SlideShare ist ein Scribd-Unternehmen logo

Analyze Network Traffic and Monitor Wireshark

S
ssuserafc27c

This document discusses network monitoring and packet analysis using Wireshark. It provides an overview of Wireshark and tcpdump, examples of how to use capture and display filters to filter traffic, and how to analyze network traffic such as following TCP streams, endpoint statistics, and HTTP analysis. It also discusses improving Wireshark performance and using grep to further analyze saved packet files.

Internet
1 von 52
Downloaden Sie, um offline zu lesen
Traffic Analysis–Wireshark CIS 6395, Incident ResponseTechnologies Fall 2016, Dr. Cliff Zou czou@cs.ucf.edu
Motivation for Network Monitoring — Essential for Network Management ◦ Router and Firewall policy ◦ Detecting abnormal/error in networking ◦ Access control — Security Management ◦ Detecting abnormal traffic ◦ Traffic log for future forensic analysis 2
3 Tools Overview — Tcpdump ◦ Unix-based command-line tool used to intercept packets – Including filtering to just the packets of interest — Wireshark ◦ GUI for displaying tcpdump/tshark packet traces
4 Tcpdump example 01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816 01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816 01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816 01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560 • Ran tcpdump on a Unix machine • First few lines of the output:
5 Filters — We are often not interested in all packets flowing through the network — Use filters to capture only packets of interest to us — How to write filters? ◦ Refer the tcpdump/tshark man page ◦ Many example webpages on the Internet
6 Example 1. Capture only udp packets • tcpdump “udp” 2. Capture only tcp packets • tcpdump “tcp”
7 Example (contd.) 1. Capture only UDP packets with destination port 53 (DNS requests) • tcpdump “udp dst port 53” 2. Capture only UDP packets with source port 53 (DNS replies) • tcpdump “udp src port 53” 3. Capture only UDP packets with source or destination port 53 (DNS requests and replies) • tcpdump “udp port 53”
8 Example (contd.) 1. Capture only packets destined to longwood.eecs.ucf.edu • tcpdump “dst host longwood.eecs.ucf.edu” 2. Capture both DNS packets andTCP packets to/from longwood.eecs.ucf.edu • tcpdump “(tcp and host longwood.eecs.ucf.edu) or udp port 53”
9 Running tcpdump — Requires superuser/administrator privileges on Unix ◦ http://www.tcpdump.org/ ◦ You can do it on your own Unix machine ◦ You can install a Linux OS inVmware on your windows machine — Tcpdump forWindows ◦ WinDump: http://www.winpcap.org/windump/ – Free software
SoWhat isWireShark? — Packet sniffer/protocol analyzer — Open Source NetworkTool — Latest version of the ethereal tool
What is tShark? — The command-line based packet capture tool — Equivalent toWireshark 11
12 Network Layered Structure — What is the Internet? Application Application Network Network Data Link Transport Transport Data Link Physical link Web, Email, VOIP TCP, UDP IP Ethernet, cellular
Wireshark Interface 13
14 Wireshark Interface
Status Bar 15
Capture Options Promiscuous mode is used to Capture all traffic In many cases this does not work: • Network driver does not support • You are on a switch LAN
Capture Filter There are some pre-built capture filters that you can use:
Capture Filter examples host 10.1.11.24 host 192.168.0.1 and host 10.1.11.1 tcp port http ip not broadcast not multicast ether host 00:04:13:00:09:a3
Capture Buffer Usage
Display Filters (Post-Filters) — Display filters (also called post-filters) ◦ Only filter the view of what you are seeing ◦ All packets in the capture still exist in the trace — Display filters use their own format and are much more powerful then capture filters
Display Filter There are some basic pre-built display filters, too
Display Filter Examples ip.src==10.1.11.00/24 ip.addr==192.168.1.10 && ip.addr==192.168.1.20 tcp.port==80 || tcp.port==3389 !(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) (ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (tcp.port==445 || tcp.port==139) (ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (udp.port==67 || udp.port==68) tcp.dstport == 80
Display Filter 24 There are thousands of pre-defined protocol fields that You can use in the display filter!
