Packet Analysis
Lisa Bock
Pennsylvania College of Technology
Topics Covered
• Overview of Packet Analysis
• The OSI Model
• The TCP/IP Protocol Suite
– Normal Network Communication - TCP and UDP
• Abnormal Communication
– Scanning
– Malware
Overview of Packet Analysis
• Packet analysis uses a packet sniffer (also called a network
monitor or protocol analyzer) to monitor and troubleshoot
network traffic.
• As data flows across the network, the sniffer captures each
packet and decodes its raw bits
– Showing the field values in the packet according to the
appropriate RFC or other specification.
• The information can identify bottlenecks and help
maintain efficient network data transmission.
Uses for Packet Analysis
• Analyze network problems
• Detect network intrusion attempts and network misuse
• Support regulatory compliance by monitoring the content of
perimeter and endpoint traffic
• Monitor bandwidth utilization
• Verify endpoint security status
• Gather and report network statistics
Common Packet Analyzers
• Capsa Network Analyzer
• Cain and Abel
• Carnivore (FBI - monitors all of a target user's Internet traffic)
• dSniff
• ettercap
• Microsoft Network Monitor
• ngrep, Network Grep
• OmniPeek
• Snoop
• Tcpdump
• Wireshark (formerly known as Ethereal)
• Xplico Open source Network Forensic Analysis Tool
Xplico
Packet Capture
• The traffic captured depends on where the capture device is
placed.
• On a switch, a sniffer plugged into an ordinary port sees only
the frames the switch forwards to that port: unicast frames
addressed to the capture device itself, plus broadcast and
multicast (and any unknown-unicast frames the switch floods).
• To see all traffic, configure port mirroring (SPAN) on the switch,
or place a full-duplex tap in line with the traffic.
http://wiki.wireshark.org/CaptureSetup/Ethernet
The OSI Model
• In order to understand packet analysis you
must understand the way data is prepared for
transit.
• The OSI model is a seven-layer representation
of how data changes in form as each layer
provides services to the layer above it
– Data is encapsulated on the way down the stack
and de-encapsulated on the way up
The OSI Model
[Diagram: the PDU at each layer and the address it carries]
– Application, Presentation, Session: Data
– Transport: Segment (addressed by Port)
– Network: Packet (addressed by IP Address)
– Data Link: Frame (addressed by MAC)
– Physical: Bits
Wireshark
• The tool we will use for demonstration is Wireshark
http://www.wireshark.org , formerly Ethereal, an open-source
packet analyzer.
• Download and install Wireshark. On Windows, make sure you also
install the packet capture driver the installer offers (WinPcap in
older releases, Npcap in current ones); without it Wireshark can
open capture files but cannot capture live traffic.
• For a live capture, launch Wireshark and click the name of an
interface under Capture Interfaces to start capturing packets
on that interface.
Wireshark
Configure advanced features by clicking Options
Select the interface with active packet exchange
The OSI Model
• In Wireshark, select any TCP frame and the Packet Details
pane shows the contents from layer 2 through layer 7:
– Frame (Ethernet, layer 2)
– Packet (IP, layer 3)
– Segment (TCP, layer 4)
– Data (the application payload, layers 5-7)
For a review go to http://wiki.wireshark.org/Ethernet
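The layering the slide describes can be reproduced outside Wireshark. The following is an added example, not part of the original deck: it decodes a constructed Ethernet/IPv4/TCP frame (the byte string below is made up for the example; the frame is a TCP SYN to port 80 with checksums left at zero, which the code does not verify) and returns the same frame/packet/segment/data split that the Packet Details pane shows.

```python
import struct

# Constructed sample frame (not taken from the deck's capture files): an Ethernet II
# frame carrying an IPv4 packet carrying a TCP SYN from 192.168.1.10:49152 to
# 93.184.216.34:80. Checksums are left as zero because this example does not verify them.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"        # Layer 2: destination MAC
    "66778899aabb"        #          source MAC
    "0800"                #          EtherType 0x0800 = IPv4
    "45" "00" "0028"      # Layer 3: version 4 / IHL 5, DSCP/ECN, total length 40
    "1234" "4000"         #          identification, flags (DF) + fragment offset 0
    "40" "06" "0000"      #          TTL 64, protocol 6 (TCP), header checksum
    "c0a8010a"            #          source IP 192.168.1.10
    "5db8d822"            #          destination IP 93.184.216.34
    "c000" "0050"         # Layer 4: source port 49152, destination port 80
    "00000001"            #          sequence number
    "00000000"            #          acknowledgement number
    "50" "02"             #          data offset 5 (20 bytes), flags = SYN
    "faf0" "0000" "0000"  #          window 64240, checksum, urgent pointer
)

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def decode_ethernet(frame):
    """Layer 2: 14-byte Ethernet II header. Returns header fields and the payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}, frame[14:]


def decode_ipv4(packet):
    """Layer 3: IPv4 header (RFC 791). Honors IHL for options and trims to Total Length."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    fields = {"src_ip": ip_str(src), "dst_ip": ip_str(dst), "ttl": ttl, "protocol": proto,
              "id": ident, "dont_fragment": bool(flags_frag & 0x4000)}
    return fields, packet[ihl:total_len]


def decode_tcp(segment):
    """Layer 4: TCP header (RFC 793). Honors Data Offset so options are skipped."""
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    fields = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": window,
              "flags": [name for bit, name in TCP_FLAGS if flags & bit]}
    return fields, segment[data_offset:]


def decode_frame(frame):
    """Walk the frame down the layers the way Wireshark's Packet Details pane lays it out."""
    layers = {}
    layers["frame"], rest = decode_ethernet(frame)
    if layers["frame"]["ethertype"] != 0x0800:
        return layers
    layers["packet"], rest = decode_ipv4(rest)
    if layers["packet"]["protocol"] != 6:
        return layers
    layers["segment"], rest = decode_tcp(rest)
    layers["data"] = rest          # Layers 5-7: whatever the application put in the segment
    return layers


if __name__ == "__main__":
    for layer, fields in decode_frame(SAMPLE_FRAME).items():
        print(f"{layer:>8}: {fields}")
```

Each decoder consumes exactly its own header, using the length fields the RFC provides (IHL, Total Length, Data Offset) rather than fixed sizes, and hands the remainder to the next layer; that is the de-encapsulation the OSI slide describes.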
Help in Wireshark
Help is easy to find in Wireshark: the Help menu also links to
the Sample Captures on the Wireshark wiki
Capture Packets
• We will use the pre-captured packets found in your folder
and compare normal traffic with abnormal traffic
• Once you open a capture you will see three panes:
– The Packet List pane - a list of all of the packets received
during the capture session.
– The middle pane is the Packet Details view.
– The bottom pane shows the individual Packet Bytes
TCP Example
• Normal traffic
• Three-way handshake: packets 1, 2 and 3
• Review the port numbers, flags, SEQ and ACK
numbers, and the stream index
• Packets 38-39: FIN packets closing the connection
• Packet 4 is the HTTP GET for an image: recover it with
File -> Export Objects -> HTTP
http://www.symantec.com/connect/articles/studying-normal-traffic-part-three-tcp-headers
UDP Example
• Provides a connectionless Transport Layer service to
applications without a handshake or connection setup.
• It is a simple protocol that does not provide ordering,
retransmission or flow control; the only integrity check is
an optional checksum.
• UDP is an unreliable service.
• Because there is no connection state to get wrong, UDP itself
rarely causes problems; when a UDP application misbehaves,
look at the application or at loss and filtering on the path.
What uses UDP?
• Commonly used in video streaming and time-sensitive
applications.
• UDP applications:
– Domain Name System (DNS)
– Voice over IP (VoIP)
– Trivial File Transfer Protocol (TFTP)
– Dynamic Host Configuration Protocol (DHCP)
– Routing Information Protocol (RIP)
DNS
• Filter on udp (or simply dns) and you will see the DNS packets
• Converts symbolic host names such as google.com to an
IP address (72.14.204.103)
• Transfers name information between DNS servers
• DNS uses TCP for zone transfers and for responses too large
for a single UDP datagram
• Looks up other record types such as mail exchange (MX)
records
• DNS is essential to any network
Normal DNS Queries/Responses
• Client sends a query to the DNS server for an IP address
• Server responds with the information it has, or asks other
DNS servers for the information
• Every DNS message has the same layout: a 12-byte header
followed by four sections:
– Questions
– Answer Resource Records
– Authority Resource Records
– Additional Resource Records
DNS Packet Structure - Flags
If RD (Recursion Desired) is set, it directs the
name server to pursue the query recursively.
Other flag bits: QR (query or response), AA (authoritative
answer), TC (truncated), RA (recursion available) and the
four-bit RCODE (response code).
Fast Flux DNS Evasion
• With fast flux, a fully qualified domain name has many IP
addresses assigned to it, rotated rapidly.
• It manipulates the way the domain name system works and
takes advantage of the round-robin load balancing built into
DNS.
• A botnet can be run through nodes that join and drop off the
network, which makes the infrastructure hard to take down.
Fast Flux DNS
• Criminals set a sixty-second time-to-live (TTL) on their DNS
resource records and swap the records' associated IP
addresses in and out with extreme frequency.
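The header, flags and four sections described above, and the short-TTL/many-addresses pattern of fast flux, can be checked programmatically. The following is an added example, not part of the original deck: it parses two constructed DNS messages (a recursive query for www.example.com and a response carrying three A records with a 60-second TTL; both byte strings are made up for the example, and the addresses come from the documentation ranges) and applies a simple fast-flux heuristic whose thresholds are assumptions to be tuned.

```python
import struct

# Constructed messages (not from the deck's capture): a recursive query for www.example.com
# and a response carrying three A records with a 60-second TTL, the pattern the slides
# describe for fast flux. The three addresses are from the documentation ranges.
QUERY = bytes.fromhex(
    "1a2b" "0100" "0001" "0000" "0000" "0000"      # ID, flags (RD=1), QDCOUNT=1, AN/NS/AR=0
    "03777777" "076578616d706c65" "03636f6d" "00"  # QNAME www.example.com
    "0001" "0001"                                  # QTYPE A, QCLASS IN
)
RESPONSE = bytes.fromhex(
    "1a2b" "8180" "0001" "0003" "0000" "0000"      # ID, flags (QR=1 RD=1 RA=1), QD=1, AN=3
    "03777777" "076578616d706c65" "03636f6d" "00" "0001" "0001"
    "c00c" "0001" "0001" "0000003c" "0004" "c6336401"  # name ptr->offset 12, A, IN, TTL 60, 198.51.100.1
    "c00c" "0001" "0001" "0000003c" "0004" "c6336402"  # 198.51.100.2
    "c00c" "0001" "0001" "0000003c" "0004" "cb007102"  # 203.0.113.2
)


def parse_flags(flags):
    """The 16-bit flags word that follows the ID (RFC 1035 section 4.1.1)."""
    return {"QR": (flags >> 15) & 1, "Opcode": (flags >> 11) & 0xF, "AA": (flags >> 10) & 1,
            "TC": (flags >> 9) & 1, "RD": (flags >> 8) & 1, "RA": (flags >> 7) & 1,
            "RCODE": flags & 0xF}


def read_name(msg, off, hops=0):
    """Decode a name, following compression pointers; returns (name, offset after the name)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer: 14-bit offset into the message
            if hops > 16:
                raise ValueError("compression pointer loop")
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            rest, _ = read_name(msg, target, hops + 1)
            labels.append(rest)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def read_rr(msg, off):
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": msg[off:off + rdlen]}
    if rtype == 1 and rdlen == 4:                 # A record: dotted-quad address
        rr["address"] = ".".join(str(b) for b in rr["rdata"])
    return rr, off + rdlen


def parse_dns(msg):
    """Header plus the four sections: questions, answers, authority, additional."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    out = {"id": ident, "flags": parse_flags(flags),
           "questions": [], "answers": [], "authority": [], "additional": []}
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        out["questions"].append({"name": name, "type": qtype, "class": qclass})
        off += 4
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, off = read_rr(msg, off)
            out[section].append(rr)
    return out


def looks_fast_flux(msg, max_ttl=300, min_addresses=3):
    """Slide heuristic: one name, several A records, all with very short TTLs. The thresholds
    are assumptions; CDNs also hand out many short-lived A records, so treat a hit as a lead."""
    a_records = [rr for rr in msg["answers"] if rr["type"] == 1]
    return (len({rr["address"] for rr in a_records}) >= min_addresses
            and all(rr["ttl"] <= max_ttl for rr in a_records))
```

Note the compression pointers (0xc00c) in the answer names: every answer points back at the question name at offset 12, which is why a parser must follow pointers before it can report the record name.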
FTP – Grab a Pic
• The purpose of FTP is to transfer files over TCP
• Uses two connections, the control channel and a data channel
– The command (control) channel is port 21 on the FTP
server.
– To transfer data such as directory listings or files, a
separate data channel is opened; in active mode the server
opens it from port 20, in passive mode from an ephemeral port.
• Filter on ftp-data traffic, then follow the TCP stream and
save it as a .jpg
Reassemble the Streams
• Streams can be reassembled and their content recovered if
the data is not encrypted
• Filter on ftp-data traffic
• Right-click, Follow TCP Stream, set Show data as Raw, select
the server-to-client direction only, and Save As mystery.jpg
• Go to where you saved the file and open it!
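What Follow TCP Stream does is order the segments of one direction by sequence number, drop retransmitted bytes and concatenate the payloads. The following is an added example, not part of the original deck: it reassembles a constructed ftp-data stream (a made-up JPEG-like byte string split into segments that arrive out of order, with an exact and an overlapping retransmission) and reports any gap a missing segment would leave.

```python
JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image marker that begins every JPEG file
JPEG_EOI = b"\xff\xd9"       # End Of Image marker that ends it

# Constructed "file" (not the deck's mystery.jpg): a JPEG-like byte string, 77 bytes long.
FILE = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(range(64)) + JPEG_EOI
ISN = 1000   # initial sequence number of the server->client ftp-data stream

# The same bytes as TCP segments (seq, payload), in the order a capture might show them:
# out of order, one exact retransmission, and one retransmission that overlaps new data.
SEGMENTS = [
    (1040, FILE[40:60]),
    (1000, FILE[0:20]),
    (1060, FILE[60:77]),
    (1020, FILE[20:40]),
    (1020, FILE[20:40]),   # duplicate: exact retransmission
    (1030, FILE[30:50]),   # overlapping retransmission: 10 old bytes, 10 new
]


def reassemble_stream(segments, initial_seq):
    """Order segments by sequence number, drop retransmitted bytes and note any holes.
    Returns (stream_bytes, gaps); gaps are [start_seq, end_seq) ranges never captured."""
    expected = initial_seq
    out = bytearray()
    gaps = []
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= expected:                   # nothing new: retransmission of placed data
            continue
        if seq > expected:                    # segment not captured: pad so offsets stay right
            gaps.append((expected, seq))
            out.extend(b"\x00" * (seq - expected))
            expected = seq
        out.extend(payload[expected - seq:])  # skip the overlapping prefix, keep the new tail
        expected = end
    return bytes(out), gaps


def looks_like_jpeg(data):
    return data.startswith(JPEG_SOI) and data.endswith(JPEG_EOI)


def extract_file(segments, initial_seq):
    """Equivalent of Follow TCP Stream -> Raw -> Save As for one direction of the stream."""
    data, gaps = reassemble_stream(segments, initial_seq)
    return {"bytes": data, "gaps": gaps, "complete": not gaps, "jpeg": looks_like_jpeg(data)}


if __name__ == "__main__":
    result = extract_file(SEGMENTS, ISN)
    print(len(result["bytes"]), "bytes, complete:", result["complete"], "jpeg:", result["jpeg"])
```

The gap list is the equivalent of Wireshark's "previous segment not captured" note: a file recovered from a stream with gaps will open only if the missing bytes were not structurally important, so check it before trusting the extracted object.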
Internet Control Message Protocol
• ICMP is used by routers, intermediary devices, or
hosts to communicate updates or error information
to other routers, intermediary devices, or hosts.
– Used to troubleshoot network issues
– Not used to exchange application data between systems
• ping uses ICMP because ICMP provides the
echo-request/echo-reply query messages.
A Scout
for IP!
Internet Control Message Protocol
• ICMP defines four pairs of query messages; ping uses the
first pair.
– Echo request/echo reply: Used to test reachability
– Timestamp request/timestamp reply: Used to compute delay
between time stamps
– Information request/information reply: Once used by a host
to learn the address of its local IP network (obsolete)
– Address (subnet) mask request/reply: Subnet mask
information is exchanged (deprecated)
ICMP - Dest Unreachable
• RFC 792: "ICMP is actually an integral part of
IP, and must be implemented by every IP module."
ICMP Error Codes
• Type 3 Destination Unreachable Codes
– 0 - Net Unreachable
– 1 - Host Unreachable
– 2 - Protocol Unreachable
– 3 - Port Unreachable
• Type 5 Redirect Codes
– 0 – Redirect Datagram for Network
– 1 – Redirect Datagram for Host
– 2 - Redirect Datagram for Type of Service
• Type 11 Time Exceeded Codes
– 0 – TTL Exceeded
– 1 – Fragment Reassembly Time Exceeded
• Type 12 Parameter Problem Codes
– 0 – Pointer Indicates the Error
– 1 – Missing Required Option
– 2 - Bad Length
ICMP - Errors
• Frame 5: Destination Unreachable, code Port Unreachable,
sent in reply to an SNMP probe to UDP port 161
• The error message carries a nested copy of the offending
packet
– After the outer IP header and the ICMP header come the
original IP header and the first 64 bits (8 bytes) of the
original datagram
– For TCP and UDP those 8 bytes include both port numbers, so
the error can be matched to the probe that caused it
• ICMP is used in reconnaissance (ping sweeps, and port
unreachable replies that reveal closed UDP ports) by the
tools shipped with Kali Linux
http://it-ebooks.info/book/3000/
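The nested structure of an ICMP error is easy to misread in the Bytes pane, so the following added example (not part of the original deck) parses a constructed Destination Unreachable / Port Unreachable packet: the byte string is made up for the example and mirrors the frame 5 situation, a reply to a UDP probe of port 161. It decodes the type/code names from the slide's table, digs out the quoted original IP header and its first 64 bits, and ties the error back to the probe by address, protocol and port. Checksums are not verified.

```python
import struct

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded", 12: "Parameter Problem"}
ICMP_CODES = {   # RFC 792 codes for the error types listed on the slides
    3: {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
        3: "Port Unreachable"},
    5: {0: "Redirect Datagram for Network", 1: "Redirect Datagram for Host",
        2: "Redirect Datagram for Type of Service"},
    11: {0: "TTL Exceeded", 1: "Fragment Reassembly Time Exceeded"},
    12: {0: "Pointer Indicates the Error", 1: "Missing Required Option", 2: "Bad Length"},
}
ERROR_TYPES = (3, 5, 11, 12)   # types that quote the original datagram

# Constructed packet (not frame 5 from the deck's capture): 192.0.2.1 tells 192.168.1.10
# that the UDP datagram it sent to port 161 (SNMP) reached a port nobody listens on.
SAMPLE = bytes.fromhex(
    "4500" "0038" "0001" "0000" "40" "01" "0000" "c0000201" "c0a8010a"  # outer IPv4, proto 1 (ICMP)
    "03" "03" "0000" "00000000"                                          # type 3, code 3, csum, unused
    "4500" "0030" "abcd" "0000" "40" "11" "0000" "c0a8010a" "c0000201"  # original IPv4 hdr, proto 17
    "c351" "00a1" "001c" "0000"                                          # first 64 bits of original UDP
)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_ipv4_header(data):
    ver_ihl, _, total_len, ident, _, ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    return {"ihl": (ver_ihl & 0x0F) * 4, "total_length": total_len, "id": ident,
            "ttl": ttl, "protocol": proto, "src": ip_str(src), "dst": ip_str(dst)}


def parse_icmp(packet):
    """Decode an ICMP message carried in an IPv4 packet, including the quoted original."""
    outer = parse_ipv4_header(packet)
    icmp = packet[outer["ihl"]:outer["total_length"]]
    itype, code, _checksum = struct.unpack("!BBH", icmp[:4])    # checksum not verified here
    msg = {"from": outer["src"], "to": outer["dst"], "type": itype, "code": code,
           "type_name": ICMP_TYPES.get(itype, "unknown"),
           "code_name": ICMP_CODES.get(itype, {}).get(code, "unknown")}
    if itype in ERROR_TYPES:
        quoted = icmp[8:]                       # RFC 792: original IP header + 64 bits of data
        inner = parse_ipv4_header(quoted)
        first64 = quoted[inner["ihl"]:inner["ihl"] + 8]
        if inner["protocol"] in (6, 17) and len(first64) >= 4:   # TCP/UDP: ports come first
            inner["src_port"], inner["dst_port"] = struct.unpack("!HH", first64[:4])
        msg["original"] = inner
    return msg


def matches_probe(error, src, dst, proto, dst_port):
    """Tie a returned error to the probe that caused it, as a scanner or an analyst would."""
    o = error.get("original")
    return bool(o) and (o["src"], o["dst"], o["protocol"], o.get("dst_port")) == \
        (src, dst, proto, dst_port)


if __name__ == "__main__":
    m = parse_icmp(SAMPLE)
    print(f'{m["from"]} -> {m["to"]}: {m["type_name"]} / {m["code_name"]}')
    print("original datagram:", m["original"])
```

The quoted original header is why a UDP scanner can tell a closed port (Port Unreachable comes back naming that port) from an open or filtered one (silence), and why an analyst can match each error in a capture to the probe it answers.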
BAD Connection
• Diagnose performance problems
– Use Wireshark's Expert Information and coloring rules
• High latency can come from:
– Processing delays at the endpoints
– Distance (propagation delay)
– Queuing delays (bufferbloat)
• Oversized buffers fill up and stay full at congested links,
adding delay to every packet and losing their intended
function of absorbing bursts.
Identify High Latency Times
• In this trace file you can identify delays
– First filter on a conversation: go to Statistics, then
Conversations
– Select the IPv4 tab and sort by Bytes A->B
– Right-click, Apply as Filter -> Selected -> A->B
Identify High Latency Times
• Set the Time column to Seconds Since Previously Displayed
Packet (View -> Time Display Format), then sort it highest to
lowest and you will see the large gaps alongside:
– Retransmissions, duplicate ACKs, keep-alives
Expert System
• Using Wireshark's Expert Information to help identify
problems
– Clear the filter
– In the lower left-hand corner, click the circle (red when
errors are present) to bring up the Expert Information
dialog
Zero Window
• If the client advertises a
zero window, its application is
not reading data from the TCP
receive buffer quickly enough,
and the sender must stop until a
window update arrives. Packet 298
Network Scans
• Nmap is a tool used to discover hosts and services
on a network and create a "map" of the network.
– It can be used legitimately or maliciously to scan thousands
of ports quickly and distinguish between ports in the open,
closed and filtered states.
• By default, when run with raw-packet privileges, Nmap
performs a SYN scan, which works against any compliant
TCP stack.
Nmap
• Scanning is active reconnaissance: the scanner sends probes,
and the target can see and log them.
• After running a scan, Zenmap (the Nmap GUI) shows results for
the IP range you selected:
– Ports/Hosts - the results of the port scan, including the well-known
services for those ports.
– Topology - an interactive view of the connections between hosts in a
network.
– Host Details - details such as the number of ports, IP addresses,
hostnames, operating systems, and more.
Scan – SYN
• The same source and destination
IP address pair in every packet
• Only the SYN flag is set
• The destination port number
changes from packet to packet
as the scanner tries every port
• Closed ports answer RST/ACK; open
ports answer SYN/ACK, and the scanner
replies with a RST instead of
completing the handshake
http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-two
Scan - ARP
• An ARP scan sends ARP requests to every address on the local
subnet and displays any responses that are received.
– ARP packets are not routable, so this only works on the
local segment
• An advantage of ARP scanning is that it discovers hosts whose
host-based firewall drops ICMP and TCP probes: a host must
still answer ARP to communicate at all
Detecting an ARP Scan
• Detection can be difficult if the scanning software is not
scanning at high speed
• Below is a comparison of a normal capture to an ARP scan; the
capture on the right shows a much higher ARP request rate
SCAN - Port
• Full connect scan
• TCP connect scan is the default TCP scan type when SYN scan
is not an option (no raw-socket privileges)
• The scanner completes the three-way handshake through the
operating system's socket API, so the connection is visible
to the application on the target
• A TCP reset response indicates the port is closed
SCAN - Port
• Packets 18, 19 and 20 show a completed handshake, so that
port is open
• Packet 21 then starts the next connection attempt
SEC-Bittorrent
• BitTorrent uses a distributed sloppy hash table (DHT) for storing
peer contact information for "trackerless" torrents.
• DHT consists of a number of different queries and corresponding
responses.
– Ping: used to check if a peer is available.
– Find_node: used to find the contact information for a peer.
– Get_peers: requests a list of peers which have pieces of the content.
– Announce_peer: announces the contact information for the peer to the
network.
Right-click on packet 22 and Follow UDP Stream
Ettercap
• Ettercap is an open source tool used to perform a
man-in-the-middle attack in a switched environment,
usually by ARP poisoning
• Once Ettercap has inserted itself in the middle of a
connection, it can capture and examine all communication
between the two victims and launch an attack, such as a
DNS spoof
SEC-ettercap-poisoner
• Ettercap also has the ability to actively or passively
find other poisoners on the LAN.
• This trace file has the signature of Ettercap's "Check
for Poisoner" function.
– In the IP header, the Identification field of the ping packets
contains the value 0xe77e, which is "ette" in leet speak
– Systems that answer back with the same IP ID value are
most likely running Ettercap as well.
Fragmentation Scanning
• A scanning technique that fragments IP packets during the
port scan in an attempt to bypass some firewall devices.
• Instead of sending the probe packet whole, it is broken
into a couple of small IP fragments.
• Splitting the TCP header over several packets makes it harder
for packet filters and IDS to see the ports and flags: only the
first fragment carries any of the transport header, and it may
carry only part of it.
– This method won't work against packet filters and firewalls that
queue and reassemble IP fragments, and it can cause some
systems to crash
Fragmentation Scanning
• Not an attack tool itself, rather it is a technique that
allows other attacks to avoid detection by network intrusion
detection systems.
NOTE: Fragmentation should be rare in normal traffic now that
Path MTU Discovery is in general use, so tiny fragments that
split a transport header deserve a close look.
SEC-nmap-fragscan
• This trace file depicts a
system sending an IP
fragment scan.
• If you examine the IP
header, the protocol field
indicates that TCP follows,
but Wireshark cannot dissect
the TCP header from a single
fragment.
• Reassemble the fragments (or
decode the TCP header bytes by
hand across them) to identify
the purpose of the TCP packets.
Configure
your
devices!
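The two points above, that a fragment-by-fragment filter cannot see the TCP flags and that reassembly recovers them, can be shown in a few lines. The following is an added example, not part of the original deck: it builds a constructed 20-byte TCP SYN to port 22 and splits it into 8-byte IP fragments the way an nmap -f scan does (addresses, IP ID and ports are made up for the example), shows what a stateless filter sees in each fragment, then reassembles the datagram and decodes the header. Checksums are left at zero and not verified.

```python
import struct


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_ipv4(data):
    """Minimal IPv4 header parse that keeps the fragmentation fields (RFC 791)."""
    ver_ihl, _, total_len, ident, flags_frag, _ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "protocol": proto, "src": ip_str(src), "dst": ip_str(dst),
            "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8,      # offset is stored in 8-byte units
            "payload": data[ihl:total_len]}


def make_fragment(ident, offset_bytes, more, payload,
                  src=b"\x0a\x00\x00\x05", dst=b"\x0a\x00\x00\x14"):
    """Build one IPv4 fragment carrying a slice of a TCP segment (checksum left zero)."""
    flags_frag = (0x2000 if more else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, 6, 0, src, dst)
    return header + payload


# Constructed probe (not the deck's nmap-fragscan trace): a 20-byte TCP SYN to port 22,
# split into 8-byte fragments as nmap -f splits it, and captured out of order.
TCP_SYN_TO_22 = struct.pack("!HHIIBBHHH", 40001, 22, 0x11223344, 0, 0x50, 0x02, 1024, 0, 0)
FRAGMENTS = [
    make_fragment(0xbeef, 8, True, TCP_SYN_TO_22[8:16]),
    make_fragment(0xbeef, 16, False, TCP_SYN_TO_22[16:20]),
    make_fragment(0xbeef, 0, True, TCP_SYN_TO_22[0:8]),
]


def stateless_view(fragment):
    """What a filter that inspects each fragment on its own can see of the TCP header."""
    ip = parse_ipv4(fragment)
    if ip["frag_offset"] != 0:
        return {"ports": None, "flags": None}        # later fragments carry no transport header
    payload = ip["payload"]
    ports = struct.unpack("!HH", payload[:4]) if len(payload) >= 4 else None
    flags = payload[13] if len(payload) >= 14 else None   # flags byte is offset 13 of the TCP header
    return {"ports": ports, "flags": flags}


def reassemble(fragments):
    """Group fragments by (src, dst, id, protocol) and rebuild every datagram that is complete."""
    groups = {}
    for frag in fragments:
        ip = parse_ipv4(frag)
        groups.setdefault((ip["src"], ip["dst"], ip["id"], ip["protocol"]), []).append(ip)
    datagrams = {}
    for key, parts in groups.items():
        parts.sort(key=lambda p: p["frag_offset"])
        if parts[-1]["more_fragments"]:
            continue                                 # final fragment not seen yet
        data, expected = bytearray(), 0
        for part in parts:
            if part["frag_offset"] != expected:
                break                                # hole: a fragment is missing
            data.extend(part["payload"])
            expected += len(part["payload"])
        else:
            datagrams[key] = bytes(data)
    return datagrams


def decode_tcp(segment):
    sport, dport, seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    names = [n for bit, n in ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                              (0x08, "PSH"), (0x10, "ACK")) if flags & bit]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "flags": names}


def decode_fragmented_probes(fragments):
    """Reassemble and decode every complete TCP datagram in a list of fragments."""
    return [(key, decode_tcp(data)) for key, data in reassemble(fragments).items() if key[3] == 6]


if __name__ == "__main__":
    for frag in FRAGMENTS:
        print("stateless view:", stateless_view(frag))
    print("after reassembly:", decode_fragmented_probes(FRAGMENTS))
```

The first fragment exposes the ports but not the flags byte at offset 13, and the other fragments expose nothing, which is exactly the blind spot a stateless packet filter has; a device that queues and reassembles fragments, as the slide recommends, sees the SYN.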
SEC-nmap-ipscan
• nmap-ipscan is an IP protocol
scan (nmap -sO) used to
determine which protocols are
supported directly on top of
the IP header.
– IRDP, ICMP, EGP, ...
• Sort the Info column heading
to see a list of the protocols
queried.
More Resources
• For more packet captures go to
http://www.netresec.com/?page=PcapFiles
• Wireshark Network Analysis, by Laura Chappell,
ISBN 978-1-893939-99-8
• Practical Packet Analysis: Using Wireshark to Solve
Real-World Network Problems, by Chris Sanders, No
Starch Press, 2010, ISBN-13 978-1-59327-266-1

Interactive Powerpoint_How to Master effective communicationnomboosow
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 

Recently uploaded (20)

Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 

Packet Analysis - Course Technology Computing Conference

10. Wireshark
• The tool we will use for demonstration is Wireshark http://www.wireshark.org, formerly Ethereal, an open-source packet analyzer.
• Download and install Wireshark
– Make sure you install WinPcap (Windows Packet Capture) if you are using Windows
• For a live capture, launch Wireshark and click the name of an interface under Capture Interfaces to start capturing packets on that interface.

11. Wireshark
• Configure advanced features by clicking Options
• Select the interface with active packet exchange
12. The OSI Model
• In Wireshark, select any TCP frame and you will see the frame contents from layers 2-7
– Figure labels: Data, Segment, Packet, Frame
• For a review go to http://wiki.wireshark.org/Ethernet

13. Help in Wireshark
• Easily find help in Wireshark, including Sample Captures

14. Capture Packets
• We will use pre-captured packets found in your folder and review normal traffic versus abnormal traffic
• Once you open a capture you will see three panes:
– The Packet List view - a list of all of the packets received during the capture session.
– The middle window is the Details view.
– The bottom is the individual Packet Bytes

15. TCP Example
• Normal traffic
• Three-way handshake: packets 1, 2, 3
• Review port numbers, flags, SEQ/ACK numbers, stream index
• Packets 38-39: FIN packets
• Packet 4: GET image; File -> Export Objects
http://www.symantec.com/connect/articles/studying-normal-traffic-part-three-tcp-headers
17. UDP Example
• Provides connectionless Transport Layer service to other applications on the internet without having to go through a handshake or connection process.
• It is a simple protocol that does not provide any ordering or data integrity services.
• UDP is an unreliable service.
• Few problems occur with UDP.

18. What uses UDP?
• Commonly used in video streaming and time-sensitive applications.
• UDP Applications:
– Domain Name System (DNS)
– Voice over IP (VoIP)
– Trivial File Transfer Protocol (TFTP)
– Dynamic Host Configuration Protocol (DHCP)
– Routing Information Protocol (RIP)

19. DNS
• Filter UDP and you will see the DNS packets
• Converts symbolic host names (such as google.com) to an IP address (72.14.204.103)
• Transfers name information between DNS servers
• DNS uses TCP in a zone transfer
• Looks up other host names, such as mail exchange (MX) records
• DNS is essential to any network

20. Normal DNS Queries/Responses
• Client sends query to DNS server for an IP address
• Server responds with information it has, or asks other DNS servers for the information
• All DNS packets have four (4) sections:
– Questions
– Answer Resource Records
– Authority Resource Records
– Additional Resource Records

21. DNS Packet Structure - Flags
• If RD is set, it directs the name server to pursue the query recursively.

22. Fast Flux DNS Evasion
• With Fast Flux, a fully qualified domain name will have multiple IP addresses assigned to it.
• It manipulates the way the domain name system works and takes advantage of the way load balancing is built into the domain name system.
• A botnet can be created with nodes that join and drop off the network and evade capture.

23. Fast Flux DNS
• Criminals use a sixty-second time-to-live (TTL) setting for their DNS resource records and swap the records' associated IP addresses in and out with extreme frequency.
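The four-section DNS layout and the RD/RA flags of slides 20-21, plus the fast-flux pattern of slides 22-23, as an added Python example that is not part of the original slides: the parser decodes the wire format with struct only, the sample responses are constructed, and the 60-second TTL and five-address thresholds are assumptions.

```python
"""Decode DNS messages (header flags, four section counts, Questions and
Answer RRs) and apply a simple fast-flux heuristic. Sample data is constructed."""
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # header flag bits (RFC 1035)

def read_name(msg, off):
    """Read a domain name at off, following compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_dns(msg):
    """Decode the header, the Questions and the Answer RRs of a DNS message."""
    tid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    out = {"id": tid, "response": bool(flags & QR), "opcode": (flags >> 11) & 0xF,
           "rd": bool(flags & RD), "ra": bool(flags & RA), "rcode": flags & 0xF,
           "counts": {"questions": qd, "answers": an, "authority": ns, "additional": ar},
           "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, qtype, qclass))
    for _ in range(an):                               # authority/additional left undecoded
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                 # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        out["answers"].append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return out

def fast_flux_indicators(responses, max_ttl=60, min_ips=5):
    """Heuristic for slide 23's pattern: short TTLs plus a churning set of A
    records for one name across several responses. Thresholds are assumptions."""
    ips, ttls = set(), []
    for r in responses:
        for rr in r["answers"]:
            if rr["type"] == 1:
                ips.add(rr["rdata"])
                ttls.append(rr["ttl"])
    short_ttl = bool(ttls) and max(ttls) <= max_ttl
    return {"distinct_ips": len(ips), "short_ttl": short_ttl,
            "suspicious": short_ttl and len(ips) >= min_ips}

def build_response(tid, name, ips, ttl):
    """Constructed sample: a recursive A-record response whose answers use a
    compression pointer (0xC00C) back to the question name at offset 12."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", tid, QR | RD | RA, 1, len(ips), 0, 0) + qname + struct.pack("!HH", 1, 1)
    for ip in ips:
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return msg
```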
24. FTP – Grab a Pic
• Purpose of FTP is to transfer files over TCP
• Uses both ports 20 and 21
– Command channel is designated on port 21 for the FTP server.
– To transfer data like directory contents or files, a secondary channel, port 20, is used.
• Filter ftp-data traffic, then follow the TCP stream. Save as .jpg

25. Reassemble the Streams
• Can reassemble and obtain content if data is not encrypted
• Filter ftp-data traffic
• Right click, Follow TCP Stream, and save the file as raw data: click Save As, mystery.jpg
• Go to where you saved the file and open it!

26. Internet Control Message Protocol
• ICMP is used by routers, intermediary devices, or hosts to communicate updates or error information to other routers, intermediary devices, or hosts.
– Used to troubleshoot network issues
– Not used to exchange data between systems
• ICMP is used by ping because it can generate echo-request/echo-reply query messages.
• A Scout for IP!

27. Internet Control Message Protocol
• Four types of query messages that characterize the output generated by the ping command.
– Echo request/echo reply: Used to test reachability
– Time stamp request/time stamp reply: Used to compute delay between time stamps
– Information request/information reply: Locates address of local IP network
– Subnet mask request/subnet mask reply: Subnet information is exchanged

28. ICMP - Dest Unreachable
• RFC 792: "ICMP is actually an integral part of IP, and must be implemented by every IP module."

29. ICMP Error Codes
• Type 3 Destination Unreachable Codes
– 0 - Net Unreachable
– 1 - Host Unreachable
– 2 - Protocol Unreachable
• Type 5 Redirect Codes
– 0 - Redirect Datagram for Network
– 1 - Redirect Datagram for Host
– 2 - Redirect Datagram for Type of Service
• Type 11 Time Exceeded Codes
– 0 - TTL Exceeded
– 1 - Fragment Reassembly Time Exceeded
• Type 12 Parameter Problem Codes
– 0 - Pointer Indicates the Error
– 1 - Missing Required Option
– 2 - Bad Length

30. ICMP - Errors
• Frame 5: Destination unreachable (port unreachable), SNMP port 161
• A response with a nested packet
– We have the IP header that was used to send the packet to the target
– When the destination unreachable message returns, it carries back the IP header and 64 bits of the original datagram
• ICMP is used in reconnaissance by Kali Linux http://it-ebooks.info/book/3000/
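An added example, not from the slides, that decodes the nested packet described on slide 30: it verifies the ICMP checksum, names the type/code from the slide 29 table, and pulls out the quoted IP header and the 64 bits of the original datagram; the sample message is constructed to mirror frame 5's rejected probe to SNMP port 161.

```python
"""Decode an ICMP error message and the quoted datagram it carries.
The sample message is constructed, not taken from a real capture."""
import struct

ICMP_NAMES = {   # type/code names from the slide 29 table; code 3 from slide 30
    (3, 0): "Net Unreachable", (3, 1): "Host Unreachable",
    (3, 2): "Protocol Unreachable", (3, 3): "Port Unreachable",
    (5, 0): "Redirect Datagram for Network", (5, 1): "Redirect Datagram for Host",
    (5, 2): "Redirect Datagram for Type of Service",
    (11, 0): "TTL Exceeded", (11, 1): "Fragment Reassembly Time Exceeded",
    (12, 0): "Pointer Indicates the Error", (12, 1): "Missing Required Option",
    (12, 2): "Bad Length",
}

def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp_error(msg):
    """Return type/code, checksum validity, and the quoted inner IP header
    plus the 64 bits (8 bytes) of the original datagram that follow it."""
    itype, code, _csum = struct.unpack("!BBH", msg[:4])
    ok = checksum(msg) == 0                 # an intact message sums to zero
    inner = msg[8:]                         # 4 unused bytes follow the checksum
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    quoted = inner[ihl:ihl + 8]             # the 64 bits of original datagram
    ports = None
    if proto in (6, 17) and len(quoted) >= 4:   # TCP/UDP: ports are the first 4 bytes
        ports = struct.unpack("!HH", quoted[:4])
    return {"type": itype, "code": code, "name": ICMP_NAMES.get((itype, code), "Unknown"),
            "checksum_ok": ok, "inner_src": src, "inner_dst": dst,
            "inner_proto": proto, "ports": ports}

def build_port_unreachable(src, dst, sport, dport):
    """Constructed sample: a host rejecting a UDP probe, as in frame 5 on slide 30."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8, 0)
    body = struct.pack("!BBHI", 3, 3, 0, 0) + ip_hdr + udp_hdr
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]
```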
31. BAD Connection
• Diagnose performance problems
– Use Wireshark's expert system and coloring rules
• High latency can be from:
– Processing delays
– Distance
– Queuing delays (BUFFERBLOAT)
• Buffers fill up and remain full at congested links, contributing to excessive traffic delay and losing the ability to perform their intended function of absorbing bursts.

32. Identify High Latency Times
• In this trace file you can identify delays
– First filter on conversations: go to Statistics, then Conversations
– Select the IPv4 tab and sort Bytes A->B
– Right click, Apply as Filter -> Selected A->B

33. Identify High Latency Times
• Set the Time column to Seconds since Previously Displayed Packet
– Sort highest to lowest and you will see:
– Retransmissions, Dup ACKs, Keep-Alives

34. Expert System
• Using Wireshark's Expert System to help identify problems
– Clear filter
– Lower left hand corner: click on the red circle to bring up the expert system

35. Zero Window
• If the client advertises a zero window, the application is unable to process quickly enough from the TCP receive buffers. Packet 298
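Added example, not from the slides, that replays slides 33-35 in code: it computes the "seconds since previously displayed packet" delta and marks Retransmission, Dup ACK, Window Update and Zero Window conditions on a constructed eight-packet TCP stream; the detection rules are simplified assumptions, not Wireshark's exact expert-system logic.

```python
"""Annotate packet summaries the way Wireshark's Time column and expert
system do for the slide 31-35 walkthrough. Packets are constructed."""

def annotate(packets):
    """packets: dicts with ts, src, sport, dst, dport, flags (set), seq, ack,
    win, length. Returns copies with a delta (seconds since previous packet)
    and a list of expert-style notes."""
    seen = set()        # (stream, seq) of data segments already seen
    last_ack = {}       # stream -> (ack, win, repeat count) for pure ACKs
    out, prev_ts = [], None
    for p in packets:
        notes, stream = [], (p["src"], p["sport"], p["dst"], p["dport"])
        if p["length"] > 0:
            if (stream, p["seq"]) in seen:           # same data sent again
                notes.append("Retransmission")
            seen.add((stream, p["seq"]))
        elif "ACK" in p["flags"] and "SYN" not in p["flags"]:
            ack, win, n = last_ack.get(stream, (None, None, 0))
            if ack == p["ack"] and win == p["win"]:  # nothing new acknowledged
                n += 1
                notes.append("Dup ACK #%d" % n)
            elif ack == p["ack"] and win == 0 and p["win"] > 0:
                n = 0
                notes.append("Window Update")         # receiver drained its buffer
            else:
                n = 0
            last_ack[stream] = (p["ack"], p["win"], n)
        if p["win"] == 0 and "RST" not in p["flags"]:
            notes.append("Zero Window")               # slide 35: receiver cannot keep up
        delta = 0.0 if prev_ts is None else round(p["ts"] - prev_ts, 6)
        prev_ts = p["ts"]
        out.append({**p, "delta": delta, "notes": notes})
    return out

def slowest(annotated, n=3):
    """Sort by delta, highest first, like the Time column sort on slide 33."""
    return sorted(annotated, key=lambda p: p["delta"], reverse=True)[:n]

def sample_capture():
    """Constructed stream: handshake, data, a 1 s retransmission, then a
    receiver that advertises a zero window before recovering."""
    c, s = ("10.0.0.3", 51000), ("10.0.0.20", 80)
    def pkt(ts, a, b, flags, seq=0, ack=0, win=65535, length=0):
        return {"ts": ts, "src": a[0], "sport": a[1], "dst": b[0], "dport": b[1],
                "flags": set(flags), "seq": seq, "ack": ack, "win": win, "length": length}
    return [pkt(0.000, c, s, ("SYN",), seq=0),
            pkt(0.010, s, c, ("SYN", "ACK"), seq=0, ack=1),
            pkt(0.011, c, s, ("ACK",), seq=1, ack=1),
            pkt(0.012, c, s, ("ACK",), seq=1, ack=1, length=100),   # data
            pkt(1.012, c, s, ("ACK",), seq=1, ack=1, length=100),   # same seq, 1 s later
            pkt(1.020, s, c, ("ACK",), seq=1, ack=101, win=0),       # buffer full
            pkt(1.520, s, c, ("ACK",), seq=1, ack=101, win=0),       # still full
            pkt(2.020, s, c, ("ACK",), seq=1, ack=101, win=8192)]    # drained
```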
36. Network Scans
• Nmap is a tool used to discover hosts and services on a network, and create a "map" of the network.
– It can be used either legitimately or maliciously to quickly scan thousands of ports, and to discriminate between ports in open, closed and filtered states.
• By default, Nmap performs a SYN Scan, which works against any TCP stack.

37. Nmap
• Scanning can be used as a passive attack in the form of reconnaissance.
• After running a scan, the software will output results from the IP range you selected:
– Ports/Hosts - the results of the port scan, including the well-known services for those ports.
– Topology - an interactive view of the connections between hosts in a network.
– Host Details - details such as the number of ports, IP addresses, hostnames, operating systems, and more.

38. Scan – SYN
• Same source and destination IP address
• Only the SYN flag is set
• The destination port number of each packet changes as it tries every port
http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-two

39. Scan - ARP
• An arp-scan sends ARP packets to hosts on the local network and displays any responses that are received.
– ARP packets are not routable
• An advantage of ARP scanning is discovering hosts behind a firewall

40. Detecting an ARP Scan
• Detecting can be difficult if the scanning software is not scanning at a high speed
• Below find a comparison of a normal capture to an ARP scan; the right shows a higher packet rate

41. SCAN - Port
• Full Connect Scan
• TCP connect scan is the default TCP scan type when SYN scan is not an option.
• A TCP Reset response indicates the port is closed

42. SCAN - Port
• In packets 18, 19 and 20 we see an actual connection
• Then it continues to attempt another connection in Packet 21
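Added example, not from the slides, that applies the signatures of slides 38-42 to packet summaries of the kind Wireshark's packet list shows: one source sending bare SYNs to many ports, RST replies marking closed ports during a connect scan, and a burst of ARP requests; the packets and the thresholds are constructed assumptions.

```python
"""Flag the scan patterns from slides 38-42 in a list of packet summaries.
Thresholds and sample packets are assumptions, not values from the slides."""
from collections import defaultdict

SYN_PORTS = 10     # distinct ports hit with a bare SYN before we call it a SYN scan
RST_PORTS = 10     # distinct ports a target closed with RST before we call it a sweep
ARP_PER_SEC = 10   # ARP requests per second from one sender before we call it an ARP scan

def detect_scans(packets):
    """packets: dicts with ts, proto ('tcp'|'arp'), src, dst; tcp packets add
    sport, dport, flags (a set); arp packets add op. Returns findings as
    (kind, source, target, count) tuples."""
    syn_targets = defaultdict(set)     # (src, dst) -> ports probed with SYN only
    rst_replies = defaultdict(set)     # (scanner, target) -> ports closed with RST
    arp_rate = defaultdict(lambda: defaultdict(int))   # src -> second -> requests
    for p in packets:
        if p["proto"] == "tcp":
            if p["flags"] == {"SYN"}:                    # slide 38: only SYN set
                syn_targets[(p["src"], p["dst"])].add(p["dport"])
            elif "RST" in p["flags"]:                    # slide 41: RST means closed
                rst_replies[(p["dst"], p["src"])].add(p["sport"])
        elif p["proto"] == "arp" and p.get("op") == "request":
            arp_rate[p["src"]][int(p["ts"])] += 1        # slide 40: rate is the tell
    findings = []
    for (src, dst), ports in syn_targets.items():
        if len(ports) >= SYN_PORTS:
            findings.append(("syn_scan", src, dst, len(ports)))
    for (src, dst), ports in rst_replies.items():
        if len(ports) >= RST_PORTS:
            findings.append(("closed_port_sweep", src, dst, len(ports)))
    for src, per_sec in arp_rate.items():
        peak = max(per_sec.values())
        if peak >= ARP_PER_SEC:
            findings.append(("arp_scan", src, None, peak))
    return findings

def sample_capture():
    """Constructed packets: a 25-port SYN sweep answered with RSTs, a 30-request
    ARP burst inside one second, and one normal three-way handshake."""
    pkts = []
    for i, port in enumerate(range(20, 45)):            # destination port increments
        pkts.append({"ts": 1.0 + i * 0.001, "proto": "tcp", "src": "10.0.0.7",
                     "dst": "10.0.0.20", "sport": 40000 + i, "dport": port, "flags": {"SYN"}})
        pkts.append({"ts": 1.0 + i * 0.001 + 0.0005, "proto": "tcp", "src": "10.0.0.20",
                     "dst": "10.0.0.7", "sport": port, "dport": 40000 + i, "flags": {"RST", "ACK"}})
    for i in range(30):
        pkts.append({"ts": 5.0 + i * 0.02, "proto": "arp", "op": "request",
                     "src": "10.0.0.7", "dst": "10.0.0.%d" % (100 + i)})
    pkts += [{"ts": 9.0, "proto": "tcp", "src": "10.0.0.3", "dst": "10.0.0.20",
              "sport": 51000, "dport": 80, "flags": {"SYN"}},
             {"ts": 9.1, "proto": "tcp", "src": "10.0.0.20", "dst": "10.0.0.3",
              "sport": 80, "dport": 51000, "flags": {"SYN", "ACK"}},
             {"ts": 9.2, "proto": "tcp", "src": "10.0.0.3", "dst": "10.0.0.20",
              "sport": 51000, "dport": 80, "flags": {"ACK"}}]
    return pkts
```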
43. SEC-Bittorrent
• BitTorrent uses a distributed sloppy hash table (DHT) for storing peer contact information for "trackerless" torrents.
• DHT consists of a number of different queries and corresponding responses.
– Ping - used to check if a peer is available.
– Find_node - used to find the contact information for a peer.
– Get_peers - requests a list of peers which have pieces of the content.
– Announce_peer - announces the contact information for the peer to the network.
• Right click on packet 22 and follow UDP Stream

44. Ettercap
• Ettercap is an open source tool used to perform a man-in-the-middle attack in a switched environment
• Once Ettercap has inserted itself in the middle of a connection, it can capture and examine all communication between the two victims, and launch an attack - such as a DNS spoof

45. SEC-ettercap-poisoner
• Ettercap also has the ability to actively or passively find other poisoners on the LAN.
• This trace file has the signature of Ettercap's 'Check for Poisoner' function.
– Go to the IP header -> ID field: the ping packets contain the signature 0xe77e, which is 'ette' in Leet speak
– Systems that answer back with the same IP ID value are most likely running Ettercap as well.

46. Fragmentation Scanning
• A scanning technique that fragments IP packets during the port scan in an attempt to bypass some firewall devices.
• Instead of just sending the probe packet, it is broken into a couple of small IP fragments.
• Splitting up the TCP header over several packets makes it harder for packet filters and IDS to detect.
– This method won't work with packet filters and firewalls that queue IP fragments, and it can cause some systems to crash

47. Fragmentation Scanning
• Not an attack tool itself; rather, it is a technique that allows other attacks to avoid detection by network intrusion detection systems.
• NOTE: Fragmentation of a packet should rarely occur since MTU discovery techniques now exist.

48. SEC-nmap-fragscan
• This trace file depicts a system sending an IP fragment scan.
• If you examine the IP header, the protocol field indicates that TCP follows.
• Manually decode the TCP header to identify the purpose of the TCP packets.
• Configure your devices!
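Added example, not from the slides, covering the two IP-header checks of slides 45 and 46-48: the Ettercap 0xe77e IP ID on ping packets, and a first TCP fragment too short to carry the full 20-byte TCP header; the packets are constructed and the IP header checksum is left at zero.

```python
"""Decode the IPv4 header fields needed for the slide 45 and 46-48 checks.
Sample packets are constructed; the header checksum is not computed."""
import struct

ETTERCAP_ID = 0xE77E      # 'ette' in Leet speak (slide 45)

def parse_ipv4(pkt):
    """Pull the fields the checks below need out of an IPv4 header."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "mf": bool(flags_frag & 0x2000),       # More Fragments bit
            "offset": (flags_frag & 0x1FFF) * 8,                 # fragment offset in bytes
            "proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": pkt[ihl:total_len]}

def is_ettercap_poisoner_check(hdr):
    """Slide 45: an ICMP echo request (8) or reply (0) whose IP ID is 0xe77e."""
    return (hdr["proto"] == 1 and len(hdr["payload"]) >= 1
            and hdr["payload"][0] in (0, 8) and hdr["id"] == ETTERCAP_ID)

def is_split_tcp_header(hdr):
    """Slides 46-48: a first fragment (offset 0, MF set) of a TCP packet that is
    too short to hold the 20-byte TCP header, so a filter that does not queue
    fragments never sees the flags or the destination port."""
    return (hdr["proto"] == 6 and hdr["mf"] and hdr["offset"] == 0
            and len(hdr["payload"]) < 20)

def inspect(pkt):
    hdr = parse_ipv4(pkt)
    return {"src": hdr["src"], "dst": hdr["dst"],
            "ettercap_check": is_ettercap_poisoner_check(hdr),
            "split_tcp_header": is_split_tcp_header(hdr)}

def build_ipv4(src, dst, proto, payload, ident=0x1234, mf=False, offset=0):
    """Constructed sample packet; checksum field left at zero."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, 64,
                      proto, 0, bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload

# Constructed payloads: an ICMP echo request header and a 20-byte TCP SYN header
ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 8192, 0, 0)
```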
49. SEC-nmap-ipscan
• nmap-ipscan is an IP scan used to determine what services are supported directly on top of the IP header.
– IRDP, ICMP, EGP.
• Sort the Info column heading to see a list of protocols queried.

50. More Resources
• For more Packet Captures go to http://www.netresec.com/?page=PcapFiles
• Wireshark Network Analysis, by Laura Chappell, Chappell Binding, Paperback, ISBN 978-1-893939-99-8
• Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders, No Starch Press, Incorporated, ISBN-13: 9781593272661, 2010