A Deeper Look into Network Traffic Analysis using Wireshark
Muhammed Alfawareh
King Hussein School of Computing Sciences
Princess Sumaya University for Technology, Amman, Jordan
Abstract— Networks and the Internet are the backbone of business in terms of sending and receiving data, as they save time, effort and cost. Using traffic analysis, performance issues can be optimized, spam can be detected and network forensics carried out, the network can be proofed through penetration testing, policies can be formed to accommodate usage habits, and integrated systems can be verified to deliver their data. Traffic analysis can also be used for malicious intents: it can be used to monitor the contents of the transmitted data, such as passwords, file names and the communicating parties. This paper discusses how an attacker can obtain the traffic, and also discusses some countermeasures to reduce this risk.
Keywords: Wireshark, Traffic Analysis, Hijack attacks.
I. INTRODUCTION
Networks and the Internet are the backbone of business in terms of sending and receiving data, as they save time, effort and cost. Analysis of the network traffic is one of the most important tools used in networks for performance analysis and for detecting problems such as a slow network or a spammer causing problems in the network. At the same time it is a double-edged weapon: it is also one of the most important and dangerous tools used by an adversary to obtain information that helps them gain unauthorized access and steal valuable information [1].
A. Traffic Analysis
Traffic analysis is the process of intercepting and examining packets in order to extract information about the communicating parties. It can be performed even when the communication is encrypted and cannot be decrypted. Traffic analysis can be performed in the context of military intelligence or counter-intelligence, and is a concern in computer security. From it we can learn the communicating parties and the time of the conversation, and we can obtain useful information such as passwords, file names, etc. Traffic analysis is a special type of inference attack technique that looks at communication patterns between entities in a system [1, 2].
B. Wireshark
Wireshark (previously known as Ethereal) is one of the most efficient tools used for traffic analysis. It is free, open source and compatible with all platforms, and is based on libpcap. It is widely used in networks to solve problems such as performance issues and issues between integrated systems, for example between Avaya Communication Manager and the Tiger system in hotels. Wireshark can also be used in network forensics, and it is used by network professionals as well as educators. The tool supports several types of protocols, such as TCP, IP, ARP and HTTP [1-3].
• Performance Issues: the most common issue in companies is a slow connection to the web server. The complexity is that every team in the company (networks, system administrators, developers and security) blames the problem on another team, so Wireshark is a helpful tool: by analyzing the traffic along the whole path at the same time, the problem can be located.
• Integrated Systems: the major problems in integrated systems are synchronization and data loss, but using a powerful tool like Wireshark we can determine the cause of the problem by running Wireshark on both sides at the same time.
• Network Forensics: some companies have bad employees who try to manipulate the network and the systems, by sending spam packets to the whole network, and some of them send company data outside the company to give it to a competitor. To fire these people you need hard evidence, so using a traffic analyzer like Wireshark with custom filters we can identify them [4].
• Formulation of Policies: using Wireshark we can determine the major sites visited by the employees of a company, and based on the result of the analysis we can formulate a policy to prevent them from accessing those sites.
• Penetration Testing: Wireshark enables the penetration tester to discover flaws and breaches in the system's security at the user authentication level, and also allows ensuring that the implementation of the system followed the standard [6].
• Education: Wireshark is one of the most effective tools that help us in understanding and studying communication processes. For example, how do clients get an IP address from a DHCP server? DHCP is one of the most used protocols in the world, in both LAN and WLAN networks. This protocol assigns parameters to the clients automatically, saving administrators from going to each device to assign IP addresses. It also reduces IP address conflicts. The parameters are exchanged between the client and the server in four stages, as shown in Figure 1 [7].
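As an added example (not part of the original paper), the following Python code parses the BOOTP/DHCP message layout that Wireshark decodes for this exchange and labels each of the four stages from option 53 (the DHCP message type); the four messages are constructed in memory and are not a real capture.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that starts the options field
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}  # option 53 values


def parse_dhcp(payload):
    """Parse the BOOTP fixed header and DHCP options of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = ".".join(str(b) for b in payload[16:20])             # address offered/assigned
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])  # client MAC
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:                 # 255 = end option
        if payload[i] == 0:                                        # 0 = pad, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(53, b"\x00")[0]
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr,
            "type": MESSAGE_TYPES.get(msg_type, "OTHER")}


def build_dhcp(op, xid, msg_type, yiaddr="0.0.0.0", mac="02:00:00:00:00:01"):
    """Constructed sample message: fixed header, magic cookie, option 53, end option."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)  # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(4)                                        # ciaddr
    hdr += bytes(int(o) for o in yiaddr.split("."))        # yiaddr
    hdr += bytes(8)                                        # siaddr, giaddr
    hdr += bytes.fromhex(mac.replace(":", "")) + bytes(10) # chaddr is 16 bytes
    hdr += bytes(192)                                      # sname (64) + file (128)
    return hdr + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def lease_stages(payloads):
    """Return the message-type sequence of the messages sharing the first transaction id."""
    parsed = [parse_dhcp(p) for p in payloads]
    xid = parsed[0]["xid"]
    return [m["type"] for m in parsed if m["xid"] == xid]


# Constructed four-stage exchange (xid 0x3903F326): op=1 is a client request, op=2 a server reply.
EXCHANGE = [
    build_dhcp(1, 0x3903F326, 1),
    build_dhcp(2, 0x3903F326, 2, yiaddr="192.168.1.100"),
    build_dhcp(1, 0x3903F326, 3),
    build_dhcp(2, 0x3903F326, 5, yiaddr="192.168.1.100"),
]
```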
II. NETWORK ATTACKS
The attacker can launch server hijacking attacks using traffic analysis. These attacks can be classified into two types:
• Passive Attacks
• Active Attacks
Fig. 1. DHCP Lease Allocation Process.
Fig. 2. Passive Attack.
A. Passive attack
This attack occurs without the knowledge of the victim and without touching the victim's data, as shown in Figure 2. The attacker listens to the conversation, then analyzes the information using a packet analyzer and obtains useful information such as passwords, cookies, file names and the sites visited by the victim; the attacker is even able to reconstruct Voice over IP (VoIP) conversations, as can be seen in Figure 3 [8-9].
B. Active Attacks
This type also occurs without the knowledge of the victim, but here the attacker touches the victim's data and changes its meaning and content. It can be implemented in several ways, such as ARP spoofing, IP spoofing, etc.; in these cases the attacker acts as a man in the middle, as shown in Figure 4 [8-9].
Fig. 3. VoIP Conversation.
Fig. 4. Active Attack.
III. METHODS TO SNIFF ON A SWITCH
We now discuss the methods that can be used to sniff packets on a switch, which, unlike a hub, is an intelligent device.
A. ARP Spoofing
As we know, communication at Layer 2 uses the MAC address. In most scenarios, when we want to send or receive data we need the destination MAC address, so we use the ARP protocol. The main problem with this protocol is that it is stateless, which means that any device connected to the switch can send a reply packet pretending to be the destination MAC address or the gateway. In this way the ARP cache entry on the victim machine and on the switch is poisoned; therefore the attacker can take a copy of any packet sent from any machine to a different network [10-11].
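The following Python code is an added example, not part of the original paper: it parses Ethernet-framed ARP replies and reports any IP address that is later claimed by a different MAC, which is the condition Wireshark flags in its expert info ("Duplicate IP address detected") during ARP cache poisoning. The three frames and all addresses are constructed in memory, not taken from a real capture.

```python
import struct

ETH_P_ARP = 0x0806  # EtherType for ARP
ARP_REPLY = 2       # ARP opcode for a reply


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet-framed ARP packet, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    return opcode, mac_str(frame[22:28]), ".".join(str(b) for b in frame[28:32])


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed sample frame: 14-byte Ethernet header + 28-byte ARP reply."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    eth = tmac + smac + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + smac + sip + tmac + tip
    return eth + arp


def find_mac_changes(frames):
    """Report each ARP reply whose sender IP was first claimed by a different MAC.

    The first MAC seen for an IP is the baseline; a later reply for the same IP
    from another MAC is reported as (frame_no, ip, baseline_mac, new_mac).
    """
    baseline, alerts = {}, []
    for n, frame in enumerate(frames, 1):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if ip in baseline and baseline[ip] != mac:
            alerts.append((n, ip, baseline[ip], mac))
        baseline.setdefault(ip, mac)
    return alerts


# Constructed capture: the gateway 192.168.1.1 answers host .10, host .10 answers
# the gateway, then a third machine claims the gateway's IP (the poisoning reply).
CAPTURE = [
    build_arp_reply("aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
    build_arp_reply("aa:bb:cc:00:00:10", "192.168.1.10", "aa:bb:cc:00:00:01", "192.168.1.1"),
    build_arp_reply("de:ad:be:ef:00:99", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
]
```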
B. MAC Flooding
The switch is a smart device that contains a MAC address table, a mapping between MAC addresses and port numbers. Therefore, when a sender sends data, the data is forwarded to the destination based on the MAC table. The main problem is that switches have a limit on the number of records in the MAC table; therefore the attacker can use tools like hping3 to generate a massive number of MAC addresses. In this case the switch behaves like a hub (a dumb device) and forwards a copy of the data to all devices connected to the switch, the attacker being one of them [11].
C. Port Mirroring
Port mirroring is a method of monitoring network traffic. With port mirroring enabled, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed, as can be seen in Figure 5. In this type the attacker needs access to the switch, either a direct connection using the console or remote access using a management protocol like HTTP, Telnet or SSH, and adds a couple of commands to the switch to send a copy of the victim's traffic to the attacker's machine [11-12].
Fig. 5. Port Mirroring Architecture.
Fig. 6. Hardware Wired Tool kit Connections.
Fig. 7. Alfa Tool Kit For wireless connections .
D. Hardware Tool Kits
In this type the attacker uses a hardware tool and connects the kit to the victim's cable, as shown in Figures 6 and 7. Another tool kit, shown in the figure, can be used if the attacker is connected to the network by WiFi.
IV. COUNTERMEASURES
When the IT staff implement the network, they should be aware of the following set of countermeasures:
• Restrict physical access to the switches and cables to the IT staff only.
• Use TLS/SSL for the communication between the clients and the servers.
• Allow only a specific number of MAC addresses per port, depending on the implementation requirements.
• Use the Dynamic ARP Inspection feature to prevent the attacker from changing the MAC address.
• Use the IP Source Guard feature to prevent the attacker from changing his IP address.
• Use the DHCP snooping feature to prevent the attacker from violating IP Source Guard and Dynamic ARP Inspection, which rely on the bindings it learns.
• Adopt encrypted protocols to manage the switches and routers.
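As an added example that is not from the paper, this Python simulation of a learning switch shows why MAC flooding (Section III.B) turns a switch into a hub once its MAC table is full, and how the per-port MAC limit from the countermeasures above stops it. The switch, the hosts and the flood frames are all constructed here; dropping a frame on violation stands in for a port-security "protect" style mode.

```python
from collections import defaultdict


class Switch:
    """Minimal learning switch with an optional per-port MAC limit (port security)."""

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = ports
        self.table_size = table_size            # capacity of the MAC address table
        self.max_macs_per_port = max_macs_per_port
        self.table = {}                         # source MAC -> ingress port
        self.per_port = defaultdict(set)        # port -> MACs learned on it
        self.violations = 0                     # frames dropped by port security

    def forward(self, in_port, src, dst):
        """Return the set of egress ports for one frame, learning src on the way."""
        limit = self.max_macs_per_port
        if limit is not None and src not in self.table and len(self.per_port[in_port]) >= limit:
            self.violations += 1                # new MAC beyond the port's limit: drop it
            return set()
        if src not in self.table and len(self.table) < self.table_size:
            self.table[src] = in_port           # learn; a full table learns nothing new
            self.per_port[in_port].add(src)
        if dst in self.table:
            return {self.table[dst]}            # known destination: forward to one port
        return set(self.ports) - {in_port}      # unknown destination: flood like a hub


def flood_test(max_macs_per_port=None):
    """Legit hosts on ports 1 and 2, flooder on port 3; returns (table size, leaked, violations)."""
    sw = Switch(ports=[1, 2, 3], table_size=64, max_macs_per_port=max_macs_per_port)
    host_a, host_b, bcast = "02:00:00:00:00:01", "02:00:00:00:00:02", "ff:ff:ff:ff:ff:ff"
    sw.forward(1, host_a, bcast)                # host A is learned on port 1
    # Constructed flood: 100 distinct source MACs arriving on the attacker's port 3.
    for i in range(100):
        sw.forward(3, f"02:ff:00:00:{i // 256:02x}:{i % 256:02x}", bcast)
    sw.forward(2, host_b, bcast)                # host B joins after the flood
    egress = sw.forward(1, host_a, host_b)      # A sends B a unicast frame
    leaked = 3 in egress                        # did the attacker's port get a copy?
    return len(sw.table), leaked, sw.violations
```

Without a limit the table fills with flood entries, host B is never learned and the A-to-B frame is copied to the attacker's port; with a limit of two MACs per port the excess flood frames are dropped and the unicast stays on port 2.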
V. CONCLUSIONS
In this paper we discussed the importance of network traffic analysis using Wireshark and its role in solving problems, network forensics, etc. We also discussed the risk that network traffic analysis can be used to obtain information that helps in launching an attack or stealing information. We also addressed many solutions that prevent the adversary from obtaining data, and in case he does gain access to the data, he will get only encrypted data.
VI. FUTURE WORK
For future work, I will take the research in this paper a step further to compare all types of traffic analysis tools and find the best environment to perform analysis at lower cost and with minimal delay in responding to clients' incidents.
VII. ACKNOWLEDGMENT
I would like to express my gratitude to all those who gave me the possibility to complete this paper. I want to thank the Computer Science Department for giving me permission to commence this paper in the first instance, to do the necessary research work and to use departmental data. I am deeply indebted to Dr. Ali Hadi from the CS Department for his guidance, stimulating suggestions and encouragement.
REFERENCES
[1] Ming-Hsing Chiu, Kuo-Pao Yang, Randall Meyer, and Tristan Kidder, "Analysis of a Man-in-the-Middle Experiment with Wireshark."
[2] Mohammed Abdul Qadeer and Mohammad Zahid, "Network Traffic Analysis and Intrusion Detection using Packet Sniffer," 2010.
[3] Mustapha Adamu Mohammed, Ashigbi Franlin Degadzor, Botchey Francis Effrim, and Kwame Anim Appiah, "Brute Force Attack Detection and Prevention on a Network Using Wireshark Analysis," 2017.
[4] Natarajan Meghanathan, Sumanth Reddy Allam, and Loretta A. Moore, "Tools and Techniques for Network Forensics," IJNSA, Vol. 1, No. 1, April 2009.
[5] Zhifeng Xiao and Yang Xiao, "Network Forensics Analysis Using Wireshark," 2015.
[6] Brandon F. Murphy, "Network Penetration Testing and Research," 2013.
[7] Te-Shun Chou, East Carolina University, "Teaching Network Security Through Signature Analysis of Computer Network Attacks."
[8] Ashwani Kumar, "Security Attacks in MANET - A Review," 2011.
[9] D. Madhavi, "TCP Session Hijacking Implementation by Stealing Cookies," Vol. 2, Issue 11, 2015.
[10] Ankita Gupta, Kavita, and Kirandeep Kaur, "Vulnerability Assessment and Penetration Testing," International Journal of Engineering Trends and Technology, Volume 4, Issue 3, 2013.
[11] Mohammed Abdul Qadeer and Misbahur Rahman Siddiqui, "Network Traffic Analysis and Intrusion Detection Using Packet Sniffer," January 2010.
[12] Jian Zhang and Andrew Moore, "Traffic Trace Artifacts due to Monitoring Via Port Mirroring."