Wireshark and TCP/IP Basics - ACM SIG-Security, Lance Pendergrass

Post on 23-Dec-2015


Network Concepts

Protocol - set of rules and procedures agreed upon for communication

Ex: USPS mailing network
• Letter contained in envelope
• Standard Source/Destination Address Format
• Postage Based on Package Weight
• Packaging -> Addressing -> Payment -> Sending

Network Packets are like small digital envelopes

OSI Model

Every layer adds/interprets additional information

TCP/IP Protocol Stack

Transport Layer Protocols

Transmission Control Protocol
• Provides reliable data flow control
• Stateful - connection established first
• 3-Way Handshake
• Sequencing
• Checksums
• Src/Dest Ports
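The four TCP points above (handshake, sequencing, checksums, ports) are easiest to see on bytes. The following added example, written for this page and not part of the original slides, builds a constructed three-segment handshake between the made-up hosts 10.0.0.1 and 10.0.0.2, decodes the fixed 20-byte header, verifies the RFC 1071 checksum over the IPv4 pseudo-header, and checks that the flags and sequence/acknowledgement numbers really form SYN, SYN/ACK, ACK. All addresses, ports and sequence numbers are sample values.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4, TCP, UDP and ICMP."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP's checksum covers a pseudo-header (addresses, zero, protocol 6, length) plus the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return inet_checksum(pseudo + segment)

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (options are skipped, not interpreted)."""
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4       # data offset is in 32-bit words
    flags = {name for name, bit in FLAG_BITS.items() if off_flags & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "checksum": csum, "payload": segment[header_len:]}

def verify_tcp(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """With a correct checksum in place, the one's-complement sum of the whole segment is zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0

def build_segment(sport, dport, seq, ack, flags, src_ip, dst_ip, payload=b"") -> bytes:
    """Construct a segment with a valid checksum; used here only to make sample traffic."""
    off_flags = (5 << 12) | sum(FLAG_BITS[f] for f in flags)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload

def is_three_way_handshake(segments: list) -> bool:
    """True when the three segments are SYN, SYN/ACK, ACK with consistent sequence numbers."""
    if len(segments) != 3:
        return False
    syn, synack, ack = (parse_tcp(s) for s in segments)
    return (syn["flags"] == {"SYN"}
            and synack["flags"] == {"SYN", "ACK"} and synack["ack"] == syn["seq"] + 1
            and ack["flags"] == {"ACK"} and ack["seq"] == syn["seq"] + 1
            and ack["ack"] == synack["seq"] + 1)

# Constructed sample: a client at 10.0.0.1 opening a connection to 10.0.0.2:80 (not captured traffic).
CLIENT, SERVER = socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")
HANDSHAKE = [
    build_segment(40000, 80, 1000, 0, {"SYN"}, CLIENT, SERVER),
    build_segment(80, 40000, 5000, 1001, {"SYN", "ACK"}, SERVER, CLIENT),
    build_segment(40000, 80, 1001, 5001, {"ACK"}, CLIENT, SERVER),
]
DIRECTIONS = [(CLIENT, SERVER), (SERVER, CLIENT), (CLIENT, SERVER)]

def handshake_is_valid() -> bool:
    """Every checksum verifies and the flags/sequence numbers form a handshake."""
    return (all(verify_tcp(s, d, seg) for (s, d), seg in zip(DIRECTIONS, HANDSHAKE))
            and is_three_way_handshake(HANDSHAKE))

if __name__ == "__main__":
    for seg in HANDSHAKE:
        p = parse_tcp(seg)
        print(p["sport"], "->", p["dport"], sorted(p["flags"]), "seq", p["seq"], "ack", p["ack"])
    print("handshake valid:", handshake_is_valid())
```

Wireshark performs the same pseudo-header computation when TCP checksum validation is enabled; on a capture taken from the sending host, checksums often show as wrong only because the NIC fills them in after the capture point (checksum offload), which is why validation is off by default.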

Transport Layer Protocols

User Datagram Protocol
• Stateless connection
• No guarantee of delivery
• Low overhead
• Good for simple query & response, streaming
• Used by: DHCP, DNS, streaming, VoIP

Internet Layer Protocols

Internet Protocol (IPv4)
• Encapsulates Data Payload
• Defines node addressing
• Routes packets from source to destination

Address Resolution Protocol (ARP)
• Resolves IP address into Ethernet address

Internet Control Message Protocol (ICMP)
• Diagnostic and error messaging

Common Application Protocols

• HyperText Transfer Protocol
• Domain Name System
• File Transfer Protocol
• Secure SHell
• Simple Mail Transfer Protocol

IP Addresses

Used to identify network and host interface

IPv4
• 32-bit address comprised of 4 binary octets
• Dec Representation: 172.16.254.1
• Subnet Masks

IPv6
• 128-bit address comprised of 8 16-bit fields
• ex: 2001:0db8:0:1234:0:567:8:1
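The IPv4 and IPv6 slides above describe notation; the arithmetic behind it (dotted decimal as one 32-bit number, a subnet mask as a contiguous run of one bits, "::" as a run of zero fields) is shown in this added example. It is not part of the original slides. It reuses the two addresses from the slides, 172.16.254.1 and 2001:0db8:0:1234:0:567:8:1, and cross-checks the hand-written IPv6 expansion against Python's standard `ipaddress` module.

```python
import ipaddress

def ipv4_to_int(dotted: str) -> int:
    """Parse dotted decimal into the 32-bit value the IP header actually carries."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {octet}")
        value = (value << 8) | n
    return value

def int_to_ipv4(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def mask_to_prefix(mask: str) -> int:
    """Accept only contiguous masks; 255.255.0.255 is not a valid subnet mask."""
    value = ipv4_to_int(mask)
    prefix = bin(value).count("1")
    if prefix_to_mask(prefix) != value:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix

def subnet_info(cidr: str) -> dict:
    """Network, broadcast, mask and classic usable-host count for an address in CIDR form."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = prefix_to_mask(prefix)
    network = ipv4_to_int(addr) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    # Classic count (network and broadcast excluded); /31 point-to-point links (RFC 3021) differ.
    usable = max(2 ** (32 - prefix) - 2, 0)
    return {"network": int_to_ipv4(network), "broadcast": int_to_ipv4(broadcast),
            "mask": int_to_ipv4(mask), "usable_hosts": usable}

def same_subnet(a: str, b: str, mask: str) -> bool:
    """Two hosts talk directly (ARP, no router) only when the masked network parts match."""
    m = ipv4_to_int(mask)
    return ipv4_to_int(a) & m == ipv4_to_int(b) & m

def expand_ipv6(addr: str) -> str:
    """Undo '::' and leading-zero compression: always 8 fields of 4 hex digits."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field")
        fields = head + ["0"] * missing + tail
    else:
        fields = addr.split(":")
    if len(fields) != 8 or any(len(f) > 4 for f in fields):
        raise ValueError(f"malformed IPv6 address: {addr!r}")
    return ":".join(f"{int(f, 16):04x}" for f in fields)

def matches_stdlib(addr: str) -> bool:
    """Cross-check the hand-written expansion against the standard library's canonical form."""
    return expand_ipv6(addr) == ipaddress.IPv6Address(addr).exploded

if __name__ == "__main__":
    print(hex(ipv4_to_int("172.16.254.1")), subnet_info("172.16.254.1/24"))
    print(expand_ipv6("2001:0db8:0:1234:0:567:8:1"), matches_stdlib("2001:0db8:0:1234:0:567:8:1"))
```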

Wireshark

• Open Source Packet Analyzer
• Places interface in Promiscuous Mode
• Ability to parse most common protocols
• Support for filters, graphing, plugins, etc.

Traffic can be captured via: Switch Port Mirroring, ARP Cache Poisoning, UTM Router, LAN Tap
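ARP appears twice on this page: as the protocol that maps an IP address to an Ethernet address, and as a way traffic gets redirected to a capturing host (ARP cache poisoning). From the defender's side, the observable symptom is the same thing Wireshark flags with "duplicate use of IP address detected": one IP announced by two different MACs, often in replies nobody asked for. This added example (not part of the original slides) builds constructed Ethernet/ARP frames for a made-up 192.168.1.0/24 segment, parses them, and reports both conditions; all MAC addresses are locally administered sample values.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def ip_bytes(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))

def build_arp_frame(oper: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Ethernet II frame carrying an ARP packet (oper 1 = request, 2 = reply). Sample data only."""
    eth_dst = tha if oper == 2 else b"\xff" * 6          # requests go to the broadcast address
    ethernet = struct.pack("!6s6sH", eth_dst, sha, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)
    return ethernet + arp

def parse_arp_frame(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if the frame is not ARP."""
    if len(frame) < 42:
        return None
    _, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

def audit_arp(frames):
    """Flag IPs claimed by more than one MAC, and replies for which no matching request was seen."""
    claims = defaultdict(set)        # IP -> MACs that announced themselves as its owner
    pending = set()                  # (asker IP, asked-for IP) from requests not yet answered
    unsolicited = []
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp is None:
            continue
        claims[arp["spa"]].add(arp["sha"])           # requests and replies both carry a sender mapping
        if arp["oper"] == 1:
            pending.add((arp["spa"], arp["tpa"]))
        elif arp["oper"] == 2:
            if (arp["tpa"], arp["spa"]) in pending:
                pending.discard((arp["tpa"], arp["spa"]))  # one answer consumes the request
            else:
                unsolicited.append(arp)
    conflicts = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    return conflicts, unsolicited

# Constructed sample segment: a host asks for the gateway, the gateway answers,
# then a second MAC also claims the gateway address without being asked.
GATEWAY_IP, HOST_IP = "192.168.1.1", "192.168.1.10"
GATEWAY_MAC, HOST_MAC, SECOND_MAC = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:99"
ZERO_MAC = "00:00:00:00:00:00"

SAMPLE_FRAMES = [
    build_arp_frame(1, mac_bytes(HOST_MAC), ip_bytes(HOST_IP), mac_bytes(ZERO_MAC), ip_bytes(GATEWAY_IP)),
    build_arp_frame(2, mac_bytes(GATEWAY_MAC), ip_bytes(GATEWAY_IP), mac_bytes(HOST_MAC), ip_bytes(HOST_IP)),
    build_arp_frame(2, mac_bytes(SECOND_MAC), ip_bytes(GATEWAY_IP), mac_bytes(HOST_MAC), ip_bytes(HOST_IP)),
    b"\xff" * 6 + mac_bytes(HOST_MAC) + b"\x08\x00" + b"\x00" * 28,   # an IPv4 frame; ignored by the audit
]

if __name__ == "__main__":
    conflicts, unsolicited = audit_arp(SAMPLE_FRAMES)
    print("IPs with more than one MAC:", conflicts)
    print("unsolicited replies:", [(a["spa"], a["sha"]) for a in unsolicited])
```

Static ARP entries for the gateway on critical hosts, dynamic ARP inspection on managed switches, and alerting on exactly this one-IP-many-MACs condition are the usual mitigations for the capture technique the slide lists.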

Demo

• Capture Interfaces
• Filtering by Address
• Following Streams: Sender vs Receiver
• Extracting Files
• Statistics
  – Protocol Hierarchy for traffic usage
  – Endpoints for host Tx/Rx bytes
  – Conversations for traffic flows
  – IO Graph usage, exporting images
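The Statistics menu items in the demo list are aggregations over per-packet summaries, and knowing exactly what each one sums makes the numbers easier to trust. This added example, written for this page and not part of the slides or of Wireshark, reproduces the address filter, Endpoints, Conversations and Protocol Hierarchy views over a small constructed packet list (the shape a dissector would report; the addresses are from the RFC 5737 documentation ranges, and the field names are this example's own).

```python
from collections import defaultdict

# Constructed packet summaries: a DNS lookup, a short HTTP exchange, and one ICMP message.
PACKETS = [
    {"src": "10.0.0.5", "dst": "192.0.2.53", "proto": "udp", "sport": 53000, "dport": 53, "app": "dns", "len": 74},
    {"src": "192.0.2.53", "dst": "10.0.0.5", "proto": "udp", "sport": 53, "dport": 53000, "app": "dns", "len": 90},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "proto": "tcp", "sport": 40000, "dport": 80, "app": None, "len": 74},
    {"src": "203.0.113.10", "dst": "10.0.0.5", "proto": "tcp", "sport": 80, "dport": 40000, "app": None, "len": 74},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "proto": "tcp", "sport": 40000, "dport": 80, "app": "http", "len": 200},
    {"src": "203.0.113.10", "dst": "10.0.0.5", "proto": "tcp", "sport": 80, "dport": 40000, "app": "http", "len": 1500},
    {"src": "10.0.0.7", "dst": "10.0.0.5", "proto": "icmp", "sport": None, "dport": None, "app": None, "len": 98},
]

def filter_by_address(packets, addr):
    """Same selection as the display filter ip.addr == addr: the address may be source or destination."""
    return [p for p in packets if addr in (p["src"], p["dst"])]

def endpoints(packets):
    """Per-host Tx/Rx packet and byte counts, as in Statistics > Endpoints."""
    stats = defaultdict(lambda: {"tx_pkts": 0, "tx_bytes": 0, "rx_pkts": 0, "rx_bytes": 0})
    for p in packets:
        stats[p["src"]]["tx_pkts"] += 1
        stats[p["src"]]["tx_bytes"] += p["len"]
        stats[p["dst"]]["rx_pkts"] += 1
        stats[p["dst"]]["rx_bytes"] += p["len"]
    return dict(stats)

def conversation_key(p):
    """Order the two endpoints so both directions of a flow map to one key."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    a, b = sorted((a, b), key=lambda e: (e[0], -1 if e[1] is None else e[1]))
    return (p["proto"], a, b)

def conversations(packets):
    """Bidirectional flows with per-direction byte counts, as in Statistics > Conversations."""
    flows = defaultdict(lambda: {"pkts": 0, "bytes": 0, "a_to_b_bytes": 0, "b_to_a_bytes": 0})
    for p in packets:
        key = conversation_key(p)
        flow = flows[key]
        flow["pkts"] += 1
        flow["bytes"] += p["len"]
        if (p["src"], p["sport"]) == key[1]:
            flow["a_to_b_bytes"] += p["len"]
        else:
            flow["b_to_a_bytes"] += p["len"]
    return dict(flows)

def protocol_hierarchy(packets):
    """Packet and byte totals for every layer prefix (eth, eth:ip, eth:ip:tcp, eth:ip:tcp:http, ...)."""
    totals = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for p in packets:
        layers = ["eth", "ip", p["proto"]] + ([p["app"]] if p["app"] else [])
        for depth in range(1, len(layers) + 1):
            node = totals[":".join(layers[:depth])]
            node["pkts"] += 1
            node["bytes"] += p["len"]
    return dict(totals)

if __name__ == "__main__":
    print("packets to/from 192.0.2.53:", len(filter_by_address(PACKETS, "192.0.2.53")))
    for host, s in endpoints(PACKETS).items():
        print(f"{host:14} tx {s['tx_bytes']:5} B  rx {s['rx_bytes']:5} B")
    for key, f in conversations(PACKETS).items():
        print(key, f)
    for path, t in sorted(protocol_hierarchy(PACKETS).items()):
        print(f"{path:18} {t['pkts']} pkts {t['bytes']} B")
```

A detail worth noticing in the output: the bytes of the HTTP conversation are heavily asymmetric (the client sends 274 bytes, the server 1574), which is why the Conversations view, not Endpoints, is the place to spot a host that is uploading far more than it downloads.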