Packet sniffing guide

Ethereal Guide for Windows: Sniffing the glue that holds the Internet together™


Description

Ethereal is a free network protocol analyzer for UNIX and Windows. It lets you examine data from a live network or from a capture file on disk, interactively browsing the capture with a summary and a detailed decode of each packet. Its most useful features include a rich display filter language and the ability to reassemble and view the full stream of a TCP session. (Ethereal was renamed Wireshark in 2006; the menus and panes described in this guide are those of the 2002-era Ethereal, but the concepts carry over unchanged.)

Installation

This resource can be obtained from www.ethereal.com as a download of roughly 7.3 MB. At the time of writing it ran on the following platforms: AIX, Compaq (formerly Digital) Tru64 Unix, Debian GNU/Linux, FreeBSD, HP-UX, Irix, LinuxPPC, Linux Mandrake, MacOS X, NetBSD, OpenBSD, Red Hat Linux, s/390 (Linux), SCO UnixWare 7, Solaris/Intel, Solaris/SPARC, Slackware Linux, SuSE Linux and Windows 9x/NT (95/98/ME, NT4/2000/XP).

Installation for Windows

The Windows binaries are at http://www.ethereal.com/distribution/win32/. Two installs are needed:

1. Visit http://winpcap.polito.it/ to download and install the WinPcap driver. Ethereal requires this to capture packets from your NIC: WinPcap is a kernel-mode packet capture driver, so installing it needs administrator rights on the machine.

2. Download and install the Ethereal binary.

© All rights www.ethereal.com. Pack produced by [email protected]


How does a Packet Sniffer Work

“If, he thought to himself, such a machine is a virtual impossibility, then it must logically be a finite improbability. So all I have to do in order to make one is to work out exactly how improbable it is, feed that figure into the finite improbability generator, give it a fresh cup of really hot tea ... and turn it on!” Douglas Adams, Hitch Hikers Guide to the Galaxy

[Diagram: packet sniffer application -> probe (the capture driver) -> NIC or other network interface device -> network medium. The operating system's own protocol stack covers OSI layers 7 down to 2; the probe sits beside it at the interface.]

The sniffer's probe (the capture driver, WinPcap on Windows) sits between the NIC and the operating system's protocol stack and hands the application a copy of every frame that passes, in both directions. The copy is taken passively: the original frames are sent and delivered as normal, so capturing has no direct effect on the running of the computer or the network, and nothing on the wire reveals that a sniffer is present; it is effectively a parasite on the traffic.

Two practical caveats follow from this. To see frames that are not addressed to your own machine the NIC must be put into promiscuous mode, which Ethereal does by default. And on a switched network a port only carries broadcast traffic and traffic for the host attached to it, so you must capture on the host you are interested in, or mirror its switch port, to see anything else.

“A program and/or device that monitors data travelling over a network. Sniffers can be used both for legitimate network management functions and for stealing information off a network. Unauthorized sniffers can be extremely dangerous to a network's security because they are virtually impossible to detect and can be inserted almost anywhere. This makes them a favourite weapon in the hacker's arsenal.”

www.pcwebopedia.com


Familiarisation with Ethereal

Ethereal's main window is made up of three panes.

1. The top pane is the packet list pane. It displays a one-line summary of each captured packet. Clicking a packet here controls what is shown in the other two panes.

2. The middle pane is the tree view pane. It displays the packet selected in the top pane decoded protocol by protocol, in more detail.

3. The bottom pane is the data view pane. It displays the raw bytes of the packet selected in the top pane, and highlights the bytes belonging to the field selected in the tree view pane.

In addition to the three main panes, there are four elements of interest at the bottom of the Ethereal main window.

A. The lower leftmost button, labelled "Filter:", opens the filter construction dialog.

B. The left middle text box is where you enter or edit a display filter string; it also shows the filter currently in effect. Click the pull-down arrow to pick a previous filter string from a list.

C. The right middle button, labelled "Reset", clears the current filter.

D. The right text box displays informational messages: whether or not you are capturing, which file has been read into the packet list pane if you are not, and, if you have selected a protocol field in the tree view pane that can be filtered on, the filter label for that field (you can use that label directly in a display filter).


Starting a Capture Session

First, and almost obviously, select Capture/Start. The capture options dialog then lets you set the following before the capture begins:

Interface: if the computer has more than one network interface device (for example a network interface card and a modem), choose the one you want to listen on.

