Presenter: Ma Van Linh
2017.07.06
1 Overview of Network Analyzer
2 Wireshark
3 Wireshark – advanced features
4 Wireshark – case studies
5 Conclusion
• The packet analyzer (also known as a network analyzer, protocol analyzer or sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network.
• A network sniffer is a program and/or device that monitors data travelling over a network. Network sniffers can be used both for legitimate network management functions and for stealing information off a network.
1.2 What to use?
• Analyze network problems.
• Detect network intrusion attempts.
• Gain information for effecting a network intrusion.
• Monitor network usage.
• Gather and report network statistics.
• Filter suspect content from network traffic.
• Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use).
• Debug client/server communications.
• Debug network protocol implementations.
Names of protocols | Importance | What it does
ethernet, SLIP, PPP, Token Ring, ARCnet | Essential | Allows messages to be packaged and sent between physical locations
… | … | information to support another layer; network cards RPC allows remote computer to perform functions on other computers
RARP, BOOTP, DHCP, IGMP, SNMP, RIP, OSPF, BGP, CIDR | Advanced | Enhances network management and increases functionality
FTP, TFTP, SMTP, Telnet, NFS, ping, Rlogin | Useful | Provides direct services to the user
1.4 Network Analyzer Tools
• Wireshark: Wireshark (formerly known as Ethereal) is a fantastic open source network protocol analyzer for Unix and Windows.
• Snort: This network intrusion detection and prevention system excels at traffic analysis on IP networks.
• Netcat: This simple utility reads and writes data across TCP or UDP network connections, and many of us continue to use it frequently.
• Netfilter: Netfilter is a powerful packet filter implemented in the standard Linux kernel.
• … analyzer for Windows platforms.
• Other tools: Carnivore, dSniff, Clarified Analyzer, SoftPerfect, Snoop, NetScout etc.
• Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible.
– You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).
– In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed.
– Wireshark is perhaps one of the best open source packet analyzers available today.
2.2 People use Wireshark for
1 Network administrators use it to troubleshoot network problems.
2 Network security engineers use it to examine security problems.
3 Developers use it to debug protocol implementations.
4 People use it to learn network protocol internals.
5 Besides these examples, Wireshark can be helpful in many other situations too.
• Available for UNIX and Windows.
• Capture live packet data from a network interface.
• Display packets with very detailed protocol information.
• Import and export packet data from and to a lot of other capture programs.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
• Create various statistics.
2.3 Feature (2)
• Live capture from many different network media
– Wireshark can capture traffic from many different network media types and, despite its name, wireless LAN as well. Which media types are supported depends on many things, like the operating system you are using.
– Wireshark can open packets captured from a large number of other capture programs.
– Wireshark can save captured packets in the formats of a large number of other capture programs.
– Wireshark is an open source software project, and is released under the GNU GPL. You can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins or built into the source, and they often do!
• Wireshark is not an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn't allowed to do.
• Wireshark will not manipulate things on the network, it will only "measure" things from it. Wireshark does not send packets on the network or do other active things.
2.5 Where to locate the Wireshark?
[Figure: placement diagram; the uplink is labelled "To ISP".]
• For server monitoring: connect the laptop to the LAN switch, with port mirror to the monitored server.
• For WAN monitoring: connect the laptop to the LAN switch, with port mirror to the monitored router.
• For Internet connectivity monitoring: before or after the Firewall.
• TCP/IP Protocol Stack – Reminder
[Figure: TCP/IP protocol stack diagram.]
• Frame Format – Ethernet II / 802.3
[Figure: Ethernet II frame: PA (8) … Data (IP, IPX, AppleTalk) | Pad | CRC (4). IEEE 802.3 frame: PA (7) | SFD (1) … Length | Data | Pad | CRC (4).]
[Figure: IP header fields, 32-bit rows: IP protocol version number | Head. len (header length, in bytes) | Type of service; 16-bit identifier | flgs | Fragment offset; Time to live (max no. remaining hops, decremented at each router) | Upper layer (upper layer protocol to which payload is delivered) | Internet checksum; 32 bit source IP address; 32 bit destination IP address; Options (if any) (e.g. timestamp, record route taken, specify list of routers to visit); data (… or UDP segment).]
• UDP Frame Structure
– There are only four fields in the UDP header: source port, destination port, message length, message checksum.
[Figure: UDP segment format, 32 bits wide: source port # | dest port #; length (in bytes, of the UDP segment, including the header) | frame checksum; application data (message).]
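The Packet Details pane is doing exactly this decoding for the IP and UDP header slides above. As an added example (not code from the slides or from Wireshark), the following parser pulls the same fields out of raw bytes and verifies both checksums: the IP header checksum from the header alone, and the UDP checksum over the pseudo-header plus segment. Field offsets follow RFC 791 and RFC 768; the sample datagram, its addresses and its ports are constructed here and are not from the deck.

```python
"""Parse the IPv4 and UDP headers laid out on the slides from raw bytes.

Added example, not code from the slides or from Wireshark. Field offsets
follow RFC 791 (IPv4) and RFC 768 (UDP); the sample datagram is constructed
inline and its addresses/ports are made up.
"""
import struct
from dataclasses import dataclass


def internet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IPv4Header:
    version: int
    header_len: int        # "Head. len" on the slide, in bytes
    tos: int
    total_length: int
    identifier: int        # 16-bit identifier
    flags: int
    fragment_offset: int
    ttl: int               # max no. remaining hops, decremented at each router
    protocol: int          # upper-layer protocol to which payload is delivered
    checksum_ok: bool
    src: str
    dst: str
    options: bytes


@dataclass
class UDPHeader:
    src_port: int
    dst_port: int
    length: int            # bytes of UDP segment, including the 8-byte header
    checksum_ok: bool
    payload: bytes


def parse_ipv4(pkt: bytes) -> IPv4Header:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, tlen, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl or tlen < ihl:
        raise ValueError("bad IPv4 version or length fields")
    # The header checksum covers only the header; summing the header with the
    # checksum field in place yields 0 when the header is intact.
    ok = internet_checksum(pkt[:ihl]) == 0
    return IPv4Header(version, ihl, tos, tlen, ident, flags_frag >> 13,
                      flags_frag & 0x1FFF, ttl, proto, ok,
                      ".".join(map(str, src)), ".".join(map(str, dst)),
                      pkt[20:ihl])


def parse_udp(seg: bytes, src: bytes, dst: bytes) -> UDPHeader:
    """src/dst are the raw IPv4 addresses, needed for the pseudo-header."""
    if len(seg) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", seg[:8])
    if length < 8 or length > len(seg):
        raise ValueError("UDP length field inconsistent with captured bytes")
    seg = seg[:length]
    if csum == 0:
        ok = True                            # sender disabled the checksum (allowed over IPv4)
    else:
        pseudo = src + dst + struct.pack("!BBH", 0, 17, length)
        ok = internet_checksum(pseudo + seg) == 0
    return UDPHeader(sport, dport, length, ok, seg[8:])


def decode(pkt: bytes):
    """Decode one IPv4/UDP datagram into (IPv4Header, UDPHeader)."""
    ip = parse_ipv4(pkt)
    if ip.protocol != 17:
        raise ValueError("payload is not UDP")
    udp = parse_udp(pkt[ip.header_len:ip.total_length], pkt[12:16], pkt[16:20])
    return ip, udp


def build_sample() -> bytes:
    """Constructed datagram: 10.0.0.1:53000 -> 10.0.0.53:53, 12-byte payload."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53])
    payload = b"hello-udp!!!"
    ulen = 8 + len(payload)
    pseudo = src + dst + struct.pack("!BBH", 0, 17, ulen)
    udp0 = struct.pack("!HHHH", 53000, 53, ulen, 0) + payload
    ucsum = internet_checksum(pseudo + udp0) or 0xFFFF   # a zero result is sent as 0xFFFF
    udp = struct.pack("!HHHH", 53000, 53, ulen, ucsum) + payload
    fields = [0x45, 0, 20 + ulen, 0x1234, 0x4000, 64, 17]  # v4/IHL 5, DF set, TTL 64
    ip0 = struct.pack("!BBHHHBBH4s4s", *fields, 0, src, dst)
    return struct.pack("!BBHHHBBH4s4s", *fields, internet_checksum(ip0), src, dst) + udp


if __name__ == "__main__":
    print(*decode(build_sample()), sep="\n")
```

Decrementing the TTL byte without recomputing the header checksum, or flipping one payload bit, makes the respective checksum_ok flag false; that is the same condition Wireshark reports as a bad checksum, and the reason a capture full of "bad" IP checksums usually points at checksum offloading on the capturing NIC rather than at corruption.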
2.7 How to use the Wireshark? (1)
• The Interface (Version 2.2.1)
• Choose the Interface and Start the Capture
2.7 How to use the Wireshark? (3)
• Capture Packet
[Screenshot: main window with its three panes: Packet List, Packet Details, Packet Bytes.]
• TCP Packet Example
2.7 How to use the Wireshark? (5)
• Example 1 – HTTP session Opened
2.7 How to use the Wireshark? (7)
• Statistics => Flow Graph…
• Example 2 – Capture traffic to dic.naver.com
2.7 How to use the Wireshark? (9)
• Display Filters
2.7 How to use the Wireshark? (11)
• Example 3 – Filter Traffic Between Hosts
ip.addr == 168.131.39.188 and ip.addr == 168.131.39.187
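The filter above works because `ip.addr` matches a packet whenever either its source or its destination equals the value, so two `ip.addr ==` clauses joined with `and` select the conversation between the two hosts. The evaluator below is an added example, not Wireshark code and not from the slides: it supports only `==`, `!=`, `and`/`&&`, `or`/`||`, `not`/`!` and parentheses, and it reproduces that "compare against every occurrence of the field" rule over a constructed five-packet capture. The `!=` branch implements the Wireshark 2.x behaviour (the version on the slides), where `ip.addr != X` is true when any of the two addresses differs and therefore does not exclude host X; `!(ip.addr == X)` does. Wireshark 3.6 and later changed `!=` to mean "all occurrences differ", so the negated form is the one that behaves the same on every version.

```python
"""Evaluate Wireshark-style display filters such as the one on the slide
(ip.addr == 168.131.39.188 and ip.addr == 168.131.39.187) over packet records.

Added example; it is not Wireshark code and supports only ==, !=, and/&&,
or/||, not/! and parentheses. It reproduces one property of real display
filters: a field that occurs more than once in a packet (ip.addr covers both
source and destination) is compared against every occurrence.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    num: int
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int


# Constructed sample capture (the two addresses from the slide plus others).
CAPTURE = [
    Packet(1, "168.131.39.188", "168.131.39.187", "tcp", 50000, 80),
    Packet(2, "168.131.39.187", "168.131.39.188", "tcp", 80, 50000),
    Packet(3, "168.131.39.188", "8.8.8.8", "udp", 50001, 53),
    Packet(4, "10.0.0.5", "168.131.39.187", "tcp", 40000, 443),
    Packet(5, "10.0.0.5", "10.0.0.9", "udp", 5353, 5353),
]

# Each field name maps to *all* of its occurrences in a packet.
FIELDS = {
    "ip.addr": lambda p: [p.src, p.dst],
    "ip.src": lambda p: [p.src],
    "ip.dst": lambda p: [p.dst],
    "tcp.port": lambda p: [p.sport, p.dport] if p.proto == "tcp" else [],
    "udp.port": lambda p: [p.sport, p.dport] if p.proto == "udp" else [],
}

TOKEN = re.compile(r"\(|\)|&&|\|\||!=|==|!|[\w.]+")


class Parser:
    """Recursive descent: or-expr > and-expr > unary > comparison."""

    def __init__(self, text: str):
        self.toks = TOKEN.findall(text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        tree = self.or_expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return tree

    def or_expr(self):
        node = self.and_expr()
        while self.peek() in ("or", "||"):
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() in ("and", "&&"):
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):
        tok = self.take()
        if tok in ("not", "!"):
            return ("not", self.unary())
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        op, value = self.take(), self.take()
        if tok not in FIELDS or op not in ("==", "!=") or value is None:
            raise ValueError("bad comparison near %r" % tok)
        return ("cmp", tok, op, value)


def evaluate(node, pkt: Packet) -> bool:
    kind = node[0]
    if kind == "cmp":
        _, name, op, value = node
        seen = [str(v) for v in FIELDS[name](pkt)]
        if op == "==":
            return any(v == value for v in seen)
        # Wireshark 2.x semantics: "!=" is true if ANY occurrence differs, so
        # "ip.addr != X" keeps packets that merely involve X.
        return any(v != value for v in seen)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    return evaluate(node[1], pkt) or evaluate(node[2], pkt)


def apply_filter(text: str, packets=CAPTURE):
    """Return the packet numbers that the display filter keeps."""
    tree = Parser(text).parse()
    return [p.num for p in packets if evaluate(tree, p)]
```

Running the slide's filter over the sample keeps packets 1 and 2 only; `ip.addr != 10.0.0.5` keeps all five, while `!(ip.addr == 10.0.0.5)` drops packets 4 and 5.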
2.7 How to use the Wireshark? (13)
• Statistics – Protocol Hierarchy
• Statistics – Conversations
• Statistics – I/O Graph
2.7 How to use the Wireshark? (15)
• Saving and Manipulating Files (1): Save only displayed packets
• Saving and Manipulating Files (2): Save to XLS file
2.7 How to use the Wireshark? (16)
• Filtering a Specific TCP Stream (1)
• Filtering a Specific TCP Stream (2)
2.7 How to use the Wireshark? (17)
• Colorizing Specific Data (1)
• Colorizing Specific Data (2)
• Colorizing Specific Data (3)
• Colorizing Specific Data (TLS Connection Establishment) (4)
3.1 Analyze – Expert Info Composite
3.3 Statistics – TCP Stream Graph
• RTT vs Sequence Numbers gives us the time it takes to ACK every packet.
• In case of variations, it can cause DUPACKs and even retransmissions.
• Usually this will happen on communication lines:
– Over the Internet
– Over cellular networks
3.5 Time / Sequence Graph (Stevens) (1)
• Time / Sequence represents how sequence numbers advance with time.
• In a good connection (like in the example), the line will be linear.
• The angle of the line indicates the speed of the connection. In this example – fast connection.
• In this case, we see a non-contiguous graph.
• Can be due to:
– Severe packet loss
– Server response (processing) time
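The RTT, duplicate-ACK, retransmission and time/sequence observations on the last three slides all come from the same per-segment bookkeeping. The following is an added example, not Wireshark's analysis code: simplified versions of the heuristics behind its TCP expert flags, run over a constructed stream in which one 1000-byte segment is lost, the receiver answers with duplicate ACKs, and the sender retransmits. RTT is measured from first transmission to the ACK that covers the segment (retransmitted data is never timed, per Karn's rule), and a gap in the sequence-number line longer than a threshold is reported as a stall of the kind the "non-contiguous graph" slide describes.

```python
"""Derive the TCP stream metrics behind the graphs on the slides (RTT per
segment, duplicate ACKs, retransmissions, stalls in the time/sequence line)
from a list of captured segments.

Added example, not Wireshark's own analysis code. The heuristics are
simplified versions of what Wireshark's TCP analysis flags; the segment
list is constructed to show one lost segment and its recovery.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    t: float        # capture time in seconds
    src: str        # "A" sends data, "B" acknowledges
    seq: int
    ack: int
    length: int     # payload bytes (0 for a pure ACK)


@dataclass
class StreamStats:
    rtts: list = field(default_factory=list)             # (send time, RTT)
    retransmissions: list = field(default_factory=list)  # capture times
    dup_acks: list = field(default_factory=list)         # capture times
    seq_points: list = field(default_factory=list)       # (t, seq): Stevens graph


def analyse(segments, sender="A") -> StreamStats:
    stats = StreamStats()
    unacked = {}          # end sequence number -> time of first transmission
    next_seq = None       # highest end sequence number sent so far
    last_ack = None
    for s in sorted(segments, key=lambda x: x.t):
        if s.src == sender:
            if s.length == 0:
                continue
            end = s.seq + s.length
            stats.seq_points.append((s.t, s.seq))
            if next_seq is not None and s.seq < next_seq:
                # data below the highest seq already sent: a retransmission
                stats.retransmissions.append(s.t)
                unacked.pop(end, None)   # Karn: never time retransmitted data
            else:
                unacked[end] = s.t
                next_seq = end
        else:
            if s.length == 0 and s.ack == last_ack:
                stats.dup_acks.append(s.t)   # same ACK number again, no data
            last_ack = s.ack
            for end in sorted(unacked):
                if end <= s.ack:
                    sent = unacked.pop(end)
                    stats.rtts.append((sent, round(s.t - sent, 4)))
    return stats


def stalls(stats: StreamStats, threshold: float):
    """Gaps in the time/sequence line longer than threshold seconds."""
    pts = stats.seq_points
    return [(a[0], b[0], round(b[0] - a[0], 4))
            for a, b in zip(pts, pts[1:]) if b[0] - a[0] > threshold]


# Constructed capture: A sends 1000-byte segments, the third one is lost.
SAMPLE = [
    Segment(0.000, "A", 1, 1, 1000),
    Segment(0.001, "A", 1001, 1, 1000),
    Segment(0.002, "A", 2001, 1, 1000),   # lost in transit
    Segment(0.003, "A", 3001, 1, 1000),
    Segment(0.050, "B", 1, 1001, 0),
    Segment(0.051, "B", 1, 2001, 0),
    Segment(0.053, "B", 1, 2001, 0),      # duplicate ACK: gap at 2001
    Segment(0.055, "B", 1, 2001, 0),      # duplicate ACK
    Segment(0.100, "A", 2001, 1, 1000),   # retransmission
    Segment(0.150, "B", 1, 4001, 0),
    Segment(0.151, "A", 4001, 1, 1000),
    Segment(0.200, "B", 1, 5001, 0),
]


if __name__ == "__main__":
    st = analyse(SAMPLE)
    print("RTT samples:", st.rtts)
    print("retransmissions at:", st.retransmissions)
    print("duplicate ACKs at:", st.dup_acks)
    print("stalls > 50 ms:", stalls(st, 0.05))
```

On the sample the RTT jumps from about 50 ms to 147 ms for the segment stuck behind the loss, two duplicate ACKs precede the retransmission, and the time/sequence line shows a 97 ms flat stretch; with a real trace, a flat stretch without duplicate ACKs or retransmissions is the "server response (processing) time" case rather than packet loss.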
3.6 Example 1 – Stable Performance File Transfer (1)
A stable throughput of around 1 MB (8 Mb) per second.
It is important to test in parallel with an SNMP tool for channel capacity.
3.6 Example 2 – Non-Stable Performance Mail Transfer (1)
Something happened here (after ~5.25 seconds).
3.6 Example 2 – Non-Stable Performance Mail Transfer (3)
5.25 seconds after the start of the stream, we don't see any connectivity problems – probably a slow server/application.
Stable stream BW
4.1 Slow Application (Analyze => Expert Info) (1)
Something here stinks …
4.1 Slow Application (Analyze => Expert Info) (3)
Ooops …
Nearly no events over here …
Interactive open/close read/write application
This is what it requires from the network …
• Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of what you can do with it.
• Professionals use it to debug network protocol implementations, examine security problems and inspect network protocol internals.
Q & A
Thank You