Packets and Protocols
Chapter One
Introduction
Jan 28, 2016
Course title: Introduction to TCP/IP
Course No: CIS
Prerequisite: CIS
Credit Hrs: 4
Text Book: Wireshark and Ethereal - Syngress
– We cannot troubleshoot networks until we understand how they work. To know how protocols work at their most basic level means that you have a clear understanding of how protocols and their associated packets work. With this knowledge you will be able to troubleshoot a myriad of network problems.
Class structure - http://cis.sc4.edu/
Start – 6:15
Breaks – 2 – various times
End – NLT 10:00
Contact time – 5:25 – 6:15
Instructor – John Kowalski – [email protected]
Silly-bus
– Course website
– Grading scale
– Slides
– Course outcomes
– White hat agreement
1. Name
2. Background/Experiences/Certifications, etc?
3. What do you know about the use of sniffers?
Network analysis – defined
– The process of capturing network traffic for the purpose of troubleshooting network anomalies with various tools and techniques.
What is a sniffer?
– Technically it is a product produced by NetScout
– It is a tool that converts bits and bytes into a format that we can understand.
What is a network analyzer?
– Can be anything!
– Portable laptop
– Dedicated hardware
– Generic PC used for packet captures
What does an analyzer tool look like?
(Diagram: analyzer window with SUMMARY, DETAIL and DATA panes)
A packet analyzer is composed of five basic components
1. Hardware
2. Driver
3. Buffer
4. Real-Time Analysis Tool
5. Decode
What is a protocol analysis tool used for?
– Converting binary to English
– Troubleshooting
– Performance analysis
– Logging traffic
– Establishing benchmarks
– Discovering faulty devices
– Intrusion detection
– Virus detection
The Good, the Bad and the Ugly
– Like any tool the possibility for misuse exists
– Hackers can steal info
– The “curious” can snoop
– Passwords can be captured
– Learn what viruses would be most effective
– Learn IP addressing schemes for DOS attacks
Other network analyzers
– WinDump
– Network General Sniffer (now NetScout)
– Network Monitor
– EtherPeek
– TCPDump
– Snoop
– Snort
– Dsniff
– Ettercap
– Etc….
How does a sniffer……sniff?
– All Ethernet enabled devices see all of the traffic on “the wire”
– Ethernet is not a secure protocol so sniffers are the perfect tool for troubleshooting
Normal NIC behavior
– Unicasts, bcasts, mcasts
Promiscuous mode
– All-Unicasts, all-bcasts, all-mcasts, all-traffic!
(Diagram: End node in Normal mode. A ROUTER announces “I have a packet here for MAC Address 103”. Nodes MAC 100, MAC 101, MAC 102 and MAC 104 each answer “It’s not for me!”; MAC 103 answers “That’s my address!”)
(Diagram: End node in Promiscuous mode. The same ROUTER announces “I have a packet here for MAC Address 103”. The nodes in normal mode answer “It’s not for me!”, MAC 103 answers “That’s my address!”, and the node in promiscuous mode answers “It’s not my address but I’ll take it!”)
A word about MAC addresses
– Media Access Control Addresses:
  – Are unique
  – Can be viewed by ipconfig (windows)
  – Can be overridden (spoofing)
    – DOS attack
    – SYN attack
    – Smurf Attack
  – Consist of an Organization Unique Identifier – http://standards.ieee.org/regauth/oui/oui.txt
  – Addresses are 6 bytes long
  – Generally written in hexadecimal
  – Globally unique (unicast)
  – Aka – Burned-in-address
Ethernet address types
– Legal: 00.0C.12.34.AB.CD
– Legal: FF.FF.FF.FF.FF.FF
– Illegal: 00.00.01.10.45.G2
Local Area Networks
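Added example (not from the course slides): a small Python model of the two slides above. It checks the Legal/Illegal address table, classifies an address as unicast, multicast or broadcast from the first octet, and replays the Normal-mode vs Promiscuous-mode diagram. The node addresses under the slide's example OUI 00:0C:12 are constructed for this example.

```python
import re

# Five constructed end nodes standing in for MAC 100..104 in the slide diagrams
# (hypothetical addresses under the slide's example OUI 00:0C:12).
NODES = {
    "MAC 100": "00.0C.12.34.AB.64", "MAC 101": "00.0C.12.34.AB.65",
    "MAC 102": "00.0C.12.34.AB.66", "MAC 103": "00.0C.12.34.AB.67",
    "MAC 104": "00.0C.12.34.AB.68",
}
BROADCAST = b"\xff" * 6


def parse_mac(text: str) -> bytes:
    """Accept six hexadecimal octets separated by '.', ':' or '-'; anything else is illegal
    (the slide's 00.00.01.10.45.G2 fails because 'G' is not a hex digit)."""
    parts = re.split(r"[.:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError("illegal MAC address: %r" % text)
    return bytes(int(p, 16) for p in parts)


def classify_mac(mac: bytes) -> dict:
    """Address type from the first octet: all-ones is broadcast, I/G bit (0x01) set means
    multicast, otherwise unicast; the U/L bit (0x02) marks a locally administered
    (overridden/spoofed) address rather than a burned-in one with an IEEE-assigned OUI."""
    if mac == BROADCAST:
        kind = "broadcast"
    elif mac[0] & 0x01:
        kind = "multicast"
    else:
        kind = "unicast"
    return {"oui": mac[:3].hex().upper(), "type": kind,
            "locally_administered": bool(mac[0] & 0x02)}


def legality_report(addresses) -> dict:
    """Reproduce the slide's Legal/Illegal table for a list of address strings."""
    report = {}
    for text in addresses:
        try:
            report[text] = "Legal (%s)" % classify_mac(parse_mac(text))["type"]
        except ValueError:
            report[text] = "Illegal"
    return report


def nic_accepts(frame_dst: bytes, own_mac: bytes, promiscuous: bool, groups=()) -> bool:
    """Normal NIC behaviour: own unicast, broadcasts and joined multicasts only.
    Promiscuous mode: every frame on the wire is passed up to the sniffer."""
    if promiscuous:
        return True
    kind = classify_mac(frame_dst)["type"]
    return (frame_dst == own_mac or kind == "broadcast"
            or (kind == "multicast" and frame_dst in set(groups)))


def who_takes_frame(dst_text: str, nodes: dict, promiscuous=frozenset()) -> set:
    """Replay the diagram: the router offers a frame for dst_text; return the nodes that keep it."""
    dst = parse_mac(dst_text)
    return {name for name, mac in nodes.items()
            if nic_accepts(dst, parse_mac(mac), name in promiscuous)}


if __name__ == "__main__":
    print(legality_report(["00.0C.12.34.AB.CD", "FF.FF.FF.FF.FF.FF", "00.00.01.10.45.G2"]))
    print("normal mode:     ", who_takes_frame(NODES["MAC 103"], NODES))
    print("MAC 104 promisc: ", who_takes_frame(NODES["MAC 103"], NODES, {"MAC 104"}))
```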
The OSI Model
– A method of moving data from point to point using seven distinct steps
The TCP/IP model
– TCP/IP (aka DoD model) is newer and only contains four layers
7 Application – Allows users to transfer files, send mail, etc. Only layer that users can communicate with directly. Key features are ease of use and functionality.
6 Presentation – Standardized data encoding and decoding. Data compression. Data encryption and decryption.
5 Session – Manages user sessions. Reports upper-layer errors. Supports Remote Procedure Call activities.
4 Transport – Connection management (e.g., TCP). Error and flow control. Connectionless, unreliable (e.g., UDP).
3 Network – Internetwork packet routing. Minimizes subnet congestion. Resolves differences between subnets.
2 Data Link – Network access control - MAC address. Packet framing. Error and flow control.
1 Physical – Moves bits across a physical medium. Interface between network medium and network devices. Defines electrical and mechanical characteristics of LAN.
(Diagram groupings: Provides services / Moves data / Connects processes)
OSI vs. TCP ModelOSI vs. TCP Model
The Physical Layer only transmits bits to, and receives bits from, the physical medium. It does not “see” the bits as organized into meaningful patterns, such as an address.
The Physical Layer operates depending on the chosen network topology.
The Physical Layer
A physical address is also referred to as a:
– Hardware address
– Adapter address
– Network interface card (NIC) address
– Medium Access Control (MAC) address
A physical address is required for network devices to ultimately deliver information to a given network node.
The Physical Layer cont.
We can categorize physical addresses, for the purposes of networking, into two general types:
– A LAN address is commonly found in an Ethernet or Token Ring LAN environment.
– WAN addresses in High-Level Data Link Control (HDLC) or frame relay network protocol addressing
– Divided into two distinct parts
  – MAC – The MAC address of the node – interfaces with lower layers
  – LLC – Tags and identifies protocols - interfaces with upper layers
– Think of it as a universal adapter
The Data Link Layer
A logical address is generally implemented as a software entity rather than a hardware entity.
There are two primary types of logical addresses, as follows:
– Network addresses, processed at the Network Layer
– Port or process addresses, processed at the Transport Layer
The Network Layer
The Well-Known Port Numbers Table lists some of the more commonly used TCP and User Datagram Protocol (UDP) addresses.
The Transport Layer
The Transport Layer is responsible not only for application addressing, but also for providing reliable communications over the best effort Layer 3 protocols.
The Transport Layer provides:
– Flow control
– Windowing
– Data sequencing
– Recovery
The Transport Layer cont.
Two protocols most commonly associated with layer 4
– TCP
  – High overhead
  – Connection oriented
  – Reliable
– UDP
  – Low overhead
  – Connectionless
  – Unreliable
  – Fast
The Transport Layer cont.
The Session Layer:
– establishes, manages, and terminates sessions between applications.
– provides its services to the Presentation Layer.
– synchronizes dialog between Presentation Layer entities and manages their data exchange.
The Session Layer
The Presentation Layer:
– ensures that information sent by the Application Layer of one system is formatted in a manner in which the destination system’s Application Layer can read it.
– can translate between multiple data representation formats, if necessary.
The Presentation Layer
The Application Layer:
– is the layer closest to the user.
– provides user application services to application processes outside the OSI model’s scope and does not support the other layers.
– identifies and establishes the intended communication partners’ availability, synchronizes cooperating applications, and establishes agreed procedures for application error recovery and data integrity control.
– determines whether sufficient resources exist for the intended communications.
The Application Layer
Arbitration—Determines when it is appropriate to use the physical medium
Addressing—Ensures that the correct recipient(s) receives and processes the data that is sent
Error detection—Determines whether the data made the trip across the physical medium successfully
Identification of the encapsulated data—Determines the type of header that follows the data link header
Ethernet communication steps
CSMA/CD
CSMA
1. Node listens
2. Node sends data
3. Node listens
CD
1. Collision detected
2. Nodes “back off”
3. Node retransmits
Top four protocols:
– IP
– ICMP
– TCP
– UDP
While there are certainly more than four protocols these make up the bulk of network traffic.
IP
– Connectionless
– Moves data from one layer three address to another
Several fields:
– IPID Field
– Protocol
– TTL
– Source IP
– Destination IP
ICMP
– The “tattle tale” protocol
Echo
– Request/reply
Unreachable
– Destination
– Network
– Port
Time exceeded
– TTL
TCP
– The protocol you can count on
Uses include
– Web
– E-mail
– FTP
– SSH
Reliable
– Ack
– Handshake
Sequencing
– Disassembles and reassembles large payloads
UDP
– Quick but unreliable
– Guaranteed fast! (but not guaranteed to get there)
– Uses
  – VoIP
  – DHCP
  – DNS
  – Gaming
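Added example (not from the course slides) covering the four protocol slides above: a decoder that reads the IP fields the IP slide lists (IPID, Protocol, TTL, source, destination), verifies the header checksum, and then decodes the ICMP, TCP or UDP header that follows, including the ICMP echo/unreachable/time-exceeded types and the TCP handshake flags. The packets are built by the same code from constructed values, so it runs offline.

```python
import struct
import ipaddress

# IANA protocol numbers for the "top four" named in the slides (IP carries the other three).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# ICMP types/codes the ICMP slide mentions: echo, unreachable, time exceeded.
ICMP_TYPES = {0: "Echo reply", 3: "Destination unreachable", 8: "Echo request", 11: "Time exceeded"}
ICMP_UNREACH_CODES = {0: "Network unreachable", 1: "Host unreachable", 3: "Port unreachable"}
TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, ttl: int = 64, ipid: int = 0x1234) -> bytes:
    """Build a minimal (no options) IPv4 packet with a correct header checksum. Constructed test data only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ipid, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IP fields the slides list, verify the header checksum, then decode the
    ICMP/TCP/UDP header that follows. Raises ValueError on a malformed header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ipid, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt) or total_len < ihl:
        raise ValueError("not a well-formed IPv4 header")
    info = {
        "ipid": ipid, "ttl": ttl, "protocol": PROTO_NAMES.get(proto, "other(%d)" % proto),
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        # Summing a header together with its own checksum field must give zero.
        "checksum_ok": inet_checksum(pkt[:ihl]) == 0,
    }
    body = pkt[ihl:min(total_len, len(pkt))]
    if proto == 1 and len(body) >= 4:  # ICMP: the "tattle tale" protocol
        icmp_type, code = body[0], body[1]
        desc = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
        if icmp_type == 3:
            desc += " (%s)" % ICMP_UNREACH_CODES.get(code, "code %d" % code)
        info["icmp"] = desc
    elif proto == 6 and len(body) >= 20:  # TCP: ports, sequence numbers and handshake flags
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", body[:14])
        info.update(sport=sport, dport=dport, seq=seq, ack=ack,
                    flags=[name for name, bit in TCP_FLAG_BITS if off_flags & bit])
    elif proto == 17 and len(body) >= 8:  # UDP: ports and length only, no sequencing or acks
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        info.update(sport=sport, dport=dport, udp_len=ulen)
    return info


if __name__ == "__main__":
    # Constructed sample: a TCP SYN to port 80, the start of the handshake the HTTP slide says to look for.
    syn = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    print(parse_ipv4(build_ipv4(6, "192.0.2.10", "192.0.2.20", syn)))
```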
Repeaters are used to
– Amplify signals and pass them to other network segments
– Packets are received, amplified and retransmitted
Repeaters have limited abilities
– Repeaters cannot filter or error check packets
– They are physical level devices with no built in algorithms
– Function is limited to digital signal amplification
Repeaters
Hubs are multi-port repeaters
– Multi-port repeaters are also known as Hubs
– Connect workstations to the network
– Hubs can have multiple port connections and be stacked
– Use Twisted-pair cabling
Hubs
A bridge provides for
– Creation of a single “logical” LAN longer than any one cable
– Offers electrical & traffic isolation between cable segments
– Keeps local traffic local on the LAN
– Forwards only necessary traffic on to the WAN
Bridges are protocol independent
– Can support any protocol on the LAN
– Most common use of a bridge is to filter traffic
– Purpose is to separate LAN traffic based on MAC addresses
– Supports asynchronous or synchronous WAN connections
Bridge
LAN Segmentation
• Ethernet bridges are known as TRANSPARENT BRIDGES because they are invisible – or – transparent to the end devices
Transparent Bridges perform three functions:
1. Learn MAC addresses by examining the source MAC address of each frame received by the bridge
2. Decide when to forward a frame or when to filter (not forward) a frame, based on the destination MAC address
3. Create a loop-free environment with other bridges by using the Spanning Tree Protocol
• Bridges observe traffic as it passes and record the MAC addresses
• Bridges forward all broadcast and unknown unicast packets
Used to alleviate network congestion
– Divide networks into virtual LAN (VLAN) segments
– Ability to dedicate more bandwidth
– Function at data link layer of workgroups
– Function at Network layer of network backbones
Switches provide 100 Mbps ports for user connections
– Ethernet switches have replaced bridges in large networks
– Can also filter traffic based on MAC address
– Ethernet switches function as a repeater and a bridge
Switch (multi-port bridge)
Switches actually make packet analysis more difficult
– Layer 3 device
– Interconnects networks
– A Layer 3 switch is a multi-port router
Router
Routers stop the flow of broadcasts
(Diagram: How many collision domains are there? There are six collision domains)
Firewalls
– Specialized devices
– Ability to examine packets at virtually every layer of the OSI model
– Generally placed at the “edge” of the network
– Offloads “policing” policies from the core routers
(Diagram: Typical Switch Port)
(Diagram: Spanned Switch Port with a Sniffer PC attached)
(Diagram: Spanned Uplink Port between the Internet link and a Sniffer PC)
Placement of the sniffer is critical
Disparate Spanned Ports
(Diagram: three 1 Gigabyte ports spanned to one 100 Megabyte port)
This will work, but you are bound to lose some data
Detecting Sniffers on your network
– Look for DNS reverse lookups
  – Sniffers often use reverse lookups
– Send the pump-fake packet
  – Look for a RST packet
– Monitor hub ports
  – Maintain physical security/disable unused ports
– Send a fake-arp
  – Sniffers respond to non-bcast arp requests
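Added example (not from the course slides) for the first detection idea above: detection logic that scans resolver query logs for a client issuing reverse (PTR) lookups for many different addresses, which is the footprint of a sniffer resolving the hosts it captures. The log lines and their format are constructed for this example, and the threshold is an assumption to tune against your own baseline.

```python
import re
from collections import defaultdict

# Constructed resolver log (format invented for this example, not any product's): one query per line.
# Client 192.0.2.77 reverse-resolves a run of neighbouring addresses; 192.0.2.10 behaves normally.
SAMPLE_LOG = """\
2016-01-28T18:15:01 client=192.0.2.10 query=www.example.com type=A
2016-01-28T18:15:02 client=192.0.2.77 query=20.2.0.192.in-addr.arpa type=PTR
2016-01-28T18:15:02 client=192.0.2.77 query=21.2.0.192.in-addr.arpa type=PTR
2016-01-28T18:15:02 client=192.0.2.77 query=22.2.0.192.in-addr.arpa type=PTR
2016-01-28T18:15:03 client=192.0.2.10 query=mail.example.com type=MX
2016-01-28T18:15:03 client=192.0.2.77 query=23.2.0.192.in-addr.arpa type=PTR
2016-01-28T18:15:03 client=192.0.2.77 query=24.2.0.192.in-addr.arpa type=PTR
2016-01-28T18:15:04 client=192.0.2.77 query=21.2.0.192.in-addr.arpa type=PTR
2016-01-28T18:15:04 client=192.0.2.77 query=25.2.0.192.in-addr.arpa type=PTR
2016-01-28T18:15:05 client=192.0.2.10 query=10.2.0.192.in-addr.arpa type=PTR
"""
LINE_RE = re.compile(r"client=(?P<client>\S+) query=(?P<name>\S+) type=(?P<type>\S+)")


def ptr_name_to_ip(name: str):
    """Turn 20.2.0.192.in-addr.arpa back into 192.0.2.20; None if it is not an IPv4 PTR name."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", name, re.IGNORECASE)
    return ".".join(reversed(m.groups())) if m else None


def reverse_lookup_counts(log_text: str) -> dict:
    """Map each client to the sorted list of distinct addresses it tried to reverse-resolve.
    Repeated lookups of the same address count once, so retries do not inflate the score."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("type").upper() != "PTR":
            continue
        ip = ptr_name_to_ip(m.group("name"))
        if ip:
            targets[m.group("client")].add(ip)
    return {client: sorted(ips) for client, ips in targets.items()}


def find_reverse_lookup_bursts(log_text: str, threshold: int = 5) -> dict:
    """Flag clients that reverse-resolved at least `threshold` distinct addresses.
    The threshold is an assumption for this example; tune it to the network's normal baseline."""
    return {client: ips for client, ips in reverse_lookup_counts(log_text).items()
            if len(ips) >= threshold}


if __name__ == "__main__":
    for client, ips in find_reverse_lookup_bursts(SAMPLE_LOG).items():
        print("possible sniffer at %s: %d distinct PTR targets %s" % (client, len(ips), ips))
```

Management tools and mail servers also do reverse lookups, so treat a hit as a lead to confirm with the other checks on the slide (port monitoring, physical inspection), not as proof.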
Wireless sniffer tools
– Netstumbler
  – Network scanner, not really a sniffer
– Kismet
  – Good all around open source all free tool
– Wireshark
  – Sniffer; does not show SSID/Signal strength
– CommView
  – Commercial wireless monitor for WiFi
– And others…(P36)
Commonly seen protocols
– DHCP
– DNS
– NTP
– HTTP
– SMTP
DHCP
– Used to give clients the necessary information they need to function on the network
  – IP address
  – Subnet mask
  – DG
  – WINS server
  – DNS server
– Sniff for: The last ACK packet to gather the most information
DNS
– Used to determine the IP address of a hostname and vice versa
  – Uses UDP port 53 – TCP for zone transfers and packets >512k
  – Used to remotely look up records in a DNS database
– Sniff for: The DNS response packet
NTP
– Used to reference a time source for synchronization
  – Uses UDP port 123
  – Uses a server/client model
– Sniff for: The NTP response packet with the time and synchronization packet in it.
HTTP
– Most commonly used protocol
– Payload is text data
  – Uses TCP port 80
  – Uses a server/client model
– Sniff for: Uses TCP, make sure the handshake takes place, then look for data to follow
SMTP
– Used to transfer e-mail from place to place: mail server to mail server, and mail server to client
  – Uses TCP port 25
  – Payload is text data
– Non-textual data is converted to text via MIME
Protecting your network from sniffers
– Physical security is the best method
  – Lock closets
  – Disable ports
  – Be alert for hubs, WAPs etc
– As a last resort, just make sure that whatever is sniffed is useless to a hacker
How to ward off the evil doers
– Use SSH – not TELNET
  – SSH encrypts its payload
– Use SSL – not HTTP
  – SSL encrypts HTTP data
– Use IPSec
  – IPSec is layer three encryption (tunneling)
– Use VPN
  – VPN encrypts data into IP tunnels (layer 2 tunneling)