Rhonda Layfield Sniffing Your Network With Netmon 3.3

Speaker note: This causes the server to send internal packets over the network that would ordinarily stay completely local and not be viewable in a network trace. The packets will just return to the test computer itself.

    1. Network Monitor: From “No” to “Pro” in 75 Minutes
       Rhonda J. Layfield, Sr. Technical Consultant
    2. Outline
       • Meet Network Monitor: the Basics
         – Capture and interpret data: lots of data and lots of demos!
         – Filters: making sense out of all of that data
       • Going Beyond the Basics: Advanced Features
         – What machine do I run Netmon on?
         – Hearing from all players: simultaneous traces
       • Secure Your Network with Network Monitor
         – Watching intruders
         – Auditing applications
    3. Why does anyone care?
       • NYC government agency office under attack by a specific machine name
       • Exchange server under attack while attempting to verify existing domain names before delivering emails
       • Would you like to know if there are uninvited guests in your network?
    4. Turning your Network into Glass
       • Wouldn’t it be nice if we could actually see what is on the network wire?
       • I mean really SEE the traffic, data, protocols and ports being used
    5. This is Our Network
       (diagram: Deploy Server; DC/DNS/DHCP; addresses 20.20.20.10 and 20.20.20.5; bare-metal client)
    6. Network Monitor: the Basics
       • Why should we use Netmon?
       • When should we use Netmon?
         – To find out what type of traffic is on our network
         – When we get unexpected results from software/hardware
         – To find security holes we may not be aware of, based on where traffic is coming from
       • How do we use it? Generate a trace
         – Explain the panes
       • Where do we take the trace from? Do we need more than one trace?
       • Create pre/post capture filters
    7. Netmon’s History…the versions
       • In the past the version that shipped on the operating system CD was
         – 2.1 Lite Version
         – Version 5.2 (Build 3790: Service Pack 1)
       • The version that you got with SMS was
         – 2.1 (Build 5.2.3790.170.040510-1249)
       • There is an open source “free” promiscuous sniffer called Wireshark
         – We only have time for Netmon today
    8. What’s new with Netmon 3.1
       • Complete re-write of its capture/parser engine
       • Detecting other machines running Network Monitor
       • Capture wireless 802.11 frames in monitor mode
       • New reassembly engine
       • Performance improvements
       • Capture on the VPN and RRAS interfaces
       • Protocol parsers are better
       • Filtering is more flexible
    9. Where do you get Netmon 3.2?
       • Netmon 3.x doesn’t ship with any OS or product but is a free download from Microsoft
       • Supported to run on:
         – Windows XP
         – Windows Vista
         – Windows Server 2003 / 2008
    10. Which users may run Netmon?
        • Windows XP
          – Anyone logged on as a local administrator
        • Windows Vista
          – From an elevated command prompt you can run Netmon.exe as administrator
          – Right-click the icon and select Run as administrator
          – Any user account in the Netmon Users group, which is created during the installation of Network Monitor 3.1
    11. How do you run Netmon?
        • Log on as administrator
        • Run either Netmon.exe or Nmcap.exe with administrative privilege
          – from either an elevated command prompt
          – or by right-clicking the Netmon.exe icon and selecting Run as administrator
        • Log on as a standard user
        • Add your user account to the Netmon Users group
        • Log off and back on for your token to be updated with the new group membership
    12. Standard user running Netmon?
        • When they attempt to start a capture, the error "None of the network adapters are bound to the Netmon driver" will be displayed
        • AND
        • When viewing your adapters in Netmon, the error "This network adapter is not configured to capture" will be displayed
    13. Meet Netmon and your Networks
        Scroll to see “State” = Bound
    14. Before You use Netmon
        • Disc space: capture files named cap*.tmp will be created and stored in your Local Settings\Temp directory. The files will be 20 MB each; capturing stops when your disc is within 2% of available free space.
        • Memory & processor utilization: the “Enable Conversations” box uses a lot more memory and processor cycles
    15. The Captured File Sizes
        – Tools / Options / Capture
    16. Starting a Capture
        • Start page / Create a new capture tab
        • Or, File / New / Capture
        • Choose your network from the Select Networks window
        • Configure your capture filter in the Filter window
        • On the Capture menu, click Start, or press F10, or click the play button
    17. What is captured…
        • Frames addressed to the specific computer
        • Broadcast frames
        • Multicast to a group that an application on the computer is assigned to
        • To capture all traffic on the wire you can set Netmon to capture in "p-mode" (promiscuous mode)
    18. Real-time Packet View
    19. Packet Details
    20. Conversations
        • Netmon assigns properties to frames and groups them into "conversations" using those properties
        • All Traffic
          – My Traffic
          – Other Traffic
          – frames are sorted by source and destination network address
          – drill down to see more specific conversations
        • Conversations are disabled by default
        • The corresponding frames are displayed in the Frame Summary window
        • To build custom filters for conversations, right-click the desired conversation and select Copy Conversation Filter to Clipboard
        • Some higher-level protocol filters require conversation properties, so you may need to experiment if you are planning on using capture filters with conversation support turned off
    21. Saving the Captured Frames
        • The default location is:
          – Documents\Microsoft Network Monitor 3\Captures
        • cap2C0.tmp, cap2C1.tmp, cap2C2.tmp
        • File / Save As
          – All captured frames
          – Displayed frames
          – Selected frames
          – A range of frames (i.e. from 17..53)
          – Click Save.
    22. Create and Apply Aliases
        • From the capture tab
        • Select the Aliases tab
        • Click the Create New Alias icon
        • Enter the IP address of the computer you want to grant an alias, the name of the alias and comments
        • Click the "Apply" button on the aliases toolbar
        • You could also go through the View / Aliases menu
    23. New Aliases
    24. Creating an Alias
    25. Save and Load your Aliases
        • Save your aliases by clicking the Save Alias button on the aliases toolbar
        • Load saved aliases by clicking the Open Folder icon on the aliases toolbar
        • Browse to the folder containing your saved aliases file (.nma)
        • Select the aliases file
        • Apply the aliases
    26. Welcome to “Filters”
        • There are two different types of filters
          – Capture filter: captures only specific types of traffic
            • Traffic between two machines
            • Frames containing a certain pattern match (computer name) in them
            • Be careful NOT to filter out information that could help identify an issue
          – Display filter
            • Used most often, because filtering out traffic that could give you a clue for troubleshooting is no longer a problem
            • Captures all traffic
            • Filter after the capture; all frames stay intact even if you change the filters
    27. Filter Expressions
        Filter on:
          – Properties
          – Protocols
          – Protocol elements
        • Limited IntelliSense technology
        • Looking for a specific protocol?
          – .Protocol. and choose from the drop-down list
          – Type the protocol name (icmp or http) and add a period "."
    28. Sample Filters
        • Load Filters button in the Capture/Display Filter windows
    29. Filtering on ICMP
    30. Applying an ICMP Filter
    31. Building Custom Filters
        • Filter expressions are similar to equations
        • Usually separated by AND / OR (C representation: && = AND, || = OR)
        • Basic operators
          – == (equals)
          – != (not equal to)
          – ! (NOT)
        • // begins a comment field
        • // View IPv4 traffic between a source and a destination node
          IPv4.Address==10.50.50.50 and IPv4.Address==10.50.50.55
        • Program Files\MS Netmon\Help\FilterExpressionManual.doc
    32. Add a little Color to Your Filter
        • Click Filter from the menu options
        • Color Filter
    33. Colors…
        • Load standard filter & choose colors
    34. Let’s see how Netmon displays this…
    35. Document
        • It can become confusing when analyzing traces as to which machine the issue was occurring on
        • Document which services are running on which machine…Comp1 (Exchange), Comp2 (DNS), Comp3 (Active Directory)
        • Keep detailed notes on the issues you are working on and what you have found
    36. Advanced Features
        • Where do you take a trace from?
          – Follow the flow of traffic
        • How many traces do you need?
          – How many interfaces does the traffic flow through?
        • Follow that packet – multiple trace scenario
          – Time of day option can be helpful here
        • Server / Client on the same machine?
          – Turn local traffic into network traffic so you
    37. Where to take a trace from?
        Between two machines is easy: take the trace on either one
        OR
        Sometimes it is necessary to take a trace on both at the same time
    38. Now Where?
        (diagram: XP Client, Firewall with Internal and External interfaces, Exchange Server)
    39. How many traces do you need?
        • In our previous example we had three different pieces of equipment to look at
          – An XP workstation
          – A firewall with two interfaces
          – An Exchange Server
        • To follow a data packet from the XP workstation all the way through to the Exchange server we would need four traces taken at the same time
    40. Follow that Trace
        • Time of day comes in handy here…
        • Open all four traces and find the time of day
        • Then you can watch the flow from one trace to the next pretty easily
    41. Tips and Tricks
        • For really large traces use PING packets as bookmarks
        (diagram: Outlook Clients, Exchange Server)
    42. How to Find the Needle in the Haystack
        (illustration: an unbroken wall of PACKET PACKET PACKET…)
    43. Use PINGs as Bookmarks
        (illustration: the same wall of packets with PING frames interspersed as bookmarks)
    44. Server/Client Traffic on the same machine
        • Req: the computer must be on a routed network
        • route add <IP address of the server that you are on> <IP address of default gateway of the server you are on>
        • Remove the “route add” statement when you are done
          – route delete <IP address of the server that you are on>
    45. Securing your network with Network Monitor
        • Excessive traffic
        • IP addresses not from your network
        • Black hole router
    46. What we Covered
        • Where to get Netmon
        • Which OSes support it
        • Capture – network trace
        • Filters – pre & post capture
        • Aliases
        • Conversations
        • Simultaneous traces
        • Parsers
    47. Thank You
        • NetMon traces can be read anywhere…
        • Please let me help you with your traces
        • Rhonda@Minasi.Com
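The filter syntax from slides 27 and 31 (a bare protocol name such as icmp, the ==, != and ! operators, and/or with their && and || forms, and // comments), worked through as an added example that is not part of the deck or of Netmon itself: a toy evaluator run over constructed frame records, showing why the two-node filter on slide 31 catches both directions of a conversation. It assumes, as Netmon does, that IPv4.Address matches either end of a frame, and it simplifies != to the plain negation of ==; the constructed FRAMES and the function names are the example's own.

```python
# Toy evaluator for Network Monitor-style filter expressions: an added example, not Netmon's own parser.
import re

# Constructed sample frames carrying Netmon-style property names (not taken from a real capture).
FRAMES = [
    {"Frame": 1, "Protocol": "ICMP", "IPv4.SourceAddress": "10.50.50.50", "IPv4.DestinationAddress": "10.50.50.55"},
    {"Frame": 2, "Protocol": "HTTP", "IPv4.SourceAddress": "10.50.50.55", "IPv4.DestinationAddress": "10.50.50.50"},
    {"Frame": 3, "Protocol": "DNS", "IPv4.SourceAddress": "10.50.50.50", "IPv4.DestinationAddress": "20.20.20.5"},
    {"Frame": 4, "Protocol": "ICMP", "IPv4.SourceAddress": "192.0.2.9", "IPv4.DestinationAddress": "10.50.50.55"},
]
TOKEN_RE = re.compile(r"\(|\)|==|!=|&&|\|\||!|[A-Za-z_][\w.]*|\d+(?:\.\d+)*|\S")

def prop_values(frame, name):
    # IPv4.Address covers both ends of the frame, which is what makes a two-node filter bidirectional.
    if name.lower() == "ipv4.address":
        return {frame["IPv4.SourceAddress"], frame["IPv4.DestinationAddress"]}
    return {str(v) for k, v in frame.items() if k.lower() == name.lower()}

def matches(expr, frame):
    """Recursive descent over expr := term (or term)*, term := factor (and factor)*."""
    toks = TOKEN_RE.findall(re.sub(r"//.*", "", expr))  # '//' begins a comment field, as on slide 31
    peek = lambda: toks[0] if toks else None
    take = lambda: toks.pop(0) if toks else None
    def binary(sub, ops, combine):  # left-assoc chain; rhs is always evaluated so its tokens are consumed
        val = sub()
        while (peek() or "").lower() in ops:
            take(); rhs = sub(); val = combine(val, rhs)
        return val
    parse_or = lambda: binary(parse_and, ("or", "||"), lambda a, b: a or b)
    parse_and = lambda: binary(parse_not, ("and", "&&"), lambda a, b: a and b)

    def parse_not():  # factor := ! factor | ( expr ) | property ==/!= value | bare protocol name
        tok = take()
        if tok == "!":
            return not parse_not()
        if tok == "(":
            val = parse_or()
            if take() != ")": raise ValueError("missing ')'")
            return val
        if tok is None or not tok[0].isalpha(): raise ValueError("expected property or protocol, got %r" % (tok,))
        if peek() in ("==", "!="):
            op, value = take(), take()
            return (value in prop_values(frame, tok)) == (op == "==")  # '!=' is just the negation of '==' here
        return tok.lower() == str(frame.get("Protocol", "")).lower()  # 'icmp' alone filters on the protocol
    result = parse_or()
    if toks: raise ValueError("unexpected token %r" % toks[0])
    return result

def apply_filter(expr, frames=FRAMES):  # frame numbers the display filter keeps; frames themselves are never discarded
    return [f["Frame"] for f in frames if matches(expr, f)]
```

Note that `IPv4.Address == 10.50.50.50` alone also keeps frame 3 (one-sided match), which is why the slide pairs two address tests with `and`.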
