© 2010 Cisco Systems, Inc. All rights reserved. 1 CREATE Re-Tooling Exploring Protocols with Wireshark March 12, 2011 CREATE CATC and Ohlone College


CREATE Re-Tooling

Exploring Protocols with Wireshark

March 12, 2011

CREATE CATC and Ohlone College

INTRODUCTIONS

Karen Stanton, College of the Canyons

Michael McKeever, Santa Rosa Junior College

Danijela Babic, Ohlone College

Laura Chappell, Wireshark University

Before we start…

Parking

Restrooms

Other?

AGENDA

Introduction to Wireshark

Capturing Traffic

Filtering Examples

Analyzing Protocols


INTRODUCTION TO WIRESHARK

What is Wireshark?

“Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible.

You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).”

Source: Wireshark User’s Guide http://www.wireshark.org


Wireshark’s features

Available for UNIX and Windows.

Capture live packet data from a network interface.

Display packets with very detailed protocol information.

Open and Save packet data captured.

Import and Export packet data from and to a lot of other capture programs.

Filter packets on many criteria.

Search for packets on many criteria.

Colorize packet display based on filters.

Create various statistics.

... and a lot more!


Another Resource!

Wireshark Wiki

http://wiki.wireshark.org/FrontPage


Wireshark main window


CAPTURING TRAFFIC


Are you allowed to capture traffic?

Ensure that you are allowed to capture packets from the network you are working on! For example, corporate policies or applicable law might prevent you from capturing on the network you're using!

If you have to change network cabling to start a capture, ensure that you are allowed to do so! Network administrators and other people are usually not amused with re-arrangements to "their" network.

http://wiki.wireshark.org/CaptureSetup

General setup

You need to have root / Administrator privileges to start a live capture.

You need to choose the right network interface to capture packet data from.

You need to capture at the right place in the network to see the traffic you want to see.

Ways to start capturing traffic

You can get an overview of the available local interfaces using the "Capture Interfaces" dialog box. You can start a capture from this dialog box, using (one of) the "Capture" button(s).

You can start capturing using the "Capture Options" dialog box.

If you have selected the right capture options before, you can immediately start a capture using the "Capture Start" menu / toolbar item. The capture process will start immediately.

If you already know the name of the capture interface, you can start Wireshark from the command line and use the following:

wireshark -i eth0 -k


Ways to start capturing traffic

Capture Interfaces Window


Ways to start capturing traffic

Capture Options

Ways to start capturing traffic

Command Line

C:\program files\wireshark\wireshark.exe -i 1 -k

Remote CAPTURE

Client setup – Wireshark: Capture Options

Daemon (remote) setup: First install WinPcap on the remote machine. After that, the daemon can be found at:

C:\Program Files\WinPcap\rpcapd.exe

The easiest way is to start the daemon from the command line now:

rpcapd -n

The -n will turn off authentication.

PRACTICE Capturing your own traffic

1. Start Wireshark

2. Select the correct interface

3. Start capture

4. Generate traffic

5. Stop capture

PRACTICE Capturing Remote Traffic

Work with a partner on this exercise. You will need two computers:

Computer 1, the remote daemon; and Computer 2, the Wireshark client.

Computer 1 – Remote

1. Start the WinPcap daemon: go to the command prompt.

2. Go to the directory where WinPcap is installed.

3. Run the following command:

rpcapd -n


PRACTICE Capturing Remote Traffic

Computer 2 - Wireshark

1. Start Wireshark

2. Go to Capture Options

3. For interface type, select Remote

4. Enter the IP address of Computer 1 for the Host IP address.

5. Select Null Authentication and then OK.

6. Select the correct remote interface and then click Start.

7. Generate traffic in Computer 1

Can you capture the remote traffic?


FILTERING TRAFFIC

Squid, a popular web proxy/cache server

Two Types of Filters

Display Filters

Capture Filters

CAPTURE FILTERS

Capture only traffic to or from IP address 172.18.5.4:

host 172.18.5.4

Capture traffic to or from a range of IP addresses:

net 192.168.0.0/24 or

net 192.168.0.0 mask 255.255.255.0

Capture traffic from a range of IP addresses:

src net 192.168.0.0/24 or

src net 192.168.0.0 mask 255.255.255.0

Capture traffic to a range of IP addresses:

dst net 192.168.0.0/24 or

dst net 192.168.0.0 mask 255.255.255.0

Capture only DNS (port 53) traffic:

port 53

Capture non-HTTP and non-SMTP traffic on your server (both are equivalent):

host www.example.com and not (port 80 or port 25)

host www.example.com and not port 80 and not port 25

CAPTURE FILTERS (cont.)

Capture everything except ARP and DNS traffic:

port not 53 and not arp

Capture traffic within a range of ports:

(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

or, with newer versions of libpcap (0.9.1 and later):

tcp portrange 1501-1549

Capture only Ethernet type EAPOL:

ether proto 0x888e

Reject Ethernet frames towards the Link Layer Discovery Protocol multicast group:

not ether dst 01:80:c2:00:00:0e

Capture only IP traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP:

ip

Capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements:

not broadcast and not multicast
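The capture filters on the two CAPTURE FILTERS slides, evaluated in an added Python example that is not code from the presentation or from Wireshark/libpcap: it builds a handful of Ethernet frames and applies each filter with the meaning libpcap gives it (host and net match either endpoint, port matches TCP or UDP in either direction, tcp[0:2] and tcp[2:2] are the source and destination port fields, broadcast and multicast refer to the Ethernet destination). The frames, MAC and IP addresses and the flt_* function names are constructed for the example; only the filter expressions in the comments come from the slides.

```python
import ipaddress
import struct

# Frame contents, MAC/IP addresses and the flt_* names below are constructed for this
# example; only the filter expressions in the comments come from the slides.
ETHERTYPE_IP, ETHERTYPE_ARP, ETHERTYPE_EAPOL = 0x0800, 0x0806, 0x888E
PROTO_TCP, PROTO_UDP = 6, 17
BROADCAST_MAC = b"\xff" * 6

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst, src, ethertype, payload=b""):  # Ethernet II header + payload
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def build_ipv4(src, dst, proto, sport, dport):
    """Minimal IPv4 header (no options) followed by a bare TCP or UDP header."""
    if proto == PROTO_TCP:  # ports, seq, ack, data offset 5, SYN, window, checksum, urgent
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:  # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + l4

def parse(frame):
    """Decode only the fields the slide filters refer to."""
    f = {"ether_dst": frame[0:6], "ether_proto": struct.unpack("!H", frame[12:14])[0]}
    if f["ether_proto"] == ETHERTYPE_IP:
        ihl = (frame[14] & 0x0F) * 4
        f["ip_proto"] = frame[23]
        f["ip_src"] = ipaddress.IPv4Address(frame[26:30])
        f["ip_dst"] = ipaddress.IPv4Address(frame[30:34])
        f["l4"] = frame[14 + ihl:]  # tcp[0:2] / tcp[2:2] index into this header
        if f["ip_proto"] in (PROTO_TCP, PROTO_UDP):
            f["sport"], f["dport"] = struct.unpack("!HH", f["l4"][0:4])
    return f

# One function per capture filter on the slides; each takes a parsed frame.
def flt_host(f, addr="172.18.5.4"):  # host 172.18.5.4
    return "ip_src" in f and ipaddress.IPv4Address(addr) in (f["ip_src"], f["ip_dst"])

def flt_net(f, cidr="192.168.0.0/24"):  # net 192.168.0.0/24
    n = ipaddress.ip_network(cidr)
    return "ip_src" in f and (f["ip_src"] in n or f["ip_dst"] in n)

def flt_port(f, p=53):  # port 53: TCP or UDP, either direction
    return "sport" in f and p in (f["sport"], f["dport"])

def flt_tcp_bytes(f):
    """(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550):
    tcp[0:2] is the 16-bit source port field and tcp[2:2] the destination port field."""
    if f.get("ip_proto") != PROTO_TCP:
        return False
    b0, b2 = struct.unpack("!HH", f["l4"][0:4])
    return 1500 < b0 < 1550 or 1500 < b2 < 1550

def flt_portrange(f, lo=1501, hi=1549):  # tcp portrange 1501-1549
    return f.get("ip_proto") == PROTO_TCP and (lo <= f["sport"] <= hi or lo <= f["dport"] <= hi)

def flt_eapol(f):  # ether proto 0x888e
    return f["ether_proto"] == ETHERTYPE_EAPOL

def flt_unicast(f):  # not broadcast and not multicast
    is_mcast = bool(f["ether_dst"][0] & 0x01)  # group bit; set on broadcast as well
    return f["ether_dst"] != BROADCAST_MAC and not is_mcast

# Constructed sample frames, numbered like Wireshark's frame column.
FRAMES = {
    1: build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", ETHERTYPE_IP,
                   build_ipv4("172.18.5.4", "10.0.0.9", PROTO_TCP, 1520, 80)),
    2: build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:03", ETHERTYPE_IP,
                   build_ipv4("192.168.0.7", "8.8.8.8", PROTO_UDP, 5353, 53)),
    3: build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:03", ETHERTYPE_ARP, b"\x00" * 28),
    4: build_frame("01:80:c2:00:00:03", "00:00:5e:00:53:02", ETHERTYPE_EAPOL, b"\x01\x01\x00\x00"),
    5: build_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01", ETHERTYPE_IP,
                   build_ipv4("10.0.0.9", "172.18.5.4", PROTO_TCP, 1500, 1549)),
    6: build_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01", ETHERTYPE_IP,
                   build_ipv4("10.0.0.9", "10.1.1.1", PROTO_TCP, 1550, 1500)),
}

FILTERS = {
    "host 172.18.5.4": flt_host, "net 192.168.0.0/24": flt_net, "port 53": flt_port,
    "tcp[0:2]/tcp[2:2] range": flt_tcp_bytes, "tcp portrange 1501-1549": flt_portrange,
    "ether proto 0x888e": flt_eapol, "not broadcast and not multicast": flt_unicast,
}

def apply_filters(frames=FRAMES):  # per filter, the frame numbers it lets through
    parsed = {n: parse(fr) for n, fr in frames.items()}
    return {name: [n for n, f in parsed.items() if fn(f)] for name, fn in FILTERS.items()}

if __name__ == "__main__":
    for name, hits in apply_filters().items():
        print(f"{name:32} -> frames {hits}")
```

Two things worth noticing in the output of apply_filters(): the byte-offset filter and tcp portrange 1501-1549 select exactly the same frames, because "> 1500 and < 1550" on a port field is the inclusive range 1501 to 1549 (frame 6, with ports 1550 and 1500, is rejected by both); and "not broadcast and not multicast" also drops the EAPOL frame, since 01:80:c2:00:00:03 has the Ethernet group bit set, so a unicast-only capture silently hides link-layer control traffic as well as the noise the slide mentions.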

Display filters

Comparison Operators

Display filters

Show only SMTP (port 25) and ICMP traffic:

tcp.port eq 25 or icmp

Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:

ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
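The two display filters above, applied in an added Python example (not code from the slides or from Wireshark) over constructed, already-decoded packet records. The field names follow Wireshark's display-filter fields (ip.src, ip.dst, tcp.srcport, tcp.dstport, icmp); the five records and their values are made up for the example.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/16")

# Constructed records: (frame number, fields Wireshark would have decoded). The values
# are made up; the field names follow Wireshark's display-filter field names.
PACKETS = [
    (1, {"ip.src": "192.168.1.10", "ip.dst": "192.168.1.20", "tcp.srcport": 51000, "tcp.dstport": 25}),
    (2, {"ip.src": "192.168.1.10", "ip.dst": "203.0.113.5", "tcp.srcport": 51001, "tcp.dstport": 443}),
    (3, {"ip.src": "192.168.1.20", "ip.dst": "192.168.1.10", "icmp.type": 8}),
    (4, {"ip.src": "203.0.113.5", "ip.dst": "192.168.1.10", "tcp.srcport": 25, "tcp.dstport": 51002}),
    (5, {"ip.src": "192.168.2.3", "ip.dst": "192.168.1.1", "udp.srcport": 50000, "udp.dstport": 53}),
]


def smtp_or_icmp(fields):
    """tcp.port eq 25 or icmp
    tcp.port is satisfied by either tcp.srcport or tcp.dstport, so both directions of an
    SMTP session match; a bare protocol name matches any frame that carries that protocol."""
    tcp_ports = {fields.get("tcp.srcport"), fields.get("tcp.dstport")}
    has_icmp = any(name.startswith("icmp.") for name in fields)
    return 25 in tcp_ports or has_icmp


def lan_only(fields):
    """ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
    Comparing an address field to a CIDR block tests membership; with 'and' both endpoints
    must be inside the block, so LAN-to-Internet traffic in either direction is dropped."""
    return ("ip.src" in fields
            and ipaddress.ip_address(fields["ip.src"]) in LAN
            and ipaddress.ip_address(fields["ip.dst"]) in LAN)


def select_frames(display_filter, packets=PACKETS):
    """Frame numbers the filter would leave visible in the packet list."""
    return [number for number, fields in packets if display_filter(fields)]


if __name__ == "__main__":
    print("tcp.port eq 25 or icmp ->", select_frames(smtp_or_icmp))
    print("LAN only ->", select_frames(lan_only))
    print("both ->", select_frames(lambda f: smtp_or_icmp(f) and lan_only(f)))
```

Frame 4 is the server's reply from port 25 and still matches the first filter, which is why tcp.port rather than tcp.dstport is the right field when you want a whole session; frame 2 is a LAN host talking to the Internet and is the kind of traffic the second filter is meant to hide.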


ANALYZING PROTOCOLS

Analyzing Protocols

The user needs to have a good understanding of the protocol.

The protocol analyzer is just a tool.

File Transfer Protocol

Characteristics:
- Application protocol
- TCP
- Control – port 21
- Data – port 20
- Clear text
- Commands

Capturing FTP TRAFFIC

Requirements:
- FTP server: ftp.sbccnetworking.com
- User authentication enabled
- Small image file

Capturing FTP TRAFFIC – Set up Wireshark

Configure Wireshark to capture just FTP traffic

Start Wireshark

Capturing FTP TRAFFIC – Connect to FTP site

Open the command prompt and connect to the FTP server as follows.

Enter the command:

ftp ftp.sbccnetworking.com

Use the following username and password to authenticate:

Username: student#
Password: Studentftp#

where # is a number (1-20) assigned by the instructor.

Capturing FTP TRAFFIC – Download an image file

From the FTP server, download SecretImage.png. Enter the command:

get secretimage.png

Stop the capture after the download.


Analyze traffic

Analyze traffic

Locate an FTP-DATA frame and follow the TCP stream.

Analyze traffic

Save the stream as RAW data with a new name: capturedimage.png
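What "Follow TCP Stream" and "Save as RAW" do with an FTP session like the one in this exercise (the control and data ports and the clear-text property from the File Transfer Protocol slide; the download, follow-stream and save steps from the Capturing FTP TRAFFIC and Analyze traffic slides), as an added Python example that is not part of the presentation. The TCP segments, addresses, sequence numbers, the USER/PASS values and the PNG bytes are all constructed here; nothing is captured from the class FTP server, and the function names are this example's own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CLIENT, SERVER = "192.0.2.10", "198.51.100.21"  # constructed addresses


def png_chunk(ctype, body):
    return struct.pack("!I", len(body)) + ctype + body + struct.pack("!I", zlib.crc32(ctype + body))


def tiny_png():
    """A valid 1x1 8-bit grayscale PNG, built here so the example is self-contained."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


IMAGE = tiny_png()

# Constructed TCP segments: (src, sport, dst, dport, seq, payload), in capture order.
# The data connection is split, delivered out of order and partly retransmitted,
# which is what "Follow TCP Stream" has to cope with in a real capture.
SEGMENTS = [
    (SERVER, 21, CLIENT, 50001, 1000, b"220 FTP server ready\r\n"),
    (CLIENT, 50001, SERVER, 21, 2000, b"USER alice\r\n"),
    (SERVER, 21, CLIENT, 50001, 1022, b"331 Password required\r\n"),
    (CLIENT, 50001, SERVER, 21, 2012, b"PASS example-only\r\n"),
    (SERVER, 21, CLIENT, 50001, 1045, b"230 Logged in\r\n"),
    (CLIENT, 50001, SERVER, 21, 2031, b"RETR secretimage.png\r\n"),
    (SERVER, 20, CLIENT, 50002, 5030, IMAGE[30:]),  # second half arrives first
    (SERVER, 20, CLIENT, 50002, 5000, IMAGE[:30]),
    (SERVER, 20, CLIENT, 50002, 5000, IMAGE[:30]),  # retransmission of the first half
]


def reassemble(segments, src, sport, dst, dport):
    """One direction of one TCP conversation, ordered by sequence number, duplicates dropped."""
    flow = sorted((seq, data) for s, sp, d, dp, seq, data in segments
                  if (s, sp, d, dp) == (src, sport, dst, dport))
    out, expected = bytearray(), None
    for seq, data in flow:
        expected = seq if expected is None else expected
        end = seq + len(data)
        if end <= expected:  # retransmission: nothing new
            continue
        if seq > expected:
            raise ValueError(f"gap in stream at seq {expected}")
        out += data[expected - seq:]  # skip any overlapping prefix
        expected = end
    return bytes(out)


def ftp_commands(segments):
    """Commands the client sent on the control channel (port 21), as (verb, argument) pairs."""
    text = reassemble(segments, CLIENT, 50001, SERVER, 21).decode("ascii")
    return [tuple(line.partition(" ")[::2]) for line in text.split("\r\n") if line]


def cleartext_credentials(commands):
    """What a capture reveals: FTP sends USER and PASS unencrypted on the control channel."""
    return {verb: arg for verb, arg in commands if verb in ("USER", "PASS")}


def recover_file(segments):
    """The equivalent of saving the FTP-DATA stream (port 20) as raw bytes."""
    return reassemble(segments, SERVER, 20, CLIENT, 50002)


def png_chunks(data):
    """Walk the PNG chunks and verify each CRC; returns the chunk types in order."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: signature missing")
    pos, names = len(PNG_SIGNATURE), []
    while pos < len(data):
        length, ctype = struct.unpack("!I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack("!I", data[pos + 8 + length:pos + 12 + length])[0]
        if crc != zlib.crc32(ctype + body):
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        names.append(ctype.decode("ascii"))
        pos += 12 + length
    return names


if __name__ == "__main__":
    cmds = ftp_commands(SEGMENTS)
    print("control channel:", cmds)
    print("credentials visible in the capture:", cleartext_credentials(cmds))
    image = recover_file(SEGMENTS)
    with open("capturedimage.png", "wb") as fh:  # the name the slide uses
        fh.write(image)
    print("recovered", len(image), "bytes; chunks:", png_chunks(image))
```

Running it writes capturedimage.png in the current directory; png_chunks() then checks the CRC of every chunk, which is the quick way to confirm that a stream saved as raw data came out complete rather than truncated or out of order. reassemble() raises on a gap, the case where a lost segment would leave a hole in the saved file. cleartext_credentials() is the practical meaning of the "Clear text" characteristic: whoever captures on the path between client and server reads USER and PASS exactly as typed, which is the reason to look for FTP logins in captures of your own network and to prefer an encrypted transfer protocol.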


CAPTURED IMAGE


Practice FTP Capture


Analyzing other Protocols

Telnet

RIP v2

OSPF

EIGRP

VPN anyone? Got one somewhere?
