Networks
Computer Network
Lab - Introduction to Network Sniffing
Text:
The Complete Reference: Network Security, Bragg, Rhodes-Ousley, Strassberg
Chapter 9
Objectives:
The student should be able to:
· Interpret output for ARP, IP, TCP, UDP, ICMP on a sniffer: Wireshark.
Class Time:
Lecture:
Lab: 1.5 hours
Summary of Networks & Protocols
Protocol Layers of the Internet Stack:
Application:
· SMTP: Simple Mail Transfer Protocol (Email): 25
· HTTP: HyperText Transfer Protocol (Web): 80
· FTP: File Transfer Protocol: 20/21
· SNMP: Simple Network Management Protocol: 161
· DNS: Domain Name Server: 53
· SSL: Secure Socket Layer: 443
Transport:
· TCP: Transport Control Protocol (End-to-End Error control: Retransmission)
· UDP: User Datagram Protocol (Only Port Addressing)
Network:
· IP: Internet Protocol (Routing)
· ICMP: Internet Control Message Protocol (Reports errors, performs tests for IP)
Medium Access Control (MAC):
· Ethernet Protocol
· ARP: Address Resolution Protocol (Translates IP to MAC addresses)
High-Level Review of Protocols
Transport Control Protocol (TCP)
TCP is responsible for end-to-end retransmission, and reordering of packets received out-of-order.
· Addresses applications via 16-bit Port number
· Performs error control on an end-to-end basis:
· Reorders out-of-sequence segments
· Retransmits segments when acknowledgements are not received
· Performs flow control on an end-to-end basis (using the window)
· Performs congestion control to ensure network is not overwhelmed
Protocol:
TCP is connection-oriented, which means that it must explicitly establish and break down a connection before transmission occurs.
· Establishes a connection
· Sends data
· Each side gracefully disconnects
Windump TCP Data Format:
14:54:55.100898 IP 192.168.0.5.23 > 192.168.0.4.1226: F 1330:1330(0) ack 312 win 17209 (DF)
time prot sourceIP.port > destIP.port: flag begSeq:endSeq(length) ackNr windowSize DF
Where:
Time: Time packet sent/received
Prot: protocol (IP)
SourceIP: Source IP address
DestIP: Destination IP address
Flag: S=SYN, F=FIN, P=PUSH, R=RESET
BegSeq: Beginning Sequence number (byte #)
EndSeq: Ending sequence number (byte #)
Length: Number of bytes
AckNr: Acknowledgment sequence number (=next expected seq #)
WindowSize: Size of empty space in receive buffer (in bytes)
DF: Don’t Fragment
The flags TCP uses within segments include:
S=SYN: Request to establish a connection
P=PUSH: Request from the application to flush (force) transmission of buffered data.
F=FIN: Request to close the connection gracefully
R=RESET: Notification that the connection is being aborted
ack: Contains an ack for previous data
Segments with data in them have a byte count > 0.
Initiate a connection:
SYN -->
<-- SYN,ACK
ACK -->
Windump of establish connection:
14:54:50.191132 IP 192.168.0.4.1226 > 192.168.0.5.23: S 262694098:262694098(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
14:54:50.192200 IP 192.168.0.5.23 > 192.168.0.4.1226: S 116356462:116356462(0) ack 262694099 win 17520 <mss 1460,nop,nop,sackOK> (DF)
14:54:50.192249 IP 192.168.0.4.1226 > 192.168.0.5.23: . ack 1 win 17520 (DF)
Send data:
· Each byte of TCP data has a sequence number associated with it.
· The acknowledgment indicates the sequence number of the byte of data expected next
(PUSH) -->
<-- ACK
Windump of data transmission:
14:54:54.898690 IP 192.168.0.5.23 > 192.168.0.4.1226: P 1300:1315(15) ack 309 win 17212 (DF)
14:54:54.929536 IP 192.168.0.4.1226 > 192.168.0.5.23: P 309:310(1) ack 1315 win 16206 (DF)
Terminate connection:
· Graceful Disconnect: Both sides must disconnect
FIN -->
<-- ACK
<-- FIN
ACK -->
Session Abort:
· Uses Reset
RST -->
Windump of close connection:
14:54:55.100898 IP 192.168.0.5.23 > 192.168.0.4.1226: F 1330:1330(0) ack 312 win 17209 (DF)
14:54:55.100964 IP 192.168.0.4.1226 > 192.168.0.5.23: . ack 1331 win 16191 (DF)
14:54:55.101465 IP 192.168.0.4.1226 > 192.168.0.5.23: F 312:312(0) ack 1331 win 16191 (DF)
14:54:55.102295 IP 192.168.0.5.23 > 192.168.0.4.1226: . ack 313 win 17209 (DF)
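Added example (not from the handout or the textbook): a small Python parser for the windump TCP line format described above, replayed over the handshake, data-transfer and close traces shown in this section. It follows the connection through simplified TCP state names and counts data bytes per direction; the sample lines are copied from the traces above, and the function names are my own.

```python
import re

# Constructed from the windump traces in this section (handshake, data, close)
CAPTURE = """\
14:54:50.191132 IP 192.168.0.4.1226 > 192.168.0.5.23: S 262694098:262694098(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
14:54:50.192200 IP 192.168.0.5.23 > 192.168.0.4.1226: S 116356462:116356462(0) ack 262694099 win 17520 <mss 1460,nop,nop,sackOK> (DF)
14:54:50.192249 IP 192.168.0.4.1226 > 192.168.0.5.23: . ack 1 win 17520 (DF)
14:54:54.898690 IP 192.168.0.5.23 > 192.168.0.4.1226: P 1300:1315(15) ack 309 win 17212 (DF)
14:54:54.929536 IP 192.168.0.4.1226 > 192.168.0.5.23: P 309:310(1) ack 1315 win 16206 (DF)
14:54:55.100898 IP 192.168.0.5.23 > 192.168.0.4.1226: F 1330:1330(0) ack 312 win 17209 (DF)
14:54:55.100964 IP 192.168.0.4.1226 > 192.168.0.5.23: . ack 1331 win 16191 (DF)
14:54:55.101465 IP 192.168.0.4.1226 > 192.168.0.5.23: F 312:312(0) ack 1331 win 16191 (DF)
14:54:55.102295 IP 192.168.0.5.23 > 192.168.0.4.1226: . ack 313 win 17209 (DF)
""".splitlines()

# time IP src.port > dst.port: flags [beg:end(len)] [ack N] win W ...
TCP_LINE = re.compile(
    r"^(?P<time>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFPR.]+)"
    r"(?: (?P<beg>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

def parse_tcp_line(line):
    """Return the windump fields as a dict; numeric fields become ints (None when absent)."""
    m = TCP_LINE.match(line)
    if not m:
        raise ValueError("not a windump TCP line: " + line)
    d = m.groupdict()
    for k in ("sport", "dport", "beg", "end", "len", "ack", "win"):
        d[k] = None if d[k] is None else int(d[k])
    return d

def track_connection(lines):
    """Replay the segments; return the state after each one and data bytes per direction."""
    state, fins, sent, states = "CLOSED", set(), {}, []
    for line in lines:
        p = parse_tcp_line(line)
        f, direction = p["flags"], (p["src"], p["dst"])
        if p["len"]:                                   # data segments carry a byte count > 0
            sent[direction] = sent.get(direction, 0) + p["len"]
        if "R" in f:
            state = "CLOSED"                           # reset aborts the connection
        elif "S" in f and p["ack"] is None:
            state = "SYN_SENT"                         # client's SYN
        elif "S" in f:
            state = "SYN_RECEIVED"                     # server's SYN,ACK
        elif state == "SYN_RECEIVED" and f == ".":
            state = "ESTABLISHED"                      # client's ACK completes the handshake
        elif "F" in f:
            fins.add(p["src"])                         # each side sends its own FIN
            state = "FIN_WAIT" if len(fins) == 1 else "LAST_ACK"
        elif state == "LAST_ACK" and f == ".":
            state = "CLOSED"                           # ACK of the second FIN
        states.append(state)
    return states, sent
```

Note that the SYN,ACK acknowledges the client's initial sequence number plus one, and that windump switches to relative sequence numbers (ack 1) once the handshake completes.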
User Datagram Protocol (UDP)
UDP can be used instead of TCP to address an application
· Does NOT support end-to-end retransmission, reorder out-of-order packets, or perform flow control or congestion control.
· Addresses applications via 16-bit Port number
Protocol:
UDP is connectionless, which means it sends packets without establishing a connection first. If packets cannot be successfully sent, there may be no indication of failure.
· Sends data
Windump UDP Data Format:
14:54:55.100898 IP 192.168.0.5.138 > 192.168.0.4.138: UDP, length: 174
Internet Protocol (IP)
· Performs routing
· Addresses hosts
· Performs fragmentation/reassembly
· Security problem: Spoofed fragments replace or confuse real data
· Security problem: Fragmented attacks may not be noticed by firewalls, IDS (depending on their sophistication)
IP Header Nibbles (each row is 8 nibbles = one 32-bit word; bit positions are within that word):
First 8 nibbles:
Bits 0-3: IP Version
Bits 4-7: Header length (in 32-bit words)
Bits 8-15: Type of service
Bits 16-31: Total length
Second 8 nibbles:
Bits 0-15: Identification (used with fragmentation)
Bits 16-18: Flags: More Fragments bit, Don't Fragment bit
Bits 19-31: Fragment offset
Third 8 nibbles:
Bits 0-7: Time to live
Bits 8-15: Protocol (e.g. TCP, ICMP)
Bits 16-31: Header Checksum
Fourth 8 nibbles: Source Address
Fifth 8 nibbles: Destination Address
15:19:42.744527 IP 192.168.0.4 > 192.168.0.5: icmp 1480: echo request seq 7168 (frag 924:1480@0+)
4500 05dc 039c 2000 8001 902b c0a8 0004
c0a8 0005 0800 2859 0200 1c00 6162 6364
6566 6768 696a 6b6c 6d6e 6f70 7172 7374
7576 7761 6263 6465 6667 6869 6a6b 6c6d
6e6f 7071 7273 7475 7677 6162 6364 6566
6768
Performs fragmentation:
(frag 924:1480@0+): Datagram ID=924, Length=1480 bytes of data in this fragment, @ Offset=0 bytes into the original datagram, + = More Fragments follow
15:19:42.744527 IP 192.168.0.4 > 192.168.0.5: icmp 1480: echo request seq 7168 (frag 924:1480@0+)
15:19:42.744570 IP 192.168.0.4 > 192.168.0.5: icmp (frag 924:576@1480)
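Added example (not from the handout): Python code that decodes the first 16 words of the hex dump above field by field using the nibble layout just listed, verifies the IP header checksum, reproduces windump's (frag 924:1480@0+) note, and reads the sequence number of the ICMP echo request that follows the header. The hex is copied from the dump above; the function names are my own.

```python
import struct
from ipaddress import IPv4Address

# Copied from the hex dump above: the 20-byte IP header plus the first ICMP bytes
HEX_DUMP = "4500 05dc 039c 2000 8001 902b c0a8 0004 c0a8 0005 0800 2859 0200 1c00 6162 6364"

def ip_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; returns 0 when an existing checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt):
    """Decode the IPv4 header using the nibble layout above (bit offsets within each 32-bit word)."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4              # header length field counts 32-bit words
    return {
        "version": ver_ihl >> 4, "header_len": ihl, "tos": tos,
        "total_len": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000),    # Don't Fragment flag
        "mf": bool(flags_frag & 0x2000),    # More Fragments flag
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset field is in 8-byte units
        "ttl": ttl, "protocol": proto,
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "payload_len": total_len - ihl,
    }

def frag_summary(h):
    """Render windump's '(frag id:len@offset+)' annotation from the decoded header."""
    return "frag %d:%d@%d%s" % (h["id"], h["payload_len"], h["frag_offset"],
                                "+" if h["mf"] else "")

def parse_icmp_echo(payload):
    """Decode the 8-byte ICMP echo header: type 8 = echo request, type 0 = echo reply."""
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", payload[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq}

def decode(hex_dump=HEX_DUMP):
    """Decode a windump hex dump into (IP header fields, frag note, ICMP echo fields)."""
    pkt = bytes.fromhex(hex_dump.replace(" ", ""))
    hdr = parse_ipv4(pkt)
    return hdr, frag_summary(hdr), parse_icmp_echo(pkt[hdr["header_len"]:])
```

The decoded total length (1500) minus the 20-byte header gives the 1480 that windump prints, and the ICMP sequence field decodes to the 7168 shown in the summary line.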
Internet Control Message Protocol (ICMP)
· Reports errors (e.g. Destination not reachable)
· Replies to requests (routing info)
· Test connectivity (ping)
Windump of Ping command:
15:19:42.744527 IP 192.168.0.4 > 192.168.0.5: icmp 1480: echo request seq 7168
15:19:42.748241 IP 192.168.0.5 > 192.168.0.4: icmp 1480: echo reply seq 7168
Note: 1480 is the length of the ICMP message in bytes (the IP total length minus the IP header).
Windump of an ICMP error message (port unreachable):
15:19:42.748241 IP 192.168.0.5 > 192.168.0.4: 131.210.42.3 udp port 53 unreachable
Address Resolution Protocol (ARP)
· Converts an IP Address (192.164.53.25) to a MAC Address (e.g. 0:90:27:1c:50:d0)
Protocol:
· Requester broadcasts to all nodes on the subnet: ARP Request (IP_Address)
· The node that owns that IP address replies: ARP Response (IP_Address, MAC_Address)
Windump:
14:54:50.190823 arp who-has 192.168.0.5 tell 192.168.0.4
14:54:50.191108 arp reply 192.168.0.5 is-at 0:90:27:1c:50:d0
Domain Name Server (DNS)
· Converts a host name (e.g. www.cs.uwp.edu) to a numeric IP address, or vice versa.
Protocol:
· Request carries the name (or numeric IP address) to be resolved
· Reply provides the information for that name or IP address.
Protocol Sniffing Lab
Power up the Normal boot in the Security Lab. Your login and password are the same as in the regular CS computer lab.
1) Using IPCONFIG to learn your IP address
Learn your IP address using ipconfig:
Start->Run or Start->Command Prompt or Start and enter into textbox: cmd
Open: cmd
> ipconfig
1A) Your IP address is: (Get both IPv4 and IPv6)
1B) What is your default gateway? This is the router that you send most packets to.
2) Using Netstat to observe routing tables
At the Unix or Windows command prompt, enter the following command to see the routing table:
> netstat -r
Each computer has VMware installed, and each VMware virtual network adapter has IP addresses associated with it. You will see your own IP address under Local Area Connection, and potentially addresses for any VMware adapters.
2A) What IP addresses do you see?
2B) Where do packets go when no match in the routing table is defined? What subnet mask is used?
3) Getting Familiar with WireShark
To start wireshark execute:
Start->All Programs->Wireshark
Top right should say: Intel … Gigabit Network Connection …
Capture-> Options
Press Start
The screen has three parts:
o Top part: Abbreviated packet headers
o Middle part: Details about a selected packet header
o Bottom part: Application data details
When you click on a packet in the top part, the lower two parts show its details. Further protocol header details are expanded or contracted by clicking on the + or - sign in front of each protocol header.
If packets are flowing too quickly for you to observe, you can select
Capture->Stop
Capture->Restart or Capture->Start
(If asked, select “Continue without saving”)
OR the 4th icon from left stops the capture.
3A) What protocols do you see running? Many are described in the front of this handout. List the protocols and briefly describe them.
4) Filtering with Wireshark
You probably are seeing too much extraneous data to really observe anything. It is helpful to filter out all packets that are not going or coming from your terminal.
Select: Capture->Options
(If asked, select “Continue without saving”)
We need to select a number of options to collect packets and to exclude name resolution (translation of addresses to names), since lookups take time and will cause packets to be lost:
Select all Display Options boxes
Clear all Name Resolution boxes EXCEPT Transport Name
Press Start
You will see again all sorts of packets. There is a Filter at the top left hand side, where you can enter text. Enter:
ip.addr==<your IP address>
Now you will see only those packets that are for your host – not part of the regular network noise.
It is also possible to restrict the display to a particular TCP application by adding a port test to the display filter, such as web (80):
ip.addr==10.1.1.130 && tcp.port==80
Enter a filter that monitors only your own IP address (i.e., no broadcast messages).
Now you should be seeing reduced traffic.
Stop and restart your capture so that you will be looking at a reduced amount of traffic.
Now open a web browser (e.g. Internet Explorer).
4A) What filter did you enter?
When the webpage is fully open, close it.
Stop the capture display using
Capture->Stop.
4B) Scroll back to the first SYN packet. Fill in what you see:
Application protocol used (HTTP):
Transport protocol used (TCP/UDP):
Source / Destination IP Address
Port Numbers
4C) Look for the SYN packets and fill in the following information:
Opening Window Size
Maximum Segment Size
Starting Sequence Number
4D) Look for FIN packets. (If you don’t see them, restart the session and see if you can cause them to occur.) Who initiates the FIN, when does the FIN sequence occur, and how does the FIN sequence occur?
4E) Look at the IP protocol headers. Do you see fragmentation occurring during the web page download sequence? Remember that the IP Identification field is used in fragmentation. Are these numbers allocated sequentially?
4F) Restart the capture. If you open a new web page, or change web pages, does a new TCP session open?
5) IP & Fragmentation
IP is responsible for routing. IP version 4 is also responsible for fragmentation and reassembly. Below we will send a ping message that is so large it requires fragmentation (the -l option sets the payload length, here 2048 bytes). Monitor transmissions to/from your IP address using Wireshark while pinging a lab machine (e.g. ginger):
> ping ginger.cs.uwp.edu -l 2048
5a) Number of fragments:
5b) Size of each fragment:
5c) Fragment number:
5d) Next fragment number (Are fragment numbers sequential)?
6) TCP
For this part of the lab, we need to be in the Security Lab boot. You will need to restart your computer and select Security Lab.
The Login=Student_SL and Password=n0tsecure.
Pull up Wireshark and start it up, first to receive all packets. If you don’t see any packets, go back to the Options page and see which device you are monitoring. You want to avoid VMware devices.
The application we will be running is telnet, which is an unencrypted command control application (kind of like an unencrypted ssh). This machine uses IP version 6 (IPv6) and it is more difficult to filter IP addresses. Telnet has a port number of 23, so set your filter to
Filter: tcp.port==23
We are now ready to start the application. At a shell command prompt, enter:
% telnet mystery
Login: Student Password: badpass
You should see the telnet application use TCP.
6A) What port numbers do the client and server use?
IP Address
Port Number
Starting Sequence #
Type in some DOS commands at the prompt, such as 'dir', 'cd <directory>' or 'cd ..'
6B) Look at the data that is transmitted back and forth. How many bytes of data are sent in each packet? What data is received back? Is the push flag set? What do you think of the efficiency?
6C) What is the largest receive window that you see? Do you see other receive windows or does the application keep up with TCP?
6D) What do you need to do to get a FIN to be sent? Can you cause the communication to send SYNs and FINs on command? How?
6E) Try telnetting to other devices, such as ginger or another PC in the security room. (Ask someone for their computer name.) Can you connect? What happens?
7) Traceroute
Traceroute is a useful utility that tracks the route between a source and destination IP address.
Restart the protocol analyzer with a new buffer. At the windows command prompt enter:
> tracert www.microsoft.com
The technique is to send probes with increasing Time-To-Live values in the IP header; the router at which the Time-To-Live runs out reports back with an ICMP message, which identifies that router.
7A) What protocols and packets do you see?
8) Monitoring ARP and ICMP
Next learn which IP addresses are in your ARP cache. The ARP protocol is responsible for translating IP addresses to MAC addresses. Perform the following command at Windows cmd prompt to see your ARP cache:
> arp -a
Find a machine that is NOT in your arp cache. Open another cmd window and try doing a PING to the IP address that is not in your arp cache. This will force the ARP protocol to run. Ping uses ICMP. ICMP is a protocol that provides error messages and implements network tools for IP. Ping sends an echo request packet to a remote destination and expects an echo reply packet back.
Open a second cmd window to run ping while Wireshark is capturing. Select another machine to ping, using the Windows cmd prompt:
> ping 10.1.1.20
8A) You should now see both arp and icmp messages. The arp messages provide the MAC address for the ping messages to use. Copy down the arp sequence. Circle the MAC address.
8B) Now copy down the ping exchange (one request-response sequence) seen in wireshark.
8C) Attempt to ping a machine that does not exist: 10.1.1.300. What sequence of protocols do you see? What ICMP message is eventually returned? What are the contents of the ICMP message?
8D) Attempt to access web pages that you know are and are not accessible. For example, access www.tomato.uwp.edu. What protocol informs you that the web page is not available?