free and commercially
- Mainly software-based (utilizing OS and NIC)
- Also known as sniffer
  - A program that monitors the data traveling through the network passively
- Common network analyzers
  - Wireshark / Ethereal
  - Windump
  - Etherpeak
  - Dsniff
  - And much more….
Read: "Basic Packet-Sniffer Construction from the Ground Up!" by Chad Renfro. Check out his program: sniff.c

Network Analyzer Components
Capturing the data is easy! The question is what to do with it!
- Hardware
  - Special hardware devices
    - Monitoring voltage fluctuation
    - Jitter (random timing variation)
    - Jabber (failure to handle electrical signals)
    - CRC and Parity Errors
  - NIC Card
- Capture driver
  - capturing the data
- Buffer
  - memory or disk-based
- Real-time analysis
  - analyzing the traffic in real time; detecting any intrusions
- Decoder
  - making data readable

Who Uses Network Analyzers
- System administrators
  - Understand system problems and performance
- Malicious individuals (intruders)
  - Capture cleartext data
  - Passively collect data on vulnerable protocols
    - FTP, POP3, IMAP, SMTP, rlogin, HTTP, etc.
  - Capture VoIP data
  - Mapping the target network
    - Traffic pattern discovery
  - Actively break into the network (backdoor techniques)

Basic Operation
- Ethernet traffic is broadcast to all nodes on the same segment
- Sniffer can capture all the incoming data when the NIC is in promiscuous mode:
  - ifconfig eth0 promisc
  - ifconfig eth0 -promisc
  - Default setup is non-promiscuous (only receives the data destined for the NIC)
- Remember: a hub receives all the data!
- If switches are used the sniffer must perform port spanning
  - Also known as port mirroring
  - The traffic to each port is mirrored to the sniffer
Port Monitoring (figure)

Protecting Against Sniffers
Remember: MAC address (HWaddr) = Vendor Address + Unique NIC #, e.g. 00:01:02:03:04:05
- Spoofing the MAC is often referred to as changing the MAC address (in Linux):
  - ifconfig eth0 down
  - ifconfig eth0 hw ether 00:01:02:03:04:05
  - ifconfig eth0 up
  - Register the new MAC address by broadcasting it
    - ping -c 1 -b 192.168.1.1
- To detect a sniffer (Linux)
  - Download Promisc.c
  - ifconfig -a (search for PROMISC)
  - ip link (search for PROMISC)
- To detect a sniffer (Windows)
  - Download PromiscDetect

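An added example (not from the slides) that automates the "search for PROMISC" step above: it parses the flag list that `ip link` prints and, on a Linux host, reads each interface's kernel flags from sysfs, where IFF_PROMISC is bit 0x100. The sample `ip link` output and the interface names in it are constructed.

```python
"""Detect interfaces in promiscuous mode by reading the flags that
`ip link` prints and the per-interface flags file in sysfs."""
import os
import re

# Kernel interface flag bit for promiscuous mode (IFF_PROMISC in <linux/if.h>).
IFF_PROMISC = 0x100

# Constructed sample of `ip link` output: eth0 has PROMISC set, lo does not.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
    link/ether 00:01:02:03:04:05 brd ff:ff:ff:ff:ff:ff
"""

# Matches the "N: name: <FLAG,FLAG,...>" prefix of each interface line.
_LINK_RE = re.compile(r"^\d+: (?P<name>[^:@]+)(?:@\S+)?: <(?P<flags>[^>]*)>", re.M)


def promisc_from_ip_link(output: str) -> list:
    """Return the names of interfaces whose flag list contains PROMISC."""
    return [m.group("name") for m in _LINK_RE.finditer(output)
            if "PROMISC" in m.group("flags").split(",")]


def promisc_from_sysfs(sys_net: str = "/sys/class/net") -> list:
    """Return interfaces whose kernel flags have IFF_PROMISC set.
    Reads /sys/class/net/<iface>/flags (a hex string); returns [] when
    sysfs is unavailable, e.g. on a non-Linux host."""
    found = []
    try:
        names = os.listdir(sys_net)
    except OSError:
        return found
    for name in names:
        try:
            with open(os.path.join(sys_net, name, "flags")) as fh:
                flags = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue
        if flags & IFF_PROMISC:
            found.append(name)
    return found


if __name__ == "__main__":
    print("PROMISC (sample ip link output):", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("PROMISC (this host, via sysfs):", promisc_from_sysfs())
```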
Protecting Against Sniffers
Remember: Never use unauthorized Sniffers at work!
- Using switches can help
- Use encryption
  - Making the intercepted data unreadable
  - Note: in many protocols the packet headers are cleartext!
- VPNs use encryption and authorization for secure communications
- VPN Methods
  - Secure Shell (SSH): headers are not encrypted
  - Secure Sockets Layer (SSL): high network level packet security; headers are not encrypted
  - IPsec: Encrypted headers but does not use TCP or UDP

What is Wireshark?
Remember: You must have a good understanding of the network before you use Sniffers effectively!
- Formerly called Ethereal
- An open source program
  - free with many features
- Decodes over 750 protocols
- Compatible with many other sniffers
- Plenty of online resources are available
- Supports command-line and GUI interfaces
- TSHARK (offers command line interface) has three components
  - Editcap (similar to Save as.., to translate the format of captured packets)
  - Mergecap (combine multiple saved capture files)
  - Text2pcap (reads ASCII hexdump captures and writes the data into a libpcap output file)

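An added example, not part of the original slides or of Wireshark itself, that shows what Text2pcap does: it parses a small constructed ASCII hexdump of one Ethernet frame into packet bytes, writes them in the libpcap file format (a 24-byte global header plus a 16-byte record header per packet), and reads the result back.

```python
"""Minimal text2pcap-style conversion: ASCII hexdump -> libpcap bytes -> packets."""
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

# Constructed hexdump of one 42-byte ARP request frame in text2pcap's
# "offset, then bytes" layout; offset 0 starts a new packet.
SAMPLE_HEXDUMP = """\
000000 ff ff ff ff ff ff 00 01 02 03 04 05 08 06 00 01
000010 08 00 06 04 00 01 00 01 02 03 04 05 c0 a8 01 64
000020 00 00 00 00 00 00 c0 a8 01 01
"""


def parse_hexdump(text: str) -> list:
    """Return one bytes object per packet found in the hexdump text."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            offset = int(parts[0], 16)
        except ValueError:
            continue                      # not an offset line; skip it
        if offset == 0 and current:       # a new packet begins
            packets.append(bytes(current))
            current = bytearray()
        current += bytes(int(tok, 16) for tok in parts[1:] if HEX_BYTE.match(tok))
    if current:
        packets.append(bytes(current))
    return packets


def write_pcap(packets: list, ts_sec: int = 0) -> bytes:
    """Serialise packets as a libpcap file: global header, then record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):    # ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", ts_sec, i, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data: bytes) -> list:
    """Parse libpcap bytes (as written above) back into packet payloads."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    packets, pos = [], 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[pos:pos + 16])[2]
        packets.append(data[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    return packets
```

Running `open("constructed.pcap", "wb").write(write_pcap(parse_hexdump(SAMPLE_HEXDUMP)))` produces a file that Wireshark opens as a single ARP frame.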
Installing Wireshark
- Download the program from
  - www.wireshark.org/download.html
- Requires installing capture drivers (they monitor ports and capture all traveling packets)
  - Linux: libpcap
  - Windows: winpcap (www.winpcap.org)
- Typically the file is in TAR format (Linux)
- To install in Linux
  - rpm -ivh libpcap-0.9.4-8.1.i386.rpm (install libpcap RPM)
  - rpm -q libpcap (query libpcap RPM)
  - tar -zxvf libpcap-0.9.5.tar.gz
  - ./configure
  - make
  - sudo make install


Installing Wireshark
- Log in as the 'root' user
- Insert Fedora Core 4 Disk #4
- Navigate to the following folder on the disk: /Fedora/RPMS
- Locate packages
  - ethereal-0.10.11-2.i386.rpm
  - ethereal-gnome-0.10.11-2.i386.rpm
- Copy the above packages to your system
- Change directory to the packages location
  - cd <package_dir>
- Install Ethereal
  - rpm -ivh ethereal-0.10.11-2.i386.rpm
- Install Ethereal GNOME user interface
  - rpm -ivh ethereal-gnome-0.10.11-2.i386.rpm
Packages that are needed for installation:
- Ethereal (available in Fedora Core 4 disk #4)
  - ethereal-0.10.11-2.i386.rpm
- Ethereal GNOME User Interface
  - ethereal-gnome-0.10.11-2.i386.rpm

Wireshark Window (annotated screenshot)
Labeled areas: Menu Bar, Tool Bar, Filter Bar, Summary Window, Protocol Tree Window, Data View Window.
Callouts: Info field; packet number 8 – BGP (Border Gateway Prot); Protocol Tree Window: details of the selected packet (#8); Raw data (content of packet #8); Filtering BGP packets only.

We continue in the lab….
- Download the following files and copy them in your HW:
  - bgp_test
  - tcp_stream_analysis
  - follow_tcp_stream

A Little about Protocols…
- Protocols are standards for communications
- Ethernet is the most popular protocol standard to enable computer communication
  - Based on shared medium and broadcasting
- Ethernet address is called MAC address
  - 48 bit HW address coded in the ROM of the NIC card
  - The first 12 bits represent the vendor
  - The second 12 bits represent the serial number
  - Use: arp -a
- Remember: IP address is logical addressing
  - Network layer is in charge of routing
  - Use: ipconfig

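An added example, not from the slides, of the decoder step from the components slide applied to the addressing described here: it parses a constructed Ethernet frame carrying an IPv4 header and splits each 48-bit MAC into its IEEE OUI (the first three octets) and NIC-specific part, also reporting the U/L bit, which is set when an address was assigned locally (for instance with `ifconfig eth0 hw ether`) rather than burned into the NIC ROM.

```python
"""Decode Ethernet + IPv4 headers of a raw frame and describe each MAC."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed frame: 14-byte Ethernet header + 20-byte IPv4 header, no payload.
SAMPLE_FRAME = bytes.fromhex(
    "000102030405"            # dst MAC (the slide's example address)
    "020000aabbcc"            # src MAC with the locally administered bit set
    "0800"                    # EtherType: IPv4
    "45000028000040004006"    # ver/ihl, tos, total len 40, id, flags, ttl 64, proto TCP
    "0000"                    # header checksum (left zero in this constructed sample)
    "c0a80164"                # src 192.168.1.100
    "c0a80101"                # dst 192.168.1.1
)


def describe_mac(mac: bytes) -> dict:
    """Split a MAC into OUI and NIC parts and report its I/G and U/L bits."""
    return {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "oui": mac[:3].hex(),                          # vendor part (IEEE OUI)
        "nic": mac[3:].hex(),                          # vendor-assigned serial part
        "multicast": bool(mac[0] & 0x01),              # I/G bit
        "locally_administered": bool(mac[0] & 0x02),   # U/L bit
    }


def decode_frame(frame: bytes) -> dict:
    """Return Ethernet fields and, for IPv4, addresses, TTL and transport protocol."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": describe_mac(dst), "src": describe_mac(src), "ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        info["ip"] = {
            "header_len": (frame[14] & 0x0F) * 4,
            "ttl": frame[22],
            "protocol": IPPROTO_NAMES.get(frame[23], str(frame[23])),
            "src": ".".join(str(b) for b in frame[26:30]),
            "dst": ".".join(str(b) for b in frame[30:34]),
        }
    return info


if __name__ == "__main__":
    print(decode_frame(SAMPLE_FRAME))
```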
OSI Model
- Physical
- Data link; sublayers:
  - MAC: Physical addressing: moving packets from one NIC card to another
  - LLC (Logical Link Control): Flow control and error control
- Network
  - Logical addressing (IP protocol)
- Transport
  - Provides reliable end-to-end transport
  - Can be connectionless (UDP) or connection oriented (TCP)
  - Connection oriented requires ACK
