SlideShare a Scribd company logo

Malware and Software Vulnerability Analysis Using Wireshark

Download as PPT, PDF
Senthil Vit
Senthil Vit

This topic is Network traffic monitoring using wireshark

Engineering
1 of 63
CAP6135: Malware and Software Vulnerability Analysis Network Traffic Monitoring Using Wireshark Cliff Zou Spring 2016
Acknowledgement  http://ilta.ebiz.uapps.net/ProductFiles/prod uctfiles/672/wireshark.ppt  UC Berkley course “EE 122: Intro to Communication Networks”  http://www.eecs.berkeley.edu/~jortiz/courses/ ee122/presentations/Wireshark.ppt  Other resources:  http://openmaniak.com/wireshark_filters.php 2
Motivation for Network Monitoring  Essential for Network Management  Router and Firewall policy  Detecting abnormal/error in networking  Access control  Security Management  Detecting abnormal traffic  Traffic log for future forensic analysis 3
4 Tools Overview  Tcpdump  Unix-based command-line tool used to intercept packets  Including filtering to just the packets of interest  Reads “live traffic” from interface specified using -i option …  … or from a previously recorded trace file specified using -r option  You create these when capturing live traffic using -w option  Tshark  Tcpdump-like capture program that comes w/ Wireshark  Very similar behavior & flags to tcpdump  Wireshark  GUI for displaying tcpdump/tshark packet traces
5 Tcpdump example 01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816 01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816 01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816 01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560 • Ran tcpdump on a Unix machine • First few lines of the output:
6 01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816 Timestamp This is an IP packet Source host name Source port number (22) Destination host name Destination port number TCP specific information • Different output formats for different packet types What does a line convey?
7 Similar Output from Tshark 1190003744.940437 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48 1190003744.940916 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48 1190003744.955764 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=48 Ack=48 Win=65514 Len=0 TSV=445871583 TSER=632535493 1190003745.035678 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48 1190003745.036004 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48 1190003745.050970 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=96 Ack=96 Win=65514 Len=0 TSV=445871583 TSER=632535502
8 Demo 1 – Basic Run  Syntax: tcpdump [options] [filter expression]  Unfortunately, Eustis machine does not allow normal users to run tcpdump  $ sudo tcpdump –i eth0  Sudo command allows you to run tcpdump in root previlege  On your own Unix machine, you can run it using “sudo” or directly run “tcpdump” if you have root previliege  Observe the output
9 Filters  We are often not interested in all packets flowing through the network  Use filters to capture only packets of interest to us
10 Demo 2 1. Capture only udp packets • tcpdump “udp” 2. Capture only tcp packets • tcpdump “tcp”
11 Demo 2 (contd.) 1. Capture only UDP packets with destination port 53 (DNS requests) • tcpdump “udp dst port 53” 2. Capture only UDP packets with source port 53 (DNS replies) • tcpdump “udp src port 53” 3. Capture only UDP packets with source or destination port 53 (DNS requests and replies) • tcpdump “udp port 53”
12 Demo 2 (contd.) 1. Capture only packets destined to longwood.eecs.ucf.edu • tcpdump “dst host longwood.eecs.ucf.edu” 2. Capture both DNS packets and TCP packets to/from longwood.eecs.ucf.edu • tcpdump “(tcp and host longwood.eecs.ucf.edu) or udp port 53”
13 How to write filters  Refer the tcpdump/tshark man page  Many example webpages on the Internet
14 Running tcpdump  Requires superuser/administrator privileges on Unix  http://www.tcpdump.org/  You can do it on your own Unix machine  You can install a Linux OS in Vmware on your windows machine  Tcpdump for Windows  WinDump: http://www.winpcap.org/windump/  Free software
So What is WireShark?  Packet sniffer/protocol analyzer  Open Source Network Tool  Latest version of the ethereal tool
What is tShark?  The command-line based packet capture tool  Equivalent to Wireshark 16
17 Network Layered Structure  What is the Internet? Application Application Network Network Data Link Transport Transport Data Link Physical link Web, Email, VOIP TCP, UDP IP Ethernet, cellular
Wireshark Interface 18
19 Wireshark Interface
Status Bar 20
Capture Options Promiscuous mode is used to Capture all traffic Sometime this does not work: • driver does not support • You are on a switch LAN
Capture Filter
Capture Filter examples host 10.1.11.24 host 192.168.0.1 and host 10.1.11.1 tcp port http ip not broadcast not multicast ether host 00:04:13:00:09:a3
Capture Buffer Usage
Capture Interfaces
Interface Details: Characteristics
Interface Details: Statistics
Interface Details: 802.3 (Ethernet)
