Introduction
Computers attached to a network communicate using network protocols: data is broken into packets and exchanged according to strict protocol rules. Most of these "conversations" are invisible to the user of a networked system and show up only as a spinning hourglass while the user waits for data to arrive in a web browser or other application.
A network packet analyzer makes those protocols visible by capturing the packets on the wire and letting an administrator examine what is actually being exchanged. Ethereal is a free, open source packet analyzer (the project has since been renamed Wireshark). It can be used to troubleshoot network connections, investigate security problems such as cleartext credentials or unexpected traffic, and debug protocol implementations.
Ethereal provides several important features:
1. It is available for Windows, Linux and other Unix-like operating systems.
2. It can capture live packet data from a network interface placed in promiscuous mode, so that frames addressed to other hosts on the segment are captured as well. On a switched network such as this lab's, the switch forwards only broadcasts and traffic addressed to the capturing host to its port, so other hosts' unicast traffic is not seen unless a hub or a mirror port is used.
3. Data can be captured from Ethernet, Token Ring, FDDI, serial and 802.11 wireless interfaces on supported operating systems.
4. It displays and saves highly detailed protocol information from a captured session, which can then be exported to other analysis applications.
5. It filters and searches packets using criteria chosen by the user (capture filters limit what is recorded; display filters limit what is shown).
6. It can follow a TCP stream and display its reassembled ASCII contents, which can reveal valuable information when troubleshooting an HTTP, SMTP or POP3 server problem.
7. It can show detailed RPC statistics for a specific RPC program, general statistics for all programs, and a list of the programs supported.
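Feature 6, following a TCP stream, is easy to get wrong if segments are simply concatenated in the order they were captured. The following Python is an added example written for this page (it is not Ethereal's code): it reassembles one TCP connection from (source, destination, sequence number, payload) tuples by sequence number, discards retransmitted bytes, marks holes left by lost segments, and then pulls the FTP USER/PASS commands out of the client side, which is exactly what an analyst sees when following the control connection of an FTP login. The segments, endpoints, user name and password are constructed for the example.

```python
from collections import defaultdict


def follow_stream(segments):
    """Reassemble each direction of a TCP connection from captured segments.

    segments: iterable of (src, dst, seq, payload) where src/dst are any
    hashable endpoint labels and seq is the TCP sequence number of the
    payload's first byte. Returns {(src, dst): bytes}, one entry per direction.
    Bytes already reassembled are dropped when they arrive again
    (retransmissions); a hole left by a lost segment is marked in-line.
    """
    by_dir = defaultdict(list)
    for src, dst, seq, payload in segments:
        if payload:  # pure ACKs carry no data and contribute nothing
            by_dir[(src, dst)].append((seq, payload))
    streams = {}
    for direction, segs in by_dir.items():
        segs.sort()  # order by sequence number, not by capture order
        buf, expected = bytearray(), segs[0][0]
        for seq, payload in segs:
            end = seq + len(payload)
            if end <= expected:
                continue  # everything in this segment was already seen
            if seq < expected:
                payload = payload[expected - seq:]  # drop the overlapping prefix
            elif seq > expected:
                buf += b"[%d bytes missing]" % (seq - expected)  # lost segment
            buf += payload
            expected = end
        streams[direction] = bytes(buf)
    return streams


def ftp_credentials(client_stream):
    """Extract USER/PASS from the client half of an FTP control connection."""
    creds = {}
    for line in client_stream.decode("ascii", "replace").splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd.upper() in ("USER", "PASS"):
            creds[cmd.upper()] = arg
    return creds


# Constructed sample: an FTP login, captured out of order and with one
# retransmission. Endpoints are (ip, port); the credentials are made up.
CLIENT, SERVER = ("192.168.1.10", 1030), ("192.168.1.11", 21)
SEGMENTS = [
    (SERVER, CLIENT, 1, b"220 FTP server ready\r\n"),
    (CLIENT, SERVER, 1, b"USER alice\r\n"),
    (CLIENT, SERVER, 1, b"USER alice\r\n"),        # retransmitted copy
    (SERVER, CLIENT, 23, b"331 Password required\r\n"),
    (CLIENT, SERVER, 26, b"RETR secret.txt\r\n"),  # captured before PASS
    (CLIENT, SERVER, 13, b"PASS s3cr3t\r\n"),
    (SERVER, CLIENT, 46, b"230 Logged in\r\n"),
]

if __name__ == "__main__":
    streams = follow_stream(SEGMENTS)
    print(streams[(CLIENT, SERVER)].decode())
    print(streams[(SERVER, CLIENT)].decode())
    print(ftp_credentials(streams[(CLIENT, SERVER)]))
```

The reassembled client side reads USER, PASS, RETR in that order even though PASS was captured last, and the password is recovered in the clear; the same approach applies to HTTP, SMTP and POP3 sessions.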
LAB SETUP:
An Ethernet-based network was deployed using the following hardware:
1. Time Warner Cable Modem Broadband Internet connection.
2. Linksys WRT54G (ROUTER): wireless broadband router providing an internal firewall, Network Address Translation (NAT) and a 4-port Ethernet switch.

(RUBBLE): 1.8 GHz Gateway Tablet PC running Windows XP Tablet PC Edition.
IP address: 192.168.1.10, MAC address: 00-50-t8-88-Bc-08

(RASTAR): 866 MHz Dell laptop running Windows 2000.
IP address: 192.168.1.11, MAC address: 05-26-E8-6y-4r-3t

This Network Diagram displays a logical configuration for the network lab:

Eight protocols were captured during this lab:
1. ARP (Address Resolution Protocol) resolves IP addresses to MAC addresses: a host broadcasts a request asking which MAC address owns a given IP address, and the owner replies. [2]
This dialog box shows the captured ARP traffic:

2. TCP (Transmission Control Protocol) is one of the core protocols of the Internet protocol suite. Networked hosts establish connections and exchange data reliably over TCP. [3]
This dialog box shows the TCP traffic being captured. It also shows the beginning of a TCP three-way handshake: a SYN packet sent from 192.168.1.1 (Linksys ROUTER) and a SYN/ACK returned from 192.168.1.10 (RUBBLE); the handshake completes when the initiator answers with an ACK:

3. UDP (User Datagram Protocol) is a connectionless transport-layer protocol that offers no guarantee that data is delivered, delivered in order, or delivered only once; it is used where its low overhead matters more than reliability. [4]
This dialog box shows the UDP traffic captured when DNS (Domain Name System) was queried on UDP port 53 to resolve www.google.com to an IP address:

4. HTTP (Hypertext Transfer Protocol) is the underlying protocol of the World Wide Web. It defines how requests and responses are formatted and exchanged between client browsers and web servers. [5] Because plain HTTP is not encrypted, everything in the session, including login credentials, crosses the wire in cleartext; HTTP Basic authentication only base64-encodes the username and password, so anyone capturing on the segment can recover them from the Authorization header.
This dialog box shows the HTTP traffic captured while logging into the Linksys broadband router's web-based administration interface:

5. HTTPS (Hypertext Transfer Protocol Secure) is HTTP carried over an encrypted SSL/TLS connection, normally on TCP port 443; it is used to reach a secure web server where server authentication and encrypted communication are required. [6] In a capture the TCP handshake and the SSL/TLS handshake are visible (the SSL/TLS versions in use at the time sent the server certificate in the clear), but the HTTP requests and responses themselves are encrypted and cannot be read by the analyzer.
This dialog box shows the captured HTTPS traffic:

6. FTP (File Transfer Protocol) is used for transferring files between hosts. The control connection uses TCP port 21 and, in active mode, the server opens the data connection from TCP port 20. [7] FTP sends the USER and PASS commands, and the file contents, in cleartext, so following the control stream in the analyzer exposes the login credentials.
This dialog box shows the captured FTP traffic:

7. SMB (Server Message Block) is the protocol, best known from Windows file sharing, that allows client applications to read and write files on remote shares and to request services from server programs over the network. [8]
This dialog box shows the captured SMB traffic:

8. ICMP (Internet Control Message Protocol) is used to report network errors, congestion and timeouts and to assist in troubleshooting. The ping program uses ICMP Echo Request and Echo Reply messages. [9]
This dialog box shows the captured ICMP traffic:
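To show what the analyzer is decoding in the dialog boxes above, here is an added example written for this page (not part of the lab and not Ethereal's code) in Python: a minimal decoder for Ethernet II frames carrying ARP, or IPv4 with TCP, UDP (extracting the DNS question name when port 53 is involved) or ICMP, plus a function that pairs each SYN with the SYN/ACK that acknowledges it (acknowledgement number equal to the SYN's sequence number plus one), which is the check behind the handshake described under TCP. The sample frames are constructed inside the block with small builder functions; the MAC addresses, ports and sequence numbers are made up, the IP addresses are the lab's, and checksums are left at zero because the decoder does not verify them.

```python
import struct

ETH_ARP, ETH_IP = 0x0806, 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))


def mac_str(b): return "-".join(f"{x:02X}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split("-"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))


# Builders used only to construct the sample frames (checksums left at 0).
def eth(dst, src, etype, payload):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", etype) + payload

def ipv4(src, dst, proto, payload, ttl=64):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                       proto, 0, ip_bytes(src), ip_bytes(dst)) + payload

def tcp(sport, dport, seq, ack, flags):  # 20-byte header, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def arp(op, sha, spa, tha, tpa):  # Ethernet/IPv4 ARP: 8-byte header + SHA, SPA, THA, TPA
    return (struct.pack("!HHBBH", 1, ETH_IP, 6, 4, op) + mac_bytes(sha) + ip_bytes(spa)
            + mac_bytes(tha) + ip_bytes(tpa))

def dns_query(name):  # standard query with one A question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def dns_qname(msg):
    """First question name of a DNS message (query names are not compressed)."""
    labels, i = [], 12  # skip the 12-byte DNS header
    while msg[i]:
        labels.append(msg[i + 1:i + 1 + msg[i]].decode("ascii"))
        i += 1 + msg[i]
    return ".".join(labels)


def decode_frame(frame):
    """Summarise one Ethernet II frame as a dict of the fields the lab looked at."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    out, body = {"src_mac": mac_str(src), "dst_mac": mac_str(dst)}, frame[14:]
    if etype == ETH_ARP:  # skip hw/proto type and lengths, read opcode and addresses
        op, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", body[:28])
        out.update(proto="ARP", op={1: "request", 2: "reply"}.get(op, op),
                   sender_mac=mac_str(sha), sender_ip=ip_str(spa),
                   target_mac=mac_str(tha), target_ip=ip_str(tpa))
        return out
    if etype != ETH_IP:
        out["proto"] = f"ethertype 0x{etype:04x}"
        return out
    ihl, ttl, l4 = (body[0] & 0x0F) * 4, body[8], body[9]  # header length, TTL, protocol
    out.update(src_ip=ip_str(body[12:16]), dst_ip=ip_str(body[16:20]), ttl=ttl)
    seg = body[ihl:]
    if l4 == PROTO_TCP:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
        out.update(proto="TCP", sport=sport, dport=dport, seq=seq, ack=ack,
                   flags="/".join(n for bit, n in TCP_FLAGS if off_flags & bit))
    elif l4 == PROTO_UDP:
        sport, dport = struct.unpack("!HH", seg[:4])
        out.update(proto="UDP", sport=sport, dport=dport)
        if 53 in (sport, dport):  # DNS payload follows the 8-byte UDP header
            out["dns_qname"] = dns_qname(seg[8:])
    elif l4 == PROTO_ICMP:
        out.update(proto="ICMP", type={8: "echo request", 0: "echo reply"}.get(seg[0], seg[0]))
    return out


def find_handshakes(frames):
    """Pair each SYN with the SYN/ACK that answers it: reversed endpoints and
    an acknowledgement number equal to the SYN's sequence number plus one."""
    tcp_frames = [d for d in map(decode_frame, frames) if d.get("proto") == "TCP"]
    pairs = []
    for syn in (d for d in tcp_frames if d["flags"] == "SYN"):
        for rep in (d for d in tcp_frames if d["flags"] == "SYN/ACK"):
            if ((rep["src_ip"], rep["sport"], rep["dst_ip"], rep["dport"])
                    == (syn["dst_ip"], syn["dport"], syn["src_ip"], syn["sport"])
                    and rep["ack"] == syn["seq"] + 1):
                pairs.append((f"{syn['src_ip']}:{syn['sport']}", f"{rep['src_ip']}:{rep['sport']}"))
    return pairs


# Constructed sample frames: the lab's IP addresses with made-up MAC addresses.
ROUTER, RUBBLE = ("192.168.1.1", "00-11-22-33-44-01"), ("192.168.1.10", "00-11-22-33-44-10")
FRAMES = [
    eth("FF-FF-FF-FF-FF-FF", RUBBLE[1], ETH_ARP, arp(1, RUBBLE[1], RUBBLE[0], "00-00-00-00-00-00", ROUTER[0])),
    eth(RUBBLE[1], ROUTER[1], ETH_ARP, arp(2, ROUTER[1], ROUTER[0], RUBBLE[1], RUBBLE[0])),
    eth(ROUTER[1], RUBBLE[1], ETH_IP, ipv4(RUBBLE[0], ROUTER[0], PROTO_TCP, tcp(1025, 80, 1000, 0, 0x02), ttl=128)),
    eth(RUBBLE[1], ROUTER[1], ETH_IP, ipv4(ROUTER[0], RUBBLE[0], PROTO_TCP, tcp(80, 1025, 5000, 1001, 0x12))),
    eth(ROUTER[1], RUBBLE[1], ETH_IP, ipv4(RUBBLE[0], ROUTER[0], PROTO_UDP, udp(1026, 53, dns_query("www.google.com")), ttl=128)),
    eth(ROUTER[1], RUBBLE[1], ETH_IP, ipv4(RUBBLE[0], ROUTER[0], PROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping", ttl=128)),
]

if __name__ == "__main__":
    for f in FRAMES:
        print(decode_frame(f))
    print("handshakes:", find_handshakes(FRAMES))
```

Running the block prints one summary per frame (ARP request and reply, SYN, SYN/ACK, the DNS query for www.google.com, an ICMP echo request) and then the single handshake pairing 192.168.1.10:1025 with 192.168.1.1:80. A real capture would be fed in as the raw frame bytes from a pcap file instead of the constructed FRAMES list.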

Several websites were pinged. The TTL (time to live) value in each echo reply, compared with the common default initial values (64 on Linux, 128 on Windows), gives a rough indication of the remote operating system and of the number of hops the reply crossed:
www.garyneubauer.org, a Linux server (TTL = 47)
www.hotmail.com, server unknown (TTL = 53)
vspacelab.seoassault.com, a Microsoft IIS server (TTL = 119)
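The TTL reasoning above can be made explicit. The following Python is an added example written for this page (not from the lab): it parses the reply lines the Windows ping command prints, maps each observed TTL to the nearest common default initial TTL and a hop count, and labels the likely operating-system family. The addresses and round-trip times in the sample output are constructed; the three TTL values are the ones the lab observed.

```python
import re

# Common default initial TTLs. Real deployments vary (tuned kernels, and proxies
# or load balancers answering for the server), so the result is a hint, not proof.
DEFAULT_TTLS = {
    64: "Linux, BSD, macOS and most Unix-like systems",
    128: "Windows",
    255: "Cisco IOS, Solaris and some other network devices",
}

# Reply lines as printed by the Windows ping command ("time=28ms" or "time<1ms").
PING_REPLY = re.compile(
    r"Reply from (?P<ip>[\d.]+): bytes=\d+ time[=<](?P<ms>\d+)ms TTL=(?P<ttl>\d+)")


def infer_initial_ttl(observed):
    """Return (initial_ttl, hops, os_guess) for a TTL seen in a reply.

    The sender's initial TTL is taken to be the smallest common default that is
    not below the observed value; each router on the path decrements it by one,
    so the difference is the hop count. A value just above a default (e.g. 66)
    would imply an implausible 62-hop path and usually means the sender uses a
    non-default initial TTL.
    """
    if not 0 < observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    initial = min(t for t in DEFAULT_TTLS if t >= observed)
    return initial, initial - observed, DEFAULT_TTLS[initial]


def fingerprint_ping_output(text):
    """Parse ping output and attach a TTL-based guess to each replying address."""
    results = {}
    for m in PING_REPLY.finditer(text):
        ttl = int(m["ttl"])
        initial, hops, guess = infer_initial_ttl(ttl)
        results[m["ip"]] = {"ttl": ttl, "initial_ttl": initial, "hops": hops,
                            "rtt_ms": int(m["ms"]), "guess": guess}
    return results


# Constructed sample output (documentation addresses, made-up round-trip times);
# the TTL values are the three observed in the lab.
SAMPLE_PING = """\
Reply from 192.0.2.10: bytes=32 time=88ms TTL=47
Reply from 192.0.2.20: bytes=32 time=35ms TTL=53
Reply from 192.0.2.30: bytes=32 time=60ms TTL=119
Request timed out.
"""

if __name__ == "__main__":
    for ip, r in fingerprint_ping_output(SAMPLE_PING).items():
        print(f"{ip}: TTL {r['ttl']} -> initial {r['initial_ttl']}, "
              f"about {r['hops']} hops, {r['guess']}")
```

For the lab's values this yields 64/17 hops for TTL 47 and 64/11 hops for TTL 53 (both consistent with a Unix-like default) and 128/9 hops for TTL 119 (consistent with a Windows host, which agrees with the IIS observation); a TTL of 53 alone therefore cannot distinguish between Linux and other 64-default systems.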

Conclusion
Network traffic sniffing and packet capture are very useful for analyzing and diagnosing network topologies, TCP handshake behaviour and the inner workings of networked devices. Ethereal is a robust open source application that helps the security administrator solve network-related problems with solutions backed by what was actually observed on the wire rather than by guesswork.
Bibliography
1. Ethereal Website– Frequently Asked Questions (FAQ link) –
http://www.ethereal.com/faq.html
2. ARP – Address Resolution Protocol – Gorry Fairhurst
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html
3. TCP – Transmission Control Protocol – Wikipedia website
http://en.wikipedia.org/wiki/Transmission_Control_Protocol
4. UDP – User Datagram Protocol – Gorry Fairhurst
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html
5. HTTP – Hypertext Transfer Protocol – Webopedia
http://www.webopedia.com/TERM/H/HTTP.html
6. HTTPS – Hypertext Transfer Protocol Secured – Globalscape Secure FTP Server Website
http://help.globalscape.com/help/secureserver3/HTTPS1.htm
7. FTP – File Transfer Protocol – Webopedia
http://www.webopedia.com/TERM/F/FTP.html
8. SMB – Server Message Block Protocol - SearchNetworking.com Website
http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci214214,00.html
9. ICMP – Internet Control Message Protocol – eLook.org Website
http://www.elook.org/internet/81.html