NETWORK ANALYSIS WITH OPEN SOURCE.pdf
Bachelor's thesis (TUAS)
Information Technology
Network Technology
2016

Jeewan Bhusal

NETWORK ANALYSIS WITH OPEN SOURCE PACKET ANALYZERS - CASE: WIRESHARK

BACHELOR'S THESIS | ABSTRACT
TURKU UNIVERSITY OF APPLIED SCIENCES
Information Technology | Network Technology
May 2016 | 72
Instructor: Ossi Väänänen

Jeewan Bhusal
NETWORK ANALYSIS WITH OPEN SOURCE PACKET ANALYZERS - CASE: WIRESHARK

Computer networking is a field that grows every day, and networking has made life easy. This world-wide computer network is accessed by more than 3 billion people in the world. The growth rate is quick, and this shows the complexity of the internet world. Defense research in the USA gave birth to ARPANET, which later created protocols to link two different computers. This creation is called the TCP/IP protocols, and this is how the internet was born. Computers are connected in different topologies in a network, and they communicate because of network protocols. Small home and office networks, local area networks (LAN) of computers, then become linked with wide area networks (WAN).

In this thesis, the architecture of computer networks is studied together with packet analysis. Packet analysis is carried out with the open source packet analyzer "Wireshark". This thesis also focuses on the security challenges of a network and presents some solutions. Wireshark can play an important role in keeping the network secure and fully operational. Wireshark helps in analyzing the network and its protocols, troubleshooting the network and preventing attacks.
KEYWORDS: Wireshark, TCP/IP, Packet analyzer, computer network, network security, protocols, packet capture, network attacks, sniffing, tapping, network analyzer

CONTENTS
LIST OF FIGURES 5
LIST OF ABBREVIATIONS (OR) SYMBOLS 7
1 INTRODUCTION 9
2 DATA NETWORK 11
2.1 OSI Network Architecture 11
2.2 TCP/IP Network Architecture 12
2.3 Hybrid model 13
2.3.1 Physical layer 14
2.3.2 Link layer/Data Link layer 14
2.3.3 Network layer 15
2.3.4 Transport layer 15
2.3.5 Application layer 16
2.4 End-to-end principle 17
3 SECURITY PERSPECTIVES IN NETWORKING 19
3.1 AIC Triad 19
3.1.1 Availability 19
3.1.2 Integrity 20
3.1.3 Confidentiality 20
3.2 Network Attacks 20
3.2.1 ARP spoofing 21
3.2.2 PORT Flooding 22
3.2.3 DNS spoofing 23
3.2.4 Session hijacking 25
3.2.5 Man-in-the-Middle attack 26
4 NETWORK ANALYZERS 28
4.1 Meaning and Features 28
4.2 Common Uses 29
4.3 Famous Network Analyzers 29
4.3.1 Wireshark 29
4.3.2 tcpdump 30
4.3.3 Cain & Abel 30
4.3.4 Colasoft Capsa 31
4.3.5 General comparison 31
4.3.6 More description on analyzers 32
5 WIRESHARK 33
5.1 Installation process and getting started 33
5.2 Graphical User Interface (GUI) of Wireshark 35
5.3 Wireshark customization 41
5.4 Controlling Capture with Filter 43
5.5 Other features of Wireshark 46
6 TRAFFIC ANALYSIS WITH WIRESHARK 48
6.1 Where to capture data 48
6.1.1 Using a Hub 48
6.1.2 Switched and Routed environment 48
6.2 Investigating Protocols 51
6.2.1 IP 51
6.2.2 ARP 52
6.2.3 TCP 55
6.2.4 HTTP 57
6.2.5 ICMP 58
6.3 Network security with network analyzers 59
6.3.1 Network troubleshooting 60
6.3.2 Discovering malicious traffic patterns 61
6.3.3 Network Forensics 62
7 CONCLUSION 69
REFERENCES 70

LIST OF FIGURES
Figure 1. Example of computer network 10
Figure 2. Layers of OSI Model 12
Figure 3. Hybrid network model 14
Figure 4. ARP request and ARP reply 17
Figure 5. ARP Spoofing 22
Figure 6. DNS cache poisoning using ID spoofing method 25
Figure 7. Man-in-the-middle attack 27
Figure 8. Wireshark GUI Screenshot 30
Figure 9. Selecting an interface to start packet capture 35
Figure 10. The Main Window 36
Figure 11. The Menu 36
Figure 12. The main toolbar 38
Figure 13. The filter toolbar 39
Figure 14. The packet list pane 39
Figure 15. The packet details pane 40
Figure 16. The packet bytes pane 40
Figure 17. The initial empty Status bar 41
Figure 18. The Status bar after a capture is loaded 41
Figure 19. The coloring rules dialog box 42
Figure 20. Colors used in Wireshark 43
Figure 21. An example of ICMP capture filter used in Capture interfaces dialog box 45
Figure 22. Capture Modes 50
Figure 23. The IP header of the source packet 52
Figure 24. ARP request captured in Wireshark 54
Figure 25. ARP reply captured in Wireshark 54
Figure 26. TCP connection and header captured in Wireshark 56
Figure 27. HTTP Get request packet 57
Figure 28. HTTP packets captured in Wireshark 57
Figure 29. ICMP packets captured in Wireshark 59
Figure 30. Traffic using nonstandard port 62
Figure 31. Duplicate IP addresses captured by Wireshark during ARP attack 63
Figure 32. ICMP redirection packet showing better path 64
Figure 33. ACK scanning to attack TCP ports 65
Figure 34. Xmas Scan 65
Figure 35. FIN-ACK scanning 66
Figure 36. TCP-SYN scan 66
Figure 37. Unsuccessful password cracking attempt 67

LIST OF TABLES
Table 1. Layers of TCP/IP network model 13
Table 2. Characteristic comparison of Wireshark, tcpdump, Cain & Abel, Colasoft Capsa 31
Table 3. Examples of Capture Filters 45
Table 4. Wireshark Filter expression operators and some display filters 46

LIST OF ABBREVIATIONS (OR) SYMBOLS
LAN Local Area Network
WAN Wide Area Network
HAN Home Area Network
CAN Campus Area Network
NIC Network Interface Card
PAN Personal Area Network
MAN Metropolitan Area Network
OSI Open System Interconnection
ISO International Organization of Standardization
TCP Transmission Control Protocol
IP Internet Protocol
RIP Routing Information Protocol
OSPF Open Shortest Path First
ICMP Internet Control Message Protocol
IPsec Internet Protocol Security
ARP Address Resolution Protocol
UDP User Datagram Protocol
HTTP Hyper Text Transfer Protocol
FTP File Transfer Protocol
URL Uniform Resource Locator
DNS Domain Name System
MAC Media Access Control
SSL Secure Sockets Layer
SSH Secure Socket Shell
TLS Transport Layer Security
GUI Graphical User Interface
CAM Content Addressable Memory
RR Resource Records
HTTPS HTTP Secure
MITM Man-in-the-Middle
BPF Berkeley Packet Filter
IDS Intrusion Detection System
IPS Intrusion Prevention System
DoS Denial-of-Service
IPv4 Internet Protocol version 4
TTL Time to Live
IPv6 Internet Protocol version 6
SMTP Simple Mail Transfer Protocol
POP Post Office Protocol
CSV Comma-Separated Values
DDoS Distributed Denial-of-Service
SNMP Simple Network Management Protocol
TAP Test Access Point
NAC Network Access Control
No. Number

1 INTRODUCTION

In the world of information technology, networking has become an essential part of our daily lives.
A computer network is the interconnection of different computers by a single technology. Protocols, hubs, cabling, switches, routers and network management software all play a vital role in constructing a network. Topology, protocol and architecture are the key characteristics of a network. Local area networks (LANs), home area networks (HANs), campus area networks (CANs) etc. are linked together in a geometric arrangement or topology, with a common set of rules or protocols, using a network architecture such as peer-to-peer or client/server. In fact, these networks, millions of computers connected together on a global scale, form the Internet, the network of networks.

Computer networks always carry a high risk of security problems, such as spyware injection, malware, configuration errors and other network attacks. However, to understand real problems in a network and to solve them, it is important to go down to the packet level. It is believed that all network problems rise from the packet level, and this is where packet analysis plays a big role in computer networks. Network analysis, protocol analysis or simply sniffing are other names for packet analysis. In general, it is defined as the process of capturing the live data flow in the network and analyzing the result to see what is happening on that network. The Network Interface Card (NIC) is switched to promiscuous mode to listen to all traffic. This mode makes it possible to collect raw binary data from the wire. The collected raw data is converted into readable form, which is finally analyzed. Packet-sniffing software or programs are used to analyze the network and are also known as packet analyzers, network analyzers or packet sniffers. Some examples of such software are tcpdump, OmniPeek and Wireshark. Packet analyzers are quite useful for detecting bugs and errors in a network and help to monitor the network efficiently.
Wireshark is chosen for this thesis because it is user-friendly, free and considered one of the leading programs on the market. The main purpose of the thesis is to understand how computer networks operate and what the security issues in a network are, to see them through the eyes of network analyzers, and to discuss how to improve network security. Similarly, this thesis covers installation and getting started with Wireshark, along with its customization to get the maximum benefit from the program. It also explains how to capture data and how to find network leakage and connectivity issues. Furthermore, this thesis investigates some of the widely used protocols such as TCP/IP and HTTP and their communication strategy.

This thesis consists of 7 chapters. Chapter 1 is an introduction to the topic and an explanation of the thesis's target. Chapter 2 discusses the data network and its features, three different layered architectures of computer communication, and sums up with some network connection principles. Chapter 3 defines and describes network analyzers, their uses and characteristics, and includes a brief comparison between some well-known packet analyzers. Chapter 4 points out the security issues in computer networks; it discusses the importance of protecting every bit of information and explains a few possible attacks in a network. Chapter 5 mainly focuses on Wireshark: its initial setup, some useful rules in the program, customizing it as needed, and the possible benefits of built-in features such as Expert Info and I/O graphs. Chapter 6 continues Chapter 5 on Wireshark; however, this chapter describes where to place Wireshark in a network and gives a detailed investigation of important protocols and their operation. It ends by discussing network troubleshooting and some practical examples of attacks captured in the network.

TURKU UNIVERSITY OF APPLIED SCIENCES THESIS | Jeewan Bhusal
Finally, Chapter 7 concludes this thesis.

Figure 1. Example of computer network

2 DATA NETWORK

A data network is also known as a computer network. A set of computers connected in a network via cables or radio waves to share information or data is called a data network. Computers on a network are called nodes. A computer network provides many advantages such as resource sharing, exchanging emails, internet access, IP phones, video conferences and many more. Examples of computer networks are the personal area network (PAN), local area network (LAN), metropolitan area network (MAN) and wide area network (WAN). In order to connect two computers, we depend on topologies. In general, a topology is a way to connect two computers in some structure, design or arrangement. Examples of topologies are point-to-point, bus topology, star topology, mesh topology and more. This thesis is about traffic analysis, so our main focus is on how computers communicate rather than how they are connected.

Networking is quite complex because of software, cables, physical devices and electric pulses. As a result, network communication is divided into layers. Layers are built on top of each other. These multiple layers exchange data; each layer performs a certain duty, but they are independent of each other. Each layer contains a set of protocols, or rules, for communication. This mix of layers and protocols for communication builds the network architecture. In order to clearly understand computer communication, three different network architectures are introduced in this thesis. However, a detailed explanation of all the layers is only given for the hybrid model. In a layered network architecture the whole networking process is divided into small tasks. Each layer performs only one task. If a layer at the bottom starts the process, it is passed on to the layer above it, and vice versa.
Generally, the task is started by the topmost or the lowest layer and is passed to the next layer, and so on through all the other layers present in that model.

2.1 OSI Network Architecture

The OSI model (Open System Interconnection) was developed by the International Organization of Standardization (ISO) and is also known as the ISO-OSI model. This model can be used for any open connection. However, the OSI model is no longer considered a recommended standard, and developers are not required to follow it exactly. This model has seven layers, and each layer performs a specific function. However, this model does not tell which exact protocols are to be used. The OSI model is criticized because it was planned theoretically, assigning a certain function to each layer before the protocols were even invented. The top three layers are difficult to understand clearly and hardly have a precise meaning.

Figure 2. Layers of OSI Model

2.2 TCP/IP Network Architecture

TCP/IP (Transmission Control Protocol/Internet Protocol) is also known as the Internet protocol suite. The name of this model comes from its 2nd and 3rd layers, i.e. Transmission Control Protocol (TCP) from the transport layer and Internet Protocol (IP) from the Internet layer. This model does not fulfil the three concepts in networking, namely services, interfaces and protocols. It is also becoming harder for this model to describe new networks using new technologies. In general, it is suitable for the TCP/IP protocol stack only. It was the invention of ARPANET. This reference model was made after the invention of the TCP/IP protocols.

Table 1. Layers of TCP/IP network model
Layer 4 Application layer
Layer 3 Transport layer
Layer 2 Internet layer
Layer 1 Host-to-network layer

2.3 Hybrid model

The OSI model and the TCP/IP model have both been criticized and have some problems.
In today's scenario, a hybrid form of the OSI and TCP/IP models is used, known as the hybrid reference model or the hybrid TCP/IP-OSI reference model. In this model, the host-to-network layer of the TCP/IP model is replaced with the data link and physical layers of the OSI model, and the other three layers of TCP/IP are used as they are, making it a five-layered model. The physical layer added in this model is responsible for bit transmission through wired or wireless media. For instance, Bluetooth communication cannot be described using the TCP/IP model, but this model can also explain wireless transmission.

Application programs on different computers cannot communicate directly. In order to communicate, they use the layered communication principle, or layered network model, through the encoding and decoding process. For example, when an HTTP request is made by a host, the request is encapsulated into a TCP segment, an IP packet and a frame, and this information travels through the physical transmission medium and is received by the other end. The de-encapsulation process occurs at the receiving end, the web server in this scenario: the information is passed from the lower layers to the next-higher layer. The five layers of this model are described below.

Figure 3. Hybrid network model

2.3.1 Physical layer

The physical layer is the base of networking, networks and their layers. The main duty of this layer is to transmit a raw bit stream over a communication channel. Two devices can communicate because of this layer, which acts as the medium for information transmission. The physical layer has different roles such as establishing and breaking a connection, moving bits between devices, placing the signal on the cable and many more.

2.3.2 Link layer/Data Link layer

The data link layer is the 2nd layer of the hybrid model. This layer generates and transmits frames from one end to the other.
At the receiving end, this layer receives data from the physical layer in the form of electrical signals, converts them into frame format and passes it to the layer above. At the sending end, this layer receives IP packets from the network layer and encapsulates them into frames. Framing uses the physical address, or MAC address, of the host to make it unique. Sometimes bits of information can be lost in physical transmission; therefore, this layer also performs error detection and recovers lost bits. It also helps to control the speed of data exchange between machines with differing speeds, which is called flow control.

2.3.3 Network layer

Layer 3 in the hybrid model is called the network layer. This layer plays a vital role in network addressing, internetworking and managing sub-networks. The network layer delivers information in packets from source to destination and maps addresses and protocols. This process of delivering packets to a destination in a different network or subnet is called routing, and routers are used to connect these networks. At the sending end, it forwards data in packets containing source and destination ports and addresses to the link layer. Similarly, at the receiving end, this layer checks the host address and forwards the packet to the transport layer. In a network, every machine has to have a unique address. This unique address is called the Internet Protocol (IP) address. Currently, two versions of IP exist, i.e., IPv4 and IPv6. When a host receives the IP address of its destination host, it forwards all its packets through a gateway. A gateway is simply a router which contains a routing table, and data reaches the destination with the help of this table. This gateway router sends the packet to the next router, which also follows its routing table to reach the destination within any subnet. Routing is a complex world in itself.
This layer has routing protocols such as RIP (Routing Information Protocol) and OSPF (Open Shortest Path First), and several other protocols for security and better control such as ICMP (Internet Control Message Protocol), IPsec (Internet Protocol Security) and ARP (Address Resolution Protocol).

2.3.4 Transport layer

Layer 4 of the hybrid model is called the transport layer. This layer provides peer-to-peer and end-to-end connections and exchanges data as segments and datagrams. The main task of this layer is to establish communication between application programs installed on two different computers in the network. In addition, it ensures error-free transmission of data in the proper order, marked with sequence numbers. Similarly, to process the data uniquely, every application program is marked with a port number. In the transport layer, every unit of data must contain the sending and receiving port numbers. For instance, port number 53 is used for communication between a client and a DNS server, and port 80 is used to communicate with a web server. Thus, this layer tries to provide error-free transmission and flow control, and also maintains the quality of service.

The transport layer has two main protocols: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP provides a reliable connection. This protocol is reliable and connection-oriented, checks for errors, performs re-transmission and maintains the order of the data sent. TCP uses the three-way handshake method for connection, and the actual data is sent only after this handshake succeeds between the two hosts. UDP, however, is an unreliable transport protocol. It is connectionless and does not maintain any order of data, but it is easy to process. UDP is really useful for streaming voice and video traffic, where even the loss of a few packets goes unnoticed. TCP and UDP communication happens through sockets, the unique end points in the network.
Hosts use the combination of IP address and port number to deliver data segments to the correct network socket. The port numbers between 0 and 1023 contain some of the well-known ports and are reserved as system ports. Ports 1024 to 49151 are reserved as user ports. A user device randomly generates a unique port number from the user ports during TCP communication.

2.3.5 Application layer

The application layer is the top layer of this model. A user fires a query directly or indirectly in an application program, and this layer, with the help of the layers below it, transfers the encapsulated data to the remote host. However, not every user application can be considered an application layer program. For instance, a text editor does not interact with the communication system, so it is not included as an application of the application layer. The whole idea is the interaction between an application on one host and another application on another host through a communication channel. The application programs on a user device use the protocols of the application layer to communicate. For example, a web browser is an application program which uses HTTP (Hyper Text Transfer Protocol) to connect to a web server. Similarly, software like FileZilla, used to upload files, uses the File Transfer Protocol (FTP) of the application layer. The World Wide Web and email are also useful applications of the internet. The World Wide Web is the storehouse for files of different formats like video, images, games etc. This web store can be accessed by entering a URL (Uniform Resource Locator) or domain name in a web browser, which is converted into an IP address by the Domain Name System (DNS) protocol of the application layer to access the resource. Numeric IP addresses are confusing and hard to remember for humans. Therefore, domain names are used to address a particular resource in the network, such as www.turkuamk.fi.
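As an added example (not part of the thesis), the encapsulation of Section 2.3 carried through all five layers of the hybrid model in Python: an HTTP GET is wrapped into a TCP segment, an IPv4 packet and an Ethernet frame using the real header layouts and checksums, and then unpacked again at the receiving end in the order Wireshark's protocol tree lists the layers. The MAC addresses, IP addresses, ports and request are constructed sample values.

```python
import struct

# Constructed sample values (not from a real capture). The IP addresses are
# taken from the RFC 5737 documentation ranges.
SRC_MAC = bytes.fromhex("001122334455")          # client NIC
DST_MAC = bytes.fromhex("66778899aabb")          # default gateway NIC
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.20"
SRC_PORT, DST_PORT = 40000, 80                   # user port -> well-known HTTP port
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_PSH_ACK = 0x18                               # PSH (0x08) | ACK (0x10)

HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.turkuamk.fi\r\n\r\n"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; verifies to 0 on valid data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def tcp_pseudo_header(src_ip: str, dst_ip: str, length: int) -> bytes:
    """Pseudo-header covered by the TCP checksum (RFC 793)."""
    return ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, PROTO_TCP, length)


def build_tcp(payload: bytes, seq: int, ack: int) -> bytes:
    """Transport layer: application data becomes a TCP segment (20-byte header)."""
    header = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, seq, ack,
                         5 << 4, TCP_PSH_ACK, 65535, 0, 0)   # offset 5 words, checksum 0
    pseudo = tcp_pseudo_header(SRC_IP, DST_IP, len(header) + len(payload))
    csum = inet_checksum(pseudo + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def build_ip(segment: bytes) -> bytes:
    """Network layer: the TCP segment becomes an IPv4 packet (20-byte header)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234,
                         0x4000, 64, PROTO_TCP, 0, ip_bytes(SRC_IP), ip_bytes(DST_IP))
    return header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:] + segment


def build_frame(packet: bytes) -> bytes:
    """Link layer: the IP packet becomes an Ethernet II frame (14-byte header)."""
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + packet


def physical_bits(frame: bytes) -> str:
    """Physical layer: the frame as the raw bit stream put on the wire."""
    return "".join(f"{byte:08b}" for byte in frame)


def encapsulate(http: bytes) -> bytes:
    """Sending side: HTTP -> TCP -> IP -> Ethernet, top layer first."""
    return build_frame(build_ip(build_tcp(http, seq=1, ack=1)))


def decapsulate(frame: bytes) -> dict:
    """Receiving side: peel the headers off from the bottom layer up, in the
    same order Wireshark lists them in its protocol tree (Ethernet first, HTTP last).
    Raises ValueError when a checksum does not verify."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    segment = packet[ihl:total_len]
    if inet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) != 0:
        raise ValueError("bad TCP checksum")
    sport, dport, seq, ack, offset, flags = struct.unpack("!HHIIBB", segment[:14])
    payload = segment[(offset >> 4) * 4:]
    return {"eth": (src.hex(":"), dst.hex(":")),
            "ip": (src_ip, dst_ip, proto),
            "tcp": (sport, dport, seq, flags),
            "http": payload.decode("ascii")}


if __name__ == "__main__":
    wire = encapsulate(HTTP_GET)
    print(f"{len(wire)} bytes, {len(physical_bits(wire))} bits on the wire")
    for layer, fields in decapsulate(wire).items():
        print(f"{layer:5} {fields}")
```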
2.4 End-to-end principle

In computer networks, one host can communicate with another host only if it knows the physical address of that host. ARP (Address Resolution Protocol) is the layer 2 protocol used to discover the physical address, commonly known as the MAC address. A MAC (Media Access Control) address is the hardware address of a network device. When a packet arrives at layer 2 with source and destination IP addresses, the link layer needs to forward the packet in a frame, for which it needs the source and destination MAC addresses. At first, ARP checks its ARP cache for the destination MAC address. The ARP cache is the table which maps IP addresses to MAC addresses. If it is not found in the cache, the host sends an ARP request to every host connected to its local network as a broadcast. The broadcast traffic is sent with the source IP, the destination IP, the source MAC address and the destination MAC address FF:FF:FF:FF:FF:FF, which means that the destination hardware address is unknown and this traffic is sent to every host in that network. The ARP request and reply process is shown in Figure 4.

Figure 4. ARP request and ARP reply

All the hosts in the network receive the ARP request. However, only the host which owns the requested destination address replies to the ARP request; the other hosts drop the broadcast frame. In the context of a remote host, the ARP request and reply process starts from the default gateway or router of the sending host and continues through all the routers between the source and destination hosts. After the ARP process, hosts update their ARP table/cache, which makes communication easier in the future. In the case of a packet analyzer such as Wireshark, the NIC (Network Interface Card) can be set to promiscuous mode, which can capture traffic not destined to the host running the software.
In an Ethernet network, packets would be dropped if the MAC addresses of the two ends were not exchanged. Basically, a MAC address is always needed to forward packets in frames at layer 2. To obtain the MAC address, ARP is an indispensable protocol of networking. This is how end-to-end communication between hosts starts. In Wireshark, when a capture starts, it begins with an ARP request and reply. Hence, the layered architecture of the network, its protocols, and the end-to-end principle become an important part of this thesis. In the protocol tree of Wireshark, the highest layer protocol is shown at the bottom and the lowest at the top, which can be seen during packet analysis. Protocol analysis using Wireshark is explained in Chapter 6.

3 SECURITY PERSPECTIVES IN NETWORKING

This chapter discusses security issues in a network from the perspective of network analyzers. Section 3.1 describes three key principles of protecting a network. Section 3.2 points out different possible attacks in a network, in which network analyzers can also be utilized.

3.1 AIC Triad

The concept of a secure system stands on the three principles of the security model. If these three principles are fulfilled, a system is considered secure. However, if any one of them is compromised, a system can face serious outcomes. These three crucial components of security are availability, integrity and confidentiality, known as the AIC triad or CIA triangle.

3.1.1 Availability

The concept of availability can be described as a guarantee of easy access to information by authorized users whenever they want it. In general, authorized users must be able to access information without any disturbance, at all times, and in the desired format. In order to make this happen, the system, the access channels and the authentication mechanisms should always be working.
It is always necessary to upgrade and update the system and maintain backups to protect against data loss, and the use of firewalls and proxy servers should be considered in a system to keep data available. The denial-of-service (DoS) attack and the distributed denial-of-service (DDoS) attack are the most common cyber-attacks against availability. In a DoS attack, the intruder crashes the system by sending floods of requests, which eventually makes the system unavailable. This results in a great loss of time and money. Many websites stop their operation temporarily and recover the system after suffering great losses, which directly impacts authorized users and compromises availability. In a DDoS attack, however, the attacker controls many computers and uses them to send false traffic requests, which directly denies service to real users. These types of attack can be hard to stop, but maintaining an updated system and being proactive by performing hardware repairs and using security software always helps.

3.1.2 Integrity

Integrity is another important principle for maintaining a secure system. Integrity is defined as the way of protecting stored data and preventing its modification or destruction by unauthorized users. In order to maintain integrity, data should not be easily accessible to anyone, and only authorized persons or network administrators should be permitted to modify and monitor stored data. Therefore, integrity plays a great role in providing accurate data with consistency and maintaining its trustworthiness. However, there are many cyber-attacks which can force systems to compromise the integrity aspect of network security. One of the main threats to integrity is code injection: SQL injection, cookie poisoning etc. can control and modify data. There are many viruses and worms on the internet which are intentionally designed by hackers to corrupt and leak data.
In order to maintain data integrity, physical access should only be granted to network administrators and system administrators. It can also be secured by preventing tapping, documenting administration procedures, using encryption and being prepared with recovery plans for virus attacks, server failures etc.

3.1.3 Confidentiality

The confidentiality concept in the AIC triad refers to privacy. In other words, the private information of an individual should not reach the wrong hands. For instance, credit card numbers and personal information should only be in the hands of the intended user. This kind of personal information is highly sensitive, and information in the wrong hands can result in anything from identity theft to big losses. Network analyzers are also used by hackers to compromise confidentiality by sniffing the network and stealing unencrypted data. There are many ways to protect the confidentiality of a user. Data encryption can be used to encrypt information and protect user IDs, passwords, credit card information and other personal information. Users can also be informed in advance and trained to protect themselves from many social engineering thefts.

3.2 Network Attacks

When we connect a computer to a network, we should be aware of the fact that we are not just using resources from the internet but are also open and prone to network attacks. Although the internet helps to make our daily life easy, the risk of digital theft is always high, and attackers, sniffers and hackers can always compromise the three basic principles of network connectivity, i.e. confidentiality, integrity and availability.

Network analyzers are also used in many network attacks. Many network applications and protocols send packets in clear text. Therefore, a network sniffer can easily steal sensitive information, such as user names, passwords and credit card information, from any database. Encryption is helping to keep this important information secure.
However, some applications still communicate in plain text, and a large amount of sensitive information can be lost simply by capturing packets on a local area network. Some packet sniffers also come with features for cracking encrypted passwords, recovering passwords from hashes and defeating other security mechanisms. Some common network attacks that use a packet sniffer are described below.
3.2.1 ARP spoofing
ARP spoofing is the poisoning of the Address Resolution Protocol (ARP), also known as ARP cache poisoning or ARP poison routing. ARP maps layer 3 IP addresses to layer 2 MAC addresses. When a host sends an IP packet to another host, it needs the MAC address of the next hop. If the sender and the receiver are in the same subnet, the next hop is the destination host itself; otherwise it is the gateway router. IP-to-MAC mappings are stored in the ARP cache. When two devices first communicate, the sender looks up the destination MAC address in its ARP table. If the entry is not there, the host broadcasts an ARP request to every host in the local network; the request carries the IP address of the next hop, and the machine that owns this IP address answers with a unicast ARP reply containing its MAC address. The mapping is then stored in the ARP table for future use. ARP is a stateless protocol: most implementations simply update their table when they receive an ARP reply, whether or not they sent a request for it. During ARP spoofing the attacker sends forged ARP requests and replies to the victim.
In this attack the attacker overwrites the victim's ARP cache entry with its own MAC address, so that the victim sends its packets to the attacker's machine, which now sits in the path as the apparent next hop. This is how the ARP cache is poisoned. In a switched network a packet analyzer is used together with ARP spoofing, because the switch otherwise delivers frames only to their destination port. Some sniffers, such as Cain & Abel and Ufasoft Sniff, have built-in features for this kind of poisoning. Sniffers can also be tapped into a part of the local area network to gather the IP and MAC addresses of hosts before the attack, which helps the attacker plan it. ARP spoofing is the usual first step towards man-in-the-middle attacks, denial-of-service attacks and session hijacking, and it is enough to steal almost any kind of information from the local network. The figure below shows an ARP poisoning attack and how network traffic is redirected by it.
Figure 5. ARP Spoofing
3.2.2 PORT Flooding
PORT flooding is also known as MAC flooding. A switch maps MAC addresses to its physical ports in the CAM (Content Addressable Memory) table and delivers a frame only to the port where the destination is known to be. The CAM table has limited memory and can therefore store only a limited number of MAC addresses. In this attack, an attacker connected to a switch port floods the switch with frames carrying a large number of fake source MAC addresses, until the switch cannot store any more entries and the CAM table overflows. The overflow pushes the switch into fail-open mode, in which it behaves like a hub: frames for addresses it cannot look up are flooded out of all ports instead of being sent only to the correct port.
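The two attacks above leave characteristic traces in the frames a sniffer sees: an ARP reply that answers no outstanding request, an IP-to-MAC binding that suddenly changes, or an explosion of distinct source MAC addresses on one segment. The following is an added example written for this section, not code from the thesis or from any of the tools it names. It parses raw Ethernet/ARP frames with the Python standard library and applies those three checks to a capture constructed in memory (the hosts, addresses and flood threshold are assumptions):

```python
"""Detect ARP cache poisoning and MAC (CAM table) flooding in raw Ethernet frames.

Added example for sections 3.2.1 and 3.2.2; it is not code from the thesis or from
any of the tools named there. Standard library only. The frames below are constructed
samples, and the hosts, MAC addresses and flood threshold are assumptions.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # destination MAC, source MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(o) for o in s.split("."))

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def build_arp(src_mac, dst_mac, oper, sha, spa, tha, tpa):
    """Constructed Ethernet + ARP frame (sample input, not captured traffic)."""
    eth = ETH_HDR.pack(mac(dst_mac), mac(src_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp

def parse_arp(frame):
    """Return (eth_src, oper, sender_mac, sender_ip, target_ip), or None for non-ARP frames."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, oper, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return fmt_mac(src), oper, fmt_mac(sha), fmt_ip(spa), fmt_ip(tpa)

def detect_arp_spoof(frames):
    """Alert on replies that answer no outstanding request (ARP is stateless, so victims
    accept them anyway) and on replies that change an IP-to-MAC binding seen earlier."""
    bindings = {}    # sender IP -> first MAC that claimed it
    pending = set()  # target IPs of requests not yet answered
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, oper, sha, spa, tpa = parsed
        if oper == ARP_REQUEST:
            pending.add(tpa)
            continue
        if oper != ARP_REPLY:
            continue
        if spa in pending:
            pending.discard(spa)
        else:
            alerts.append(f"unsolicited ARP reply: {spa} is-at {sha}")
        known = bindings.setdefault(spa, sha)
        if known != sha:
            alerts.append(f"ARP binding changed: {spa} was {known}, now {sha} (frame from {eth_src})")
    return alerts

def count_source_macs(frames):
    """Distinct Ethernet source addresses seen; a switch needs one CAM entry per value."""
    return len({ETH_HDR.unpack_from(f, 0)[1] for f in frames if len(f) >= ETH_HDR.size})

def detect_mac_flood(frames, threshold):
    """True when more source MACs appear than one access segment could plausibly hold."""
    return count_source_macs(frames) > threshold

GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = "00:11:22:33:44:01", "00:11:22:33:44:02", "de:ad:be:ef:00:01"
GATEWAY_IP, VICTIM_IP = "192.168.1.1", "192.168.1.10"
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

# Constructed capture: the victim resolves the gateway, the gateway answers, then the
# attacker injects a reply claiming the gateway's IP with its own MAC (as in Figure 5).
SAMPLE = [
    build_arp(VICTIM_MAC, BROADCAST, ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP),
    build_arp(GATEWAY_MAC, VICTIM_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(ATTACKER_MAC, VICTIM_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]

def flood_frames(n):
    """n ARP requests, each from a different source MAC, the way macof generates them."""
    frames = []
    for i in range(n):
        m = f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        a = f"10.{(i >> 16) & 0xff}.{(i >> 8) & 0xff}.{i & 0xff}"
        frames.append(build_arp(m, BROADCAST, ARP_REQUEST, m, a, ZERO_MAC, "10.0.0.1"))
    return frames

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE):
        print(alert)
    print("source MACs in sample:", count_source_macs(SAMPLE))
    print("flood detected:", detect_mac_flood(SAMPLE + flood_frames(5000), threshold=1024))
```

The binding check is what tools such as arpwatch do; in practice it should be seeded from a known-good table of gateway and server addresses, because the first reply seen may itself be the forged one. The MAC count is only an indicator and the threshold depends on the segment; a few thousand distinct source addresses on one access port within seconds is never legitimate.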
PORT flooding can be performed with several sniffer tools. Macof, part of the dsniff suite for Linux, sends frames with random source MAC and IP addresses to the switch, which is enough to fill its CAM table with fake entries. Yersinia is another popular tool for PORT flooding. Network sniffers become important to the attacker once the flooding succeeds, because the traffic is now flooded out of all ports and the attacker can capture all of it and read sensitive information from other machines. Protocols such as HTTP, TELNET, POP, SMTP and FTP are exposed to sniffers, so an attacker can read unencrypted passwords, e-mail and instant messages from the network.
3.2.3 DNS spoofing
The Domain Name System (DNS) is one of the most important protocols on the Internet. It is an application layer protocol implemented by a hierarchical collection of zone name servers that resolve domain names to IP addresses. IP addresses are hard for humans to remember, so domain names such as www.turkuamk.fi were introduced; computers, however, only use IP addresses such as 80.86.90.220, and DNS maps one to the other. A DNS client needs only a domain name typed into a web browser or mail client to reach a website or other resource, and the DNS server does the rest of the work of fetching the IP address for that query. Resolution starts with the local cache on the client's computer. A DNS server stores its database of name-to-IP mappings as resource records (RR). If the website has not been visited before, it is not in the client's local cache.
The query is then sent as a recursive query to the nearest (local) DNS server. This server also checks its cache; if there is no match, it queries a root DNS server. The name space is divided into zones with their own servers, such as the .com and .org servers. The root server does not resolve the name itself but refers the local DNS server to the servers of the right top-level zone, and the local server follows these referrals with iterative queries until the name is resolved. Finally the local DNS server returns the reply to the client, which connects to the IP address. The mapping is cached, so the local cache answers the same query directly in the future.
There are several ways of conducting DNS spoofing attacks, among them DNS cache poisoning, DNS ID spoofing and the birthday attack. The first two are the most widely used against DNS servers. In DNS cache poisoning the attacker targets the cache of a recursive (local) DNS server. DNS runs over UDP, so a response is not tied to a connection and the server does not authenticate who sent it. The attacker sends a query for a name to the local DNS server, which forwards it upstream as an iterative query, and at the same time races the legitimate answer by sending the local server forged responses that appear to come from the upstream server. If a forged response carries the right transaction ID and arrives at the right port before the real answer, the local server accepts it and caches the attacker's IP address for that name. Every client of that server is then directed to the attacker's fake website or login page. In this kind of attack the attackers create their own fake pages for banking websites, social networking sites, online shops and so on.
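Whether a forged answer is accepted comes down to a few checks a resolver makes on every UDP response. The following added example (not code from the thesis or from any DNS implementation) builds a DNS query and responses with the Python standard library, implements those checks, and counts how many forged responses get through when the attacker has sniffed the transaction ID versus when it must guess the 16-bit value blindly; the names, addresses, IDs and ports are constructed:

```python
"""Validate DNS responses the way a resolver must, to show what DNS ID spoofing and
cache poisoning depend on: a forged UDP response is accepted only if its transaction
ID, destination port and question all match the outstanding query.

Added example for section 3.2.3; it is not code from the thesis or from any DNS
software. Standard library only. The names, addresses, IDs and ports are constructed.
"""
import random
import struct

DNS_HDR = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name):
    """'www.example.test' -> b'\\x03www\\x07example\\x04test\\x00'."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.strip(".").split("."))
    return out + b"\x00"

def build_query(txid, name):
    return DNS_HDR.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def build_response(txid, name, ipv4, ttl=300):
    """Standard response with one A record; 0xC00C is a pointer back to the question name."""
    header = DNS_HDR.pack(txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + question + answer

def question_section(pkt):
    """Raw bytes of the (single) question that follows the header."""
    end = DNS_HDR.size
    while pkt[end] != 0:          # walk the length-prefixed labels
        end += pkt[end] + 1
    end += 1 + 4                  # root label, qtype, qclass
    return pkt[DNS_HDR.size:end]

def first_a_record(resp):
    """Dotted IPv4 from the first answer RR (assumes the RR name is a compression pointer)."""
    off = DNS_HDR.size + len(question_section(resp))
    _type, _cls, _ttl, rdlength = struct.unpack_from("!HHIH", resp, off + 2)
    return ".".join(str(b) for b in resp[off + 12:off + 12 + rdlength])

def validate_response(query, query_src_port, resp, resp_dst_port):
    """Return (accepted, reason); these are the checks a stub or recursive resolver applies."""
    if resp_dst_port != query_src_port:
        return False, "port mismatch"
    qid, _qflags, *_ = DNS_HDR.unpack_from(query, 0)
    rid, rflags, qdcount, *_ = DNS_HDR.unpack_from(resp, 0)
    if not rflags & 0x8000:
        return False, "QR bit not set"
    if rid != qid:
        return False, "transaction ID mismatch"
    if qdcount != 1 or question_section(resp) != question_section(query):
        return False, "question mismatch"
    return True, "accepted"

def spoof_attempts(query, src_port, name, fake_ip, attempts, known_id=None, seed=0):
    """Forge `attempts` responses for the victim's query and count how many get accepted.
    With known_id the attacker has sniffed the ID (for example after ARP spoofing); otherwise
    it guesses the 16-bit ID blindly, as in a remote cache-poisoning race."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(attempts):
        txid = known_id if known_id is not None else rng.randrange(65536)
        ok, _reason = validate_response(query, src_port, build_response(txid, name, fake_ip), src_port)
        accepted += ok
    return accepted

if __name__ == "__main__":
    q = build_query(0x1A2B, "www.turkuamk.fi")
    real = build_response(0x1A2B, "www.turkuamk.fi", "80.86.90.220")
    print("legitimate:", validate_response(q, 40000, real, 40000), first_a_record(real))
    print("sniffed ID, 1000 forgeries accepted:",
          spoof_attempts(q, 40000, "www.turkuamk.fi", "10.0.0.66", 1000, known_id=0x1A2B))
    print("blind guessing, 1000 forgeries accepted:",
          spoof_attempts(q, 40000, "www.turkuamk.fi", "10.0.0.66", 1000))
```

The simulation assumes the attacker already knows the source port; a resolver that also randomizes its UDP source port (standard since 2008) multiplies the search space by roughly 64,000 and is what makes blind poisoning impractical, while an attacker on the same LAN who can sniff the query, as in the ID spoofing case, still wins every time. DNSSEC removes the dependence on these matching checks altogether by signing the records.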
When a user reaches such a fake page and enters personal details such as user names and passwords, they are saved in the attacker's database, and the attacker can misuse the victim's identity, property and so on. The poisoned cache entry remains until it expires or is deleted. Every query sent to a DNS server carries a 16-bit transaction ID, which should be randomly generated; modern resolvers also randomize the UDP source port, so a forged response must match both values. In a DNS ID spoofing attack the attacker learns the ID by sniffing the query, for example after an ARP spoofing attack, and sends a DNS response back to the user pretending to be the DNS server. The attacker then acts as the DNS server towards the user and can mount phishing and other social engineering attacks to steal sensitive information, redirecting traffic from the user's machine to fake web pages. Packet analyzers play an important role in DNS spoofing: they let the attacker observe the traffic between the user and the DNS server and read or guess the query ID numbers. The attacker usually sits in the same network, studies the traffic flow by tapping the network and quickly replies to any query, and so controls the conversation between the user and the DNS servers. Some packet sniffers also have built-in features for DNS spoofing, among them the dsniff suite for Linux, Ettercap and Cain & Abel. The DNS cache poisoning attack using the ID spoofing method is shown in Figure 6.
Figure 6. DNS cache poisoning using ID spoofing method
3.2.4 Session hijacking
In this attack the attacker misuses an existing connection or session between two network devices. It is also known as cookie hijacking or HTTP cookie theft. When a device accesses web pages or other web resources, it connects over the HTTP protocol.
The web server and the browser on the user's side establish a session when the user connects to the server. HTTP itself is not a secure protocol; it communicates in plain text. Sensitive operations such as online banking, shopping and logging in are therefore tied to a session cookie: cookies are stored and exchanged by the web browser and the web server, and they track the user's activity. Session cookies are temporary and are usually deleted when the browser is closed. The session is identified by a unique session ID carried in the cookie, which the browser and server use to look up the user's state. When the cookie is transmitted over an encrypted connection (HTTPS, that is HTTP over SSL/TLS) it cannot be read by a sniffer. At the time of writing, however, many sites encrypt only the authentication step: after the login over HTTPS, the browser and server continue largely over plain HTTP, and the browser sends the session cookie with every request. An attacker who can see the user's traffic can therefore read the cookie and any other sensitive information.
There are several ways of performing this attack, and packet sniffers play a big role in all of them. The attacker uses a network analyzer to understand the traffic flow and to capture the session ID and cookies. Once the session ID is obtained it can be used to take over webmail or online banking sessions simply by including the stolen cookie in requests to the server. The main idea behind the attack is that the communication between the browser and the server is encrypted only during authentication, not for the whole session. Several tools perform session hijacking readily. Hamster and Ferret, for instance, are a pair of tools shipped with the BackTrack Linux distribution for this purpose. Another well-known example is Firesheep, an extension developed for the Mozilla Firefox browser.
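The weakness these tools exploit is visible in the server's own login response: a session cookie set over HTTPS but without the Secure attribute will be attached to the very next plain-HTTP request and can be read and replayed from a capture. The following added example (not code from the thesis or from Firesheep, Hamster or Ferret) parses Set-Cookie headers with the Python standard library, reports which cookies a browser would still send over http:// and whether the site pins browsers to HTTPS with Strict-Transport-Security; the two server responses are constructed, one reproducing the weak pattern described above and one hardened:

```python
"""Audit Set-Cookie headers for the sidejacking weakness described above: a session cookie
issued over HTTPS at login but without the Secure attribute is sent again on every plain
HTTP request, where a sniffer such as Firesheep or Hamster/Ferret reads and replays it.

Added example for section 3.2.4; it is not code from the thesis or from any of the tools
named there. Standard library only. The two server responses below are constructed.
"""

def parse_set_cookie(value):
    """'SID=abc; Path=/; Secure' -> ('SID', 'abc', {'path': '/', 'secure': True})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), cookie_value, attrs

def parse_response_headers(raw):
    """Split a raw HTTP response into its status line and a list of (lower-cased name, value)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        key, _, val = line.partition(":")
        headers.append((key.strip().lower(), val.strip()))
    return status, headers

def audit_session_cookies(raw_response, session_names):
    """Return ({cookie: [findings]}, hsts_present) for the named session cookies."""
    _status, headers = parse_response_headers(raw_response)
    findings = {}
    for key, val in headers:
        if key != "set-cookie":
            continue
        name, _value, attrs = parse_set_cookie(val)
        if name not in session_names:
            continue
        issues = []
        if "secure" not in attrs:
            issues.append("no Secure flag: sent over http:// too, readable by a sniffer")
        if "httponly" not in attrs:
            issues.append("no HttpOnly flag: readable by injected script")
        if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
            issues.append("no SameSite=Lax/Strict: usable in cross-site requests")
        findings[name] = issues
    hsts = any(key == "strict-transport-security" for key, _ in headers)
    return findings, hsts

def cookies_sent_over_http(raw_response):
    """Names of the cookies a browser would attach to a later http:// request to the same host."""
    _status, headers = parse_response_headers(raw_response)
    return [parse_set_cookie(val)[0] for key, val in headers
            if key == "set-cookie" and "secure" not in parse_set_cookie(val)[2]]

# Constructed login responses: the first reproduces the HTTPS-login-then-HTTP pattern,
# the second is the hardened form (Secure cookies plus HSTS so the browser stays on HTTPS).
WEAK_LOGIN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://shop.example.test/account\r\n"
    "Set-Cookie: SESSIONID=3f9a1c7e; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=fi; Path=/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HARDENED_LOGIN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://shop.example.test/account\r\n"
    "Set-Cookie: SESSIONID=3f9a1c7e; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: lang=fi; Path=/; Secure\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_LOGIN_RESPONSE), ("hardened", HARDENED_LOGIN_RESPONSE)):
        findings, hsts = audit_session_cookies(resp, {"SESSIONID"})
        print(label, "HSTS:", hsts, "sent over http:", cookies_sent_over_http(resp), findings)
```

The same check can be run against a real capture by pasting the Set-Cookie lines Wireshark shows under "Follow TCP Stream". Note that HttpOnly does nothing against a sniffer; only the Secure attribute (and HSTS, so that the browser never issues the plain request in the first place) closes the sidejacking window.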
Firesheep reads the unencrypted session cookies sent after the login and lets its user open the victim's session. DroidSheep and CookieCadger are other examples of tools and apps developed for session hijacking.
3.2.5 Man-in-the-Middle attack
The Man-in-the-Middle (MITM) attack is one of the strongest attack techniques, and its presence is hard to detect in a network. In general the attacker takes control of the traffic, modifies it and acts as the controller of the communication. The attacker sits between two hosts, host A and host B, eavesdrops on the traffic, edits messages and forwards them in real time. If host A sends e-mail to host B, for instance, the attacker in the middle can read and alter the conversation and collect useful information. The attack redirects traffic to the attacker, who poses as the legitimate host or as a proxy server. An HTTP connection between a client and a web server is considered insecure because HTTP is a stateless protocol and communicates in plain text. Secure Sockets Layer (SSL) and its successor TLS, as used in HTTPS, layer encryption and server authentication over HTTP. An attacker cannot decrypt HTTPS just by eavesdropping: the server's public key is public anyway and the private key never leaves the server. Instead, a man in the middle terminates the TLS connection itself and presents the client a forged certificate for the server's name, signed by a certificate authority the client does not trust. If the client, or its user, accepts that certificate despite the warning, the client believes it has a secure channel to the server, while the attacker can decrypt, read and edit every message between the client and the server and steal banking credentials, user names, passwords and e-mail. The attack is hard to detect because to the client the communication looks normal, yet the attacker controls the traffic all the time.
This type of attack is mostly seen in public Wi-Fi networks. Spoofing attacks and some forms of session hijacking, such as sidejacking, evil twin access points and sniffing, are considered forms of man-in-the-middle attack. Packet analyzers play an important role here because the MITM attack is also known as an eavesdropping attack, and eavesdropping, that is listening to the traffic, is exactly what a packet sniffer does. Figure 7 shows the MITM attack.
Figure 7. Man-in-the-middle attack
4 NETWORK ANALYZERS
4.1 Meaning and Features
Network analyzers are also known as packet sniffers, protocol analyzers or packet analyzers. A network analyzer is a computer program, or sometimes a hardware device, that listens to all the traffic flowing in a network segment. In a network the information flows as raw binary data; the analyzer converts this binary data into a human-readable form, which makes it possible to analyze the network. The legitimate use of network analyzers is by network administrators, to manage and troubleshoot the network and to maintain its security. Network analyzers are also used illegally, typically by an attacker who wants to gain unauthorized access and gather sensitive data from the network. They can be tapped into many parts of the network without the knowledge of the IT administrator. In Ethernet networks the adapter normally filters frames and ignores any traffic not addressed to it. A sniffing program puts the adapter into promiscuous mode, so that it accepts all frames even when the destination MAC address does not match its own. The components of a network sniffer are the hardware, the capture filter, buffers and the decoder.
The network sniffing procedure is described below:
Collecting - This is the first task of a network analyzer. The analyzer puts the network interface card (NIC) into promiscuous mode, so that the NIC listens to all traffic on its network segment and captures the raw binary data.
Converting - This step is carried out by the decoder component of the packet sniffer. The binary data captured in the first step is converted into a human-readable form.
Analyzing - The last step of the sniffing process is protocol analysis. The protocols used in the traffic are identified from the information decoded in the second step, and every packet can be analyzed and explained from the viewpoint of those protocols.
4.2 Common Uses
Network analyzers can be used for both legitimate and illegitimate tasks. Used legitimately, they bring many benefits to a network: network administrators and security staff see them as an efficient way to protect the network and to troubleshoot problems. They are very useful for locating latency or slowness in a network, for verifying that firewalls, access control lists and protocols behave as intended, and for gathering network statistics; the statistics can be turned into graphs and reports that show network speed and leakage clearly. Used well, network analyzers are a real help in running networks smoothly. On the other hand, some people use these tools for malicious activities that are against the law. Black hat hackers and crackers use them to eavesdrop on other people's networks and steal sensitive information.
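The three steps above map directly onto code. The following is an added example written for this section, not code from the thesis or from Wireshark: a minimal reader for the pcap format that Wireshark and tcpdump both write (collecting), a decoder for Ethernet, ARP, IPv4, TCP and UDP headers (converting), and a summary in the same columns as Wireshark's packet list together with a small equivalent of a display filter (analyzing). It uses only the Python standard library; the capture is constructed in memory so that the example runs offline, and its addresses and ports are made up:

```python
"""Collect, convert and analyze: a minimal pcap reader that mirrors the three sniffing
steps in this section and Wireshark's packet list (No., Time, Source, Destination,
Protocol, Length, Info), plus a small display-filter equivalent.

Added example for section 4.1; it is not code from the thesis or from Wireshark.
Standard library only. SAMPLE_PCAP is constructed in memory; its addresses are made up.
"""
import io
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
ETH = struct.Struct("!6s6sH")
IPV4 = struct.Struct("!BBHHHBBH4s4s")
TCP_FLAGS = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"))

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))

# --- collect: the pcap file format ----------------------------------------------------
def write_pcap(frames, start_ts=1_462_000_000.0):
    """Serialize (offset_seconds, frame) pairs as a little-endian Ethernet pcap."""
    buf = io.BytesIO()
    buf.write(PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for offset, frame in frames:
        ts = start_ts + offset
        buf.write(PCAP_RECORD.pack(int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)))
        buf.write(frame)
    return buf.getvalue()

def read_pcap(data):
    """Yield (timestamp, frame); refuse magic numbers or link types this reader does not handle."""
    magic, *_, linktype = PCAP_GLOBAL.unpack_from(data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("not a little-endian Ethernet pcap")
    off = PCAP_GLOBAL.size
    while off + PCAP_RECORD.size <= len(data):
        sec, usec, incl, _orig = PCAP_RECORD.unpack_from(data, off)
        off += PCAP_RECORD.size
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

# --- convert: decode Ethernet / ARP / IPv4 / TCP / UDP headers -------------------------
def decode(frame):
    dst, src, etype = ETH.unpack_from(frame, 0)
    rec = {"src": mac_str(src), "dst": mac_str(dst), "protocol": f"0x{etype:04x}", "info": ""}
    payload = frame[ETH.size:]
    if etype == 0x0806 and len(payload) >= 28:
        oper, sha, spa, _tha, tpa = struct.unpack_from("!6xH6s4s6s4s", payload, 0)
        rec["protocol"] = "ARP"
        rec["info"] = (f"Who has {ip_str(tpa)}? Tell {ip_str(spa)}" if oper == 1
                       else f"{ip_str(spa)} is at {mac_str(sha)}")
    elif etype == 0x0800 and len(payload) >= 20:
        vihl, _tos, total, _id, _frag, _ttl, proto, _csum, s, d = IPV4.unpack_from(payload, 0)
        rec.update(src=ip_str(s), dst=ip_str(d), protocol={1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, f"IP proto {proto}"))
        l4 = payload[(vihl & 0x0F) * 4:total]
        if proto == 6 and len(l4) >= 20:
            sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", l4, 0)
            names = [n for bit, n in TCP_FLAGS if off_flags & bit]
            rec.update(ports=(sport, dport), info=f"{sport} -> {dport} [{', '.join(names)}] Seq={seq}")
        elif proto == 17 and len(l4) >= 8:
            sport, dport, ulen, _csum = struct.unpack_from("!HHHH", l4, 0)
            rec.update(ports=(sport, dport), info=f"{sport} -> {dport} Len={ulen - 8}")
            if 53 in (sport, dport):
                rec["protocol"] = "DNS"  # Wireshark labels a row by the highest protocol dissected
    return rec

# --- analyze: packet list rows and a display-filter equivalent ------------------------
def packet_list(pcap_bytes):
    rows, first = [], None
    for no, (ts, frame) in enumerate(read_pcap(pcap_bytes), start=1):
        first = ts if first is None else first
        rows.append({"no": no, "time": round(ts - first, 6), "length": len(frame), **decode(frame)})
    return rows

def apply_filter(rows, protocol=None, addr=None, port=None):
    """Like the display filter `tcp && ip.addr == A && tcp.port == P`: every given criterion must hold."""
    return [r for r in rows
            if (protocol is None or r["protocol"] == protocol)
            and (addr is None or addr in (r["src"], r["dst"]))
            and (port is None or port in r.get("ports", ()))]

# --- constructed sample capture (IP header checksum left 0 on purpose) ------------------
def eth(dst, src, etype, payload): return ETH.pack(mac(dst), mac(src), etype) + payload
def ipv4(src, dst, proto, payload):
    return IPV4.pack(0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0, ip(src), ip(dst)) + payload
def tcp(sport, dport, seq, flags): return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0)
def udp(sport, dport, payload): return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

HOST, GW = ("00:11:22:33:44:02", "192.168.1.10"), ("00:11:22:33:44:01", "192.168.1.1")
SAMPLE_PCAP = write_pcap([
    (0.0, eth("ff:ff:ff:ff:ff:ff", HOST[0], 0x0806,
              struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, mac(HOST[0]), ip(HOST[1]), bytes(6), ip(GW[1])))),
    (0.25, eth(GW[0], HOST[0], 0x0800, ipv4(HOST[1], "80.86.90.220", 6, tcp(51000, 80, 1000, 0x02)))),
    (1.5, eth(GW[0], HOST[0], 0x0800, ipv4(HOST[1], GW[1], 17, udp(40000, 53, b"\x1a\x2b\x01\x00" + bytes(8))))),
])

if __name__ == "__main__":
    for r in packet_list(SAMPLE_PCAP):
        print(f"{r['no']:>3} {r['time']:>9.6f} {r['src']:<18} {r['dst']:<18} {r['protocol']:<5} {r['length']:>4} {r['info']}")
```

Writing SAMPLE_PCAP to a file and opening it in Wireshark shows the same three rows, which is a convenient way to check a hand-written decoder against the reference dissectors. The reader deliberately rejects anything but little-endian Ethernet captures; a production parser must also handle the big-endian and nanosecond magic numbers and the newer pcapng container.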
Networks are exploited to obtain private information such as bank details, credit card numbers, passwords and user names. Such spying is a criminal offence and is punishable by law. Nowadays cryptographic protocols such as SSL/TLS and SSH are used to protect network traffic end to end. Networks can still be attacked in other ways, for example with MITM and brute-force attacks.
4.3 Famous Network Analyzers
There are many network analyzer programs on the market. Some of the well-known and widely used ones are described below.
4.3.1 Wireshark
Wireshark is a well-known network packet analyzer. It is free and open source and is used for protocol analysis, network monitoring and troubleshooting. It was originally named Ethereal and is written in C and C++. The current stable release is 2.0.2, released on February 26, 2016. Wireshark captures live data from a network interface. Its well-known features include capturing and filtering live traffic, coloring packets by protocol, creating I/O graphs and other statistics, and exporting packet data in different file formats. The graphical user interface (GUI) is easy to use and makes packet analysis easier, which is another reason for the popularity of this sniffer. It can also be used from the command line as TShark. Another reason for choosing this program for protocol analysis is its support for more than a thousand protocols. The figure below shows the graphical user interface of Wireshark.
Figure 8. Wireshark GUI Screenshot
4.3.2 tcpdump
tcpdump is also a well-known network analyzer, but it runs only from the command line. It can be used to analyze network behavior and, in unencrypted traffic, to see login names, passwords and the websites and content a user visits. Like Wireshark it is multi-platform and free to use. The latest stable release of tcpdump is 4.7.4, released on April 22, 2015. Capturing with tcpdump requires root privileges (or capture capabilities granted to the user). tcpdump is not as easy to use and understand as Wireshark: it decodes a much smaller number of protocols, and its printed command-line output can be difficult for a normal user to read.
4.3.3 Cain & Abel
Cain & Abel is free software for Microsoft Windows that recovers passwords. It cracks password hashes with dictionary attacks, brute-force attacks and cryptanalysis attacks, and it can also recover passwords by sniffing packets on the network. Its stable release, 4.9.56, was published on April 7, 2014. This network sniffer can also attack wireless security (WEP cracking) and record VoIP conversations. The software can be used as a network tester, to find out how well the network stands up against attacks and to improve network performance.
4.3.4 Colasoft Capsa
Colasoft Capsa is another advanced network analyzer, but its strongest features are available only in the paid edition. It performs real-time packet capture, network monitoring, protocol analysis and application troubleshooting. It has strong built-in features and a well-designed GUI, and it captures both wired and wireless traffic. Other features are VoIP analysis, alarm notification by e-mail and audio for network problems, and automatic packet capture for a predefined time. Another advanced feature of Capsa is its visual graphs and matrix view for pinpointing network communication and protocol analysis. It is available for Windows only.
4.3.5 General comparison
The following table, Table 2, lists the general properties of the network analyzers mentioned above.
It compares the operating systems they support, disk space used, cost, user interface, licensing and protocol support.
Table 2. Characteristic comparison of Wireshark, tcpdump, Cain & Abel, Colasoft Capsa
s.no.  Property           Wireshark                        tcpdump   Cain & Abel   Colasoft Capsa
1      OS supported       Windows, Unix                    Unix      Windows       Windows
2      Disk usage         81 MB (Windows), 448 MB (Unix)   448 kB    10 MB         32 MB
3      Cost               Free                             Free      Free          starts at 995 euros
4      User interface     GUI and CLI                      CLI       GUI           GUI
5      Open source        Yes                              Yes       No            No
6      No. of protocols   more than 1000                   TCP/IP    -             300
7      UDP traffic        Yes                              No        Yes           Yes
4.3.6 More description on analyzers
Although only a few network analyzers are presented in this chapter, many others exist. Other widely used sniffers are Ettercap, Kismet, Dsniff, NetStumbler, Ngrep, Ntop, Nmap and more. Ettercap is a terminal-based sniffer that supports many protocols, including some encrypted ones. Kismet and NetStumbler sniff wireless traffic. Nmap is a useful tool for network scanning. There are a great many tools and programs available as network analyzers, sniffers and packet analyzers, of different shape, size and price, and properly used they help build a strong and worry-free network. The most basic function of a packet analyzer is to capture and filter network packets from live traffic. Some provide only a command-line interface and some a GUI; a graphical user interface is friendlier for normal users and can increase efficiency. Some of the programs, such as Ettercap and Cain & Abel, can perform real attacks; the main reason for this is to point out network weaknesses so that the vulnerabilities can be fixed. Such tools can also be used for penetration testing and injection attacks against the network.
The main reason for choosing Wireshark for the further network analysis in this thesis is its easy availability: it is considered one of the best-known network protocol analyzers, with strong built-in features. Wireshark can analyze more than 1000 network protocols and supports almost every operating system on the market, its GUI is well designed and easy to use, and it is free and fulfils most requirements of network analysis. Used for good reasons these programs can provide strong network security; used by people and groups with bad intentions, they can steal almost any kind of information from other people. The misuse of sniffers always raises one question in a normal person's mind: is my identity secure on the Internet?
5 WIRESHARK
This section of the thesis describes how to install Wireshark on a machine and the minimum requirements for installing it. It further describes the graphical user interface (GUI), which makes Wireshark easy and efficient to use, and other features such as coloring rules and customizable toolbars, which make the analyzer more personal and helpful. Wireshark is also known for its capture filters, display filters and the very useful Expert Info function and I/O graphs, which are also covered in this section.
5.1 Installation process and getting started
Wireshark was introduced in section 4.3.1 as a well-known network analyzer. To start using the software the user first needs to install it. Wireshark is known for its strong features and the benefits it brings to packet analysis: it supports more than 1000 protocols, it is known for its user-friendly GUI, and it supports all major operating systems on the market.
Wireshark can only be installed on a machine that fulfils the following conditions:
- at least a 400 MHz processor
- at least 128 MB of RAM
- at least 75 MB of available hard disk space
- a NIC that supports promiscuous mode
- the WinPcap capture driver (on Windows).
Wireshark can be downloaded from the download section of its official web page, http://www.wireshark.org. It supports Windows, Mac OS X and Linux-based platforms. The download section contains the latest stable release as an installer for Windows, a DMG package for Mac OS X and the source code for Linux-based platforms. On Windows we simply download the .exe file and double-click it to start the installation. Wireshark needs the WinPcap capture driver to run on Windows; WinPcap is bundled with the Wireshark installation package and can be installed in the same process. The official Wireshark website documents the installation steps for most operating systems. On Linux systems we can first download the source code from the web page. On Debian-based distributions, however, Wireshark can be installed from the distribution's repositories simply by entering the command apt-get install wireshark in a console, and on other distributions it can be compiled from source. The steps to compile the source code are:
1. Download the source code from the official Wireshark website.
2. Extract the archive, for example with tar -jxvf downloaded_filename-version.tar.bz2 (the extraction command differs between archive formats and distributions).
3. Create a new directory and build there.
4. Run the configure script for the distribution, such as ./configure.
5. Run make to compile the source into binaries, and complete the installation with make install.
Similarly, installation on Mac OS X begins by downloading the disk image (.dmg) package from the official Wireshark web page.
To install Wireshark, open the disk image and run the installer package it contains. The installer also includes the required command-line utilities and a launch daemon. Further installation details can be found on the official Wireshark page. After installation the next step is packet capture and network analysis. At first Wireshark may not look interesting at all; it impresses the user once it performs its first capture of network activity. The steps to start a capture are:
1. Open Wireshark (it can be started from a shell or from the window manager).
2. In the latest version of Wireshark the user can start capturing directly from the start window, which lists all available interfaces under the capture option. Active interfaces show a small activity graph (sparkline) next to their name, so a capture can be started simply by double-clicking the active interface.
3. Alternatively, open the Capture menu and select Options; the capture interfaces window also shows the available interfaces, and the user can start the first capture by clicking the interface on which he or she wants to capture.
4. Wait until Wireshark has captured some data.
5. When ready, click Stop in the Capture menu.
Figure 9. Selecting an interface to start packet capture
5.2 Graphical User Interface (GUI) of Wireshark
The Graphical User Interface (GUI) of Wireshark has several sections, each with an important function, that make the work easy and user-friendly. Figure 10 shows the sections of the user interface after some packets have been captured.
Figure 10. The Main Window
The main window of Wireshark consists of the following parts.
The menu
The main menu is located at the top of the Wireshark main window. Its items are shown in Figure 11 below.
Figure 11. The Menu
File: This menu's drop-down items open and merge capture files, save, print or export capture files, and quit the Wireshark application.
Edit: The items in this menu find a packet, move from one packet to another with find next and find previous, and mark and unmark packets. The Edit menu also contains the item for creating configuration profiles.
View: The View menu controls the display of the toolbars and the colorization of packets and its rules.
Go: This menu contains items for jumping to a specific packet and for moving from one packet to another.
Capture: This menu controls capturing. Its items start and stop a capture and hold the settings for capture interfaces and capture filters.
Analyze: This menu includes items to edit display filters, follow a TCP or UDP stream, enable or disable dissectors and plugins, and show the Expert Info.
Statistics: This menu provides the I/O graph and many other statistics, for example for the HTTP and DNS protocols, as well as flow graphs.
Telephony: This menu displays statistics windows related to telephony and media analysis, including VoIP calls, GSM packet analysis and graphs for telephony streams.
Wireless: This menu has items for Bluetooth and wireless LAN traffic statistics.
Tools TURKU UNIVERSITY OF APPLIED SCIENCES THESIS | Jeewan Bhusal 38 This menu has items to write dissectors for Wireshark through Lua programming. It also has items for creating different Rules such as Firewall access control lists. Help This menu contains items to fully help the user benefits from this network analyzer. It provides help through manual pages, online access to documents and wiki in the web page. The user can remove any sort of confusion about Wireshark through the help of this menu. The main toolbar The main toolbar is a shortcut to the frequently used items from the menu. In general, the most used items from the menu are put with symbols to make work easy for the user. The figure below shows the main toolbar. Figure 12. The main toolbar The function of each item in the main toolbar can be obtained by just hovering the mouse cursor above those items. The filter toolbar The filter toolbar helps to edit and apply the display filters. This toolbar contains area to enter and edit a display filter string. The packets related to the specified display string and protocols are only shown because of the display filter. In Figure 13, we can see the example of filter toolbar. TURKU UNIVERSITY OF APPLIED SCIENCES THESIS | Jeewan Bhusal 39 Figure 13. The filter toolbar The packet list pane The packet list pane is an important section of Wireshark main window. This packet list pane displays all the packets captured in a specific capture session. Each line in the packet list represents a single packet. The more details about a packet can be obtained in “Packet Details” pane and “Packet Bytes” pane by simply selecting a line from packet list pane. This list pane contains different columns to provide details about packets. The default columns are No. 
(number of packets captured), Time (time elapsed), Source (source address of the packet), Destination (destination address of the packet), Protocol (name of the protocol used), Length (length of each packet) and Info (additional information on the packet content). In Figure 14, the packet list pane is shown.

Figure 14. The packet list pane

The packet details pane

If a packet is selected in the packet list pane, more detailed information can be obtained from the packet details pane. This pane provides information about the protocols and protocol fields of the selected packet. The protocols and fields of the packet are shown in a tree hierarchy which can be expanded and collapsed. In Figure 15, an example of the packet details pane is shown.

Figure 15. The packet details pane

The packet bytes pane

When a packet is selected in the packet list pane of Wireshark, the packet bytes pane shows the data of the selected packet in hexdump style. An example of the packet bytes pane is shown in Figure 16 below.

Figure 16. The packet bytes pane

The left side shows the data offset in the packet, the middle part represents the data in hexadecimal form and the right part shows the packet data as ASCII characters corresponding to the middle part. Sometimes it shows the packet data in several tabs, after Wireshark has reassembled the packet.

The status bar

The status bar is the place that shows the number of captured packets, the number of packets displayed in the packet list pane, and the configuration profile used to capture the data. In Figure 17, an example of the status bar is shown.

Figure 17. The initial empty status bar

When Wireshark has just started or no capture file is loaded, an empty status bar is shown. However, when a capture file is loaded or a capture is performed, the status bar shows the information shown in Figure 18.

Figure 18.
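As an added illustration of what the three panes show (example code written for this page, not part of the thesis or of Wireshark), the following Python script builds one constructed Ethernet II / IPv4 / TCP frame, dissects it into the layered tree the packet details pane presents, renders the offset / hex / ASCII hexdump the packet bytes pane shows, and assembles the default packet list columns. The frame, its MAC and IP addresses and its ports are made up for the example, and the Info text only approximates Wireshark's own wording.

```python
from __future__ import annotations
import struct

# Constructed sample frame (not taken from a real capture): Ethernet II / IPv4 /
# TCP SYN from 192.168.1.20:50000 to 192.168.1.1:80. Checksums are left at zero.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"          # Ethernet: dst MAC, src MAC, type IPv4
    "4500" "0028" "1234" "4000" "40" "06" "0000"   # IPv4: ver/IHL+TOS, len 40, id, DF, TTL 64, proto 6, cksum
    "c0a80114" "c0a80101"                          # IPv4: 192.168.1.20 -> 192.168.1.1
    "c350" "0050" "00000000" "00000000"            # TCP: port 50000 -> 80, seq 0, ack 0
    "50" "02" "faf0" "0000" "0000"                 # TCP: data offset 5, flags SYN, win 64240, cksum, urg
)

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Render bytes the way the Packet Bytes pane does: offset | hex | ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return lines


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def dissect(frame: bytes) -> dict:
    """Minimal Ethernet II / IPv4 / TCP dissector.

    Returns a nested dict shaped like the Packet Details tree: one entry per
    protocol layer, each holding its decoded fields.
    """
    tree = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    tree["Ethernet II"] = {"dst": _mac(dst), "src": _mac(src), "type": f"0x{ethertype:04x}"}
    if ethertype != 0x0800:          # only IPv4 is decoded in this example
        return tree
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl,
     proto, _cksum, sip, dip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    tree["IPv4"] = {"src": _ipv4(sip), "dst": _ipv4(dip), "ttl": ttl,
                    "protocol": proto, "total_length": total_len, "header_length": ihl}
    if proto != 6:                   # only TCP is decoded in this example
        return tree
    tcp = frame[14 + ihl:]
    sport, dport, seq, ack, off_res, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    tcp_hlen = (off_res >> 4) * 4
    tree["TCP"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
                   "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
                   "payload_len": total_len - ihl - tcp_hlen}
    return tree


def packet_list_row(number: int, rel_time: float, frame: bytes) -> tuple:
    """Build the default Packet List columns: No., Time, Source, Destination, Protocol, Length, Info."""
    tree = dissect(frame)
    if "TCP" in tree:
        t, ip = tree["TCP"], tree["IPv4"]
        info = (f"{t['sport']} -> {t['dport']} [{','.join(t['flags'])}] "
                f"Seq={t['seq']} Win={t['window']} Len={t['payload_len']}")
        return (number, rel_time, ip["src"], ip["dst"], "TCP", len(frame), info)
    if "IPv4" in tree:
        ip = tree["IPv4"]
        return (number, rel_time, ip["src"], ip["dst"], "IPv4", len(frame), f"protocol {ip['protocol']}")
    eth = tree["Ethernet II"]
    return (number, rel_time, eth["src"], eth["dst"], "Ethernet", len(frame), f"type {eth['type']}")


if __name__ == "__main__":
    print(packet_list_row(1, 0.0, SAMPLE_FRAME))
    for layer, fields in dissect(SAMPLE_FRAME).items():
        print(layer, fields)
    print("\n".join(hexdump(SAMPLE_FRAME)))
```

The same dict shape the dissector returns is what later filtering and colouring operate on in Wireshark: every field in the details tree is addressable by name, while the bytes pane is only a view of the raw frame.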
The status bar after a capture is loaded

In this loaded status bar, the bottom left corner shows the highest expert info level, and next to it is the name of the capture file. Similarly, on the right side the numbers of captured and displayed packets are shown, and the bottom right corner is the place for the configuration profile used to capture the data.

5.3 Wireshark customization

Wireshark also has the useful feature of changing settings to fit our needs. We can always customize Wireshark to make work faster and easier and to perform detailed analysis. Wireshark can also be customized from the command line. Different commands are available in command-line mode to perform different functions such as setting paths, capture filters, capture interfaces, the timestamp format and many more.

Another important feature which can be customized in Wireshark is protocol dissection. Each protocol is handled by its own dissector. A dissector performs the observation and disassembling of a protocol to study its functions. In the Analyze menu, we can find an item called Enabled Protocols. The Enabled Protocols dialog box lets a user enable or disable some protocols. However, all protocols supported by Wireshark are enabled by default. There are other features which help to temporarily redirect the dissection of a protocol and to change its ports.

Similarly, different user profiles can be created by right-clicking the profile tab in the bottom right corner of the Wireshark window. Configuration profiles can store different sets of preferences and configurations. In these profiles, recent changes in the settings are saved. A profile also saves the pane sizes in the main window and the number and width of the columns in the packet list. Similarly, there are more features that can be customized, such as display filter macros, database paths, user tables, protocol tables, color customization, etc.

Packet colorization is another significant feature of Wireshark.
This feature colors a packet according to display filters and protocols. There are two ways of coloring packets. The first is temporary, and the other is a permanent rule which is saved in the preferences file and available the next time. Inside the View menu, there is an item called Coloring Rules. The color settings for different protocols can be made from the Coloring Rules dialog box. The figure below shows the default coloring rules dialog box for the default configuration profile.

Figure 19. The coloring rules dialog box

New coloring rules can be created by simply clicking the + button, and existing coloring rules can be deleted by clicking the - button. Similarly, we can duplicate a rule with the help of the copy button, which is next to the - button. When a rule is selected, the options for foreground and background color become active. The foreground and background buttons open a color chooser dialog box which helps to select different background and foreground colors for a certain rule. A coloring rule higher in the order takes precedence over a rule for a similar protocol coming later. For instance, if there is a coloring rule for UDP traffic before the rule for DNS, the color for UDP traffic replaces the color for DNS traffic. This is because DNS is also considered UDP traffic. The figure below shows the color of the Bad TCP rule applied to packets 176, 177, 287 and 1471, along with the tcp filter.

Figure 20. Colors used in Wireshark

5.4 Controlling Capture with Filter

Capturing data in a live network is considered one of the main duties of Wireshark. Most network analysis starts after capturing packets in the network. Wireshark can capture packets in an Ethernet network or a wireless network. Packet capture cannot be performed in just any network. It is always important to make sure that we have permission to capture packets in the network we are working on.
Capturing packets in someone's private network without permission is considered illegal. Capture privileges, a proper capture driver and the right network interface are some basic requirements to start a packet capture. Packets can be captured in a local network or a remote network. Therefore, it is important to find out the place where the protocol analyzer can be tapped in to capture traffic. In section 6.1, where to capture data in a network is described in more detail. The captured data can be saved in .pcap, Wireshark's default file format. Similarly, it is also possible to export these capture files in different formats such as plain text and comma-separated values (CSV). Hence, several captures can be made at once, saved and analyzed all together afterwards. In addition, it is important to set the correct time display format during packet capture. The correct time display format is a great help during packet analysis. It gives the absolute timestamp of the exact moment when a packet was captured and its time relation to the other captured packets.

A filter is a language expression which can be used when capturing packets and when displaying packets to include or exclude packets. In other words, filters help to select and show packets depending on the user's choice. There are two types of filters used in Wireshark, and they are described below.

Capture Filters

Capture filters are applied while packets are being captured in a network. After applying a capture filter, Wireshark will capture only those packets which the capture filter expression asks to be included or excluded. Applying capture filters during the actual packet-capturing process saves processing power and time and improves performance. In Wireshark, choose Capture - Options; this opens the Capture Interfaces dialog box.
First, the desired interface where packets are to be captured should be selected, and the capture filter can be entered in the capture filter field in the bottom left corner. When a correct filter expression is entered in the text field, the background changes to a light green color. The WinPcap driver controls the implementation of capture filters, and in the WinPcap libraries the Berkeley Packet Filter (BPF) syntax is used to create capture filters. A filter created using the BPF syntax is called an expression. This expression is also called a primitive. A primitive can contain a qualifier and an ID. A capture filter can contain one or more primitives; to connect two or more primitives, logical operators are used. In Figure 21, the dialog box to enter a capture filter expression is shown.

Figure 21. An example of an ICMP capture filter used in the Capture Interfaces dialog box

Capture filters can be used in different forms to achieve different targets. In general, there are BPF syntax, hostname and addressing filters, port and protocol filters, and protocol field filters. In Table 3, some examples of these types are presented.

Table 3. Examples of capture filters

S.no.  Type                             Example                       Description
1      BPF Syntax                       src 192.168.2.20 && port 80   src 192.168.2.20 = primitive, port 80 = primitive, && = operator.
                                                                      Captures traffic with a source IP address of 192.168.2.20 and a
                                                                      source or destination port of 80.
2      Hostname and Addressing Filters  host 192.168.2.20             Captures only traffic for this specific IPv4 host address.
                                        ether host 00-1a-a0-52-e2-a0  Uses the MAC address of a host as capture filter; traffic to or
                                                                      from this MAC address is captured.
3      Port and Protocol Filters        port 80                       Captures traffic only on port 80.
                                        !port 80                      Excludes traffic on port 80.
                                        icmp                          ICMP traffic only.
                                        ip6                           IPv6 traffic only.
                                        ip                            IPv4 traffic only.
                                        udp                           UDP traffic only.

Display Filters

Display filters are applied to the capture file.
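To make the idea of primitives, qualifiers and logical operators from the capture filter discussion concrete, here is an added Python example (written for this page; it is neither Wireshark's nor WinPcap's code) that evaluates the Table 3 filters against a handful of constructed packets. It implements only the small subset of BPF the table uses (host, port, ether host, the protocol keywords ip, ip6, icmp, tcp and udp, and the operators !, && and ||, with libpcap's precedence of not over and over or); the packets, their MAC and IP addresses and their ports are constructed for the example.

```python
from __future__ import annotations

# Constructed, already-dissected packets (not a real capture). The addresses
# reuse the ones from Table 3 so its filters can be tried directly.
PACKETS = [
    {"no": 1, "ether_src": "00:1a:a0:52:e2:a0", "ether_dst": "00:00:5e:00:53:01", "ip_version": 4,
     "ip_src": "192.168.2.20", "ip_dst": "192.168.2.1", "proto": "tcp", "sport": 51000, "dport": 80},
    {"no": 2, "ether_src": "00:00:5e:00:53:01", "ether_dst": "00:1a:a0:52:e2:a0", "ip_version": 4,
     "ip_src": "192.168.2.1", "ip_dst": "192.168.2.20", "proto": "tcp", "sport": 80, "dport": 51000},
    {"no": 3, "ether_src": "00:00:5e:00:53:02", "ether_dst": "00:00:5e:00:53:01", "ip_version": 4,
     "ip_src": "192.168.2.30", "ip_dst": "192.168.2.1", "proto": "udp", "sport": 40000, "dport": 53},
    {"no": 4, "ether_src": "00:00:5e:00:53:02", "ether_dst": "00:00:5e:00:53:01", "ip_version": 6,
     "ip_src": "2001:db8::2", "ip_dst": "2001:db8::1", "proto": "icmp", "sport": None, "dport": None},
]

PROTO_KEYWORDS = {"ip", "ip6", "icmp", "tcp", "udp"}


def _norm_mac(mac: str) -> str:
    # Accept both the 00-1a-... spelling used in Table 3 and 00:1a-...
    return mac.replace("-", ":").lower()


def _match_primitive(pkt: dict, direction: str | None, kind: str, ident: str) -> bool:
    """Evaluate one primitive: [src|dst] [host|port|ether host] ID, or a protocol keyword."""
    if kind == "proto":
        if ident == "ip":
            return pkt["ip_version"] == 4
        if ident == "ip6":
            return pkt["ip_version"] == 6
        return pkt["proto"] == ident
    if kind == "ether host":
        src, dst, want = _norm_mac(pkt["ether_src"]), _norm_mac(pkt["ether_dst"]), _norm_mac(ident)
    elif kind == "port":
        src, dst, want = pkt["sport"], pkt["dport"], int(ident)
    else:  # host
        src, dst, want = pkt["ip_src"], pkt["ip_dst"], ident
    if direction == "src":
        return src == want
    if direction == "dst":
        return dst == want
    return src == want or dst == want   # no direction qualifier: either side matches


class CaptureFilter:
    """Recursive-descent evaluator for a small subset of BPF capture-filter syntax.
    Precedence, tightest first: "!"/"not", then "&&"/"and", then "||"/"or"."""

    def __init__(self, expr: str):
        self.tokens = expr.replace("!", " ! ").split()   # lets "!port 80" tokenize
        self.pos = 0

    def _peek(self) -> str | None:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self) -> str:
        self.pos += 1
        return self.tokens[self.pos - 1]

    def matches(self, pkt: dict) -> bool:
        self.pos = 0
        result = self._or(pkt)
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return result

    def _or(self, pkt):
        val = self._and(pkt)
        while self._peek() in ("||", "or"):
            self._take()
            val = self._and(pkt) or val     # always parse the right side, then combine
        return val

    def _and(self, pkt):
        val = self._unary(pkt)
        while self._peek() in ("&&", "and"):
            self._take()
            val = self._unary(pkt) and val
        return val

    def _unary(self, pkt):
        if self._peek() in ("!", "not"):
            self._take()
            return not self._unary(pkt)
        return self._primitive(pkt)

    def _primitive(self, pkt):
        tok = self._take()
        if tok in PROTO_KEYWORDS:
            return _match_primitive(pkt, None, "proto", tok)
        direction = None
        if tok in ("src", "dst"):              # direction qualifier
            direction, tok = tok, self._take()
        kind = "host"                           # libpcap assumes "host" when no type qualifier is given
        if tok == "ether":
            self._take()                        # the "host" keyword; only "ether host" is supported here
            kind, tok = "ether host", self._take()
        elif tok in ("host", "port"):           # type qualifier
            kind, tok = tok, self._take()
        return _match_primitive(pkt, direction, kind, tok)


def apply_capture_filter(expr: str, packets: list[dict]) -> list[int]:
    """Return the numbers of the packets a capture filter would let through."""
    flt = CaptureFilter(expr)
    return [p["no"] for p in packets if flt.matches(p)]
```

A filter typed into the Capture Interfaces dialog box is compiled by the capture driver into BPF instructions and applied before a packet ever reaches Wireshark, so anything it excludes cannot be recovered afterwards; the evaluator above only mimics which packets would pass.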
When applied to the captured data, display filters tell Wireshark to show only the packets that match the applied filter. The display filter text box is shown above in Figure 13. Display filters are used more than capture filters. This is because packet analysis can be done on specific data without actually discarding any captured packets. It helps to simply see some form of traffic, work with it, and also gives the opportunity to go back to the original capture. Display filters use comparison operators to compare values. For instance, the filter expression ip.addr == 192.168.1.20 shows all packets with the IP address 192.168.1.20. Here, the equal-to (==) comparison operator is used. Table 4 below shows some examples of comparison operators, logical operators and commonly used display filters.

Table 4. Wireshark filter expression operators and some display filters

Comparison Operators  Description
==                    equal to
>                     greater than
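The comparison operators described above, and the order-dependent coloring rules from section 5.3, are illustrated by the following added Python example (written for this page, not Wireshark's code). It evaluates a subset of display-filter syntax (field comparisons with ==, !=, >, <, >=, <= and their word forms eq, ne, gt, lt, ge, le; bare protocol names; parentheses; and !, && and ||, also as not, and, or) against constructed, already-dissected packets, and applies an ordered list of coloring rules where the first match wins. The packets and the rule names are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed, already-dissected packets (not a real capture). Multi-valued
# fields such as ip.addr and tcp.port list every value the packet carries,
# which is why ip.addr == X matches the source or the destination address.
PACKETS = [
    {"no": 1, "protocols": {"eth", "ip", "tcp"}, "ip.src": "192.168.1.20", "ip.dst": "10.0.0.5",
     "ip.addr": ["192.168.1.20", "10.0.0.5"], "tcp.port": [50123, 443], "frame.len": 74},
    {"no": 2, "protocols": {"eth", "ip", "udp", "dns"}, "ip.src": "192.168.1.20", "ip.dst": "192.168.1.1",
     "ip.addr": ["192.168.1.20", "192.168.1.1"], "udp.port": [53412, 53], "frame.len": 82},
    {"no": 3, "protocols": {"eth", "ip", "udp"}, "ip.src": "192.168.1.7", "ip.dst": "192.168.1.255",
     "ip.addr": ["192.168.1.7", "192.168.1.255"], "udp.port": [137, 137], "frame.len": 92},
    {"no": 4, "protocols": {"eth", "ip", "tcp"}, "ip.src": "10.0.0.5", "ip.dst": "192.168.1.20",
     "ip.addr": ["10.0.0.5", "192.168.1.20"], "tcp.port": [443, 50123], "frame.len": 1514},
]

TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!=|==|>=|<=|>|<|!|[^\s()!=<>|&]+")
WORD_OPS = {"and": "&&", "or": "||", "not": "!", "eq": "==", "ne": "!=",
            "gt": ">", "lt": "<", "ge": ">=", "le": "<="}
COMPARE = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
           "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


class DisplayFilter:
    """Evaluator for a subset of Wireshark display-filter syntax: field comparisons,
    bare protocol tests, parentheses and the logical operators !, &&, ||."""

    def __init__(self, expr: str):
        self.tokens = [WORD_OPS.get(t, t) for t in TOKEN_RE.findall(expr)]
        self.pos = 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        self.pos += 1
        return self.tokens[self.pos - 1]

    def matches(self, pkt: dict) -> bool:
        self.pos = 0
        result = self._or(pkt)
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return result

    def _or(self, pkt):
        val = self._and(pkt)
        while self._peek() == "||":
            self._take()
            val = self._and(pkt) or val
        return val

    def _and(self, pkt):
        val = self._unary(pkt)
        while self._peek() == "&&":
            self._take()
            val = self._unary(pkt) and val
        return val

    def _unary(self, pkt):
        tok = self._peek()
        if tok == "!":
            self._take()
            return not self._unary(pkt)
        if tok == "(":
            self._take()
            val = self._or(pkt)
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return val
        return self._comparison(pkt)

    def _comparison(self, pkt):
        field = self._take()
        if self._peek() not in COMPARE:
            # Bare name: true when that protocol or field is present in the packet.
            return field in pkt["protocols"] or field in pkt
        op, raw = self._take(), self._take()
        target = int(raw) if raw.isdigit() else raw
        present = pkt.get(field)
        values = present if isinstance(present, list) else ([] if present is None else [present])
        # A comparison on a multi-valued field is true if ANY value satisfies it.
        # That is why "ip.addr != X" keeps almost every packet: some other
        # address always differs. "!(ip.addr == X)" is the reliable exclusion.
        return any(COMPARE[op](v, target) for v in values)


def display_filter(expr: str, packets: list[dict]) -> list[int]:
    """Packet numbers that the display filter keeps visible in the packet list."""
    flt = DisplayFilter(expr)
    return [p["no"] for p in packets if flt.matches(p)]


# Coloring rules are an ordered list of (name, display filter). The first rule
# whose filter matches decides the colour, as in the Coloring Rules dialog box.
COLORING_RULES = [("UDP", "udp"), ("DNS", "dns"), ("TCP", "tcp")]


def color_for(pkt: dict, rules=COLORING_RULES) -> str | None:
    for name, expr in rules:
        if DisplayFilter(expr).matches(pkt):
            return name
    return None
```

Two results are worth checking by hand. With UDP listed before DNS, the DNS packet is coloured as UDP; moving the DNS rule up changes that, exactly as section 5.3 describes. And ip.addr != 192.168.1.20 keeps all four sample packets, because ip.addr holds both addresses and the comparison succeeds when any one of them differs; this is how the Wireshark releases of the thesis' time behaved, so !(ip.addr == 192.168.1.20) is the dependable way to hide a host. Wireshark 3.6 and later changed != on multi-valued fields to mean that all values differ.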