Display Filters (Post-Filters)  Display filters (also called post-filters) only filter the view of what you are seeing. All packets in the capture still exist in the trace  Display filters use their own format and are much more powerful then capture filters
Display Filter
Display Filter Examples ip.src==10.1.11.00/24 ip.addr==192.168.1.10 && ip.addr==192.168.1.20 tcp.port==80 || tcp.port==3389 !(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) (ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (tcp.port==445 || tcp.port==139) (ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (udp.port==67 || udp.port==68) tcp.dstport == 80
Display Filter 33
TCP segment structure source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number Receive window Urg data pnter checksum F S R P A U head len not used Options (variable length) URG: urgent data (generally not used) ACK: ACK # valid PSH: push data now RST, SYN, FIN: connection estab (setup, teardown commands) # bytes rcvr willing to accept counting by bytes of data (not segments!) Internet checksum (as in UDP)
Display Filter  String1, String2 (Optional settings):  Sub protocol categories inside the protocol.  Look for a protocol and then click on the "+" character.  Example:  tcp.srcport == 80  tcp.flags == 2  SYN packet  Tcp.flags.syn==1  tcp.flags == 18  SYN/ACK  Note of TCP Flag field: 35
Display Filter Expressions  snmp || dns || icmp  Display the SNMP or DNS or ICMP traffics.  tcp.port == 25  Display packets with TCP source or destination port 25.  tcp.flags  Display packets having a TCP flags  tcp.flags.syn == 0x02  Display packets with a TCP SYN flag. 36 If the filter syntax is correct, it will be highlighted in green, otherwise if there is a syntax mistake it will be highlighted in red. Correct syntax Wrong syntax
Save Filtered Packets After Using Display Filter  We can also save all filtered packets in text file for further analysis  Operation: 37 FileExport packet dissections as “plain text” file 1). In “packet range” option, select “Displayed” 2). In choose “summary line” or “detail”
Protocol Hierarchy
Protocol Hierarchy
Follow TCP Stream
Follow TCP Stream red - stuff you sent blue - stuff you get
Filter out/in Single TCP Stream  When click “filter out this TCP stream” in previous page’s box, new filter string will contain like:  http and !(tcp.stream eq 5)  So, if you use “tcp.stream eq 5” as filter string, you keep this HTTP session 42
Expert Info
Expert Info
Conversations
Conversations
 Use the “Copy” button to copy all text into clipboard  Then, you can analyze this text file to get what statistics you want 47
Find EndPoint Statistics  Menu “statistics”  “endpoint list”  “TCP”  You can sort by field  “Tx” : transmit “Rx” : receive 48
Find EndPoint Statistics  Use the “Copy” button to copy all text into clipboard  Then, you can analyze this text file to get what statistics you want 49
Flow Graphs
Flow Graphs • The “displayed packet” option could let you only Show the flow of packets shown up for example, only display http traffic, then show The flow to analyze
Flow Graphs
Export HTTP
Export HTTP Objects
HTTP Analysis
HTTP Analysis – Load Distribution Click “Create Stat” button You can add “filter” to only Show selected traffic
HTTP Analysis – Packet Counter
HTTP Analysis – Requests
Improving WireShark Performance  Don’t use capture filters  Increase your read buffer size  Don’t update the screen dynamically  Get a faster computer  Use a TAP  Don’t resolve names
Post-Processing Text File  For saved text-format packet files, further analysis needs coding or special tools  One useful tool on Unix: Grep  On Windows: PowerGrep http://www.powergrep.com/  Command-line based utility for searching plain-text data sets for lines matching a regular expression. 60
Basic usage of Grep  Command-line text-search program in Linux  Some useful usage:  Grep ‘word’ filename # find lines with ‘word’  Grep –v ‘word’ filename # find lines without ‘word’  Grep ‘^word’ filename # find lines beginning with ‘word’  Grep ‘word’ filename > file2 # output lines with ‘word’ to file2  ls -l | grep rwxrwxrwx # list files that have ‘rwxrwxrwx’ feature  grep '^[0-4]‘ filename # find lines beginning with any of the numbers from 0-4  Grep –c ‘word’ filename # find lines with ‘word’ and print out the number of these lines  Grep –i ‘word’ filename # find lines with ‘word’ regardless of case  Many tutorials on grep online  http://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/  http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command- examples/ 61
On-line Wireshark Trace Files  Public available .pcap files:  http://www.netresec.com/?page=PcapFiles  http://www.tp.org/jay/nwanalysis/traces/Lab%20 Trace%20Files/  Wiki Sample capture  https://wiki.wireshark.org/SampleCaptures 62
Example Trace File and Questions  Network Forensic Puzzle Contests  http://forensicscontest.com/2010/02/03/puzzl e-4-the-curious-mr-x  SharkFest'15 Packet Challenge  https://sharkfest.wireshark.org/assets/present ations15/packetchallenge.zip 63

