Traffic Analysis 1
Motivation for Network Monitoring
Essential for network management
◦ Router and firewall policy
◦ Detecting abnormal behaviour and errors in the network
◦ Access control
Security management
◦ Detecting abnormal traffic
◦ Traffic logs kept for later forensic analysis
Tools Overview
Tcpdump
◦ Unix command-line tool that captures packets from an interface (or reads a saved capture file)
◦ Supports capture filters so that only the packets of interest are kept
Tshark
◦ Tcpdump-like capture program that comes with Wireshark
◦ Very similar behaviour and flags to tcpdump, plus Wireshark's protocol dissectors and display filters
Wireshark
◦ GUI that captures and decodes packet traces, and reads traces saved by tcpdump/tshark
Tcpdump example
• Ran tcpdump on a Unix machine
• You can try it on your Kali Linux VM
• First few lines of the output (host names come from reverse DNS lookups; add -n to print addresses instead and avoid the lookups):
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
• Each line reads: timestamp, protocol, source host.port > destination host.port, TCP flags ("." = none of SYN/FIN/PSH/RST/URG set, "P" = PSH), sequence range with payload length in bytes, ack number and advertised window. The first segment tcpdump sees on a connection is printed with absolute sequence and ack numbers; later segments are printed relative to it.
Similar Output from Tshark
1190003744.940437 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48
1190003744.940916 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48
1190003744.955764 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=48 Ack=48 Win=65514 Len=0 TSV=445871583 TSER=632535493
1190003745.035678 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48
1190003745.036004 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48
1190003745.050970 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=96 Ack=96 Win=65514 Len=0 TSV=445871583 TSER=632535502
Here tshark prints epoch timestamps (-t e), labels each packet with the protocol its dissectors recognised (SSH rather than just TCP), and shows relative Seq/Ack numbers; TSV and TSER are the TCP timestamp option values.
Filters
We are usually not interested in every packet flowing through the network
Use a capture filter (tcpdump/BPF syntax) so that only the packets of interest are recorded
Example
1. Capture only UDP packets
• tcpdump "udp"
2. Capture only TCP packets
• tcpdump "tcp"
Example (contd.)
1. Capture only UDP packets with destination port 53 (DNS requests)
• tcpdump "udp dst port 53"
2. Capture only UDP packets with source port 53 (DNS replies)
• tcpdump "udp src port 53"
3. Capture only UDP packets with source or destination port 53 (DNS requests and replies)
• tcpdump "udp port 53"
Example (contd.)
1. Capture only packets destined to longwood.eecs.ucf.edu
• tcpdump "dst host longwood.eecs.ucf.edu"
2. Capture both DNS packets and TCP packets to/from longwood.eecs.ucf.edu
• tcpdump "(tcp and host longwood.eecs.ucf.edu) or udp port 53"
Note that a bare "port 53" (without the udp qualifier) matches both TCP and UDP traffic on that port, and that "and" binds tighter than "or", which is why the parentheses above are needed.
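To make the semantics of these capture filters concrete, here is an added example (not code from the slides) that decodes raw IPv4/TCP/UDP packets and evaluates the subset of the tcpdump filter language used above: tcp, udp, [src|dst] host, [src|dst] port, and/or/not with parentheses, plus the shorthand "udp port 53". The packets, addresses and ports are constructed for the example; hosts are given as IPv4 addresses because no DNS lookups are done here.

```python
"""Mini evaluator for tcpdump/BPF capture-filter expressions (added example)."""
import socket
import struct


def ipv4_packet(proto, src, dst, sport, dport):
    """Build a minimal IPv4 header plus a TCP (6) or UDP (17) header stub."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == 6 else 4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def decode(raw):
    """Extract the fields the filter language can test from a raw IPv4 packet."""
    ihl = (raw[0] & 0x0F) * 4            # IPv4 header length in bytes
    pkt = {"proto": raw[9],
           "src": socket.inet_ntoa(raw[12:16]),
           "dst": socket.inet_ntoa(raw[16:20]),
           "sport": None, "dport": None}
    if pkt["proto"] in (6, 17):          # TCP and UDP both start with src/dst port
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
    return pkt


class _Parser:
    """Recursive-descent parser turning a filter string into a predicate.
    Precedence, lowest to highest: or, and, not (as in tcpdump)."""

    def __init__(self, text):
        self.toks = text.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):
        left = self.term()
        while self.peek() in ("or", "||"):
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.term())
        return left

    def term(self):
        left = self.factor()
        while self.peek() in ("and", "&&"):
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.factor())
        return left

    def factor(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.factor()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive()

    def primitive(self):
        tok = self.take()
        if tok in ("tcp", "udp"):
            proto = 6 if tok == "tcp" else 17
            base = lambda p: p["proto"] == proto
            if self.peek() in ("src", "dst", "port"):   # BPF shorthand "udp dst port 53"
                rest = self.primitive()
                return lambda p: base(p) and rest(p)
            return base
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok in ("host", "port"):
            value = self.take() if tok == "host" else int(self.take())
            fields = {"host": ("src", "dst"), "port": ("sport", "dport")}[tok]
            keys = fields if direction is None else (fields[0] if direction == "src" else fields[1],)
            return lambda p: any(p[k] == value for k in keys)
        raise ValueError(f"unsupported token {tok!r}")


def compile_filter(text):
    parser = _Parser(text)
    pred = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return pred


def matching(packets, text):
    """Indices of the raw packets that the filter expression selects."""
    pred = compile_filter(text)
    return [i for i, raw in enumerate(packets) if pred(decode(raw))]


# Constructed sample capture: a DNS exchange, an SSH segment, an HTTP segment and NTP.
PACKETS = [
    ipv4_packet(17, "10.0.0.5", "10.0.0.1", 40123, 53),   # 0: DNS query
    ipv4_packet(17, "10.0.0.1", "10.0.0.5", 53, 40123),   # 1: DNS reply
    ipv4_packet(6, "10.0.0.5", "10.0.0.9", 52000, 22),    # 2: SSH
    ipv4_packet(6, "10.0.0.7", "10.0.0.8", 3456, 80),     # 3: HTTP
    ipv4_packet(17, "10.0.0.7", "10.0.0.8", 5000, 123),   # 4: NTP
]

if __name__ == "__main__":
    for expr in ("udp", "tcp", "udp dst port 53", "udp src port 53", "udp port 53",
                 "dst host 10.0.0.9", "(tcp and host 10.0.0.9) or udp port 53", "port 53"):
        print(f"{expr:45s} -> packets {matching(PACKETS, expr)}")
```

Running the script lists which of the five constructed packets each slide filter keeps; the last line shows that "port 53" without a protocol qualifier matches the DNS packets in both directions regardless of transport.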
Running tcpdump
Capturing from a live interface requires root (or, on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities); reading a saved capture with tcpdump -r needs no special privileges
◦ http://www.tcpdump.org/
◦ You can do it on your own Unix machine
◦ You can install a Linux OS in VMware/VirtualBox on your Windows machine
So What is Wireshark?
Packet sniffer/protocol analyzer
Open-source network tool
Successor to the Ethereal tool (the project was renamed Wireshark in 2006)
What is TShark?
The command-line packet capture and analysis tool shipped with Wireshark
Uses the same protocol dissectors and display-filter syntax as the Wireshark GUI
Network Layered Structure
(figure: What is the Internet? Physical link, network and IP layers)
Wireshark Interface
Status Bar
Capture Options
Promiscuous mode is used to capture all traffic on the segment, not only frames addressed to this host
Display Filter examples (Wireshark field syntax, which differs from the tcpdump capture-filter syntax):
ip
tcp.port==80 || tcp.port==3389
tcp.dstport == 80
TCP segment structure
Header layout, 32 bits per row:
  source port # | dest port #
  sequence number (counts bytes of data, not segments)
  acknowledgement number
  head len | not used | U A P R S F | receive window (# bytes receiver is willing to accept)
  checksum (Internet checksum, as in UDP) | urgent data pointer
  options (variable length)
  application data (variable length)
Flag bits:
  URG: urgent data (generally not used)
  ACK: ACK # valid
  PSH: push data now (generally not used)
  RST, SYN, FIN: connection establishment (setup, teardown commands)
Display Filter
Protocol.field (optional settings):
◦ Fields (sub-categories) inside a protocol
◦ In the filter expression dialog, look for the protocol and click the "+" character to expand its fields
◦ Examples:
◦ tcp.srcport == 80
◦ tcp.flags == 2
 SYN packet with no other flag set (exact match on the whole flags field)
 "tcp.flags.syn == 1" also works, but it tests only the SYN bit, so it matches SYN/ACK as well
◦ tcp.flags == 18
 SYN/ACK (0x12: SYN bit 0x02 plus ACK bit 0x10)
Save Filtered Packets in Wireshark Format After Using Display Filter
We can also save only the displayed (filtered) packets in the original capture format for further analysis
Operation: File > Export Specified Packets..., then choose "Displayed" rather than "All packets" before saving
Protocol Hierarchy
Follow TCP Stream
red: data from the client (the side that opened the connection) to the server; blue: data from the server back to the client
Filter Out/In a Single TCP Stream
When you click "Filter Out This Stream" in the Follow TCP Stream window, the display filter becomes something like:
◦ http and !(tcp.stream eq 5)
So, if you use "tcp.stream eq 5" as the filter string, you keep just this HTTP session
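The following added example (not code from the slides) models how the display filters from the two slides above behave: the exact-match tcp.flags == 2 / == 18 versus the bit-test tcp.flags.syn == 1, and tcp.stream eq N, including how Wireshark assigns stream numbers (from 0, in order of first appearance, keyed on the unordered pair of (address, port) endpoints so both directions share one number). The segments, addresses and ports are constructed; one simplification is assumed and noted in the code.

```python
"""Display-filter semantics for tcp.flags and tcp.stream (added example)."""
from dataclasses import dataclass

# Bit values of the tcp.flags field, low bit first.
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80}


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    stream: int = -1      # filled in by assign_streams


def assign_streams(segments):
    """Give each segment the tcp.stream index of its conversation.
    Assumption: a 4-tuple that reappears keeps its number; Wireshark instead
    starts a new stream once it has seen the earlier connection close."""
    seen = {}
    for seg in segments:
        key = frozenset([(seg.src, seg.sport), (seg.dst, seg.dport)])
        seg.stream = seen.setdefault(key, len(seen))
    return segments


def flag_names(value):
    """Names of the bits set in a tcp.flags value, e.g. 18 -> ['syn', 'ack']."""
    return [name for name, bit in FLAG_BITS.items() if value & bit]


def flags_eq(value):          # tcp.flags == value   (whole field must match)
    return lambda s: s.flags == value


def flag_set(name):           # tcp.flags.<name> == 1 (only that bit is tested)
    return lambda s: bool(s.flags & FLAG_BITS[name])


def stream_eq(n):             # tcp.stream eq n
    return lambda s: s.stream == n


def not_(pred):               # !(...)
    return lambda s: not pred(s)


def select(segments, pred):
    """Indices of the segments a display-filter predicate keeps."""
    return [i for i, s in enumerate(segments) if pred(s)]


# Constructed capture: an SSH handshake plus data, then a short HTTP connection.
SEGMENTS = assign_streams([
    Segment("10.0.0.5", 40001, "10.0.0.9", 22, 0x02),   # 0 SYN
    Segment("10.0.0.9", 22, "10.0.0.5", 40001, 0x12),   # 1 SYN/ACK
    Segment("10.0.0.5", 40001, "10.0.0.9", 22, 0x10),   # 2 ACK
    Segment("10.0.0.5", 40001, "10.0.0.9", 22, 0x18),   # 3 PSH/ACK
    Segment("10.0.0.5", 40002, "10.0.0.8", 80, 0x02),   # 4 SYN
    Segment("10.0.0.8", 80, "10.0.0.5", 40002, 0x12),   # 5 SYN/ACK
    Segment("10.0.0.5", 40002, "10.0.0.8", 80, 0x10),   # 6 ACK
    Segment("10.0.0.5", 40002, "10.0.0.8", 80, 0x18),   # 7 PSH/ACK (request)
    Segment("10.0.0.8", 80, "10.0.0.5", 40002, 0x11),   # 8 FIN/ACK
])

if __name__ == "__main__":
    print("tcp.flags == 2      ->", select(SEGMENTS, flags_eq(2)))
    print("tcp.flags.syn == 1  ->", select(SEGMENTS, flag_set("syn")))
    print("tcp.flags == 18     ->", select(SEGMENTS, flags_eq(18)))
    print("tcp.stream eq 1     ->", select(SEGMENTS, stream_eq(1)))
    print("!(tcp.stream eq 1)  ->", select(SEGMENTS, not_(stream_eq(1))))
    print("flags 0x12 are", flag_names(0x12))
```

The point to take away: tcp.flags == 2 keeps only the two initial SYNs, while tcp.flags.syn == 1 keeps the SYN/ACKs too, so the two are not interchangeable when you are counting connection attempts; tcp.stream eq 1 keeps both directions of the HTTP connection, which is what Follow TCP Stream reassembles.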
Expert Info
Conversations
Use the "Copy" button to copy the whole table to the clipboard
Basic usage of grep
Command-line text-search program on Linux (command names are case-sensitive: grep, not Grep)
Some useful usage:
◦ grep 'word' filename # print lines containing 'word'
◦ grep -v 'word' filename # print lines not containing 'word'
◦ grep '^word' filename # print lines beginning with 'word'
◦ grep 'word' filename > file2 # write lines containing 'word' to file2
◦ ls -l | grep rwxrwxrwx # list files whose mode is rwxrwxrwx (readable, writable and executable by everyone)
◦ grep '^[0-4]' filename # print lines beginning with any digit from 0 to 4
◦ grep -c 'word' filename # count the lines containing 'word'
◦ grep -i 'word' filename # match 'word' regardless of case
Many tutorials on grep online
◦ http://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/
◦ http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/
On-line Wireshark Trace Files
Publicly available .pcap files:
◦ http://www.netresec.com/?page=PcapFiles
◦ http://www.tp.org/jay/nwanalysis/traces/Lab%20Trace%20Files/
Example Trace File and Questions
SharkFest'15 Packet Challenge
◦ https://sharkfestus.wireshark.org/sf15
◦ https://sharkfest.wireshark.org/assets/presentations15/packetchallenge.zip