CS772872 Packet sniffers for network analysis - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
CS772/872 Packet sniffers for network analysis
  • Lisa Mathews
  • 10/31/07

2
Outline
  • Introduction
  • Components
  • Implementation
  • Packet Sniffing Prevention/Detection
  • Example

3
Introduction - Definition
  • What is a "packet sniffer"?
    • wire-tap device that plugs into computer networks
    • eavesdrops on the network traffic
    • captures packets and eventually decodes their
      content
    • can be software or hardware
  • Also referred to as network analyzer or protocol
    analyzer
  • Analogy to a packet sniffer: telephone wiretap
    • tap a telephone line to listen in on conversation
    • similarly, packet sniffers can be used to snoop
      on data currently being transmitted across
      network

4
Introduction - Available Packet Sniffers
  • Software
    • Windows
      • Ethereal/Wireshark
      • windump - version of tcpdump for Windows
    • Unix
      • tcpdump
      • Ettercap
  • Hardware
    • EtherPeek
    • LANWatch32

5
Introduction - Picture
6
Introduction - Uses (1)
  • 2 main applications
    • commercial packet sniffers - help maintain
      networks
    • underground packet sniffers - personal gain /
      malicious intent
  • Analyze network problems
    • in token ring network could detect that token has
      been lost or the presence of too many tokens
    • see that messages are being sent to a machine
      • if machine does not respond appropriately then
        failure localized to that machine
    • detect excessive messages being sent by a port,
      detecting an error in the implementation
  • Detect network intrusion attempts
  • Filter suspect content from network traffic

7
Introduction - Uses (2)
  • Monitor network usage
    • analyze data sent to and from secure systems
    • understand and circumvent security measures for
      the purposes of penetration testing
  • Gather and report network statistics
    • locate bottlenecks present in the network
    • find part of the network where data is lost (due
      to network congestion)
    • collect statistics on the amount of traffic
      (number of messages) from a process, detecting the
      need for more bandwidth or a better method

8
Introduction - Uses (3)
  • Reverse engineer protocols used over the network
    • extract messages and reassemble to see
      step-by-step process of a protocol
  • Debug client/server communications
    • passively capture data going between a web
      visitor and the web servers, decode it at the
      HTTP and HTML level
    • create web log files as a substitute for server
      logs and page tagging for web analytics
  • Debug network protocol implementations
    • packet sniffer could be used to diagnose
      operating system connectivity issues like web,
      ftp, sql, active directory, etc.

9
Components (1)
Packet
10
Components (2)
  • The media
    • most products work from standard network adapters
    • if you use special hardware, you can analyze
      hardware faults like CRC errors, voltage
      problems, and "jitter"
  • Capture driver
    • captures the network traffic from the wire,
      filters it for the particular traffic you want
  • Buffer
    • once frames captured from network, they are
      stored in a buffer
    • capture modes
      • capture until the buffer fills up
      • use buffer as a "round robin" where the newest
        data replaces the oldest data

11
Components (3)
  • Real-time analysis
    • analysis of frames as they come off the wire
    • allows for identification of network performance
      issues and faults while capturing
    • many vendors have started to add minimal
      capabilities along this line to their products
  • Decode
    • displays contents of network traffic with
      descriptive text so analyst can figure out what
      is going on.
  • Packet editing/transmission
    • some products contain features that allow you to
      edit your own network packets and transmit them
      onto the network.

12
Implementation - Basics
  • Place packet sniffer where desired
    traffic/packets will pass
    • Internet built to survive any "single point of
      failure"
      • prevents any single point of sniffing
  • Packet sniffer needs necessary protocols
    • "protocol analysis", which allows for "decoding"
      of conversation
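The "decode" component of slide 11 and the "protocol analysis" of slide 12 amount to walking the protocol headers in order, checking each one before trusting its length fields. The Python below is an added example, not code from the presentation: it decodes a constructed Ethernet II / IPv4 / TCP frame, verifies the IPv4 header checksum, and rejects truncated or malformed headers instead of reading past them. The client address 172.17.8.66 and the host www.packet-level.com are taken from the deck's Example 1; the MAC addresses, the server address 198.51.100.10 and the port numbers are constructed for the sample.

```python
"""Minimal Ethernet II / IPv4 / TCP / UDP decoder over a constructed sample
frame. Added example illustrating the "decode" step; not from the deck."""
import struct

def mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)   # same notation as the slides

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def inet_checksum(data):
    """RFC 1071 one's-complement sum. Over a header that already carries its
    checksum the result is 0 when the header is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))

def decode_tcp(seg):
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", seg[:16])
    hlen = (off_flags >> 12) * 4            # data offset is in 32-bit words
    flags = [name for name, bit in TCP_FLAGS if off_flags & bit]
    return {"transport": "TCP", "src_port": sport, "dst_port": dport, "seq": seq,
            "ack": ack, "flags": flags, "window": window, "payload": seg[hlen:]}

def decode_udp(dgram):
    if len(dgram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", dgram[:8])
    return {"transport": "UDP", "src_port": sport, "dst_port": dport,
            "payload": dgram[8:length]}

def decode_frame(frame):
    """Decode one captured frame into a dict of fields. Raises ValueError on
    truncated or malformed headers rather than indexing past them."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != 0x0800:                 # only IPv4 is decoded further here
        return info
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, s, d) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("malformed IPv4 header")
    info.update(src_ip=ip_str(s), dst_ip=ip_str(d), ttl=ttl, protocol=proto,
                ip_checksum_ok=inet_checksum(ip[:ihl]) == 0)
    payload = ip[ihl:total_len]
    if proto == 6:
        info.update(decode_tcp(payload))
    elif proto == 17:
        info.update(decode_udp(payload))
    return info

def build_sample_frame():
    """Constructed HTTP request from the deck's client 172.17.8.66 to a web
    server at 198.51.100.10 (placeholder; the deck gives no server address).
    MACs and ports are constructed too. TCP checksum is left zero."""
    http = b"GET / HTTP/1.1\r\nHost: www.packet-level.com\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 1000, 2000,
                      (5 << 12) | 0x18, 65535, 0, 0) + http      # PSH|ACK
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                         64, 6, 0, bytes([172, 17, 8, 66]), bytes([198, 51, 100, 10]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("001122334466") + b"\x08\x00"
    return eth + ip_hdr + tcp
```

Feeding a frame captured by the driver into decode_frame gives the same fields a sniffer's decode pane shows; an ARP frame (ethertype 0x0806) stops after the Ethernet layer, and a frame cut short by the capture length raises instead of producing garbage.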

13
(No Transcript)
14
Implementation - Shared Networks
  • IEEE 802.3 Ethernet LANs employ a broadcast
    technology
    • all machines on local network share same wire
    • individual identifier needed
      • Media Access Control (MAC) address
  • Network Interface Card (NIC) checks destination
    address of arriving packet
    • Normal operation
      • accepts packets based on MAC address, otherwise
        discards
    • promiscuous mode
      • looks at all of the packets on the wires it is
        hooked to
      • totally passive and very hard to detect

15
Implementation - Promiscuous Mode
16
Implementation - Switched Networks
  • Switch maintains a table
    • each computer's MAC address
    • physical port on the switch to which the MAC
      address is connected
    • switch delivers packets to intended machine
  • Switched network more secure, but there are still
    methods for packet sniffing
    • MAC flooding
      • fail open mode
    • ARP (Address Resolution Protocol)
      spoofing/poisoning
    • configure ports as "monitor" or "span" ports

17
Packet Sniffing Prevention (1)
  • Problem: HTTP (Hypertext Transfer Protocol)
    • many web sites use authentication technique which
      prompts the user for a username and password,
      which are sent across the network in plain-text
    • data sent in clear-text
  • Solution: HTTPS / SSL (Secure Sockets Layer)
    • built into all popular web browsers and web
      servers
    • allows encrypted web surfing
      • ex: during e-commerce users enter credit card info

18
Packet Sniffing Prevention (2)
  • Problem: POP (Post Office Protocol) / IMAP
    (Internet Message Access Protocol)
    • passwords sent in the clear
    • data sent in clear
  • Solution: PGP (Pretty Good Privacy) and S/MIME
    (Secure Multipurpose Internet Mail Extensions)
    • use public key cryptography

19
Packet Sniffing Prevention (3)
  • Problem: FTP (File Transfer Protocol) / telnet
    • passwords sent in the clear
    • data sent in clear
  • Solution: SFTP / SSH (Secure Shell)
    • has become the de facto standard for logging into
      UNIX machines from the Internet

20
Packet Sniffing Detection - Ping
  • Most packet sniffers run on normal machines with
    normal TCP/IP stack
    • if you send a request to these machines, they
      will respond
  • Send a request to IP address of the machine, but
    not to its Ethernet adapter
    • machine suspected of running the packet sniffer
      has IP address 10.0.0.1 and Ethernet address
      00-40-05-A4-79-32
    • you are on the same Ethernet segment as the
      suspect
    • transmit an ICMP Echo Request (ping) with the
      correct IP address but wrong destination MAC
      address
      • nobody should see this packet
      • if a response is received, then the machine
        suspected is sniffing the wire
  • There are ways of defending against this. Now that
    this technique is widely publicized, newer
    hackers will enable a virtual MAC address filter
    in their code.

21
Packet Sniffing Detection - ARP
  • When sending out a single ARP to the broadcast
    address, IP-to-Ethernet address mapping is
    included
    • everyone else on wire remembers this information
      for next few minutes
  • Send out non-broadcast ARP, then a broadcast ping
    • anybody who responds to ping without ARPing could
      only have gotten the MAC address from a sniffed
      ARP frame
    • to make double-sure, use a different source MAC
      address in the ping
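Both detection probes (slides 20 and 21) rest on the same fact from slide 14: a NIC in normal mode hands the IP stack only frames addressed to its own MAC or to the broadcast MAC, while a promiscuous NIC hands it everything. The Python below is an added example, not part of the presentation: it models a shared segment with that filter and runs both probes against it, the wrong-MAC ping and the non-broadcast ARP followed by a broadcast ping from a second source MAC. The suspect 10.0.0.1 / 00-40-05-A4-79-32 is the slide's example address; the other hosts, the detector's addresses, the bogus MAC and the frame model are constructed, and nothing here touches a real network.

```python
"""Simulation of the two sniffer-detection probes on the slides: a ping with a
wrong destination MAC (slide 20) and a non-broadcast ARP followed by a broadcast
ping (slide 21). Hosts, addresses and the frame model are constructed."""
from dataclasses import dataclass, field

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
BROADCAST_IP = "10.0.0.255"        # directed broadcast of the constructed 10.0.0.0/24
BOGUS_MAC = "00-DE-AD-BE-EF-00"    # a MAC that no NIC on the segment owns

@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    proto: str   # "arp" or "icmp"
    kind: str    # arp: "request" / "reply"; icmp: "echo-request" / "echo-reply"
    src_ip: str
    dst_ip: str

@dataclass
class Host:
    ip: str
    mac: str
    promiscuous: bool = False
    arp_cache: dict = field(default_factory=dict)
    pending_replies: list = field(default_factory=list)
    arp_requests_sent: int = 0

    def nic_accepts(self, frame):
        # Normal mode: only frames for this MAC or the broadcast MAC reach the
        # IP stack. Promiscuous mode: every frame on the wire does.
        return self.promiscuous or frame.dst_mac in (self.mac, BROADCAST_MAC)

    def _echo_reply(self, ip):
        return Frame(self.arp_cache[ip], self.mac, "icmp", "echo-reply", self.ip, ip)

    def handle(self, frame):
        """Frames this host's stack emits in response to one received frame."""
        if not self.nic_accepts(frame):
            return []
        out = []
        if frame.proto == "arp":
            # Any ARP frame the stack sees teaches it the sender's IP-to-MAC mapping.
            self.arp_cache[frame.src_ip] = frame.src_mac
            if frame.kind == "request" and frame.dst_ip == self.ip:
                out.append(Frame(frame.src_mac, self.mac, "arp", "reply", self.ip, frame.src_ip))
            while frame.src_ip in self.pending_replies:   # echo reply waiting on this mapping
                self.pending_replies.remove(frame.src_ip)
                out.append(self._echo_reply(frame.src_ip))
        elif frame.kind == "echo-request" and frame.dst_ip in (self.ip, BROADCAST_IP):
            if frame.src_ip in self.arp_cache:
                out.append(self._echo_reply(frame.src_ip))
            else:
                # No cached mapping: a normal stack must ARP before it can address the reply.
                self.arp_requests_sent += 1
                self.pending_replies.append(frame.src_ip)
                out.append(Frame(BROADCAST_MAC, self.mac, "arp", "request", self.ip, frame.src_ip))
        return out

class Wire:
    """Shared Ethernet segment: every frame reaches every NIC. The detector is
    modelled only by the MAC it uses to answer ARP requests for its own IP."""
    def __init__(self, hosts):
        self.hosts = hosts

    def transmit(self, frame, detector_ip, detector_mac):
        queue, emitted = [frame], []
        while queue:
            f = queue.pop(0)
            for host in self.hosts:
                for out in host.handle(f):
                    emitted.append(out)
                    if out.proto == "arp" and out.kind == "request" and out.dst_ip == detector_ip:
                        queue.append(Frame(out.src_mac, detector_mac, "arp", "reply", detector_ip, out.src_ip))
        return emitted

def probe_wrong_mac_ping(wire, detector_ip, detector_mac, target_ip):
    """Slide 20: echo request to the target's IP but a bogus destination MAC. A
    NIC in normal mode drops it, so a reply means the stack sees every frame."""
    probe = Frame(BOGUS_MAC, detector_mac, "icmp", "echo-request", detector_ip, target_ip)
    replies = wire.transmit(probe, detector_ip, detector_mac)
    return any(f.kind == "echo-reply" and f.src_ip == target_ip for f in replies)

def probe_arp_then_broadcast_ping(wire, detector_ip, arp_mac, ping_mac):
    """Slide 21: a non-broadcast ARP carrying our mapping, then a broadcast ping
    from a different source MAC. Suspects are hosts that answer without ARPing
    for us, or that address the reply to the MAC only the sniffed ARP carried."""
    for host in wire.hosts:
        host.arp_requests_sent = 0
    arp = Frame(BOGUS_MAC, arp_mac, "arp", "request", detector_ip, "10.0.0.250")
    wire.transmit(arp, detector_ip, ping_mac)
    ping = Frame(BROADCAST_MAC, ping_mac, "icmp", "echo-request", detector_ip, BROADCAST_IP)
    replies = wire.transmit(ping, detector_ip, ping_mac)
    by_ip = {h.ip: h for h in wire.hosts}
    return {f.src_ip for f in replies if f.kind == "echo-reply"
            and (f.dst_mac != ping_mac or by_ip[f.src_ip].arp_requests_sent == 0)}

def build_segment():
    """Constructed segment: one normal host plus the slide's suspect
    (10.0.0.1 / 00-40-05-A4-79-32) running in promiscuous mode."""
    return Wire([Host("10.0.0.2", "00-40-05-B1-00-02"),
                 Host("10.0.0.1", "00-40-05-A4-79-32", promiscuous=True)])
```

With the detector at 10.0.0.9 using 00-11-22-33-44-55 for the ARP and 00-11-22-33-44-66 for the ping, only the promiscuous host answers the wrong-MAC ping, and only it answers the broadcast ping without ARPing, addressing its reply to the MAC it could only have learned from the sniffed ARP. The slide's closing caveat applies to the model as well: a sniffer that re-implements the MAC filter in software before passing frames to its stack would pass both probes.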

22
Packet Sniffing Detection - Tools
  • AntiSniff
    • http://web.archive.org/web/20050221103207/http://www.l0pht.com/antisniff/
      The most comprehensive sniffer-detection tool.
  • CPM (Check Promiscuous Mode)
    • http://web.archive.org/web/20050221103207/ftp://coast.cs.purdue.edu/pub/tools/unix/cpm/
      A tool from Carnegie-Mellon that checks to see if promiscuous
      mode is enabled on a UNIX machine.
  • neped
    • http://web.archive.org/web/20050221103207/http://www.apostols.org/projectz/neped/
      A tool from The Apostols that detects packet sniffers running on
      the local segment.

23
Example 1 - Troubleshooting a Slow Router (1)
24
Example 1 - Troubleshooting a Slow Router (2)
  • Packet 18 - client (172.17.8.66) makes request to
    get website www.packet-level.com
  • Packet 19 - next packet over 1 second later is
    client requesting webpage a second time
  • Packet 20 - finally see response from DNS server
    pointing to IP address of web server
  • Packets 21 to 23 - TCP/IP handshake (SYN,
    SYN/ACK, ACK)
    • see fast response from client, slow response from
      server
    • begin to see that it is something other than the
      client causing the network latency

25
Example 1 - Troubleshooting a Slow Router (3)
  • Packet 26 - reply to second DNS request
  • Packet 27 - client already established a
    connection with the server
    • no real need for this second connection so client
      sends ICMP destination unreachable packet
      immediately following receipt of DNS response

26
Example 1 - Troubleshooting a Slow Router (4)
  • Packet 25 - after making initial TCP/IP handshake
    the client requests the actual content of webpage
  • Packet 29 - a little under 3 seconds goes by
    before first TCP Retransmission packet
  • Packet 32 - about 6 seconds goes by before
    second TCP Retransmission packet
  • Packet 33 - finally see response

27
Example 1 - Fixing the Problem
  • Given information just seen, we know client is
    not at fault for slow communication
  • Principal rule of thumb for figuring out
    problem location is to move upstream along the
    network
  • In this network, next step would be to look at
    router to see if it is malfunctioning in any
    way
  • Upon rebooting the router on this particular
    network, the speed of data communication
    increased tremendously and the problem was solved
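The reasoning of slides 24 to 27 can be mechanised: attribute every gap in the capture either to the side that took that long to answer, or, for a retransmission, to the peer that stayed silent, and the side carrying the large waits is the one to look upstream of. The Python below is an added example, not from the deck. Its packet list reproduces the slides' packet numbers and narrative (DNS retry after over a second, retransmissions a little under 3 and about 6 seconds apart); the timestamps are constructed to match those stated gaps, and the DNS and web server are named only as placeholders because the deck gives no server addresses.

```python
"""Timeline analysis of the slides' slow-router capture (Example 1). Packet
numbers and narrative follow the deck; timestamps are constructed to match the
gaps the slides state and are not taken from the original capture."""
from collections import defaultdict
from dataclasses import dataclass

CLIENT = "172.17.8.66"
DNS, WEB = "dns-server", "web-server"   # placeholders; the deck names neither address

@dataclass
class Pkt:
    num: int
    ts: float               # seconds since start of capture (constructed)
    src: str
    dst: str
    info: str
    retrans: bool = False   # repeats an earlier packet to the same peer

SAMPLE = [
    Pkt(18, 0.000, CLIENT, DNS, "DNS query www.packet-level.com"),
    Pkt(19, 1.050, CLIENT, DNS, "DNS query, second attempt", retrans=True),
    Pkt(20, 1.120, DNS, CLIENT, "DNS response"),
    Pkt(21, 1.125, CLIENT, WEB, "TCP SYN"),
    Pkt(22, 1.900, WEB, CLIENT, "TCP SYN/ACK"),
    Pkt(23, 1.905, CLIENT, WEB, "TCP ACK"),
    Pkt(25, 1.910, CLIENT, WEB, "HTTP GET"),
    Pkt(26, 2.100, DNS, CLIENT, "DNS response to second query"),
    Pkt(27, 2.105, CLIENT, DNS, "ICMP destination unreachable"),
    Pkt(29, 4.800, CLIENT, WEB, "TCP retransmission of HTTP GET", retrans=True),
    Pkt(32, 10.700, CLIENT, WEB, "TCP retransmission of HTTP GET", retrans=True),
    Pkt(33, 11.400, WEB, CLIENT, "HTTP response"),
]

def unanswered_waits(packets):
    """For each retransmitted packet: which peer stayed silent and for how long,
    measured from the last packet the sender sent that peer.
    Returns {packet number: (peer, seconds)}."""
    last_to, waits = {}, {}
    for p in packets:
        if p.retrans and (p.src, p.dst) in last_to:
            waits[p.num] = (p.dst, round(p.ts - last_to[(p.src, p.dst)], 3))
        last_to[(p.src, p.dst)] = p.ts
    return waits

def response_times(packets):
    """Worst time each host took to answer the packet immediately before it.
    Retransmissions are skipped: they measure the peer's silence, not the sender."""
    worst = defaultdict(float)
    for prev, p in zip(packets, packets[1:]):
        if not p.retrans and prev.src == p.dst and prev.dst == p.src:
            worst[p.src] = max(worst[p.src], round(p.ts - prev.ts, 3))
    return dict(worst)

def locate_delay(packets, client=CLIENT):
    """The slides' reasoning: if the client answers promptly and every long wait
    sits on the far side, the latency lies upstream of the client. Reports the
    host the capture points at, its worst wait, and the client's worst wait."""
    blame = defaultdict(float, response_times(packets))
    for peer, wait in unanswered_waits(packets).values():
        blame[peer] = max(blame[peer], wait)
    culprit = max(blame, key=blame.get)
    return {"slowest": culprit, "worst_wait": blame[culprit], "client_worst": blame[client]}
```

On the sample the client never takes more than a few milliseconds to answer, while the web server side accumulates waits of 2.89 and 5.9 seconds and the DNS side 1.05 seconds, which is the picture the slides use to move the investigation to the router. The same two functions run unchanged over a packet list exported from a real capture, provided retransmissions are flagged.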

28
References
  • http://web.archive.org/web/20050221103207/http://www.robertgraham.com/pubs/sniffing-faq.html
  • http://ieeexplore.ieee.org.proxy.lib.odu.edu/iel5/45/26303/01166620.pdf?tp=&arnumber=1166620&isnumber=26303
  • http://www.irongeek.com/i.php?page=security/AQuickIntrotoSniffers
  • http://www.cse.ohio-state.edu/xuan/courses/551/551_2006_6_rock.ppt35
  • http://engr.smu.edu/rewini/5-7339/raoudha-9-28-04.ppt24
  • http://en.wikipedia.org/wiki/Packet_sniffer
  • http://www.chrissanders.org/?cat=11

29
Questions/Comments
  • ?