Module 3 - Analyzing Network Traffic Flashcards
Install Wireshark on a computer Analyze a network packet capture Recover files from a network packet capture
WireShark Source
www.wireshark.org
WireShark Installation Prerequisite
WinPcap
WireShark Filters and View Columns
- IP addresses (Source and Destination)
- Protocols
- Info (includes GET commands and paths)
Analyzing Streams in WireShark
“Follow TCP Stream”
Exporting Files in WireShark
File - Export - Objects - HTTP
WireShark Filters
Use Filters box
“Expression” button shows syntax.
WireShark Time Reference
- Display format must be “Seconds Since Beginning of Capture”.
- Edit - Time Reference
- Not saved when file is closed.
Transmissions work due to __________
encapsulation
Ethernet Frame Characteristics
- Size: 1526 bytes
- Contain source and destination MAC addresses
- Payload contains IP datagram
IP Data gram contains __________
source and destination IP addresses
What is used to parse frames and datagrams?
Packet sniffers
Name a Packet Sniffer Tool
tcpdump
Characteristics of tcpdump
- open source packet sniffer
- command line
- recent version: 4.2.1 (01/2012)
- www.tcpdump.org
- Replaying requires “tcpreplay or tcpopera”
Solutions to capture traffic
- Packet Sniffer (tcpdump)
- Hubs
- Network Tap
- Port Mirroring
Hubs for Capturing Traffic
- No logic
- Low Cost
- Rebroadcast traffic to all connected ports
- can be easily used to sniff traffic between computers on the same hung
(usually a security concern).
What is a network tap?
- hardware device that provides a way to access the data flowing across a computer network.
- intercepts data flowing through a cable
- Has at least three ports - A port, B port, monitor port
- pass traffic through unimpeded, but copies data to the monitor port
What use-cases are network taps used for?
- network intrusions systems
- VOIP recording
- network probes
- RMON probes
- packet sniffers
Why are network taps used?
- non-obtrusive
- not detectable (no physical or logical address)
- can deal with full duplex and non-shared networks,
- pass traffic even if it stops working or loses power
What is Port Mirroring?
- Used on network switch
- Sends copy of all network packets seenon one switch port (or an entire VLAN) to a network monitoring connection on another switch port.
What use-case for Port Mirroring?
- network appliances that require monitoring of network traffic, such as IDS
Names for Port Mirroring on common switches
Cisco Systems: Switched Port Analyzer (SPAN)
3Com: Roving Port Analysis (RAP)