CS408 Lab1 Packet Analysis With Wireshark Instructor PhD Albert Levi - PowerPoint PPT Presentation

CS408 Lab1: Packet Analysis With Wireshark
Instructor: PhD Albert Levi

What is a Network Analyzer?(a.k.a Packet sniffer)

Packet sniffers are software programs that can see the traffic passing over a network or part of a network. As data streams travel over the network, the program captures each packet and decodes its content according to the relevant RFC specification.

Why do we need such an analysis?

  • Troubleshoot a network.

  • Detect network intrusion attempts.

  • Monitor the network usage and filter for suspicious content.

  • Spy on other network users and collect their passwords.

How is it possible to capture other users packets?

Ethernet was built around a "shared" principle: all machines on a local network share the same wire, so every machine is able to "see" all the traffic on that wire. For this reason, Ethernet hardware is built with a "filter" that ignores all traffic that doesn't belong to it.

It does this by ignoring all frames whose destination MAC address doesn't match its own. If you put your Ethernet hardware into "promiscuous mode", you deactivate this filter and the card starts accepting all frames rather than discarding them.

What is an Ethernet MAC address?

  • A MAC address is a 12-hex-digit number (6 bytes), embedded in your Ethernet card chipset, that uniquely identifies you on the Ethernet.

  • Example : 00:C0:49:A7:25:45

  • Windows: run "ipconfig /all" from the command line to see the MAC address of your adapter.

  • Linux: run "ifconfig" to see the MAC address of your adapter.

What is an Ethernet MAC address?

  • MAC stands for Media Access Control.

  • The Ethernet MAC address is a 48-bit number. This number is broken down into two halves: the first 24 bits identify the vendor of the Ethernet board, and the second 24 bits are a serial number assigned by the vendor. This sufficiently guarantees that no two Ethernet cards have the same MAC address.

  • Example MAC address: 00:C0:49:A7:25:45

  • 00:C0:49 is registered to the vendor U.S. Robotics. This number is called the OUI ("Organizationally Unique Identifier"). You can find the list of vendor/OUI codes at http://standards.ieee.org/regauth/oui/

How do hosts communicate over Ethernet?

Each host in the same Ethernet network has an IP address.

In order to send data to a destination host, we first have to know the MAC address of that destination host. To find the MAC address that belongs to the destination's IP address, the source broadcasts an ARP packet over the network. ARP stands for Address Resolution Protocol (RFC 826).

ARP Overview

All network hosts maintain their own ARP tables (caches) to reduce the ARP broadcast overhead. The table maps IP addresses to MAC addresses.

Simply remember this:

ARP translates an IP address into a physical MAC address.

To see your computer's ARP cache, type "arp -a" and hit Enter.
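As an added example (not part of the lecture slides), the ARP exchange described above decoded from constructed packet bytes: a request asking for the MAC of 192.168.1.1, the reply, and the cache a host builds from them. The IP addresses and the gateway MAC are made up; only 00:C0:49:A7:25:45 comes from the slides.

```python
import struct

# Constructed ARP request and reply (RFC 826 layout, 28 bytes each), as found
# after the 14-byte Ethernet header in a capture. Addresses are made up except
# the sender MAC, which is the example MAC from the lecture.
ARP_REQUEST = bytes.fromhex(
    "0001" "0800" "06" "04" "0001"   # hw type 1, proto 0x0800, hlen 6, plen 4, opcode 1
    "00c049a72545" "c0a80164"        # sender MAC 00:C0:49:A7:25:45, sender IP 192.168.1.100
    "000000000000" "c0a80101"        # target MAC unknown (zeros), target IP 192.168.1.1
)
ARP_REPLY = bytes.fromhex(
    "0001" "0800" "06" "04" "0002"   # opcode 2 = reply
    "001122334455" "c0a80101"        # the gateway answers with its own MAC
    "00c049a72545" "c0a80164"
)

def parse_arp(pkt):
    """Decode an Ethernet/IPv4 ARP packet into named fields."""
    if len(pkt) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", pkt[8:28])

    def mac(b):
        return ":".join(f"{x:02X}" for x in b)

    def ip(b):
        return ".".join(str(x) for x in b)

    return {"op": {1: "request", 2: "reply"}.get(oper, oper),
            "sender_mac": mac(sha), "sender_ip": ip(spa),
            "target_mac": mac(tha), "target_ip": ip(tpa)}

def update_arp_cache(cache, pkt):
    """Learn the sender's IP -> MAC binding the way a host's ARP table does.
    Returns the previous MAC when an existing binding changes (worth logging
    when monitoring a capture), otherwise None."""
    fields = parse_arp(pkt)
    old = cache.get(fields["sender_ip"])
    cache[fields["sender_ip"]] = fields["sender_mac"]
    return old if old is not None and old != fields["sender_mac"] else None
```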

The Ethernet Frame

Remember the four-layer model: in each layer, the data coming from the upper layer is encapsulated into the current layer's PDU.

The application data is sent to a host with the above encapsulation scheme.

The Ethernet Frame

  • There are two kinds of Ethernet framing in common use today. The "official" standard is IEEE 802.3 framing, but TCP/IP traffic on Ethernet is usually carried in DIX (Digital / Intel / Xerox) type II (usually written "Ethernet II" or just "DIX") frames. Other transport-independent protocols may use 802.3. The two frame types can coexist on the same wire.

  • The Ethernet II header simply consists of (omitting the preamble):

  • Destination MAC address

  • Source MAC address

  • Type of encapsulated data

The Ethernet Frame Analysis with Wireshark

The following Ethereal screenshots are from the last frame containing the HTTP response from a URL with the HTML data "Hello CS 408".

The Ethernet Frame – IP Packet

The Flags field of the IP header is 3 bits wide:

  • Bit 0: reserved, must be zero.

  • Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment.

  • Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments.

010 = Don't Fragment, Last Fragment.

The Ethernet Frame – HTTP Header

There is not much to say about the HTTP header as it is mostly ASCII.

Observe that the HTTP header ends in two CRLF sequences (0D 0A 0D 0A) and then the data comes: <html><b> Hello CS 408 </b><html>
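As an added example (not part of the lecture slides), the dissection Wireshark performs on the frame shown above, written out by hand: it reads the Ethernet II header (destination MAC, source MAC, type), the 3-bit IP Flags field, and splits the HTTP response at the 0D 0A 0D 0A terminator. The frame bytes are constructed, with zeroed checksums and made-up IP addresses, source MAC and TCP port; the destination MAC, the OUI entry and the "Hello CS 408" body come from the slides.

```python
import struct

# Constructed Ethernet II frame carrying IPv4/TCP and the lecture's HTTP
# response. IP and TCP checksums are left as zero: this is sample input for
# the parser, not a real capture.
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><b> Hello CS 408 </b></html>")
FRAME = (
    bytes.fromhex("00c049a72545" "001122334455" "0800")   # dst MAC, src MAC, EtherType 0x0800
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(HTTP_RESPONSE), 1, 0x4000, 64, 6, 0,
                  bytes([192, 168, 1, 1]), bytes([192, 168, 1, 100]))   # flags+offset 0x4000: DF
    + struct.pack("!HHIIBBHHH", 80, 49152, 1, 1, 5 << 4, 0x18, 512, 0, 0)  # TCP, 20-byte header
    + HTTP_RESPONSE
)
OUI_TABLE = {"00:C0:49": "U.S. Robotics"}   # one entry from the lecture; IEEE publishes the full list

def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)

def parse_ethernet_ii(frame):
    """Return (dst MAC, src MAC, EtherType, payload) from an Ethernet II frame."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), etype, frame[14:]

def parse_ip_flags(ip_hdr):
    """Decode the 3-bit Flags field: bit 0 reserved, bit 1 DF, bit 2 MF."""
    flags = struct.unpack("!H", ip_hdr[6:8])[0] >> 13
    return {"bits": f"{flags:03b}", "reserved": bool(flags & 4),
            "DF": bool(flags & 2), "MF": bool(flags & 1)}

def split_http(payload):
    """Split a TCP payload at the header terminator 0D 0A 0D 0A (CRLF CRLF)."""
    end = payload.find(b"\r\n\r\n")
    return (payload, b"") if end < 0 else (payload[:end], payload[end + 4:])

def analyze_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP -> HTTP, as Wireshark's dissectors do."""
    dst, src, etype, packet = parse_ethernet_ii(frame)
    if etype != 0x0800:
        raise ValueError(f"not IPv4: EtherType 0x{etype:04X}")
    ihl = (packet[0] & 0x0F) * 4               # IP header length in bytes
    ip_hdr, segment = packet[:ihl], packet[ihl:]
    data_off = (segment[12] >> 4) * 4          # TCP data offset in bytes
    header, body = split_http(segment[data_off:])
    return {"dst": dst, "src": src, "dst_vendor": OUI_TABLE.get(dst[:8], "unknown"),
            "ip_proto": ip_hdr[9], "ip_flags": parse_ip_flags(ip_hdr),
            "http_header": header.decode("ascii"), "http_body": body.decode("ascii")}
```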