Packet sniffing guide

  1. Ethereal Guide for Windows: Sniffing the glue that holds the Internet together™
  2. Description

  Ethereal is a free network protocol analyzer for UNIX and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.

  Installation

  This resource can be obtained as a 7.3 MB [approx.] download. Currently it can be run on the following platforms: AIX, Compaq (formerly Digital) Tru64 Unix, Debian GNU/Linux, FreeBSD, HP-UX, Irix, LinuxPPC, Linux Mandrake, MacOS X, NetBSD, OpenBSD, Red Hat Linux, s/390 (Linux), SCO UnixWare 7, Solaris/Intel, Solaris/SPARC, Slackware Linux, SuSE Linux and Windows 9x/NT (95/98/ME, NT4/2000/XP).

  Installation for Windows

  You must first download and install the WinPcap driver: Ethereal requires it to capture packets sent via your NIC. Then download and install the Ethereal binary.

  ©All rights Pack produced by Page 2 of 18
  3. How does a packet sniffer work?

  “If, he thought to himself, such a machine is a virtual impossibility, then it must logically be a finite improbability. So all I have to do in order to make one is to work out exactly how improbable it is, feed that figure into the finite improbability generator, give it a fresh cup of really hot tea ... and turn it on!” Douglas Adams, Hitch Hikers Guide to the Galaxy

  [Diagram: network medium → NIC or other network interface device → probe (capture driver) inside the operating system → packet sniffer application, covering OSI layers 7 down to 2]

  The packet sniffer uses the probe to act as a ‘buffer’ that captures a copy of data packets in normal transit to and from the computer. It has no direct impact on the normal running of the computer or the network, effectively acting as a parasite.

  “A program and/or device that monitors data travelling over a network. Sniffers can be used both for legitimate network management functions and for stealing information off a network. Unauthorized sniffers can be extremely dangerous to a network's security because they are virtually impossible to detect and can be inserted almost anywhere. This makes them a favourite weapon in the hacker's arsenal.”
  4. Familiarisation with Ethereal

  Ethereal is comprised of three main windows, or panes.

  1. The top pane is the packet list pane. It displays a summary of each packet captured. By clicking on packets in this pane you control what is displayed in the other two panes.
  2. The middle pane is the tree view pane. It displays the packet selected in the top pane in more detail.
  3. The bottom pane is the data view pane. It displays the data from the packet selected in the top pane, and highlights the field selected in the tree view pane.

  In addition to the three main panes, there are four elements of interest at the bottom of the Ethereal main window.

  A. The lower leftmost button, labeled "Filter:", can be clicked to bring up the filter construction dialog.
  B. The left middle text box provides an area to enter or edit filter strings. This is also where the current filter in effect is displayed. You can click on the pull-down arrow to select a past filter string from a list.
  C. The right middle button, labeled "Reset", clears the current filter.
  D. The right text box displays informational messages. These messages may indicate whether or not you are capturing, or what file you have read into the packet list pane if you are not capturing. If you have selected a protocol field from the tree view pane and it is possible to filter on that field, then the filter label for that protocol field will be displayed.
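The filter box described in element B takes display filter strings: a protocol name on its own, field comparisons such as `ip.src == 192.168.1.10`, and the `!`, `&&` and `||` operators. The following is an added example, not Ethereal's own filter engine, showing how such a string is parsed and evaluated; the packet summaries it runs over are constructed dictionaries, not a real capture, and the field names mirror the ones Ethereal shows in the tree view pane.

```python
"""Miniature evaluator for Ethereal-style display filter strings.
Example code added to this guide; not Ethereal's implementation."""
import re

# Tokens: parentheses, the operators, and bare words (field names, protocol names, values).
TOKENS = re.compile(r"\(|\)|&&|\|\||==|!=|!|[^\s()!=&|]+")


class FilterError(ValueError):
    """Raised for a filter string that does not parse."""


class DisplayFilter:
    """Recursive-descent parser for
       expr := and ('||' and)*
       and  := not ('&&' not)*
       not  := '!' not | atom
       atom := '(' expr ')' | field ('==' | '!=') value | protocol"""

    def __init__(self, text: str):
        self.tokens = TOKENS.findall(text)
        self.pos = 0
        self.tree = self._or()
        if self.pos != len(self.tokens):
            raise FilterError("unexpected token %r" % self.tokens[self.pos])

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _or(self):
        node = self._and()
        while self._peek() == "||":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() == "&&":
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self):
        if self._peek() == "!":
            self._take()
            return ("not", self._not())
        return self._atom()

    def _atom(self):
        tok = self._take()
        if tok is None:
            raise FilterError("unexpected end of filter")
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise FilterError("missing ')'")
            return node
        if tok in ("&&", "||", "==", "!=", ")"):
            raise FilterError("unexpected operator %r" % tok)
        if self._peek() in ("==", "!="):
            op = self._take()
            value = self._take()
            if value is None or not re.fullmatch(r"[^\s()!=&|]+", value):
                raise FilterError("missing value after %r" % op)
            return ("cmp", tok, op, value)
        return ("has", tok)

    def matches(self, packet: dict) -> bool:
        return self._eval(self.tree, packet)

    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "has":                    # protocol present, or field present
            return node[1] in pkt["protocols"] or node[1] in pkt
        field, op, value = node[1], node[2], node[3]
        if field not in pkt:                 # absent field: both == and != are false
            return False
        return (str(pkt[field]) == value) == (op == "==")


# Constructed packet summaries standing in for the packet list pane.
SAMPLE_PACKETS = [
    {"no": 1, "protocols": {"eth", "ip", "icmp"}, "ip.src": "192.168.1.10", "ip.dst": "192.168.1.1", "icmp.type": 8},
    {"no": 2, "protocols": {"eth", "ip", "icmp"}, "ip.src": "192.168.1.1", "ip.dst": "192.168.1.10", "icmp.type": 0},
    {"no": 3, "protocols": {"eth", "ip", "tcp", "http"}, "ip.src": "192.168.1.10", "ip.dst": "203.0.113.5", "tcp.dstport": 80},
    {"no": 4, "protocols": {"eth", "arp"}, "arp.opcode": 1},
]


def apply_filter(text: str, packets=SAMPLE_PACKETS):
    """Return the capture sequence numbers of the packets the filter keeps."""
    flt = DisplayFilter(text)
    return [p["no"] for p in packets if flt.matches(p)]


def is_valid(text: str) -> bool:
    """True if the filter string parses (what the Filter box would accept)."""
    try:
        DisplayFilter(text)
        return True
    except FilterError:
        return False


if __name__ == "__main__":
    for f in ("icmp", "ip.src == 192.168.1.10 && !icmp", "arp || (icmp && icmp.type == 0)"):
        print("%-40s -> packets %s" % (f, apply_filter(f)))
```

Note the rule for an absent field: `tcp.dstport != 80` keeps nothing from the sample, because packets without a TCP layer have no `tcp.dstport` at all, so neither comparison holds for them. That is also how Ethereal treats a comparison against a field the packet does not carry, and it catches people out when they expect `!=` to mean "everything except".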
  5. Starting a capture session

  Firstly, and almost obviously, select Capture/Start. If your computer has more than one network interface device [for example, a network interface card and a modem], select the interface to capture on. You can limit the size of captured packets [especially useful when avoiding HTTP traffic]; normally this is not set. Set session termination options if required. Use DNS or another service to resolve names to addresses where possible, if required. Click OK to start.
  6. Whilst traffic capture is taking place

  Not the most exciting part of the process. The time taken can be based on either how many packets you want to analyse or how much time you wish to spend; network administrators can leave Ethereal running for hours. Click on Stop when you have over 100 packets. If your system is not generating useful traffic, open a DOS/Command window and type:

      > ping -t
  7. So what do we get from a traffic capture?

  "Come on," he droned, "I've been ordered to take you down to the bridge. Here I am, brain the size of a planet and they ask me to take you down to the bridge. Call that job satisfaction? ‘Cos I don't." Marvin the Paranoid Android

  The packet list pane shows, for each packet:

  - the capture sequence number;
  - the time elapsed since the start of the capture;
  - the source address [from whence it came!];
  - the destination address [to where it goes];
  - the protocol, i.e. what type of packet it is;
  - a brief summary of the contents/role of the packet.
  8. The tree view pane

  The tree view pane shows, layer by layer:

  - the hardware [MAC] address of the device the packet is going to;
  - the hardware [MAC] address of the device the packet originated from;
  - the network layer protocol;
  - the specific protocol of the data packet;
  - the destination network layer [3] address of the packet [note that Ethereal attempts name resolution];
  - the source network layer [3] address of the packet.

  It's worth noting that I have captured an ICMP [Ping!] packet.
  9. The data view pane

  The data view pane shows a hexadecimal dump of the ‘binary’ data bytes sent in the data packet. TIP: click on one of the numbers and its counterpart in the tree view window will be highlighted.

  Alongside it is an ASCII dump of the data packet. Many network services transmit in ‘plain text’, which means that we can see the contents of many data packets. The Windows version of Ping! sends the ASCII alphabet A-W.
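The three panes on slides 7 to 9 are three views of the same bytes: a one-line summary, the decoded fields of each layer, and the raw hex/ASCII dump. The following added example (not code from the guide or from Ethereal) builds one ICMP echo request by hand, with the 32-byte a..w pattern that Windows ping carries, and then dissects it from layer 2 up the way the panes present it. The MAC and IP addresses are constructed values, and the checksum verification shows how a dissector tells a well-formed header from a corrupted one.

```python
"""Dissect one Ethernet/IPv4/ICMP frame into packet-list, tree-view and
data-view form.  Example code added to this guide; the frame is constructed."""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum used by the IPv4 and ICMP headers.
    Run over a header that already contains its checksum, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(src_mac, dst_mac, src_ip, dst_ip, ident=1, seq=1) -> bytes:
    """Constructed ICMP echo request with the 32-byte payload Windows ping sends:
    the lowercase alphabet a..w followed by a..i (the slides' "A-W")."""
    payload = bytes(range(ord("a"), ord("w") + 1)) + bytes(range(ord("a"), ord("i") + 1))
    icmp = bytearray(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0,
                               128, 1, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip)))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")      # EtherType IPv4
    return eth + bytes(ip) + bytes(icmp)


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def dissect(frame: bytes) -> dict:
    """The tree view pane: decoded fields, layer 2 first, then 3, then ICMP."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fields = {"eth.dst": mac_str(dst), "eth.src": mac_str(src), "eth.type": ethertype}
    if ethertype != 0x0800:                          # not IPv4: stop at layer 2
        return fields
    ihl = (frame[14] & 0x0F) * 4                     # header length in bytes
    _, _, total_len, _, _, ttl, proto, _, s_ip, d_ip = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    fields.update({"ip.src": socket.inet_ntoa(s_ip), "ip.dst": socket.inet_ntoa(d_ip),
                   "ip.ttl": ttl, "ip.proto": proto,
                   "ip.checksum_ok": checksum(frame[14:14 + ihl]) == 0})
    if proto == 1:                                   # ICMP
        icmp = frame[14 + ihl:14 + total_len]
        typ, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        fields.update({"icmp.type": typ, "icmp.code": code, "icmp.id": ident, "icmp.seq": seq,
                       "icmp.data": icmp[8:], "icmp.checksum_ok": checksum(icmp) == 0})
    return fields


ICMP_TYPES = {0: "Echo (ping) reply", 8: "Echo (ping) request"}


def summary(fields: dict) -> str:
    """The packet list pane: source, destination, protocol and a short info column."""
    if "icmp.type" in fields:
        info = ICMP_TYPES.get(fields["icmp.type"], "type %d" % fields["icmp.type"])
        return "%s -> %s ICMP %s" % (fields["ip.src"], fields["ip.dst"], info)
    if "ip.src" in fields:
        return "%s -> %s IP proto %d" % (fields["ip.src"], fields["ip.dst"], fields["ip.proto"])
    return "%s -> %s EtherType 0x%04x" % (fields["eth.src"], fields["eth.dst"], fields["eth.type"])


def hexdump(data: bytes, width: int = 16) -> str:
    """The data view pane: offset, hex bytes, printable ASCII (dots elsewhere)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %s  %s" % (off, hexpart, ascii_part))
    return "\n".join(lines)


if __name__ == "__main__":
    frame = build_echo_request("00:0c:29:ab:cd:ef", "00:50:56:c0:00:08", "192.168.1.10", "192.168.1.1")
    decoded = dissect(frame)
    print(summary(decoded))
    for name, value in decoded.items():
        print("  %-18s %r" % (name, value))
    print(hexdump(frame))
```

The last line of the dump ends in `abcdefghi`, the tail of the ping pattern the slide describes; the two `checksum_ok` flags are what a dissector uses to flag a damaged header, which Ethereal reports in the tree view rather than silently decoding garbage.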
  10. So what protocols does Ethereal support?

  Currently [23/08/2002] Ethereal supports 280 protocols:

  802.1q Virtual LAN Cisco SLARP GPRS Tunneling 802.1x Authentication Common Open Policy Protocol v0 Address Resolution Service GPRS Tunneling Protocol Common Unix Protocol v1 Ad hoc On-demand Printing System Hummingbird NFS Distance Vector (CUPS) Browsing Daemon Routing Protocol Protocol Hypertext Transfer Ad hoc On-demand Data Protocol Distance Vector Datagram Delivery ICQ Protocol Routing Protocol v6 Protocol IEEE 802.11 wireless Aggregate Server Data Link SWitching LAN Access Protocol Data Stream Interface IEEE 802.11 wireless Andrew File System DCE RPC LAN management (AFS) DCE/RPC frame AOL Instant Conversation Manager ILMI Messenger DCE/RPC Endpoint Inter-Access-Point Apache JServ Protocol Mapper Protocol v1.3 DCE/RPC Remote Internet Cache Appletalk Address Management Protocol Resolution Protocol DCOM OXID Resolver Internet Content AppleTalk Filing DCOM Remote Adaptation Protocol Protocol Activation Internet Control AppleTalk Session DEC Spanning Tree Message Protocol Protocol Protocol Internet Control AppleTalk Transaction DHCPv6 Message Protocol v6 Protocol packet Diameter Protocol Internet Group Async data over ISDN Distance Vector Management Protocol (V.120) Multicast Routing Internet Message ATM Protocol Access Protocol ATM LAN Emulation Distributed Checksum Internet Printing Authentication Header Clearinghouse Protocol BACnet Virtual Link Protocol Internet Protocol Control Domain Name Service Internet Protocol Banyan Vines Dynamic DNS Tools Version 6 Banyan Vines Protocol Internet Relay Chat Fragmentation Encapsulating Security Internet Security Protocol Payload Association and Key Banyan Vines SPP Enhanced Interior Management Protocol Blocks Extensible Gateway Routing Internetwork Packet Exchange Protocol Protocol eXchange Boot Parameters Ethernet IP Payload Bootstrap Protocol Extensible Compression Border Gateway Authentication IPX Message Protocol Protocol IPX Routing Building Automation Fiber Distributed Data Information Protocol and Control Network Interface iSCSI APDU File Transfer Protocol ISDN Q.921-User Building Automation (FTP) Adaptation Layer and Control Network Frame ISDN User Part NPDU Frame Relay ISO 10589 ISIS InTRA Cisco Auto-RP FTP Data Domain Routeing Cisco Discovery GARP Multicast Information Exchange Protocol Registration Protocol Protocol Cisco Group GARP VLAN ISO 8073 COTP Management Protocol Registration Protocol Connection-Oriented Cisco HDLC General Inter-ORB Transport Protocol Cisco Hot Standby Protocol ISO 8473 CLNP Router Protocol Generic Routing ConnectionLess Cisco Interior Encapsulation Network Protocol Gateway Routing Gnutella Protocol ISO 8602 CLTP Protocol GPRS Tunneling ConnectionLess Cisco ISL Protocol Transport Protocol

  11. ISO 9542 ESIS MMS Message Routing Information Encapsulation Exchange Protocol Mobile IP ITU-T Modbus/TCP Recommendation Mount Service H.261 MSNIP: Multicast Java RMI Source Notification of Java Serialization Interest Protocol Kerberos MS Proxy Protocol Kernel Lock Manager MTP2 Peer Adaptation Label Distribution Layer Protocol MTP 2 Transparent Layer 2 Tunneling Proxy Protocol MTP 2 User Lightweight Directory Adaptation Layer Access Protocol MTP 3 User Line Printer Daemon Adaptation Layer Protocol Link Access Procedure Balanced Ethernet (LAPBETHER) Link Access Procedure Balanced (LAPB) Link Access Procedure, Channel D (LAPD) Link Aggregation Control Protocol Link Management Protocol (LMP) Linux cooked-mode capture Local Management Interface LocalTalk Link Access Protocol Logical-Link Control Lucent/Ascend debug output Message Transfer Part Level 2 Message Transfer Part Level 3 Microsoft Distributed File System Microsoft Exchange MAPI Microsoft Local Security Architecture Microsoft Network Logon Microsoft Registry Microsoft Security Account Manager Microsoft Server Service Microsoft Spool Subsystem Microsoft Telephony API Service Microsoft Windows Browser Protocol Microsoft Windows Lanman Remote API Protocol Microsoft Windows Logon Protocol Microsoft Workstation Service

  12. Multicast Router PPP Multilink Session Description DISCovery protocol Protocol Protocol Multicast Source PPP Multiplexing Session Initiation Discovery Protocol PPPMux Control Protocol MultiProtocol Label Protocol Short Message Peer to Switching Header PPP-over-Ethernet Peer Name Binding Discovery Signalling Connection Protocol PPP-over-Ethernet Control Part Name Management Session Simple Mail Transfer Protocol over IPX PPP Password Protocol NetBIOS Authentication Simple Network NetBIOS Datagram Protocol Management Protocol Service PPP VJ Compression Sinec H1 Protocol NetBIOS Name Service Pragmatic General Skinny Client Control NetBIOS over IPX Multicast Protocol NetBIOS Session Prism SliMP3 Service Protocol Independent Communication NetWare Core Multicast Protocol Protocol Q.2931 SMB MailSlot Network Data Q.931 Protocol Management Protocol Quake III Arena SMB Pipe Protocol Network File System Network Protocol SMB (Server Message Network Lock Quake II Network Block Protocol) Manager Protocol Protocol SNA-over-Ethernet Network News Quake Network SNMP Multiplex Transfer Protocol Protocol Protocol Network Status QuakeWorld Network Socks Protocol Monitor CallBack Protocol Spanning Tree Protocol Qualified Logical Link Protocol Network Status Control SPRAY Monitor Protocol Radio Access Network SS7 SCCP-User Network Time Application Part Adaptation Layer Protocol Radius Protocol SSCOP NFSACL Raw packet data Stream Control NFSAUTH Real Time Streaming Transmission Protocol NIS+ Protocol Syslog message NIS+ Callback Real-time Transport Systems Network NSPI Control Protocol Architecture Null/Loopback Real-Time Transport TACACS OpenBSD Packet Protocol TACACS+ Filter log file Remote Procedure Telnet Open Shortest Path Call Time Protocol First Remote Quota Time Synchronization PC NFS Remote Shell Protocol Point-to-Point Remote Wall protocol Token-Ring Protocol Resource ReserVation Token-Ring Media Point-to-Point Protocol (RSVP) Access Control Tunnelling Protocol RFC 2250 MPEG1 TPKT Portmap RIPng Transmission Control Post Office Protocol Rlogin Protocol Protocol PPP Bandwidth Routing Information Transparent Network Allocation Control Protocol Substrate Protocol Protocol Routing Table Trivial File Transfer PPP Bandwidth Maintenance Protocol Protocol Allocation Protocol RPC Browser Universal Computer PPP Callback Control RSTAT Protocol Protocol RX Protocol User Datagram PPP Challenge SADMIND Protocol Handshake SCSI Virtual Router Authentication Secure Socket Layer Redundancy Protocol Protocol Sequenced Packet Virtual Trunking PPP Compressed eXchange Protocol Datagram Service Advertisement Web Cache PPP Compression Protocol Coordination Protocol Control Protocol Service Location Wellfleet Compression PPP IP Control Protocol Who Protocol Session Announcement Wireless Session PPP Link Control Protocol Protocol Protocol

  13. Wireless Transaction Protocol Wireless Transport Layer Security X11 X.25 X.25 over TCP X Display Manager Control Protocol Yahoo Messenger Protocol Yellow Pages Bind Yellow Pages Passwd Yellow Pages Service Yellow Pages Transfer Zebra Protocol
  14. What can I do with my captured traffic?

  “It says that the effect of a Pan Galactic Gargle Blaster is like having your brains smashed out by a slice of lemon wrapped round a large gold brick.” A quote from the guide, Hitch Hikers Guide to the Galaxy

  Like all good applications, select File/Save. The traffic you have captured can be saved in many other sniffer formats, all of them readable in an ASCII text editor [Notepad, for example]. Save as mytraffic.txt in a location where you have read/write rights.
  15. Open the file mytraffic.txt in Notepad.

  Whilst the file will appear to be ‘garbage’, you can see the A-W plain text from each ICMP packet. Many hackers use this technique to locate plain-text passwords and logins. Try this on a web-surfing exercise and you will find the HTML source code for the web page.
  16. Other features

  This guide, like many, only scrapes the surface of the power of this application; please visit the project site, where you will find up-to-date guides and information on this resource.

  Ethereal can be run in a command-line environment and is supported by Tethereal and Editcap. The command-line synopsis is:

      ethereal [ -B byte view height ] [ -c count ] [ -f filter expression ] [ -h ] [ -i interface ] [ -k ] [ -m font ] [ -n ] [ -o preference setting ] ... [ -p ] [ -P packet list height ] [ -Q ] [ -r infile ] [ -R filter expression ] [ -S ] [ -s snaplen ] [ -T tree view height ] [ -t time stamp format ] [ -v ] [ -w savefile ]
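The `-w savefile` and `-r infile` options above read and write the libpcap capture format, and `-s snaplen` and `-c count` bound how much of each packet and how many packets are stored. The following added example (not Ethereal's code, and not the guide's) writes such a file from two constructed frames, reads it back, and then pulls out the printable runs that slide 15 finds by opening the file in Notepad. The MAC and IP addresses, timestamps and the HTTP request are constructed, and the IP/TCP checksums are left at zero because only the file format matters here; the helper names `frame`, `write_pcap`, `read_pcap` and `printable_runs` are this example's own.

```python
"""Write and read a libpcap capture file, honouring snaplen and count limits,
then list the cleartext runs in each stored packet.  Example code added to this
guide; not Ethereal's implementation."""
import io
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4          # files from a big-endian writer read back as 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def frame(l4_proto: int, l4_header: bytes, payload: bytes) -> bytes:
    """Ethernet II + IPv4 header around an L4 header and payload.  Constructed
    for the file-format demonstration only: checksums are left as zero."""
    eth = bytes.fromhex("000c29abcdef") + bytes.fromhex("005056c00008") + b"\x08\x00"
    total = 20 + len(l4_header) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 128, l4_proto, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    return eth + ip + l4_header + payload


def sample_frames():
    """Two constructed packets: an ICMP echo request carrying the 32-byte a..w
    pattern Windows ping sends, and a cleartext HTTP request over TCP."""
    icmp = frame(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1), b"abcdefghijklmnopqrstuvwabcdefghi")
    tcp_hdr = struct.pack("!HHIIBBHHH", 1025, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    http = frame(6, tcp_hdr, b"GET /index.html HTTP/1.0\r\nHost: intranet.example\r\n\r\n")
    return [icmp, http]


def write_pcap(frames, snaplen=65535, count=None, base_ts=1030000000) -> bytes:
    """Serialise frames as a libpcap file (what -w produces).  snaplen mirrors
    -s, count mirrors -c; timestamps are constructed from base_ts."""
    out = io.BytesIO()
    # global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, data in enumerate(frames):
        if count is not None and i >= count:
            break
        captured = data[:snaplen]       # only the first snaplen bytes are stored
        out.write(struct.pack("<IIII", base_ts + i, 1000 * i, len(captured), len(data)))
        out.write(captured)
    return out.getvalue()


def read_pcap(blob: bytes) -> dict:
    """Parse a libpcap file (what -r consumes), either byte order."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a libpcap file")
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(order + "IHHiIII", blob[:24])
    packets = []
    pos = 24
    while pos + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(order + "IIII", blob[pos:pos + 16])
        pos += 16
        if pos + incl_len > len(blob):
            raise ValueError("truncated record at offset %d" % pos)
        packets.append({"ts": ts_sec + ts_usec / 1e6, "data": blob[pos:pos + incl_len],
                        "orig_len": orig_len, "sliced": incl_len < orig_len})
        pos += incl_len
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "packets": packets}


def printable_runs(data: bytes, min_len: int = 4):
    """The Notepad trick from slide 15 done properly: every run of at least
    min_len printable ASCII bytes, which is where cleartext protocols show up."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    capture = read_pcap(write_pcap(sample_frames()))
    for n, pkt in enumerate(capture["packets"], 1):
        print(n, len(pkt["data"]), "bytes", "(sliced)" if pkt["sliced"] else "", printable_runs(pkt["data"]))
```

The `sliced` flag is the thing to check before trusting a capture: a file written with a small `-s` keeps the headers but drops the tail of each packet, so a reconstructed TCP stream or a payload search over it is incomplete. The run extractor finds both the ping pattern and the HTTP request line, which is exactly why a capture file should be treated as sensitive data and stored somewhere with restricted access.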