1. Network S niffing and P acket
Analysis Using Wireshark
C ombined null and O W A S P meet
B angalore
1101/0011/1010
ta m a g hna .ba s u@g m a il.c om
ta m a ha w k -tec hg uru.blo g s pot.c om
tw itter.c om /tita nla m bda
2. • D ifficult to put all these
things together
• E xisting sessions – 100 –
150 slides
• Time C onstraint
3. Topics
• Why?
• What?
• How ?
• B as ic sniffing techniques
• Intro to wireshark
• C losure look at protocols
• C ase S tudies
7. P urpose of sniffing and
packet analysis
● A million different things can go wrong with a computer network,
from a simple spyware infection to a complex router configuration
error.
● P acket level is the most basic level where nothing is hidden.
●Understand the network, who is on a network, whom your
computer is talking to, What is the network us age, any s uspicious
communication (D O S , botnet, Intrus ion attempt etc)
●Find uns ecured and bloated applications – FTP sends cleartext
authentication data
●O ne phase of computer forensic - could reveal data otherwise
hidden s omewhere in a 150 G B HD D .
8. What is this?
• Also known as packet sniffing, protocol analysis etc.
• Three P hases -
• C ollection – promiscuous mode
• C onversion – UI based tools are better
• Analysis – P rotocol level, setting rules etc
• G et various data like text content, files, clear text
authentication details etc.
• Tools
•S niffer – wireshark, cain and abel, tcpdump
(commnd line tool), networkminer
• P acket Analysis – wireshark, networkminer, xplico
etc
9. S niffing Techniques
• P romiscuous mode
• Hub environment
• S witch environment
• P ort mirroring
• Hubbing out the target network/machine
• AR P cache poisoning /AR P spoofing
10. Wireshark: History
G erald C ombs , a computer science graduate of
the University of M iss ouri at Kansas C ity,
originally developed it out of necessity.
The very firs t version of C ombs’ application,
called E thereal, was releas ed in 1998 under the
G NU P ublic Licens e (GP L).
E ight years after releasing E thereal, C ombs left
his job and rebranded the project as Wireshark
in mid-2006.
11. Wireshark: Features
• GPL
• Available in all platform
• Both live and offline analysis
• Understands almost all protocols, if not, add it – open
source
• Filter/search packets, E xpert's comment, Follow TC P
S tream, Flow G raph etc
• P lenty of tutorials /documentation available
• G et sample captured packets for study -
http:/ wiki.wireshark.org/ ampleC aptures
/ S
• D em o: L et's s ta rt ea ting . Feed yo ur bra in. :)
12. S tarters: P rotocol diagnosis
• AR P
• D HC P
•HTTP / PTC
• D NS
• FTP
• Telnet
• IC M P
• S M TP
13. D eserts: C ase S tudies
• FTP C rack
• B las ter worm
• OS fingerprinting
• P ort S canning
• IC M P C overt C hannel
• B rowser Hijacking - spyware
14. M outh Freshner: Honeynet C hallenge
• C hallenge 1
• P roblem S tatement
• Analysis
• Tools used
• S olution
15. M ainC ourse? ? ? ?
“Tell me and I forget. Show
me and I remember. Involve
me and I understand.” -
chinese proverb
16. Thank you for witnessing this
historical moment...
A ns w ers a nd D is c us s io ns ?
ta m a g hna .ba s u@g m a il.c om
ta m a ha w k -tec hg uru.blo g s pot.c om
tw itter.c om /tita nla m bda