TCP segment structure source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number Receive window Urg data pnter checksum F S R P A U head len not used Options (variable length) URG: urgent data (generally not used) ACK: ACK # valid PSH: push data now RST, SYN, FIN: connection estab (setup, teardown commands) # bytes rcvr willing to accept counting by bytes of data (not segments!) Internet checksum (as in UDP)
Display Filter — String1, String2 (Optional settings): ◦ Sub protocol categories inside the protocol. ◦ Look for a protocol and then click on the "+" character. ◦ Example: ◦ tcp.srcport == 80 ◦ tcp.flags == 2 – SYN packet – Or use “Tcp.flags.syn==1” ◦ tcp.flags == 18 – SYN/ACK ◦ Note ofTCP Flag field: 26
Display Filter Expressions — snmp || dns || icmp ◦ Display the SNMP or DNS or ICMP traffics. — tcp.port == 25 ◦ Display packets with TCP source or destination port 25. — tcp.flags ◦ Display packets having aTCP flags — tcp.flags.syn == 0x02 ◦ Display packets with aTCP SYN flag. 27 If the filter syntax is correct, it will be highlighted in green, otherwise if there is a syntax mistake it will be highlighted in red. Correct syntax Wrong syntax
Save Filtered Packets asText After Using Display Filter — We can save all filtered packets in text file for further analysis — Operation: 28 FileàExport packet dissections àas “plain text” file 1). In “packet range” option, select “Displayed” 2). In choose “summary line” or “detail”
Save Filtered Packets inWireshark format After Using Display Filter — We can also save all filtered packets in the original wireshark format for further analysis — Operation: 29 1. Enter Display filter to show packets you want 2. Go to "Edit>" and choose "Mark all displayed packets“ 3. Go to “File” à Export specific packets… 4. Choose the option “Marked packets” to save the file
Protocol Hierarchy
Protocol Hierarchy
FollowTCP Stream
FollowTCP Stream red - stuff you sent blue - stuff you get
Filter out/in SingleTCP Stream — When click “filter out this TCP stream” in previous page’s box, new filter string will contain like: ◦ http and !(tcp.stream eq 5) — So, if you use “tcp.stream eq 5” as filter string, you keep this HTTP session 34
Expert Info
Expert Info
Conversations
Conversations
— Use the “Copy” button to copy all text into clipboard — Then, you can analyze this text file to get what statistics you want 39
Find EndPoint Statistics — Menu “statistics” à “endpoint list” à “TCP” — You can sort by field — “Tx” : transmit “Rx” : receive 40
Find EndPoint Statistics — Use the “Copy” button to copy all text into clipboard — Then, you can analyze this text file to get what statistics you want 41
Export HTTP
Export HTTP Objects Now you can save all files transmitted in Web traffic!
HTTP Analysis
HTTP Analysis – Load Distribution Click “Create Stat” button You can add “filter” to only Show selected traffic
HTTP Analysis – Packet Counter
HTTP Analysis – Requests
Improving WireShark Performance — Don’t use capture filters — Increase your read buffer size — Don’t update the screen dynamically — Get a faster computer — Use aTAP — Don’t resolve DNS hostnames
Post-ProcessingText File — For saved text-format packet files, further analysis needs coding or special tools — One useful tool on Unix: Grep ◦ OnWindows: PowerGrep http://www.powergrep.com/ ◦ Command-line based utility for searching plain-text data sets for lines matching a regular expression. 49
Basic usage of Grep — Command-line text-search program in Linux — Some useful usage: ◦ Grep ‘word’ filename # find lines with ‘word’ ◦ Grep –v ‘word’ filename # find lines without ‘word’ ◦ Grep ‘^word’ filename # find lines beginning with ‘word’ ◦ Grep ‘word’ filename > file2 # output lines with ‘word’ to file2 ◦ ls -l | grep rwxrwxrwx # list files that have ‘rwxrwxrwx’ feature ◦ grep '^[0-4]‘ filename # find lines beginning with any of the numbers from 0-4 ◦ Grep –c ‘word’ filename # find lines with ‘word’ and print out the number of these lines ◦ Grep –i ‘word’ filename # find lines with ‘word’ regardless of case — Many tutorials on grep online ◦ http://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/ ◦ http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command- examples/ 50
On-lineWiresharkTrace Files — Public available .pcap files: ◦ http://www.netresec.com/?page=PcapFiles — http://www.tp.org/jay/nwanalysis/traces/Lab%20 Trace%20Files/ — Wiki Sample capture ◦ https://wiki.wireshark.org/SampleCaptures 51
Example Trace File and Questions — Network Forensic Puzzle Contests ◦ http://forensicscontest.com/2010/02/03/puzzle -4-the-curious-mr-x — SharkFest'15 Packet Challenge ◦ https://sharkfest.wireshark.org/assets/presenta tions15/packetchallenge.zip 52

