TurkHackTeam.Org/.Net/.Com.TR
Hi everyone,
In this article we will cover general information about networks, understand how
various protocols work, and get to know and use the Wireshark software.
WHAT IS WIRESHARK? WHAT IS IT USED FOR?
Wireshark is used to look at a network's transmission speed, to troubleshoot
network problems and to analyse packets. With Wireshark we can do the following:
Check the data traffic being transferred in real time
Analyse network traffic
Capture every packet on the network and analyse packets captured now or earlier
Edit captured packets
Save captured packets and merge them with other captures
Filter network traffic with various commands
Detect VoIP calls on the network and convert them back to voice
Extend the number of supported protocols with various plugins
You can download Wireshark from this link:
https://www.wireshark.org/download.html
WHAT IS A NETWORK?
We call a system in which devices are connected to each other, wired or
wireless, a network. Computers communicate with users over networks. A LAN
(Local Area Network) is a network of computers in a local area that are
connected to each other, whereas a WAN (Wide Area Network) is a network of
computers connected to each other over a wide area. In this article we will
analyse network traffic.
TCP/IP MODEL STRUCTURE
TCP/IP consists of two parts, an upper and a lower one. The upper part is the TCP
protocol, the lower part is the IP protocol. TCP splits the data into packets
before transfer and reassembles them after transfer. IP routes the packets to
the related network address. In this model new protocols can easily be placed in
the available layers when needed, but it has no strict rules, so the OSI model
works better than TCP/IP. The TCP/IP model consists of 4 layers.
OSI MODEL STRUCTURE
It consists of 7 layers. The OSI model sets the communication rules between
computers. Unlike the TCP/IP model, the layers and their relations to each other
are exactly defined, and unnecessary layers are not used, so working with the
OSI model is better. But the OSI model has some drawbacks, and these complicate
the development of new protocols.
PROTOCOLS USED IN THE TCP/IP MODEL
ARP PROTOCOL
This protocol converts IP addresses to MAC addresses and lets computers on the
local network communicate with each other. For example, when computer A wants to
communicate with computer B, it looks in its ARP table. If the IP and MAC
addresses belonging to B are in the table, they can communicate. If there is no
MAC address for B in the table, computer A puts its own IP and MAC addresses and
computer B's IP address into an ARP packet and sends it to all computers on the
local network as a "broadcast". We call this a "Request". Every computer that
receives the request compares the IP address in the packet with its own IP
address. If the addresses do not match, there is no response to the request. The
IP address in the packet belongs to computer B, so B accepts the request, takes
computer A's IP and MAC addresses from the ARP packet, and sends its own ARP
packet back to computer A as "unicast". This answer is the "Reply". In this way
computers A and B keep each other's IP and MAC addresses in their ARP tables.
DHCP PROTOCOL
The DHCP protocol assigns dynamic IP addresses to computers. It also sends
devices the DNS server address, subnet mask, gateway address and Windows server
addresses. For example, a computer that wants to join the local network checks
whether a DHCP server exists by sending a DHCP Discover packet to all computers
on the network. When the DHCP server receives this packet, it sends a packet
called 'DHCP Offer' to the computer that sent it, containing the IP information
and the lease time of the IP address, and asks the computer to accept or reject
it. If the computer accepts this offer, it sends a DHCP Request as a broadcast.
The DHCP server receives the request and sends the IP, DNS, subnet mask, gateway
and Windows server addresses to the computer in a DHCP ACK packet. In this way
the requesting computer joins the network.
DNS PROTOCOL
This protocol maps names to IP addresses. Thanks to this protocol, the domain to
be connected to is sent by the computer to the local DNS server. If the local DNS
server has already dealt with the corresponding IP address, it sends that IP back
and the requesting computer's connection with the domain address is established.
(to be continued) ...........
FTP PROTOCOL
This protocol provides file transfer between server and client. A three-way
handshake is established between server and client. After that, the client is
checked over port 21 to see whether the server identifies it. Once the client is
identified, data is transferred over port 20 according to the client's requests.
HTTP PROTOCOL
This protocol sets the rules for data exchange between server and client. The
client requests access to the data belonging to an address; this is called a
"Request". The server checks whether the requested address exists on it, and if
so, it sends the data for that address to the client as a 'Response'. The client
then shows this data to the user through a web browser.
GETTING TO KNOW THE WIRESHARK MENU
Open the Wireshark software and you will see this screen. Under the "Capture"
title we can select the Ethernet interface on which we want to capture network
traffic and watch that traffic. We choose which interfaces are listed with the
"All interfaces shown" text. Double-clicking an interface shows its network
traffic.
We can adjust the settings to our needs through Capture > Options. There we can
filter the captured network packets and select all of the interfaces or only
some of them.
We can filter the packets being captured in the "Capture Filter for selected
Interfaces" text. When we click the green button we see various filter options
(capture only TCP packets, capture only UDP packets, and so on).
We can manage the network interfaces with the "Manage Interfaces" text.
Now look at the "Output" tab. Under "File" we can write the captured network
traffic to the computer, and we can select "pcapng" or "pcap" as the file type.
We can also stop capturing automatically when the captured packets reach a size
that we set.
Now look at the "Options" tab. It contains various options. We can make the
network traffic more understandable by configuring these settings as we want
(for example: update the packet list in real time, hide the capture information
dialog, resolve transport-layer names, resolve network names, resolve MAC
addresses). Again, we can stop capturing automatically when the captured packets
reach a size that we set.
Click the "File" menu and then "Open" to open files in the formats Wireshark
supports; you can then work on these files. You can reopen files you opened
before with the "Open Recent" option.
Click "File" and then "Merge". On this page you can combine previously saved
traffic captures with new ones.
In the "Go" menu you can move between packets.
In the "Telephony" menu you can listen to packets.
In the "Statistics" menu you can reach the statistics of the traffic captures.
Now look at the "Edit" menu. You can set options under "Preferences" (you can
change the view and look at statistics).
WIRESHARK COLORING SETTINGS
Wireshark has coloring settings that make the capture easier to read and speed
up analysis. Changing the colors makes things easier for us. Now let's look at
these settings. Click the "View" menu, find "Coloring Rules" and click it. We now
see the coloring settings. These are the standard colors; we can change them.
We can add a new coloring rule by clicking "+". After selecting the rule, we can
choose the packet filter we want by clicking the "display filter expression"
text.
For example, let's assume we are examining packets whose size is 0. Choose the
packet filter as shown below and click "OK".
As you can see, our filter is now in the Filter section.
Now let's set the background and font color for this rule. Click the
"Background" button below and choose your color.
Then do the same for the font color from "Foreground". Check it one last time
and click "OK" to save it.
TIME DISPLAY FORMAT FEATURE
Time Display Format lets us choose how packet timestamps are shown. Find "Time
Display Format" in the "View" menu. A sub-menu appears, where we can display
packet times in any format we want, for example date and time, or time only.
NAME RESOLUTION FEATURE
You can also find Name Resolution in the "View" menu. This feature lets you
translate MAC addresses to computer names. It also helps you see the protocol
used on the transport layer, the domain names of IP addresses, and the name of
the remote network.
TRAFFIC CAPTURE FILTER COMMANDS
We can use various filters to make Wireshark more comfortable to use. I'll show
you how to reach these filters.
First, right-click the "Filter" button and click "Display Filter Expression" in
the menu that opens.
Now we see all the filters we can use. You can use these to work more
comfortably.
You can also get information about a filter by clicking the blue-colored shape.
CAPTURING NETWORK TRAFFIC WITH WIRESHARK
First, on the "Capture" page, find the network interface we want to listen to
and double-click it.
As you can see in the photo, our packets are listed once we press the start
button. There are 3 different panes. The first pane lists the packets and shows
us every process on the network.
The second pane shows us detailed information (IP addresses, protocols, ...). If
you want the details, double-click to see them.
And the third pane shows the bytes of the selected line from its start. On the
left we see the network packet in "hexadecimal" format, on the right in ASCII
format.
If you want to stop listening, press the "stop" button. If you want to restart,
click the "green button" next to the stop button. You can do other things in that
toolbar too (jump to the selected packet quickly, turn coloring off, enlarge the
text, ...).
CREATING COLUMNS AND PROFILES WITH WIRESHARK
We can set up our own coloring, our own filter settings and the column
structures used in analysis. To do these things, we need to create a profile in
Wireshark.
First, select the interface whose network traffic we want to follow and start
the traffic flow.
Now we don't need to look at the traffic flow. Click the "Profile" text and click
"New" in the menu that opens.
Now we need to set a name. You can set whatever you want; I set "Profile 1".
Then save.
You can manage the profile structure however you want. These settings will be
kept.
Now I'll show "how to create columns" and "how to edit columns". There are some
columns: "No", "Time", "Source", "Destination", "Protocol", "Length" and "Info".
They are the default columns. Now we'll create our own column. Move your cursor
to the column header line and right-click. We'll see this menu.
Now click "Column Preferences". We'll see this menu.
As you can see, there are the columns and their descriptions. You can edit and
delete these columns, and you can add new ones. Now we'll create a new column
that shows us source ports. First click the plus (+) button (you can see it in
the photo). Now set a name for the new column and select its type (as I said, I
will select source port). Then press "OK" to save.
As you can see, our column has been created.
WIRESHARK STATISTICS MENU
Wireshark creates statistics about the captured traffic. We will look at these
statistics under this heading.
SUMMARY FEATURE
With this feature you can learn about the general structure of the network
traffic (such as when the first and last packets were captured, etc.). Find
"Capture File Properties" in the "Statistics" menu. You can also leave a comment
under "Capture File Comments".
ADDRESS RESOLUTION FEATURE
This feature shows the domain names of the IP addresses within the traffic. Find
"Resolved Addresses" in the same menu.
PROTOCOL HIERARCHY FEATURE
This feature shows detailed information about the packets in the traffic: the
percentage of packets at each layer of the TCP/IP model, the structure of
incoming and outgoing packets, the amount of incoming data, and so on. Find
"Protocol Hierarchy" in the same menu.
CONVERSATION FEATURE
This feature shows the user which machines interacted within the traffic and
which protocol they used. Find "Conversations" in the same menu.
ENDPOINTS FEATURE
This shows the machine that was last interacted with. Find "Endpoints" in the
same menu.
I/O GRAPHS FEATURE
This feature shows the user the structure of the network traffic as a graph. Find
"I/O Graphs" in the same menu.
FLOW GRAPHS FEATURE
This feature shows the flow of sent and received packets. With it we can learn
how every process was performed within the network flow. Find "Flow Graph" in
the same menu.
HTTP PROTOCOL STATISTICS
With this feature we can monitor statistics about the processes that use the
HTTP protocol. Find "HTTP" in the same menu and choose whichever item you want to
see statistics for.
LOOKING AT THE THREE-WAY HANDSHAKE STRUCTURE IN WIRESHARK
We talked about the three-way handshake structure earlier. Now we will try to
look at it in Wireshark. I'll explain it using a .pcap file that I downloaded to
my PC. First click "Open" in the "File" menu and choose that file. The traffic
flow of our file is displayed.
To observe the three-way handshake we only need the traffic that uses the TCP
protocol. Take a closer look at these 3 lines and what happens there.
When two machines want to contact each other, the source machine that wants to
connect sends a SYN packet to the target machine and sets the SEQ value to 0.
The target machine that received the SYN packet sends a SYN ACK packet and sets
the ACK value to 1 to indicate that it accepts the connection.
The source machine that received the SYN ACK packet confirms the connection by
sending an ACK packet to the target machine with the SEQ and ACK values set to 1.
That is how the three-way handshake is performed and the data exchange starts.
When a machine wants to close this connection, it sends a FIN packet to the other
one.
The machine that received the FIN packet finishes the process by sending an ACK
packet.
And that is how the connection is closed.
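As an added example that is not part of the original article, the Python below builds the handshake and close described above from constructed TCP headers and then recomputes the SEQ/ACK values the way Wireshark's default "relative sequence numbers" display does, so the SYN shows Seq=0, the SYN ACK shows Ack=1 and the final ACK shows Seq=1 Ack=1. The ports and initial sequence numbers are made-up sample values, not taken from the .pcap file used in the article.

```python
import struct

FLAG_FIN, FLAG_SYN, FLAG_ACK = 0x01, 0x02, 0x10

# Constructed sample endpoints and initial sequence numbers (ISNs) for this example.
CLIENT, SERVER = ("10.0.0.5", 51234), ("93.184.216.34", 80)
CLIENT_ISN, SERVER_ISN = 1_000_000, 2_000_000


def tcp_segment(src_port, dst_port, seq, ack, flags):
    """Minimal 20-byte TCP header, no options; checksum left at 0 (sample data only)."""
    offset_and_flags = (5 << 12) | flags  # data offset = 5 words, flag bits in the low 9 bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_and_flags, 65535, 0, 0)


def parse_tcp(segment):
    """Decode the header fields Wireshark shows under 'Transmission Control Protocol'."""
    src, dst, seq, ack, offset_and_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    flags = offset_and_flags & 0x01FF
    names = [n for n, bit in (("FIN", FLAG_FIN), ("SYN", FLAG_SYN), ("ACK", FLAG_ACK)) if flags & bit]
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "flags": names}


def relative_view(segments):
    """Show SEQ/ACK the way Wireshark does by default ('relative sequence numbers'):
    each direction's numbers are counted from the ISN carried in that direction's SYN."""
    isn = {}  # (src_port, dst_port) -> ISN seen in that direction
    rows = []
    for segment in segments:
        p = parse_tcp(segment)
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        if "SYN" in p["flags"]:
            isn[fwd] = p["seq"]
        rel_seq = p["seq"] - isn[fwd] if fwd in isn else None
        rel_ack = p["ack"] - isn[rev] if "ACK" in p["flags"] and rev in isn else None
        rows.append((" ".join(p["flags"]), rel_seq, rel_ack))
    return rows


def handshake_and_close():
    """The three handshake segments, then a FIN from the client and the ACK that closes it."""
    c_port, s_port = CLIENT[1], SERVER[1]
    return [
        tcp_segment(c_port, s_port, CLIENT_ISN, 0, FLAG_SYN),                             # 1. SYN
        tcp_segment(s_port, c_port, SERVER_ISN, CLIENT_ISN + 1, FLAG_SYN | FLAG_ACK),      # 2. SYN ACK
        tcp_segment(c_port, s_port, CLIENT_ISN + 1, SERVER_ISN + 1, FLAG_ACK),             # 3. ACK
        tcp_segment(c_port, s_port, CLIENT_ISN + 1, SERVER_ISN + 1, FLAG_FIN | FLAG_ACK),  # FIN
        tcp_segment(s_port, c_port, SERVER_ISN + 1, CLIENT_ISN + 2, FLAG_ACK),             # ACK of FIN
    ]


def handshake_completed(rows):
    """True when the first three rows are SYN(0), SYN ACK(0,1), ACK(1,1) in that order."""
    return rows[:3] == [("SYN", 0, None), ("SYN ACK", 0, 1), ("ACK", 1, 1)]


if __name__ == "__main__":
    rows = relative_view(handshake_and_close())
    for flags, seq, ack in rows:
        print(f"[{flags}] Seq={seq} Ack={ack}")
    print("handshake complete:", handshake_completed(rows))
```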
ANALYZING ARP PROTOCOL PACKETS
Remember that the ARP protocol is the one that converts IP addresses into MAC
addresses. You can see your ARP table by entering this command in CMD.
Code:
arp -a
Now let's see this process in Wireshark. Choose your interface from "Capture",
then filter it to "ARP" only.
As you can see, "Broadcast" is the first one. It asks, via broadcast, for the MAC
address of the IP address identified in the sender information section. As I
mentioned earlier, we call this process a "Request". Here it is:
Let's look at the response to that request. The server specifies the IP address
the client wants to reach and says "whoever has this IP address, send me your MAC
address". We can see it in the INFO column. And here is the detailed version
(with sender and receiver IP & MAC addresses, protocol type, etc.):
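As an added example (not part of the original article), here is the request/reply exchange described in the ARP PROTOCOL section and shown in the capture above, written in Python with constructed sample addresses: host A broadcasts a request with the target MAC still zero, only host B answers with a unicast reply, both sides update their ARP tables, and the two frames are written to a .pcap file that Wireshark can open and filter with "arp". The hosts, MACs and file name are assumptions made up for this example.

```python
import struct
import time

# Constructed sample hosts for this example (not taken from any real capture).
A_IP, A_MAC = "192.168.1.10", "aa:bb:cc:00:00:0a"
B_IP, B_MAC = "192.168.1.20", "aa:bb:cc:00:00:14"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Ethernet II header + 28-byte ARP body (hardware=Ethernet, protocol=IPv4)."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def arp_request(sender_mac, sender_ip, target_ip):
    """'Who has target_ip? Tell sender_ip': target MAC unknown (zeros), sent to broadcast."""
    return arp_frame(ARP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip, BROADCAST_MAC)


def parse_arp(frame):
    """Decode the fields Wireshark lists under 'Address Resolution Protocol'."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    opcode = struct.unpack("!H", frame[20:22])[0]
    return {
        "eth_dst": mac_str(frame[0:6]),
        "opcode": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(opcode, opcode),
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def handle_request(frame, my_ip, my_mac):
    """Receiver side: answer with a unicast reply only if the target IP is our own."""
    p = parse_arp(frame)
    if p["opcode"] != "request" or p["target_ip"] != my_ip:
        return None  # not for us: stay silent, exactly as the other hosts do
    return arp_frame(ARP_REPLY, my_mac, my_ip, p["sender_mac"], p["sender_ip"], p["sender_mac"])


def learn(arp_table, frame):
    """Record the sender's IP -> MAC mapping, as both hosts do with the packets they process."""
    p = parse_arp(frame)
    arp_table[p["sender_ip"]] = p["sender_mac"]
    return arp_table


def write_pcap(path, frames):
    """Write the frames as a classic libpcap file (link type 1 = Ethernet) for Wireshark."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    with open(path, "wb") as f:
        f.write(header)
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", int(time.time()) + i, 0, len(frame), len(frame)))
            f.write(frame)


def exchange():
    """Run the A -> B request / B -> A reply exchange; return frames and both ARP tables."""
    table_a, table_b = {}, {}
    request = arp_request(A_MAC, A_IP, B_IP)      # A broadcasts: who has B_IP?
    learn(table_b, request)                        # B learns A's mapping from the request
    reply = handle_request(request, B_IP, B_MAC)   # B answers A directly (unicast)
    learn(table_a, reply)                          # A learns B's mapping from the reply
    return request, reply, table_a, table_b


if __name__ == "__main__":
    request, reply, table_a, table_b = exchange()
    print(parse_arp(request))
    print(parse_arp(reply))
    print("A's ARP table:", table_a, " B's ARP table:", table_b)
    write_pcap("arp_example.pcap", [request, reply])  # open in Wireshark, filter "arp"
```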
ANALYSING DHCP PROTOCOL PACKETS
We know that this protocol automatically gives several addresses to a machine
that connects to the network. Under this title we will examine DHCP protocol
packets. First let's see what our IP address is:
Code:
ipconfig
Then choose our interface in Wireshark. The traffic flow starts listing.
Now we need to release our IP address.
Code:
ipconfig /release
And then we need to renew it, of course.
Code:
ipconfig /renew
After getting the new IP address, go back to Wireshark and filter "bootp".
At the top we see the traffic that happens when we release our IP address. Below
that we see that the request came in from port 68 and the data was sent from
port 67.
Here the client asked for an IP address by sending a DHCP Discover packet. The
DHCP server that received this packet sent a DHCP Offer packet back. As you
know, the DHCP Offer packet is the one that provides several addresses to the
client. Let's examine this packet and see the provided addresses. Click the DHCP
Offer line and look at the details.
Here they are: subnet mask, router address, time offset, and IP address.
Now check the one below it, where the DHCP Request is sent. This packet shows
that the client accepted the offer sent by the DHCP server. So the DHCP ACK packet
is sent to the client with the information the server offered.
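As an added example (not part of the original article), the Python below walks through the Discover / Offer / Request / ACK exchange described in the DHCP PROTOCOL section and captured above: it builds each message as real BOOTP/DHCP bytes, records the client port 68 and server port 67 on each leg, and parses the Offer's options to pull out the subnet mask, router, lease time, time offset and offered IP the way Wireshark's packet details show them. The server IP, offered address, client MAC and transaction ID are constructed sample values.

```python
import struct

# Constructed sample values for this example (not from a real capture).
SERVER_IP, OFFERED_IP = "192.168.1.1", "192.168.1.50"
CLIENT_MAC, XID = "aa:bb:cc:dd:ee:ff", 0x3903F326
SERVER_PORT, CLIENT_PORT = 67, 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
OPTION_NAMES = {1: "subnet_mask", 2: "time_offset", 3: "router", 6: "dns_server",
                50: "requested_ip", 51: "lease_time", 53: "message_type", 54: "server_id"}
IP_LIST_OPTIONS = {1, 3, 6, 50, 54}  # options whose value is one or more IPv4 addresses


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def dhcp_packet(op, xid, client_mac, yiaddr, options):
    """BOOTP fixed header (236 bytes) + magic cookie + TLV options + END (255)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, broadcast flag
    hdr += ip_bytes("0.0.0.0") + ip_bytes(yiaddr) + ip_bytes("0.0.0.0") * 2  # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")) + b"\x00" * 10         # chaddr padded to 16 bytes
    hdr += b"\x00" * 192                                                     # sname (64) + file (128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return hdr + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(pkt):
    """Decode the header fields and options Wireshark shows for a 'bootp'/DHCP packet."""
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    out = {"op": "request" if op == 1 else "reply", "xid": xid,
           "client_mac": ":".join(f"{b:02x}" for b in pkt[28:28 + hlen]),
           "yiaddr": ip_str(pkt[16:20])}
    i = 240
    while i < len(pkt) and pkt[i] != 255:      # walk the TLV options until END
        if pkt[i] == 0:                         # PAD option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        i += 2 + length
        name = OPTION_NAMES.get(code, f"option_{code}")
        if code in IP_LIST_OPTIONS:
            out[name] = [ip_str(value[j:j + 4]) for j in range(0, len(value), 4)]
        elif code == 53:
            out[name] = MESSAGE_TYPES.get(value[0], value[0])
        elif code == 51:
            out[name] = struct.unpack("!I", value)[0]   # lease time in seconds
        elif code == 2:
            out[name] = struct.unpack("!i", value)[0]   # time offset from UTC, signed seconds
        else:
            out[name] = value
    return out


def server_reply(client_msg, msg_type):
    """Server side: answer a Discover with an Offer, a Request with an ACK, reusing the xid."""
    c = parse_dhcp(client_msg)
    return dhcp_packet(2, c["xid"], c["client_mac"], OFFERED_IP, [
        (53, bytes([msg_type])), (54, ip_bytes(SERVER_IP)), (51, struct.pack("!I", 86400)),
        (1, ip_bytes("255.255.255.0")), (3, ip_bytes(SERVER_IP)), (6, ip_bytes(SERVER_IP)),
        (2, struct.pack("!i", 10800)),
    ])


def dora():
    """Run Discover / Offer / Request / ACK; return (src_port, dst_port, parsed) per message."""
    discover = dhcp_packet(1, XID, CLIENT_MAC, "0.0.0.0", [(53, b"\x01")])
    offer = server_reply(discover, 2)
    o = parse_dhcp(offer)
    request = dhcp_packet(1, XID, CLIENT_MAC, "0.0.0.0", [
        (53, b"\x03"), (50, ip_bytes(o["yiaddr"])), (54, ip_bytes(o["server_id"][0]))])
    ack = server_reply(request, 5)
    return [(CLIENT_PORT, SERVER_PORT, parse_dhcp(discover)), (SERVER_PORT, CLIENT_PORT, o),
            (CLIENT_PORT, SERVER_PORT, parse_dhcp(request)), (SERVER_PORT, CLIENT_PORT, parse_dhcp(ack))]


if __name__ == "__main__":
    for src, dst, msg in dora():
        print(f"{src} -> {dst}  DHCP {msg['message_type']}  xid=0x{msg['xid']:08x}  yiaddr={msg['yiaddr']}")
    print("offer details:", dora()[1][2])
```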
ANALYSING DNS PROTOCOL PACKETS
The DNS protocol is the one that converts website domains to IP addresses. Now
we will examine it in Wireshark. Enter the command below to see the websites you
have visited. Here is the info about turkhackteam, for example.
Code:
ipconfig /displaydns
Now let's clear our browser cache.
Code:
ipconfig /flushdns
Now check the table again.
Code:
ipconfig /displaydns
We can no longer see THT's IP address. Start Wireshark and ping the website
from CMD.
Code:
ping www.turkhackteam.org
We sent a request to the website. Let's see what happened in Wireshark. Filter
for "dns" and search. We can see that there is a query first; then the server
responded and converted the domain to an IP. Here is the detailed version:
ANALYSING HTTP PROTOCOL PACKETS
This protocol works on the application layer and uses the TCP protocol on the
transport layer. Let's say you open a website. TCP runs first: the three-way
handshake is performed when the protocol is triggered. If the three-way
handshake succeeds, the connection is established and the visit request is sent
to the server with the HTTP protocol. After that the server starts sending data.
You can see this process in Wireshark.
FOLLOW TCP/UDP STREAM FEATURE
We can follow TCP/UDP streams with the Follow TCP/UDP Stream feature in
Wireshark. This feature makes streaming traffic more understandable. Based on
everything we have learned up to this heading, we can say that it would be very
confusing for someone unfamiliar with it to understand the TCP/IP protocol
structure flowing over the network in Wireshark. When we want to inspect flowing
traffic without a packet filter, we know it is going to be damn hard even if we
are familiar with the TCP/IP protocol structure. I'll show you how to make
streaming traffic more understandable, and our traffic will be shown
graphically. Now continue: I opened a "pcap" file in Wireshark, right-clicked a
traffic stream that uses the TCP protocol, and clicked "Follow TCP/UDP Stream".
A new page opens. On this page you can see the TCP stream in different formats,
and you can reach the source code of the website you visited. You can save this
traffic with "Save As".
EXPORT OBJECT FEATURE
You can identify a file in the traffic stream and save that file in whichever
format you want.
To use this feature, click the "File" menu and select "Export Objects". After
selecting it, you will see a page; select "HTTP" on it.
After that a new page appears. You can see the real formats of the files in the
traffic stream, and you can save them.
DECRYPTING SSL TRAFFIC
Under this title we'll try to decrypt network traffic that was encrypted with
the SSL protocol. We'll decrypt it with the SSL key, so we need the SSL key for
it. I downloaded a pcap file and a key file from the Internet. Now we'll open our
pcap file, and it opens:
We'll open the "Edit" menu and click the "Preferences" option.
Now select "RSA Key" (you can see it in the left bar), press the "Add New Key
File" button, select our .key file and press OK.
Open the "File" menu and click "Export Objects". Now press "HTTP", and you can
see the decrypted data and save it.
DISPLAYING THE SSL CERTIFICATE INSIDE SSL PACKETS
Now we'll get the website's SSL certificate from the SSL packets we display.
It's enough to filter for "SSL".
Then click on a packet, it doesn't matter which one, and check the "Certificate"
info.
Right-click "Certificate: ..." and choose "Export Packet Bytes".
Then it will ask where to save it. Choose anywhere and save it with a ".crt" or
".cer" extension. Then open the saved file. Here is what mine looks like.
CONVERTING VOIP PACKETS TO VOICE
Let me talk about the RTP protocol and VoIP first. The RTP protocol is used for
end-to-end transport in communications that carry media. VoIP is the IP-based
structure used for voice calls over the Internet. In this protocol the voice is
sent to the other side as packets, and this title is about converting those
packets back to voice.
First of all, we need to see the protocols that have the RTP structure. I opened
an example .pcap file for the RTP protocol.
Then find RTP -> RTP Streams in the "Telephony" menu.
We have two different voice streams.
Choose one and click on "Analyze".
We should see a screen like this. Just hit "Play Streams".
We got the voice from the packets here. Click "Play" to listen to it. We can even
check the date and time of the voice.
EXPERT INFO FEATURE
This feature shows the user messages such as warnings or notes about the packets
captured from the network traffic. To use this feature, network traffic needs to
have been captured. When that is done, we can see the messages and their source.
Click the icon I marked in the screenshot below.
A new screen is displayed now. This is the warning message.
You can see that it is a bit detailed, too. If there is more than one of these
messages, click on one of them to see its details. We can even filter these
messages: click the "Show" button and choose whatever you want.
MERGING CAPTURED TRAFFIC FLOWS
With this process we will merge separately captured traffic flows into one
file. Open your .pcap file first.
Then find "Merge" in the "File" menu to merge it with the other one.
When we click open, the two captures are now merged in Wireshark.
Now let's save the merged packets as one file. Find "Save As" in the "File"
menu, choose your folder, enter the file name, and click "OK". Now they are in
one .pcap file.
That's all we can give. Take care!
 
TCP Sockets Tutor maXbox starter26
TCP Sockets Tutor maXbox starter26TCP Sockets Tutor maXbox starter26
TCP Sockets Tutor maXbox starter26Max Kleiner
 
Introduction to Spark Streaming
Introduction to Spark StreamingIntroduction to Spark Streaming
Introduction to Spark StreamingKnoldus Inc.
 
Programming Without Coding Technology (PWCT) Environment
Programming Without Coding Technology (PWCT) EnvironmentProgramming Without Coding Technology (PWCT) Environment
Programming Without Coding Technology (PWCT) EnvironmentMahmoud Samir Fayed
 
maXbox Arduino Tutorial
maXbox Arduino TutorialmaXbox Arduino Tutorial
maXbox Arduino TutorialMax Kleiner
 

Similar to Analyzing Network Traffic (20)

Wireshark Lab Getting Started v6.0 Supplement to Co.docx
Wireshark Lab  Getting Started v6.0  Supplement to Co.docxWireshark Lab  Getting Started v6.0  Supplement to Co.docx
Wireshark Lab Getting Started v6.0 Supplement to Co.docx
 
TCP/IP 3RD SEM.2012 AUG.ASSIGNMENT
TCP/IP 3RD SEM.2012 AUG.ASSIGNMENTTCP/IP 3RD SEM.2012 AUG.ASSIGNMENT
TCP/IP 3RD SEM.2012 AUG.ASSIGNMENT
 
Network And Network Address Translation
Network And Network Address TranslationNetwork And Network Address Translation
Network And Network Address Translation
 
Hatkit Project - Datafiddler
Hatkit Project - DatafiddlerHatkit Project - Datafiddler
Hatkit Project - Datafiddler
 
TCPIP
TCPIPTCPIP
TCPIP
 
Wireshark tutorial
Wireshark tutorialWireshark tutorial
Wireshark tutorial
 
Wireshark lab getting started one’s unde
Wireshark lab  getting started     one’s undeWireshark lab  getting started     one’s unde
Wireshark lab getting started one’s unde
 
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, HelpshiftKafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
 
Pears
PearsPears
Pears
 
QoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS RouterQoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS Router
 
Routing_Article
Routing_ArticleRouting_Article
Routing_Article
 
Basics of tcp ip
Basics of tcp ipBasics of tcp ip
Basics of tcp ip
 
Installation Of An Iso Image Dvd
Installation Of An Iso Image DvdInstallation Of An Iso Image Dvd
Installation Of An Iso Image Dvd
 
Backtrack Manual Part4
Backtrack Manual Part4Backtrack Manual Part4
Backtrack Manual Part4
 
How does the internet work converted General (Your) Affiliate Link: https://w...
How does the internet work converted General (Your) Affiliate Link: https://w...How does the internet work converted General (Your) Affiliate Link: https://w...
How does the internet work converted General (Your) Affiliate Link: https://w...
 
TCP Sockets Tutor maXbox starter26
TCP Sockets Tutor maXbox starter26TCP Sockets Tutor maXbox starter26
TCP Sockets Tutor maXbox starter26
 
Cisco doc
Cisco docCisco doc
Cisco doc
 
Introduction to Spark Streaming
Introduction to Spark StreamingIntroduction to Spark Streaming
Introduction to Spark Streaming
 
Programming Without Coding Technology (PWCT) Environment
Programming Without Coding Technology (PWCT) EnvironmentProgramming Without Coding Technology (PWCT) Environment
Programming Without Coding Technology (PWCT) Environment
 
maXbox Arduino Tutorial
maXbox Arduino TutorialmaXbox Arduino Tutorial
maXbox Arduino Tutorial
 

Recently uploaded

software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxnada99848
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 

Recently uploaded (20)

software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptx
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 

Analyzing Network Traffic

TurkHackTeam.Org/.Net/.Com.TR

Hi everyone,

In this article we will cover general information about networks, look at how several common protocols work, and learn to use Wireshark.

WHAT IS WIRESHARK? WHAT IS IT USED FOR?

Wireshark is used to measure a network's throughput, troubleshoot network problems and analyze packets. With Wireshark we can:

Watch data traffic in real time
Analyze network traffic
Capture every packet on the network and analyze packets captured now or earlier
Edit captured packets
Save captured packets and merge them with other capture files
Filter network traffic with various filter expressions
Detect VoIP calls on the network and play them back as audio
Add support for more protocols through plugins

You can download Wireshark here:
https://www.wireshark.org/download.html

WHAT IS A NETWORK?

A network is a system of devices connected to each other by wire or wirelessly. Computers communicate with users and with each other over networks. A LAN (Local Area Network) connects computers in a limited area, such as a building; a WAN (Wide Area Network) connects computers across wide geographic areas. In this article we will analyze network traffic.

TCP/IP MODEL STRUCTURE

TCP/IP is named after its two core protocols. TCP, the upper part, splits data into segments before transmission and reassembles them in order at the receiver. IP, the lower part, routes each packet to the destination network address. The model is flexible: a new protocol can easily be placed in the appropriate layer. On the other hand the layer boundaries are not strictly defined, so the OSI model is the cleaner reference. The TCP/IP model has 4 layers: link, internet, transport and application.

OSI MODEL STRUCTURE

It has 7 layers. The OSI model defines the rules of communication between computers. Unlike the TCP/IP model, each layer and its relation to the neighboring layers is precisely defined, and no unnecessary layers are used, which makes OSI easier to reason about. The OSI model has drawbacks as well: its strictness makes developing new protocols harder, which is why TCP/IP is what is actually deployed.

PROTOCOLS USED IN THE TCP/IP MODEL

ARP PROTOCOL

ARP resolves IP addresses to MAC addresses, which is what lets computers on the same local network communicate. For example, when computer A wants to communicate with computer B, A first looks in its own ARP table. If the table already holds B's IP and MAC addresses, they can communicate directly. If B's MAC address is not there, A puts its own IP and MAC addresses together with B's IP address into an ARP packet and sends it as a broadcast to every host on the local network. This is the "Request". Every computer that receives the request compares the IP address in the packet with its own; if they do not match, it does not answer.

The IP address in the packet belongs to B, so B accepts the request, records A's IP and MAC addresses from the ARP packet, and sends its answer back to A as a unicast. This message is the "Reply". As a result A and B both keep each other's IP and MAC addresses in their ARP tables. Note that nothing in this exchange is authenticated: any host on the segment can answer a request, or send an unsolicited reply, claiming someone else's IP address. That is the basis of ARP spoofing, so an IP address whose MAC changes unexpectedly in a capture deserves attention.

DHCP PROTOCOL

DHCP assigns IP addresses to computers dynamically. Along with the address it sends the DNS server address, the subnet mask, the gateway address and, on Windows networks, the WINS server address. For example, a computer that wants to join the local network checks whether a DHCP server exists by sending a DHCP Discover packet as a broadcast to every host on the network. When the DHCP server receives this packet, it answers with a "DHCP Offer" packet containing the proposed IP address and its lease time, and asks the computer to accept or reject it. If the computer accepts, it sends a DHCP Request as a broadcast. The DHCP server receives the request and sends the IP address, DNS, subnet mask, gateway and WINS server addresses to the computer in a DHCP ACK packet. With that, the requesting computer has joined the network. Like ARP, DHCP has no built-in authentication: any machine on the segment can answer a Discover and hand out its own gateway and DNS addresses, so the server address in an Offer is worth checking against the one you expect.

DNS PROTOCOL

This protocol maps names to IP addresses. The computer sends the domain name it wants to reach to its local DNS server. If the local DNS server knows the IP address for that name, it returns it, and the requesting computer can then communicate with the domain.

(TO BE CONTINUED) ...........

FTP PROTOCOL

This protocol transfers files between a server and a client. A TCP three-way handshake is performed between them on port 21, the control connection, over which the client authenticates to the server. Once authenticated, the client's requests cause data to be transferred over a separate data connection (port 20 on the server side in active mode). On plain FTP both the credentials and the data travel in cleartext, which is why they are easy to read in a capture.

HTTP PROTOCOL

This protocol sets the rules for data exchange between a server and a client. The client asks for the data belonging to an address; this is the "Request". The server checks whether it has that address and, if so, sends the data back to the client as the "Response". The client then renders the data for the user in a web browser.

GETTING TO KNOW THE WIRESHARK MENU

Open Wireshark. You will see this screen. Under the "Capture" heading we can select the interface whose traffic we want to capture and watch the traffic. "All interfaces shown" lets us choose which interfaces appear. Double-clicking an interface starts showing its traffic.
Under Capture > Options we can adjust the settings to our needs, filter the captured packets and select all or some of the interfaces.

In the "Capture filter for selected interfaces" field we can filter what gets captured. Clicking the green button shows various ready-made filters (capture only TCP packets, capture only UDP packets, and so on).

"Manage Interfaces" lets us manage the network interfaces.

Now look at the "Output" tab. Under "File" we can write the captured traffic to a file on the computer, choosing "pcapng" or "pcap" as the format. We can also have the capture stop automatically once it reaches a size we set.

Now look at the "Options" tab. It has several options that make the traffic easier to read when configured to our needs (for example: update the packet list in real time, hide the capture info dialog, resolve MAC addresses, resolve network (IP) names, resolve transport-layer port names). Here too we can stop the capture automatically when it reaches a size we set.

From the "File" menu, "Open" opens any capture file Wireshark supports, and you can then work on it. "Open Recent" lists the files you opened earlier in Wireshark.

"File" > "Merge" combines a previously saved capture with the one currently open. The "Go" menu moves between packets. The "Telephony" menu lets you play back captured calls. The "Statistics" menu holds statistics about the traffic. Now look at the "Edit" menu: "Preferences" holds the settings (you can change the view, the columns, and so on).
WIRESHARK COLORING SETTINGS

Wireshark colors packets to make the packet list easier to read and faster to analyze. Changing the colors to suit us makes this easier still. Let us look at these settings. Open the "View" menu, find "Coloring Rules" and click it. The coloring rules appear. These are the default colors; we can change them.

We can add a new coloring rule by clicking "+". After adding the rule, we pick the packets it should match by clicking its filter field and using the "Display Filter Expression" dialog. For example, let us assume we want to highlight packets whose length is 0. Choose the expression as below and click "OK".

As you can see, our expression is now in the Filter field. Now let us set the background and text color for this rule. Click the "Background" button below and choose a color.

Then do the same for the text color with "Foreground". Check it one last time and click "OK" to save.

TIME DISPLAY FORMAT

Time Display Format controls how packet timestamps are shown. Find "Time Display Format" in the "View" menu. A submenu appears, and we can show timestamps in whichever form we want, for example date and time of day, time of day only, or seconds since the previous packet.
NAME RESOLUTION

Name Resolution is also in the "View" menu. It replaces MAC addresses with manufacturer names, shows the names of transport-layer ports, the domain names behind IP addresses, and the names of remote networks.

DISPLAY FILTERS FOR CAPTURED TRAFFIC

We can use various filters to make working with Wireshark more comfortable. I will show you how to reach these filters. First right-click the "Filter" field and click "Display Filter Expression" in the menu that opens. Now we see all the filters we can use. Also, you can get information about a filter by clicking the blue icon.

CAPTURING NETWORK TRAFFIC WITH WIRESHARK

First, on the "Capture" screen, find and double-click the name of the interface we want to listen on. As you can see in the picture, packets are listed once the capture starts. The window has three panes. The first pane lists the packets and shows us everything happening on the network.

The second pane shows the details of the selected packet (IP addresses, protocols, and so on); expand an item to see more. The third pane shows the bytes of the selected packet, in hexadecimal on the left and as ASCII on the right. To stop listening press the "Stop" button; to start again click the green button next to it. The other buttons on that toolbar do other things (jump to the selected packet, turn off coloring, zoom the text, and so on).

CREATING COLUMNS AND PROFILES IN WIRESHARK

We can set our own coloring, define filters and define the column layout used during analysis. To keep these together we create a profile in Wireshark. First select the interface whose traffic we want to follow and start capturing. We do not need the traffic itself now. Click "Profile" in the status bar and click "New" in the menu that opens.

Now give it a name; anything will do. I named it "Profile 1". Save. You can manage the profile however you want, and these settings persist.

Now I will show how to create and edit columns. The default columns are "No", "Time", "Source", "Destination", "Protocol", "Length" and "Info". Now we will create our own column. Move the cursor onto the column header row and right-click. We see this menu. Click "Column Preferences". We see this dialog.

As you can see, the columns are listed with their descriptions. You can edit and delete them, and add new ones. Now we will add a column that shows source ports. First click the plus (+) button (see the picture). Give the new column a name, select its type (as I said, I am choosing source port), and press "OK" to save.
As you can see, our column has been created.

WIRESHARK STATISTICS MENU

Wireshark produces statistics about the captured traffic. We will look at them under this heading.

CAPTURE FILE PROPERTIES (SUMMARY)

This shows the general shape of the capture (when the first and last packet were captured, and so on). Find "Capture File Properties" in the "Statistics" menu. You can also leave a note under "Capture File Comments".

RESOLVED ADDRESSES

Shows the domain names of the IP addresses seen in the traffic. Find "Resolved Addresses" in the same menu.

PROTOCOL HIERARCHY

Shows, layer by layer of the TCP/IP stack, what share of the packets and bytes each protocol accounts for. Find "Protocol Hierarchy" in the same menu.

CONVERSATIONS

Shows which machines talked to each other in the traffic and which protocols they used. Find "Conversations" in the same menu.

ENDPOINTS

Shows every address that sent or received traffic, with its packet and byte counts. Find "Endpoints" in the same menu.

I/O GRAPHS

Shows the traffic over time as a graph. Find "I/O Graphs" in the same menu.

FLOW GRAPHS

Shows the flow of sent and received packets between hosts, so we can see how each exchange in the capture proceeded. Find "Flow Graph" in the same menu.

HTTP PROTOCOL STATISTICS

We can see statistics about the HTTP traffic here. Find "HTTP" in the same menu and choose the statistic you want to see.
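The "pcap" output format from the Output tab and the Protocol Hierarchy, Conversations and Endpoints statistics above are easy to reproduce by hand, which is a good way to understand what Wireshark is counting. The following is an added example, not code from the original article or from the Wireshark project. It writes constructed Ethernet/IPv4 frames into a classic little-endian pcap file, reads them back, and computes the three statistics; the IP addresses, ports and frames are made up for the demonstration (203.0.113.0/24 is a documentation range), checksums are left zero, and the conversation key is the port-level one Wireshark shows on its TCP/UDP tabs.

```python
"""Minimal pcap writer/reader plus Wireshark-style statistics (added example)."""
import struct
from collections import Counter
from ipaddress import IPv4Address

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_REC = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")
L4_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def write_pcap(frames, first_ts=1_700_000_000):
    """Serialize Ethernet frames in classic libpcap ('pcap') format, one second apart."""
    out = PCAP_GLOBAL.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for n, frame in enumerate(frames):
        out += PCAP_REC.pack(first_ts + n, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) records; refuse files this reader cannot interpret."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = PCAP_GLOBAL.unpack(data[:PCAP_GLOBAL.size])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    pos = PCAP_GLOBAL.size
    while pos + PCAP_REC.size <= len(data):
        sec, usec, incl, _orig = PCAP_REC.unpack(data[pos:pos + PCAP_REC.size])
        pos += PCAP_REC.size
        if pos + incl > len(data):
            raise ValueError("truncated record")  # capture cut off mid-packet
        yield sec + usec / 1e6, data[pos:pos + incl]
        pos += incl


def build_frame(proto, src_ip, dst_ip, sport, dport, src_mac=b"\x02" * 6, dst_mac=b"\x04" * 6):
    """Constructed Ethernet/IPv4 frame with a bare UDP (8 B) or TCP SYN (20 B) header
    and no payload. Checksums stay zero: these are samples for the statistics."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    ip = IPV4_HDR.pack(0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return ETH_HDR.pack(dst_mac, src_mac, 0x0800) + ip + l4


def classify(frame):
    """Protocol path (as in Statistics > Protocol Hierarchy) and a direction-free
    conversation key of two (host, port) endpoints."""
    _dst, _src, ethertype = ETH_HDR.unpack(frame[:14])
    if ethertype == 0x0806:
        return ["eth", "arp"], None
    if ethertype != 0x0800:
        return ["eth", f"ethertype_0x{ethertype:04x}"], None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
    path = ["eth", "ip", L4_NAMES.get(proto, f"proto_{proto}")]
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        return path, tuple(sorted([(src, sport), (dst, dport)]))
    return path, tuple(sorted([(src, 0), (dst, 0)]))


def statistics(frames):
    """The three Counters Wireshark presents as Protocol Hierarchy, Conversations and Endpoints."""
    hierarchy, conversations, endpoints = Counter(), Counter(), Counter()
    for frame in frames:
        path, key = classify(frame)
        for depth in range(1, len(path) + 1):
            hierarchy["/".join(path[:depth])] += 1
        if key:
            conversations[key] += 1
            for host, _port in key:
                endpoints[host] += 1
    return hierarchy, conversations, endpoints


def sample_capture():
    """Constructed traffic: a DNS query/answer pair and two TCP SYNs to a web server."""
    return [
        build_frame(17, "192.168.1.10", "192.168.1.1", 53211, 53),
        build_frame(17, "192.168.1.1", "192.168.1.10", 53, 53211),
        build_frame(6, "192.168.1.10", "203.0.113.5", 51234, 443),
        build_frame(6, "192.168.1.10", "203.0.113.5", 51235, 443),
    ]


if __name__ == "__main__":
    frames = [f for _, f in read_pcap(write_pcap(sample_capture()))]
    for table in statistics(frames):
        print(dict(table))
```

Writing the output of `write_pcap` to a file and opening it in Wireshark gives the same counts under Statistics > Protocol Hierarchy and Statistics > Conversations, which is a quick way to confirm that a home-grown parser and the tool agree before trusting the parser on real traffic.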
LOOKING AT THE THREE-WAY HANDSHAKE IN WIRESHARK

We talked about the three-way handshake earlier. Now let us look at it in Wireshark. I will explain it using a .pcap file that I downloaded to my PC. First click "Open" in the "File" menu and choose the file. The traffic from the file is displayed. To observe the handshake we only need the TCP traffic, so filter on "tcp". Take a closer look at these 3 lines and what happens there.

When two machines want to communicate, the source machine that wants to connect sends a SYN packet to the target with Seq=0. The target, having received the SYN, answers with a SYN, ACK packet and sets Ack=1 to show that it accepts the connection. The source, having received the SYN, ACK, confirms the connection by sending an ACK packet with Seq=1 and Ack=1. The 0 and 1 shown here are relative sequence numbers: Wireshark subtracts each side's initial sequence number (ISN) so the stream is easier to read. The real ISNs are random 32-bit values (turn off "Relative sequence numbers" in the TCP protocol preferences to see them), and that randomness is what makes it hard for an off-path attacker to inject segments into an established connection.

That is how the three-way handshake is performed and data exchange begins. When a machine wants to close the connection it sends a FIN packet to the other one. The machine that receives the FIN acknowledges it with an ACK. It then sends its own FIN, which the first machine acknowledges in turn, so a clean close is two FIN/ACK exchanges. That is how the connection is ended.

ANALYZING ARP PROTOCOL PACKETS

Remember that ARP is the protocol that resolves IP addresses to MAC addresses. You can see your own ARP table by entering this command in CMD:

Code:
arp -a
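The handshake and the close described above, reproduced from raw TCP headers, as an added example that is not part of the original article. It uses only the Python standard library: `build_tcp` constructs 20-byte headers (checksums left zero, since nothing goes on the wire), `describe_stream` prints the same Info text Wireshark shows, including the relative Seq/Ack numbers computed from each side's ISN, and `is_complete_handshake` performs the consistency check (each ACK must equal the peer's ISN + 1) that distinguishes a real handshake from a lone SYN. The ports and ISNs in `sample_connection` are made up.

```python
"""Three-way handshake and close as raw TCP headers (added example)."""
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# sport, dport, seq, ack, data offset, flags, window, checksum, urgent pointer
TCP_HDR = struct.Struct("!HHIIBBHHH")


def build_tcp(sport, dport, seq, ack, flags, window=65535):
    """Constructed 20-byte TCP header without options; checksum is left 0
    because these samples never touch the wire."""
    return TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_tcp(segment):
    """Decode the fixed part of a TCP header into a dict."""
    sport, dport, seq, ack, offset, flags, window, _csum, _urg = TCP_HDR.unpack(segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "hdr_len": (offset >> 4) * 4}


def flag_names(flags):
    """'SYN, ACK' style text, as Wireshark prints it in the Info column."""
    names = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK))
    return ", ".join(name for name, bit in names if flags & bit)


def describe_stream(segments):
    """Info-column strings with relative Seq/Ack numbers.

    The first SYN seen in each direction records that direction's initial
    sequence number (ISN); later numbers are printed as offsets from it.
    That is why the article sees Seq=0 on the SYN and Seq=1 Ack=1 on the
    final ACK although the real ISNs are random 32-bit values.
    """
    isn = {}
    lines = []
    for raw in segments:
        s = parse_tcp(raw)
        fwd, rev = (s["sport"], s["dport"]), (s["dport"], s["sport"])
        if s["flags"] & SYN and fwd not in isn:
            isn[fwd] = s["seq"]
        rel_seq = s["seq"] - isn.get(fwd, s["seq"])
        line = f"{s['sport']} -> {s['dport']} [{flag_names(s['flags'])}] Seq={rel_seq}"
        if s["flags"] & ACK:
            line += f" Ack={s['ack'] - isn.get(rev, 0)}"  # ACKs count in the peer's sequence space
        lines.append(line)
    return lines


def is_complete_handshake(segments):
    """True if the first three segments are SYN, SYN/ACK, ACK with consistent
    numbers (each ACK equals the peer's ISN + 1), the same consistency check
    Wireshark's TCP analysis makes before treating a stream as established."""
    if len(segments) < 3:
        return False
    a, b, c = (parse_tcp(x) for x in segments[:3])
    return ((a["flags"] & (SYN | ACK)) == SYN
            and (b["flags"] & (SYN | ACK)) == (SYN | ACK) and b["ack"] == a["seq"] + 1
            and (c["flags"] & (SYN | ACK)) == ACK
            and c["seq"] == a["seq"] + 1 and c["ack"] == b["seq"] + 1)


def sample_connection(client_isn=0x1A2B3C4D, server_isn=0x7F00FF00):
    """Constructed sample: handshake, then the client's FIN and the server's
    own FIN. Both ends must send a FIN, so a clean close is four segments."""
    c, s = 51234, 80
    return [
        build_tcp(c, s, client_isn, 0, SYN),
        build_tcp(s, c, server_isn, client_isn + 1, SYN | ACK),
        build_tcp(c, s, client_isn + 1, server_isn + 1, ACK),
        build_tcp(c, s, client_isn + 1, server_isn + 1, FIN | ACK),
        build_tcp(s, c, server_isn + 1, client_isn + 2, ACK),
        build_tcp(s, c, server_isn + 1, client_isn + 2, FIN | ACK),
        build_tcp(c, s, client_isn + 2, server_isn + 2, ACK),
    ]


if __name__ == "__main__":
    for line in describe_stream(sample_connection()):
        print(line)
```

Running the block prints the seven Info lines from `[SYN] Seq=0` to `[ACK] Seq=2 Ack=2`. Feeding `is_complete_handshake` the segments of each TCP stream in a capture is a cheap way to separate established connections from SYNs that never completed, which is what a port scan or a SYN flood looks like.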
  • 30. Bu resim yeniden boyutlandırıldı, tam halini görmek için tıklayınız. Now let's see this process on Wireshark. Choose your interface from "Capture". Then filter it only "ARP". Bu resim yeniden boyutlandırıldı, tam halini görmek için tıklayınız. As you can see, "Broadcast" is the first one. It wants MAC address of IP address that identified on server information section with broadcast. I've mentioned it earlier, we call this process as "Request". Here it is:
• 31. Now let's see the response to that request. In the request, the sender fills in the IP address it wants to reach and effectively asks "whoever has this IP address, tell me your MAC address"; in the INFO column Wireshark shows it as "Who has <target IP>? Tell <sender IP>". The reply is not broadcast: the owner of that IP address answers directly (unicast) with "<IP> is at <MAC>". Here is the detailed view (with sender and target IP and MAC addresses, hardware and protocol type, and the opcode, 1 for a request and 2 for a reply): Because ARP has no authentication, any host on the segment can answer a request or send unsolicited replies for an IP address it does not own. Wireshark flags the symptom of this in Expert Info as "Duplicate IP address detected" when it sees the same IP claimed by two different MAC addresses (display filter: arp.duplicate-address-detected), which is the first thing to check if you suspect ARP spoofing.
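As an added example (not code from the original article), the following parses raw ARP packets, rebuilds the Info column strings Wireshark shows for requests and replies, and applies the same check that produces the "Duplicate IP address detected" warning: one IP address claimed by more than one MAC. All addresses and frames below are constructed.

```python
"""Parse ARP packets into Wireshark-style Info lines and flag an IP address that
is claimed by two different MAC addresses (the ARP spoofing symptom).
Added example; every address and frame here is constructed."""
import struct
from ipaddress import IPv4Address


def mac_str(raw):
    return ":".join(f"{x:02x}" for x in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """28-byte ARP payload for Ethernet/IPv4: hw type 1, proto 0x0800, lengths 6/4."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + bytes.fromhex(sender_mac.replace(":", "")) + IPv4Address(sender_ip).packed
            + bytes.fromhex(target_mac.replace(":", "")) + IPv4Address(target_ip).packed)


def parse_arp(data):
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", data[:8])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": mac_str(data[8:14]), "sender_ip": str(IPv4Address(data[14:18])),
            "target_mac": mac_str(data[18:24]), "target_ip": str(IPv4Address(data[24:28]))}


def info_line(p):
    """Mimic Wireshark's Info column: opcode 1 is a request, 2 is a reply."""
    if p["op"] == 1:
        if p["sender_ip"] == p["target_ip"]:
            return f"Gratuitous ARP for {p['sender_ip']} (Request)"
        return f"Who has {p['target_ip']}? Tell {p['sender_ip']}"
    if p["op"] == 2:
        return f"{p['sender_ip']} is at {p['sender_mac']}"
    return f"Unknown ARP opcode {p['op']}"


def find_duplicate_addresses(packets):
    """Return {ip: {mac, ...}} for every sender IP seen with more than one sender MAC.
    This is the condition behind Wireshark's 'Duplicate IP address detected' expert info."""
    seen = {}
    for p in packets:
        seen.setdefault(p["sender_ip"], set()).add(p["sender_mac"])
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


# Constructed segment: a host resolves its gateway, the gateway answers, then a
# third machine sends a spoofed reply claiming the gateway's IP.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
HOST_IP, HOST_MAC = "192.168.1.10", "66:77:88:99:aa:bb"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE = [parse_arp(frame) for frame in (
    build_arp(1, HOST_MAC, HOST_IP, "00:00:00:00:00:00", GATEWAY_IP),   # broadcast request
    build_arp(2, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),           # legitimate reply
    build_arp(2, ATTACKER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),          # spoofed reply
)]

if __name__ == "__main__":
    for p in SAMPLE:
        print(info_line(p))
    print("duplicates:", find_duplicate_addresses(SAMPLE))
```

In a real capture you would feed `find_duplicate_addresses` the ARP packets from the whole session; a gateway IP that maps to two MACs for more than a moment is worth investigating, while a single change right after a device reboot is usually just a replaced NIC.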
• 32. ANALYSING DHCP PROTOCOL PACKETS We know that DHCP is the protocol that automatically hands out an IP address, subnet mask, gateway and DNS server to a machine that joins the network. In this section we will examine DHCP packets. First let's see what our IP address is: Code: ipconfig
• 33. Then choose our interface in Wireshark. The traffic flow starts to be listed. Now we need to release our IP address. Code: ipconfig /release
• 34. And then we need to renew it. Code: ipconfig /renew After getting the new IP address, go back to Wireshark and filter on "bootp" (in Wireshark 3.0 and later the dissector was renamed, so the filter is "dhcp").
• 35. At the top we can see the traffic that happened when we released our IP address. Below it we see the exchange itself: the client sends from UDP port 68 to the server's port 67, and the server answers from port 67 back to port 68. Here the client asked for an IP address by sending a DHCP Discover packet (to the broadcast address, since it has no address yet). The DHCP server that received it replied with a DHCP Offer packet. As you know, the Offer is the packet that proposes the addresses to the client. Let's examine this packet and see the offered values. Click on the DHCP Offer line and look at the details. Here they are, in the options section: subnet mask, router address, time offset, and the offered IP address (the "Your (client) IP address" field).
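Here is an added example (not code from the original article) that parses DHCP messages the way the detail pane does: the fixed BOOTP header, the magic cookie, and the TLV options that carry the message type, subnet mask, router, DNS servers, lease time and Server Identifier. It builds the Discover, Offer, Request, ACK exchange that the release/renew above produces, plus an Offer from a second, unexpected server, and includes the check a practitioner would run first when a rogue DHCP server is suspected. The addresses, MAC and transaction ID are constructed.

```python
"""Parse DHCP (BOOTP) messages: fixed header, magic cookie and TLV options.
Added example; the exchange, addresses and transaction ID are constructed."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}
FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # 236-byte BOOTP header


def build_dhcp(op, xid, yiaddr, chaddr, options):
    """op 1 = BOOTREQUEST (client, from port 68), 2 = BOOTREPLY (server, from port 67).
    options: list of (code, value bytes); option 53 carries the DHCP message type."""
    head = struct.pack(FIXED_FMT, op, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4,
                       IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                       chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return head + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(data):
    fields = struct.unpack(FIXED_FMT, data[:236])
    op, hlen, xid, yiaddr, chaddr = fields[0], fields[2], fields[4], fields[8], fields[11]
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("BOOTP packet without DHCP magic cookie")
    options, i = {}, 240
    while i < len(data) and data[i] != 0xFF:      # 0xFF = End option
        if data[i] == 0:                           # 0 = Pad option, has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": str(IPv4Address(yiaddr)),
            "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]), "options": options}


def summarize(msg):
    """The values Wireshark shows in the Offer/ACK detail pane."""
    o = msg["options"]
    ip = lambda raw: str(IPv4Address(raw))
    return {"type": MESSAGE_TYPES.get(o[53][0], "?") if 53 in o else "BOOTP",
            "your_ip": msg["yiaddr"],
            "subnet_mask": ip(o[1]) if 1 in o else None,
            "router": ip(o[3][:4]) if 3 in o else None,
            "dns": [ip(o[6][k:k + 4]) for k in range(0, len(o[6]), 4)] if 6 in o else [],
            "lease_seconds": struct.unpack("!I", o[51])[0] if 51 in o else None,
            "server_id": ip(o[54]) if 54 in o else None}


def offers_from_unexpected_servers(msgs, trusted_server):
    """Server Identifiers (option 54) of Offers/ACKs that did not come from the DHCP
    server we expect. Nothing in DHCP is authenticated, so this is the first check."""
    found = [summarize(m) for m in msgs]
    return [s["server_id"] for s in found
            if s["type"] in ("Offer", "ACK") and s["server_id"] != trusted_server]


# Constructed exchange (same transaction ID throughout, as in a real renew).
CLIENT_MAC = bytes.fromhex("66778899aabb")
XID = 0x3903F326
SERVER, ROGUE = "192.168.1.1", "192.168.1.66"


def lease_options(msg_type, server):
    return [(53, bytes([msg_type])), (54, IPv4Address(server).packed),
            (51, struct.pack("!I", 86400)), (1, IPv4Address("255.255.255.0").packed),
            (3, IPv4Address(server).packed),
            (6, IPv4Address(server).packed + IPv4Address("9.9.9.9").packed)]


EXCHANGE = [
    build_dhcp(1, XID, "0.0.0.0", CLIENT_MAC, [(53, b"\x01"), (55, b"\x01\x03\x06")]),
    build_dhcp(2, XID, "192.168.1.50", CLIENT_MAC, lease_options(2, SERVER)),
    build_dhcp(1, XID, "0.0.0.0", CLIENT_MAC, [(53, b"\x03"), (50, IPv4Address("192.168.1.50").packed),
                                              (54, IPv4Address(SERVER).packed)]),
    build_dhcp(2, XID, "192.168.1.50", CLIENT_MAC, lease_options(5, SERVER)),
    build_dhcp(2, XID, "192.168.1.200", CLIENT_MAC, lease_options(2, ROGUE)),   # rogue offer
]
PARSED = [parse_dhcp(p) for p in EXCHANGE]

if __name__ == "__main__":
    for m in PARSED:
        print(summarize(m))
    print("unexpected servers:", offers_from_unexpected_servers(PARSED, SERVER))
```

The rogue Offer stands out because its Server Identifier, router and DNS options all point at 192.168.1.66; a client that accepts it has its gateway and name resolution redirected, which is why an unexpected server in the Offer/ACK lines of a capture deserves immediate attention.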
• 36. And check the one below it, where the DHCP Request is sent. This packet shows that the client accepted the offer from the DHCP server (it names the chosen server in the Server Identifier option). The server then confirms with a DHCP ACK, and the client starts using the offered parameters. Keep in mind that nothing in this exchange is authenticated: any host on the segment can answer a Discover, so when you review a capture, check that the Server Identifier in the Offer and ACK is the DHCP server you expect. ANALYSING DNS PROTOCOL PACKETS DNS is the protocol that resolves website domain names to IP addresses. Now we will examine it in Wireshark. Enter the command below to see the names you have resolved recently (the local resolver cache). Here is the entry for turkhackteam, for example.
• 37. Code: ipconfig /displaydns Now let's clear the DNS cache (this is the Windows resolver cache, not the browser cache). Code: ipconfig /flushdns Now check the table again.
• 38. Code: ipconfig /displaydns We can no longer see THT's IP address. Run Wireshark and ping the website from CMD. Code: ping www.turkhackteam.org We have sent a request to the website. Let's see what happened in Wireshark. Filter on "dns" and look. We can see the query first. Then the server sent a response that resolved the domain to an IP address. Query and response carry the same Transaction ID, which is how Wireshark (and your resolver) pair them. Here is the detailed version:
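The query/response pair above, as an added example (not code from the original article): a minimal DNS message parser that handles the header, the question, A and CNAME answers with name compression, and pairs responses to queries by Transaction ID and question the way a resolver does. The packets are constructed; 203.0.113.10 is a documentation address standing in for the site's real address.

```python
"""Minimal DNS message parser with name compression, plus query/response pairing.
Added example; the packets are constructed and 203.0.113.10 is a documentation
address, not the real address of the site."""
import struct
from ipaddress import IPv4Address


def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode()
                    for label in name.strip(".").split(".")) + b"\0"


def decode_name(data, pos):
    """Return (name, position after the name), following 0xC0 compression pointers."""
    labels, end = [], None
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:                          # pointer: 14-bit offset
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", data[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(data[pos:pos + length].decode())
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def build_query(txid, name, qtype=1):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, ip, ttl=300):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR=1, RD, RA, one answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # answer name is a pointer to offset 12, where the question name starts
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(ip).packed
    return header + question + answer


def parse_dns(data):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        name, pos = decode_name(data, pos)
        qtype, _qclass = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, pos = decode_name(data, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        if rtype == 1:
            answers.append((name, "A", str(IPv4Address(rdata)), ttl))
        elif rtype == 5:
            answers.append((name, "CNAME", decode_name(data, pos)[0], ttl))
        else:
            answers.append((name, str(rtype), rdata.hex(), ttl))
        pos += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def pair_by_txid(packets):
    """Match responses to queries by Transaction ID and question, as the resolver does.
    A response with no matching query (or a different question) is returned separately;
    that is what a spoofed or late answer looks like in a capture."""
    pending, pairs, unmatched = {}, [], []
    for p in packets:
        if not p["is_response"]:
            pending[p["txid"]] = p
        elif p["txid"] in pending and pending[p["txid"]]["questions"] == p["questions"]:
            pairs.append((p["txid"], p["questions"][0][0], p["answers"]))
        else:
            unmatched.append(p["txid"])
    return pairs, unmatched


# Constructed packets: the ping in the text triggers one A query and one response.
NAME = "www.turkhackteam.org"
QUERY = build_query(0x1A2B, NAME)
RESPONSE = build_response(0x1A2B, NAME, "203.0.113.10")
STRAY = build_response(0x9999, NAME, "203.0.113.99")       # no query carried this ID

if __name__ == "__main__":
    for raw in (QUERY, RESPONSE, STRAY):
        print(parse_dns(raw))
    print(pair_by_txid([parse_dns(QUERY), parse_dns(RESPONSE), parse_dns(STRAY)]))
```

Because the client only checks the 16-bit ID, the source port and the question, an attacker who can guess those can answer before the real server; the unmatched responses this function reports are exactly the packets to look at when that is suspected.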
• 39. ANALYSING HTTP PROTOCOL PACKETS This protocol works at the application layer and uses TCP at the transport layer. Let's say you open a website. TCP runs first: the three-way handshake is performed. If the handshake completes successfully, the connection is established and the request for the page is sent to the server with HTTP (a GET request). After that, the server starts sending the data (the HTTP response). You can see this whole process in Wireshark.
• 40. FOLLOW TCP/UDP STREAM FEATURE We can follow TCP and UDP streams with the Follow TCP/UDP Stream feature in Wireshark. This feature makes the traffic flowing in Wireshark much easier to understand. Based on everything we have learned up to this heading, we can say that it would be confusing for someone unfamiliar with it to read the TCP/IP traffic flowing over the network in Wireshark, and even if we are familiar with TCP/IP, reading the flow packet by packet without a filter is hard. I will show you how to make the traffic more readable: Wireshark reassembles the segments of one connection and shows them as a conversation. I opened a "pcap" file in Wireshark, right-clicked a packet that uses TCP, and chose "Follow TCP Stream" (in newer versions "Follow" > "TCP Stream"). A window opens. You can see the TCP conversation in different formats (ASCII, hex dump, raw) in this window, with the two directions in different colours, and you can read the source of the web page you visited. You can save this stream with "Save As".
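What Follow TCP Stream does under the hood is reassembly: ordering each direction's segments by sequence number, dropping retransmissions and noticing holes. As an added example (not code from the original article), the following rebuilds both directions of a small HTTP conversation from segments delivered out of order and once retransmitted, and marks missing bytes instead of silently gluing the data together. The request, response and ports are constructed.

```python
"""Rebuild both directions of a TCP conversation from out-of-order and
retransmitted segments, as "Follow TCP Stream" does. Added example; the
request, response and ports are constructed."""
import struct


def build_segment(sport, dport, seq, payload, flags=0x18):        # PSH, ACK
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0) + payload


def parse_segment(frame):
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", frame[:14])
    header_len = (off_flags >> 12) * 4            # data offset is in 32-bit words
    return {"src": sport, "dst": dport, "seq": seq, "payload": frame[header_len:]}


def reassemble(segments, client_port):
    """Return (client_to_server, server_to_client) byte strings.
    Per direction, segments are ordered by sequence number; a retransmission is
    dropped, an overlap is trimmed, and a hole is filled with '?' so that missing
    data is visible. Sequence wrap-around is not handled in this short version."""
    per_dir = {"c2s": {}, "s2c": {}}
    for s in segments:
        if s["payload"]:
            key = "c2s" if s["src"] == client_port else "s2c"
            per_dir[key].setdefault(s["seq"], s["payload"])     # first copy wins
    result = []
    for key in ("c2s", "s2c"):
        data, expected = b"", None
        for seq in sorted(per_dir[key]):
            payload = per_dir[key][seq]
            end = seq + len(payload)
            if expected is not None:
                if seq > expected:
                    data += b"?" * (seq - expected)               # hole
                elif seq < expected:
                    payload = payload[expected - seq:]            # overlap already seen
            data += payload
            expected = end if expected is None else max(expected, end)
        result.append(data)
    return tuple(result)


def first_line(stream):
    """Request line or status line, the part you read first in the Follow window."""
    return stream.split(b"\r\n", 1)[0].decode(errors="replace")


# Constructed conversation: one GET, a response split into three segments that
# arrive out of order, with the first response segment retransmitted once.
CLIENT, SERVER = 51000, 80
REQUEST = b"GET / HTTP/1.1\r\nHost: www.turkhackteam.org\r\n\r\n"
PARTS = [b"HTTP/1.1 200 OK\r\n", b"Content-Length: 5\r\n\r\n", b"hello"]


def server_seg(index):
    seq = 1 + sum(len(p) for p in PARTS[:index])       # relative seq, data starts at 1
    return build_segment(SERVER, CLIENT, seq, PARTS[index])


FRAMES = [build_segment(CLIENT, SERVER, 1, REQUEST),
          server_seg(2), server_seg(0), server_seg(1), server_seg(0)]
FRAMES_WITH_GAP = [build_segment(CLIENT, SERVER, 1, REQUEST), server_seg(0), server_seg(2)]

if __name__ == "__main__":
    c2s, s2c = reassemble([parse_segment(f) for f in FRAMES], CLIENT)
    print(c2s.decode())
    print(s2c.decode())
    print(reassemble([parse_segment(f) for f in FRAMES_WITH_GAP], CLIENT)[1])
```

The second run shows why the hole marker matters: with the Content-Length header segment missing, the reassembled response would otherwise read as a complete, valid message.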
• 41. EXPORT OBJECTS FEATURE You can find a file transferred in the traffic flow and save it in its original format. To use this feature, click the "File" menu and select "Export Objects". A submenu appears; select "HTTP".
• 42. A new window appears. You can see the transferred files in their real formats (images, scripts, HTML pages, downloads). You can also save them. Note that this only works for unencrypted HTTP; for HTTPS you need to decrypt the traffic first, as in the next section.
• 43. DECRYPTING SSL TRAFFIC In this section we will try to read network traffic that was encrypted with SSL/TLS. This is not password cracking: to decrypt it we need the server's private key (the RSA key). I downloaded a .pcap file and the matching .key file from the Internet. Now we open our pcap file. Then open the "Edit" menu and click "Preferences".
• 44. Now select "RSA Keys" (you can see it in the left bar), press "Add New Key File", select our .key file and press OK. Open the "File" menu, click "Export Objects" and then "HTTP". Now you can
• 45. see the decrypted data and save it. This works only when the connection used the RSA key exchange (cipher suites named TLS_RSA_...), where the client encrypts the pre-master secret with the server's public key. With (EC)DHE suites, and always with TLS 1.3, the session keys come from an ephemeral exchange and the server's private key cannot decrypt the capture; in that case you need a pre-master secret log (the SSLKEYLOGFILE that browsers can write), configured under the same TLS preferences. DISPLAYING THE SSL CERTIFICATE INSIDE SSL PACKETS Now we will extract the website's SSL certificate from the SSL packets we have displayed. It's enough to filter on "ssl" (in newer versions the filter is "tls").
• 46. Then click on a packet that carries the server's Certificate handshake message (any one will do as long as "Certificate" appears in its details) and expand the "Certificate" info. Right-click on "Certificate: .." and choose "Export Packet Bytes".
• 47. Then it asks where to save it. Choose a location and save it with a ".crt" or ".cer" extension; the exported bytes are the raw DER-encoded certificate, which Windows opens directly. Then open the saved file. Here is what mine looks like. Note that in TLS 1.3 the Certificate message is encrypted, so this only works on TLS 1.2 and earlier captures (or after decrypting).
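For both of the last two sections (decrypting with the server's RSA key, and exporting the certificate bytes), here is an added example that is not code from the original article. It walks the TLS records of a server's handshake flight, reads the ServerHello to tell whether the negotiated cipher suite is one the RSA private key can decrypt, and pulls the DER blobs out of the Certificate message, which is what "Export Packet Bytes" gives you. The records are constructed and the "certificate" is a placeholder byte string, not a real X.509 certificate; the cipher suite IDs are the IANA values.

```python
"""Walk TLS handshake records: decide whether the server's RSA private key can
decrypt the session, and extract the DER certificate(s). Added example; the
records are constructed and FAKE_DER is a placeholder, not a real certificate."""
import struct

HANDSHAKE, SERVER_HELLO, CERTIFICATE = 0x16, 0x02, 0x0B
# IANA cipher suite IDs; the key-exchange part of the name decides decryptability.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",          # TLS 1.3 suites carry no key exchange
    0x1302: "TLS_AES_256_GCM_SHA384",
}


def build_record(content_type, version, payload):
    return struct.pack("!BHH", content_type, version, len(payload)) + payload


def build_handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_server_hello(version, cipher_suite):
    body = (struct.pack("!H", version) + b"\x11" * 32        # legacy version + random
            + b"\x00"                                        # empty session id
            + struct.pack("!H", cipher_suite) + b"\x00")     # suite + null compression
    return build_handshake(SERVER_HELLO, body)


def build_certificate_msg(der_certs):
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in der_certs)
    return build_handshake(CERTIFICATE, len(entries).to_bytes(3, "big") + entries)


def iter_handshake_messages(stream):
    """Yield (msg_type, body) for every handshake message in a stream of TLS records.
    Handshake messages may span several records, so record payloads are joined first."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        pos += 5
        if ctype == HANDSHAKE:
            buf += stream[pos:pos + length]
        pos += length
    i = 0
    while i + 4 <= len(buf):
        mtype, mlen = buf[i], int.from_bytes(buf[i + 1:i + 4], "big")
        yield mtype, buf[i + 4:i + 4 + mlen]
        i += 4 + mlen


def parse_server_hello(body):
    version, = struct.unpack("!H", body[:2])
    sid_len = body[34]
    suite, = struct.unpack("!H", body[35 + sid_len:37 + sid_len])
    return {"version": version, "cipher_suite": suite,
            "name": CIPHER_SUITES.get(suite, f"0x{suite:04x}")}


def rsa_key_can_decrypt(hello):
    """True only for static RSA key exchange (TLS_RSA_* suites), where the client
    encrypts the pre-master secret with the server's public key. (EC)DHE suites and
    all TLS 1.3 suites use an ephemeral exchange, so the private key does not help;
    an SSLKEYLOGFILE is needed instead. TLS 1.3 is recognised here by its suite IDs
    only; this short parser does not read the supported_versions extension."""
    return hello["name"].startswith("TLS_RSA_")


def extract_certificates(body):
    """Return the DER blobs of a Certificate message, leaf certificate first."""
    total = int.from_bytes(body[:3], "big")
    certs, i = [], 3
    while i < 3 + total:
        n = int.from_bytes(body[i:i + 3], "big")
        certs.append(body[i + 3:i + 3 + n])
        i += 3 + n
    return certs


def analyze_server_flight(stream):
    result = {"hello": None, "certificates": []}
    for mtype, body in iter_handshake_messages(stream):
        if mtype == SERVER_HELLO:
            result["hello"] = parse_server_hello(body)
        elif mtype == CERTIFICATE:
            result["certificates"] = extract_certificates(body)
    return result


# Constructed flights. FAKE_DER only mimics the SEQUENCE header a real DER certificate starts with.
FAKE_DER = b"\x30\x82\x00\x10" + b"\xAB" * 16
CERT_MSG = build_certificate_msg([FAKE_DER])
TLS12_RSA = (build_record(HANDSHAKE, 0x0303, build_server_hello(0x0303, 0x002F))
             + build_record(HANDSHAKE, 0x0303, CERT_MSG[:10])       # certificate split
             + build_record(HANDSHAKE, 0x0303, CERT_MSG[10:]))      # across two records
TLS12_ECDHE = (build_record(HANDSHAKE, 0x0303, build_server_hello(0x0303, 0xC02F))
               + build_record(HANDSHAKE, 0x0303, CERT_MSG))
TLS13 = build_record(HANDSHAKE, 0x0303, build_server_hello(0x0303, 0x1301))   # Certificate is encrypted

if __name__ == "__main__":
    for name, flight in (("RSA", TLS12_RSA), ("ECDHE", TLS12_ECDHE), ("TLS 1.3", TLS13)):
        r = analyze_server_flight(flight)
        print(name, r["hello"]["name"], "decryptable with RSA key:", rsa_key_can_decrypt(r["hello"]),
              "certs:", len(r["certificates"]))
```

If you apply this to a real capture and the ServerHello names an ECDHE or TLS 1.3 suite, adding the .key file in the preferences will do nothing; capture with a key log file instead.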
• 48. CONVERTING VOIP PACKETS TO VOICE Let me talk about the RTP protocol and VoIP first. RTP is the protocol used for end-to-end transport in communication that carries media. VoIP is the structure used for voice calls over IP networks. In this protocol, voice is sent to the other side as packets, and this section is about converting those packets back to voice. First of all, we need to see the traffic that uses RTP. I opened an example .pcap file containing RTP. Then go to the "Telephony" menu and find RTP > RTP Streams.
• 49. We have two different streams (one per direction of the call). Choose one and click "Analyze".
• 50. We should see a screen like this. Just hit "Play Streams".
• 51. We got the voice from the packets here. Click "Play" to listen to it. We can even check the date and time of the voice. Since plain RTP carries the audio unencrypted (unlike SRTP), anyone who can capture the packets can replay the call the same way.
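The RTP Streams and Stream Analysis windows above are built from the 12-byte RTP header: packets are grouped by SSRC, the payload type says which codec to decode, and gaps in the sequence numbers are counted as lost packets. As an added example (not code from the original article), the following does that grouping and reports the same per-stream figures for a constructed two-stream capture; the arrival timestamps are constructed and the payload bytes are dummies, so this does not decode audio.

```python
"""Parse RTP headers and group packets into streams by SSRC, reporting what the
RTP Streams / Stream Analysis windows show: payload type, packet count, lost
packets and max delta between arrivals. Added example; packets, timestamps and
SSRCs are constructed, payloads are dummy bytes."""
import struct

PAYLOAD_TYPES = {0: "PCMU (G.711 u-law)", 8: "PCMA (G.711 A-law)", 9: "G722", 18: "G729"}


def build_rtp(pt, seq, ts, ssrc, payload=b"\xff" * 160):
    # V=2, no padding/extension/CSRC; marker bit clear; 160 samples = 20 ms of G.711
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq, ts, ssrc) + payload


def parse_rtp(data):
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    csrc_count = b0 & 0x0F
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq, "ts": ts,
            "ssrc": ssrc, "payload": data[12 + 4 * csrc_count:]}


def rtp_streams(packets):
    """packets: list of (arrival_time_seconds, rtp_bytes). Returns per-SSRC stats.
    Lost = sequence numbers never seen between the first and last one; the 16-bit
    wrap-around at 65535 is not handled in this short version."""
    streams = {}
    for t, raw in packets:
        p = parse_rtp(raw)
        s = streams.setdefault(p["ssrc"], {"pt": PAYLOAD_TYPES.get(p["pt"], str(p["pt"])),
                                           "seqs": [], "times": []})
        s["seqs"].append(p["seq"])
        s["times"].append(t)
    report = {}
    for ssrc, s in streams.items():
        seqs = sorted(set(s["seqs"]))
        expected = seqs[-1] - seqs[0] + 1
        deltas = [b - a for a, b in zip(s["times"], s["times"][1:])]
        report[f"0x{ssrc:08x}"] = {
            "payload": s["pt"], "packets": len(s["seqs"]),
            "lost": expected - len(seqs),
            "max_delta_ms": round(max(deltas) * 1000, 1) if deltas else 0.0}
    return report


# Constructed call: stream A (caller) loses packet 3; stream B (callee) is clean.
CAPTURE = [
    (0.000, build_rtp(0, 1, 0, 0x1234ABCD)),
    (0.020, build_rtp(0, 2, 160, 0x1234ABCD)),
    (0.080, build_rtp(0, 4, 480, 0x1234ABCD)),      # seq 3 never arrived
    (0.100, build_rtp(0, 5, 640, 0x1234ABCD)),
    (0.000, build_rtp(8, 100, 0, 0xDEADBEEF)),
    (0.020, build_rtp(8, 101, 160, 0xDEADBEEF)),
    (0.040, build_rtp(8, 102, 320, 0xDEADBEEF)),
]

if __name__ == "__main__":
    for ssrc, stats in rtp_streams(CAPTURE).items():
        print(ssrc, stats)
```

To actually hear the call, each stream's payload would be decoded with the codec its payload type names (G.711 u-law or A-law here) and written out as 8 kHz PCM, which is what "Play Streams" does for you.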
• 52. EXPERT INFO FEATURE This feature shows the user notes, warnings and errors about the packets captured from the network traffic. To use it, some network traffic needs to have been captured first. When that's done, we can see the messages and their source. Click on the icon I showed in the screenshot below (the coloured circle at the bottom-left of the status bar).
• 53. A new window is displayed now. This is the warning message. You can see that it's quite detailed too. If there is more than one message, click on one of them and see its details. We can even filter these messages. Click on the "Show" button and choose what you want (severity: Error, Warning, Note, Chat).
• 54. MERGING CAPTURED TRAFFIC FLOWS With this process, we will merge separately captured traffic flows into one file. Open your .pcap file first. Then find "Merge" in the "File" menu to merge it with the other one.
• 55. When we click Open, those two captures are now merged in Wireshark (by default the packets are interleaved in chronological order).
• 57. Now let's save the merged packets as one file. Find "Save As" in the "File" menu. Choose your folder, enter the file name, and click "OK". Now they are in one .pcap file. That's all we can give. Take care!