Task 9.4: Capturing Packets with the Packet Analyzer: Wireshark

Wireshark is a free, commonly used packet analyzer. Packet analyzers—also called network analyzers, protocol analyzers, or sniffers—monitor the network segment they are connected to and record the packets (strictly speaking, the frames) that appear on it. Packet analyzers are useful for analyzing traffic patterns, identifying rogue protocols and nodes on the network, and troubleshooting many types of network- or protocol-related problems.

image

A rogue protocol is a protocol that should not be present on your network. If your network only uses TCP/IP for a transport protocol, there should be no TP4 or IPX/SPX frames on the network. We are using the word node to represent a system or device that communicates on the network.

A network interface card (NIC) can be set to accept every frame that appears on the segment it is attached to, whether or not the frame is addressed to the node. This is called promiscuous mode. Accepting every frame is unnecessary for normal operation, and it raises two concerns:

  • Every frame on the segment, including those addressed to other nodes, is passed up to software on the node. A bug in whatever parses those frames (a sniffer’s protocol dissectors, for instance) can then be triggered by anyone able to place a frame on the segment.
  • Whoever runs the sniffer can capture conversations between other nodes that the sniffing node takes no part in, and read the information in those frames. This is a compromise of confidentiality on the network.

In normal operation, the NIC filters on the destination MAC address in hardware and accepts only the following:

  • Frames the node itself sends
  • Unicast frames addressed to the node’s own MAC address
  • Broadcast frames, which are addressed to all nodes
  • Multicast frames for groups the node has registered to receive

In this mode the node does not receive frames meant for other nodes, so it cannot eavesdrop on conversations it is not part of. This is called nonpromiscuous mode, and it is how every NIC operates by default. When you start a capture in a sniffer such as Wireshark, the tool asks the driver to put the NIC into promiscuous mode for the duration of the capture, so that it can record every frame delivered to that port on the segment. (Wireshark exposes this as a setting in its Capture Options, which you can turn off if you only want your own node’s traffic.)

To get a clear picture of what a sniffer can and cannot see, you must also understand hubs and switches. In the past, networks ran on hubs. A hub is a repeater: every frame that arrives on one port is sent out of every other port, so each node sees all the traffic on the hub, and on any hubs daisy-chained to it, right up to the point where the segment meets a bridge or router. Bridges and routers filter; hubs do not. A sniffer on a hub (its NIC in promiscuous mode) can therefore monitor conversations between two other nodes. That is useful for analysis, but it cuts both ways: the sniffing node now parses every frame on the segment, including malformed or hostile ones, and if the sniffer is in an attacker’s hands they can read data they are not authorized to see—a compromise of the confidentiality of your information assets.

Sniffers are less convenient today because most networks have replaced their hubs with switches. A switch is essentially a multiport bridge: it learns the Media Access Control (MAC) address of the node on each port by reading the source address of incoming frames, then forwards each frame only to the port that matches its destination MAC address. If a frame’s destination MAC address is your NIC’s, the switch forwards it to your port; if it is another node’s, the switch sends it to that node’s port and your NIC never sees it, no matter what mode it is in. The exceptions are frames the switch cannot direct to a single port: broadcasts, multicasts, and unicasts to a destination the switch has not yet learned (unknown unicast), which are flooded out of every port. So on a switched segment, expect your capture to contain your own node’s traffic, ARP and other broadcasts, multicast, and the occasional flooded frame, and nothing else. To see all the traffic on a segment, you must attach the sniffer at a point where a switch is not filtering it away. Always know where you have connected the sniffer and what you should expect to see there (filtered or unfiltered); a quiet capture may simply mean you are on an ordinary access port, not that the network is quiet.

For administrative purposes, most managed switches can copy traffic to a sniffer. A system administrator configures a mirror port (Cisco calls the feature SPAN, Switched Port Analyzer; other vendors call it port mirroring), and the switch sends copies of the frames from one or more selected ports or VLANs to the port the sniffer is plugged into. Two caveats: a mirror port carrying both directions of a busy full-duplex link can be oversubscribed and will silently drop frames, and the mirror configuration should be removed when the analysis is done. A network TAP inserted inline on the link avoids the drop problem.

Attackers can also cause a switch to deliver other nodes’ frames to them. One approach is MAC flooding: the attacker sends frames from thousands of bogus source MAC addresses until the switch’s address table is full. The switch can no longer learn where the real nodes are, so frames to them become unknown unicast and are flooded out of every port, including the attacker’s; the switch has effectively degraded into a hub. Another approach is MAC spoofing: the attacker sends frames with a victim’s source MAC address, so the switch re-learns that address on the attacker’s port and sends the victim’s traffic there. Both leave traces in a capture (a burst of never-before-seen source addresses, or a MAC address that moves between ports), and a well-configured switch limits the number of MAC addresses allowed on a port (port security) and shuts the port or drops the offending frames when that limit is exceeded.
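To make the three ideas above concrete, here is an added Python model (example code, not part of this task and not Wireshark’s own code) of the nonpromiscuous acceptance rule, a learning switch that sends known unicast to one port and floods everything else, and the MAC-flooding attack with port security as the countermeasure. The table size, the MAC addresses, the port numbers and the port-security behaviour are simplified assumptions chosen for illustration.

```python
"""Toy model of what a sniffer can see: NIC filtering, a learning switch, and MAC flooding."""
from dataclasses import dataclass, field

BROADCAST = bytes.fromhex("ffffffffffff")


def nic_accepts(dst_mac, own_mac, joined_groups=(), promiscuous=False):
    """Nonpromiscuous rule: accept own unicast, broadcast, and joined multicast groups only.
    A set low bit in the first octet marks a group (multicast) address."""
    if promiscuous or dst_mac in (own_mac, BROADCAST):
        return True
    return bool(dst_mac[0] & 1) and dst_mac in joined_groups


@dataclass
class Switch:
    """Learning switch with a tiny address table and optional port security (assumed model)."""
    ports: frozenset
    cam_limit: int = 4            # entries the table holds; real tables hold thousands
    max_macs_per_port: int = 0    # port-security limit; 0 = disabled
    cam: dict = field(default_factory=dict)    # MAC -> port
    seen: dict = field(default_factory=dict)   # port -> set of MACs sourced from it
    shut: set = field(default_factory=set)     # ports disabled by a security violation

    def forward(self, in_port, src, dst):
        """Handle one frame; return the set of ports it is sent out of."""
        if in_port in self.shut:
            return set()
        if self.max_macs_per_port:
            macs = self.seen.setdefault(in_port, set())
            macs.add(src)
            if len(macs) > self.max_macs_per_port:   # violation: disable the port
                self.shut.add(in_port)
                return set()
        if src not in self.cam and len(self.cam) < self.cam_limit:
            self.cam[src] = in_port                  # learn which port src lives on
        if dst in self.cam:                          # known unicast: one port only
            return {self.cam[dst]} - {in_port}
        return set(self.ports) - {in_port} - self.shut   # broadcast/multicast/unknown: flood


def hub_forward(ports, in_port):
    """A hub repeats every frame out of every other port, whatever the addresses say."""
    return set(ports) - {in_port}


def sniffer_sees(flooding=False, port_security=0):
    """Hosts A (port 1) and B (port 2) exchange a unicast frame; a sniffer sits on port 3.
    Returns (sniffer got a copy, sniffer's port was shut by port security)."""
    sw = Switch(ports=frozenset({1, 2, 3}), max_macs_per_port=port_security)
    A, B = bytes.fromhex("0a0000000001"), bytes.fromhex("0a0000000002")  # constructed MACs
    if flooding:
        # MAC flooding: the attacker on port 3 sources frames from more bogus MACs than the
        # table can hold, so the genuine entries cannot be learned (or re-learned after aging).
        for i in range(sw.cam_limit + 1):
            sw.forward(3, bytes.fromhex(f"0e00000000{i:02x}"), BROADCAST)
    sw.forward(2, B, BROADCAST)        # B's broadcast (e.g. ARP): learned only if there is room
    egress = sw.forward(1, A, B)       # A -> B unicast
    return 3 in egress, 3 in sw.shut


if __name__ == "__main__":
    print("normal switch:", sniffer_sees())
    print("after MAC flooding:", sniffer_sees(flooding=True))
    print("flooding vs port security:", sniffer_sees(flooding=True, port_security=2))
```

Run it and compare the three cases: on a healthy switch the sniffer on port 3 never receives the A-to-B frame, after the flood it does (the frame is flooded like unknown unicast), and with a two-address limit on port 3 the attacker’s port is shut before the table fills.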

Scenario

You have recently become responsible for several segments of your corporate network. You want to understand the nature of the traffic on these segments: you are looking for traffic flow patterns, and you always keep an eye open for rogue nodes and protocols on the network.

Scope of Task

Duration

This task should take 45 minutes.

Setup

You will need to download Wireshark. As of this writing, the latest version of Wireshark is v1.4.3. Wireshark was previously called Ethereal. Ethereal was first written for the Unix/Linux family of operating systems, and both Ethereal and Wireshark are released under an open source license, so the software is free for you to use. Both have been ported to run on the Microsoft platform.

Caveat

Downloading and installing software from the Internet is always risky. Be sure your system is fully patched and that you are running recently updated antivirus and antispyware applications. Scan the downloaded files before you install them, and scan your system after installing them and before using them. An antivirus scan only catches known malware, though; to confirm that the installer is the one the Wireshark project published, compare its hash (or verify its PGP signature) against the values the project publishes alongside the download. Bear in mind, too, that a sniffer parses every frame it captures, including hostile ones, so keep Wireshark itself patched just as you would a browser.

Procedure

You will first download and install Wireshark. You will then start a capture and surf the Internet for a while. Then you will stop and save the capture. Finally, you will review the capture.

Equipment Used

For this task, you must have:

  • Windows Vista system
  • Administrator access
  • Internet access

Details

Downloading Wireshark

1. Log on to the Windows Vista system as the Administrator.

2. To download Wireshark v1.4.3, launch Internet Explorer and browse to www.wireshark.org/download.html.

3. Select to download the appropriate version of the sniffer (32-bit or 64-bit based on your operating system).

4. On the File Download – Security Warning screen, select to save the file. Save the file to your desktop using the default name, such as wireshark-win64-1.4.3.exe.

image

Installing Wireshark

1. Upon completion of the file download, double-click the executable, which should be located on your desktop.

2. In the Open File – Security Warning dialog box, click Run to execute the installation application for Wireshark.

3. Note that the installation application checks that the package has not been corrupted. This is an integrity check against accidental damage, not proof of where the file came from; verifying the published hash or signature (see the Caveat above) is what establishes that.

4. On the Wireshark Setup Wizard’s Welcome screen, click Next.

image

5. On the License Agreement screen, click I Agree.

6. On the Choose Components screen, leave the defaults and click Next.

image

GTK2 is the newer user interface toolkit for Wireshark. Adding or removing components is optional, but doing so may change the application’s user interface or performance or have other side effects you do not want.

image

7. On the Additional Tasks screen, leave the defaults and click Next.

8. On the Choose Installation Location screen, leave the default and click Next.

9. On the Install WinPcap? screen, leave the defaults and click Next.

image

NPF refers to the Netgroup Packet Filter—npf.sys—the WinPcap kernel driver that Wireshark depends on to capture frames. If you let NPF start automatically at boot, nonadministrator users can use Wireshark to capture packets. That is usually undesirable: a nonadministrator who can capture frames on the network can gain unauthorized access to sensitive information. Leaving the default (the driver is started on demand, which only an administrator can do) keeps the ability to capture tied to administrative privilege, which is where this task assumes it belongs.

image

Feel free to click the What Is WinPcap? button. This opens a browser on an informational web page regarding WinPcap.

image

10. An installation screen is presented.

11. About halfway through the installation, WinPcap installation is triggered. Click Next to proceed.

12. On the License Agreement screen, click I Agree.

13. A progress screen is displayed. Upon completion, click Finish.

14. The Wireshark installation now continues. Upon completion, click Next.

15. On the Completing screen, enable the Run Wireshark 1.4.3 check box and click Finish.

image

Using Wireshark to Perform a Network Capture

1. When Wireshark launches, you must specify which network interface, or network adapter, you wish to have Wireshark monitor to perform the capture. Select Capture ⇒ Interfaces.

image

2. In the Capture Interfaces dialog box, identify each adapter. On the adapter that you are using to connect to the Internet, click the Options button to the right.

image

If you are not sure which adapter to select, click the Details button adjacent to each adapter to try to identify the correct adapter.

image

3. You are presented with the Capture Options dialog box. This dialog box is a busy one; spend some time reviewing its options:

  • The buffer size sets the kernel capture buffer, not the capture file size. If it is too small for the traffic rate, frames are dropped before Wireshark ever sees them.
  • You can turn off promiscuous mode, in which case you capture only the frames the NIC would accept anyway.
  • You can discard the trailing end of each frame by limiting the packet size (the snaplen). More frames then fit in the buffer, but you lose the payloads: a loss of evidence if you later need them, or a deliberate choice if you want to avoid recording them.
  • You can apply a capture filter. Capture filters use the same syntax as tcpdump (for example, host 192.0.2.10 or udp port 53) and are applied before a frame is stored, so they keep the capture small but cannot be undone afterwards. Display filters, applied after the capture, use a different syntax and can be changed at will.
  • You can update the packet list during an active capture. This consumes resources and can cause the capture to miss frames under load.
  • You can enable automatic name resolution so that the display shows names rather than addresses. Be aware that network name resolution makes Wireshark issue DNS queries of its own, which appear in the capture and can reveal what you are looking at.
  • You can preprogram the end of the capture by number of packets, by file size, or by time.
image

Once you’ve reviewed this dialog box, click Start to begin the capture.

4. You will be presented with an active Capture dialog box indicating that you are currently recording frames on the selected network interface.

image

5. To generate network traffic, launch Internet Explorer and go to www.google.com. Type Wireshark in the search box and click Google Search.

6. From the hits list, select the hyperlink for www.Wireshark.org. Browse around on the Wireshark website.

7. In the address bar of Internet Explorer, type www.sybex.com and press Enter.

8. Browse the Internet for a minute or two.

9. Click the toolbar icon with the red X on it, located directly under the View menu item, to end the capture.

Using Wireshark to Perform Network Analysis

1. Review the frames that Wireshark captured during the exercise.

image

If you followed the steps properly, your capture should resemble the one in the graphic, except that your home page in Internet Explorer may be set to something other than Google (ours is Google). Scroll down your capture until you find a frame with Protocol DNS and Info Standard query A www.google.com (frame 7 in the following graphic). Begin your review there.

image

2. You can find a tremendous amount of information and learn a lot by carefully studying captures, even ones as innocuous as this one. You are looking at the true mechanics of the network and protocols, the nuts and bolts. You can verify details that you have been told about how protocols work.

In the preceding graphic, notice the Source IP address in frame 7. This is the IP address of the local computer. The Destination IP address is that of the configured DNS server for the local computer.

Now look at frame 8. This is the DNS response providing the IP address of the web server www.google.com.

Notice frames 9, 10, and 11. These frames are the three-way TCP handshake to establish a TCP session with the Google web server:

  • Frame 9 – SYN
  • Frame 10 – SYN / ACK
  • Frame 11 – ACK

Frame 12 is the HTTP GET frame where the local computer is requesting the web page from www.google.com.

The next few frames contain the content from the website that will populate your browser with the Google web page.

Now find this similar sequence in your capture.

3. Take a closer look at frames 7 and 8 in the previous graphic: the DNS query for www.google.com.

Explore the details of frame 7 by clicking on it in the top pane and expanding the lines in the center section of the display.

image

Notice that the DNS query (frame 7) uses User Datagram Protocol (UDP) to the DNS server’s destination port (Dst port) 53.

In the next frame (frame 8, or one of the following frames in your capture), notice that the DNS server replies using UDP from its source port 53 to port 52580 on the local client, the ephemeral port the client chose for this query. Wireshark matches the response to the query by the transaction ID in the DNS header, which is the same in both frames; check that it is.

Now find this similar sequence in your capture.

image

The bottom section of Wireshark displays the raw bytes of the selected frame, with the bytes of the highlighted field set off from the rest. This is where attackers find valuable information, such as unencrypted passwords when users log on with applications like FTP and Telnet; Wireshark’s Follow TCP Stream function reassembles such a conversation into readable text.
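To see the same mechanics in code rather than in the GUI, here is an added Python example (not part of this task, and not Wireshark’s own code). It builds the frame sequence discussed above from scratch: the DNS query and response, the three-way handshake and the HTTP GET, followed by a cleartext FTP logon of the kind the previous paragraph warns about. It then dissects them the way a packet list would, and it also models two of the Capture Options reviewed in step 3, the capture filter and the snaplen cut-off, so you can see what each one costs. All addresses, ports, MAC addresses and payloads are constructed sample data, not a real capture.

```python
"""Hand-built frames and a minimal dissector (added example; constructed data, not a capture)."""
import struct

# Constructed sample network using RFC 5737 documentation addresses.
CLIENT, DNS_SRV, WEB, FTP = "192.0.2.10", "192.0.2.1", "198.51.100.20", "198.51.100.21"
MAC_CLIENT, MAC_GW = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
SYN, PSH, ACK = 0x02, 0x08, 0x10

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def frame(src, dst, proto, l4):
    """Ethernet II + IPv4 header around a transport segment (checksums left 0: sample data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    macs = MAC_GW + MAC_CLIENT if src == CLIENT else MAC_CLIENT + MAC_GW  # dst MAC, then src MAC
    return macs + b"\x08\x00" + ip + l4

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport, flags, data=b""):
    # seq/ack 1, data offset 5 (20-byte header, no options), window 8192, checksum 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + data

def _qname(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def dns_query(name):
    # ID 0x1234, flags 0x0100 (standard query, recursion desired), one question: type A, class IN
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _qname(name) + struct.pack("!HH", 1, 1)

def dns_answer(name, addr):
    # flags 0x8180 (response, recursion available); the answer name is a pointer to the question
    rr = b"\xc0\x0c" + struct.pack("!HHIH4s", 1, 1, 300, 4, _ip(addr))
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _qname(name) + struct.pack("!HH", 1, 1) + rr

# The task's frames 7-12, then a cleartext FTP logon (all constructed).
SAMPLE = [
    frame(CLIENT, DNS_SRV, 17, udp(52580, 53, dns_query("www.google.com"))),
    frame(DNS_SRV, CLIENT, 17, udp(53, 52580, dns_answer("www.google.com", WEB))),
    frame(CLIENT, WEB, 6, tcp(49152, 80, SYN)),
    frame(WEB, CLIENT, 6, tcp(80, 49152, SYN | ACK)),
    frame(CLIENT, WEB, 6, tcp(49152, 80, ACK)),
    frame(CLIENT, WEB, 6, tcp(49152, 80, PSH | ACK, b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n")),
    frame(CLIENT, FTP, 6, tcp(49153, 21, PSH | ACK, b"USER alice\r\n")),
    frame(CLIENT, FTP, 6, tcp(49153, 21, PSH | ACK, b"PASS hunter2\r\n")),
]

def dissect(raw):
    """Decode Ethernet/IPv4/UDP|TCP headers; a frame cut short by the snaplen is flagged."""
    f = {"proto": None, "sport": None, "dport": None, "flags": 0, "payload": b"", "truncated": False}
    if len(raw) < 34 or raw[12:14] != b"\x08\x00":   # not a complete IPv4-over-Ethernet frame
        return f
    ihl, total = (raw[14] & 0x0F) * 4, struct.unpack("!H", raw[16:18])[0]
    f["proto"], f["truncated"] = raw[23], len(raw) < 14 + total
    f["src"], f["dst"] = (".".join(map(str, raw[o:o + 4])) for o in (26, 30))
    l4 = raw[14 + ihl:14 + total]
    if len(l4) >= 4:
        f["sport"], f["dport"] = struct.unpack("!HH", l4[:4])
    if f["proto"] == 17 and len(l4) >= 8:
        f["payload"] = l4[8:]
    elif f["proto"] == 6 and len(l4) >= 20:
        f["flags"], f["payload"] = l4[13], l4[(l4[12] >> 4) * 4:]
    return f

def _dns_name(p):
    """Read the question name at offset 12; returns a marker if the snaplen cut it off."""
    i, labels = 12, []
    while i < len(p) and p[i]:
        labels.append(p[i + 1:i + 1 + p[i]].decode(errors="replace"))
        i += 1 + p[i]
    return ".".join(labels) or "<cut off>"

def describe(f):
    """One line per frame in the style of the Info column of Wireshark's packet list."""
    p = f["payload"]
    if f["proto"] == 17 and f["dport"] == 53:
        text = "DNS Standard query A " + _dns_name(p)
    elif f["proto"] == 17 and f["sport"] == 53:
        addr = "?" if f["truncated"] else ".".join(map(str, p[-4:]))
        text = "DNS Standard query response A %s -> %s" % (_dns_name(p), addr)
    elif f["proto"] == 6 and p.startswith(b"GET "):
        text = "HTTP " + p.split(b"\r\n")[0].decode()
    elif f["proto"] == 6 and f["dport"] == 21 and p[:5] in (b"USER ", b"PASS "):
        text = "FTP Request: %s  <-- cleartext credential" % p.strip().decode()
    elif f["proto"] == 6:
        names = [n for bit, n in ((SYN, "SYN"), (PSH, "PSH"), (ACK, "ACK")) if f["flags"] & bit]
        text = "TCP [%s] %s -> %s" % ("/".join(names), f["sport"], f["dport"])
    else:
        text = "Unknown"
    return text + (" [truncated]" if f["truncated"] else "")

def capture(frames, snaplen=65535, keep=lambda f: True):
    """Two Capture Options modelled: the capture filter (keep) sees the whole frame and decides
    first; the snaplen then cuts each kept frame, which is where payloads get lost."""
    return [raw[:snaplen] for raw in frames if keep(dissect(raw))]

def summarize(frames, **opts):
    return [describe(dissect(raw)) for raw in capture(frames, **opts)]

if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
    print("-- snaplen 54: headers survive, payloads do not --")
    for line in summarize(SAMPLE, snaplen=54):
        print(line)
```

The full run reproduces the packet-list sequence from step 2 (query, response, SYN, SYN/ACK, ACK, GET) and then prints the FTP USER and PASS lines exactly as an attacker would read them off the wire. The second run, with the snaplen set to 54 bytes (Ethernet + IPv4 + TCP headers and nothing more), still identifies the handshake and every port number but reports the GET and the password frames only as truncated PSH/ACK segments, which is the trade-off the snaplen option makes. Passing keep=lambda f: f["proto"] == 17 plays the role of a udp capture filter and leaves only the two DNS frames.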

4. The more you look at captures, the more you will see. Ten seconds of captured data can become hours of worthwhile study. Expand one of the frames of interest to expose all lines of data and review each section.

image

You may want to review the basics of TCP/IP online. A good starting point for this review is www.w3schools.com/tcpip/default.asp.

5. When you have finished reviewing the capture, close Wireshark.

Criteria for Completion

You have completed this task when you have downloaded and installed Wireshark, the protocol analyzer, performed a capture, and reviewed the capture data.
