CS772872 Packet sniffers for network analysis

1
CS772/872Packet sniffers for network analysis

• Lisa Mathews
• 10/31/07

2
Outline

• Introduction
• Components
• Implementation
• Packet Sniffing Prevention/Detection
• Example

3
Introduction - Definition

• What is a "packet sniffer"?
• wire-tap device that plugs into computer networks
• eavesdrops on the network traffic
• captures packets and eventually decodes its
  content
• can be software or hardware
• Also referred to as network analyzer or protocol
  analyzer
• Analogy to a packet sniffer telephone wiretap
• tap a telephone line to listen in on conversation
• similarly, packet sniffers can be used to snoop
  on data currently being transmitted across
  network

4
Introduction Available Packet Sniffers

• Software
• Windows
• Ethereal/Wireshark
• windump - version of tcpdump for Windows
• Unix
• tcpdump
• Ettercap
• Hardware
• EtherPeek
• LANWatch32

5
Introduction - Picture
6
Introduction Uses (1)

• 2 main applications
• commercial packet sniffers help maintain
  networks
• underground packet sniffers personal gain /
  malicious intent
• Analyze network problems
• in token ring network could detect that token has
  been lost or the presence of too many tokens
• see that messages are being sent to a machine
• if machine does not respond appropriately then
  failure localized to that machine
• detect excessive messages being sent by a port,
  detecting an error in the implementation
• Detect network intrusion attempts
• Filter suspect content from network traffic

7
Introduction Uses (2)

• Monitor network usage
• analyze data sent to and from secure systems
• understand and circumvent security measures for
  the purposes of penetration testing
• Gather and report network statistics
• locate bottlenecks present in the network
• find part of the network where data is lost (due
  to network congestion)
• collect statistics on the amount of traffic
  (number of messages) from a process detecting the
  need for more bandwidth or a better method

8
Introduction Uses (3)

• Reverse engineer protocols used over the network
• extract messages and reassemble to see
  step-by-step process of a protocol
• Debug client/server communications
• passively capture data going between a web
  visitor and the web servers, decode it at the
  HTTP and HTML level
• create web log files as a substitute for server
  logs and page tagging for web analytics
• Debug network protocol implementations
• packet sniffer could be used to diagnose
  operating system connectivity issues like web,
  ftp, sql, active directory, etc.

9
Components (1)
Packet
10
Components (2)

• The media
• most products work from standard network adapters
• if you use special hardware, you can analyze
  hardware faults like CRC errors, voltage
  problems, and "jitter"
• Capture driver
• captures the network traffic from the wire,
  filters it for the particular traffic you want
• Buffer
• once frames captured from network, they are
  stored in a buffer
• captures modes
• capture until the buffer fills up
• use buffer as a "round robin" where the newest
  data replaces the oldest data

11
Components (3)

• Real-time analysis
• analysis of frames as they come off the wire
• allows for identification of network performance
  issues and faults while capturing
• many vendors have started to add minimal
  capabilities along this line to their products
• Decode
• displays contents of network traffic with
  descriptive text so analyst can figure out what
  is going on.
• Packet editing/transmission
• some products contain features that allow you to
  edit your own network packets and transmit them
  onto the network.

12
Implementation - Basics

• Place packet sniffer where desired
  traffic/packets will pass
• Internet built to survive any "single point of
  failure"
• prevents any single point of sniffing
• Packet sniffer needs necessary protocols
• "protocol analysis", which allows for "decoding"
  of conversation

13
(No Transcript)
14
Implementation - Shared Networks

• IEEE 802.3 Ethernet LANs employ a broadcast
  technology
• all machines on local network share same wire
• individual identifier needed
• Media Access Control (MAC) address
• Network Interface Card (NIC) checks destination
  address of arriving packet
• Normal operation
• accepts packets based off MAC address otherwise
  discard
• promiscuous mode
• look at all of the packets on the wires it is
  hooked to
• Totally passive and very hard to detect

15
Implementation Promiscuous Mode
16
Implementation - Switched Networks

• Switch maintains a table
• each computers MAC address
• physical port on the switch to which the MAC
  address is connected
• switch delivers packets to intended machine
• Switched network more secure, but there are still
  methods for packet sniffing
• MAC flooding
• fail open mode
• ARP (Address Resolution Protocol)
  spoofing/poisoning
• configure ports as "monitor" or "span" ports

17
Packet Sniffing Prevention (1)

• Problem HTTP (Hypertext Transfer Protocol)
• many web sites use authentication technique which
  prompts the user for a username and password,
  which are sent across the network in plain-text
• data sent in clear-text
• Solution HTTPS SSL (Secure Sockets Layer)
• built into all popular web browsers and web
  servers
• allows encrypted web surfing
• ex during e-commerce users enter credit card info