Empfohlen

Traffic-Monitoring.ppt
Traffic-Monitoring.pptTraffic-Monitoring.ppt
Traffic-Monitoring.pptssuser0a05422
 
Traffic-Monitoring.ppt
Traffic-Monitoring.pptTraffic-Monitoring.ppt
Traffic-Monitoring.pptToffeeLomerz
 
Traffic-Monitoring.ppt
Traffic-Monitoring.pptTraffic-Monitoring.ppt
Traffic-Monitoring.pptSenthil Vit
 
Traffic monitoring
Traffic monitoringTraffic monitoring
Traffic monitoringRadu Galbenu
 
Tc pdump mod
Tc pdump modTc pdump mod
Tc pdump modSini
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsSachidananda Sahu
 
Workshop Wireshark
Workshop Wireshark Workshop Wireshark
Workshop Wireshark Fabio Rosa
 
Wireshark Inroduction Li In
Wireshark Inroduction Li InWireshark Inroduction Li In
Wireshark Inroduction Li Inmhaviv
 

Empfohlen

Traffic-Monitoring.ppt
Traffic-Monitoring.pptTraffic-Monitoring.ppt
Traffic-Monitoring.pptssuser0a05422
 
Traffic-Monitoring.ppt
Traffic-Monitoring.pptTraffic-Monitoring.ppt
Traffic-Monitoring.pptToffeeLomerz
 
Traffic-Monitoring.ppt
Traffic-Monitoring.pptTraffic-Monitoring.ppt
Traffic-Monitoring.pptSenthil Vit
 
Traffic monitoring
Traffic monitoringTraffic monitoring
Traffic monitoringRadu Galbenu
 
Tc pdump mod
Tc pdump modTc pdump mod
Tc pdump modSini
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsSachidananda Sahu
 
Workshop Wireshark
Workshop Wireshark Workshop Wireshark
Workshop Wireshark Fabio Rosa
 
Wireshark Inroduction Li In
Wireshark Inroduction Li InWireshark Inroduction Li In
Wireshark Inroduction Li Inmhaviv
 
Wireshark
Wireshark Wireshark
Wireshark antivirusspam
 
Packet capture in network security
Packet capture in network securityPacket capture in network security
Packet capture in network securityChippy Thomas
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferenceCengage Learning
 
Wireshark Basics
Wireshark BasicsWireshark Basics
Wireshark BasicsYoram Orzach
 
Practical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-onPractical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-onQaisSaifQassim
 
Chapter 3. sensors in the network domain
Chapter 3. sensors in the network domainChapter 3. sensors in the network domain
Chapter 3. sensors in the network domainPhu Nguyen
 
Day2
Day2Day2
Day2Jai4uk
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptIwan89629
 
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...IRJET Journal
 
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)Denny K
 
Nmap
NmapNmap
NmapFat-Thing Gabriel-Culley
 
Introduction to ns3
Introduction to ns3Introduction to ns3
Introduction to ns3Shahid Beheshti University
 
project_docs
project_docsproject_docs
project_docsAndrey Lavrinovic
 
Open Source Tools for the Systems Administrator
Open Source Tools for the Systems AdministratorOpen Source Tools for the Systems Administrator
Open Source Tools for the Systems AdministratorCharles Profitt
 
F5 tcpdump
F5 tcpdumpF5 tcpdump
F5 tcpdumpalex wade
 
Network analysis Using Wireshark 4: Capture Filters
Network analysis Using Wireshark 4: Capture FiltersNetwork analysis Using Wireshark 4: Capture Filters
Network analysis Using Wireshark 4: Capture FiltersYoram Orzach
 
3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network Traffic3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network TrafficRio Ap
 
Network traffic analysis course
Network traffic analysis courseNetwork traffic analysis course
Network traffic analysis courseTECHNOLOGY CONTROL CO.
 
