Posted on 14-Aug-2020


Computer Networks, 2nd part - Introduction

Luca Bedogni
Department of Computer Science and Engineering
University of Bologna

Who I am

§ Dr. Luca Bedogni
§ Contacts:
§ Website: http://cs.unibo.it/~lbedogni
§ Mail: luca.bedogni4@unibo.it
§ Phone: +39 051 20 9 4974
§ Student meetings: Mon-Fri
  • Mandatory to ask for a meeting by mail
§ Office: Wireless Lab

Objectives

§ Understand protocol behavior
§ Getting hands dirty
§ Understand how to look for specific network information
§ Learning
§ By observing
§ By doing
§ By experimenting
§ By discussing
§ Be constructive: discussions are helpful. Participate in group discussions, raise questions, collaborate, help each other.

Outline

§ General introduction - packet sniffers
§ Wireshark
§ Hands-on laboratories
  • Introduction, TCP/UDP/IP, ICMP/NAT, SSL, DNS/DHCP
§ Linux on Network

Packet sniffers

§ Understanding network protocols paves the way to understanding the network
§ Can be done with simulators
  • You don't get the "real" action
  • You may not have the guarantee that a simulated protocol closely reflects the real one
§ A packet sniffer listens on the network
§ Packets sent/received
§ Stores and displays the content
§ Handles copies of the packets
§ The packet capture library
§ Receives the packets and sends them to the packet analyzer
§ The packet analyzer
§ Shows the packet contents
§ Decodes nested fields

Wireshark

§ Wireshark is a packet sniffer
§ It has a GUI which makes it intuitive to inspect network flows
§ Available for different platforms
§ Useful to inspect live network flows
§ Live capture, which lets you see traffic as it happens
§ Useful to gain experience
§ It is possible to inspect pre-captured traces

Laboratories

§ The 2nd part is primarily a hands-on class
§ Most of the classes (~3) will be with live exercises
§ Packet sniffer exercises – Kurose, Ross, "Computer Networking: A Top-Down Approach"
§ If you have one, bring your own laptop
§ 1 laptop is enough for a group of 2-3 students
§ What we need
§ Wireshark (more on this later)
§ Linux machine
§ Advice: use a virtual machine
§ Modus operandi:
§ Some exercises will be done during the class
  • To foster discussion and to show examples
§ Some will be assigned as homework
  • No evaluation; some of them will be (briefly) discussed in the lecture following the assignment

Network on Linux

§ We will see basic network operations on Linux
§ Not a system administrator class
§ The focus is on the use of Linux as a tool to
§ Discover network problems
§ Investigate network challenges
§ Isolate issues
§ Not an operating system class
§ Basic commands, basic operations
§ Key is the combination of simple operations

Computer Networks: Packet sniffers - Introduction

Luca Bedogni
Department of Computer Science and Engineering
University of Bologna

Outline

§ Packet sniffers
§ Wireshark
§ Wireshark capture filters
§ Wireshark display filters

What is a packet sniffer

§ Packet sniffing is the operation of capturing any data which goes through the network
§ To look for information in network packets
§ Frequently used by system administrators to troubleshoot network issues
§ Why traffic is slow
§ Detect intrusions
§ Considered security tools
§ Do not automatically provide security
§ But give all the tools to assess it
§ It is a passive technique
§ You set one or more of your network interfaces to listen for everything
§ Packets are copied and displayed to the user
§ The packet sniffer is just listening
  • Actually, it does not change information

How is that possible

§ Most people believe that when they communicate over the network with someone else, their packets go directly to the destination
§ Instead they are sent in broadcast
§ Every node in the network overhears the packet
§ It checks if it is the destination, or if it needs to reroute it

[Figure, built up over three slides: A sends MSG to B; B: "THIS IS FOR ME"; C and D also receive MSG: "THIS IS NOT FOR ME"; S also receives MSG: "THIS IS NOT FOR ME, BUT I AM SNIFFING"]

A simple example

§ Suppose you want to visit unibo.it
§ Basically, you shout "Somebody give me unibo.it"
§ The message is overheard by anyone on the network
§ Also the router
§ The router sends it to the destination
§ Once it receives the answer, it sends the message again on the network
§ Everybody overhears it
§ Including you

What is possible to see

§ Basically, all the information which is sent in clear
§ Anyone with a packet sniffer can gain access to such information
§ If the connection is encrypted, the information is more secure
§ But still, you are receiving it
§ Consider if your user credentials for a harmless website are sent in plain text
§ And you use the same credentials for Gmail
§ … and for your bank account …
§ Example: cookie hijacking

What is Wireshark

§ It is a network analyzer tool
§ It allows us to see all the packets that go through a network
§ Why is my network stuck every Friday evening from 6PM to 8PM?
§ Why can't computer X connect to the Internet?
§ Why can't the A department connect to the internal servers?
§ Wireshark helps us troubleshoot the network
§ Open source with GUI
§ Available for Windows/macOS/Linux
§ Get it at https://www.wireshark.org/download.html
§ All the examples in this class will be made through the GUI
§ Some shortcuts through the command line exist

What it looks like

Deeper into Wireshark

§ Technically speaking, Wireshark captures the packets going through a network and displays them
§ What people use Wireshark for:
§ Network administrators -> troubleshoot network problems
§ Network security engineers -> examine security problems
§ QA engineers -> verify network applications
§ Developers -> debug protocol implementations
§ People -> learn network protocol internals
§ Some features:
§ Capture live packet data and display it
§ Import network traces and save them
§ Filtering/Coloring/Search
§ Create network statistics

A Wireshark example

[Screenshot of the main window, annotated: packets list, packet details, packets content, Wireshark toolbar, general statistics]

Wireshark menus

File – Open, merge, export and print capture files
Edit – Search packets, mark them, preferences
View – Coloring packets and view options
Go – Through this menu it is possible to go to a specific packet
Capture – To start captures and edit capture filters
Analyze – Filtering packets, dissecting protocols
Statistics – To generate and display statistics
Telephony – Telephony related statistics
Wireless – To show wireless related statistics
Tools – Various tools available in Wireshark
Help – Help, manual pages

The Wireshark toolbar

§ Start
§ Stop
§ Restart
§ Options
§ Open
§ Save
§ Close
§ Reload
§ Find
§ Go to packets
§ Auto scroll
§ Colorize
§ Zoom options

The filter toolbar

§ Bookmarks
§ Filter Input
§ Clear
§ Apply
§ It is probably one of the most powerful tools of Wireshark
§ We'll see how many packets are generated in a short time even in sparsely populated networks
§ Filtering is essential

The packet list panel

§ Each line corresponds to a packet
§ It displays information such as the ID, the source, destination, protocol and others
§ Icons help understand a conversation flow

The packet details panel

§ It shows the details for a specific selected packet
§ It can display additional information enclosed in brackets
§ It also shows links if Wireshark detects a link with another packet

The packet bytes panel

§ Shows the dump of the packet
§ More than one page may be available
§ In case Wireshark has reassembled more than one packet together

Capturing live network data

§ Capturing live network data is one of the core components of Wireshark
§ Can capture from different network interfaces
§ Triggers to stop capturing data (elapsed time, number of packets, ...)
§ Live display of packet details
§ Live filtering of packets
§ Save packets
§ Can simultaneously capture from different network interfaces

Starting a new capture

Capture Options

§ It is possible to save a capture to a file (or multiple files)
§ Consider using this feature if you plan to work with a heavily congested network
§ Or if you plan to perform a long-term capture

Filename | Create a new file... | Use a ring buffer... | Mode                        | Resulting filename
-        | -                    | -                    | Permanent file              | wiresharkXXXXX
foo.cap  | -                    | -                    | Single named file           | foo.cap
foo.cap  | x                    | -                    | Multiple files, continuous  | foo_00001_20100205110102.cap, foo_00002_20100205110318.cap, ...
foo.cap  | x                    | x                    | Multiple files, ring buffer | foo_00001_20100205110102.cap, foo_00002_20100205110318.cap, ...

Capture filters

§ Wireshark uses the libpcap filter language
§ The general syntax is as follows:

  [not] primitive [and|or [not] primitive ...]

§ Example:

  tcp port 23 and host 10.0.0.5

§ Primitives:
§ [src|dst] host <host>
§ ether [src|dst] host <host>
§ gateway host <host>
§ [src|dst] net <net> [{mask <mask>}|{len <len>}]
§ [tcp|udp] [src|dst] port <port>
§ less|greater <length>
§ ip|ether proto <protocol>
§ ether|ip broadcast|multicast
§ <expr> relop <expr>
§ Capture filters are different from display filters
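To make the filter semantics concrete, here is an added example (not from the slides, and not Wireshark's or libpcap's code) that evaluates the `host` and `port` primitives with `not`/`and`/`or` against a few constructed, already-decoded packets; the packet dicts and the `apply_filter` helper are assumptions of this example.

```python
# Constructed sample packets, one dict per decoded IPv4 TCP/UDP packet (not real traffic).
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.10", "sport": 51000, "dport": 23},
    {"proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5", "sport": 23, "dport": 51000},
    {"proto": "udp", "src": "10.0.0.5", "dst": "8.8.8.8", "sport": 40000, "dport": 53},
    {"proto": "tcp", "src": "10.0.0.7", "dst": "192.168.1.10", "sport": 51001, "dport": 23},
]

def match_primitive(words, pkt):
    """Match '[src|dst] host <host>' or '[tcp|udp] [src|dst] port <port>' (subset only)."""
    w = list(words)
    proto = w.pop(0) if w and w[0] in ("tcp", "udp") else None
    direction = w.pop(0) if w and w[0] in ("src", "dst") else None
    if len(w) != 2 or w[0] not in ("host", "port"):
        raise ValueError("unsupported primitive: " + " ".join(words))
    if proto is not None and pkt["proto"] != proto:
        return False
    # Without a direction qualifier, libpcap matches either source or destination.
    if w[0] == "host":
        fields = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[direction]
        return any(pkt[f] == w[1] for f in fields)
    fields = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[direction]
    return any(pkt[f] == int(w[1]) for f in fields)

def match_term(term, pkt):
    """Apply a leading 'not' (possibly repeated) to one primitive."""
    words = term.split()
    negate = False
    while words and words[0] == "not":
        negate = not negate
        words.pop(0)
    return match_primitive(words, pkt) != negate

def matches(expr, pkt):
    """'[not] primitive [and|or [not] primitive ...]'. As in libpcap, 'and' binds
    tighter than 'or'; parentheses are not supported by this simplified evaluator."""
    return any(all(match_term(t, pkt) for t in clause.split(" and "))
               for clause in expr.split(" or "))

def apply_filter(expr, packets=PACKETS):
    """Return the packets that a capture filter with this expression would keep."""
    return [p for p in packets if matches(expr, p)]
```

The slide's own example, `tcp port 23 and host 10.0.0.5`, keeps both directions of the Telnet conversation with 10.0.0.5 and drops everything else.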

In the remainder of this class

§ We will 99% not work with live captures
§ Live data can change, hence it is difficult to define exercises
§ We will instead work with capture files
§ Pre-captured traces
§ Simply hit File -> Open and select the file
§ Wireshark understands several capture file formats
§ Download the files for this class at: http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip
§ Keep in mind that it is also possible to save your live capture data
§ Useful for questions, appointments

tshark

§ Along with Wireshark, you'll also install tshark
§ Simplifying, Wireshark without GUI
§ Can capture traffic
§ Command line tool which analyzes .pcap files
§ Useful for analyzing large trace data with command line tools
§ Examples:
§ Out of a lot of lines, you want the unique IP addresses
§ After monitoring all the traffic going to port 80, you want the unique source ports
§ You want to convert .pcap data into a human readable format
§ You want to count packets which match a certain expression
§ Outside the scope of this class
§ But knowing how to use it can speed up operations
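The .pcap format tshark reads is simple enough to parse by hand. The following added example (not from the slides, not tshark's code) builds a small constructed capture in memory, decodes its Ethernet/IPv4/TCP/UDP headers, and answers the three questions listed above; `build_pcap`, `parse_pcap` and the sample flows are assumptions of this example.

```python
# Added example: minimal pcap parser (not tshark's code); all sample data is constructed.
import struct
from ipaddress import IPv4Address

def build_pcap(flows):
    """Build a little-endian pcap in memory (constructed test data, not a real capture).
    Each flow is (src_ip, dst_ip, ip_proto, sport, dport); link type 1 = Ethernet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # global header
    for i, (src, dst, proto, sport, dport) in enumerate(flows):
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16   # only the ports matter here
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), i, 0, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
        frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + l4   # Ethernet, type IPv4
        out.append(struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def parse_pcap(data):
    """Yield (src_ip, dst_ip, ip_proto, sport, dport) for every IPv4 TCP/UDP packet."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]  # bytes saved
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if pkt[12:14] != b"\x08\x00":             # EtherType: skip anything but IPv4
            continue
        ihl = (pkt[14] & 0x0F) * 4                # IPv4 header length in bytes
        proto = pkt[23]                           # 6 = TCP, 17 = UDP
        if proto not in (6, 17):
            continue
        sport, dport = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
        yield str(IPv4Address(pkt[26:30])), str(IPv4Address(pkt[30:34])), proto, sport, dport

# Constructed capture: three HTTP requests from two hosts, one DNS query, one HTTP reply.
SAMPLE = build_pcap([
    ("10.0.0.5", "93.184.216.34", 6, 51000, 80), ("10.0.0.5", "93.184.216.34", 6, 51001, 80),
    ("10.0.0.7", "93.184.216.34", 6, 51000, 80), ("10.0.0.5", "8.8.8.8", 17, 40000, 53),
    ("93.184.216.34", "10.0.0.5", 6, 80, 51000),
])

def unique_ips(data):                  # "out of a lot of lines, the unique IP addresses"
    return sorted({ip for s, d, *_ in parse_pcap(data) for ip in (s, d)})

def unique_src_ports_to(data, port):   # "traffic going to port 80: the unique source ports"
    return sorted({sp for _, _, proto, sp, dp in parse_pcap(data) if proto == 6 and dp == port})

def count_matching(data, pred):        # "count packets which match a certain expression"
    return sum(1 for p in parse_pcap(data) if pred(*p))
```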
