(W01M01) Introduction to Basics

This is a brief article whose goal is to introduce the reader to the world of Kali Linux. It is not an exhaustive introduction to this Operating System (OS); its purpose is only to give an idea of the many possibilities provided by this Linux distribution, which was born as a penetration-testing distro but can be used in several other ways.

Packet Analysis

Almost every computer today is connected. Its communication with others takes the form of packets, which can be analyzed to determine the facts of a case. Packet sniffers are also called network analyzers, since they help in monitoring every activity performed over the Internet. The information from packet sniffing can be used to analyze the data packets and uncover the source of problems in the network. The important feature of packet sniffing is that it captures data travelling through the network, irrespective of its destination. A log file is generated at the end of every operation performed by the packet sniffer, and it contains the information related to the captured packets. Every packet has a header and a body: the header contains information such as the source of the packet, and the body contains the actual data being transferred. Many packet sniffer tools are available online, and many of them are open source and therefore free of cost. How, when and where should this be performed to collect the best data in a defensible manner? Attend this workshop to find out.

What is packet analysis?

Investigations cannot always be contained to a single computer, especially with the way systems are connected these days.  Right now, your computer may be connected to dozens of different computers, some to check for software updates, others to gather tweets, email, or RSS feeds.  Some connections could be used to authenticate to a domain or access network resources.  Now consider an investigation and the potential importance this information could have to it.

Network communication over an Internet Protocol (IP) network can best be understood as a set of packets that form a communication stream. A machine may send and receive thousands of packets per minute, and computer networks deliver these packets to their destination. Packet capture tools record this communication, and packet analysis reviews the captured packets to determine how a computer or user interacted with other devices on the network and what communication took place.

Packet analysis is also called packet sniffing or protocol analysis. A tool used for packet analysis is called a packet sniffer or packet capture tool. It captures raw data from the wire, which helps in analyzing which parties are communicating on the network, what data is flowing, how much data is being transmitted and what network services are in use.

Packet sniffing process

Packet sniffing can be divided into three steps.  The first step is collection when the software gathers all data traversing the network card it is bound to.  Next, the data is converted to a form that the program can read and lastly, the program presents the data to be analyzed and can perform pre-programmed analysis techniques on the data.

OSI network model

Before you can analyze packets, you need to understand how network communication takes place. The OSI network model is a conceptual framework that describes the activities performed to communicate on a network.

Tools

There are various packet sniffing tools available on the market. Some popular packet capture tools are Wireshark, Network Miner and NetWitness Investigator, which we will look at in detail. All three are free to download and use, and they can be operated both as command line programs and through a GUI.

Of the three, Wireshark is the most popular packet sniffer, used worldwide for its ease of installation and ease of use. More importantly, it is an open source tool that is available free of cost. The tool also provides advanced options that enable a forensic investigator or network administrator to delve deep into the packets and extract information. It supports multiple operating systems, numerous protocols and many media types.

There are numerous packet sniffer tools available for network administrators to analyze and understand the traffic flow across the network. It is always difficult to zero in on the best of the lot, as almost all of them perform the required functions seamlessly. Still, there are factors by which they can be ranked and classified as the top packet sniffing tools. The following three tools are identified as the best on the market, already deployed on millions of computers to identify serious threats. Let's look at each of the three in detail and understand why they are ranked in this order.

Wireshark

Wireshark is a popular open source packet sniffer that performs functions such as network troubleshooting, data analysis, protocol development, etc. The tool uses the latest available platforms and user interface toolkits. The development version of Wireshark uses Qt while the current releases use the GTK+ toolkit. The major advantage of using Wireshark is that it supports multiple platforms, operating systems and protocols. Wireshark comes in both a graphical user interface format and a command mode format. Wireshark can switch the network interface controller into promiscuous mode, which makes it possible to capture the traffic flowing across the network segment; otherwise, only data addressed to the capturing host would be captured.

Wireshark supports various protocols and media types. The approximate number of protocols supported by Wireshark is more than 900, and this count keeps increasing as updates are released. The primary reason for the growing count of supported protocols is the open source nature of the tool: developers have the freedom to write code that adds their new protocol to Wireshark. The Wireshark development team reviews the code that you send and includes it in the tool, which is how new protocols come to be supported. Wireshark also supports the major operating systems, ranging from Windows and macOS to Linux-based systems.

The other major reason for Wireshark to remain on top of a user's list of best packet sniffers is its ease of use. The graphical user interface of the tool is one of the simplest and easiest available. The menus are clear with a simple layout, and raw data is represented graphically. This makes it easier for novices to get along with the tool in the early stages of their career. The common problem that users face with open source software is a lack of proper program support. Wireshark has a highly active user community that can be ranked among the best of the open source projects. The development team also provides an email subscription that keeps users informed of the latest updates and FAQs.

Wireshark is very easy to install, and the required system configuration is minimal as well. Wireshark requires a minimum of 400 MHz of processor speed and 60 MB of free storage. The system should have the WinPcap capture driver and a network interface card that supports promiscuous mode; enabling that mode requires the user to have administrator access on the system being used.

Once you are sure that your system meets this configuration, you can install the tool in a very short time. Since there will be no data the first time you open Wireshark, it will not be easy to judge the user interface right away.

Installing Wireshark is as simple as installing any other software on a Windows system. All you need to do is double-click the executable file for the installer to open. Agree to the terms and conditions and select the components you need installed along with the packet sniffing tool. Certain components are selected by default, and they are enough for basic operations. Ensure that you select the Install WinPcap option and verify that the WinPcap installation window is displayed some time after the main Wireshark installation has started. When the installation is complete, open the tool, select the Capture button from the main menu and choose the interfaces from which you need data to be captured. This will initiate your first data capture using Wireshark, and the main window will then fill with data.

Picture 1: Home Window of Wireshark

Picture 2: Selecting Interfaces

The main window of Wireshark is where the collected data is presented to the forensic investigator or network administrator. Hence, this is where most of the time in the tool will be spent. The main window is broken down into three panes that are interlinked with each other.

The three panes are the packet list pane, the packet details pane and the packet bytes pane. The packet list displays the packets that are available for analysis. On selecting a packet, its decoded fields are displayed in the packet details pane, and its raw bytes are displayed in the packet bytes pane. The packet list pane displays the packet number and the time at which the packet was captured by the tool. It also displays the source and destination of the packet and other information such as the packet protocol. The packet bytes pane displays the raw data in the same form as it was originally captured and is of limited use on its own. More information about Wireshark can be found at https://www.wireshark.org/, and the tool can also be downloaded from that site.

Picture 3: Main Window

Network Miner

Network Miner is a packet analysis tool that also includes the ability to perform packet sniffing. It is available for Windows, Linux and macOS. It is a passive packet capturing tool that detects operating systems, traffic and network ports. Wireshark, on the contrary, is an active packet capturing tool.

The difference between an active and a passive packet sniffing tool is that in active sniffing the tool sends requests over the network and uses the responses to capture packets, while passive sniffing does not send any request to elicit a response. It simply observes the traffic without being noticed on the network.

Passive sniffing comes in handy in radar systems, telecommunication and medical equipment, and many other places. Another difference between the active and passive sniffing techniques is that the latter uses a host-centric approach, which means it organizes data by host, while active sniffing organizes it by packets. Similar to Wireshark, Network Miner also comes with an easy to use interface and simple installation.

NetWitness Investigator

The NetWitness Investigator is a packet sniffing tool that is the result of 10 years of research and development and has been used in the most complex threat environments. For a long time NetWitness Investigator was used only in critical environments, but the company has released a free version of the software, making it available to the public as well. The Investigator captures live packets from both wireless and wired network interfaces. It supports most major packet capture systems. The free version of the tool allows 25 simultaneous users to capture data up to a maximum of 1 GB.

The tool has other interesting features, such as effectively analyzing the data in layers of networking (from users' email addresses to files), IPv6 support, full content searching, exporting the collected information in PCAP format, and others.

As the number of Internet users has grown over the years, it was important for the Internet Engineering Task Force to come up with unique IP addresses for new devices. IPv6 will replace the current generation IPv4 protocol. The introduction of IPv6 allows an increased number of IP addresses, which lets more users communicate over the Internet: IPv4 addresses are only 32 bits long and support 4.3 billion addresses, whereas IPv6 addresses are 128 bits long and support a vastly larger address space (2^128 addresses). With a new set of protocols used for communication, it is important for forensic tools to support those protocols for seamless operation. NetWitness Investigator thus provides support for IPv6, which will be the future of all Internet communication.

Every new release of the tool comes with many new features that may not be available in other packet sniffing tools. NetWitness Investigator requires a certain minimum configuration for installation: it can be installed on a Windows operating system with at least 1 GB RAM, 1 Ethernet port, a large amount of data storage, etc. The free version of the tool supports only the Windows operating system, while the commercial version provides support for Linux as well. One important feature of the Investigator is that it does not alert the forensic investigator or network administrator to problems in the network based on known threats. Instead, it captures packets in real time, analyzes the network for differences in behavior and reports them to the forensic investigator or network administrator immediately. The commercial version of the software brings in more benefits when compared to the free version. Some of the features present only in the enterprise version are support for the Linux platform, remote network monitoring, informer, decoder and an automated reporting engine.

How packet analyzers work

Packet analyzers intercept network traffic that travels through the wired and wireless network interfaces they have access to. The structure of the network, along with how network switches and other devices are configured, decides what information can be captured. In a switched wired network, the sniffer can capture data only from the switch port it is attached to, unless port mirroring is configured on the switch.

With wireless, the packet sniffing tool can likewise capture data from only one channel, unless there are multiple interfaces that allow data to be captured from more than one channel. RFC 5474 defines a framework for packet selection and reporting: it uses the PSAMP framework, which selects packets by statistical methods and exports them to collectors. RFC 5475 describes the various packet selection techniques supported by PSAMP. These frameworks help users perform the process consistently.

The data received initially is in a raw format that only the software can understand. It needs to be converted to human readable form for the forensic investigator or network administrator to interpret. The tool performs this operation in a process called conversion. The data can then be analyzed and the necessary information obtained. Thus, the place where the fault is present can be identified and the necessary actions taken. Normally, there are three basic types of packet sniffing: ARP sniffing, IP sniffing and MAC sniffing.

In ARP sniffing, the information is inserted into the ARP cache of the hosts, and the network traffic is thereby directed towards the administrator's machine. In IP sniffing, the packets matching an IP address filter are captured. MAC sniffing is similar to IP sniffing, except that the device captures the packets of a particular MAC address.

Components of packet sniffer:

Before delving in detail into how packet sniffers work, it is important to understand the components that make up a sniffer. The four major parts of a sniffer are the hardware, the driver, the buffer and the packet analysis. Most packet sniffers work with common adapters, but some require multiple adapters, wireless adapters and others. Before installing the sniffer on the system, check whether the system contains the adapter the sniffer needs. The next important component for a sniffer to work is the driver program. Without the driver, the sniffer cannot be installed on the system. Once the sniffer is installed, it requires a buffer, which is the storage area for the data captured from the network.

There are two ways in which data can be stored in the buffer. In the first method, data is stored in the buffer until the storage space runs out; this prevents new data from being stored once there is no space left. The other method is to replace the oldest data with new data whenever the buffer fills up. The forensic investigator or network administrator has the option to select the buffer storage method. Also, the size of the buffer depends on the EMS memory (Expanded Memory Specification) of the computer: when the computer has more EMS memory, more data can be stored in the buffer.

The packet analysis is the most essential and core part of the sniffing process, as it captures and analyzes the data from the packets. Many advanced sniffing tools have been introduced of late that allow users to replay the stored contents so that they can be edited and retransmitted as required.

Working Principle:

The working principle of a sniffing tool is very simple. The network interfaces present in a segment each have a hardware address, and they can see the data transmitted over the physical medium. The hardware address of a network interface is designed to be unique, so it should differ from the address of every other network interface. Hence, a packet transmitted over the network passes by the host machines but is ignored by all except the one to which it is destined. In practice, however, this is not always the case, because hardware addresses can be changed in software, and virtualization technologies frequently generate hardware addresses for virtual machines from a set pool.

In IP networks, each network has a subnet mask, a network address and a broadcast address. An IP address consists of two parts, the network address and the host address, and the subnet mask separates the IP address into these two parts. The host address can be further broken down into a subnet address and a host address. The subnet mask identifies the network an IP address belongs to through an AND operation: the mask has 1s in the network bits and 0s in the host bits, so ANDing the address with the mask keeps only the network part. Any network has two special reserved host addresses, 0 for the network address and 255 for the host address. Subnetting helps in breaking down bigger networks into multiple smaller networks. A network address identifies a node in a network; network addresses are unique within a network, and there can be more than one network address within any network. A broadcast address is a special address used to transmit messages to multiple recipients. Broadcast addresses help network administrators verify successful data transmission over the network. The broadcast address is used by various clients, the most important being the Dynamic Host Configuration Protocol and the Bootstrap Protocol, which use it to transmit server requests.

When a network interface card is configured, it will respond to hosts whose addresses lie in the same network as designated by its subnet mask and network address. This is how packet sniffing works, and the three basic steps of packet sniffing are collection, conversion and analysis.
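The AND operation described above, worked through in code. This is an added example and not part of the course material; the addresses are constructed, and the standard-library `ipaddress` module is used only to cross-check the hand-rolled arithmetic. The all-ones host portion (255 in a /24) that the code computes is the broadcast address defined in the paragraph above, and `same_network()` is the test a configured interface applies before answering another host directly.

```python
"""Subnet arithmetic via the AND operation (added example, constructed values)."""
import ipaddress
from typing import Tuple


def to_int(dotted: str) -> int:
    """Dotted quad text -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_address(ip: str, mask: str) -> str:
    """The mask has 1s in the network bits and 0s in the host bits, so
    IP AND mask clears the host part and leaves the network address."""
    return to_dotted(to_int(ip) & to_int(mask))


def broadcast_address(ip: str, mask: str) -> str:
    """Broadcast address: the network address with every host bit set to 1
    (the .255 of a /24)."""
    host_bits = ~to_int(mask) & 0xFFFFFFFF
    return to_dotted((to_int(ip) & to_int(mask)) | host_bits)


def host_range(ip: str, mask: str) -> Tuple[str, str, int]:
    """First usable host, last usable host and usable host count. The
    all-zeros and all-ones host parts are reserved, except on /31 and /32
    where there is no room to reserve anything."""
    net = to_int(network_address(ip, mask))
    bcast = to_int(broadcast_address(ip, mask))
    if bcast - net < 3:
        return to_dotted(net), to_dotted(bcast), bcast - net + 1
    return to_dotted(net + 1), to_dotted(bcast - 1), bcast - net - 1


def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """The test a configured interface applies: two addresses are on the
    same network when they AND to the same network address."""
    return (to_int(ip_a) & to_int(mask)) == (to_int(ip_b) & to_int(mask))


def cross_check(ip: str, mask: str) -> bool:
    """Confirm the manual arithmetic against the standard library."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return (str(iface.network.network_address) == network_address(ip, mask)
            and str(iface.network.broadcast_address) == broadcast_address(ip, mask))


if __name__ == "__main__":
    # Constructed sample addresses: a /24 and a /20.
    for ip, mask in (("192.168.10.77", "255.255.255.0"), ("10.1.35.200", "255.255.240.0")):
        print(ip, mask, network_address(ip, mask), broadcast_address(ip, mask),
              host_range(ip, mask), cross_check(ip, mask))
```

The /20 case is the one worth stepping through by hand: the third octet 35 (00100011) ANDed with 240 (11110000) gives 32, and ORing the inverted mask back in gives 47, so 10.1.35.200 and 10.1.40.1 share a network while 10.1.48.1 does not.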

Collection

The first step in the packet sniffing technique is the collection of raw data from the packets travelling along the network. The sniffer switches the required network interface into promiscuous mode, which enables data packets from other hosts on the segment to be captured. When this mode is turned off, only the packets addressed to that particular interface are captured; when it is turned on, all packets received on the interface are captured. Packets received by the NIC are stored in a buffer and then processed.

It is important for the forensic investigator or network administrator to understand where to place a packet sniffer for it to capture packets effectively. This is called tapping the wire or getting on the wire: the packet sniffer is placed in the correct physical location. Placing the sniffer at the right position is as tough as analyzing the packets for information. Since a network is connected through hardware devices, placing the tool at the wrong position will not fetch the packets. As seen before, the network interface card should be in promiscuous mode for capturing the data flowing across the network. Usually, operating systems do not allow ordinary users to turn promiscuous mode on; administrator privileges are required to enable this mode, and if those are not available, packet sniffing cannot be carried out on that network. It is much easier to sniff packets in a network that has hubs installed, because when traffic is sent over a hub it is repeated to every port connected to the hub. Hence, once you connect the packet sniffer to an empty port of the hub, you will receive the packets travelling across the hub.

Picture 4. Example of one location where packet sniffer can be placed [Source: http://www.windowsecurity.com/articles-tutorials/misc_network_security/Network_Analyzers_Part1.html]

The most common type of network is a switched network, as it allows broadcast, multicast and unicast traffic. It also supports full duplex communication, in which the host system can send and receive packets simultaneously. This increases the complexity of setting up a packet sniffing tool in a switched environment. Also, only the traffic sent to the broadcast address or to the host machine itself can be captured. Hence the visibility window for the packet sniffer is far smaller in a switched environment.

There are three common ways of capturing data in a switched network: port mirroring, ARP cache poisoning and hubbing out. Port mirroring is the simplest of the three. The forensic investigator or network administrator must be able to access the command line interface of the switch to enable port mirroring. All you need to do is enter a command in the switch's command line interface that makes the switch copy traffic from one port to another.

Another method of capturing data in a switched environment is hubbing out, a technique in which the target device and the analyzer are localized within the network by connecting them directly to a hub. For the hubbing out method, the forensic investigator or network administrator needs a hub and some network cables to connect the target to the hub. First, unplug the host from the network, then plug the target and the analyzer into the hub. Then connect the hub to the network switch, which lets the data flow to the hub and simultaneously to the analyzer.

In the seven layer OSI model, the second layer contains MAC addresses while the third layer contains IP addresses, and both addresses are used in conjunction for network data transfer. Switches operate at the second layer, and hence MAC addresses have to be resolved from IP addresses and vice versa for data transfer. This translation process is called the Address Resolution Protocol (ARP). Whenever a computer needs to transfer data to another computer, an ARP request is sent to the switch, which then sends an ARP broadcast packet to the systems connected to it. The target computer that has the matching IP address responds to the request by sending out its MAC address. This information is then stored in the ARP cache so that future connections can use it without sending out a new request. This cache can be poisoned with false entries so that traffic is redirected through the sniffer; hence the method is also called ARP spoofing.
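Because the capture technique just described depends on hosts caching whatever ARP reply arrives, the defender's counterpart is to watch the replies themselves. The following is an added example, not part of the course or of any tool it names: it runs over a constructed list of ARP replies and flags an IP address claimed by more than one MAC, a claimed MAC that differs from a known-good inventory mapping (the `known` dictionary is an assumed input, e.g. from DHCP leases), and an IP whose MAC keeps flapping back and forth.

```python
"""Detect signs of ARP cache poisoning in a stream of ARP replies.
Added example with constructed records; not from the course."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ArpReply:
    ts: float        # capture time in seconds
    sender_ip: str   # the IP the reply claims to speak for
    sender_mac: str  # the MAC it wants the receiver to cache for that IP


# Constructed sample: the gateway 192.168.1.1 is legitimately at
# aa:aa:aa:aa:aa:01; partway through, a second MAC starts claiming the same
# IP while the real gateway keeps answering, so the two alternate.
SAMPLE: List[ArpReply] = [
    ArpReply(0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(0.5, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    ArpReply(1.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(2.0, "192.168.1.1", "de:ad:be:ef:00:99"),
    ArpReply(2.5, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(3.0, "192.168.1.1", "de:ad:be:ef:00:99"),
]


def ip_to_macs(replies: Iterable[ArpReply]) -> Dict[str, set]:
    """Every MAC that has claimed each IP over the capture."""
    table: Dict[str, set] = defaultdict(set)
    for r in replies:
        table[r.sender_ip].add(r.sender_mac.lower())
    return table


def conflicts(replies: Iterable[ArpReply],
              known: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """IPs claimed by more than one MAC, plus IPs whose claimed MAC differs
    from a known-good mapping. Returns {ip: sorted suspect MACs}."""
    known_lc = {ip: mac.lower() for ip, mac in (known or {}).items()}
    findings: Dict[str, List[str]] = {}
    for ip, macs in ip_to_macs(replies).items():
        suspect = set()
        if len(macs) > 1:
            suspect |= macs
        if ip in known_lc:
            suspect |= {m for m in macs if m != known_lc[ip]}
        if suspect:
            findings[ip] = sorted(suspect)
    return findings


def flapping(replies: Iterable[ArpReply]) -> Dict[str, int]:
    """Number of times each IP's claimed MAC changed, in time order.
    A legitimately re-addressed host changes once; a poisoned one alternates."""
    last: Dict[str, str] = {}
    flips: Dict[str, int] = defaultdict(int)
    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.sender_mac.lower()
        if r.sender_ip in last and last[r.sender_ip] != mac:
            flips[r.sender_ip] += 1
        last[r.sender_ip] = mac
    return dict(flips)


if __name__ == "__main__":
    inventory = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}  # assumed known-good gateway
    print("conflicts:", conflicts(SAMPLE, inventory))
    print("flapping :", flapping(SAMPLE))
```

The two checks are deliberately separate: a single conflicting reply is enough to open a ticket, while the flap count tells the responder how long the cache was contested and whether the legitimate host was still on the segment.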

Conversion

In this step, the raw data captured in the collection step is converted to human readable form. Only the converted data can be analyzed for information useful to the network administrator. The work of most command line packet sniffers stops at this point, and the remaining work is left to the forensic investigator or network administrator.

Analysis

The third and final step of the packet sniffing technique is analysis, in which the data now in human readable form is examined to gather the required information. Multiple packets are compared to obtain the behavior of the network. GUI based packet sniffing tools are handy at this stage, as they have comparison tools as well.
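The three steps (collection, conversion, analysis) carried out end to end on constructed frames, as an added example that is not code from the course or from Wireshark, Network Miner or NetWitness. `build_frame` stands in for collection by constructing Ethernet/IPv4 frames carrying TCP or UDP (checksums are left at zero and not verified), `decode` is the conversion step from raw bytes to header fields, and `analyze` answers the questions posed in the packet analysis section: which parties are communicating, how much data is flowing and which services are in use. The MAC and IP addresses are made up; 203.0.113.0/24 is a documentation range.

```python
"""Collection, conversion and analysis on constructed frames
(added example; not code from the course or from any tool it names)."""
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload):
    """Stand-in for collection: build an Ethernet/IPv4/TCP-or-UDP frame.
    Checksums are left at zero; the decoder below does not verify them."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_IPV4))
    if proto == PROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + l4


def decode(frame: bytes):
    """Conversion: raw bytes -> a dict of header fields, or None when the
    frame is truncated or not IPv4 (a real sniffer must tolerate both)."""
    if len(frame) < 34:
        return None
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_IPV4:
        return None
    ver_ihl, _, total, _, _, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    if ver_ihl >> 4 != 4 or len(frame) < 14 + total:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    l4 = frame[14 + ihl:14 + total]
    rec = {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "src_ip": ip_str(sip),
           "dst_ip": ip_str(dip), "ttl": ttl, "proto": proto,
           "sport": None, "dport": None, "payload": l4}
    if proto == PROTO_TCP and len(l4) >= 20:
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", l4[:14])
        rec.update(sport=sport, dport=dport, flags=off_flags & 0x1FF,
                   payload=l4[(off_flags >> 12) * 4:])
    elif proto == PROTO_UDP and len(l4) >= 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        rec.update(sport=sport, dport=dport, payload=l4[8:ulen])
    return rec


def analyze(frames):
    """Analysis: per conversation, packet count, payload bytes and the
    services seen (the lower port number is taken as the service side)."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0, "services": set()})
    undecoded = 0
    for frame in frames:
        rec = decode(frame)
        if rec is None:
            undecoded += 1
            continue
        conv = convs[tuple(sorted((rec["src_ip"], rec["dst_ip"])))]
        conv["packets"] += 1
        conv["bytes"] += len(rec["payload"])
        if rec["dport"] is not None:
            name = "tcp" if rec["proto"] == PROTO_TCP else "udp"
            conv["services"].add((name, min(rec["sport"], rec["dport"])))
    return dict(convs), undecoded


# Constructed capture: a TLS-looking TCP exchange, one DNS-sized UDP query,
# and a truncated junk frame that the decoder must reject.
CAPTURE = [
    build_frame("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:fe", "10.0.0.5", "203.0.113.10",
                PROTO_TCP, 51000, 443, b"\x16\x03\x01" + b"\x00" * 40),
    build_frame("aa:aa:aa:aa:aa:fe", "aa:aa:aa:aa:aa:01", "203.0.113.10", "10.0.0.5",
                PROTO_TCP, 443, 51000, b"\x16\x03\x03" + b"\x00" * 100),
    build_frame("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:35", "10.0.0.5", "10.0.0.53",
                PROTO_UDP, 40000, 53, b"\x12\x34" + b"\x00" * 30),
    b"\x00" * 10,
]

if __name__ == "__main__":
    summary, bad = analyze(CAPTURE)
    for (a, b), info in summary.items():
        print(f"{a} <-> {b}: {info['packets']} packets, {info['bytes']} bytes, {sorted(info['services'])}")
    print(f"{bad} frame(s) could not be decoded")
```

Keying the conversation on the sorted address pair is what lets the two directions of the TCP exchange land in one row, which is the view the analysis step needs; the undecoded count is kept rather than silently dropped because a capture that is mostly undecodable is itself a finding.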

All these methods ensure that the right packets are captured as part of the packet sniffing technique. Network problems can then be analyzed, and the necessary actions taken by network administrators to prevent further problems in the network. The three packet sniffing tools mentioned above are widely used by audiences around the globe.

The goal of analyzing data in computer forensics is to identify and explore the digital content in order to preserve and recover the original data present. There are various instances where computer forensics has come in handy for network administrators. Live analysis is the most effective technique, as it ensures that encrypted file systems can also be captured and analyzed.


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023