This document provides an overview of network sniffing and packet analysis using Wireshark. It discusses why sniffing is useful for understanding network activity, troubleshooting issues, and performing computer forensics. The document outlines topics like the basic techniques of sniffing, an introduction to Wireshark and its features, analyzing common network protocols, and examples of case studies sniffing could be used for. It emphasizes that patience is a prerequisite and encourages interactive discussion.

1. Network S niffing and P acket
Analysis Using Wireshark
C ombined null and O W A S P meet
B angalore
1101/0011/1010
ta m a g hna .ba s u@g m a il.c om
ta m a ha w k -tec hg uru.blo g s pot.c om
tw itter.c om /tita nla m bda

2. • D ifficult to put all these
things together
• E xisting sessions – 100 –
150 slides
• Time C onstraint

3. Topics
• Why?
• What?
• How ?
• B as ic sniffing techniques
• Intro to wireshark
• C losure look at protocols
• C ase S tudies

5. P rerequisite:
• P atience
• P atience
• P atience
AND
Or
M ay
be...

6. Why sniffing/packet analysis
• Why you?
• Why M e?
• Why O thers?

7. P urpose of sniffing and
packet analysis
● A million different things can go wrong with a computer network,
from a simple spyware infection to a complex router configuration
error.
● P acket level is the most basic level where nothing is hidden.
●Understand the network, who is on a network, whom your
computer is talking to, What is the network us age, any s uspicious
communication (D O S , botnet, Intrus ion attempt etc)
●Find uns ecured and bloated applications – FTP sends cleartext
authentication data
●O ne phase of computer forensic - could reveal data otherwise
hidden s omewhere in a 150 G B HD D .

8. What is this?
• Also known as packet sniffing, protocol analysis etc.
• Three P hases -
• C ollection – promiscuous mode
• C onversion – UI based tools are better
• Analysis – P rotocol level, setting rules etc
• G et various data like text content, files, clear text
authentication details etc.
• Tools
•S niffer – wireshark, cain and abel, tcpdump
(commnd line tool), networkminer
• P acket Analysis – wireshark, networkminer, xplico
etc

9. S niffing Techniques
• P romiscuous mode
• Hub environment
• S witch environment
• P ort mirroring
• Hubbing out the target network/machine
• AR P cache poisoning /AR P spoofing

10. Wireshark: History
G erald C ombs , a computer science graduate of
the University of M iss ouri at Kansas C ity,
originally developed it out of necessity.
The very firs t version of C ombs’ application,
called E thereal, was releas ed in 1998 under the
G NU P ublic Licens e (GP L).
E ight years after releasing E thereal, C ombs left
his job and rebranded the project as Wireshark
in mid-2006.

11. Wireshark: Features
• GPL
• Available in all platform
• Both live and offline analysis
• Understands almost all protocols, if not, add it – open
source
• Filter/search packets, E xpert's comment, Follow TC P
S tream, Flow G raph etc
• P lenty of tutorials /documentation available
• G et sample captured packets for study -
http:/ wiki.wireshark.org/ ampleC aptures
/ S
• D em o: L et's s ta rt ea ting . Feed yo ur bra in. :)

12. S tarters: P rotocol diagnosis
• AR P
• D HC P
•HTTP / PTC
• D NS
• FTP
• Telnet
• IC M P
• S M TP

13. D eserts: C ase S tudies
• FTP C rack
• B las ter worm
• OS fingerprinting
• P ort S canning
• IC M P C overt C hannel
• B rowser Hijacking - spyware

14. M outh Freshner: Honeynet C hallenge
• C hallenge 1
• P roblem S tatement
• Analysis
• Tools used
• S olution

15. M ainC ourse? ? ? ?
“Tell me and I forget. Show
me and I remember. Involve
me and I understand.” -
chinese proverb

16. Thank you for witnessing this
historical moment...
A ns w ers a nd D is c us s io ns ?
ta m a g hna .ba s u@g m a il.c om
ta m a ha w k -tec hg uru.blo g s pot.c om
tw itter.c om /tita nla m bda