Recommended

Traffic monitoring
Traffic monitoringTraffic monitoring
Traffic monitoringRadu Galbenu
 
wireshark.pdf
wireshark.pdfwireshark.pdf
wireshark.pdfssuserafc27c
 
Workshop Wireshark
Workshop Wireshark Workshop Wireshark
Workshop Wireshark Fabio Rosa
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsSachidananda Sahu
 
Tc pdump mod
Tc pdump modTc pdump mod
Tc pdump modSini
 
Wireshark Basics
Wireshark BasicsWireshark Basics
Wireshark BasicsYoram Orzach
 
Practical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-onPractical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-onQaisSaifQassim
 
Packet capture in network security
Packet capture in network securityPacket capture in network security
Packet capture in network securityChippy Thomas
 

Recommended

Traffic monitoring
Traffic monitoringTraffic monitoring
Traffic monitoringRadu Galbenu
 
wireshark.pdf
wireshark.pdfwireshark.pdf
wireshark.pdfssuserafc27c
 
Workshop Wireshark
Workshop Wireshark Workshop Wireshark
Workshop Wireshark Fabio Rosa
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsSachidananda Sahu
 
Tc pdump mod
Tc pdump modTc pdump mod
Tc pdump modSini
 
Wireshark Basics
Wireshark BasicsWireshark Basics
Wireshark BasicsYoram Orzach
 
Practical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-onPractical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-onQaisSaifQassim
 
Packet capture in network security
Packet capture in network securityPacket capture in network security
Packet capture in network securityChippy Thomas
 
Wireshark Inroduction Li In
Wireshark Inroduction Li InWireshark Inroduction Li In
Wireshark Inroduction Li Inmhaviv
 
Day2
Day2Day2
Day2Jai4uk
 
Chapter 3. sensors in the network domain
Chapter 3. sensors in the network domainChapter 3. sensors in the network domain
Chapter 3. sensors in the network domainPhu Nguyen
 
Wireshark
Wireshark Wireshark
Wireshark antivirusspam
 
Wireshark course, Ch 03: Capture and display filters
Wireshark course, Ch 03: Capture and display filtersWireshark course, Ch 03: Capture and display filters
Wireshark course, Ch 03: Capture and display filtersYoram Orzach
 
Introduction to ns3
Introduction to ns3Introduction to ns3
Introduction to ns3Shahid Beheshti University
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptIwan89629
 
Network traffic analysis course
Network traffic analysis courseNetwork traffic analysis course
Network traffic analysis courseTECHNOLOGY CONTROL CO.
 
project_docs
project_docsproject_docs
project_docsAndrey Lavrinovic
 
Tshark pen testing, very good insight of the pent test
Tshark pen testing, very good insight of the pent testTshark pen testing, very good insight of the pent test
Tshark pen testing, very good insight of the pent testclaudiu59
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Finalmasoodnt10
 
