CAP6135: Malware and Software Vulnerability Analysis Network Traffic
CAP6135: Malware and Software Vulnerability Analysis Network Traffic Monitoring Using Wireshark Cliff Zou Spring 2013 Acknowledgement http://ilta.ebiz.uapps.net/ProductFiles/ productfiles/672/wireshark.ppt
UC Berkley course EE 122: Intro to Communication Networks http://www.eecs.berkeley.edu/~jortiz/courses/ ee122/presentations/Wireshark.ppt
Other resources: http://openmaniak.com/wireshark_filters.php 2 Motivation for Network Monitoring Essential for Network Management
Router and Firewall policy Detecting abnormal/error in networking Access control Security Management
Tcpdump Unix-based command-line tool used to intercept packets Reads live traffic from interface specified using -i
option or from a previously recorded trace file specified using -r option You create these when capturing live traffic using -w option Tshark
Including filtering to just the packets of interest Tcpdump-like capture program that comes w/ Wireshark Very similar behavior & flags to tcpdump Wireshark
GUI for displaying tcpdump/tshark packet traces 4 Tcpdump example Ran tcpdump on a Unix machine First few lines of the output: 01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-2307.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816 01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-2307.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-2307.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816 01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560 5 What does a line convey? Timestamp This Source is an IPhost
packet name Source port number (22) 01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816 Destination host name
Destination port number TCP specific information Different output formats for different packet types 6 Similar Output from Tshark 1190003744.940437 22.214.171.124 -> 126.96.36.199 SSH Encrypted request packet len=48 1190003744.940916 188.8.131.52 -> 184.108.40.206
7 Demo 1 Basic Run Syntax: tcpdump [options] [filter expression]
Unfortunately, Eustis machine does not allow normal users to run tcpdump I will demonstrate it on my groups Unix machine: cnsserver.eecs.ucf.edu $ sudo tcpdump i eth0 On your own Unix machine, you can run it using
sudo or directly run tcpdump Observe the output 8 Filters We are often not interested in all packets
flowing through the network Use filters to capture only packets of interest to us 9 Demo 2 Capture only udp packets 1.
tcpdump udp Capture only tcp packets 2. tcpdump tcp 10
Demo 2 (contd.) Capture only UDP packets with destination port 53 (DNS requests) 1. tcpdump udp dst port 53
Capture only UDP packets with source port 53 (DNS replies) 2. tcpdump udp src port 53 Capture only UDP packets with source or destination port 53 (DNS requests and
replies) 3. tcpdump udp port 53 11 Demo 2 (contd.) Capture only packets destined to
quasar.cs.berkeley.edu 1. tcpdump dst host quasar.cs.berkeley.edu Capture both DNS packets and TCP packets to/from quasar.cs.berkeley.edu
2. tcpdump (tcp and host quasar.cs.berkeley.edu) or udp port 53 12 How to write filters
Refer the tcpdump/tshark man page Many example webpages on the Internet 13 Running tcpdump Requires superuser/administrator privileges on
Unix http://www.tcpdump.org/ You can do it on your own Unix machine You can install a Linux OS in Vmware on your machine
Tcpdump for Windows WinDump: http://www.winpcap.org/windump/ Free software 14
So What is WireShark? Packet sniffer/protocol analyzer Open Source Network Tool Latest version of the ethereal tool What is tShark?
The command-line based packet capture tool Equivalent to Wireshark 16 Wireshark Interface
17 Wireshark Interface 18 Status Bar 19 Capture Options
Capture Filter Capture Filter examples host 10.1.11.24 host 192.168.0.1 and host 10.1.11.1 tcp port http ip not broadcast not multicast ether host 00:04:13:00:09:a3
Display filters (also called post-filters) only filter the view of what you are seeing. All packets in the capture still exist in the trace Display filters use their own format and are much more powerful then capture filters
Sub protocol categories inside the protocol. Look for a protocol and then click on the "+" character. Example:
tcp.srcport == 80 tcp.flags == 2 tcp.flags == 18
SYN packet Tcp.flags.syn==1 SYN/ACK Note of TCP Flag field: 33 Display Filter Expressions
snmp || dns || icmp tcp.port == 25
Display packets with TCP source or destination port 25. tcp.flags Display the SNMP or DNS or ICMP traffics.
