Introduction to Packet Sniffing using Ethereal 0.10.9 - PowerPoint PPT Presentation

Slides: 64
Provided by: RobBe8
Transcript and Presenter's Notes

1
Introduction to Packet Sniffing using Ethereal 0.10.9
  • Rob Bergin
  • Network Engineer
  • The Timberland Company

2
Non-Technical
Currently, data just travels around your network
like a train. With a packet sniffer, you get the
ability to capture the data and look inside the
packets to see what is actually moving along the
tracks.
3
Technical
4
Ethereal (and WinPcap)
  • Ethereal: application for sniffing packets
  • WinPcap: open source library for packet capture
  • Operating system: Windows or Unix/Linux
  • NPF device driver: network driver (WinPcap runs as
    a protocol driver, like TCP.SYS)
  • Network card drivers
5
WinPcap Architecture
WinPcap is an open source library for packet
capture and network analysis on the Win32
platforms. It includes a kernel-level packet
filter, a low-level dynamic link library
(packet.dll), and a high-level, system-independent
library (wpcap.dll, based on libpcap version
0.6.2). The packet filter is a device driver that
adds to Windows 95, 98, ME, NT, 2000, XP and 2003
the ability to capture and send raw data from a
network card, with the ability to filter the
captured packets and store them in a buffer.
Packet.dll is an API that can be used to directly
access the functions of the packet driver,
offering a programming interface independent of
the Microsoft OS. Wpcap.dll exports a set of
high-level capture primitives that are compatible
with libpcap, the well-known Unix capture library.
These functions allow packets to be captured in a
way that is independent of the underlying network
hardware and operating system. WinPcap is
released under a BSD-style license.
6
Ethereal Application
  • Requires WinPcap for Captures
  • Can run standalone to examine captures

7
A Capture
  • Let's define a capture as a period of time during
    which Ethereal captured data frames.
  • Frames can be assembled to examine application
    traffic

(Diagram: Frame 1 through Frame 6 making up one capture)
8
Recap
  • Packet Sniffing
  • Ethereal
  • Data Frame Architecture
  • WinPcap
  • Network Capture

9
Basic TCP/IP Stuff
10
Interoperable TCP/IP
  • TCP/IP (Transmission Control Protocol/Internet
    Protocol) is a suite of network protocols.
  • TCP and IP are two separate protocols.
  • TCP handles the application data (HTTP vs. FTP vs.
    Telnet).
  • IP handles the data transmission (i.e. between
    routers).
  • TCP/IP protocols were designed to allow different
    applications running on dissimilar operating
    systems to communicate across a network.

11
Watch your Headers
  • IP
  • Addresses not Ports
  • Layer 3 not 4
  • 192.168.1.1 (octet)

12
TCP
  • TCP is a connection-oriented transport-layer
    protocol designed to provide a reliable
    connection for data exchange between two systems.
  • TCP ensures that all packets are properly
    sequenced and acknowledged and that a connection
    is established before data is sent.
  • TCP provides its reliability through the use of an
    acknowledgement, or ACK.

13
TCP
  • If a receiving system had to send an ACK for
    every packet, the result would be an incredible
    amount of overhead for the network.
  • To reduce the overhead, a mechanism called
    windowing is used.
  • Windowing is a method of flow control.

14
TCP
  • The receiving system advertises a certain number
    of packets that it can receive at a time (its
    input buffer size).
  • The sending system watches for an ACK after the
    designated number of packets is sent.
  • If an ACK is not received, data will be
    retransmitted from the point of the last ACK.

15
UDP
  • UDP (User Datagram Protocol) is an unreliable,
    connectionless protocol for delivering packets.
  • This protocol allows messages, called datagrams,
    to be sent without the overhead of ACKs,
    established connections, and sequencing.
  • Applications that use UDP as their communications
    mechanism include NFS (2049), TFTP (79), DNS (53)
    and Unreal Tournament (7777).

16
IPv4
  • IP (Internet Protocol) is used to handle datagram
    services between hosts.
  • IP handles the addressing, routing, and
    reassembly.
  • IP addresses are 32 bits long and are organized
    into 4 octets (8 bits each) separated by periods.
  • IPv4 address example: 192.168.10.20.
  • IPv6 is a next-generation form of addressing.

17
IPv6

18
What will IPv6 look like?
  • IPv6 Addresses
  • CDFE:910A:2356:5709:8475:1024:3911:2021
  • 2080:0000:0000:0000:0090:7AEB:1000:123A
  • Combo IPv4 and IPv6
  • 1800:0000:0000:7AEF:0000:0000:16.114.67.16
  • Compacted IPv6 Address
  • 2080:0:0:0:90:7AEB:1000:123A (legal compaction)
  • 2080::90:7AEB:1000:123A (legal compaction)
  • 1800::7AEF:0:0:1072:4310 (legal compaction)
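
As an added example (not from the slides), the compaction rules above carried out in Python: expand() accepts any of the forms shown, including the combo form with a dotted IPv4 tail, and compact() applies the two rules (drop leading zeros, then collapse the longest run of zero groups to "::"). The addresses are the slide's own; the function names and the RFC 5952 tie-break (leftmost run wins when two zero runs are equally long) are my choices.

```python
from ipaddress import IPv4Address

def expand(addr):
    """Return the eight 16-bit groups of an IPv6 address written in any of the
    forms on the slide: full, leading zeros dropped, '::' compacted, or the
    'combo' form with a dotted IPv4 address in the low 32 bits."""
    if "." in addr:  # combo form: turn the dotted IPv4 tail into two hex groups
        head, _, v4 = addr.rpartition(":")
        n = int(IPv4Address(v4))
        addr = f"{head}:{n >> 16:x}:{n & 0xFFFF:x}"
    if addr.count("::") > 1:
        raise ValueError(f"more than one '::' in {addr!r}")
    left, sep, right = addr.partition("::")
    lgroups = [int(g, 16) for g in left.split(":") if g]
    rgroups = [int(g, 16) for g in right.split(":") if g]
    missing = 8 - len(lgroups) - len(rgroups)
    # '::' must stand for at least one zero group; without it all eight are needed
    if (sep and missing < 1) or (not sep and missing != 0):
        raise ValueError(f"wrong number of groups in {addr!r}")
    return lgroups + [0] * missing + rgroups

def full(groups):
    """Uncompacted form: eight groups of four hex digits."""
    return ":".join(f"{g:04X}" for g in groups)

def compact(groups):
    """Apply the slide's two compaction rules: drop leading zeros in every group,
    then replace the longest run of consecutive zero groups (at least two groups,
    the leftmost run on a tie, as RFC 5952 recommends) with a single '::'."""
    best_start, best_len, i = -1, 1, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1 if j == i else j
    hexs = [f"{g:X}" for g in groups]
    if best_start < 0:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])

if __name__ == "__main__":
    for a in ("CDFE:910A:2356:5709:8475:1024:3911:2021",
              "2080:0000:0000:0000:0090:7AEB:1000:123A",
              "1800:0000:0000:7AEF:0000:0000:16.114.67.16"):
        print(full(expand(a)), "->", compact(expand(a)))
```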

19
IPv4 vs. IPv6
  • IPv4 RFC came out in 1981.
  • IPv6 RFC came out in 1998.

(Chart: Mobile Subscribers, PCs Connected to Web, Mobile Internet Users; sources: ABN AMRO/IDC/Ovum)
20
Recap
  • TCP vs. IP
  • Headers
  • TCP
  • UDP
  • IP
  • IPv4 vs. IPv6

21
Ethereal Overview
22
View of Ethereal
Packet List
Packet Details
Packet Bytes
23
Packet List
Packet Order
Time Order
Destination IP
Information
Source IP
Protocol
24
Packet Details
Source and Destination TCP Ports
Source and Destination IP
Breakdown of the Frame, the Packet and the TCP portion
25
Packet Bytes
View of the data: hexadecimal and raw data
26
Ethereal Capture
27
Running Ethereal
28
Ethereal Analysis
29
Logging on to FTP Server
30
What Ethereal saw
31
What Ethereal saw
32
What Ethereal saw
33
What Ethereal saw
34
What Ethereal saw
35
Ethereal Filtering
36
Filtering!!!!
37
Saving Captures
  • Captured Views
  • Range of Packets
  • All Packets
  • Naming is critical
  • Was it the client?
  • Was it the Server?

38
After Filter/Save/Open
39
Time Column Delta
40
FTP Only Filter
41
Ethereal Packet Analysis
42
What Username?
43
Is Password Required?
44
What Password?
45
Why can't I log in?
46
Follow the Stream
47
Advanced Filtering
  • Filter for just that stream:
    (ip.addr eq 207.46.133.140 and ip.addr eq 172.17.22.56) and (tcp.port eq 21 and tcp.port eq 3511)
  • Filter for traffic between two hosts:
    ip.addr == 207.46.133.140 and ip.addr == 172.17.22.56
  • Filter for IP traffic with other traffic removed:
    ip and !(nbns) and !(msnms) and !(browser) and !(rip)
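
An added example, not from the slides: a small Python evaluator for the display-filter subset used above, run over constructed packet summaries (not a real capture) that include the slides' FTP control stream between 172.17.22.56:3511 and 207.46.133.140:21. It shows why "ip.addr eq A and ip.addr eq B" returns both directions of a conversation and why the two tcp.port tests narrow it to one stream; `eq` and `==` are interchangeable in Ethereal. The packet-dictionary layout and function names are mine.

```python
import re

# Constructed packet summaries standing in for a capture's Packet List (not a real
# trace): the slides' FTP control stream plus unrelated traffic a LAN usually carries.
PACKETS = [
    {"no": 1, "protos": {"ip", "tcp", "ftp"}, "src": "172.17.22.56", "dst": "207.46.133.140", "sport": 3511, "dport": 21},
    {"no": 2, "protos": {"ip", "tcp", "ftp"}, "src": "207.46.133.140", "dst": "172.17.22.56", "sport": 21, "dport": 3511},
    {"no": 3, "protos": {"ip", "tcp", "http"}, "src": "172.17.22.56", "dst": "207.46.133.140", "sport": 3512, "dport": 80},
    {"no": 4, "protos": {"ip", "udp", "nbns"}, "src": "172.17.22.56", "dst": "172.17.22.255", "sport": 137, "dport": 137},
    {"no": 5, "protos": {"arp"}},  # no IP header at all
]

def field_test(field, value):
    """ip.addr / tcp.port match EITHER endpoint, as in Ethereal, so 'A and B' is both directions."""
    if field == "ip.addr":
        return lambda p: "ip" in p["protos"] and value in (p["src"], p["dst"])
    if field == "tcp.port":
        return lambda p: "tcp" in p["protos"] and int(value) in (p["sport"], p["dport"])
    raise ValueError(f"unsupported field {field!r}")

def parse(text):
    """Recursive-descent parser for the slides' filter subset: and, !, ( ), eq/==, protocol names."""
    toks = re.findall(r"\(|\)|!|[^\s()!]+", text)  # toks.pop(0) raises IndexError if the filter ends early
    def term():
        t = toks.pop(0)
        if t in ("!", "not"):
            return (lambda f: lambda p: not f(p))(term())
        if t == "(":
            inner = expr()
            if toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return inner
        if toks and toks[0] in ("eq", "=="):
            toks.pop(0)
            return field_test(t, toks.pop(0))
        return lambda p: t in p["protos"]  # bare protocol name such as 'ip' or 'nbns'
    def expr():
        left = term()
        while toks and toks[0] in ("and", "&&"):
            toks.pop(0)
            left = (lambda l, r: lambda p: l(p) and r(p))(left, term())
        return left
    pred = expr()
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return pred

def apply_filter(text, packets=PACKETS):
    pred = parse(text)  # numbers of the packets that pass the display filter
    return [p["no"] for p in packets if pred(p)]
```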

48
Summary Info
49
Ethereal Encryption
50
HTTP
51
HTTPS
52
HTTP vs. HTTPS
53
HTTP vs. HTTPS
54
HTTP vs. HTTPS
55
TCP Stream vs. HTML Source
56
Ethereal Miscellaneous
57
Protocol Hierarchy
58
I/O Graphing
59
HTTP Breakdown
60
Coloring Packets
61
Commercial Sniffers
  • Sniffer Pro
  • OmniPeek
  • Observer
  • IT Guru and ACE

62
63
Final Words
  • If you can't measure it, you can't manage it
  • - Peter Drucker