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)Denny K
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Firewalls rules using iptables in linux
Firewalls rules using iptables in linuxFirewalls rules using iptables in linux
Firewalls rules using iptables in linuxaamir lucky
 
Abandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAbandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAvi Networks
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferenceCengage Learning
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.pptVarunBehere1
 
Firewall Facts
Firewall FactsFirewall Facts
Firewall FactsDAVID RAUDALES
 
Nmap
NmapNmap
NmapFat-Thing Gabriel-Culley
 
Wireshark network analysing software
Wireshark network analysing softwareWireshark network analysing software
Wireshark network analysing softwaredharmesh nakum
 
Switching Problems.pdf
Switching Problems.pdfSwitching Problems.pdf
Switching Problems.pdfSenthil Vit
 
Big Oh.ppt
Big Oh.pptBig Oh.ppt
Big Oh.pptSenthil Vit
 

More Related Content

Similar to Malware and Software Vulnerability Analysis Using Wireshark

Wireshark Inroduction Li In
Wireshark Inroduction Li InWireshark Inroduction Li In
Wireshark Inroduction Li Inmhaviv
 
Chapter 3. sensors in the network domain
Chapter 3. sensors in the network domainChapter 3. sensors in the network domain
Chapter 3. sensors in the network domainPhu Nguyen
 
Wireshark course, Ch 03: Capture and display filters
Wireshark course, Ch 03: Capture and display filtersWireshark course, Ch 03: Capture and display filters
Wireshark course, Ch 03: Capture and display filtersYoram Orzach
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptIwan89629
 
Tshark pen testing, very good insight of the pent test
Tshark pen testing, very good insight of the pent testTshark pen testing, very good insight of the pent test
Tshark pen testing, very good insight of the pent testclaudiu59
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Finalmasoodnt10
 
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)Denny K
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Firewalls rules using iptables in linux
Firewalls rules using iptables in linuxFirewalls rules using iptables in linux
Firewalls rules using iptables in linuxaamir lucky
 
Abandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAbandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAvi Networks
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferenceCengage Learning
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.pptVarunBehere1
 
Wireshark network analysing software
Wireshark network analysing softwareWireshark network analysing software
Wireshark network analysing softwaredharmesh nakum
 

Similar to Malware and Software Vulnerability Analysis Using Wireshark (20)

Wireshark Inroduction Li In
Wireshark Inroduction Li InWireshark Inroduction Li In
Wireshark Inroduction Li In
 
Day2
Day2Day2
Day2
 
Chapter 3. sensors in the network domain
Chapter 3. sensors in the network domainChapter 3. sensors in the network domain
Chapter 3. sensors in the network domain
 
Wireshark
Wireshark Wireshark
Wireshark
 
Wireshark course, Ch 03: Capture and display filters
Wireshark course, Ch 03: Capture and display filtersWireshark course, Ch 03: Capture and display filters
Wireshark course, Ch 03: Capture and display filters
 
Introduction to ns3
Introduction to ns3Introduction to ns3
Introduction to ns3
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.ppt
 
Network traffic analysis course
Network traffic analysis courseNetwork traffic analysis course
Network traffic analysis course
 
project_docs
project_docsproject_docs
project_docs
 
Tshark pen testing, very good insight of the pent test
Tshark pen testing, very good insight of the pent testTshark pen testing, very good insight of the pent test
Tshark pen testing, very good insight of the pent test
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
 
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Firewalls rules using iptables in linux
Firewalls rules using iptables in linuxFirewalls rules using iptables in linux
Firewalls rules using iptables in linux
 
Abandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAbandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern Troubleshooting
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.ppt
 
Firewall Facts
Firewall FactsFirewall Facts
Firewall Facts
 
Nmap
NmapNmap
Nmap
 
Wireshark network analysing software
Wireshark network analysing softwareWireshark network analysing software
Wireshark network analysing software
 

More from Senthil Vit

Switching Problems.pdf
Switching Problems.pdfSwitching Problems.pdf
Switching Problems.pdfSenthil Vit
 
AsymptoticNotations.ppt
AsymptoticNotations.pptAsymptoticNotations.ppt
AsymptoticNotations.pptSenthil Vit
 