18
Packet Sniffing Prevention (2)

• Problem POP (Post Office Protocol) IMAP
  (Internet Message Access Protocol)
• passwords sent in the clear
• data sent in clear
• Solution PGP (Pretty Good Privacy) and S/MIME
  (Secure Multipurpose Internet Mail Extensions)
• use public key cryptography

19
Packet Sniffing Prevention (3)

• Problem FTP (File Transfer Protocol) telnet
• passwords sent in the clear
• data sent in clear
• Solution SFTP / SSH (Secure Shell)
• has become the de facto standard for logging into
  UNIX machines from the Internet

20
Packet Sniffing Detection - Ping

• Most packet sniffers run on normal machines with
  normal TCP/IP stack
• if you send a request to these machines, they
  will respond
• Send a request to IP address of the machine, but
  not to its Ethernet adapter
• machine suspected of running the packet sniffer
  has IP address 10.0.0.1 and Ethernet address
  00-40-05-A4-79-32
• you are on the same Ethernet segment as the
  suspect
• transmit an ICMP Echo Request (ping) with the
  correct IP address but wrong destination MAC
  address
• nobody should see this packet
• if a response is received, then the machine
  suspected is sniffing the wire
• There are ways defending against this. Now that
  this technique is widely publicized, newer
  hackers will enable a virtual MAC address filter
  in their code.

21
Packet Sniffing Detection - ARP

• When sending out a single ARP to the broadcast
  address, IP-to-Ethernet address mapping is
  included
• everyone else on wire remembers this information
  for next few minutes
• Send out non-broadcast ARP, then a broadcast ping
• anybody who responds to ping without ARPing could
  only have gotten the MAC address from a sniffed
  ARP frame
• to make double-sure, use a different source MAC
  address in the ping

22
Packet Sniffing Detection Tools

• AntiSniff
• http//web.archive.org/web/20050221103207/http//w
  ww.l0pht.com/antisniff/ The most comprehensive
  sniffer-detection tool.
• CPM (Check Promiscuous Mode)
• http//web.archive.org/web/20050221103207/ftp//co
  ast.cs.purdue.edu/pub/tools/unix/cpm/ A tool from
  Carnegie-Mellon that checks to see if promiscuous
  mode is enabled on a UNIX machine.
• neped
• http//web.archive.org/web/20050221103207/http//w
  ww.apostols.org/projectz/neped/ A tool from The
  Apostols that detects packet sniffers running on
  the local segment.

23
Example 1 - Troubleshooting a Slow Router (1)
24
Example 1 Troubleshooting a Slow Router (2)

• Packet 18 - client (172.17.8.66) makes request to
  get website www.packet-level.com
• Packet 19 - next packet over 1 second later is
  client requesting webpage a second time
• Packet 20 - finally see response from DNS server
  pointing to IP address of web server
• Packets 21 to 23 - TCP/IP handshake (SYN,
  SYN/ACK, ACK)
• see fast response from client, slow response from
  server
• begin to see that it is something other than the
  client causing the network latency

25
Example 1 Troubleshooting a Slow Router (3)

• Packet 26 - reply to second DNS request
• Packet 27 - client already established a
  connection with the server
• no real need for this second connection so client
  sends ICMP destination unreachable packet
  immediately following receipt of DNS response

26
Example 1 Troubleshooting a Slow Router (4)

• Packet 25 - after making initial TCP/IP handshake
  the client requests the actual content of webpage
• Packet 29 - a little under 3 seconds goes by
  before first TCP Retransmission packet
• Packet 32 - about 6 seconds goes by before
  second TCP Retransmission packet
• Packet 33 finally see response

27
Example 1 Fixing the Problem

• Given information just seen, we know client is
  not at fault for slow communication
• Principal rule of thought for figuring out
  problem location is to move upstream along the
  network
• In this network, next step would be to look at
  router to to see if it is malfunctioning in any
  way
• Upon rebooting the router on this particular
  network, the speed of data communication
  increased tremendously and the problem was solved

28
References

• http//web.archive.org/web/20050221103207/http//w
  ww.robertgraham.com/pubs/sniffing-faq.html
• http//ieeexplore.ieee.org.proxy.lib.odu.edu/iel5/
  45/26303/01166620.pdf?tparnumber1166620isnumbe
  r26303
• http//www.irongeek.com/i.php?pagesecurity/AQuick
  IntrotoSniffers
• http//www.cse.ohio-state.edu/xuan/courses/551/55
  1_2006_6_rock.ppt35
• http//engr.smu.edu/rewini/5-7339/raoudha-9-28-04
  .ppt24
• http//en.wikipedia.org/wiki/Packet_sniffer
• http//www.chrissanders.org/?cat11

29
Questions/Comments

• ?