Wireshark Flashcards
What is packet sniffing?
The process of capturing network traffic for analysis to determine what is happening on the network
What does a network analyser do?
Decodes raw data packets of common protocols and displays the network traffic in human readable form
What will a network analyser normally consist of? (5 things)
- Hardware
- Capture driver
- Buffer
- Real-time analysis
- Decoder
What is the capture driver?
The part of a network analyzer that is responsible for actually capturing the raw network traffic from the cable
What is the data buffer?
This component stores the captured data
What is the decoder?
This component displays the contents of the network traffic with descriptions that allow it to be human readable
What can a network analyser be used for?
- Network analysers are valuable tools for diagnosing and troubleshooting network problems
- They are used by system administrators, network engineers, security engineers etc.
What are some good reasons for packet sniffing?
- Troubleshooting network problems
- Intrusion detection
- Detecting spyware or compromised computers
- Discovering the origin of denial of service (DoS) attacks
- Logging traffic for evidence of wrongdoing
What are some bad reasons for packet sniffing?
- Sniffers can be a significant threat to network security by discovering system vulnerabilities
- Intruders use network sniffing to capture valuable and confidential information
What are some possible uses for bad packet sniffing?
- Capturing clear-text usernames and passwords
- Compromising proprietary information
- Capturing and replaying voice over IP conversations
- Mapping a network
- Passive OS fingerprinting
What are some ways an unauthorised person could gain access to install packet sniffing software?
- Breaking into a target computer and installing remotely controlled sniffing software
- Breaking into a communications access point, such as an ISP and installing sniffing software
- Locating/finding a system at the ISP that already has sniffing software installed
- Using social engineering to gain physical access to the network or the ISP to install a packet sniffer
- Having an insider accomplice on the target network or the ISP to install the sniffer
- Redirecting communications to take a path that includes the intruder’s computer
What are rootkits?
- Sniffing programs are included with most “rootkits” that are typically installed on compromised systems
- They may install other programs such as sniffers, key loggers and backdoor access software
What is promiscuous mode?
Normally a NIC will only accept, and pass up to the system, those packets destined for itself. In promiscuous mode, the NIC accepts all packets on the segment, regardless of who they are addressed to, and passes them on to the system for processing
What can you do if the network uses a switch?
- Install a hub between the target PC and the switch
- Configure the switch to forward all traffic out a particular port and sniff on that port
- Overload the switch’s internal table of destinations, forcing it to act like a hub
On Wireshark what is the difference between:
- Colour filters
- Capture filters
- Display filters
- Colour filter - lets you highlight different types of traffic
- Capture filter - lets you capture only the traffic you want
- Display filter - lets you sort all captured traffic to display only the traffic you want to see