Introduction to Packet Sniffing using Ethereal 0.10.9

Introduction to Packet Sniffingusing Ethereal 0.10.9

Rob Bergin

Network Engineer

The Timberland Company

Non-Technical

Currently Data just travels around your network like a train. With a packet sniffer, get the ability to capture the data and look inside the packets to see what is actually moving long the tracks.

Technical

Ethereal (and WinPcap)

Ethereal – Application for Sniffing Packets

WinPcap – open source library for packet capture

Operating System – Windows & Unix/Linux

NPF device driver Network Driver(WinPcap runs as a protocol driver like TCP.SYS)

Network Card Drivers

WinPcap Architecture

Frame 1

WinPcap is an open source library for packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll, based on libpcap version 0.6.2).

The packet filter is a device driver that adds to Windows 95, 98, ME,  NT, 2000, XP and 2003 the ability to capture and send raw data from a network card, with the possibility to filter and store in a buffer the captured packets. 

Packet.dll is an API that can be used to directly access the functions of the packet driver, offering a programming interface independent from the Microsoft OS.

Wpcap.dll exports a set of high level capture primitives that are compatible with libpcap, the well known Unix capture library. These functions allow to capture packets in a way independent from the underlying network hardware and operating system.

WinPcap is released under a BSD-style license.

Ethereal Application

• Requires WinPcap for Captures • Can run standalone to examine captures

A Capture

Frame 1 Frame 2 Frame 3 Frame 4 Frame 5 Frame 6

• Let’s define a capture as a period of time that Ethereal captured data frames.

• Frames can be assembled to examine application traffic

Recap

• Packet Sniffing

• Ethereal

• Data Frame Architecture

• WinPcap

• Network Capture

Basic TCP/IP Stuff

Interoperable TCP/IP

• TCP/IP is Transmission Control Protocol/Internet Protocol) is a suite of network protocols.

• TCP and IP are two separate protocols

• TCP handles the data (HTTP vs. FTP vs. Telnet)

• IP handles the data transmission (i.e. between routers).

• TCP/IP protocols were designed to allow different applications running on dissimilar operating systems to communicate across a network.

Watch your Headers

TCP / UDP- Ports not Addresses- Layer 4 not 3- FTP uses 20 and 21

IP- Addresses not Ports- Layer 3 not 4- 192.168.1.1 (octet)

TCP

• TCP is connection-oriented transport layer protocol designed to provide a reliable connection for data exchange between two systems.

• TCP ensures that all packets are properly sequenced and acknowledged and that a connection is established before data is sent.

• TCP provides it reliability through the use of an acknowledgement or ACK.

TCP

• If a receiving system had to send an ACK for every packet, the result would be an incredible amount of overhead for the network.

• To reduce the overhead, a mechanism called windowing is used.

• Windowing is a method of flow control.

TCP

• The receiving system advertises a certain number of packets that it can receive at a time (input buffer size.)

• The sending system watches for an ACK after the designated number of packets is sent.

• If an ACK is not received, data will be retransmitted from the point of the last ACK.

UDP

• UDP (User Datagram Protocol) provides an unreliable, connectionless protocol to deliver packets.

• This protocol allows messages, called datagrams, to be sent without the overhead of ACKs, established connections, and sequencing.

• Applications that use UDP as their communications mechanism include NFS (2049), TFTP (79), DNS (53) and Unreal Tournament (7777).

IPv4

• IP (Internet Protocol) is used to handle datagram services between hosts.

• IP handles the addressing, routing, and reassembly

• IP addresses are 32 bits long, are organized into 4 octets (8 bits) separated by periods

• IPv4 address examples: 192.168.10.20.

• IPv6 is a next generation form of addressing.

IPv6

• IP (Internet Protocol) is used to handle datagram services between hosts.

• IP handles the addressing, routing, and reassembly

• IP addresses are 32 bits long, are organized into 4 octets (8 bits) separated by periods

• IPv4 address examples: 192.168.10.20.

• IPv6 is a next generation form of addressing.

What will IPv6 look like?IPv6 Addresses:CDFE:910A:2356:5709:8475:1024:3911:2021

2080:0000:0000:0000:0090:7AEB:1000:123A

Combo IPv4 and IPv61800:0000:0000:7AEF:0000:0000:16.114.67.16

Compacted IPv6 Address:2080:0:0:0:90:7AEB:1000:123A Legal compaction2080::90:7AEB:1000:123A Legal compaction1800::7AEF:0:0:1072:4310 Legal compaction

IPv4 vs. IPv6

• IPv4 RFC came out in 1981.

• IPv6 RFC came out in 1998.

0

200

400

600

800

1000

1200

1400

1600

1995 1996 1997 1998 1999 2000 2001 2002 2003 2004

Millions

Mobile Subscriber

s

PCs Connectedto Web

MobileInternet

Users

Sources: ABN AMRO/IDC/Ovum

Recap

• TCP vs. IP

• Headers

• TCP

• UDP

• IP

• IPv4 vs. IPv6

Ethereal Overview

View of Ethereal

Packet List

Packet Details

Packet Bytes

Packet List Packet Order

Time Order

Source IP

Destination IP

Protocol

Information

Packet Details

Breakdown of the Frame, the Packet, the TCP portion

Source and Destination IP

Source and Destination TCP Ports

Packet Bytes

View of the data – Hexidecimal and Raw Data

Ethereal Capture

Running Ethereal

Ethereal Analysis

Logging on to FTP Server

What Ethereal saw

What Ethereal saw

What Ethereal saw

What Ethereal saw

What Ethereal saw

Ethereal Filtering.

Filtering!!!!

Saving Captures

• Captured Views• Range of Packets• All Packets• Naming is critical:

– Was it the client?– Was it the Server?

After Filter/Save/Open

Time Column & Delta

FTP Only Filter

Ethereal Packet Analysis

What Username?

Is Password Required?

What Password?

Why can’t I log in?

Follow the Stream

Advanced Filtering

Filter for just that stream

(ip.addr eq 207.46.133.140 and ip.addr eq 172.17.22.56) and (tcp.port eq 21 and tcp.port eq 3511)

Filter for traffic between two hosts

ip.addr == 207.46.133.140 and ip.addr == 172.17.22.56

Filter for IP Traffic and removal of other traffic

ip and !(nbns) and !(msnms) and !(browser) and !(rip)

Summary Info

Ethereal: Encryption

HTTP

HTTPS

HTTP vs. HTTPS

HTTP vs. HTTPS

HTTP vs. HTTPS

TCP Stream vs. HTML Source

Ethereal: Miscellaneous

Protocol Hierarchy

I/O Graphing

HTTP Breakdown

Coloring Packets

Commercial Sniffers

• Sniffer Pro

• OmniPeek

• Observer

• IT Guru and ACE

Final Words

“If you can’t measure it, you can’t manage it”

- Peter Drucker