Title: CS772/872 Packet sniffers for network analysis
CS772/872 Packet sniffers for network analysis
Outline
- Introduction
- Components
- Implementation
- Packet Sniffing Prevention/Detection
- Example
Introduction - Definition
- What is a "packet sniffer"?
  - wire-tap device that plugs into computer networks
  - eavesdrops on the network traffic
  - captures packets and eventually decodes their content
  - can be software or hardware
- Also referred to as a network analyzer or protocol analyzer
- Analogy: a packet sniffer is like a telephone wiretap
  - tap a telephone line to listen in on a conversation
  - similarly, packet sniffers can be used to snoop on data currently being transmitted across a network
Introduction - Available Packet Sniffers
- Software
  - Windows
    - Ethereal/Wireshark
    - windump - version of tcpdump for Windows
  - Unix
    - tcpdump
    - Ettercap
- Hardware
  - EtherPeek
  - LANWatch32
Introduction - Picture
Introduction - Uses (1)
- 2 main applications
  - commercial packet sniffers help maintain networks
  - underground packet sniffers: personal gain / malicious intent
- Analyze network problems
  - in a token ring network, could detect that the token has been lost or the presence of too many tokens
  - see that messages are being sent to a machine
    - if the machine does not respond appropriately, then the failure is localized to that machine
  - detect excessive messages being sent by a port, detecting an error in the implementation
- Detect network intrusion attempts
- Filter suspect content from network traffic
Introduction - Uses (2)
- Monitor network usage
  - analyze data sent to and from secure systems
  - understand and circumvent security measures for the purposes of penetration testing
- Gather and report network statistics
  - locate bottlenecks present in the network
  - find the part of the network where data is lost (due to network congestion)
  - collect statistics on the amount of traffic (number of messages) from a process, detecting the need for more bandwidth or a better method
Introduction - Uses (3)
- Reverse engineer protocols used over the network
  - extract messages and reassemble them to see the step-by-step process of a protocol
- Debug client/server communications
  - passively capture data going between a web visitor and the web servers, decode it at the HTTP and HTML level
  - create web log files as a substitute for server logs and page tagging for web analytics
- Debug network protocol implementations
  - a packet sniffer could be used to diagnose operating system connectivity issues like web, ftp, sql, active directory, etc.
Components (1)
(figure: Packet)
Components (2)
- The media
  - most products work from standard network adapters
  - if you use special hardware, you can analyze hardware faults like CRC errors, voltage problems, and "jitter"
- Capture driver
  - captures the network traffic from the wire, filters it for the particular traffic you want
- Buffer
  - once frames are captured from the network, they are stored in a buffer
  - capture modes
    - capture until the buffer fills up
    - use the buffer as a "round robin" where the newest data replaces the oldest data
Components (3)
- Real-time analysis
  - analysis of frames as they come off the wire
  - allows for identification of network performance issues and faults while capturing
  - many vendors have started to add minimal capabilities along this line to their products
- Decode
  - displays the contents of network traffic with descriptive text so the analyst can figure out what is going on
- Packet editing/transmission
  - some products contain features that allow you to edit your own network packets and transmit them onto the network
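The capture driver, buffer and decode stages above can be seen working together in a few dozen lines. The following is an added example written for these notes (it is not code from the slides or from any of the tools they list): a decoder for Ethernet II / IPv4 / TCP headers, a buffer that supports both "capture until full" and "round robin" modes, and a capture loop that applies a filter before storing. The sample frame is constructed inline (a TCP SYN from 10.0.0.5 to 10.0.0.1, reusing the slides' 00-40-05-A4-79-32 address as the destination MAC); the IP checksum is verified, the TCP checksum is not.

```python
import struct
from collections import deque


def mac_str(raw: bytes) -> str:
    # Same dashed notation the slides use (e.g. 00-40-05-A4-79-32)
    return "-".join("%02X" % b for b in raw)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 when `header` already carries a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Decode stage: Ethernet II -> IPv4 -> TCP/UDP/ICMP headers into a dict of fields."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]), "ethertype": ethertype}
    if ethertype != 0x0800:            # only IPv4 is decoded in this example
        out["payload"] = frame[14:]
        return out
    ip = frame[14:]
    (vihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    ip = ip[:total_len]
    out.update(src_ip=".".join(map(str, src)), dst_ip=".".join(map(str, dst)),
               ttl=ttl, proto=proto, ip_checksum_ok=(ip_checksum(ip[:ihl]) == 0))
    l4 = ip[ihl:]
    if proto == 6:                     # TCP
        sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", l4[:16])
        data_offset = (off >> 4) * 4
        out.update(transport="TCP", src_port=sport, dst_port=dport, seq=seq, ack=ack,
                   syn=bool(flags & 0x02), ack_flag=bool(flags & 0x10), window=win,
                   data=l4[data_offset:])
    elif proto == 17:                  # UDP
        sport, dport, length, _ = struct.unpack("!HHHH", l4[:8])
        out.update(transport="UDP", src_port=sport, dst_port=dport, data=l4[8:length])
    elif proto == 1:                   # ICMP
        out.update(transport="ICMP", icmp_type=l4[0], icmp_code=l4[1], data=l4[8:])
    else:
        out.update(transport=str(proto), data=l4)
    return out


class CaptureBuffer:
    """Buffer stage: keep frames until full, or as a round-robin ring (newest replaces oldest)."""

    def __init__(self, capacity: int, round_robin: bool):
        self.frames = deque()
        self.capacity = capacity
        self.round_robin = round_robin
        self.dropped = 0

    def store(self, frame: bytes) -> bool:
        if len(self.frames) < self.capacity:
            self.frames.append(frame)
            return True
        if self.round_robin:
            self.frames.popleft()
            self.frames.append(frame)
            return True
        self.dropped += 1              # "capture until the buffer fills up": drop afterwards
        return False


def capture(frames, keep, buf: CaptureBuffer) -> int:
    """Capture-driver stage: decode each frame and store only those the filter `keep` accepts."""
    kept = 0
    for raw in frames:
        if keep(decode_frame(raw)) and buf.store(raw):
            kept += 1
    return kept


def build_sample_frame(src_port: int = 40000, dst_port: int = 80) -> bytes:
    """Constructed TCP SYN 10.0.0.5 -> 10.0.0.1 with a valid IPv4 checksum (not a real capture)."""
    eth = bytes.fromhex("004005A47932") + bytes.fromhex("001122334455") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    fields = [0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
              bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return eth + struct.pack("!BBHHHBBH4s4s", *fields) + tcp


if __name__ == "__main__":
    ring = CaptureBuffer(capacity=2, round_robin=True)
    frames = [build_sample_frame(dst_port=p) for p in (80, 22, 80, 80)]
    print("stored", capture(frames, lambda p: p.get("dst_port") == 80, ring), "frames")
    print(decode_frame(ring.frames[-1]))
```

The filter callback plays the role of the capture driver's selection ("filters it for the particular traffic you want"); a real capture driver applies an equivalent predicate in the kernel so that uninteresting frames never reach the buffer.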
Implementation - Basics
- Place the packet sniffer where the desired traffic/packets will pass
  - the Internet was built to survive any "single point of failure"
  - this prevents any single point of sniffing
- The packet sniffer needs the necessary protocols
  - "protocol analysis", which allows for "decoding" of the conversation
Implementation - Shared Networks
- IEEE 802.3 Ethernet LANs employ a broadcast technology
  - all machines on the local network share the same wire
  - an individual identifier is needed
    - Media Access Control (MAC) address
  - the Network Interface Card (NIC) checks the destination address of an arriving packet
- Normal operation
  - accepts packets based on the MAC address, otherwise discards them
- Promiscuous mode
  - looks at all of the packets on the wire it is hooked to
  - totally passive and very hard to detect
Implementation - Promiscuous Mode
Implementation - Switched Networks
- The switch maintains a table
  - each computer's MAC address
  - the physical port on the switch to which the MAC address is connected
  - the switch delivers packets only to the intended machine
- A switched network is more secure, but there are still methods for packet sniffing
  - MAC flooding
    - fail open mode
  - ARP (Address Resolution Protocol) spoofing/poisoning
  - configure ports as "monitor" or "span" ports
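Both of the switch-side techniques named above leave traces that a monitoring system can look for: MAC flooding shows up as an implausible number of distinct source MACs arriving on one port, and ARP poisoning shows up as an ARP reply that changes the MAC bound to an IP address that was already known (typically the gateway). The following is an added example for these notes, not code from the slides: two detectors run over a constructed list of frame records (timestamp, switch port, source MAC, and for ARP replies the sender IP). The gateway binding reuses the slides' 10.0.0.1 / 00-40-05-A4-79-32 pair; the record format and thresholds are assumptions.

```python
from collections import defaultdict, deque


def detect_mac_flooding(frames, window_s=1.0, max_macs_per_port=16):
    """Flag ports that see more distinct source MACs within `window_s` seconds than an
    ordinary edge port should. Returns {port: peak distinct-MAC count} for flagged ports."""
    recent = defaultdict(deque)          # port -> deque of (time, src_mac) inside the window
    peak = {}
    for f in frames:
        q = recent[f["port"]]
        q.append((f["t"], f["src_mac"]))
        while q and f["t"] - q[0][0] > window_s:
            q.popleft()
        distinct = len({mac for _, mac in q})
        if distinct > max_macs_per_port:
            peak[f["port"]] = max(peak.get(f["port"], 0), distinct)
    return peak


def detect_arp_poisoning(frames, known=None):
    """Flag ARP replies that rebind an IP address to a different MAC. `known` seeds
    trusted bindings (for example the gateway). Returns [(ip, old_mac, new_mac, t)]."""
    bindings = dict(known or {})
    alerts = []
    for f in frames:
        if f.get("arp_op") != "reply":
            continue
        ip, mac = f["sender_ip"], f["src_mac"]
        if ip in bindings and bindings[ip] != mac:
            alerts.append((ip, bindings[ip], mac, f["t"]))   # keep the original binding
        else:
            bindings.setdefault(ip, mac)                     # first sighting becomes the binding
    return alerts


# Constructed gateway binding (the slides' example address pair), used as trusted seed.
GATEWAY = {"10.0.0.1": "00-40-05-A4-79-32"}


def sample_frames():
    """Constructed frame records, not a real capture."""
    frames = []
    # Port 1: two ordinary workstations chatting.
    for i in range(40):
        frames.append({"t": i * 0.05, "port": 1,
                       "src_mac": ("00-AA-00-00-00-01", "00-AA-00-00-00-02")[i % 2]})
    # Port 3: a new source MAC every 10 ms, the signature of a flooding attempt.
    for i in range(200):
        frames.append({"t": 2.0 + i * 0.01, "port": 3,
                       "src_mac": "02-00-00-00-%02X-%02X" % (i // 256, i % 256)})
    # Port 2: the real gateway answers an ARP request ...
    frames.append({"t": 5.0, "port": 2, "src_mac": "00-40-05-A4-79-32",
                   "arp_op": "reply", "sender_ip": "10.0.0.1"})
    # ... and a host on port 3 later claims the gateway's IP with its own MAC.
    frames.append({"t": 5.5, "port": 3, "src_mac": "02-00-00-00-00-C7",
                   "arp_op": "reply", "sender_ip": "10.0.0.1"})
    return sorted(frames, key=lambda f: f["t"])


if __name__ == "__main__":
    frames = sample_frames()
    print("flooded ports:", detect_mac_flooding(frames))
    print("ARP rebinding alerts:", detect_arp_poisoning(frames, GATEWAY))
```

On the switch itself the corresponding controls are port security (a cap on the number of MAC addresses learned per port, so the table cannot be filled from one port) and dynamic ARP inspection (dropping ARP replies that contradict a trusted IP-to-MAC binding); a "span" or "monitor" port is the sanctioned way to attach a sniffer for troubleshooting rather than a weakness of the switch.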
Packet Sniffing Prevention (1)
- Problem: HTTP (Hypertext Transfer Protocol)
  - many web sites use an authentication technique which prompts the user for a username and password, which are sent across the network in plain-text
  - data sent in clear-text
- Solution: HTTPS / SSL (Secure Sockets Layer)
  - built into all popular web browsers and web servers
  - allows encrypted web surfing
  - ex: during e-commerce, users enter credit card info
Packet Sniffing Prevention (2)
- Problem: POP (Post Office Protocol), IMAP (Internet Message Access Protocol)
  - passwords sent in the clear
  - data sent in the clear
- Solution: PGP (Pretty Good Privacy) and S/MIME (Secure Multipurpose Internet Mail Extensions)
  - use public key cryptography
Packet Sniffing Prevention (3)
- Problem: FTP (File Transfer Protocol), telnet
  - passwords sent in the clear
  - data sent in the clear
- Solution: SFTP / SSH (Secure Shell)
  - has become the de facto standard for logging into UNIX machines from the Internet
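The three prevention slides share one underlying check a network owner can automate: inventory which services still carry logins in the clear and map each to its encrypted replacement. The following is an added example for these notes, not code from the slides: it classifies captured client-to-server payloads by well-known port, recognises the login exchange of the clear-text protocols named above, and records only the protocol and username (the password is never copied into the report). The sample payloads are constructed; the IMAPS/POP3S ports (993/995) and the note that TLS protects the mail login itself, whereas PGP/S-MIME protect message content, go beyond what the slides state.

```python
import base64
import re

# Well-known ports of the clear-text protocols the slides discuss and their encrypted counterparts.
CLEARTEXT = {80: "HTTP", 21: "FTP", 23: "telnet", 110: "POP3", 143: "IMAP"}
ENCRYPTED = {443: "HTTPS", 22: "SSH/SFTP", 993: "IMAPS", 995: "POP3S"}
FIX = {
    "HTTP": "HTTPS",
    "FTP": "SFTP/SSH",
    "telnet": "SSH",
    "POP3": "PGP/S-MIME for message content; TLS (POP3S) for the login itself",
    "IMAP": "PGP/S-MIME for message content; TLS (IMAPS) for the login itself",
}


def audit_payload(dst_port, payload):
    """Classify one client->server TCP payload.

    Returns None for ports whose traffic is encrypted or unknown, otherwise a finding
    with the protocol, whether a login was visible, the username (never the password)
    and the slides' recommended replacement."""
    if dst_port in ENCRYPTED:
        return None                                   # opaque to a sniffer
    proto = CLEARTEXT.get(dst_port)
    if proto is None:
        return None
    text = payload.decode("latin-1")
    user = None
    if proto == "HTTP":
        m = re.search(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", text, re.M | re.I)
        if m:
            try:  # Basic credentials are base64("user:password"); keep only the user part
                user = base64.b64decode(m.group(1)).decode("latin-1").split(":", 1)[0]
            except ValueError:
                user = "?"
    elif proto in ("FTP", "POP3"):
        m = re.search(r"^USER\s+(\S+)", text, re.M)
        if m:
            user = m.group(1)
        elif re.search(r"^PASS\s+", text, re.M):
            user = "(password seen without USER)"
    elif proto == "IMAP":
        m = re.search(r"^\S+\s+LOGIN\s+(\S+)", text, re.M | re.I)
        if m:
            user = m.group(1)
    elif proto == "telnet":
        user = "(interactive session, keystrokes readable)"
    finding = {"protocol": proto, "port": dst_port, "credential": user is not None, "fix": FIX[proto]}
    if user is not None:
        finding["user"] = user
    return finding


def audit(samples):
    """Run audit_payload over (dst_port, payload) pairs and keep the findings."""
    return [f for f in (audit_payload(p, d) for p, d in samples) if f is not None]


# Constructed client->server payloads, not from a real capture.
SAMPLES = [
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
         + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
    (21, b"USER bob\r\nPASS hunter2\r\n"),
    (110, b"USER carol\r\nPASS letmein\r\n"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),   # start of a TLS ClientHello
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.packet-level.com\r\n\r\n"),
]


if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

Run against real captures, the report tells you which of the slides' "problem" protocols are still in use on your own segment and who is logging in over them, which is the list of services to migrate first; keeping the password out of the report matters because the audit output itself will travel over the network and sit in ticketing systems.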
Packet Sniffing Detection - Ping
- Most packet sniffers run on normal machines with a normal TCP/IP stack
  - if you send a request to these machines, they will respond
- Send a request to the IP address of the machine, but not to its Ethernet adapter
  - the machine suspected of running the packet sniffer has IP address 10.0.0.1 and Ethernet address 00-40-05-A4-79-32
  - you are on the same Ethernet segment as the suspect
  - transmit an ICMP Echo Request (ping) with the correct IP address but the wrong destination MAC address
  - nobody should see this packet
  - if a response is received, then the suspected machine is sniffing the wire
- There are ways of defending against this. Now that this technique is widely publicized, newer hackers will enable a virtual MAC address filter in their code.
Packet Sniffing Detection - ARP
- When sending out a single ARP to the broadcast address, the IP-to-Ethernet address mapping is included
  - everyone else on the wire remembers this information for the next few minutes
- Send out a non-broadcast ARP, then a broadcast ping
  - anybody who responds to the ping without ARPing could only have gotten the MAC address from a sniffed ARP frame
  - to make double-sure, use a different source MAC address in the ping
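Both detection techniques above rest on the same observation: the NIC's destination-MAC filter is what normally keeps a frame away from the host's TCP/IP stack, and a sniffer in promiscuous mode has switched that filter off. The following is an added example for these notes (not code from the slides or from the tools they list) that models a shared segment with three hosts and runs both tests against it: the ping test (correct IP, wrong MAC) and the ARP test (non-broadcast ARP, then a broadcast ping from a decoy source MAC, flagging a host that replies without ARPing and addresses the reply to the real MAC). The suspect reuses the slides' 10.0.0.1 / 00-40-05-A4-79-32 pair; the other addresses, the "hosts learn mappings only from ARP frames" rule, and the frame format are assumptions of the model.

```python
from dataclasses import dataclass

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
BROADCAST_IP = "10.0.0.255"
BOGUS_MAC = "00-00-DE-AD-BE-EF"   # constructed: owned by no NIC on the segment


@dataclass
class Frame:
    kind: str        # "arp_request", "arp_reply", "echo_request", "echo_reply"
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


class Host:
    """A host with an ordinary TCP/IP stack; `promiscuous` disables the NIC's MAC filter."""

    def __init__(self, ip, mac, promiscuous=False):
        self.ip, self.mac, self.promiscuous = ip, mac, promiscuous
        self.arp_cache = {}   # ip -> mac, learned only from ARP frames the NIC passes up
        self.pending = []     # IPs we owe an echo reply once their MAC is resolved

    def nic_accepts(self, f):
        return self.promiscuous or f.dst_mac in (self.mac, BROADCAST_MAC)

    def handle(self, f):
        """Return the frames this host transmits in response to `f`."""
        if not self.nic_accepts(f):
            return []
        out = []
        if f.kind in ("arp_request", "arp_reply"):
            self.arp_cache[f.src_ip] = f.src_mac        # everyone remembers the sender's mapping
            if f.kind == "arp_request" and f.dst_ip == self.ip:
                out.append(Frame("arp_reply", self.mac, f.src_mac, self.ip, f.src_ip))
            if f.kind == "arp_reply" and f.src_ip in self.pending:
                self.pending.remove(f.src_ip)
                out.append(Frame("echo_reply", self.mac, f.src_mac, self.ip, f.src_ip))
        elif f.kind == "echo_request" and f.dst_ip in (self.ip, BROADCAST_IP):
            if f.src_ip in self.arp_cache:              # reply straight away, no ARP needed
                out.append(Frame("echo_reply", self.mac, self.arp_cache[f.src_ip], self.ip, f.src_ip))
            else:                                       # must resolve the sender's MAC first
                self.pending.append(f.src_ip)
                out.append(Frame("arp_request", self.mac, BROADCAST_MAC, self.ip, f.src_ip))
        return out


class Segment:
    """A shared Ethernet segment: every transmitted frame reaches every other NIC."""

    def __init__(self, hosts):
        self.hosts = hosts
        self.trace = []   # every frame that went over the wire, in order

    def transmit(self, frame, sender):
        queue = [(frame, sender)]
        while queue:
            f, s = queue.pop(0)
            self.trace.append(f)
            for h in self.hosts:
                if h is not s:
                    queue.extend((r, h) for r in h.handle(f))


def ping_test(segment, detector, suspect_ip):
    """Ping test: echo request to the suspect's IP but a wrong MAC. Only a NIC in
    promiscuous mode passes it up the stack, so any reply means the suspect is sniffing."""
    start = len(segment.trace)
    segment.transmit(Frame("echo_request", detector.mac, BOGUS_MAC, detector.ip, suspect_ip), detector)
    return any(f.kind == "echo_reply" and f.src_ip == suspect_ip for f in segment.trace[start:])


def arp_test(segment, detector, decoy_mac="02-00-00-00-00-01"):
    """ARP test: a non-broadcast ARP (only sniffers learn our IP-to-MAC mapping), then a
    broadcast ping sent from a decoy source MAC. A host that replies without ARPing us
    first, and addresses the reply to our real MAC, can only have learned it by sniffing."""
    start = len(segment.trace)
    segment.transmit(Frame("arp_request", detector.mac, BOGUS_MAC, detector.ip, "10.0.0.254"), detector)
    segment.transmit(Frame("echo_request", decoy_mac, BROADCAST_MAC, detector.ip, BROADCAST_IP), detector)
    trace = segment.trace[start:]
    suspects = []
    for f in trace:
        if f.kind != "echo_reply" or f.dst_ip != detector.ip:
            continue
        arped = any(g.kind == "arp_request" and g.src_ip == f.src_ip and g.dst_ip == detector.ip
                    for g in trace)
        if not arped and f.dst_mac == detector.mac:
            suspects.append(f.src_ip)
    return sorted(suspects)


def build_segment():
    """Constructed segment: a detector, the slides' suspect running a sniffer, and an ordinary host."""
    detector = Host("10.0.0.9", "00-11-22-33-44-55")
    sniffer = Host("10.0.0.1", "00-40-05-A4-79-32", promiscuous=True)
    normal = Host("10.0.0.2", "00-AA-BB-CC-DD-EE")
    return Segment([detector, sniffer, normal]), detector


if __name__ == "__main__":
    seg, det = build_segment()
    print("ping test 10.0.0.1:", ping_test(seg, det, "10.0.0.1"))
    print("ping test 10.0.0.2:", ping_test(seg, det, "10.0.0.2"))
    print("ARP test suspects:", arp_test(*build_segment()))
```

The model also shows the limit the slide itself notes: a sniffer that re-implements the MAC filter in software never answers the bogus-MAC ping, and the ARP test only works while the stack answers from a cache it filled from sniffed frames, so neither result is conclusive on its own.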
Packet Sniffing Detection - Tools
- AntiSniff
  - http://web.archive.org/web/20050221103207/http://www.l0pht.com/antisniff/
  - The most comprehensive sniffer-detection tool.
- CPM (Check Promiscuous Mode)
  - http://web.archive.org/web/20050221103207/ftp://coast.cs.purdue.edu/pub/tools/unix/cpm/
  - A tool from Carnegie-Mellon that checks to see if promiscuous mode is enabled on a UNIX machine.
- neped
  - http://web.archive.org/web/20050221103207/http://www.apostols.org/projectz/neped/
  - A tool from The Apostols that detects packet sniffers running on the local segment.
Example 1 - Troubleshooting a Slow Router (1)
Example 1 - Troubleshooting a Slow Router (2)
- Packet 18 - client (172.17.8.66) makes a request to get the website www.packet-level.com
- Packet 19 - the next packet, over 1 second later, is the client requesting the webpage a second time
- Packet 20 - finally see the response from the DNS server pointing to the IP address of the web server
- Packets 21 to 23 - TCP/IP handshake (SYN, SYN/ACK, ACK)
  - see a fast response from the client, slow response from the server
  - begin to see that it is something other than the client causing the network latency
Example 1 - Troubleshooting a Slow Router (3)
- Packet 26 - reply to the second DNS request
- Packet 27 - the client has already established a connection with the server
  - no real need for this second connection, so the client sends an ICMP destination unreachable packet immediately following receipt of the DNS response
Example 1 - Troubleshooting a Slow Router (4)
- Packet 25 - after making the initial TCP/IP handshake, the client requests the actual content of the webpage
- Packet 29 - a little under 3 seconds goes by before the first TCP Retransmission packet
- Packet 32 - about 6 seconds goes by before the second TCP Retransmission packet
- Packet 33 - finally see the response
Example 1 - Fixing the Problem
- Given the information just seen, we know the client is not at fault for the slow communication
- The principal rule of thumb for figuring out the problem location is to move upstream along the network
- In this network, the next step would be to look at the router to see if it is malfunctioning in any way
- Upon rebooting the router on this particular network, the speed of data communication increased tremendously and the problem was solved
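The reasoning in Example 1 can be made mechanical: for every conversation in the capture, measure how long each side took to answer the other, treat retries and retransmissions as repeats of a still-unanswered request rather than as new requests, and attribute the delay to the side that finally answered. The following is an added example for these notes (not code from the slides or from the capture they show): the packet list is constructed to mirror the slides' timeline, with the client address 172.17.8.66 taken from the slides and the DNS and web server addresses assumed, and the "move upstream" rule is applied to a hypothetical client / router / server path.

```python
from collections import defaultdict

CLIENT, DNS, WEB = "172.17.8.66", "172.17.8.1", "203.0.113.10"   # DNS and web addresses assumed

# (packet no, seconds, src, dst, info): constructed to mirror the slides' timeline, not a real capture.
PACKETS = [
    (18, 0.000, CLIENT, DNS, "DNS query www.packet-level.com"),
    (19, 1.050, CLIENT, DNS, "DNS query www.packet-level.com (retry)"),
    (20, 1.100, DNS, CLIENT, "DNS response"),
    (21, 1.102, CLIENT, WEB, "SYN"),
    (22, 1.160, WEB, CLIENT, "SYN/ACK"),
    (23, 1.162, CLIENT, WEB, "ACK"),
    (25, 1.165, CLIENT, WEB, "HTTP GET /"),
    (26, 1.170, DNS, CLIENT, "DNS response (to retry)"),
    (27, 1.171, CLIENT, DNS, "ICMP destination unreachable"),
    (29, 4.100, CLIENT, WEB, "TCP Retransmission"),
    (32, 10.100, CLIENT, WEB, "TCP Retransmission"),
    (33, 10.400, WEB, CLIENT, "HTTP 200 OK"),
]


def analyze_delays(packets, no_reply_kinds=("ACK", "ICMP")):
    """Attribute each response delay to the side that sent the response.

    A packet opens a 'waiting for reply' slot for its conversation unless it is a pure
    ACK or an ICMP message. Further packets from the same side while the slot is open
    (retries, retransmissions) count as repeats and keep the original timestamp, so the
    delay is measured from the first unanswered packet to the eventual answer."""
    pending = {}                  # conversation -> (t_first, sender, packet no)
    delays = defaultdict(list)    # responder -> [(request no, response no, seconds)]
    repeats = defaultdict(int)    # sender -> packets sent while still unanswered
    for no, t, src, dst, info in packets:
        conv = frozenset((src, dst))
        expects_reply = not any(info.startswith(k) for k in no_reply_kinds)
        if conv in pending:
            t0, sender, req_no = pending[conv]
            if sender == src:
                repeats[src] += 1
                continue
            delays[src].append((req_no, no, round(t - t0, 3)))
            del pending[conv]
        if expects_reply:
            pending[conv] = (t, src, no)
    return delays, repeats


def slowest_side(delays):
    """Return (host, worst response delay in seconds) for the slowest responder."""
    worst = {host: max(d for _, _, d in lst) for host, lst in delays.items()}
    host = max(worst, key=worst.get)
    return host, worst[host]


def next_hop_to_check(delays, client, path):
    """The slides' rule: if the client answers promptly, move upstream along `path`
    (client -> router -> ... -> server) and examine the next device."""
    host, _ = slowest_side(delays)
    if host == client:
        return client
    return path[path.index(client) + 1]


if __name__ == "__main__":
    delays, repeats = analyze_delays(PACKETS)
    for host, lst in delays.items():
        print(host, "answered in", [d for _, _, d in lst], "s; repeats sent:", repeats[host])
    print("slowest side:", slowest_side(delays))
    print("check next:", next_hop_to_check(delays, CLIENT, [CLIENT, "router", WEB]))
```

The numbers reproduce the slides' argument: the client's worst response time is tens of milliseconds, the web server's is over nine seconds spanning two retransmissions, so the fault lies somewhere upstream of the client, and the router is the next device along the path.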
Questions/Comments