First Best and Worst Fit.pptx
First Best and Worst Fit.pptxFirst Best and Worst Fit.pptx
First Best and Worst Fit.pptxSenthil Vit
 
File Implementation Problem.pptx
File Implementation Problem.pptxFile Implementation Problem.pptx
File Implementation Problem.pptxSenthil Vit
 
Design Issues of an OS.ppt
Design Issues of an OS.pptDesign Issues of an OS.ppt
Design Issues of an OS.pptSenthil Vit
 
Operating Systems – Structuring Methods.pptx
Operating Systems – Structuring Methods.pptxOperating Systems – Structuring Methods.pptx
Operating Systems – Structuring Methods.pptxSenthil Vit
 
Virtualization.pptx
Virtualization.pptxVirtualization.pptx
Virtualization.pptxSenthil Vit
 
ALPHA_BETA_EXAMPLE_PROB
ALPHA_BETA_EXAMPLE_PROBALPHA_BETA_EXAMPLE_PROB
ALPHA_BETA_EXAMPLE_PROBSenthil Vit
 

More from Senthil Vit (14)

Switching Problems.pdf
Switching Problems.pdfSwitching Problems.pdf
Switching Problems.pdf
 
Big Oh.ppt
Big Oh.pptBig Oh.ppt
Big Oh.ppt
 
AsymptoticNotations.ppt
AsymptoticNotations.pptAsymptoticNotations.ppt
AsymptoticNotations.ppt
 
snort.ppt
snort.pptsnort.ppt
snort.ppt
 
First Best and Worst Fit.pptx
First Best and Worst Fit.pptxFirst Best and Worst Fit.pptx
First Best and Worst Fit.pptx
 
File Implementation Problem.pptx
File Implementation Problem.pptxFile Implementation Problem.pptx
File Implementation Problem.pptx
 
Design Issues of an OS.ppt
Design Issues of an OS.pptDesign Issues of an OS.ppt
Design Issues of an OS.ppt
 
Operating Systems – Structuring Methods.pptx
Operating Systems – Structuring Methods.pptxOperating Systems – Structuring Methods.pptx
Operating Systems – Structuring Methods.pptx
 
deadlock.ppt
deadlock.pptdeadlock.ppt
deadlock.ppt
 
Virtualization.pptx
Virtualization.pptxVirtualization.pptx
Virtualization.pptx
 
Lect_2.pptx
Lect_2.pptxLect_2.pptx
Lect_2.pptx
 
6. Deadlock.ppt
6. Deadlock.ppt6. Deadlock.ppt
6. Deadlock.ppt
 
os4-2_cop.ppt
os4-2_cop.pptos4-2_cop.ppt
os4-2_cop.ppt
 
ALPHA_BETA_EXAMPLE_PROB
ALPHA_BETA_EXAMPLE_PROBALPHA_BETA_EXAMPLE_PROB
ALPHA_BETA_EXAMPLE_PROB
 

Recently uploaded

Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...ZTE
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Suman Mia
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerAnamika Sarkar
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLDeelipZope
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...RajaP95
 

Recently uploaded (20)

Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCL
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
 