Display packets having a TCP flags tcp.flags.syn == 0x02 Display packets with a TCP SYN flag. the filter syntax is correct, it will be highlighted in green, therwise if there is a syntax mistake it will be highlighted in red. Correct syntax Wrong syntax
34 Save Filtered Packets After Using Display Filter We can also save all filtered packets in text file for further analysis Operation:
FileExport packet dissections as plain text file 1). In packet range option, select Displayed 2). In choose summary line or detail 35 Protocol Hierarchy
Protocol Hierarchy Follow TCP Stream Follow TCP Stream red - stuff you sent blue - stuff you get Filter out/in Single TCP Stream
When click filter out this TCP stream in previous pages box, new filter string will contain like: http and !(tcp.stream eq 5) So, if you use tcp.stream eq 5 as filter string, you keep this HTTP session
40 Expert Info Expert Info Conversations Conversations
Use the Copy button to copy all text into clipboard Then, you can analyze this text file to get what statistics you want 45
Find EndPoint Statistics Menu statistics endpoint list TCP You can sort by field Tx : transmit Rx : receive 46
Find EndPoint Statistics Use the Copy button to copy all text into clipboard Then, you can analyze this text file to get what statistics you want
47 Flow Graphs Flow Graphs The displayed packet option could let you only Show the flow of packets shown up for example, only display http traffic, then show The flow to analyze
Flow Graphs Export HTTP Export HTTP Objects HTTP Analysis HTTP Analysis Load Distribution Click Create Stat button
You can add filter to only Show selected traffic HTTP Analysis Packet Counter HTTP Analysis Requests Improving WireShark Performance
Dont use capture filters Increase your read buffer size Dont update the screen dynamically Get a faster computer Use a TAP Dont resolve names
Post-Processing Text File For saved text-format packet files, further analysis needs coding or special tools One useful tool on Unix: Grep
On Windows: PowerGrep http://www.powergrep.com/ Command-line based utility for searching plain-text data sets for lines matching a regular expression. 58 Basic usage of Grep
Command-line text-search program in Linux Some useful usage:
Grep word filename # find lines with word Grep v word filename # find lines without word Grep ^word filename # find lines beginning with word Grep word filename > file2 # output lines with word to file2 ls -l | grep rwxrwxrwx # list files that have rwxrwxrwx feature grep '^[0-4] filename # find lines beginning with any of the numbers from 0-4
Grep c word filename # find lines with word and print out the number of these lines Grep i word filename # find lines with word regardless of case Many tutorials on grep online http://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/ http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-commandexamples/
Arial Calibri Office Theme Equation Hardness of Learning Halfspaces with Noise Spam Problem Halfspace Learning Problem Perspective Inseparability In Presence of Noise Related Work : Positive Results Related Work : Negative Results Open Problem Our Result Remarks Linear Inequalities Label...
Suspension of work/stop work notices. Standard form 30, block 13D applies. Cite the appropriate contract clause as authority. Unilateral Modifications Cont. Bilateral/ Supplemental Mods. Commercial Modification (Continued) IAW 52.212-4 (c) Changes. "Changes in the terms and conditions of this ...
The currency in Japan is the peso/euro/yen. Already finished? Write down any other facts you know about Japan. Japanese Quiz. Japan. ... chopsticks and sushi, karate and kimonos, but . also . lots . lots. more... Japan - a land...
Rotary District 7930 Long Range Public Relations Plan 2013-2016 Rotary District 7930 Public Relations Committee Josh Arnold Tracy Arabian Joan Arsenault Jo Broderick Nanci Carney Tanya DeGenova Carole Elliot Toni Joerees Amy Luckiwicz Peter Majane Betsy Manzilli Bonnie Michaleas David...
UM Pyramid Social EmotionalPilot and Research. All VPK Title I and Fee-Supported Teachers and Paraprofessionals trained in Pyramid Behavior Model during 16-17 and 17-18 school year. Pyramid Research Project: Partnership between the University of Miami, The Children's Trust and M-DCPS...
The Board of Directors. In recognition of state law requirements that require every corporation to have some form of constituted leadership, at the 2010 Grand Lodge convention a resolution was adopted by the delegates that made it mandatory that an...
Chapter Ten Cost Planning for the Product Life Cycle: Target Costing, Theory of Constraints, and Strategic Pricing Explain how to use target costing to facilitate strategic management Apply the theory of constraints (TOC) to strategic cost management Describe how life-cycle...
Analyze the ambiguous case of the sine law, ... The word "Ambiguous" means something that can have more than one interpretation, More than one answer. Consider the Following. Martina and Carl are both holding a rope that attached to a...
Ready to download the document? Go ahead and hit continue!