Overview of Packet Analysis
Packet analysis uses a packet sniffer, network monitor or analyzer, to monitor and troubleshoot network traffic.
As data flows across the network, the sniffer captures each packet decodes the packet’s raw bits
- Showing the field values in the packet according to the appropriate RFC or other specifications.
The information can identify bottlenecks and help maintain efficient network data transmission.
Uses for Packet Analysis
- Analyze network problems
- Detect network intrusion attempts and network misuse
- Perform regulatory compliance through content monitoring perimeter and endpoint traffic
- Monitor bandwidth utilization
- Verify endpoint security status
- Gather and report network statistics
Some Common Packet Analyzers
Cain and Abel
Carnivore (FBI – monitors all of a target user’s Internet traffic)
ngrep, Network Grep
Wireshark (formerly known as Ethereal)
Traffic captured is dependent on the placement of the device.
On a switch, the packet sniffer will see only data going to and from the switch to the capture device
Traffic seen will be unicast, broadcast, or multicast.
To see all traffic, port monitoring or SPAN on a switch is used, or use a full-duplex tap in line with traffic
The OSI Model
In order to understand packet analysis, you must understand the way data is prepared for transit.
The OSI model is a seven-layer representation of how data changes in form as each layer provides services to the next layer
- Data encapsulates or de-encapsulates
The tool we will use for demonstration is Wireshark, formally Ethereal, an open-source packet analyzer http://www.wireshark.org
Download and install Wireshark – make sure you install WinPCap (Windows Packet Capture) if you are using Windows
For a live capture, launch Wireshark and click the name of an interface under Capture Interfaces to start capturing packets on that interface.
Checkmark the interface you want to capture on
Configure advanced features by clicking Options Select the interface with active packet exchange
The OSI Model
Easily find help in Wireshark-including Sample Captures
We will be using pre-captured packets found in your folder and review they normal traffic versus abnormal traffic
Once you open a capture you will see three panes:
- The Packet List view – a list of all the packets received during the capture session.
- The middle window is the Details view.
- The bottom is the individual Packet Bytes
Three-way handshake packets 1,2,3
Review port numbers, flags, SEQ ACK numbers, stream index
Packets 38-39 FIN packets
Packet 4 get image: File->export objects
Provides connectionless Transport Layer service to other applications on the internet without having to go through a handshake or connection process.
It is a simple protocol and that does not provide any ordering or data integrity services.
UDP is an unreliable service.
Few problems occur with UDP.
What uses UDP?
Commonly used in video streaming and time-sensitive applications.
- Domain Name System (DNS)
- Routing Information Protocol (RIP)
- Voice over IP (VoIP)
- Trivial File Transfer Protocol (TFTP)
- Domain Host Configuration Protocol (DHCP)
Filter UDP and you will see the DNS packets
Convert symbolic host names such (google.com) to an IP address (220.127.116.11)
Transfers name information between DNS servers
- DNS uses TCP in a zone transfer
Look up other host names such as mail exchange (MX) records
DNS is essential to any network
Normal DNS Queries/Responses
A client sends the query to DNS server for an IP address
The server responds with information it has or asks other DNS servers for the information
All DNS packets have four (4) sections:
- Answer Resource Records
- Authority Resources Records
- Additional Resource Records
DNS Packet Structure – Flags
FTP – Grab a Pic
Purpose of FTP is to transfer files over TCP
Uses both ports 20 and 21
- The Command channel is designated on port 21 for the FTP server.
- To transfer data like directory contents or files, a secondary channel, port 20 is used.
Filter FTP-data traffic – then follow the TCP stream. Save as .jpg
Reassemble the Streams
Can reassemble and obtain content if data is not encrypted
Filter FTP-data traffic
Right-click follow TCP stream and save the file as raw data and click save as mystery.jpg
Go to where you saved the file and open it!
Internet Control Message Protocol
ICMP is used by routers, intermediary devices, or hosts to communicate updates or error information to other routers, intermediary devices, or hosts.
- Used to troubleshoot network issues
- Not used to exchange data between systems
ICMP is used by ping because it can generate echo-request/echo-reply query messages.
Internet Control Message Protocol
Four types of query messages that characterize the output generated by the ping command.
- Echo request/echo reply:
- Used to test reachability
- Time stamp request/time stamp reply:
- Used to compute delay between time stamps
- Information request/information reply:
- Locates address of local IP network
- Subnet mask request/subnet mask reply:
- Subnet information is an exchange
- Echo request/echo reply:
RFC 792 –” ICMP is actually an integral part of IP, and must be implemented by every IP module.”
ICMP Error Codes
Type 3 Destination Unreachable Codes
- 0 – Net Unreachable
- 1 – Host Unreachable
- 2 – Protocol Unreachable
Type 5 Redirect Codes
- 0 – Redirect Datagram for Network
- 1 – Redirect Datagram for Host
- 2 – Redirect Datagram for Type of Service
Type 11 Time Exceeded Codes
- 0 – TTL Exceeded
- 1 – Fragment Reassembly Time Exceeded
Type 12 Parameter Problem Codes
- 0 – Pointer Indicates the Error
- 1 – Missing Required Option
- 2 – Bad Length
Frame 5 Destination unreachable port unreachable snmp 161
A response with a nested packet
- We have the IP header to send the packet to the target
- After the destination, unreachable message returns it sends back the IP header and 64 bits of the original datagram
ICMP is used in reconnaissance by Kali Linux
Distributed denial of service (DDoS)
Nmap is a tool used to discover hosts and services on a network, and create a “map” of the network.
- It can be either legitimately or maliciously used to quickly scan thousands of ports, and discrimination between ports in open, closed and filtered states.
By default, Nmap performs an SYN Scan, which works against any TCP stack.
Scanning can be used as a passive attack in the form of reconnaissance.
After running a scan, the software will output results from the IP range you selected:
- PortslHosts – the results of the port scan, including the well-known services for those ports.
- Topology – an interactive view of the connections between hosts in a network.
- Host Details – Details such as the number of ports, IP addresses, hostnames, operating systems, and more.
Normal Three-Way Handshake
A command line tool such as tcpdump will provide a way to analyze traffic
Open Wireshark OUT
Do you see a pattern?
An Ack Reset sent in response to a Syn frame is sent to acknowledge the receipt of the frame but then to let the client know that the server cannot allow the connection on that port.
Same source and destination IP address
Only the SYN flag is set
The destination port numbers of each packet changes as it tries every port
Packets 14, 15 and 16 we see an actual connection
Then it continues to attempt another connection in Packet 18, 19, 20
Enable SYN flood protection
BitTorrent uses a distributed sloppy hash table (DHT) for storing peer contact information for “trackerless” torrents and consists of a number of different queries and corresponding responses.
- Ping G used to check if a peer is available.
- Find_node G used to find the contact information for a peer.
- Get_peers G requests a list of peers which have pieces of the content.
- Announce_peer G announces the contact information for the peer to the network.