Ccna Imp Guide
Ccna Imp GuideCcna Imp Guide
Ccna Imp Guideabhijitgnbbl
 
Abandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAbandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAvi Networks
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 

Weitere ähnliche Inhalte

Ähnlich wie Analyze Network Traffic and Monitor Wireshark

Packet capture in network security
Packet capture in network securityPacket capture in network security
Packet capture in network securityChippy Thomas
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferenceCengage Learning
 
Practical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-onPractical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-onQaisSaifQassim
 
Chapter 3. sensors in the network domain
Chapter 3. sensors in the network domainChapter 3. sensors in the network domain
Chapter 3. sensors in the network domainPhu Nguyen
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptIwan89629
 
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...IRJET Journal
 
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)Denny K
 
Open Source Tools for the Systems Administrator
Open Source Tools for the Systems AdministratorOpen Source Tools for the Systems Administrator
Open Source Tools for the Systems AdministratorCharles Profitt
 
Network analysis Using Wireshark 4: Capture Filters
Network analysis Using Wireshark 4: Capture FiltersNetwork analysis Using Wireshark 4: Capture Filters
Network analysis Using Wireshark 4: Capture FiltersYoram Orzach
 
3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network Traffic3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network TrafficRio Ap
 
Abandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAbandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAvi Networks
 

Ähnlich wie Analyze Network Traffic and Monitor Wireshark (20)

Wireshark
Wireshark Wireshark
Wireshark
 
Packet capture in network security
Packet capture in network securityPacket capture in network security
Packet capture in network security
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
 
Wireshark Basics
Wireshark BasicsWireshark Basics
Wireshark Basics
 
Practical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-onPractical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-on
 
Chapter 3. sensors in the network domain
Chapter 3. sensors in the network domainChapter 3. sensors in the network domain
Chapter 3. sensors in the network domain
 
Day2
Day2Day2
Day2
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.ppt
 
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
 
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
 
Nmap
NmapNmap
Nmap
 
Introduction to ns3
Introduction to ns3Introduction to ns3
Introduction to ns3
 
project_docs
project_docsproject_docs
project_docs
 
Open Source Tools for the Systems Administrator
Open Source Tools for the Systems AdministratorOpen Source Tools for the Systems Administrator
Open Source Tools for the Systems Administrator
 
F5 tcpdump
F5 tcpdumpF5 tcpdump
F5 tcpdump
 
Network analysis Using Wireshark 4: Capture Filters
Network analysis Using Wireshark 4: Capture FiltersNetwork analysis Using Wireshark 4: Capture Filters
Network analysis Using Wireshark 4: Capture Filters
 
3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network Traffic3.7.10 Lab Use Wireshark to View Network Traffic
3.7.10 Lab Use Wireshark to View Network Traffic
 
Network traffic analysis course
Network traffic analysis courseNetwork traffic analysis course
Network traffic analysis course
 
Ccna Imp Guide
Ccna Imp GuideCcna Imp Guide
Ccna Imp Guide
 
Abandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAbandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern Troubleshooting
 

Kürzlich hochgeladen

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 

Kürzlich hochgeladen (9)

