Wireshark Primer with an emphasis on WLANs. Gary Hampton, Kentuckiana ISSA Workshop, 3/12/2011
Outline • Objective • Types of Sniffers • Wireshark background • 802.11 Physical Layer • 802.11 MAC Layer • 802.11 Security • Capturing basics • Wireless traces • How to’s: tcp stream, statistics, filters, profiles
Objective • Improve your knowledge of Wireshark and how to sniff traffic • Be able to create filters and navigate Wireshark • Improve your knowledge of the 802.11 protocol and wireless networking
Types of sniffers • Specialty sniffers • Cain and Abel • Dsniff • Tcpdump/windump • Device specific • Intrusion detection systems • Modern access points • Microsoft’s Netmon • Commercial grade • WildPackets’ OmniPeek • NetScout • Wireshark • CACE Pilot (Wireshark interface); Riverbed Technology
Why Wireshark? • Why use Wireshark? • Excellent price: $0 • Full-blown sniffer • Supports multiple file formats: • MS Netmon, WildPackets, Sun Snoop, Kismet • Sharing traces with other work groups • When to use a commercial sniffer? • When sniffing large amounts of data (e.g. 1GB) • When presenting graphs and documents to upper-level management
Wireshark • Created by Gerald Combs • 1998 Ethereal • 2006 CACE Technologies “Wireshark” • Purchased by Riverbed Technology 2010 • Maintained by a group of developers today • Released under the GNU General Public License (GNU GPL) • Free downloads available for Windows, Mac OS X, Linux, FreeBSD and U3 devices • www.wireshark.org/download.html • Graphical and command-line versions • Mailing list for new releases • www.wireshark.org/lists
Wireshark Requirements • Any modern 32-bit/64-bit x86 or AMD processor • Minimum 128MB available RAM (more is better) • 75MB available disk space • Network cards • Any Ethernet card supported by Windows • Wireless • Windows – AirPcap adaptors only • Linux – not all, but most Linux drivers support monitor mode • http://wireless.kernel.org/en/users/drivers
Uses for Wireshark • Troubleshoot performance issues • Identify device configuration issues • Identify malicious traffic • Perform intrusion detection • Evaluate response times • Baseline bandwidth usage • Identify application protocols and ports • Assess wireless networks
What does it take to be good at analyzing traces? • Be familiar with the sniffer’s features • Be familiar with networking protocols • Your effectiveness is directly proportional to that familiarity • Research RFCs, Google, etc. • Know your network and the applications that utilize it • Baseline
802.11b/g/n 2.4GHz band • 3 non-overlapping channels in the 2.4GHz band • CSMA/CA • Unlicensed spectrum • Microwave ovens • Bluetooth • Wireless cameras • Cordless phones • Other 802.11 devices • Ham radio operators
802.11a/n 5 GHz band • Unlicensed National Information Infrastructure (U-NII) band • 12 non-overlapping channels in the 5 GHz band • In 2004, the FCC allocated the 5.32 – 5.745 GHz band, providing 12 additional channels • Devices must support IEEE 802.11h Dynamic Frequency Selection and Transmit Power Control • Radar usage • Terminal Doppler Weather Radars (TDWR) operate between 5.6 – 5.65 GHz • FCC recommends not using those channels when within 35km of a TDWR
Spectrum Analyzers • Kismet (not an SA, but can identify APs) • WIDS/WIPS/modern APs • MetaGeek • Wi-Spy – Chanalyzer • Berkeley Varitronics Systems • Bumblebee • AirMagnet • Spectrum XT • Cisco • Spectrum Expert • Anritsu/Tektronix/HP/Bird Technologies
Frame Comparison (figure: 802.3 frame vs. 802.11 frame)
802.11 Frame Control Fields • Version – specifies the protocol number. • Type – Specifies frame type (Mgmt, Control or Data) • Subtype – e.g. association, CTS
802.11 Frame Control Fields continued • To DS/From DS • To DS set -> to the wired network • From DS set -> from the wired network • Both bits set -> wireless bridge (WDS network) • Both bits cleared -> ad-hoc network
802.11 Frame Control Fields continued • MF – More fragments • Retry • Pwr – Power mgmt • More – More data • W – WEP
802.11 Power Management • CAM (Continuous awareness mode): Radio never shuts down. Provides the best network performance, uses the most battery power • PSP 1: Excellent network performance, uses less battery power • PSP 2: Great network performance, uses less battery power • PSP 3: Good network performance, uses less battery power • PSP 4: Adequate network performance, uses less battery power • PSP 5: Acceptable network performance, uses the least battery power
802.11 MAC Frames • Management: Used for connecting and disconnecting from the WLAN. Includes beacons, probes, authentication and association requests/responses. • Control: Used to acknowledge receipt of data (Data-ACK, RTS-CTS-Data-ACK, CTS-Data-ACK). • Data: The only frames that include an encrypted payload in a WLAN. Encapsulates user data over the WLAN (e.g. IP and ARP traffic).
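As an added illustration (not from the deck), the decoder below applies the Frame Control layout from the preceding slides and computes the value Wireshark shows as wlan.fc.type_subtype, which the deck's later filters match on; the sample Frame Control bytes are constructed, not taken from a trace.

```python
# Added example (not from the slides): decode the 2-byte 802.11 Frame Control
# field described above and compute the value Wireshark exposes as
# wlan.fc.type_subtype, which the deck's later filters match on (8, 12).
import struct

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
# Management subtypes named on the slides (type 0), numbered as in 802.11
MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response", 4: "Probe Request",
                 5: "Probe Response", 8: "Beacon", 11: "Authentication", 12: "Deauthentication"}

def ds_direction(to_ds: bool, from_ds: bool) -> str:
    """Interpret the To DS / From DS bit pair as on the slides."""
    if to_ds and from_ds:
        return "wireless bridge (WDS)"
    if to_ds:
        return "to the wired network"
    if from_ds:
        return "from the wired network"
    return "ad-hoc"

def parse_frame_control(fc: bytes) -> dict:
    """Decode the little-endian Frame Control field of an 802.11 MAC header."""
    b0, b1 = struct.unpack("<BB", fc[:2])
    info = {
        "version": b0 & 0x03,          # bits 0-1: protocol version
        "type": (b0 >> 2) & 0x03,      # bits 2-3: Mgmt (0), Control (1), Data (2)
        "subtype": (b0 >> 4) & 0x0F,   # bits 4-7: e.g. Beacon (8), Deauth (12)
        "to_ds": bool(b1 & 0x01),
        "from_ds": bool(b1 & 0x02),
        "more_frag": bool(b1 & 0x04),  # MF
        "retry": bool(b1 & 0x08),      # Retry
        "pwr_mgmt": bool(b1 & 0x10),   # Pwr
        "more_data": bool(b1 & 0x20),  # More
        "protected": bool(b1 & 0x40),  # W (WEP / protected frame)
    }
    # Wireshark's wlan.fc.type_subtype packs type and subtype into one number
    info["type_subtype"] = (info["type"] << 4) | info["subtype"]
    info["direction"] = ds_direction(info["to_ds"], info["from_ds"])
    info["name"] = (MGMT_SUBTYPES.get(info["subtype"], "other management")
                    if info["type"] == 0 else TYPE_NAMES.get(info["type"], "reserved"))
    return info

# Constructed Frame Control values (not taken from any real capture)
SAMPLES = {"beacon": b"\x80\x00", "deauth": b"\xc0\x00", "data_retry": b"\x08\x0a"}

if __name__ == "__main__":
    for label, fc in SAMPLES.items():
        d = parse_frame_control(fc)
        print(label, d["name"], d["type_subtype"], d["direction"], "retry" if d["retry"] else "")
```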
Encryption and Authentication Options • WPA-PSK and WPA2-PSK • Use a hierarchy of keys (see the in-depth security slides at the end of this presentation for more information) • WPA-PSK and WPA2-PSK both use the 4-way handshake to generate the Pairwise Transient Key. • Pairwise Master Keys are the same for all systems on the same WPA-PSK or WPA2-PSK network • If you capture the 4-way handshake (EAPOL protocol) and know the PSK and SSID, Wireshark can decrypt WPA and WPA2 PSK packets • WPA and WPA2 Enterprise • Uses 802.1X with EAP (Extensible Authentication Protocol) to authenticate the client (supplicant) to the access point (authenticator) instead of a PSK • Uses per-user, per-session keys; therefore Wireshark, and sniffers in general, cannot decrypt the packets • See the security slides at the end of the presentation for more information
Wireshark capture flow • Libpcap – link layer interface for capturing on Linux or Unix (tcpdump) • WinPcap – Windows port of libpcap • AirPcap – link layer interface and network adaptor to capture 802.11 traffic on Windows
Capturing wireless traffic • Determine the location for the sniffer(s) • Select the appropriate interface and data capturing options • Performance issues • Disable “Update list of packets in real time” • Disable network name resolution • Reduce the number of columns • Disclaimer • Only capture traffic on networks where you have permission to do so.
Sniffing wired traffic • Hub • Switched networks • Hub • Port Mirroring/Port Spanning • Taps
Sniffing Wireless traffic • Promiscuous mode – the 802.11 adaptor only captures packets of the SSID the adaptor has joined. • Monitor mode – the driver does not make the adaptor a member of any SSID on the network. All packets of all SSIDs on the currently selected channel are captured. • Windows – must use AirPcap from CACE Technologies • Linux – most Linux drivers support monitor mode
Wireshark Startup (screenshot: Capture area, Files area, Online Help)
Wireshark Layout (screenshot: Filter toolbar, Wireless toolbar, Packet List, Packet Details, Packet Bytes, Status bar)
Capture Filters • Limit the packets saved while capturing traffic • Helpful when capturing traffic on a busy network or focusing on a specific problem • Problems: • You cannot get the discarded packets back • No syntax error checking, unlike display filters • Filter options: Type, Direction, and Protocol • tcp – filters on TCP traffic • ether src 00:A0:F8:12:34:56 – traffic from that Ethernet address • host www.cnn.com – capture traffic to/from cnn.com
Setting up profiles • Wireshark allows you to configure profiles for different uses, e.g. analyzing WLAN traces. • Edit->Configuration Profiles->New->enter profile name (e.g. WLAN) • Any capture or display filters and column changes will be saved under this profile while it is in use
Statistical Analysis • Summary: provides a summary of the sniffer trace: • Date, length • Capture format • Packet and byte counts • Time elapsed • Capture filters used
Protocol Hierarchy Statistics • Displays a list of the types of traffic and their percentages. • Used to identify anomalies and suspect traffic. • Example: wpa-induction.pcap • Statistics->Protocol Hierarchy
Identifying top talkers • Conversations statistics list pairs of devices that are communicating with each other • Open trace wlan-ap-problem.pcap • Statistics->Conversations • Select the WLAN tab • Endpoints is similar, but shows only a single endpoint or node.
Basic Display Filters • field.name operator value • Operators • eq, == Equal • ne, != Not Equal • gt, > Greater than • lt, < Less than • ge, >= Greater than or Equal to • le, <= Less than or Equal to • contains Contains specified data • and, && • or, || • not, ! Negate
Coloring Rules for traffic • Coloring rules help make reading traces easier and identify problems. • Example • Open the airodrop-ng2 trace and add the coloring rules: • View->Coloring Rules->New->name and filter expression->choose colors: • Deauthentication frames • wlan.fc.type_subtype eq 12 • Packet retries • wlan.fc.retry eq 1 • Affects load time for traces
IO Graphs • Allows Wireshark to graphically depict traffic flow trends. • Used to identify network performance issues • TCP round trip time (data – ACK) • Open the wlan-signalissue trace • Statistics->IO Graph • Add a filter for signal strength • ppi.80211-common.dbm.antsignal
Decrypting Frames • Wireshark can decrypt WEP, WPA-PSK and WPA2-PSK • If using the driver, only WEP can be decrypted • The trace must include the 4-way handshake frames to derive the PTK used to decrypt • Open the wpa-induction trace • Verify the 4-way handshake was captured in the trace • Apply the protocol filter “eapol” and select Apply
Decrypting Frames continued • Clear the eapol filter • Edit->Preferences->Protocols->IEEE 802.11 • Enter the PSK and SSID in the format wpa-pwd:PSK:SSID • wpa-pwd:Induction:Coherer • Check “Enable decryption” • May have to toggle “Ignore vendor-specific HT elements” and “Assume packets have FCS” • Select “Apply” and “OK” • Open the Protocol Hierarchy Statistics and note the additional protocols that are listed.
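As an added example covering both the PSK key hierarchy slide and the decryption steps above (not the deck's own code), this derives the PMK and PTK the way Wireshark must when given wpa-pwd:PSK:SSID and the captured 4-way handshake; the MAC addresses and nonces in the demo are constructed placeholders, not values from the wpa-induction trace.

```python
# Added example (not from the slides): the key derivation behind Wireshark's
# "wpa-pwd:PSK:SSID" setting. Every station on a PSK network shares the same
# PMK (derived from passphrase and SSID), while the per-session PTK also needs
# the two MAC addresses and the two nonces carried in the 4-way handshake,
# which is why the EAPOL frames must be in the trace for decryption to work.
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbytes: int = 48) -> bytes:
    """Pairwise Transient Key; 48 bytes for CCMP = KCK(16) || KEK(16) || TK(16).
    Addresses and nonces are ordered min/max so AP and station derive the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)

def split_ptk(ptk: bytes) -> dict:
    """KCK authenticates the handshake (MIC), KEK wraps the GTK, TK encrypts data."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

if __name__ == "__main__":
    # PSK and SSID from the deck's wpa-induction exercise (wpa-pwd:Induction:Coherer);
    # the MAC addresses and nonces below are constructed placeholders, not trace data.
    pmk = derive_pmk("Induction", "Coherer")
    aa = bytes.fromhex("020000000001")                 # authenticator (AP) address, constructed
    spa = bytes.fromhex("020000000002")                # supplicant (station) address, constructed
    anonce = hashlib.sha256(b"anonce-demo").digest()   # 32-byte nonces, constructed
    snonce = hashlib.sha256(b"snonce-demo").digest()
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    print("PMK", pmk.hex())
    for name, k in split_ptk(ptk).items():
        print(name, k.hex())
```

The PMK check in the test uses the passphrase/SSID test vector published in the 802.11i standard (Annex H), not a value from the deck.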
DWEP client unable to connect to the AP • Open the tulcsp1 trace file • Examine beacon frame #2 • What channel is the AP on? • What is the data rate for the beacon? • What type of security is in use? • Set a filter to hide beacons • !wlan.fc.type_subtype eq 8 • Examine the association/authentication process. Why does the client not associate? • Hint: Look at frames 12 and 15