Traffic Analysis–Wireshark
CIS 6395, Incident Response Technologies
Fall 2016, Dr. Cliff Zou
czou@cs.ucf.edu
Motivation for Network Monitoring
— Essential for network management
◦ Router and firewall policy
◦ Detecting abnormal behavior and errors in the network
◦ Access control
— Security management
◦ Detecting abnormal traffic
◦ Traffic logs for future forensic analysis
Tools Overview
— tcpdump
◦ Unix-based command-line tool that captures packets (via libpcap) and prints one summary line per packet
– Including filtering to just the packets of interest
— Wireshark
◦ GUI protocol analyzer: captures packets itself, and opens and dissects traces saved by tcpdump or tshark
tcpdump example
• Ran tcpdump on a Unix machine
• First few lines of the output. Each line reads: timestamp, "IP", source host.port > destination host.port, TCP flags ("." means none of S/F/R/P is set, "P" is PSH), seq:seq_end(payload length), ack number, window. tcpdump prints absolute sequence numbers for the first segment it sees in a connection and relative ones after that, which is why "ack 1268355216" becomes "ack 1" on the following lines:
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
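To make that line format concrete, here is an added Python example (not from the slides and not tcpdump code) that parses the four lines above into fields and checks that each (len) matches its sequence range. The regular expression and the record field names are my own; the sample text is the slide's output with the wrapped lines re-joined.

```python
import re
from collections import defaultdict

# The four lines from the slide, re-joined where the slide wrapped them (sample
# copied from the page; the host names are the ones tcpdump printed there).
SAMPLE = """\
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
"""

# <time> IP <src>.<sport> > <dst>.<dport>: <flags> [<seq>:<end>(<len>)] [ack <n>] win <w> ...
# Host and port are separated by the last '.', so the host groups are non-greedy.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): "
    r"(?P<flags>[.SFRPUEWC]+) "
    r"(?:(?P<seq>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)"
)
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}


def parse_line(line: str):
    """One tcpdump TCP summary line -> dict, or None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rec = {
        "ts": d["ts"], "src": d["src"], "sport": d["sport"],
        "dst": d["dst"], "dport": d["dport"],
        # '.' means none of S/F/R/P/U is set, i.e. a plain data or ACK segment
        "flags": {FLAG_NAMES.get(c, c) for c in d["flags"] if c != "."},
        "seq": int(d["seq"]) if d["seq"] else None,
        "length": int(d["length"]) if d["length"] else 0,
        "ack": int(d["ack"]) if d["ack"] else None,
        "win": int(d["win"]),
    }
    # The (len) tcpdump prints must equal end - start; anything else is a parse slip.
    if d["seq"] and int(d["seq_end"]) - rec["seq"] != rec["length"]:
        raise ValueError(f"inconsistent sequence range in {line!r}")
    return rec


def parse_text(text: str) -> list:
    """All parsable lines of a tcpdump text dump, in order."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def payload_by_direction(records) -> dict:
    """Payload bytes per (src, dst): which side of the session is moving data."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["src"], r["dst"])] += r["length"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_text(SAMPLE)
    for r in recs:
        print(r["ts"], f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]}',
              sorted(r["flags"]) or ["."], f'len={r["length"]} ack={r["ack"]}')
    print(payload_by_direction(recs))
```

On the slide's four lines this shows 3508 bytes flowing from the SSH server to the client and 48 bytes back, which is what you would expect from an interactive session that is mostly output.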
Filters
— We are often not interested in all packets flowing through the network
— Use filters to capture only packets of interest to us
— How to write filters?
◦ Refer to the pcap-filter man page (man pcap-filter) for capture-filter syntax; tcpdump, tshark and Wireshark capture filters all use it
◦ Many example web pages on the Internet
Example
1. Capture only UDP packets
• tcpdump "udp"
2. Capture only TCP packets
• tcpdump "tcp"
(Add -n to skip the reverse DNS lookup of every address and -i <interface> to choose the interface; without -i tcpdump picks a default interface.)
Example (contd.)
1. Capture only UDP packets with destination port 53 (DNS requests)
• tcpdump "udp dst port 53"
2. Capture only UDP packets with source port 53 (DNS replies)
• tcpdump "udp src port 53"
3. Capture only UDP packets with source or destination port 53 (DNS requests and replies)
• tcpdump "udp port 53"
(DNS also runs over TCP, e.g. zone transfers and responses too large for UDP; "port 53" without the "udp" qualifier catches both.)
Example (contd.)
1. Capture only packets destined to longwood.eecs.ucf.edu
• tcpdump "dst host longwood.eecs.ucf.edu"
2. Capture both DNS packets and TCP packets to/from longwood.eecs.ucf.edu
• tcpdump "(tcp and host longwood.eecs.ucf.edu) or udp port 53"
(A host name in a filter is resolved once, when the filter is compiled, so the filter matches the address the name had at that moment, not the name itself.)
Running tcpdump
— Requires superuser/administrator privileges (opening a raw capture socket)
◦ http://www.tcpdump.org/
◦ You can do it on your own Unix machine
◦ Or install a Linux OS in VMware on your Windows machine
◦ Least-privilege alternative on Linux: grant the binary cap_net_raw and cap_net_admin with setcap instead of running it as root, and use -Z <user> so tcpdump drops privileges once the interface is open
— tcpdump for Windows
◦ WinDump: http://www.winpcap.org/windump/
– Free software; WinPcap and WinDump are no longer maintained, so on current Windows use Npcap with the tshark/dumpcap bundled with Wireshark
So What is Wireshark?
— Packet sniffer/protocol analyzer
— Open source network tool
— Successor to Ethereal (the project was renamed Wireshark in 2006)
What is tshark?
— The command-line version of Wireshark
— Same dissectors and display-filter syntax, so a filter worked out in the GUI runs unchanged in a script: tshark -r trace.pcap -Y "<display filter>"
Network Layered Structure
— What is the Internet? A stack of layers, each one encapsulated in the one below:
◦ Application: Web, Email, VoIP
◦ Transport: TCP, UDP
◦ Network: IP
◦ Data Link: Ethernet, cellular
◦ Physical link
Wireshark Interface
◦ Screenshots of the main window and of the status bar
Capture Options
— Promiscuous mode asks the adapter to pass every frame it sees, not just frames addressed to it, so you can capture all traffic on the segment
— In many cases this still does not give you everything:
◦ The network driver or adapter does not support it (on Wi-Fi you need monitor mode instead)
◦ You are on a switched LAN: the switch only forwards frames addressed to your port, plus broadcast and multicast, so seeing other hosts' traffic needs a SPAN/mirror port or a TAP
Capture Filter
There are some pre-built capture filters that you can use (BPF syntax, the same as tcpdump):
Capture Filter examples
◦ host 10.1.11.24 (traffic to or from one address)
◦ host 192.168.0.1 and host 10.1.11.1 (traffic between two addresses)
◦ tcp port http (TCP port 80, either direction)
◦ ip (IPv4 only)
◦ not broadcast and not multicast (write the "and" explicitly; the slide's "not broadcast not multicast" omits it)
◦ ether host 00:04:13:00:09:a3 (by MAC address, source or destination)
Capture Buffer Usage
Display Filters (Post-Filters)
— Display filters (also called post-filters)
◦ Only filter the view of what you are seeing
◦ All packets in the capture still exist in the trace
— Display filters use their own syntax (protocol.field with comparison and logical operators) and are much more powerful than capture filters, because they act on fully dissected packets rather than on raw bytes
Display Filter
There are some basic pre-built display filters, too
Display Filter Examples
◦ ip.src == 10.1.11.0/24 (source address inside that /24)
◦ ip.addr == 192.168.1.10 && ip.addr == 192.168.1.20 (traffic between the two hosts in either direction; ip.addr matches source or destination)
◦ tcp.port == 80 || tcp.port == 3389 (HTTP or RDP, either port direction)
◦ !(ip.addr == 192.168.1.10 && ip.addr == 192.168.1.20) (everything except that pair)
◦ (ip.addr == 192.168.1.10 && ip.addr == 192.168.1.20) && (tcp.port == 445 || tcp.port == 139) (SMB between the pair)
◦ (ip.addr == 192.168.1.10 && ip.addr == 192.168.1.20) && (udp.port == 67 || udp.port == 68) (DHCP between the pair)
◦ tcp.dstport == 80 (destination port only)
— Caveat: ip.addr != 192.168.1.10 does not mean "neither address is that host"; the field occurs twice in a packet and != is true if either occurrence differs. Use !(ip.addr == 192.168.1.10) instead.
Display Filter
There are thousands of pre-defined protocol fields that you can use in the display filter!
TCP segment structure (the header as 32-bit words, top to bottom)
◦ Source port #, destination port # (16 bits each)
◦ Sequence number (32 bits): counting by bytes of data, not segments!
◦ Acknowledgement number (32 bits)
◦ Header length (4 bits), unused bits, and the flag bits U A P R S F:
– URG: urgent data (generally not used)
– ACK: ACK # valid
– PSH: push data now
– RST, SYN, FIN: connection establishment (setup, teardown commands)
◦ Receive window (16 bits): # bytes the receiver is willing to accept
◦ Checksum: Internet checksum (as in UDP)
◦ Urgent data pointer
◦ Options (variable length)
◦ Application data (variable length)
Display Filter
— Fields are named protocol.field, with sub-fields nested inside the protocol:
◦ To find a field name, expand the protocol in the packet details pane (click the "+" or ">" character) and select the field; its filter name appears in the status bar
◦ Field names are case-sensitive and lowercase: tcp.flags.syn, not Tcp.flags.syn
◦ Examples:
◦ tcp.srcport == 80
◦ tcp.flags == 2
– SYN packet (0x002, only the SYN bit set); equivalently tcp.flags.syn == 1 && tcp.flags.ack == 0
◦ tcp.flags == 18
– SYN/ACK (0x012)
◦ For the flag bit layout see the TCP segment structure above
Display Filter Expressions
— snmp || dns || icmp
◦ Display SNMP, DNS or ICMP traffic
— tcp.port == 25
◦ Display packets with TCP source or destination port 25
— tcp.flags
◦ Display packets that have a TCP flags field, i.e. every TCP segment
— tcp.flags.syn == 1
◦ Display packets with the TCP SYN flag set; this includes SYN/ACKs. (The slide wrote tcp.flags.syn == 0x02; older Wireshark versions accept that because any non-zero value counts as "set", but the field is a single bit, so compare against 1.)
If the filter syntax is correct, the filter bar is highlighted in green; a syntax error turns it red, and yellow means the filter is valid but may not do what you expect (for example ip.addr != x).
Correct syntax
Wrong syntax
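An added example, not Wireshark code and not part of the lecture, that ties the capture filters on the earlier slides and the display filters above to the bytes they test. It builds a few constructed frames (made-up addresses, ports and MACs: one DNS query and an SMTP handshake), writes them as a classic pcap you can open in Wireshark, dissects the IPv4/TCP/UDP headers with struct, and evaluates the slides' filters as predicates, so you can see why tcp.flags == 2 and tcp.flags == 18 are SYN and SYN/ACK and why tcp.flags.syn == 1 matches both. The FILTERS table, the helper names and the sample traffic are assumptions of this example.

```python
import socket
import struct

# TCP flag bits in the low byte of the 16-bit offset/flags word. Wireshark's
# tcp.flags is the 12-bit value (reserved bits + NS + these), so SYN is 0x002
# and SYN/ACK is 0x012: the "2" and "18" on the slides.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a header with a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, proto, sport, dport, payload=b"", tcp_flags=0, seq=0, ack=0):
    """Ethernet/IPv4/{TCP,UDP} frame with made-up MACs. The L4 checksum is left
    zero, which Wireshark reports as bad unless checksum validation is off."""
    if proto == "tcp":
        # data offset 5 (20-byte header, no options), window 65535, cksum 0, urg 0
        l4 = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, tcp_flags, 65535, 0, 0)
        ip_proto = 6
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
        ip_proto = 17
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64,
                     ip_proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("0004130009a3" "001122334455" "0800")  # dst MAC, src MAC, IPv4
    return eth + ip + l4


def write_pcap(path, frames):
    """Classic pcap: 24-byte global header (LINKTYPE_ETHERNET = 1) then one
    16-byte record header (ts sec, ts usec, captured len, original len) per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_600_000_000, i * 1000, len(frame), len(frame)))
            f.write(frame)


def dissect(frame: bytes) -> dict:
    """Wireshark-style field names for one IPv4 frame ({} for anything else)."""
    if frame[12:14] != b"\x08\x00":
        return {}
    ihl = (frame[14] & 0x0F) * 4
    ip, l4 = frame[14:14 + ihl], frame[14 + ihl:]
    fields = {"ip.src": socket.inet_ntoa(ip[12:16]), "ip.dst": socket.inet_ntoa(ip[16:20])}
    if ip[9] == 6:
        sport, dport, _seq, _ack, off, flags = struct.unpack("!HHIIBB", l4[:14])
        fields.update({
            "tcp.srcport": sport, "tcp.dstport": dport,
            "tcp.flags": ((off & 0x0F) << 8) | flags,   # the 12-bit field Wireshark shows
            "tcp.flags.syn": int(bool(flags & SYN)),
            "tcp.flags.ack": int(bool(flags & ACK)),
        })
    elif ip[9] == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        fields.update({"udp.srcport": sport, "udp.dstport": dport})
    return fields


# Display filters from the slides, expressed as predicates over the dissected fields.
FILTERS = {
    "udp.port == 53": lambda f: 53 in (f.get("udp.srcport"), f.get("udp.dstport")),
    "tcp.port == 25": lambda f: 25 in (f.get("tcp.srcport"), f.get("tcp.dstport")),
    "tcp.flags == 2": lambda f: f.get("tcp.flags") == 0x002,        # SYN only
    "tcp.flags == 18": lambda f: f.get("tcp.flags") == 0x012,       # SYN/ACK
    "tcp.flags.syn == 1": lambda f: f.get("tcp.flags.syn") == 1,    # SYN and SYN/ACK
    "tcp.flags.syn == 1 && tcp.flags.ack == 0":
        lambda f: f.get("tcp.flags.syn") == 1 and f.get("tcp.flags.ack") == 0,
}


def apply_filter(expr: str, frames) -> list:
    """0-based indices of the frames the display filter would leave visible."""
    return [i for i, fr in enumerate(frames) if FILTERS[expr](dissect(fr))]


# Constructed traffic: a DNS query for example.com, then an SMTP handshake and one data segment.
DNS_QUERY = bytes.fromhex("1a2b01000001000000000000") + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
SAMPLE_FRAMES = [
    build_packet("192.168.1.10", "192.168.1.1", "udp", 40000, 53, DNS_QUERY),
    build_packet("192.168.1.10", "192.168.1.20", "tcp", 50000, 25, tcp_flags=SYN, seq=1000),
    build_packet("192.168.1.20", "192.168.1.10", "tcp", 25, 50000, tcp_flags=SYN | ACK, seq=2000, ack=1001),
    build_packet("192.168.1.10", "192.168.1.20", "tcp", 50000, 25, tcp_flags=ACK, seq=1001, ack=2001),
    build_packet("192.168.1.10", "192.168.1.20", "tcp", 50000, 25, b"EHLO mail.example.com\r\n",
                 tcp_flags=PSH | ACK, seq=1001, ack=2001),
]

if __name__ == "__main__":
    write_pcap("sample.pcap", SAMPLE_FRAMES)   # open in Wireshark and try the filters below
    for expr in FILTERS:
        print(f"{expr:45s} -> frames {[i + 1 for i in apply_filter(expr, SAMPLE_FRAMES)]}")
```

Run it, open sample.pcap in Wireshark and type each key of FILTERS into the filter bar; the frame numbers printed (1-based, as Wireshark counts) should match what stays visible. The TCP and UDP checksums are zero, so either switch off checksum validation in the TCP and UDP protocol preferences or expect "bad checksum" expert notes.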
Save Filtered Packets as Text After Using Display Filter
— We can save all filtered packets in a text file for further analysis
— Operation: File → Export Packet Dissections → As Plain Text…
1. Under "Packet Range", select "Displayed" (not "Captured", which ignores the filter)
2. Under "Packet Format", choose "Summary line" and/or "Details"
Save Filtered Packets in Wireshark format After Using Display Filter
— We can also save all filtered packets in the original capture format (pcapng or pcap) for further analysis
— Operation:
1. Enter a display filter to show the packets you want
2. Edit → Mark All Displayed
3. File → Export Specified Packets…
4. Choose "Marked packets only" to save the file
— The Export Specified Packets dialog also has a "Displayed" column under Packet Range, so you can skip the marking step and export the displayed packets directly
Protocol Hierarchy
◦ Statistics → Protocol Hierarchy (screenshot)
Follow TCP Stream
◦ Analyze → Follow → TCP Stream (screenshot); right-clicking a packet offers the same entry
◦ red: data sent by the client (the side that opened the connection); blue: data sent by the server
Filter out/in Single TCP Stream
— When you click "Filter Out This Stream" in the Follow TCP Stream dialog, the new filter string looks like:
◦ http and !(tcp.stream eq 5)
— So, using "tcp.stream eq 5" as the filter string keeps only this HTTP session. tcp.stream is an index Wireshark assigns to every TCP connection (by address/port 4-tuple) in the order the connections first appear in the capture, starting at 0.
Expert Info
◦ Analyze → Expert Information (screenshot)
Conversations
◦ Statistics → Conversations (screenshot)
— Use the "Copy" button to copy the whole table to the clipboard (as CSV or YAML)
— Then paste it into a text file and analyze it to get whatever statistics you want
Find EndPoint Statistics
— Menu Statistics → Endpoints → "TCP" tab
— Click a column header to sort by that field
— "Tx": packets and bytes transmitted by the endpoint; "Rx": received by it
— Use the "Copy" button to copy the table to the clipboard, then analyze the text to get the statistics you want
Export HTTP Objects
— File → Export Objects → HTTP…
— Now you can save all files transmitted in web traffic (pages, images, downloads) straight out of the capture!
— Caveat: this only works for plaintext HTTP; HTTPS bodies stay encrypted unless the TLS session keys are supplied (for example a browser's SSLKEYLOGFILE, configured under Edit → Preferences → Protocols → TLS)
HTTP Analysis
— Statistics → HTTP → Load Distribution, Packet Counter, Requests
— Click the "Create Stat" button to build the table
— You can add a display filter to only show selected traffic
Improving Wireshark Performance
— Don't use capture filters
— Increase your read buffer size
— Don't update the screen dynamically
— Get a faster computer
— Use a TAP
— Don't resolve DNS hostnames
Post-Processing Text File
— For saved text-format packet files, further analysis needs coding or special tools
— One useful tool on Unix: grep
◦ Command-line utility for searching plain-text data sets for lines matching a regular expression
◦ On Windows: PowerGrep (http://www.powergrep.com/), or the built-in findstr and PowerShell Select-String
Basic usage of grep
— Command-line text-search program on Linux (the command name is lowercase; "Grep" is not found)
— Some useful usage:
◦ grep 'word' filename # print lines containing 'word'
◦ grep -v 'word' filename # print lines not containing 'word'
◦ grep '^word' filename # lines beginning with 'word'
◦ grep 'word' filename > file2 # write the matching lines to file2
◦ ls -l | grep rwxrwxrwx # list files whose mode is rwxrwxrwx (world-writable and executable)
◦ grep '^[0-4]' filename # lines beginning with any digit from 0 to 4
◦ grep -c 'word' filename # count the matching lines instead of printing them
◦ grep -i 'word' filename # match 'word' regardless of case
— Many tutorials on grep online
◦ http://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/
◦ http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/
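As an added example of the "coding" the post-processing slide refers to (not part of the lecture and not Wireshark code), the Python below parses a constructed summary-line export in the layout of File → Export Packet Dissections → As Plain Text and rebuilds the Endpoints, Conversations and Protocol Hierarchy tables from it, plus a grep-style selection on the Info column that covers the -v and -i cases above. The sample rows, addresses and the column regular expression are assumptions; real exports have the same columns but the widths vary between Wireshark versions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a "Summary line" plain-text export.
SAMPLE = """\
No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       192.168.1.10          192.168.1.20          TCP      74     50000 > 445 [SYN] Seq=0 Win=64240 Len=0
      2 0.000210       192.168.1.20          192.168.1.10          TCP      74     445 > 50000 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
      3 0.000250       192.168.1.10          192.168.1.20          TCP      66     50000 > 445 [ACK] Seq=1 Ack=1 Win=64256 Len=0
      4 0.001100       192.168.1.10          192.168.1.1           DNS      84     Standard query 0x1a2b A files.example.test
      5 0.002300       192.168.1.1           192.168.1.10          DNS      100    Standard query response 0x1a2b A files.example.test A 192.168.1.20
      6 0.003000       192.168.1.10          192.168.1.20          SMB2     180    Negotiate Protocol Request
      7 0.003900       192.168.1.20          192.168.1.10          SMB2     318    Negotiate Protocol Response
"""

# No. Time Source Destination Protocol Length, then everything else is Info.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")


def parse_summary(text: str) -> list:
    """One dict per packet row; the header line and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        no, t, src, dst, proto, length, info = m.groups()
        rows.append({"no": int(no), "time": float(t), "src": src, "dst": dst,
                     "proto": proto, "length": int(length), "info": info})
    return rows


def endpoint_stats(rows) -> dict:
    """Per-address Tx/Rx packets and bytes, like Statistics -> Endpoints."""
    stats = defaultdict(lambda: {"tx_pkts": 0, "tx_bytes": 0, "rx_pkts": 0, "rx_bytes": 0})
    for r in rows:
        stats[r["src"]]["tx_pkts"] += 1
        stats[r["src"]]["tx_bytes"] += r["length"]
        stats[r["dst"]]["rx_pkts"] += 1
        stats[r["dst"]]["rx_bytes"] += r["length"]
    return dict(stats)


def conversations(rows) -> dict:
    """Packets and bytes per unordered address pair, like Statistics -> Conversations."""
    conv = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for r in rows:
        key = tuple(sorted((r["src"], r["dst"])))
        conv[key]["pkts"] += 1
        conv[key]["bytes"] += r["length"]
    return dict(conv)


def protocol_counts(rows) -> dict:
    """Packets per top-level protocol column (a flat Protocol Hierarchy)."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["proto"]] += 1
    return dict(counts)


def grep(rows, pattern, invert=False, ignore_case=False):
    """grep on the Info column: invert is -v, ignore_case is -i."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [r for r in rows if bool(rx.search(r["info"])) != invert]


if __name__ == "__main__":
    rows = parse_summary(SAMPLE)
    for addr, s in sorted(endpoint_stats(rows).items()):
        print(f"{addr:15s} tx {s['tx_pkts']}/{s['tx_bytes']}B  rx {s['rx_pkts']}/{s['rx_bytes']}B")
    print(conversations(rows))
    print(protocol_counts(rows))
    print([r["no"] for r in grep(rows, "SYN")])
```

Swap SAMPLE for the contents of an exported file and the same functions give the per-host and per-pair totals you would otherwise read off the Endpoints and Conversations dialogs, in a form you can feed to further scripts.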
On-line Wireshark Trace Files
— Publicly available .pcap files:
◦ http://www.netresec.com/?page=PcapFiles
◦ http://www.tp.org/jay/nwanalysis/traces/Lab%20Trace%20Files/
— Wireshark wiki sample captures
◦ https://wiki.wireshark.org/SampleCaptures
Example Trace File and Questions
— Network Forensics Puzzle Contest
◦ http://forensicscontest.com/2010/02/03/puzzle-4-the-curious-mr-x
— SharkFest'15 Packet Challenge
◦ https://sharkfest.wireshark.org/assets/presentations15/packetchallenge.zip
