Introduction To Packet Sniffing

Ethereal is a packet sniffer that allows users to capture and analyze data packets traveling over a network. It displays packet details such as source/destination addresses and ports to help understand network activity. Ethereal uses WinPcap to interface with network cards and capture packets. It organizes captured packets and allows filtering by protocol, hosts, strings to focus analysis. Ethereal provides insights into network applications and troubleshooting connectivity issues by examining packet streams and payloads.

Uploaded by

vaibhavshali01
Copyright
© Attribution Non-Commercial (BY-NC)

Introduction to Packet Sniffing

using Ethereal 0.10.9


Rob Bergin
Network Engineer
The Timberland Company
Non-Technical
Currently, data just travels around your network like a train. With a packet sniffer, you get the ability to capture the data and look inside the packets to see what is actually moving along the tracks.
Technical
Ethereal (and WinPcap), layered from application down to hardware:

Ethereal – Application for Sniffing Packets
WinPcap – open source library for packet capture
Operating System – Windows & Unix/Linux
NPF device driver – Network Driver (WinPcap runs as a protocol driver like TCP.SYS)
Network Card Drivers

WinPcap Architecture
WinPcap is an open source library for packet capture and network analysis for
the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic
link library (packet.dll), and a high-level and system-independent library
(wpcap.dll, based on libpcap version 0.6.2).

The packet filter is a device driver that adds to Windows 95, 98, ME, NT, 2000,
XP and 2003 the ability to capture and send raw data from a network card, with
the possibility to filter and store in a buffer the captured packets.

Packet.dll is an API that can be used to directly access the functions of the
packet driver, offering a programming interface independent from the Microsoft
OS.

Wpcap.dll exports a set of high level capture primitives that are compatible with
libpcap, the well known Unix capture library. These functions allow packets to be
captured in a way independent from the underlying network hardware and
operating system.

WinPcap is released under a BSD-style license.
Ethereal Application
• Requires WinPcap for Captures
• Can run standalone to examine captures
A Capture
• Let’s define a capture as a period of time that Ethereal captured data frames.
• Frames can be assembled to examine application traffic.

(Diagram: Frame 1, Frame 2, Frame 3, Frame 4, Frame 5, Frame 6 in sequence)

Recap
• Packet Sniffing
• Ethereal
• Data Frame Architecture
• WinPcap
• Network Capture
Basic TCP/IP Stuff
Interoperable TCP/IP
• TCP/IP (Transmission Control Protocol/Internet Protocol) is a suite of network protocols.
• TCP and IP are two separate protocols.
• TCP handles the data (HTTP vs. FTP vs. Telnet).
• IP handles the data transmission (i.e. between routers).
• TCP/IP protocols were designed to allow different applications running on dissimilar operating systems to communicate across a network.
Watch your Headers

TCP / UDP
- Ports not Addresses
- Layer 4 not 3
- FTP uses 20 and 21

IP
- Addresses not Ports
- Layer 3 not 4
- 192.168.1.1 (octet)
TCP
• TCP is a connection-oriented transport layer protocol designed to provide a reliable connection for data exchange between two systems.
• TCP ensures that all packets are properly sequenced and acknowledged and that a connection is established before data is sent.
• TCP provides its reliability through the use of an acknowledgement or ACK.
TCP
• If a receiving system had to send an ACK for every packet, the result would be an incredible amount of overhead for the network.
• To reduce the overhead, a mechanism called windowing is used.
• Windowing is a method of flow control.
TCP
• The receiving system advertises a certain number of packets that it can receive at a time (input buffer size).
• The sending system watches for an ACK after the designated number of packets is sent.
• If an ACK is not received, data will be retransmitted from the point of the last ACK.
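Added here as an illustration, not taken from the presentation: a small Python model of the windowing and retransmit-from-the-last-ACK behaviour described above. The segment counts, window size and loss pattern are constructed; a window of 1 is the "ACK for every packet" case the slides call expensive.

```python
def transfer(total_segments, window, lost):
    """Constructed model of the slides' windowing, not Ethereal or WinPcap code.
    The sender puts up to `window` segments past the last ACK on the wire, the
    receiver ACKs the contiguous segments it received, and everything after a
    gap is resent from the point of the last ACK. `lost` is a set of
    (segment, attempt) pairs the network drops.
    Returns (segments placed on the wire, retransmissions, send/ACK rounds)."""
    base = 0                      # first unacknowledged segment = point of the last ACK
    attempts = {}                 # how many times each segment has been sent
    sent = retrans = rounds = 0
    while base < total_segments:
        rounds += 1
        window_end = min(base + window, total_segments)
        for seg in range(base, window_end):          # send the advertised window
            attempts[seg] = attempts.get(seg, 0) + 1
            sent += 1
            if attempts[seg] > 1:
                retrans += 1
        acked = base                                 # receiver ACKs up to the first gap
        while acked < window_end and (acked, attempts[acked]) not in lost:
            acked += 1
        base = acked                                 # next round starts at the last ACK
    return sent, retrans, rounds
```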
UDP
• UDP (User Datagram Protocol) provides an unreliable, connectionless protocol to deliver packets.
• This protocol allows messages, called datagrams, to be sent without the overhead of ACKs, established connections, and sequencing.
• Applications that use UDP as their communications mechanism include NFS (2049), TFTP (79), DNS (53) and Unreal Tournament (7777).
IPv4
• IP (Internet Protocol) is used to handle datagram services between hosts.
• IP handles the addressing, routing, and reassembly.
• IP addresses are 32 bits long and are organized into 4 octets (8 bits each) separated by periods.
• IPv4 address example: 192.168.10.20.
• IPv6 is a next generation form of addressing.
IPv6
What will IPv6 look like?
IPv6 Addresses:
CDFE:910A:2356:5709:8475:1024:3911:2021
2080:0000:0000:0000:0090:7AEB:1000:123A

Combo IPv4 and IPv6:
1800:0000:0000:7AEF:0000:0000:16.114.67.16

Compacted IPv6 Addresses:
2080:0:0:0:90:7AEB:1000:123A   (legal compaction)
2080::90:7AEB:1000:123A        (legal compaction)
1800::7AEF:0:0:1072:4310       (legal compaction)
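The rules behind the legal compactions above, as an added Python example that is not part of the presentation: leading zeros are dropped from every group, only the longest run of all-zero groups becomes `::` (the 1800 address has two equal runs and only the first is collapsed), and a trailing dotted IPv4 part is rewritten as two hex groups. The result is cross-checked against the standard library's `ipaddress` module; both produce lowercase hex.

```python
import ipaddress

def expand_groups(addr):
    """Split an address written in full (no '::') into eight 16-bit groups.
    A trailing dotted IPv4 part, as in the slide's combo form, becomes two groups."""
    parts = addr.split(":")
    if "." in parts[-1]:                       # embedded IPv4: 16.114.67.16 -> 1072:4310
        o = [int(x) for x in parts[-1].split(".")]
        parts[-1:] = ["%x" % ((o[0] << 8) | o[1]), "%x" % ((o[2] << 8) | o[3])]
    groups = [int(p, 16) for p in parts]
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d" % len(groups))
    return groups

def compact(addr):
    """Drop leading zeros in each group and replace the longest run of two or
    more consecutive zero groups with '::' (first run wins on a tie)."""
    groups = expand_groups(addr)
    best_start, best_len, i = -1, 0, 0
    while i < 8:                               # scan for the longest run of zero groups
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexed = ["%x" % g for g in groups]         # "%x" drops the leading zeros
    if best_len < 2:                           # a single zero group is not compacted
        return ":".join(hexed)
    left = ":".join(hexed[:best_start])
    right = ":".join(hexed[best_start + best_len:])
    return left + "::" + right

def cross_check(addr):
    """True when the hand-rolled compaction agrees with the standard library."""
    return compact(addr) == ipaddress.IPv6Address(addr).compressed
```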
IPv4 vs. IPv6
• IPv4 RFC came out in 1981.
• IPv6 RFC came out in 1998.

(Chart: Mobile Subscribers, PCs Connected to Web and Mobile Internet Users, in millions, 1995 to 2004. Sources: ABN AMRO/IDC/Ovum)


Recap
• TCP vs. IP
• Headers
• TCP
• UDP
• IP
• IPv4 vs. IPv6
Ethereal Overview
View of Ethereal (three panes):
• Packet List
• Packet Details
• Packet Bytes
Packet List
• Packet Order
• Time Order
• Source IP, Destination IP, Protocol, Information
Packet Details
• Source and Destination TCP Ports
• Source and Destination IP
• Breakdown of the Frame, the Packet, the TCP portion
Packet Bytes
• View of the data – Hexadecimal and Raw Data
Ethereal Capture
Running Ethereal
Ethereal Analysis
Logging on to FTP Server
What Ethereal saw
Ethereal Filtering
Filtering!!!!
Saving Captures
• Captured Views
• Range of Packets
• All Packets
• Naming is critical:
– Was it the client?
– Was it the Server?
After Filter/Save/Open
Time Column & Delta
FTP Only Filter
Ethereal Packet Analysis
What Username?
Is Password Required?
What Password?
Why can’t I log in?
Follow the Stream
Advanced Filtering
Filter for just that stream:
(ip.addr eq 207.46.133.140 and ip.addr eq 172.17.22.56) and
(tcp.port eq 21 and tcp.port eq 3511)

Filter for traffic between two hosts:
ip.addr == 207.46.133.140 and ip.addr == 172.17.22.56

Filter for IP traffic and removal of other traffic:
ip and !(nbns) and !(msnms) and !(browser) and !(rip)
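To make the semantics of these three filters concrete, here is an added Python example (not code from the presentation or from Ethereal) that parses this subset of the display-filter language and runs it over constructed packets: it shows that ip.addr and tcp.port hold both endpoints, so the two-host filter returns both directions of the FTP session, and that a bare protocol name tests presence. The evaluator and the sample packets are assumptions for illustration only.

```python
import re
# Tokens on the slides: parentheses, '!', '==', names (ip.addr, nbns, and, eq) and values.
TOKEN_RE = re.compile(r"\(|\)|!|==|[A-Za-z_][\w.]*|[\d.]+")

def parse(expr):  # recursive-descent parser for the filter subset shown on the slides
    toks = TOKEN_RE.findall(expr)
    def peek():
        return toks[0] if toks else None
    def term():
        tok = toks.pop(0)
        if tok == "!":
            return ("not", term())
        if tok == "(":
            node = expression()
            toks.pop(0)                  # consume the closing ')'
            return node
        if peek() in ("eq", "=="):       # field comparison, e.g. tcp.port eq 21
            toks.pop(0)
            return ("eq", tok, toks.pop(0))
        return ("proto", tok)            # bare name: is this protocol present?
    def expression():
        node = term()
        while peek() == "and":
            toks.pop(0)
            node = ("and", node, term())
        return node
    return expression()

def matches(node, pkt):  # evaluate a parsed filter against one decoded packet (a dict)
    if node[0] == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if node[0] == "not":
        return not matches(node[1], pkt)
    if node[0] == "eq":                  # ip.addr / tcp.port hold both endpoints,
        return node[2] in pkt.get(node[1], ())  # so 'eq' matches either direction
    return node[1] in pkt["protocols"]

def apply_filter(expr, packets):
    tree = parse(expr)
    return [p["name"] for p in packets if matches(tree, p)]

def pkt(name, src, dst, sport, dport, protos):  # constructed sample packet, not capture data
    port_field = "tcp.port" if "tcp" in protos else "udp.port"
    return {"name": name, "ip.addr": {src, dst}, port_field: {sport, dport}, "protocols": set(protos)}
PACKETS = [  # the FTP session between the two hosts named on the slide, plus two other packets
    pkt("ftp-cmd", "172.17.22.56", "207.46.133.140", "3511", "21", ["ip", "tcp", "ftp"]),
    pkt("ftp-reply", "207.46.133.140", "172.17.22.56", "21", "3511", ["ip", "tcp", "ftp"]),
    pkt("http", "172.17.22.56", "207.46.133.140", "3520", "80", ["ip", "tcp", "http"]),
    pkt("nbns", "172.17.22.56", "172.17.22.255", "137", "137", ["ip", "udp", "nbns"]),
]
```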
Summary Info
Ethereal: Encryption
HTTP
HTTPS
HTTP vs. HTTPS
TCP Stream vs. HTML Source
Ethereal: Miscellaneous
Protocol Hierarchy
I/O Graphing
HTTP Breakdown
Coloring Packets
Commercial Sniffers
• Sniffer Pro
• OmniPeek
• Observer
• IT Guru and ACE

Final Words
“If you can’t measure it, you can’t manage it”
- Peter Drucker