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 

Analyze Network Traffic and Monitor Wireshark

  • 1. Traffic Analysis–Wireshark CIS 6395, Incident ResponseTechnologies Fall 2016, Dr. Cliff Zou czou@cs.ucf.edu
  • 2. Motivation for Network Monitoring — Essential for Network Management ◦ Router and Firewall policy ◦ Detecting abnormal/error in networking ◦ Access control — Security Management ◦ Detecting abnormal traffic ◦ Traffic log for future forensic analysis 2
  • 3. 3 Tools Overview — Tcpdump ◦ Unix-based command-line tool used to intercept packets – Including filtering to just the packets of interest — Wireshark ◦ GUI for displaying tcpdump/tshark packet traces
  • 4. 4 Tcpdump example 01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816 01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816 01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816 01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560 • Ran tcpdump on a Unix machine • First few lines of the output:
  • 5. 5 Filters — We are often not interested in all packets flowing through the network — Use filters to capture only packets of interest to us — How to write filters? ◦ Refer the tcpdump/tshark man page ◦ Many example webpages on the Internet
  • 6. 6 Example 1. Capture only udp packets • tcpdump “udp” 2. Capture only tcp packets • tcpdump “tcp”
  • 7. 7 Example (contd.) 1. Capture only UDP packets with destination port 53 (DNS requests) • tcpdump “udp dst port 53” 2. Capture only UDP packets with source port 53 (DNS replies) • tcpdump “udp src port 53” 3. Capture only UDP packets with source or destination port 53 (DNS requests and replies) • tcpdump “udp port 53”
  • 8. 8 Example (contd.) 1. Capture only packets destined to longwood.eecs.ucf.edu • tcpdump “dst host longwood.eecs.ucf.edu” 2. Capture both DNS packets andTCP packets to/from longwood.eecs.ucf.edu • tcpdump “(tcp and host longwood.eecs.ucf.edu) or udp port 53”
  • 9. 9 Running tcpdump — Requires superuser/administrator privileges on Unix ◦ http://www.tcpdump.org/ ◦ You can do it on your own Unix machine ◦ You can install a Linux OS inVmware on your windows machine — Tcpdump forWindows ◦ WinDump: http://www.winpcap.org/windump/ – Free software
  • 10. SoWhat isWireShark? — Packet sniffer/protocol analyzer — Open Source NetworkTool — Latest version of the ethereal tool
  • 11. What is tShark? — The command-line based packet capture tool — Equivalent toWireshark 11
  • 12. 12 Network Layered Structure — What is the Internet? Application Application Network Network Data Link Transport Transport Data Link Physical link Web, Email, VOIP TCP, UDP IP Ethernet, cellular
  • 16. Capture Options Promiscuous mode is used to Capture all traffic In many cases this does not work: • Network driver does not support • You are on a switch LAN
  • 17. Capture Filter There are some pre-built capture filters that you can use:
  • 18. Capture Filter examples host 10.1.11.24 host 192.168.0.1 and host 10.1.11.1 tcp port http ip not broadcast not multicast ether host 00:04:13:00:09:a3
  • 20.
  • 21. Display Filters (Post-Filters) — Display filters (also called post-filters) ◦ Only filter the view of what you are seeing ◦ All packets in the capture still exist in the trace — Display filters use their own format and are much more powerful then capture filters
  • 22. Display Filter There are some basic pre-built display filters, too
  • 23. Display Filter Examples ip.src==10.1.11.00/24 ip.addr==192.168.1.10 && ip.addr==192.168.1.20 tcp.port==80 || tcp.port==3389 !(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) (ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (tcp.port==445 || tcp.port==139) (ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (udp.port==67 || udp.port==68) tcp.dstport == 80
  • 24. Display Filter 24 There are thousands of pre-defined protocol fields that You can use in the display filter!
  • 25. TCP segment structure source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number Receive window Urg data pnter checksum F S R P A U head len not used Options (variable length) URG: urgent data (generally not used) ACK: ACK # valid PSH: push data now RST, SYN, FIN: connection estab (setup, teardown commands) # bytes rcvr willing to accept counting by bytes of data (not segments!) Internet checksum (as in UDP)
