© 2010 Cisco Systems, Inc. All rights reserved.
CREATE Re-Tooling
Exploring Protocols with Wireshark
March 12, 2011
CREATE CATC and Ohlone College
INTRODUCTIONS
Karen Stanton, College of the Canyons
Michael McKeever, Santa Rosa Junior College
Danijela Babic, Ohlone College
Laura Chappell, Wireshark University
Before we start…
Parking
Restrooms
Other?
AGENDA
Introduction to Wireshark
Capturing Traffic
Filtering Examples
Analyzing Protocols
INTRODUCTION TO WIRESHARK
What is Wireshark?
“Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible.
You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).”
Source: Wireshark User’s Guide, http://www.wireshark.org
Wireshark’s features
Available for UNIX and Windows.
Capture live packet data from a network interface.
Display packets with very detailed protocol information.
Open and save captured packet data.
Import and export packet data from and to many other capture programs.
Filter packets on many criteria.
Search for packets on many criteria.
Colorize the packet display based on filters.
Create various statistics.
... and a lot more!
Another Resource!
Wireshark Wiki
http://wiki.wireshark.org/FrontPage
Wireshark main window
CAPTURING TRAFFIC
Are you allowed to capture traffic?
Ensure that you are allowed to capture packets from the network you are working on! For example, corporate policies or applicable law might prevent you from capturing on the network you're using!
If you have to change network cabling to start a capture, ensure that you are allowed to do so! Network administrators and other people are usually not amused with re-arrangements to "their" network.
http://wiki.wireshark.org/CaptureSetup
General setup
You need root / Administrator privileges to start a live capture. On Linux the setup Wireshark itself recommends is to give only the dumpcap capture helper the capture capabilities (for example through the wireshark group the package creates) and run Wireshark as an unprivileged user: the dissectors parse untrusted input from the wire and should not run as root.
You need to choose the right network interface to capture packet data from.
You need to capture at the right place in the network to see the traffic you want to see. On a switched network your own port only sees its own unicast traffic plus broadcast and multicast, so to see other hosts' traffic use a SPAN/mirror port, a tap, or capture on the host in question.
Ways to start capturing traffic
You can get an overview of the available local interfaces using the "Capture Interfaces" dialog box. You can start a capture from this dialog box, using (one of) the "Capture" button(s).
You can start capturing using the "Capture Options" dialog box.
If you have selected the right capture options before, you can immediately start a capture using the "Capture Start" menu / toolbar item. The capture process will start immediately.
If you already know the name of the capture interface, you can start Wireshark from the command line; -i selects the interface and -k starts capturing immediately:
wireshark -i eth0 -k
Ways to start capturing traffic (screenshots)
Capture Interfaces window
Capture Options dialog
Command line on Windows (-i also accepts the interface number shown by wireshark -D or in the Capture Interfaces list):
C:\Program Files\Wireshark\wireshark.exe -i 1 -k
Remote capture
Client setup: Wireshark, Capture Options dialog (interface type Remote).
Daemon (remote) setup: first install WinPcap on the remote machine. After that, the daemon can be found at:
C:\Program Files\WinPcap\rpcapd.exe
The easiest way is to start the daemon from the command line:
rpcapd -n
The -n switch turns off authentication (null authentication). Caveat: with -n, anyone who can reach the daemon's listening port (TCP 2002 by default) can open any interface on that host and stream its traffic to themselves, and the rpcap connection itself carries the packets unencrypted. Use this only on an isolated lab network; anywhere else drop -n, restrict clients with the -l host-list option, and firewall the port so that only the analysis station can reach it.
PRACTICE: Capturing your own traffic
1. Start Wireshark
2. Select the correct interface
3. Start capture
4. Generate traffic
5. Stop capture
PRACTICE: Capturing remote traffic
Work with a partner on this exercise. You will need two computers: Computer 1 runs the remote daemon and Computer 2 runs the Wireshark client.
Computer 1 – Remote
Start the WinPcap daemon: open a command prompt, go to the directory where WinPcap is installed, and run the following command:
rpcapd -n
PRACTICE: Capturing remote traffic
Computer 2 – Wireshark
1. Start Wireshark
2. Go to Capture Options
3. For interface type, select Remote
4. Enter the IP address of Computer 1 for the host IP address.
5. Select Null Authentication and then OK.
6. Select the correct remote interface and then click Start.
7. Generate traffic on Computer 1
Can you capture the remote traffic?
FILTERING TRAFFIC
Two Types of Filters
Capture filters: applied by libpcap/WinPcap while capturing, written in BPF (tcpdump) syntax. Packets that do not match are never saved, so they cannot be recovered afterwards.
Display filters: applied by Wireshark to an existing capture, written against dissected field names (ip.src, tcp.port, ...). Non-matching packets are only hidden and stay in the file.
CAPTURE FILTERS
Capture only traffic to or from IP address 172.18.5.4:
host 172.18.5.4
Capture traffic to or from a range of IP addresses (both forms are equivalent):
net 192.168.0.0/24
net 192.168.0.0 mask 255.255.255.0
Capture traffic from a range of IP addresses:
src net 192.168.0.0/24
src net 192.168.0.0 mask 255.255.255.0
Capture traffic to a range of IP addresses:
dst net 192.168.0.0/24
dst net 192.168.0.0 mask 255.255.255.0
Capture only DNS (port 53) traffic (TCP or UDP, in either direction):
port 53
Capture non-HTTP and non-SMTP traffic on your server (both are equivalent; the host name is resolved to an address once, when the filter is compiled):
host www.example.com and not (port 80 or port 25)
host www.example.com and not port 80 and not port 25
CAPTURE FILTERS (cont.)
Capture everything except ARP and DNS traffic:
port not 53 and not arp
Capture traffic within a range of ports. tcp[0:2] is the 16-bit source port and tcp[2:2] the 16-bit destination port, so this keeps TCP segments with either port between 1501 and 1549:
(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
or, with newer versions of libpcap (0.9.1 and later):
tcp portrange 1501-1549
Capture only Ethernet type EAPOL:
ether proto 0x888e
Reject Ethernet frames towards the Link Layer Discovery Protocol multicast group:
not ether dst 01:80:c2:00:00:0e
Capture only IP traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP (note that ip means IPv4 only; ip6 is a separate primitive):
ip
Capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements:
not broadcast and not multicast
Display filters: comparison operators
Wireshark accepts each operator in an English and a C-style spelling: eq / ==, ne / !=, gt / >, lt / <, ge / >=, le / <=, plus contains (substring or byte-sequence match) and matches (Perl-style regular expression).
A classic trap in the Wireshark versions of this era: ip.addr != 10.0.0.1 does not exclude a host, because ip.addr stands for both the source and the destination address and the test is true as soon as one of them differs. Write !(ip.addr == 10.0.0.1) instead; that form behaves the same in every version.
Display filters
Show only SMTP (port 25) and ICMP traffic (tcp.port matches either the source or the destination port):
tcp.port eq 25 or icmp
Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet (== against a CIDR prefix is a subnet membership test):
ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
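To make the two filter families concrete, here is an added example (written for this handout, not code from Wireshark or libpcap) that dissects a handful of constructed Ethernet/IPv4 frames with the Python standard library and re-implements the filters quoted on the capture-filter slides and on this display-filter slide as predicates. It shows which header bytes each filter actually tests: that tcp[0:2] and tcp[2:2] are the source and destination port fields and that the byte-offset form is the same test as tcp portrange 1501-1549; that port 53 and tcp.port eq 25 match both directions; that a negated filter such as port not 53 and not arp lets non-IP frames (here an EAPOL frame) through; and that == on a /16 prefix is a subnet test. The MAC and IP addresses, the EAPOL-Start and ARP bodies and the TCP/UDP/ICMP headers are all made up for the example, and checksums are left at zero because nothing here verifies them.

```python
"""Capture (BPF) and display filters from the slides, re-implemented byte by byte.
Added example for this handout, not code from Wireshark or libpcap: it dissects
constructed Ethernet II/IPv4 frames with the standard library only. Checksums are
left at zero because nothing here verifies them (an assumption of the example)."""
import ipaddress
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_EAPOL = 0x0800, 0x0806, 0x888E
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def parse(frame):
    """Dissect Ethernet + IPv4 + (TCP|UDP|ICMP) headers into Wireshark-style field names."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"eth.dst": dst, "eth.src": src, "eth.type": etype}
    if etype != ETHERTYPE_IPV4:
        return pkt                               # ARP, EAPOL, ...: no IP fields at all
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length incl. options
    pkt["ip.proto"] = ip[9]
    pkt["ip.src"], pkt["ip.dst"] = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
    pkt["l4"] = ip[ihl:]                         # transport header: what tcp[x:y] indexes into
    if pkt["ip.proto"] in (IPPROTO_TCP, IPPROTO_UDP):
        pkt["srcport"], pkt["dstport"] = struct.unpack("!HH", pkt["l4"][:4])
    return pkt


def bpf_bytes(pkt, proto, off, n):
    """tcp[off:n] / udp[off:n]: n big-endian bytes at offset off of that transport header."""
    if pkt.get("ip.proto") != proto:
        return None                              # proto[...] never matches other protocols
    return int.from_bytes(pkt["l4"][off:off + n], "big")


def cf_net(pkt, cidr, direction="either"):
    """net / src net / dst net; ipaddress takes both 'a.b.c.d/24' and 'a.b.c.d/255.255.255.0'."""
    net = ipaddress.IPv4Network(cidr)
    src_ok = "ip.src" in pkt and pkt["ip.src"] in net
    dst_ok = "ip.dst" in pkt and pkt["ip.dst"] in net
    return {"either": src_ok or dst_ok, "src": src_ok, "dst": dst_ok}[direction]


def cf_tcp_portrange_bytes(pkt, lo, hi):
    """(tcp[0:2] > lo and tcp[0:2] < hi) or (tcp[2:2] > lo and tcp[2:2] < hi):
    tcp[0:2] is the source port, tcp[2:2] the destination port; bounds are exclusive."""
    sport, dport = bpf_bytes(pkt, IPPROTO_TCP, 0, 2), bpf_bytes(pkt, IPPROTO_TCP, 2, 2)
    return sport is not None and (lo < sport < hi or lo < dport < hi)


def cf_tcp_portrange(pkt, lo, hi):
    """tcp portrange lo-hi: the libpcap >= 0.9.1 spelling of the same test, bounds inclusive."""
    return pkt.get("ip.proto") == IPPROTO_TCP and (lo <= pkt["srcport"] <= hi or lo <= pkt["dstport"] <= hi)


def cf_unicast(pkt):
    """not broadcast and not multicast: multicast = low bit of the first destination MAC octet."""
    return pkt["eth.dst"] != mac("ff:ff:ff:ff:ff:ff") and not (pkt["eth.dst"][0] & 1)


def df_smtp_or_icmp(pkt):
    """Display filter 'tcp.port eq 25 or icmp' (tcp.port matches either port field)."""
    tcp25 = pkt.get("ip.proto") == IPPROTO_TCP and 25 in (pkt["srcport"], pkt["dstport"])
    return tcp25 or pkt.get("ip.proto") == IPPROTO_ICMP


# Constructed sample frames (made up for this example, not taken from a real capture).
def ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, proto, l4):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + l4


def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def udp_dgram(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


WS, GW = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"          # workstation / gateway MACs
SAMPLES = {
    "dns":   ipv4_frame(GW, WS, "192.168.0.10", "192.168.0.1", IPPROTO_UDP, udp_dgram(40000, 53)),
    "smtp":  ipv4_frame(GW, WS, "192.168.0.10", "172.18.5.4", IPPROTO_TCP, tcp_syn(1520, 25)),
    "web":   ipv4_frame(GW, WS, "192.168.0.10", "203.0.113.7", IPPROTO_TCP, tcp_syn(51000, 80)),
    "ping":  ipv4_frame(WS, GW, "192.168.0.1", "192.168.0.10", IPPROTO_ICMP, struct.pack("!BBHHH", 0, 0, 0, 1, 1)),
    "arp":   mac("ff:ff:ff:ff:ff:ff") + mac(WS) + struct.pack("!HHHBBH", ETHERTYPE_ARP, 1, 0x0800, 6, 4, 1)
             + mac(WS) + ipaddress.IPv4Address("192.168.0.10").packed
             + mac("00:00:00:00:00:00") + ipaddress.IPv4Address("192.168.0.1").packed,
    "eapol": mac("01:80:c2:00:00:03") + mac(WS) + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, 1, 0),
}
FILTERS = {
    "host 172.18.5.4": lambda p: ipaddress.IPv4Address("172.18.5.4") in (p.get("ip.src"), p.get("ip.dst")),
    "dst net 192.168.0.0/24": lambda p: cf_net(p, "192.168.0.0/24", "dst"),
    "port 53": lambda p: 53 in (p.get("srcport"), p.get("dstport")),
    "port not 53 and not arp": lambda p: 53 not in (p.get("srcport"), p.get("dstport")) and p["eth.type"] != ETHERTYPE_ARP,
    "tcp[0:2]/tcp[2:2] between 1500 and 1550": lambda p: cf_tcp_portrange_bytes(p, 1500, 1550),
    "tcp portrange 1501-1549": lambda p: cf_tcp_portrange(p, 1501, 1549),
    "ether proto 0x888e": lambda p: p["eth.type"] == ETHERTYPE_EAPOL,
    "not broadcast and not multicast": cf_unicast,
    "ip": lambda p: p["eth.type"] == ETHERTYPE_IPV4,
    "tcp.port eq 25 or icmp": df_smtp_or_icmp,
    "ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16": lambda p: cf_net(p, "192.168.0.0/16", "src") and cf_net(p, "192.168.0.0/16", "dst"),
}


def run_filters(samples=SAMPLES, filters=FILTERS):
    """Return {filter text: [names of the sample frames it keeps]}."""
    parsed = {name: parse(frame) for name, frame in samples.items()}
    return {text: [n for n, p in parsed.items() if pred(p)] for text, pred in filters.items()}
```

Calling run_filters() and printing the result shows, for instance, that both spellings of the port-range filter keep only the "smtp" frame (source port 1520), that the negated DNS filter keeps the EAPOL frame because a non-IP frame can never match port 53, and that the display filter on 192.168.0.0/16 keeps only the two frames whose source and destination are both inside the LAN.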
ANALYZING PROTOCOLS
Analyzing Protocols
The user needs to have a good understanding of the protocol.
The protocol analyzer is just a tool.
File Transfer Protocol (FTP)
Characteristics:
Application-layer protocol
Runs over TCP
Control connection: port 21
Data connection: port 20 in active mode, where the server connects back to a port the client announced with the PORT command. In passive mode the client instead connects to an ephemeral server port announced in the server's 227 reply, so a filter on port 20 will not show the data transfer.
Clear text: commands, replies, user name, password and the transferred file contents are all readable in a capture.
Capturing FTP traffic
Requirements:
FTP server: ftp.sbccnetworking.com
User authentication enabled
A small image file
Capturing FTP traffic: set up Wireshark
Start Wireshark
Configure Wireshark to capture just FTP traffic
Capturing FTP traffic: connect to the FTP site
Open the command prompt and connect to the FTP server as follows:
Enter the command: ftp ftp.sbccnetworking.com
Use the following name to authenticate: Username: student# Password: Studentftp#
where # is a number assigned by the instructor (1-20)
Capturing FTP traffic: download an image file
From the FTP server, download the SecretImage.png. Enter the command:
get secretimage.png
Stop the capture after the download.
Analyze traffic
Locate an FTP-DATA frame and follow the TCP stream (Analyze menu, Follow TCP Stream).
Save the stream as raw data with a new name: capturedimage.png. In the Follow TCP Stream window select only the server-to-client direction and the Raw format before saving, otherwise the file is not a valid image. A correct result starts with the PNG signature 89 50 4E 47 0D 0A 1A 0A.
CAPTURED IMAGE
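The exercise above, as an added example that is not part of the original slides and uses no traffic from the lab server: the script below does on a reassembled control stream what you do by eye in the Follow TCP Stream window. It pulls out the USER and PASS arguments (the credentials sit in clear text on port 21), the RETR command that names the file, and the data-channel endpoint from either a PORT command (active mode, which the Windows ftp.exe client used in the lab sends) or a 227 reply (passive mode), decoding the h1,h2,h3,h4,p1,p2 notation both share into an address and a port (p1*256 + p2). That endpoint is what tells you which second TCP stream to follow; reassemble_data_stream then does what "Save As... Raw" does for one direction and checks the PNG signature. The SESSION transcript and DATA_SEGMENTS are constructed for the example, the "S:"/"C:" prefixes are this example's own convention for the two directions (Wireshark shows them by colour), and ip.addr and tcp.port in the generated display filter are real Wireshark field names.

```python
"""Reading an FTP control-channel stream the way Follow TCP Stream shows it.
Added example for this handout, not code from the slides or from the lab server.
SESSION is a constructed transcript in the shape ftp.exe and a typical server
produce (S: server reply, C: client command); nothing here touches the network."""
import re

SESSION = """\
S: 220 FTP server ready.
C: USER student7
S: 331 Please specify the password.
C: PASS Studentftp7
S: 230 Login successful.
C: TYPE I
S: 200 Switching to Binary mode.
C: PORT 192,168,0,10,195,80
S: 200 PORT command successful.
C: RETR secretimage.png
S: 150 Opening BINARY mode data connection for secretimage.png.
S: 226 Transfer complete.
C: QUIT
S: 221 Goodbye.
"""

# Constructed data-channel payload, already split into the TCP segments Wireshark would
# reassemble: the 8-byte PNG signature followed by the start of a minimal IHDR chunk.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
DATA_SEGMENTS = [PNG_SIGNATURE[:5], PNG_SIGNATURE[5:] + b"\x00\x00\x00\x0dIHDR", b"\x00\x00\x00\x10\x00\x00\x00\x10"]


def decode_hostport(spec):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2): the encoding used by PORT and by 227 replies."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in spec.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_ftp_control(text):
    """Summarise a reassembled control stream: credentials, data-channel endpoints, files moved."""
    summary = {"user": None, "password": None, "data_endpoints": [], "files": []}
    for line in text.splitlines():
        who, _, msg = line.partition(": ")
        if who == "C":
            cmd, _, arg = msg.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                summary["user"] = arg
            elif cmd == "PASS":
                summary["password"] = arg            # sent in clear: exactly what the capture shows
            elif cmd == "PORT":                      # active mode: client names its listening port
                summary["data_endpoints"].append(("active", decode_hostport(arg)))
            elif cmd in ("RETR", "STOR"):
                summary["files"].append((cmd, arg))
        elif who == "S" and msg.startswith("227"):   # passive mode: server names its listening port
            m = re.search(r"\((\d+(?:,\d+){5})\)", msg)
            if m:
                summary["data_endpoints"].append(("passive", decode_hostport(m.group(1))))
    return summary


def data_stream_filter(endpoint):
    """Wireshark display filter isolating the data connection for one announced endpoint.
    Active mode: the server connects from port 20 to this client address/port.
    Passive mode: the client connects to this server address/port. Either way the
    announced pair identifies the stream to follow."""
    _mode, (host, port) = endpoint
    return f"ip.addr == {host} and tcp.port == {port}"


def reassemble_data_stream(segments, path=None):
    """What 'Save As... Raw' does for one direction: concatenate payloads in sequence order.
    Returns (starts_with_png_signature, byte_count); writes a file only if a path is given."""
    data = b"".join(segments)
    if path:
        with open(path, "wb") as f:
            f.write(data)
    return data.startswith(PNG_SIGNATURE), len(data)
```

parse_ftp_control(SESSION) reports user student7, password Studentftp7, one RETR of secretimage.png and an active-mode endpoint of 192.168.0.10 port 50000 (195*256 + 80), so the data you want is in the stream matching ip.addr == 192.168.0.10 and tcp.port == 50000; a 227 reply such as "227 Entering Passive Mode (172,18,5,4,4,1)." decodes the same way to 172.18.5.4 port 1025.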
Practice FTP Capture
Analyzing other Protocols
Telnet
RIP v2
OSPF
EIGRP
VPN anyone? Got one somewhere?