All Rights Reserved. Reproduction is Strictly Prohibited
What is Wireshark?
Wireshark is a network analyzer. It reads packets from the network, decodes them, and presents them in an easy-to-understand format.
Features of Wireshark include:
• It is distributed under the GPL.
• It is available for UNIX and Windows.
• It works in promiscuous and non-promiscuous modes.
• It can capture data from the network or read from a capture file.
• It supports tcpdump-format capture filters.
• It can read capture files from over 25 different products.
• It can filter and search the packets.
Example
To see just HTTP request packets (e.g., GET, POST, HEAD, and so on), type: http.request
Filter fields can also be compared against values, such as http.request.method == "GET" to see only HTTP GET requests. The comparison operators can be expressed using the following abbreviations and symbols:
• Greater than or equal to: ge, >=
• Less than or equal to: le, <=
Wireshark: Tshark
Tshark is the command-line version of Wireshark, which can be used to capture live packets from the wire or to read saved capture files.
By default, Tshark prints the summary line information to the screen.
This is the same information contained in the top pane of the Wireshark GUI.
Wireshark: Capinfos
Capinfos is a utility of Wireshark used for printing information about binary capture files.
$ capinfos -h
Capinfos
Prints information about capture files.
Usage: capinfos [-t] [-c] [-s] [-d] [-u] [-a] [-e] [-y] [-i] [-z] [-h] <capfile>
where
  -t display the capture type of <capfile>
  -c count the number of packets
  -s display the size of the file
  -d display the total length of all packets in the file (in bytes)
  -u display the capture duration (in seconds)
  -a display the capture start time
  -e display the capture end time
  -y display average data rate (in bytes)
  -i display average data rate (in bits)
  -z display average packet size (in bytes)
  -h display this help and exit
Wireshark: Dumpcap
Dumpcap is a command-line tool used for capturing data from the live network and copying those packets to a file.
Capture interface:
  -i <interface>       name or idx of interface (def: first non-loopback)
  -f <capture filter>  packet filter in libpcap filter syntax
  -s <snaplen>         packet snapshot length (def: 65535)
  -p                   don't capture in promiscuous mode
  -B <buffer size>     size of kernel buffer (def: 1MB)
  -y <link type>       link layer type (def: first appropriate)
  -D                   print list of interfaces and exit
  -L                   print list of link-layer types of iface and exit
Stop conditions:
  -c <packet count>    stop after n packets (def: infinite)
  -a <autostop cond.> ... duration:NUM - stop after NUM seconds
                          filesize:NUM - stop this file after NUM KB
                          files:NUM - stop after NUM files
Wireshark: Dumpcap (cont'd)
Output (files):
  -w <filename>        name of file to save (def: tempfile)
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                           files:NUM - ringbuffer: replace after NUM files
Miscellaneous:
  -v                   print version information and exit
  -h                   display this help and exit
Ctrl-C to stop capturing at any time
Wireshark: Editcap
Editcap is used to remove packets from a file and to translate the format of capture files.
It is similar to the Save As feature. Editcap can read all of the same types of files that Wireshark can, and writes to the libpcap format by default.
C:\Program Files\Wireshark>editcap -r -v -F snoop capture capture_snoop 1-5
File capture is a libpcap (tcpdump, Wireshark, etc.) capture file
Add_Selected: 1-5
Inclusive ... 1, 5
Record: 1
Record: 2
Record: 3
Wireshark: Text2pcap
Text2pcap reads in ASCII hexdump captures and writes the data into a libpcap output file.
It is capable of reading hexdumps containing multiple packets and building a capture file of multiple packets.
It can also read hexdumps of application-level data by inserting dummy Ethernet, IP, and User Datagram Protocol (UDP) or TCP headers.
C:\Program Files\Wireshark>text2pcap hex_sample.txt libpcap_output
Input from: hex_sample.txt
Output to: libpcap_output
Wrote packet of 168 bytes at 0
Read 1 potential packets, wrote 1 packets
Using Wireshark for System Administration
The basics of ARP are:
• When a system needs to communicate with another system on the same subnet, and has an IP address for that system but not a MAC address, an ARP request is broadcast onto the Ethernet segment.
• For example, a network with hosts 192.168.1.1 and 192.168.1.2 having MAC addresses 00:01:02:03:04:05 and 06:07:08:09:0a:0b issues the following command sequence through ARP:
00:01:02:03:04:05 to ff:ff:ff:ff:ff:ff Who has 192.168.1.2? Tell 192.168.1.1
06:07:08:09:0a:0b to 00:01:02:03:04:05 192.168.1.2 is at 06:07:08:09:0a:0b
ARP Problems
ARP traffic is a necessary precursor to normal network traffic.
Wireshark can be used to check for the presence of this traffic on the network.
There are several conditions of ARP that indicate specific problems.
If there is no ARP traffic from the system on the network, either you are not capturing the traffic correctly or there are driver or OS issues preventing network communication.
If the system is issuing ARP requests but there is no response from the host, it may not be on the network.
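The ARP exchange from the previous slide and the "requests but no reply" condition above, as an added example that is not part of the original slides: it builds raw Ethernet/ARP frames (constructed test data, using the two MAC/IP pairs from the slide), prints the same one-line summaries Wireshark shows, and lists the IPs that were asked for but never answered.

```python
"""Parse Ethernet/ARP frames and flag ARP requests that received no reply.

Added example (not from the original slides). Frames are constructed with
struct; summaries mimic Wireshark's "Who has ...? Tell ..." / "... is at ..." lines.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(src_mac, dst_mac, op, sha, spa, tha, tpa):
    """Build a raw Ethernet II frame carrying an ARP packet (constructed test data)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet/IPv4, hlen 6, plen 4
    return eth + arp + mac(sha) + ip(spa) + mac(tha) + ip(tpa)


def parse_arp(frame):
    """Return a dict for an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < 14 + 28:
        return None
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"src": mac_str(src), "dst": mac_str(dst), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


def summary(p):
    """Wireshark-style one-line summary of a parsed ARP frame."""
    if p["op"] == ARP_REQUEST:
        return f"{p['src']} to {p['dst']} Who has {p['tpa']}? Tell {p['spa']}"
    if p["op"] == ARP_REPLY:
        return f"{p['src']} to {p['dst']} {p['spa']} is at {p['sha']}"
    return f"{p['src']} to {p['dst']} ARP opcode {p['op']}"


def unanswered_requests(frames):
    """IPs that were asked for in an ARP request but never appeared in an ARP reply."""
    asked, answered = set(), set()
    for f in frames:
        p = parse_arp(f)
        if p is None:
            continue
        if p["op"] == ARP_REQUEST:
            asked.add(p["tpa"])
        elif p["op"] == ARP_REPLY:
            answered.add(p["spa"])
    return sorted(asked - answered)


# Constructed capture: the exchange on the slide plus one request nobody answers.
A, B = "00:01:02:03:04:05", "06:07:08:09:0a:0b"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
CAPTURE = [
    build_arp(A, BCAST, ARP_REQUEST, A, "192.168.1.1", ZERO, "192.168.1.2"),
    build_arp(B, A, ARP_REPLY, B, "192.168.1.2", A, "192.168.1.1"),
    build_arp(A, BCAST, ARP_REQUEST, A, "192.168.1.1", ZERO, "192.168.1.50"),
]

if __name__ == "__main__":
    for f in CAPTURE:
        print(summary(parse_arp(f)))
    print("no reply for:", unanswered_requests(CAPTURE))
```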
The ICMP type field, which is a 1-byte field at the very beginning of the ICMP protocol header, indicates the type of ICMP packet.
If the type field is 8, the packet is an ICMP echo (ping) request.
If the type field is 0, the packet is an ICMP echo (ping) reply.
This capture filter tests for packets that are either ICMP ping requests or ICMP ping replies by retrieving the first byte:
TCP Flags
The TCP flags field is a bit field, which is an integer where the individual bits are used as separate fields.
For example, the TCP flags field is an 8-bit integer field, but the bits in that integer represent independent fields that are either true or false (or 1 or 0).
TCP SYN Packet Flags Bit Field (cont'd)
In this packet of the TCP handshake (a Synchronize (SYN)/Acknowledge (ACK) packet), both the tcp-syn and tcp-ack bits are set.
To write a filter to test for the SYN bit, use the bitwise and operator to mask out all of the bits except for the SYN bit.
Scenario 1: SYN no SYN+ACK
If your Wireshark capture shows that the client is sending a SYN packet, but no response is received from the server, the server is not processing the packet.
It could be that a firewall between the two hosts is blocking the packet, or that the server itself has a firewall running on it.
If your Wireshark capture shows that the server is responding with the reset (RST) flag, the destination server is receiving the packet but there is no application bound to that port.
Make sure that your application is bound to the correct port on the correct IP address.
Scenario 3: SYN SYN+ACK ACK
If your Wireshark capture shows that the TCP connection is established and that it immediately closes, the destination server may be rejecting the client's IP address due to security restrictions.
On UNIX systems, check the tcpwrappers files at /etc/hosts.allow and /etc/hosts.deny and verify that you haven't inadvertently blocked communication.
Tapping into the Network
Wireshark's TAP system is a powerful and flexible mechanism for providing event-driven notification for packets matching certain protocols.
The tapping system is divided into two parts:
• Code in the actual dissectors to allow tapping of data.
• Event-driven code that registers a tap listener and processes received packets of data.
Wire tapping is the process of tapping the wired network using sniffers.
Wireless tapping requires specifications such as signal
hubbing out.
Using Wireshark for Security Administration
One of the most popular and useful Wireshark features is packet reassembly, which allows us to see the contents of exchanged data.
For protocols such as Telnet and FTP, Wireshark clearly displays the username and password for the connection, without any reassembly.
For unknown, custom, or otherwise obscure protocols, packet reassembly can be used.
To use reassembly, capture the traffic through Wireshark or another tool, then load the capture file into Wireshark and right-click on any packet in the connection.
Detecting Internet Relay Chat Activity
Besides the policy implications of chat rooms, IRC is frequented by hackers and used as a command and control mechanism.
IRC normally uses TCP port 6667.
If you set Wireshark to detect traffic with destination port 6667, you will see IRC traffic that looks like the following:
Local client to IRC server port 6667:
USER username localsystem.example.com irc.example.net :gaim
Remote IRC server to local client:
NOTICE AUTH :*** Looking up your hostname...
Local client to IRC server port 6667:
NICK clever-nick-name
Remote IRC server to local client:
NOTICE AUTH :*** Checking ident
NOTICE AUTH :*** Found your hostname
Wireshark as a Detector for Proprietary Information Transmission
If your company marks its confidential and proprietary information with a consistent phrase, there is no reason you cannot use Wireshark to detect the transmission of that information.
You can use Wireshark to capture all outbound traffic on a SPAN port and then use Wireshark's Find Packet function.
Sniffer Detection
When the interface is placed into promiscuous mode, the PROMISC keyword appears in the attributes section, as shown in the example below:
Wireless Sniffing with Wireshark
Wireshark has sophisticated wireless protocol analysis support to help administrators troubleshoot wireless networks.
It can capture traffic "from the air" and decode it into a format that helps administrators track down issues that are causing poor performance, intermittent connectivity, and other common problems.
You will need to purchase and install AirPcap to be able to sniff wireless traffic.
AirPcap
CACE Technologies has introduced a commercial product called AirPcap, a combination of a USB IEEE 802.11b/g adapter, supporting driver software, and a client configuration utility.
AirPcap provides a simple mechanism to capture wireless traffic in monitor mode on Windows workstations at a reasonable cost.
AirPcap (cont’d)
If you want to analyze the traffic for a specific wireless AP or station, you must identify the channel or frequency used by the target device, and configure your wireless card to use the same channel before initiating your packet capture.
This is because wireless cards can only operate on a single frequency at any given time.
If you want to capture traffic from multiple channels simultaneously, you would need an additional wireless card for every channel you
Using Channel Hopping
If you want to capture traffic for a specific station, how do you locate the channel number that it is operating on?
One technique is to use the channel hopping command to rapidly scan through all available wireless channels until the appropriate channel number is identified.
Channel hopping will cause you to lose traffic, because you are rapidly switching channels.
If your wireless card is configured to operate on channel 11 and you hop to another channel, you will not be able to "hear" any traffic that is occurring on channel 11 until you return as part of the channel-hopping pattern.
Interference and Collisions
Another challenge of sniffing wireless networks is the risk of interference and lost packets. Unlike an Ethernet network that can transmit and monitor the network simultaneously, wireless cards can only receive or transmit asynchronously.
Wireless networks must take special precautions to prevent multiple stations from transmitting at the same time.
While these collision-avoidance mechanisms work well, it is still possible to experience collisions between multiple transmitters on the same channel, or to experience collisions with wireless local area networks (LANs) and other devices using the same frequency (for example, cordless phones, baby monitors, microwave ovens, and so on).
Recommendations for Sniffing Wireless Traffic
Locate the capture station near the source:
• When initiating a packet capture, locate the capture station close to the source of the wireless activity you are interested in (i.e., an AP or a wireless station).
Disable other nearby transmitters:
• To achieve a more accurate packet capture, disable any built-in wireless transmitters on the capture station.
Reduce CPU utilization while capturing:
• If your host experiences excessive CPU utilization during a packet capture, you may experience packet loss in the wireless capture (e.g., it is not a good idea to burn a DVD while capturing wireless traffic).
IEEE 802.11 Header
Following the frame statistics data, Wireshark starts to dissect the protocol information for the selected packet.
The IEEE 802.11 header is fairly complex; unlike a standard Ethernet header, it is between 24 and 30 bytes (compared to the standard Ethernet header of 14 bytes), has three or four addresses (compared to Ethernet's two addresses), and has many more fields to specify various pieces of information pertinent to wireless networks.
Wireless frames can have additional protocols appended to the end of the IEEE 802.11 header, including encryption options, Quality of Service (QoS) options, and embedded protocol identifiers (IEEE 802.2 header), all before actually getting any data to represent the upper-layer Network layer protocols.
Filters
Filter for a station MAC:
• With the packet capture open, apply a display filter to display only traffic from the client station using the wlan.sa display field name. Assuming the station MAC address is 00:09:5b:e8:c4:03, the display filter would be applied as:
• wlan.sa eq 00:09:5b:e8:c4:03
Filter on BSSID:
• wlan.bssid eq 00:11:92:6e:cf:00
Filter on SSID:
• We can apply a display filter to identify all packets that include the SSID "NOWIRE", as shown below:
Unencrypted Data Traffic
Another common analysis technique is to identify wireless traffic that is unencrypted.
This may be in an effort to identify misconfigured devices that could be disclosing sensitive information over the wireless network.
Most rogue devices are deployed without encryption.
Identifying Hidden SSIDs
Many organizations have adopted SSID cloaking, which prevents their APs from advertising their SSIDs to anyone who asks.
When an AP wants to obscure the SSID of the network, it does not respond when it receives a request for the network name, and it removes the SSID advertisement from beacon frames.
Because it is mandatory to include some indicator of the network name (whether legitimate or not) in beacon frames, vendors have adopted different conventions for obscuring the SSID by replacing it with one or more space characters or NULL bytes (one or more 0s) or
Troubleshooting authentication problems on the wireless network can be challenging, and often requires a packet sniffer to determine if the failure is happening on the client or over the network.
Wireshark can assist in identifying EAP authentication failure messages.
Some EAP methods negotiate a Transport Layer Security (TLS) tunnel before exchanging authentication information, to protect weak authentication protocol data.
In order to establish the TLS tunnel, at least one digital certificate is transmitted from the AP to the station.
Identifying WEP
WEP is the most prevalent encryption mechanism used to protect wireless networks.
It is also widely known as an insecure protocol.
Wireshark uniquely identifies WEP-encrypted traffic by decoding the 4-byte WEP header that follows the IEEE 802.11 header.
We can identify WEP traffic by identifying any frames that include the mandatory WEP Initialization Vector (IV).
Identifying TKIP and CCMP
TKIP is the successor to WEP, and is designed to be a software upgrade for hardware built only to support WEP.
Because TKIP was designed to work on legacy WEP hardware, it retained the use of the same underlying encryption protocol, RC4.
While RC4 is still considered safe for current use, it is no longer an acceptable encryption mechanism for use by U.S. government agencies.
Another alternative is to use the CCMP protocol, which uses the Advanced Encryption Standard (AES) cipher.
Like WEP, both TKIP and CCMP use an encryption protocol header that follows the IEEE 802.11 header.
This header is modified from the legacy WEP header, allowing us to identify whether TKIP or CCMP is in use, but it does not allow us to differentiate TKIP from CCMP.
We can only determine that one or the other is currently in use by looking at this header.
We can use a display filter to identify this header by filtering on the extended IV field:
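The distinction drawn in the WEP and TKIP/CCMP slides above, as an added example that is not part of the original slides: it locates the 4-byte field that follows the IEEE 802.11 header of a protected data frame and tests the Extended IV bit of the key-ID octet, so a frame is reported as WEP or as TKIP/CCMP (the header alone cannot say which of the two). The frames are constructed here, with the station and BSSID addresses taken from the filter slide; HT Control fields are assumed absent.

```python
"""Classify 802.11 data frames as plaintext, WEP, or TKIP/CCMP from the
4 bytes that follow the 802.11 header.

Added example (not from the original slides). Frames are constructed below;
header length follows the 802.11 rules for Address 4 and the QoS Control
field (HT Control fields are assumed absent).
"""

PROTECTED = 0x40          # Frame Control flags byte: "Protected Frame" bit
TO_DS, FROM_DS = 0x01, 0x02
EXT_IV = 0x20             # bit 5 of the Key ID octet: "Extended IV" (TKIP/CCMP)


def header_length(frame):
    """Length of the 802.11 MAC header for a data frame, or None if not data."""
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = fc0 >> 4
    if ftype != 2:
        return None
    length = 24
    if fc1 & TO_DS and fc1 & FROM_DS:
        length += 6  # Address 4 present (WDS/bridge frames)
    if subtype & 0x8:
        length += 2  # QoS Control field present
    return length


def classify(frame):
    """Return 'not-data', 'plaintext', 'truncated', 'wep', or 'tkip-or-ccmp'."""
    hlen = header_length(frame)
    if hlen is None:
        return "not-data"
    if not frame[1] & PROTECTED:
        return "plaintext"
    if len(frame) < hlen + 4:
        return "truncated"
    key_id_octet = frame[hlen + 3]  # 4th byte of the IV field
    if key_id_octet & EXT_IV:
        return "tkip-or-ccmp"   # extended IV: cannot tell TKIP from CCMP here
    return "wep"


def build_data_frame(flags, qos=False, wds=False, sec=None):
    """Constructed 802.11 data frame: header, optional 4-byte IV field, LLC stub."""
    fc0 = 0x08 | (0x80 if qos else 0)  # type=data, subtype 0 or 8 (QoS data)
    fc1 = flags | ((TO_DS | FROM_DS) if wds else 0)
    hdr = bytes([fc0, fc1]) + b"\x00\x00"  # duration
    hdr += bytes.fromhex("000c4187e2ee")   # addr1 (constructed)
    hdr += bytes.fromhex("00095be8c403")   # addr2: station from the filter slide
    hdr += bytes.fromhex("0011926ecf00")   # addr3: BSSID from the filter slide
    hdr += b"\x10\x00"                     # sequence control
    if wds:
        hdr += bytes.fromhex("00aabbccddee")  # addr4 (constructed)
    if qos:
        hdr += b"\x00\x00"
    body = b""
    if sec == "wep":
        body = b"\x12\x34\x56" + bytes([0x00])  # 24-bit IV, key ID 0, ExtIV clear
    elif sec == "tkip":
        body = b"\x12\x34\x56" + bytes([0x20])  # TSC bytes, ExtIV set
    return hdr + body + b"\xaa\xaa\x03" + bytes(8)


FRAMES = {
    "open": build_data_frame(0),
    "wep": build_data_frame(PROTECTED, sec="wep"),
    "tkip": build_data_frame(PROTECTED, qos=True, sec="tkip"),
    "wds-wep": build_data_frame(PROTECTED, wds=True, sec="wep"),
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:8s} -> {classify(frame)}")
```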
Decrypting Traffic
One of the challenges of wireless traffic analysis is the ability to inspect the contents of encrypted data frames.
Wireshark offers some options to analyze WEP-encrypted data.
When configured with the appropriate WEP key, Wireshark can automatically decrypt WEP-encrypted data and dissect the plaintext contents of these frames.
In order for Wireshark to decrypt the contents of WEP-encrypted packets, it must be given the appropriate WEP key for the network.
Wireshark does not assist you in breaking WEP keys or attacking the WEP protocol.
a result of worm activity.
TCP Connect Scan
A TCP connect scan is used to determine which ports are open and listening on a target device.
This type of scanning is the most basic because it completes the TCP three-way handshake with open ports and immediately closes them.
An intruder sends a SYN packet and analyzes the response. A response packet with the Reset (RST) and Acknowledgment (ACK) flags set indicates that the port is closed.
If a SYN/ACK is received, it indicates that the port is open and listening.
The intruder will then respond with an ACK to complete the connection.
TCP Connect Scan (cont’d)
The previous screenshot shows the attacker, 192.168.0.9, sending SYN packets to the target, 192.168.0.99.
Most ports respond with an RST/ACK packet; however, the highlighted packets show the SYN/ACK response and the subsequent ACK followed by the RST/ACK exchange on the domain name system (DNS) port.
You will also notice that the intruder's source port increases by one for each attempted connection.
You can find these by using a filter, such as
tcp.flags.syn==1&&tcp.flags.ack==1 or tcp.flags==18
to view packets with the SYN and ACK flags set.
The filter will show multiple responses for each port because several scanning methods
SYN Scan
It is also known as a half-open scan, because a full TCP connection is never completed.
It is used to determine which ports are open and listening on a target device.
An intruder sends a SYN packet and analyzes the response. If an RST/ACK is received, it indicates that the port is closed.
If a SYN/ACK is received, it indicates that the port is open and listening.
The intruder will then follow with an RST to close the connection.
SYN scans are known as stealth scans because few devices will notice or log them.
Null Scan (cont’d)
The previous figure shows that the attacker, 192.168.0.9, is sending packets to the target, 192.168.0.99, with all flags turned off, as indicated by the empty brackets [ ].
Most ports respond with an RST/ACK packet.
The highlighted packet for the https port never receives a response, thereby indicating that the port is open and has dropped the packet.
Notice that the intruder is using somewhat static source ports, 42294 and 42295.
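The flag tests from the TCP flags slides and the connect/SYN/null scan responses described above, as an added example that is not part of the original slides: it reads the flags byte out of raw TCP headers, applies the same masks the display filters tcp.flags.syn==1 and tcp.flags==18 express, and labels each probed port from the target's answer. The traffic is constructed to match the slides (attacker 192.168.0.9, target 192.168.0.99, DNS port open, static source port 42294 for the null scan).

```python
"""TCP flag bit-field tests and port-scan response classification.

Added example (not from the original slides). Raw 20-byte TCP headers are
constructed with struct (no checksum); the addresses are the slides' own.
"""
import struct

# Bit positions of the TCP flags byte (offset 13 of the TCP header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a minimal TCP header (constructed test data): data offset 5, window 8192."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)


def tcp_fields(hdr):
    """Return (sport, dport, flags) from a raw TCP header."""
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", hdr[:14])
    return sport, dport, flags


def is_syn(flags):
    """tcp.flags.syn == 1: mask out every bit except SYN."""
    return flags & SYN != 0


def is_syn_ack(flags):
    """tcp.flags.syn==1 && tcp.flags.ack==1; a bare SYN/ACK is tcp.flags == 18."""
    return flags & (SYN | ACK) == SYN | ACK


def is_rst_ack(flags):
    return flags & (RST | ACK) == RST | ACK


def classify_scan(packets, attacker, target):
    """Map each probed target port to the state implied by the target's answer.

    packets: list of (src_ip, dst_ip, raw_tcp_header). A probe is an attacker->target
    segment carrying a bare SYN (connect/SYN scan) or no flags at all (null scan).
    """
    probes, answers = {}, {}
    for src, dst, hdr in packets:
        sport, dport, flags = tcp_fields(hdr)
        if src == attacker and dst == target:
            if flags == 0:
                probes[dport] = "null"
            elif is_syn(flags) and not flags & ACK:
                probes[dport] = "syn"
        elif src == target and dst == attacker and sport in probes:
            answers[sport] = flags
    result = {}
    for port, kind in probes.items():
        flags = answers.get(port)
        if flags is None:
            # Null scan: an open port silently drops the flagless segment (as on the slide).
            result[port] = "open|filtered" if kind == "null" else "no response (filtered)"
        elif is_rst_ack(flags):
            result[port] = "closed"
        elif kind == "syn" and is_syn_ack(flags):
            result[port] = "open"
        else:
            result[port] = "unexpected"
    return result


ATTACKER, TARGET = "192.168.0.9", "192.168.0.99"
# Constructed connect-scan traffic: source port increments by one per attempt.
CONNECT_SCAN = [
    (ATTACKER, TARGET, tcp_header(40001, 22, SYN)),
    (TARGET, ATTACKER, tcp_header(22, 40001, RST | ACK)),
    (ATTACKER, TARGET, tcp_header(40002, 53, SYN)),
    (TARGET, ATTACKER, tcp_header(53, 40002, SYN | ACK)),
    (ATTACKER, TARGET, tcp_header(40002, 53, ACK)),        # handshake completed
    (ATTACKER, TARGET, tcp_header(40002, 53, RST | ACK)),  # then torn down
    (ATTACKER, TARGET, tcp_header(40003, 80, SYN)),        # nothing comes back
]
# Constructed null-scan traffic: empty flags [ ], static source port 42294.
NULL_SCAN = [
    (ATTACKER, TARGET, tcp_header(42294, 22, 0)),
    (TARGET, ATTACKER, tcp_header(22, 42294, RST | ACK)),
    (ATTACKER, TARGET, tcp_header(42294, 443, 0)),
]

if __name__ == "__main__":
    print("connect scan:", classify_scan(CONNECT_SCAN, ATTACKER, TARGET))
    print("null scan:", classify_scan(NULL_SCAN, ATTACKER, TARGET))
```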
The previous figure shows that the intruder is running the client on 192.168.1.1, which is connected to the server on the victim's computer at 192.168.1.200.
You will notice that the server is running on the default ports 12345 and 12346 and that data is being pushed between the client and server.
The two separate source ports indicate two distinct TCP connections.
Time Stamps
A time stamp is the point in time at which the data packet is captured.
The libpcap or WinPcap library provides time stamps to Wireshark.
Timestamps are recorded so they can be analyzed later.
Wireshark internals:
• Deal with the time display format of the timestamps.
• The time display format can be adjusted by the user.
• Depending upon the requirement, Wireshark converts the timestamp to either the capture file format or Wireshark's internal f
Time Stamps (cont’d)
Capture file formats:
• Time stamps are supported by each and every capture file format of Wireshark.
• File formats store the time stamps with a given precision (e.g. nanoseconds or microseconds).
• Wireshark captures to a file format supporting microsecond resolution.
Accuracy:
• Wireshark displays time stamps that are generated by its other resources (libpcap/WinPcap). Since time stamps are just displayed, the point of accuracy is
Packet Reassembling
The packet reassembling mechanism is implemented in Wireshark for finding, decoding, and displaying large chunks of data.
Network protocols handle the chunk boundaries in such a way that when the data is large, it is spread over multiple packets.
Checksums
A checksum, or redundancy check, is the process of checking the functionality of Wireshark.
To ensure data integrity, checksums are used by the network protocols.
Through checksum algorithms, simple errors can be solved.
The algorithm that is applied for a particular network protocol depends on the error rate, error detection ability, processor performance, performance of the checksum, etc.
Packet loss and re-transmission:
• Packet loss is the error condition where data packets are transmitted correctly, but without reaching the destination.
• Transmitting the lost data packets again is called re-transmission.
• Re-transmission occurs when there is loss of a data packet or an acknowledgement packet.