
Packets and Protocols

Jan 28, 2016


Packets and Protocols. Chapter One Introduction. Packets and Protocols. Course title: Introduction to TCP/IP Course No: CIS Prerequisite: CIS Credit Hrs: 4 Text Book: Wireshark and Ethereal - Syngress
Transcript
Page 1: Packets and Protocols

Packets and Protocols

Chapter One

Introduction

Page 2: Packets and Protocols

Course title: Introduction to TCP/IP
Course No: CIS
Prerequisite: CIS
Credit Hrs: 4
Text Book: Wireshark and Ethereal - Syngress

– We cannot troubleshoot networks until we understand how they work. To know how protocols work at their most basic level means that you have a clear understanding of how protocols and their associated packets work. With this knowledge you will be able to troubleshoot a myriad of network problems.

Page 3: Packets and Protocols

Class structure - http://cis.sc4.edu/
Start – 6:15
Breaks – 2 – various times
End – NLT 10:00
Contact time – 5:25 – 6:15
Instructor – John Kowalski
[email protected]

Page 4: Packets and Protocols

Silly-bus
– Course website
– Grading scale
– Slides
– Course outcomes
– White hat agreement

Page 5: Packets and Protocols

1. Name

2. Background/Experiences/Certifications, etc?

3. What do you know about the use of sniffers?

Page 6: Packets and Protocols

Network analysis – defined
– The process of capturing network traffic for the purpose of troubleshooting network anomalies with various tools and techniques.

What is a sniffer?
– Technically it is a product produced by NetScout
– It is a tool that converts bits and bytes into a format that we can understand.

Page 7: Packets and Protocols

What is a network analyzer
– Can be anything!
  Portable laptop
  Dedicated hardware
  Generic PC used for packet captures

What does an analyzer tool look like?

Page 8: Packets and Protocols

[Analyzer screenshot with three panes: SUMMARY, DETAIL, DATA]

Page 9: Packets and Protocols

A packet analyzer is composed of five basic components

1. Hardware

2. Driver

3. Buffer

4. Real-Time Analysis Tool

5. Decode

Page 10: Packets and Protocols

What is a protocol analysis tool used for?
– Converting binary to English
– Troubleshooting
– Performance analysis
– Logging traffic
– Establishing benchmarks
– Discovering faulty devices
– Intrusion detection
– Virus detection

Page 11: Packets and Protocols

The Good, the Bad and the Ugly
– Like any tool the possibility for misuse exists
  Hackers can steal info
  The “curious” can snoop
  Passwords can be captured
  Learn what viruses would be most effective
  Learn IP addressing schemes for DOS attacks

Page 12: Packets and Protocols

Other network analyzers
– WinDump
– Network General Sniffer (now NetScout)
– Network Monitor
– EtherPeek
– TCP Dump
– Snoop
– Snort
– Dsniff
– Ettercap
– Etc….

Page 13: Packets and Protocols

How does a sniffer……sniff?
– All Ethernet enabled devices see all of the traffic on “the wire”
– Ethernet is not a secure protocol so sniffers are the perfect tool for troubleshooting

Normal NIC behavior
– Unicasts, bcasts, mcasts

Promiscuous mode
– All-Unicasts, all-bcasts, all-mcasts, all-traffic!

Page 14: Packets and Protocols

[Diagram: ROUTER – “I have a packet here for MAC Address 103”; MAC 100, MAC 101, MAC 102 and MAC 104 each answer “It’s not for me!”; MAC 103 answers “That’s my address!”]

End node in Normal mode

Page 15: Packets and Protocols

[Diagram: ROUTER – “I have a packet here for MAC Address 103”; MAC 100, MAC 101 and MAC 102 each answer “It’s not for me!”; MAC 104 answers “It’s not my address but I’ll take it!”; MAC 103 answers “That’s my address!”]

End node in Promiscuous mode

Page 16: Packets and Protocols

A word about MAC addresses
– Media Access Control Addresses:
  Are unique
  Can be viewed by ipconfig (windows)
  Can be overridden (spoofing)
    – DOS attack
    – SYN attack
    – Smurf Attack
  Consist of an Organization Unique Identifier
    – http://standards.ieee.org/regauth/oui/oui.txt

Page 17: Packets and Protocols

Ethernet address types
Local Area Networks

Addresses are 6 bytes long
Generally written in hexadecimal
Globally unique (unicast)
Aka – Burned-in-address

Legal:    00.0C.12.34.AB.CD
Legal:    FF.FF.FF.FF.FF.FF
Illegal:  00.00.01.10.45.G2
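The two preceding ideas, the rules a NIC applies to a destination MAC (pages 13–15) and the shape of a legal address (pages 16–17), can be checked in a few lines of code. The example below is added here and is not part of the course slides: it validates the three addresses from the slide, classifies an address as burned-in unicast, locally administered (overridden) unicast, multicast or broadcast using the I/G and U/L bits of the first byte, extracts the OUI, and replays the MAC 100–104 diagram with and without a station in promiscuous mode. The station addresses are constructed for the example.

```python
"""Added example (not from the course slides): parse and classify Ethernet MAC
addresses, then simulate which frames a NIC keeps in normal and in
promiscuous mode.  All addresses and frames are constructed for the example."""
import re

# six hex pairs separated by '.', ':' or '-' (the same separator throughout)
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([.:-])(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")


def parse_mac(text):
    """Return the 6 address bytes, or None if the text is not a legal MAC.
    Accepts the dotted form used on the slide (00.0C.12.34.AB.CD); any
    non-hex digit such as 'G' makes the address illegal."""
    if not _MAC_RE.match(text):
        return None
    return bytes.fromhex(re.sub(r"[.:-]", "", text))


def classify_mac(mac):
    """Classify a 6-byte address the way a NIC's address filter does:
    broadcast = all bits set; multicast = I/G bit (0x01 of byte 0) set;
    otherwise unicast, burned-in if the U/L bit (0x02) is clear and
    locally administered (an overridden/spoofed address) if it is set."""
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    if mac[0] & 0x02:
        return "unicast (locally administered)"
    return "unicast (burned-in)"


def oui(mac):
    """The first 3 bytes are the Organization Unique Identifier (OUI)."""
    return mac[:3].hex().upper()


def nic_accepts(frame_dst, my_mac, promiscuous=False):
    """Normal mode: own unicast plus broadcast and multicast frames.
    Promiscuous mode: every frame on the wire."""
    if promiscuous:
        return True
    if classify_mac(frame_dst) in ("broadcast", "multicast"):
        return True
    return frame_dst == my_mac


def deliver(frame_dst, stations, promiscuous_stations=()):
    """Which stations keep a frame addressed to frame_dst?  `stations` maps a
    name to its MAC; `promiscuous_stations` names the ones running a sniffer."""
    return sorted(name for name, mac in stations.items()
                  if nic_accepts(frame_dst, mac, name in promiscuous_stations))


# Constructed LAN modelled on the slide: MAC 100 .. MAC 104 on one segment.
STATIONS = {f"MAC {n}": parse_mac(f"00.0C.12.34.AB.{n:02X}") for n in range(100, 105)}

if __name__ == "__main__":
    for text in ("00.0C.12.34.AB.CD", "FF.FF.FF.FF.FF.FF", "00.00.01.10.45.G2"):
        mac = parse_mac(text)
        print(text, "->", "illegal" if mac is None else f"{classify_mac(mac)}, OUI {oui(mac)}")
    target = STATIONS["MAC 103"]
    print("normal mode:               ", deliver(target, STATIONS))
    print("MAC 104 in promiscuous mode:", deliver(target, STATIONS, {"MAC 104"}))
```

The U/L bit is what distinguishes a burned-in address from one that has been overridden in software, which is one quick check an analyst can apply to the source addresses in a capture before trusting them.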

Page 18: Packets and Protocols

The OSI Model
– A method of moving data from point to point using seven distinct steps

The TCP/IP
– TCP/IP (aka DoD model) is newer and only contains four layers

Page 19: Packets and Protocols

7  Application   – Allows users to transfer files, send mail, etc.
                 – Only layer that users can communicate with directly
                 – Key features are ease of use and functionality

6  Presentation  – Standardized data encoding and decoding
                 – Data compression
                 – Data encryption and decryption

5  Session       – Manages user sessions
                 – Reports upper-layer errors
                 – Supports Remote Procedure Call activities

4  Transport     – Connection management (e.g., TCP)
                 – Error and flow control
                 – Connectionless, unreliable (e.g., UDP)

3  Network       – Internetwork packet routing
                 – Minimizes subnet congestion
                 – Resolves differences between subnets

2  Data Link     – Network access control - MAC address
                 – Packet framing
                 – Error and flow control

1  Physical      – Moves bits across a physical medium
                 – Interface between network medium and network devices
                 – Defines electrical and mechanical characteristics of LAN

(Side labels on the slide: “Provides services”, “Moves data”, “Connects processes”.)

Page 20: Packets and Protocols

OSI vs. TCP Model

Page 21: Packets and Protocols

The Physical Layer

The Physical Layer only transmits bits to, and receives bits from, the physical medium. It does not “see” the bits as organized into meaningful patterns, such as an address.

The Physical Layer operates depending on the chosen network topology.

Page 22: Packets and Protocols

The Physical Layer cont.

A physical address is also referred to as a:
– Hardware address
– Adapter address
– Network interface card (NIC) address
– Medium Access Control (MAC) address

A physical address is required for network devices to ultimately deliver information to a given network node.

Page 23: Packets and Protocols

The Data Link Layer

We can categorize physical addresses, for the purposes of networking, into two general types:
– A LAN address is commonly found in an Ethernet or Token Ring LAN environment.
– WAN addresses in High-Level Data Link Control (HDLC) or frame relay network protocol addressing

– Divided into two distinct parts
  – MAC
    – The MAC address of the node – interfaces with lower layers
  – LLC
    – Tags and identifies protocols - interfaces with upper layers
    – Think of it as a universal adapter

Page 24: Packets and Protocols

The Network Layer

A logical address is generally implemented as a software entity rather than a hardware entity.

There are two primary types of logical addresses, as follows:
– Network addresses, processed at the Network Layer
– Port or process addresses, processed at the Transport Layer

Page 25: Packets and Protocols

The Transport Layer

The Well-Known Port Numbers Table lists some of the more commonly used TCP and User Datagram Protocol (UDP) addresses.

Page 26: Packets and Protocols

The Transport Layer cont.

The Transport Layer is responsible not only for application addressing, but also for providing reliable communications over the best effort Layer 3 protocols.

The Transport Layer provides:
– Flow control
– Windowing
– Data sequencing
– Recovery

Page 27: Packets and Protocols

The Transport Layer cont.

Two protocols most commonly associated with layer 4
– TCP
  High overhead
  Connection oriented
  Reliable
– UDP
  Low overhead
  Connectionless
  Unreliable
  Fast

Page 28: Packets and Protocols

The Session Layer

The Session Layer:
– establishes, manages, and terminates sessions between applications.
– provides its services to the Presentation Layer.
– synchronizes dialog between Presentation Layer entities and manages their data exchange.

Page 29: Packets and Protocols

The Presentation Layer

The Presentation Layer:
– ensures that information sent by the Application Layer of one system is formatted in a manner in which the destination system’s Application Layer can read it.
– can translate between multiple data representation formats, if necessary.

Page 30: Packets and Protocols

The Application Layer

The Application Layer:
– is the layer closest to the user.
– provides user application services to application processes outside the OSI model’s scope and does not support the other layers.
– identifies and establishes the intended communication partners availability, synchronizes cooperating applications, and establishes agreed procedures for application error recovery and data integrity control.
– determines whether sufficient resources exist for the intended communications.

Page 31: Packets and Protocols


Page 32: Packets and Protocols

Ethernet communication steps

Arbitration—Determines when it is appropriate to use the physical medium

Addressing—Ensures that the correct recipient(s) receives and processes the data that is sent

Error detection—Determines whether the data made the trip across the physical medium successfully

Identification of the encapsulated data—Determines the type of header that follows the data link header

Page 33: Packets and Protocols

CSMA/CD

CSMA
1. Node Listens
2. Node Sends Data
3. Node Listens

CD
1. Collision detected
2. Nodes “back off”
3. Node retransmits

Page 34: Packets and Protocols

Top four protocols:
– IP
– ICMP
– TCP
– UDP

While there are certainly more than four protocols these make up the bulk of network traffic.

Page 35: Packets and Protocols

IP
– Connectionless
– Moves data from one layer three address to another

Several fields:
– IPID Field
– Protocol
– TTL
– Source IP
– Destination IP

Page 36: Packets and Protocols

ICMP
– The “tattle tale” protocol

Echo
– Request/reply

Unreachable
– Destination
– Network
– Port

Time exceeded
– TTL

Page 37: Packets and Protocols

TCP
– The protocol you can count on

Uses include
– Web
– E-mail
– FTP
– SSH

Reliable
– Ack
– Handshake

Sequencing
– Disassembles and reassembles large payloads

Page 38: Packets and Protocols

UDP
– Quick but unreliable

Guaranteed fast! (but not guaranteed to get there)

– Uses
  VoIP
  DHCP
  DNS
  Gaming
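Pages 34–38 list the fields an analyzer's DECODE stage pulls out of the four most common protocols: the IPID, protocol, TTL and addresses of IP, the type of an ICMP message, the flags of the TCP handshake, and the ports of UDP. The example below is added here and is not course code: it builds a handful of packets with `struct` (a three-way handshake, a UDP query and an ICMP time-exceeded message, all with constructed addresses), verifies the IP header checksum, decodes the fields named on the slides and checks that the handshake really took place, as the HTTP slide later asks. The `build_*` helpers exist only so the example runs offline.

```python
"""Added example (not from the course): decode the IP, ICMP, TCP and UDP fields
the slides name from raw packet bytes.  Packets are constructed here with
struct so the example runs offline; addresses are from the 192.0.2.0/24
documentation range."""
import socket
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ICMP_NAMES = {(8, 0): "echo request", (0, 0): "echo reply",
              (3, 0): "destination network unreachable", (3, 1): "destination host unreachable",
              (3, 3): "destination port unreachable", (11, 0): "time exceeded (TTL)"}


def ipv4_checksum(header):
    """One's-complement sum over 16-bit words (RFC 1071); 0 means 'verifies'."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ipid=0x1234, ttl=64):
    """20-byte IPv4 header (no options) with a correct checksum, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ipid, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_tcp(sport, dport, seq, ack, flags, window=65535):
    """20-byte TCP header; the TCP checksum is left zero in this example."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAG_BITS[name]
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, window, 0, 0)


def parse_packet(raw):
    """Return the layer-3/4 fields an analyst looks at first, as a dict."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    _, _, total_len, ipid, frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ipv4_checksum(raw[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    info = {"ipid": ipid, "ttl": ttl, "protocol": PROTO_NAMES.get(proto, str(proto)),
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "dont_fragment": bool(frag & 0x4000)}
    body = raw[ihl:total_len]
    if proto == 6:
        sport, dport, seq, ack, _, bits, window = struct.unpack("!HHIIBBH", body[:16])
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, window=window,
                    flags=[n for n, b in TCP_FLAG_BITS.items() if bits & b])
    elif proto == 17:
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        info.update(sport=sport, dport=dport, udp_len=ulen, payload=body[8:])
    elif proto == 1:
        itype, icode, _, _ = struct.unpack("!BBH4s", body[:8])
        info["icmp_type"] = ICMP_NAMES.get((itype, icode), f"type {itype} code {icode}")
    return info


def handshake_complete(parsed):
    """'Make sure the handshake takes place': the first three TCP segments must
    be SYN, then SYN+ACK, then ACK."""
    flags = [set(p["flags"]) for p in parsed if p["protocol"] == "TCP"][:3]
    return flags == [{"SYN"}, {"SYN", "ACK"}, {"ACK"}]


def protocol_mix(raws):
    """Count packets per protocol, the 'top four' view of a capture."""
    counts = {}
    for raw in raws:
        name = parse_packet(raw)["protocol"]
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed capture: a TCP handshake to port 80, a UDP DNS query, an ICMP TTL expiry.
CLIENT, SERVER = "192.0.2.10", "192.0.2.80"
SAMPLE = [
    build_ipv4(CLIENT, SERVER, 6, build_tcp(40000, 80, 1000, 0, ["SYN"]), ipid=1),
    build_ipv4(SERVER, CLIENT, 6, build_tcp(80, 40000, 5000, 1001, ["SYN", "ACK"]), ipid=2),
    build_ipv4(CLIENT, SERVER, 6, build_tcp(40000, 80, 1001, 5001, ["ACK"]), ipid=3),
    build_ipv4(CLIENT, "192.0.2.53", 17, struct.pack("!HHHH", 40001, 53, 13, 0) + b"query", ipid=4),
    build_ipv4("192.0.2.1", CLIENT, 1, struct.pack("!BBH4s", 11, 0, 0, b"\0\0\0\0"), ipid=5, ttl=255),
]

if __name__ == "__main__":
    parsed = [parse_packet(p) for p in SAMPLE]
    for p in parsed:
        print(p)
    print("handshake complete:", handshake_complete(parsed))
    print("protocol mix:", protocol_mix(SAMPLE))
```

The checksum check matters in practice: a capture with bad IP checksums on outbound packets usually means checksum offload on the capturing NIC, not corruption, and an analyzer that flags it without that context sends people chasing the wrong fault.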

Page 39: Packets and Protocols

Repeaters

Repeaters are used to
– Amplify signals and pass them to other network segments
– Packets are received, amplified and retransmitted

Repeaters have limited abilities
– Repeaters cannot filter or error check packets
– They are physical level devices with no built in algorithms
– Function is limited to digital signal amplification

Page 40: Packets and Protocols

Hubs

Hubs are multi-port repeaters
– Multi-port repeaters are also known as Hubs
– Connect workstations to the network
– Hubs can have multiple port connections and be stacked
– Use Twisted-pair cabling

Page 41: Packets and Protocols

Bridge

A bridge provides for
– Creation of a single “logical” LAN longer than any one cable
– Offers electrical & traffic isolation between cable segments
– Keeps local traffic local on the LAN
– Forwards only necessary traffic on to the WAN

Bridges are protocol independent
– Can support any protocol on the LAN
– Most common use of a bridge is to filter traffic
– Purpose is to separate LAN traffic based on MAC addresses
– Supports asynchronous or synchronous WAN connections

Page 42: Packets and Protocols

LAN Segmentation

Page 43: Packets and Protocols

• Ethernet bridges are known as TRANSPARENT BRIDGES because they are invisible – or – transparent to the end devices

Transparent Bridges perform three functions:

1. Learn MAC addresses by examining the source MAC address of each frame received by the bridge

2. Decide when to forward a frame or when to filter (not forward) a frame, based on the destination MAC address

3. Create a loop-free environment with other bridges by using the Spanning Tree Protocol

Page 44: Packets and Protocols

• Bridges observe traffic as it passes and record the MAC addresses

• Bridges forward all broadcast and unknown unicast packets

Page 45: Packets and Protocols

Switch (multi-port bridge)

Used to alleviate network congestion
– Divide networks into virtual LAN (VLAN) segments
– Ability to dedicate more bandwidth
– Function at data link layer of workgroups
– Function at Network layer of network backbones

Switches provide 100 Mbps ports for user connections
– Ethernet switches have replaced bridges in large networks
– Can also filter traffic based on MAC address
– Ethernet switches function as a repeater and a bridge

Page 46: Packets and Protocols


Switches actually make packet analysis more difficult
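Pages 43–46 describe the three things a transparent bridge does (learn source MACs, forward or filter by destination MAC, flood broadcasts and unknown unicasts) and then note that switches make packet analysis harder. The example below is added here and is not course code: it implements that learning logic as a small switch model, a hub for comparison, and a SPAN (mirror) port of the kind the later slides rely on, then shows what a sniffer on an ordinary switch port sees of a constructed conversation between two hosts. Host addresses and the frame descriptions are constructed.

```python
"""Added example (not from the course): a transparent (learning) bridge/switch
as the slides describe it, a hub for comparison, and a SPAN port.  Shows why a
sniffer on a plain switch port sees only the flooded frames.  Hosts and frames
are constructed for the example."""
from collections import namedtuple

Frame = namedtuple("Frame", "src dst note")
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, n_ports, span_port=None):
        self.n_ports = n_ports
        self.span_port = span_port          # port that receives a copy of everything
        self.table = {}                     # MAC -> port, learned from source addresses
        self.seen = {p: [] for p in range(n_ports)}  # frames sent out of each port

    def receive(self, in_port, frame):
        """Return the ports the frame goes out of (and record them in self.seen)."""
        self.table[frame.src] = in_port     # 1. learn: the source lives on the ingress port
        if frame.dst == BROADCAST or frame.dst not in self.table:
            out_ports = [p for p in range(self.n_ports) if p != in_port]   # flood
        elif self.table[frame.dst] == in_port:
            out_ports = []                  # 2. filter: destination is on the same segment
        else:
            out_ports = [self.table[frame.dst]]                            # forward
        if self.span_port is not None and self.span_port != in_port and self.span_port not in out_ports:
            out_ports.append(self.span_port)   # mirror copy for the sniffer
        for p in out_ports:
            self.seen[p].append(frame)
        return out_ports


class Hub(LearningSwitch):
    """A hub is a multi-port repeater: no table, every frame goes out every other port."""
    def receive(self, in_port, frame):
        out_ports = [p for p in range(self.n_ports) if p != in_port]
        for p in out_ports:
            self.seen[p].append(frame)
        return out_ports


def run(device, traffic):
    """Replay (ingress_port, frame) pairs; return the frame notes delivered per port."""
    for port, frame in traffic:
        device.receive(port, frame)
    return {p: [f.note for f in frames] for p, frames in device.seen.items()}


# Constructed scenario: host A on port 0, host B on port 1, sniffer PC on port 2.
A, B = "00:0c:12:34:ab:64", "00:0c:12:34:ab:65"
SNIFFER_PORT = 2
TRAFFIC = [
    (0, Frame(A, B, "A->B first frame (B unknown)")),
    (1, Frame(B, A, "B->A reply")),
    (0, Frame(A, B, "A->B second frame")),
    (0, Frame(A, BROADCAST, "A broadcast (ARP request)")),
]


def sniffer_sees(make_device):
    """Notes of the frames that reach the sniffer port for a device built by make_device(n_ports)."""
    return run(make_device(3), TRAFFIC)[SNIFFER_PORT]


if __name__ == "__main__":
    print("hub:         ", sniffer_sees(Hub))
    print("switch:      ", sniffer_sees(LearningSwitch))
    print("switch+SPAN: ", sniffer_sees(lambda n: LearningSwitch(n, span_port=SNIFFER_PORT)))
```

On the plain switch the sniffer sees the first frame only because B's address has not been learned yet, and the broadcast because broadcasts are always flooded; once the table is populated the unicast conversation is invisible to it, which is exactly why the later slides put the sniffer on a spanned port.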

Page 47: Packets and Protocols

Router

Layer 3 device
Interconnects networks
A Layer 3 switch is a multi-port router

Page 48: Packets and Protocols


Routers stop the flow of broadcasts

Page 49: Packets and Protocols

[Diagram: “How many collision domains are there?”]

There are six collision domains

Page 50: Packets and Protocols

Firewalls
– Specialized devices
– Ability to examine packets at virtually every layer of the OSI model
– Generally placed at the “edge” of the network
– Offloads “policing” policies from the core routers

Page 51: Packets and Protocols

Typical Switch Port

Page 52: Packets and Protocols

Spanned Switch Port

[Diagram: Sniffer PC on the spanned port]

Page 53: Packets and Protocols

Spanned Uplink Port

[Diagram: Internet uplink mirrored to the Sniffer PC]

Placement of the sniffer is critical

Page 54: Packets and Protocols

Disparate Spanned Ports

This will work, but you are bound to lose some data¹

[Diagram: three 1 Gigabyte links spanned onto one 100 Megabyte port]

Page 55: Packets and Protocols

Detecting Sniffers on your network
– Look for DNS reverse lookups
  Sniffers often use reverse lookups
– Send the pump-fake packet
  Look for a RST packet
– Monitor hub ports
  Maintain physical security/disable unused ports
– Send a fake-arp
  Sniffers respond to non-b-cast arp requests
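The first detection method above is passive: an analyzer that resolves the addresses it captures into names generates a stream of PTR (reverse) queries for hosts the sniffing machine never actually talked to. The example below is added here and is not course code: it parses constructed DNS query-log lines in a BIND-like format, recovers the address behind each `in-addr.arpa` name, and flags clients that reverse-resolved more distinct addresses than a threshold. The log lines, client addresses and threshold are all constructed for the example.

```python
"""Added example (not from the course): flag hosts that issue an unusual number
of DNS reverse (PTR) lookups, a passive indicator of a name-resolving sniffer.
Log lines are constructed here in a BIND-like query-log format."""
import re
from collections import defaultdict

# "client <ip>#<port>: query: <name> IN <type>" is the part of a BIND query log line we need
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>[A-Z]+)")


def ptr_target(name):
    """Turn 103.2.0.192.in-addr.arpa into 192.0.2.103; None if not a reverse name."""
    name = name.rstrip(".")
    if not name.lower().endswith(".in-addr.arpa"):
        return None
    octets = name.split(".")[:-2]
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def reverse_lookup_counts(lines):
    """Map each client to the set of distinct addresses it asked PTR records for."""
    targets = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("type") != "PTR":
            continue
        ip = ptr_target(m.group("name"))
        if ip:
            targets[m.group("client")].add(ip)
    return targets


def suspicious_resolvers(lines, threshold=5):
    """Clients that reverse-resolved more than `threshold` distinct addresses."""
    return sorted(client for client, ips in reverse_lookup_counts(lines).items()
                  if len(ips) > threshold)


# Constructed query log: a normal workstation, a mail server that legitimately
# reverse-resolves a few senders, and a host resolving every address it saw on the wire.
SAMPLE_LOG = (
    ["28-Jan-2016 18:15:00.001 client 192.0.2.10#40001: query: www.example.com IN A + (192.0.2.53)",
     "28-Jan-2016 18:15:00.002 client 192.0.2.10#40002: query: mail.example.com IN MX + (192.0.2.53)",
     "28-Jan-2016 18:15:00.003 client 192.0.2.10#40003: query: 80.2.0.192.in-addr.arpa IN PTR + (192.0.2.53)"]
    + [f"28-Jan-2016 18:15:01.{i:03d} client 192.0.2.25#4100{i}: query: {i}.113.0.203.in-addr.arpa IN PTR + (192.0.2.53)"
       for i in range(1, 4)]
    + [f"28-Jan-2016 18:15:02.{i:03d} client 192.0.2.104#5000{i}: query: {i}.2.0.192.in-addr.arpa IN PTR + (192.0.2.53)"
       for i in range(1, 9)]
    + ["28-Jan-2016 18:15:03.000 client 192.0.2.104#50009: query: 1.2.0.192.in-addr.arpa IN PTR + (192.0.2.53)"]
)

if __name__ == "__main__":
    for client, ips in sorted(reverse_lookup_counts(SAMPLE_LOG).items()):
        print(f"{client}: {len(ips)} distinct reverse lookups")
    print("suspicious:", suspicious_resolvers(SAMPLE_LOG))
```

Mail servers, log viewers and monitoring systems also reverse-resolve addresses, so the threshold has to be set against a baseline for the network and known resolvers allowed for; the signal is a host that is not supposed to be looking up names of machines it has no business with.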

Page 56: Packets and Protocols

Wireless sniffer tools
– Netstumbler
  Network scanner, not really a sniffer
– Kismet
  Good all around open source all free tool
– Wireshark
  Sniffer; does not show SSID/Signal strength
– CommView
  Commercial wireless monitor for WiFi
– And others…(P36)

Page 57: Packets and Protocols

Commonly seen protocols
– DHCP
– DNS
– NTP
– HTTP
– SMTP

Page 58: Packets and Protocols

DHCP
– Used to give clients the necessary information they need to function on the network
  IP address
  Subnet mask
  DG
  WINS server
  DNS server
– Sniff for:
  The last ACK packet to gather the most information

Page 59: Packets and Protocols

DNS
– Used to determine the IP address of a hostname and vice versa
  Uses UDP port 53 – TCP for zone transfers and packets >512k
  Used to remotely look up records in a DNS database
– Sniff for:
  The DNS response packet
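The slide says to look at the DNS response; the example below, added here and not course code, shows what decoding one involves. It parses the DNS message format (header, question, answer records) including the label-compression pointers that almost every real response uses, and refuses a message whose pointers loop. The response it parses is constructed in the file by `build_response`, a helper that exists only so the example runs offline; the name and addresses are constructed.

```python
"""Added example (not from the course): parse a DNS response message (RFC 1035
wire format) into its transaction id, response code, question and answers,
handling name compression.  The response bytes are constructed below."""
import struct

TYPE_NAMES = {1: "A", 5: "CNAME", 12: "PTR", 28: "AAAA"}


def read_name(msg, offset):
    """Read a possibly compressed domain name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # the name occupies 2 bytes here
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg):
    ident, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in rdata)     # A record: dotted IPv4
        elif rtype in (5, 12):
            value, _ = read_name(msg, off)              # CNAME/PTR: a (compressed) name
        else:
            value = rdata.hex()
        off += rdlen
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl, "data": value})
    return {"id": ident, "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_response(ident, qname, addresses, ttl=300):
    """Constructed standard response: one A question and one A answer per address.
    Answer names use a pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, len(addresses), 0, 0)   # QR=1 RD=1 RA=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + bytes(int(o) for o in ip.split(".")) for ip in addresses)
    return header + question + answers


SAMPLE_RESPONSE = build_response(0x1A2B, "www.example.com", ["192.0.2.80", "192.0.2.81"])

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
```

Matching the transaction id (and source port) of the response against the query that is outstanding is the first thing to check when a response looks wrong, and the pointer-loop guard is the kind of bounds check a decoder needs before it is pointed at traffic it does not control.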

Page 60: Packets and Protocols

NTP
– Used to reference a time source for synchronization
  Uses UDP port 123
  Uses a server/client model
– Sniff for:
  The NTP response packet with the time and synchronization packet in it.

Page 61: Packets and Protocols

HTTP
– Most commonly used protocol
– Payload is text data
  Uses TCP port 80
  Uses a server/client model
– Sniff for:
  Uses TCP, make sure the handshake takes place, then look for data to follow

Page 62: Packets and Protocols

SMTP
– Used to transfer e-mail from place to mail server to mail server and mail server to client
  Uses TCP port 25
  Payload is text data
– Non-textual data is converted to text via MIME

Page 63: Packets and Protocols

Protecting your network from sniffers

Physical security is the best method
  Lock closets
  Disable ports
  Be alert for hubs, WAPs etc

As a last resort, just make sure that whatever is sniffed is useless to a hacker

Page 64: Packets and Protocols

How to ward off the evil doers
– Use SSH – not TELNET
  SSH encrypts its payload
– Use SSL – not HTTP
  SSL encrypts HTTP data
– Use IPSec
  IPSec is layer three encryption (tunneling)
– Use VPN
  VPN encrypts data into IP tunnels (layer 2 tunneling)