![Page 1: Packet Analysis Using Wireshark for Beginners 22AF Lisa Bock Pennsylvania College of Technology Monday October 5, 2015 9:30am - 10:45am Track AF | Level](https://reader036.vdocument.in/reader036/viewer/2022062321/56649e8e5503460f94b92290/html5/thumbnails/1.jpg)
Packet Analysis Using Wireshark for Beginners (22AF)
Lisa Bock
Pennsylvania College of Technology
Monday October 5, 2015 9:30am - 10:45am
Track AF | Level 1 | Atlantic VI
![Page 2: Packet Analysis Using Wireshark for Beginners 22AF Lisa Bock Pennsylvania College of Technology Monday October 5, 2015 9:30am - 10:45am Track AF | Level](https://reader036.vdocument.in/reader036/viewer/2022062321/56649e8e5503460f94b92290/html5/thumbnails/2.jpg)
Learning Objectives
• Understand traffic capture and analysis
• Layers and encapsulation
• Explore the Wireshark interface
• Examine common protocols
  – TCP, UDP, DNS, FTP, and HTTP
UNDERSTAND TRAFFIC CAPTURE AND ANALYSIS
Overview of Packet Analysis
• Packet analysis uses a packet sniffer
• Monitor and troubleshoot network traffic
• As data flows across the network
  – The sniffer captures each packet and decodes the packet's raw bits
  – It shows the field values in the packet according to the appropriate RFC or other specification
Uses for Packet Analysis
• Analyze network problems
• Detect intrusion attempts
• Identify network misuse
• Content monitoring
• Assess bandwidth utilization
• Verify endpoint security status
• Gather network statistics
Common Packet Analyzers
• Cain and Abel
• Carnivore – now NarusInsight
• dSniff
• ettercap
• Ngrep
• OmniPeek
• Snoop
• Tcpdump
Carnivore
Packet Capture
• What you see depends on where you capture
• On a switch
  – A switch forwards unicast frames only to the port that owns the destination MAC address, so a sniffer on an ordinary access port sees only the traffic going to and from the capture device itself, plus broadcast and multicast
http://wiki.wireshark.org/CaptureSetup/Ethernet
Packet Capture
• Traffic on a wired switch
  – Unicast, broadcast, or multicast; an access port normally receives only broadcast, multicast, and its own unicast
• To see all traffic
  – Port monitoring or SPAN (mirror the ports or VLAN of interest to the capture port; a busy SPAN session can drop frames when the mirrored traffic exceeds the capture port's capacity)
  – Use a full duplex tap in line with the traffic (sees every frame on the link, including errored ones a SPAN port would discard)
http://wiki.wireshark.org/CaptureSetup/Ethernet
LAYERS AND ENCAPSULATION
The OSI Model
To understand packet analysis you must understand the encapsulation process
The OSI Model
• A seven-layer representation
• Shows how data changes as each layer provides services to the next layer
  – Data encapsulates (headers added on the way down the stack)
  – Data de-encapsulates (headers removed on the way up)
The OSI Model
Each layer has its own protocol data unit (PDU) and, where it applies, its own addressing:
  Layers 7-5 (Application, Presentation, Session): Data
  Layer 4 (Transport): Segment, addressed by Port
  Layer 3 (Network): Packet, addressed by IP Address
  Layer 2 (Data Link): Frame, addressed by MAC
  Layer 1 (Physical): Bits
EXPLORE THE WIRESHARK INTERFACE
Wireshark
• The tool for this lab is Wireshark
• Download and install Wireshark
  – Install WinPcap if you are using Windows (the capture driver bundled with the 2015 installer; current Windows installers ship Npcap instead)
http://www.wireshark.org
Wireshark
• For a live capture
  – Launch Wireshark
  – Go to Capture -> Interfaces
  – Click the name of an interface
  – Start capturing packets on that interface
Wireshark
• Configure advanced features by clicking Options
• Select the interface with active packet exchange
• Checkmark the interface you want to capture
The OSI Model
• In Wireshark, select any HTTP frame and the details pane shows the encapsulation from layer 2 up to layer 7
  – Ethernet: Frame (layer 2)
  – Internet Protocol: Packet (layer 3)
  – Transmission Control Protocol: Segment (layer 4)
  – Hypertext Transfer Protocol: Data (layer 7; HTTP carries no separate session or presentation headers, so layers 5 and 6 do not appear as lines of their own)
For a review go to http://wiki.wireshark.org/Ethernet
Help in Wireshark
Easily find help in Wireshark: the Help menu links to the user guide, the wiki, and the Sample Captures page
Capture Packets
• We will use pre-captured packets
• Review normal traffic
Capture Packets
• Once you open a capture you will see three panes:
  – Top: packet list of all of the packets received during the capture session
  – Middle: details of a single frame, decoded layer by layer
  – Bottom: the raw bytes of a single frame
EXAMINE COMMON PROTOCOLS - TCP
A TCP Example
• Normal traffic
• Three-way handshake: packets 1, 2, 3 (SYN, SYN/ACK, ACK)
• Review
  – Port numbers
  – Flags
  – SEQ and ACK numbers (Wireshark shows relative values by default; the server's SYN/ACK acknowledges the client's initial sequence number + 1)
  – Stream index (tcp.stream; both directions of one conversation share the same index)
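To make the handshake and the encapsulation concrete, here is an added example that is not from the slides or from Wireshark itself. It builds a few Ethernet/IPv4/TCP frames in memory (every MAC address, IP address, port, and sequence number is made up), then decodes them bottom-up the way the details pane does, numbers the conversations like the tcp.stream field, and checks that packets 1, 2, 3 really form a handshake by verifying the SEQ/ACK arithmetic rather than just the flags.

```python
import struct

# Constructed sample traffic (not a real capture): a TCP three-way handshake, the first
# data segment, and a SYN from a second client port so that a second stream index appears.
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")
CLIENT_IP = bytes([10, 0, 0, 5])
SERVER_IP = bytes([10, 0, 0, 9])

FLAG_SYN, FLAG_ACK, FLAG_PSH = 0x02, 0x10, 0x08
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Encapsulate top-down: payload -> TCP segment -> IPv4 packet -> Ethernet frame."""
    # TCP header: data offset 5 words (20 bytes, no options), window 65535, checksum left 0
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    # IPv4 header: version 4 / IHL 5, TOS, total length, id, flags+frag, TTL, protocol 6 = TCP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src_ip, dst_ip) + tcp
    # Ethernet II header: dst MAC, src MAC, EtherType 0x0800 = IPv4
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip


def decode_frame(frame):
    """De-encapsulate bottom-up, the order Wireshark's detail pane lists the layers in."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 + TCP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: EtherType 0x%04x" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes, options included
    total_len = struct.unpack("!H", ip[2:4])[0]   # trims any Ethernet padding after the packet
    if ip[9] != 6:
        raise ValueError("not TCP: IP protocol %d" % ip[9])
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4              # TCP header length; payload starts after it
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": {name for bit, name in TCP_FLAG_NAMES.items() if off_flags & bit},
        "payload": tcp[data_off:],
    }


def assign_stream_indexes(packets):
    """Number each conversation like tcp.stream: both directions map to the same key."""
    seen = {}
    for p in packets:
        key = tuple(sorted([(p["src_ip"], p["sport"]), (p["dst_ip"], p["dport"])]))
        p["stream"] = seen.setdefault(key, len(seen))
    return packets


def is_three_way_handshake(p1, p2, p3):
    """SYN, SYN/ACK, ACK whose acknowledgement numbers match the peer's ISN + 1."""
    m = 0xFFFFFFFF
    return (p1["flags"] == {"SYN"} and p2["flags"] == {"SYN", "ACK"} and p3["flags"] == {"ACK"}
            and p2["ack"] == (p1["seq"] + 1) & m
            and p3["seq"] == (p1["seq"] + 1) & m
            and p3["ack"] == (p2["seq"] + 1) & m)


SAMPLE_FRAMES = [
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 49152, 80, 1000, 0, FLAG_SYN),
    build_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 49152, 5000, 1001, FLAG_SYN | FLAG_ACK),
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 49152, 80, 1001, 5001, FLAG_ACK),
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 49152, 80, 1001, 5001, FLAG_PSH | FLAG_ACK,
                b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 49153, 80, 7000, 0, FLAG_SYN),
]


def analyze(frames):
    return assign_stream_indexes([decode_frame(f) for f in frames])


if __name__ == "__main__":
    packets = analyze(SAMPLE_FRAMES)
    for i, p in enumerate(packets, 1):
        print(i, "stream", p["stream"], f'{p["src_ip"]}:{p["sport"]} -> {p["dst_ip"]}:{p["dport"]}',
              sorted(p["flags"]), "seq", p["seq"], "ack", p["ack"], "len", len(p["payload"]))
    print("packets 1-3 are a handshake:", is_three_way_handshake(*packets[:3]))
```

The ACK check matters more than the flag check: a SYN/ACK whose acknowledgement number does not equal the client's ISN + 1 belongs to some other conversation (or to a spoofed reply), which is exactly what the absolute sequence numbers hide and the relative ones in Wireshark make obvious.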
EXAMINE COMMON PROTOCOLS - UDP
UDP Example
• Connectionless Transport Layer service
• No handshake, sequencing or acknowledgement
• Fewer protocol-level problems to troubleshoot than TCP: there is no connection state to go wrong, but lost or reordered datagrams are left to the application, so UDP trouble shows up as missing replies rather than as retransmissions
UDP Applications
• Commonly used in video streaming and time-sensitive applications
  – Domain Name System (DNS)
  – Routing Information Protocol (RIP)
  – Voice over IP (VoIP)
  – Trivial File Transfer Protocol (TFTP)
  – Dynamic Host Configuration Protocol (DHCP)
EXAMINE COMMON PROTOCOLS - DNS
DNS
• DNS is essential to any network
• Converts host names (google.com) to an IP address (72.14.204.103)
• Client sends a query to the DNS server for an IP address
• Server responds with the information
  – Or asks other DNS servers for the information (recursion)
DNS
• Transfers name information between DNS servers
  – DNS uses TCP for a zone transfer (AXFR); ordinary queries use UDP port 53 and retry over TCP when a response is too large and comes back truncated (TC flag set)
• Looks up other record types as well, such as mail exchange (MX) records
DNS
• Every DNS message has a 12-byte header followed by four (4) sections:
  – Questions
  – Answer Resource Records
  – Authority Resource Records
  – Additional Resource Records
DNS Packet Structure - Flags
If RD (recursion desired) is set by the client, it directs the name server to pursue the query recursively; the server sets RA (recursion available) in its response if it is willing to do so. QR distinguishes a query (0) from a response (1), and RCODE reports the outcome (0 = no error, 3 = the name does not exist).
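The following is an added example, not from the slides or from Wireshark, that parses the DNS message layout described above: the 12-byte header with its flag bits, then the question, answer, authority and additional sections. It builds its own query and response for google.com (the 72.14.204.103 answer is the slide's example address; the transaction ID, TTL and name-compression layout are made up) and also rejects a message whose compression pointer refers to itself, the kind of malformed record that a dissector must not loop on.

```python
import struct


def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def _read_name(msg, offset, depth=0):
    """Decode a name at offset, following RFC 1035 compression pointers; return (name, next offset)."""
    if depth > 16:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # two-byte pointer: 11xxxxxx xxxxxxxx
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:                  # a valid pointer only refers backwards
                raise ValueError("forward or self-referencing compression pointer")
            tail, _ = _read_name(msg, pointer, depth + 1)
            labels.append(tail)
            return ".".join(l for l in labels if l), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns(msg):
    """Return the header flags and the four sections of one DNS message."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    header = {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,        # authoritative answer
        "tc": (flags >> 9) & 1,         # truncated: client should retry over TCP
        "rd": (flags >> 8) & 1,         # recursion desired (set by the client)
        "ra": (flags >> 7) & 1,         # recursion available (set by the server)
        "rcode": flags & 0xF,           # 0 = NOERROR, 3 = NXDOMAIN
    }
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = _read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    result = {"header": header, "question": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, offset = _read_name(msg, offset)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            rdata = msg[offset:offset + rdlen]
            offset += rdlen
            if rtype == 1 and rdlen == 4:          # A record: render the IPv4 address
                rdata = ".".join(str(b) for b in rdata)
            records.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata})
        result[section] = records
    return result


def is_malformed(msg):
    """True when the message cannot be parsed (bad pointer, truncated record, short header)."""
    try:
        parse_dns(msg)
        return False
    except (ValueError, IndexError, struct.error):
        return True


def build_query(ident, name, rd=True):
    flags = 0x0100 if rd else 0                    # QR=0, opcode 0, RD bit
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query, ip, ttl=300):
    """Answer an A query: copy ID and RD, set QR and RA, point the answer name at the question."""
    ident, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | 0x0080
    question = query[12:]
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0) + question + answer


# Constructed sample messages (not captured traffic); transaction ID chosen arbitrarily.
SAMPLE_QUERY = build_query(0x1A2B, "google.com")
SAMPLE_RESPONSE = build_response(SAMPLE_QUERY, "72.14.204.103")
# One question whose name is a pointer to its own offset (12): must be rejected, not followed.
LOOPING_MESSAGE = struct.pack("!HHHHHH", 1, 0, 1, 0, 0, 0) + b"\xC0\x0C" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    for label, msg in (("query", SAMPLE_QUERY), ("response", SAMPLE_RESPONSE)):
        print(label, parse_dns(msg))
    print("looping message malformed:", is_malformed(LOOPING_MESSAGE))
```

The "pointer must refer backwards" rule is what keeps the name decoder from spinning on a crafted packet; any parser you write for a protocol with self-referential encodings needs an equivalent bound.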
EXAMINE COMMON PROTOCOLS - FTP
FTP – Grab a Pic
• Purpose of FTP is to transfer files over TCP
• Uses two connections: a command channel and a data channel
  – The command channel is the client's connection to the FTP server on port 21; commands and replies, including the USER and PASS login, cross it in clear text
  – To transfer data like directory contents or files, a separate data connection is opened
  – In active mode the server connects back to the client from port 20; in passive mode (PASV) the client connects to a high-numbered port the server announces, so do not assume port 20 when filtering
Reassemble the Streams
• Wireshark can reassemble a TCP stream and recover its content if the data is not encrypted
• Filter on ftp-data traffic
• Right-click a packet in TCP stream 74, choose Follow TCP Stream, show the data as Raw, and click Save As, naming the file mystery.jpg
• Go to where you saved the file and open it!
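What Follow TCP Stream does for you is put the segments back in sequence order, drop retransmitted bytes, and hand you the payload as one blob. The added example below (not from the slides or from Wireshark) does the same by hand for one direction of an ftp-data stream and then carves the JPEG out of the result by its start-of-image and end-of-image markers. It assumes the segments have already been pulled out of the capture as (sequence number, payload) pairs; the "picture" is a constructed byte string that only has JPEG markers in the right places, and the sequence numbers are made up so that the 32-bit counter wraps part-way through the transfer.

```python
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker followed by the first segment marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def reassemble(segments, first_seq):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.

    first_seq is the sequence number of the first data byte (ISN + 1, because the SYN
    consumes one sequence number). Out-of-order delivery, duplicate retransmissions,
    partial overlaps and 32-bit wrap-around are all handled; a hole raises ValueError."""
    data = bytearray()
    ordered = sorted(((seq - first_seq) & 0xFFFFFFFF, payload) for seq, payload in segments)
    for rel, payload in ordered:
        end = rel + len(payload)
        if end <= len(data):
            continue                                  # pure retransmission: nothing new
        if rel > len(data):
            raise ValueError("hole of %d bytes before relative seq %d" % (rel - len(data), rel))
        data += payload[len(data) - rel:]             # overlap: keep only the unseen tail
    return bytes(data)


def has_gap(segments, first_seq):
    """True when the capture is missing part of the stream (a dropped or unmirrored segment)."""
    try:
        reassemble(segments, first_seq)
        return False
    except ValueError:
        return True


def carve_jpeg(blob):
    """Return the first SOI..EOI span, or None if there is no complete JPEG in the blob."""
    start = blob.find(JPEG_SOI)
    if start < 0:
        return None
    end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
    if end < 0:
        return None
    return blob[start:end + len(JPEG_EOI)]


def extract_file(segments, first_seq):
    return carve_jpeg(reassemble(segments, first_seq))


# Constructed sample (not a real capture): a JPEG-shaped byte string delivered as segments
# in scrambled order, with one full retransmission and one partially overlapping segment.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 2 + JPEG_EOI
FIRST_SEQ = 0xFFFFFF80                                # wraps past 2**32 during the transfer
SAMPLE_CHUNKS = [((FIRST_SEQ + i) & 0xFFFFFFFF, FAKE_JPEG[i:i + 150])
                 for i in range(0, len(FAKE_JPEG), 150)]
SAMPLE_SEGMENTS = [
    SAMPLE_CHUNKS[2],
    SAMPLE_CHUNKS[0],
    ((FIRST_SEQ + 100) & 0xFFFFFFFF, FAKE_JPEG[100:200]),   # overlaps chunks 0 and 1
    SAMPLE_CHUNKS[1],
    SAMPLE_CHUNKS[0],                                        # retransmission
    SAMPLE_CHUNKS[3],
]

if __name__ == "__main__":
    picture = extract_file(SAMPLE_SEGMENTS, FIRST_SEQ)
    with open("mystery.jpg", "wb") as fh:
        fh.write(picture)
    print("wrote mystery.jpg,", len(picture), "bytes")
```

If has_gap reports a hole, the saved file will be corrupt no matter how it is carved; that is the case to suspect when a SPAN port was oversubscribed during the capture.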
EXAMINE COMMON PROTOCOLS - HTTP
HTTP 1.1
Hypertext Transfer Protocol
• Actors in a Web interaction
  – HTML
  – HTTP
  – Browser and the Web Server
• HTTP is a stateless protocol
• Two types of HTTP messages
  – Request and response
Hypertext Transfer Protocol
• A Web page consists of objects, each identified by a URL or URI
• Request message
  – Request line (method such as GET or POST, target, version)
  – Header fields with additional information about the request
  – Data (the body, for POST)
• Response message
  – Status code line
  – Header fields
  – Data
HTTP Response Status Codes
• 1xx: Informational
• 2xx: Success
• 3xx: Redirection
• 4xx: Client Error
• 5xx: Server Error
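To show how the request/response structure and the status classes above look when you read a reassembled stream, here is an added example that is not from the slides or from Wireshark. It takes the conversation as Follow TCP Stream would present it (requests and responses interleaved in one byte string, constructed here with a made-up host name and form field) and splits it into messages, using the Content-Length header to find where each body ends. It assumes Content-Length framing only; chunked transfer encoding is not handled.

```python
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection", 4: "Client Error", 5: "Server Error"}


def status_class(code):
    """Map a numeric status to its class by the hundreds digit."""
    return STATUS_CLASSES.get(code // 100, "Unknown")


def parse_http_messages(stream):
    """Split a Follow-TCP-Stream style byte string into HTTP/1.x request and response messages.

    Framing assumption: every body is delimited by Content-Length (no chunked encoding)."""
    messages = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)          # blank line ends the header block
        if head_end < 0:
            raise ValueError("incomplete header block at offset %d" % pos)
        lines = stream[pos:head_end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed header line: %r" % line)
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        body = stream[body_start:body_start + length]
        if len(body) < length:
            raise ValueError("body truncated: expected %d bytes" % length)
        pos = body_start + length                         # next message starts right after the body
        start = lines[0]
        if start.startswith("HTTP/"):                     # status line: version, code, reason
            parts = start.split(" ", 2) + [""]
            code = int(parts[1])
            messages.append({"kind": "response", "version": parts[0], "status": code,
                             "class": status_class(code), "reason": parts[2],
                             "headers": headers, "body": body})
        else:                                             # request line: method, target, version
            method, target, version = start.split(" ")
            messages.append({"kind": "request", "method": method, "target": target,
                             "version": version, "headers": headers, "body": body})
    return messages


# Constructed sample conversation (not captured traffic) on one persistent HTTP/1.1 connection.
SAMPLE_STREAM = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: demo\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 18\r\n\r\n<html>hello</html>"
    b"POST /login HTTP/1.1\r\nHost: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 9\r\n\r\nuser=lisa"
    b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for m in parse_http_messages(SAMPLE_STREAM):
        if m["kind"] == "request":
            print("request ", m["method"], m["target"], "body:", m["body"])
        else:
            print("response", m["status"], m["class"], "body:", m["body"])
```

Note that the POST body (user=lisa) is readable straight out of the stream: this is the same clear-text exposure the FTP exercise relies on, and the reason credentials sent over plain HTTP are considered captured the moment someone is on the path.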
QUESTIONS?
More Resources
• For more Packet Captures go to http://www.netresec.com/?page=PcapFiles
• Wireshark Network Analysis, by Laura Chappell, Chappell University
• Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders, No Starch Press
• Article on using Wireshark to troubleshoot Rational problems
On IBMi
• Install the QSPTLIB library, which is available as a save file PTF
  – V5R2M0 - SE06946
  – V5R3M0 - SE16633
  – V5R4M0 - SE24152
  – V6R1M0 - SE32507
  – V7R1M0 - SE45610
• Use a binary FTP transfer to load the save file onto the IBMi system
On IBMi
• Restore the library
  – RSTLIB SAVLIB(QSPTLIB) DEV(*SAVF) SAVF(QGPL/QSE45610)
• Run the Trace Connection command (the x's are the IP address of the remote system)
  – TRCCNN SET(*ON) TRCTYPE(*IP) TRCTBL(TRCCNNIP) SIZE(998000) TCPDTA(*N () () *N 'xxx.xxx.xxx.xxx')
On IBMi
• Turn off tracing
  – TRCCNN SET(*OFF) TRCTBL(TRCCNNIP) CCSID(*ASCII)
• Output is a spooled file called QSYSPRT
• Run the following to access the support tools menu:
  – ADDLIBLE QSPTLIB
  – SPT
On IBMi
• Option 12 displays the Communications Trace menu
• Option 15 converts the spooled trace to a CAP file
  – CVTTRCCNN SPLF(QSYSPRT * *LAST) OUTF('/lisa_traces/mystery-trace.cap')
• Copy the file out to a machine running Wireshark
Lynda.com
• See my course on Lynda.com!
• Troubleshooting your Network with Wireshark