Ethernet-analyzer

Cards (52)

  • An Intro to Network Analyzers
  • References
    • "Introduction to Wireshark", Dr. Farid Farahmand, Fall 2014
    • "Packet analyzer", Wikipedia, March 2013
    • "Wireshark User's Guide", For Wireshark 1.99
    • "Wireshark Installation & packet Chapter", August 2011
  • Network Analysis & Sniffing
    Process of capturing, decoding, & analyzing network traffic
  • Why network analysis & sniffing is done
    • Why is the network slow
    • What is the network traffic pattern
    • How is the traffic being shared between nodes
  • Other names for network analysis & sniffing
    • traffic analysis
    • protocol analysis
    • sniffing
    • packet analysis
    • eavesdropping
  • Network Analyzer
    A combination of hardware & software tools that can detect, decode, & manipulate traffic on the network
  • Types of network analyzer operation
    • Passive monitoring (detection): only listens to the wire, so it is difficult to detect from the network
    • Active (attack): injects or manipulates traffic, so it leaves traces
  • Examples of network analyzers
    • Wireshark / Ethereal
    • WinDump (the Windows port of tcpdump)
    • EtherPeek
    • Dsniff
  • Sniffer
    A program that monitors the data traveling through the network passively
  • Read: Basic Packet-Sniffer Construction from the Ground Up! by Chad Renfro
  • Check out his program: sniff.c
  • Network Analyzer Components
    • Hardware
    • Capture driver
    • Buffer
    • Real-time analysis
    • Decoder
  • Hardware
    The NIC that receives the frames, or a dedicated capture device (a tap or hardware analyzer) that can also report physical-layer faults:
    • CRC & parity errors
    • Voltage fluctuation
    • Jitter (random timing variation)
    • Jabber (a NIC transmitting continuously or beyond the maximum frame size)
  • Capture driver
    The software that pulls raw frames off the NIC and hands them to the analyzer (libpcap on Linux, WinPcap/Npcap on Windows)
  • Buffer
    Holds captured frames until they are analyzed: in memory or disk-based
  • Real-time analysis
    Analyzing traffic as it is captured, e.g. to detect intrusions
  • Decoder
    Making data readable
  • Who uses network analyzers
    • System administrators
    • Malicious individuals (intruders)
    • Test engineers
  • System administrators use network analyzers to
    Identify system problems & analyze performance
  • What malicious individuals use network analyzers for
    • Capture cleartext data
    • Passively collect data on vulnerable protocols
    • Mapping the target network
    • Traffic pattern discovery
    • Actively break into the network (backdoor techniques)
  • Vulnerable (cleartext) protocols: logins and data cross the wire unencrypted
    • FTP
    • HTTP
    • IMAP
    • POP3
    • rlogin
    • SNTP
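  • As an added, worked example (not Chad Renfro's sniff.c and not code from any of the referenced sources), the following C program does what the "Sniffer" card and the "Capture cleartext data" card describe: it opens a Linux AF_PACKET raw socket in promiscuous mode, decodes each frame's Ethernet, IPv4 and TCP headers with bounds checks, and flags the USER/PASS lines that FTP and POP3 send in the clear. The sample frame embedded in it is constructed for this example (hypothetical addresses 192.168.1.10 and 192.168.1.20, a made-up password); the default interface name eth0 and the port list are assumptions. Live capture needs root or CAP_NET_RAW; the decoder itself runs on the sample without privileges.

```c
/* Added illustration (not Chad Renfro's sniff.c): Linux raw-socket capture, a
 * bounds-checked Ethernet/IPv4/TCP decoder, and a check for cleartext FTP/POP3 logins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#ifdef __linux__
#include <unistd.h>
#include <sys/socket.h>
#include <net/if.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#endif

struct frame_info {
    uint8_t src_mac[6], dst_mac[6];          /* first 3 bytes of each = vendor OUI */
    uint16_t ethertype, src_port, dst_port;  /* ports in host byte order */
    uint32_t src_ip, dst_ip;                 /* network byte order, ready for inet_ntop */
    const uint8_t *payload; size_t payload_len;
};

/* Decode Ethernet II + IPv4 + TCP; 0 on success, -1 if truncated or not TCP/IPv4. Every
 * length is checked before use: a sniffer decodes whatever the wire delivers. */
int parse_frame(const uint8_t *buf, size_t len, struct frame_info *fi) {
    if (len < 14) return -1;
    memcpy(fi->dst_mac, buf, 6);
    memcpy(fi->src_mac, buf + 6, 6);
    fi->ethertype = (uint16_t)(buf[12] << 8 | buf[13]);
    if (fi->ethertype != 0x0800) return -1;                       /* IPv4 only */
    const uint8_t *ip = buf + 14; size_t rem = len - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tot = (size_t)(ip[2] << 8 | ip[3]);
    if (ihl < 20 || tot < ihl || tot > rem) return -1;           /* lies about its length: drop */
    memcpy(&fi->src_ip, ip + 12, 4);
    memcpy(&fi->dst_ip, ip + 16, 4);
    if (ip[9] != 6) return -1;                                     /* TCP only */
    const uint8_t *tcp = ip + ihl; size_t trem = tot - ihl;
    if (trem < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > trem) return -1;
    fi->src_port = (uint16_t)(tcp[0] << 8 | tcp[1]);
    fi->dst_port = (uint16_t)(tcp[2] << 8 | tcp[3]);
    fi->payload = tcp + doff;
    fi->payload_len = trem - doff;
    return 0;
}

/* "Capture cleartext data" in practice: FTP (21) and POP3 (110) send USER/PASS
 * unencrypted. Copies the credential line (minus CRLF) to out; returns 1 if found. */
int find_cleartext_cred(const struct frame_info *fi, char *out, size_t outsz) {
    const uint8_t *p = fi->payload;
    size_t n = fi->payload_len, i = 0;
    if ((fi->dst_port != 21 && fi->dst_port != 110) || n < 5) return 0;
    if (memcmp(p, "USER ", 5) != 0 && memcmp(p, "PASS ", 5) != 0) return 0;
    for (; i < n && p[i] != '\r' && p[i] != '\n' && i + 1 < outsz; i++) out[i] = (char)p[i];
    out[i] = '\0';
    return 1;
}

/* Constructed sample: FTP "PASS hunter2", 192.168.1.10:40000 -> 192.168.1.20:21 (checksums zeroed). */
const uint8_t sample_frame[] = {
    0x00,0x01,0x02,0x03,0x04,0x05, 0x08,0x00,0x27,0xaa,0xbb,0xcc, 0x08,0x00,  /* Ethernet */
    0x45,0x00,0x00,0x36, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,           /* IPv4 */
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,
    0x9c,0x40,0x00,0x15, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,           /* TCP */
    0x50,0x18,0x20,0x00, 0x00,0x00,0x00,0x00,
    'P','A','S','S',' ','h','u','n','t','e','r','2','\r','\n',               /* payload */
};

static void report(const uint8_t *buf, size_t len) {   /* what a passive sniffer learns */
    struct frame_info fi; char sip[16], dip[16], cred[128];
    if (parse_frame(buf, len, &fi) != 0) return;
    inet_ntop(AF_INET, &fi.src_ip, sip, sizeof sip);
    inet_ntop(AF_INET, &fi.dst_ip, dip, sizeof dip);
    printf("%s:%u -> %s:%u  %zu payload bytes\n", sip, (unsigned)fi.src_port, dip,
           (unsigned)fi.dst_port, fi.payload_len);
    if (find_cleartext_cred(&fi, cred, sizeof cred)) printf("  cleartext credential: %s\n", cred);
}

int main(int argc, char **argv) {
    report(sample_frame, sizeof sample_frame);   /* offline demo; no privileges needed */
#ifdef __linux__
    /* Live capture in promiscuous mode, as Wireshark's dumpcap does; needs CAP_NET_RAW. */
    const char *ifname = argc > 1 ? argv[1] : "eth0";
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket (needs CAP_NET_RAW)"); return 1; }
    struct packet_mreq mr = { .mr_ifindex = (int)if_nametoindex(ifname), .mr_type = PACKET_MR_PROMISC };
    if (mr.mr_ifindex == 0 || setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof mr) < 0) {
        perror("promiscuous mode"); close(fd); return 1;
    }
    uint8_t buf[65536]; ssize_t n;
    while ((n = recv(fd, buf, sizeof buf, 0)) >= 0) report(buf, (size_t)n);
    perror("recv");
    close(fd);
#endif
    return 0;
}
```

    Build with cc -o sniff sniff.c and run ./sniff eth0 as root on a hub or on the switch's mirrored port: every FTP or POP3 login on that segment shows up as a cleartext credential line, which is the whole argument for the encryption cards further down. Note that the decoder rejects frames whose IP total length or TCP data offset exceeds what was actually received; a sniffer that trusts those fields can be crashed by a crafted frame.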
  • Test engineers use network analyzers to
    Generate traffic & thus act as the reference device
  • Port Monitoring
    The switch copies (mirrors) the traffic of a monitored port to the port where the sniffer is attached
  • If you want to capture Ethernet traffic sent by host A to host B, & both are connected to a HUB, just attach a sniffer to the hub: a hub repeats every frame out of every port, so all other ports see the traffic between A & B.
  • On a SWITCH, after the host B MAC address is learned, unicast traffic from A to B is forwarded only to the B port. Therefore, a sniffer on another port DOES NOT see this traffic (it still sees broadcasts and frames to not-yet-learned addresses).
  • SPAN port (Switched Port Analyzer)
    A switch feature that copies the frames of selected source ports or VLANs, including the unicast packets host A sends, to the port the sniffer is attached to
  • Ways to protect against sniffers: detect them
    • Spoofing the MAC address (send a frame addressed to a bogus MAC; only a NIC in promiscuous mode passes it up the stack, so a host that answers is sniffing)
    • Detecting a sniffer in Linux (locally, ip link show marks a promiscuous interface with PROMISC)
    • Detecting a sniffer in Windows
  • Remember: a MAC address (HWaddr) such as 00:01:02:03:04:05 = vendor OUI (first 3 bytes, 00:01:02) + NIC-specific number (last 3 bytes, 03:04:05)
  • Ways to protect against sniffers
    • Using switches
    • Using encryption
  • VPN Methods
    • Secure Shell (SSH): encrypts the application data; the IP & TCP headers are not encrypted
    • Secure Sockets Layer (SSL/TLS): encrypts above TCP at the session/application level; the IP & TCP headers are not encrypted, so a sniffer still sees who talks to whom
    • IPsec: works at the IP layer (ESP & AH are their own IP protocols, not TCP or UDP); in tunnel mode the original IP header is encapsulated & encrypted too, leaving only the outer header visible
  • Remember: Never use unauthorized Sniffers at work!
  • Wireshark
    Formerly called Ethereal; an open-source analyzer that decodes over 750 protocols
  • Wireshark components
    • tshark (CLI)
    • Editcap
    • Mergecap
    • Text2pcap
  • Editcap
    Like "Save As": converts a capture file from one format to another (and can trim or split it)
  • Mergecap
    Combines multiple saved captured files
  • Text2pcap
    Converts an ASCII hexdump of packets into a libpcap capture file
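  • As an added example of what text2pcap does (illustration code, not Wireshark's own), the program below parses a hexdump in text2pcap's "offset bytes" input format, writes it out as a libpcap file (24-byte global header, 16-byte record header, then the raw frame) and reads it back. The ARP frame in the hexdump is constructed for this example, and the output filename example_arp.pcap is arbitrary.

```c
/* Added illustration of what text2pcap does, not Wireshark's own code: turn a
 * hexdump of one frame into a libpcap file and read it back. The ARP frame is constructed. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* libpcap file layout: one global header, then per packet a record header and the
 * raw bytes. Written in host byte order; the magic tells a reader which order that was. */
struct pcap_hdr { uint32_t magic; uint16_t major, minor; int32_t thiszone; uint32_t sigfigs, snaplen, linktype; };
struct pcaprec_hdr { uint32_t ts_sec, ts_usec, incl_len, orig_len; };
#define PCAP_MAGIC 0xa1b2c3d4u   /* appears as 0xd4c3b2a1 when read with the other endianness */
#define LINKTYPE_ETHERNET 1

/* Parse "offset xx xx xx ..." lines (text2pcap's input format, no ASCII column)
 * into raw bytes. Returns the byte count, or 0 if the buffer is too small. */
size_t parse_hexdump(const char *text, uint8_t *out, size_t outsz) {
    size_t n = 0;
    for (const char *p = text; *p; ) {
        while (isxdigit((unsigned char)*p)) p++;          /* skip the offset field */
        while (*p == ' ' || *p == '\t') {                 /* then "xx" pairs */
            while (*p == ' ' || *p == '\t') p++;
            if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) break;
            if (n == outsz) return 0;
            char pair[3] = { p[0], p[1], 0 };
            out[n++] = (uint8_t)strtoul(pair, NULL, 16);
            p += 2;
        }
        while (*p && *p != '\n') p++;                     /* drop the rest of the line */
        if (*p == '\n') p++;
    }
    return n;
}

/* Write one Ethernet frame as a libpcap capture (timestamp 0: a hexdump carries no time). */
int write_pcap(const char *path, const uint8_t *frame, uint32_t len) {
    struct pcap_hdr gh = { PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET };
    struct pcaprec_hdr rh = { 0, 0, len, len };     /* incl_len == orig_len: nothing truncated */
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    int ok = fwrite(&gh, sizeof gh, 1, f) == 1 && fwrite(&rh, sizeof rh, 1, f) == 1
          && fwrite(frame, 1, len, f) == len;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Read the first record back; returns its length and sets *linktype, or -1 on a
 * malformed file (wrong magic, or a record longer than the caller's buffer). */
long read_pcap_first(const char *path, uint8_t *out, size_t outsz, uint32_t *linktype) {
    struct pcap_hdr gh; struct pcaprec_hdr rh; long r = -1;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    if (fread(&gh, sizeof gh, 1, f) == 1 && gh.magic == PCAP_MAGIC &&
        fread(&rh, sizeof rh, 1, f) == 1 && rh.incl_len <= outsz &&
        fread(out, 1, rh.incl_len, f) == rh.incl_len) {
        *linktype = gh.linktype;
        r = (long)rh.incl_len;
    }
    fclose(f);
    return r;
}

/* Constructed sample: an ARP "who has 192.168.1.20" broadcast, 42 bytes. */
const char sample_hexdump[] =
    "0000  ff ff ff ff ff ff 08 00 27 aa bb cc 08 06 00 01\n"
    "0010  08 00 06 04 00 01 08 00 27 aa bb cc c0 a8 01 0a\n"
    "0020  00 00 00 00 00 00 c0 a8 01 14\n";

int main(void) {
    uint8_t frame[1600], back[1600];
    uint32_t linktype = 0;
    size_t n = parse_hexdump(sample_hexdump, frame, sizeof frame);
    if (n == 0 || write_pcap("example_arp.pcap", frame, (uint32_t)n) != 0) return 1;
    long m = read_pcap_first("example_arp.pcap", back, sizeof back, &linktype);
    printf("wrote %zu bytes, read back %ld (linktype %u); open with: wireshark -r example_arp.pcap\n",
           n, m, (unsigned)linktype);
    return (m == (long)n && memcmp(frame, back, n) == 0) ? 0 : 1;
}
```

    The resulting file opens with wireshark -r example_arp.pcap or tshark -r example_arp.pcap, and mergecap and editcap consume the same format. The reader checks the magic number, so a file written on a host of the other endianness is rejected rather than misread; the real tools byte-swap it instead. It also refuses a record whose incl_len exceeds the buffer, the check a capture-file parser must never skip since the file may come from an untrusted source.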
  • Installing Wireshark
    1. Download from www.wireshark.org/download.html (or use the distribution package, e.g. sudo apt-get install wireshark on Ubuntu)
    2. Install the capture driver (libpcap on Linux; WinPcap or Npcap on Windows)
    3. Pick an interface & start capturing; every packet seen on it is recorded
  • If you did not succeed, search for "Wireshark" in the Ubuntu Dash and install it from there, or search the web for "Wireshark for Ubuntu 14.04" and follow the instructions.
  • Enabling packet capture without running Wireshark as root
    1. sudo usermod -a -G wireshark your-user-name   (log out & back in for the new group to apply)
    2. sudo chgrp wireshark /usr/bin/dumpcap
    3. sudo chmod 4750 /usr/bin/dumpcap   (setuid root, executable only by the wireshark group)
    Only dumpcap, the small capture helper, is privileged; the Wireshark GUI & its protocol dissectors, which parse untrusted bytes, keep running as your user. On Debian/Ubuntu sudo dpkg-reconfigure wireshark-common performs this setup, and granting file capabilities instead of setuid (setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap) is the tighter choice.
  • With that in place you can run Wireshark without root, both to inspect, edit or filter saved dumps (wireshark -r capture.pcap) & to capture live, e.g., wireshark -i eth0 -c 5 (stop after 5 packets)
  • Ethernet
    The most widely used LAN standard; classically a shared medium on which every frame is broadcast to all stations, which is why a hub can be sniffed from any port