Malware and Software Vulnerability Analysis Using Wireshark

  • 1. CAP6135: Malware and Software Vulnerability Analysis Network Traffic Monitoring Using Wireshark Cliff Zou Spring 2016
  • 2. Acknowledgement  http://ilta.ebiz.uapps.net/ProductFiles/prod uctfiles/672/wireshark.ppt  UC Berkley course “EE 122: Intro to Communication Networks”  http://www.eecs.berkeley.edu/~jortiz/courses/ ee122/presentations/Wireshark.ppt  Other resources:  http://openmaniak.com/wireshark_filters.php 2
  • 3. Motivation for Network Monitoring  Essential for Network Management  Router and Firewall policy  Detecting abnormal/error in networking  Access control  Security Management  Detecting abnormal traffic  Traffic log for future forensic analysis 3
  • 4. 4 Tools Overview  Tcpdump  Unix-based command-line tool used to intercept packets  Including filtering to just the packets of interest  Reads “live traffic” from interface specified using -i option …  … or from a previously recorded trace file specified using -r option  You create these when capturing live traffic using -w option  Tshark  Tcpdump-like capture program that comes w/ Wireshark  Very similar behavior & flags to tcpdump  Wireshark  GUI for displaying tcpdump/tshark packet traces
  • 5. 5 Tcpdump example 01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816 01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816 01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816 01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560 • Ran tcpdump on a Unix machine • First few lines of the output:
  • 6. 6 01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816 Timestamp This is an IP packet Source host name Source port number (22) Destination host name Destination port number TCP specific information • Different output formats for different packet types What does a line convey?
  • 7. 7 Similar Output from Tshark 1190003744.940437 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48 1190003744.940916 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48 1190003744.955764 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=48 Ack=48 Win=65514 Len=0 TSV=445871583 TSER=632535493 1190003745.035678 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48 1190003745.036004 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48 1190003745.050970 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=96 Ack=96 Win=65514 Len=0 TSV=445871583 TSER=632535502
  • 8. 8 Demo 1 – Basic Run  Syntax: tcpdump [options] [filter expression]  Unfortunately, Eustis machine does not allow normal users to run tcpdump  $ sudo tcpdump –i eth0  Sudo command allows you to run tcpdump in root previlege  On your own Unix machine, you can run it using “sudo” or directly run “tcpdump” if you have root previliege  Observe the output
  • 9. 9 Filters  We are often not interested in all packets flowing through the network  Use filters to capture only packets of interest to us
  • 10. 10 Demo 2 1. Capture only udp packets • tcpdump “udp” 2. Capture only tcp packets • tcpdump “tcp”
  • 11. 11 Demo 2 (contd.) 1. Capture only UDP packets with destination port 53 (DNS requests) • tcpdump “udp dst port 53” 2. Capture only UDP packets with source port 53 (DNS replies) • tcpdump “udp src port 53” 3. Capture only UDP packets with source or destination port 53 (DNS requests and replies) • tcpdump “udp port 53”
  • 12. 12 Demo 2 (contd.) 1. Capture only packets destined to longwood.eecs.ucf.edu • tcpdump “dst host longwood.eecs.ucf.edu” 2. Capture both DNS packets and TCP packets to/from longwood.eecs.ucf.edu • tcpdump “(tcp and host longwood.eecs.ucf.edu) or udp port 53”
  • 13. 13 How to write filters  Refer the tcpdump/tshark man page  Many example webpages on the Internet
  • 14. 14 Running tcpdump  Requires superuser/administrator privileges on Unix  http://www.tcpdump.org/  You can do it on your own Unix machine  You can install a Linux OS in Vmware on your windows machine  Tcpdump for Windows  WinDump: http://www.winpcap.org/windump/  Free software
  • 15. So What is WireShark?  Packet sniffer/protocol analyzer  Open Source Network Tool  Latest version of the ethereal tool
  • 16. What is tShark?  The command-line based packet capture tool  Equivalent to Wireshark 16
  • 17. 17 Network Layered Structure  What is the Internet? Application Application Network Network Data Link Transport Transport Data Link Physical link Web, Email, VOIP TCP, UDP IP Ethernet, cellular
  • 21. Capture Options Promiscuous mode is used to Capture all traffic Sometime this does not work: • driver does not support • You are on a switch LAN
  • 23. Capture Filter examples host 10.1.11.24 host 192.168.0.1 and host 10.1.11.1 tcp port http ip not broadcast not multicast ether host 00:04:13:00:09:a3
  • 25.