  • 26. Display Filter — String1, String2 (Optional settings): ◦ Sub protocol categories inside the protocol. ◦ Look for a protocol and then click on the "+" character. ◦ Example: ◦ tcp.srcport == 80 ◦ tcp.flags == 2 – SYN packet – Or use “Tcp.flags.syn==1” ◦ tcp.flags == 18 – SYN/ACK ◦ Note ofTCP Flag field: 26
  • 27. Display Filter Expressions — snmp || dns || icmp ◦ Display the SNMP or DNS or ICMP traffics. — tcp.port == 25 ◦ Display packets with TCP source or destination port 25. — tcp.flags ◦ Display packets having aTCP flags — tcp.flags.syn == 0x02 ◦ Display packets with aTCP SYN flag. 27 If the filter syntax is correct, it will be highlighted in green, otherwise if there is a syntax mistake it will be highlighted in red. Correct syntax Wrong syntax
  • 28. Save Filtered Packets asText After Using Display Filter — We can save all filtered packets in text file for further analysis — Operation: 28 FileàExport packet dissections àas “plain text” file 1). In “packet range” option, select “Displayed” 2). In choose “summary line” or “detail”
  • 29. Save Filtered Packets inWireshark format After Using Display Filter — We can also save all filtered packets in the original wireshark format for further analysis — Operation: 29 1. Enter Display filter to show packets you want 2. Go to "Edit>" and choose "Mark all displayed packets“ 3. Go to “File” à Export specific packets… 4. Choose the option “Marked packets” to save the file
  • 33. FollowTCP Stream red - stuff you sent blue - stuff you get
  • 34. Filter out/in SingleTCP Stream — When click “filter out this TCP stream” in previous page’s box, new filter string will contain like: ◦ http and !(tcp.stream eq 5) — So, if you use “tcp.stream eq 5” as filter string, you keep this HTTP session 34
  • 39. — Use the “Copy” button to copy all text into clipboard — Then, you can analyze this text file to get what statistics you want 39
  • 40. Find EndPoint Statistics — Menu “statistics” à “endpoint list” à “TCP” — You can sort by field — “Tx” : transmit “Rx” : receive 40
  • 41. Find EndPoint Statistics — Use the “Copy” button to copy all text into clipboard — Then, you can analyze this text file to get what statistics you want 41
  • 43. Export HTTP Objects Now you can save all files transmitted in Web traffic!
  • 45. HTTP Analysis – Load Distribution Click “Create Stat” button You can add “filter” to only Show selected traffic
  • 46. HTTP Analysis – Packet Counter
  • 47. HTTP Analysis – Requests
  • 48. Improving WireShark Performance — Don’t use capture filters — Increase your read buffer size — Don’t update the screen dynamically — Get a faster computer — Use aTAP — Don’t resolve DNS hostnames
  • 49. Post-ProcessingText File — For saved text-format packet files, further analysis needs coding or special tools — One useful tool on Unix: Grep ◦ OnWindows: PowerGrep http://www.powergrep.com/ ◦ Command-line based utility for searching plain-text data sets for lines matching a regular expression. 49
  • 50. Basic usage of Grep — Command-line text-search program in Linux — Some useful usage: ◦ Grep ‘word’ filename # find lines with ‘word’ ◦ Grep –v ‘word’ filename # find lines without ‘word’ ◦ Grep ‘^word’ filename # find lines beginning with ‘word’ ◦ Grep ‘word’ filename > file2 # output lines with ‘word’ to file2 ◦ ls -l | grep rwxrwxrwx # list files that have ‘rwxrwxrwx’ feature ◦ grep '^[0-4]‘ filename # find lines beginning with any of the numbers from 0-4 ◦ Grep –c ‘word’ filename # find lines with ‘word’ and print out the number of these lines ◦ Grep –i ‘word’ filename # find lines with ‘word’ regardless of case — Many tutorials on grep online ◦ http://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/ ◦ http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command- examples/ 50
  • 51. On-lineWiresharkTrace Files — Public available .pcap files: ◦ http://www.netresec.com/?page=PcapFiles — http://www.tp.org/jay/nwanalysis/traces/Lab%20 Trace%20Files/ — Wiki Sample capture ◦ https://wiki.wireshark.org/SampleCaptures 51
  • 52. Example Trace File and Questions — Network Forensic Puzzle Contests ◦ http://forensicscontest.com/2010/02/03/puzzle -4-the-curious-mr-x — SharkFest'15 Packet Challenge ◦ https://sharkfest.wireshark.org/assets/presenta tions15/packetchallenge.zip 52