  • 30. Display Filters (Post-Filters)  Display filters (also called post-filters) only filter the view of what you are seeing. All packets in the capture still exist in the trace  Display filters use their own format and are much more powerful then capture filters
  • 32. Display Filter Examples ip.src==10.1.11.00/24 ip.addr==192.168.1.10 && ip.addr==192.168.1.20 tcp.port==80 || tcp.port==3389 !(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) (ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (tcp.port==445 || tcp.port==139) (ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (udp.port==67 || udp.port==68) tcp.dstport == 80
  • 34. TCP segment structure source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number Receive window Urg data pnter checksum F S R P A U head len not used Options (variable length) URG: urgent data (generally not used) ACK: ACK # valid PSH: push data now RST, SYN, FIN: connection estab (setup, teardown commands) # bytes rcvr willing to accept counting by bytes of data (not segments!) Internet checksum (as in UDP)
  • 35. Display Filter  String1, String2 (Optional settings):  Sub protocol categories inside the protocol.  Look for a protocol and then click on the "+" character.  Example:  tcp.srcport == 80  tcp.flags == 2  SYN packet  Tcp.flags.syn==1  tcp.flags == 18  SYN/ACK  Note of TCP Flag field: 35
  • 36. Display Filter Expressions  snmp || dns || icmp  Display the SNMP or DNS or ICMP traffics.  tcp.port == 25  Display packets with TCP source or destination port 25.  tcp.flags  Display packets having a TCP flags  tcp.flags.syn == 0x02  Display packets with a TCP SYN flag. 36 If the filter syntax is correct, it will be highlighted in green, otherwise if there is a syntax mistake it will be highlighted in red. Correct syntax Wrong syntax
  • 37. Save Filtered Packets After Using Display Filter  We can also save all filtered packets in text file for further analysis  Operation: 37 FileExport packet dissections as “plain text” file 1). In “packet range” option, select “Displayed” 2). In choose “summary line” or “detail”
  • 41. Follow TCP Stream red - stuff you sent blue - stuff you get
  • 42. Filter out/in Single TCP Stream  When click “filter out this TCP stream” in previous page’s box, new filter string will contain like:  http and !(tcp.stream eq 5)  So, if you use “tcp.stream eq 5” as filter string, you keep this HTTP session 42
  • 47.  Use the “Copy” button to copy all text into clipboard  Then, you can analyze this text file to get what statistics you want 47
  • 48. Find EndPoint Statistics  Menu “statistics”  “endpoint list”  “TCP”  You can sort by field  “Tx” : transmit “Rx” : receive 48
  • 49. Find EndPoint Statistics  Use the “Copy” button to copy all text into clipboard  Then, you can analyze this text file to get what statistics you want 49
  • 51. Flow Graphs • The “displayed packet” option could let you only Show the flow of packets shown up for example, only display http traffic, then show The flow to analyze
  • 56. HTTP Analysis – Load Distribution Click “Create Stat” button You can add “filter” to only Show selected traffic
  • 57. HTTP Analysis – Packet Counter
  • 58. HTTP Analysis – Requests
  • 59. Improving WireShark Performance  Don’t use capture filters  Increase your read buffer size  Don’t update the screen dynamically  Get a faster computer  Use a TAP  Don’t resolve names
  • 60. Post-Processing Text File  For saved text-format packet files, further analysis needs coding or special tools  One useful tool on Unix: Grep  On Windows: PowerGrep http://www.powergrep.com/  Command-line based utility for searching plain-text data sets for lines matching a regular expression. 60
  • 61. Basic usage of Grep  Command-line text-search program in Linux  Some useful usage:  Grep ‘word’ filename # find lines with ‘word’  Grep –v ‘word’ filename # find lines without ‘word’  Grep ‘^word’ filename # find lines beginning with ‘word’  Grep ‘word’ filename > file2 # output lines with ‘word’ to file2  ls -l | grep rwxrwxrwx # list files that have ‘rwxrwxrwx’ feature  grep '^[0-4]‘ filename # find lines beginning with any of the numbers from 0-4  Grep –c ‘word’ filename # find lines with ‘word’ and print out the number of these lines  Grep –i ‘word’ filename # find lines with ‘word’ regardless of case  Many tutorials on grep online  http://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/  http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command- examples/ 61
  • 62. On-line Wireshark Trace Files  Public available .pcap files:  http://www.netresec.com/?page=PcapFiles  http://www.tp.org/jay/nwanalysis/traces/Lab%20 Trace%20Files/  Wiki Sample capture  https://wiki.wireshark.org/SampleCaptures 62
  • 63. Example Trace File and Questions  Network Forensic Puzzle Contests  http://forensicscontest.com/2010/02/03/puzzl e-4-the-curious-mr-x  SharkFest'15 Packet Challenge  https://sharkfest.wireshark.org/assets/present ations15/packetchallenge.zip 63