Limit each packet to N bytes (the snapshot length, or snaplen): captures only the first N bytes of each packet. This is useful when you only want headers and not bulky payloads such as HTTP bodies. Normally it is left unset, so whole packets are captured.

Capture packets in promiscuous mode: leave this on to see traffic that is not addressed to your own machine; turn it off if you only want your host's own traffic.

Session termination options: stop automatically after a number of packets, kilobytes or seconds, if required.

Name resolution: use DNS or another service to resolve addresses to names where possible, if required. Note that resolving names generates DNS traffic of its own, which will itself appear in the capture, and slows the display on a busy network.

Click OK to start.


Whilst traffic-capture is taking place

Not the most exciting part of the process. How long to capture for can be based on either how many packets you want to analyse or how much time you are prepared to spend; network administrators can leave Ethereal running for hours.

If your system is not generating useful traffic, open a DOS/command window and type:

ping www.barnfield.ac.uk -t

(the -t switch makes the Windows ping keep going until you press Ctrl+C, so it produces a steady stream of ICMP echo requests and replies).

Click on Stop when you have over 100 packets.


So what do we get from a traffic-capture?

"Come on," he droned, "I've been ordered to take you down to the bridge. Here I am, brain the size of a planet and they ask me to take you down to the bridge. Call that job satisfaction? ‘Cos I don't." Marvin the Paranoid Android

The packet list pane

Each row in the top pane is one captured packet, with these columns:

- No.: capture sequence number
- Time: time elapsed since the start of the capture
- Source: source address (from whence it came!)
- Destination: destination address (to where it goes)
- Protocol: what type of packet it is
- Info: a brief summary of the contents/role of the packet


The tree view pane

The tree view pane shows the selected packet decoded layer by layer. For the ICMP (ping) packet captured here the fields shown are:

- Ethernet II: hardware (MAC) address of the device the packet is going to; hardware (MAC) address of the device the packet originated from; the network layer protocol carried in the frame
- Internet Protocol: the specific protocol of the data packet; destination network layer (3) address of the packet (note that Ethereal attempts name resolution); source network layer (3) address of the packet
- Internet Control Message Protocol: the ping (echo) message itself

It's worth noting that the packet captured here is an ICMP (ping!) packet.


The data view pane

The data view pane is a hexadecimal dump of the raw bytes sent in the data packet, with the same bytes shown as ASCII text on the right (bytes that are not printable characters appear as a dot).

TIP: Click on one of the bytes and its counterpart field in the tree view pane will be highlighted.

Many network services transmit in plain text, so the ASCII column lets you read the contents of many data packets directly. The Windows version of ping, for example, fills its default 32-byte payload with the lowercase alphabet a-w and then wraps round to a again, so each echo packet ends with abcdefghijklmnopqrstuvwabcdefghi.


So what protocols does Ethereal support?

At the time of writing (23/08/2002) Ethereal supported 280 protocols:

802.1q Virtual LAN; 802.1x Authentication; Address Resolution Protocol; Ad hoc On-demand Distance Vector Routing Protocol; Ad hoc On-demand Distance Vector Routing Protocol v6; Aggregate Server Access Protocol; Andrew File System (AFS); AOL Instant Messenger; Apache JServ Protocol v1.3; Appletalk Address Resolution Protocol; AppleTalk Filing Protocol; AppleTalk Session Protocol; AppleTalk Transaction Protocol packet; Async data over ISDN (V.120); ATM; ATM LAN Emulation; Authentication Header; BACnet Virtual Link Control; Banyan Vines; Banyan Vines Fragmentation Protocol; Banyan Vines SPP; Blocks Extensible Exchange Protocol; Boot Parameters; Bootstrap Protocol; Border Gateway Protocol; Building Automation and Control Network APDU; Building Automation and Control Network NPDU; Cisco Auto-RP; Cisco Discovery Protocol; Cisco Group Management Protocol; Cisco HDLC; Cisco Hot Standby Router Protocol; Cisco Interior Gateway Routing Protocol; Cisco ISL; Cisco SLARP

Common Open Policy Service; Common Unix Printing System (CUPS) Browsing Protocol; Data; Datagram Delivery Protocol; Data Link SWitching; Data Stream Interface; DCE RPC; DCE/RPC Conversation Manager; DCE/RPC Endpoint Mapper; DCE/RPC Remote Management; DCOM OXID Resolver; DCOM Remote Activation; DEC Spanning Tree Protocol; DHCPv6; Diameter Protocol; Distance Vector Multicast Routing Protocol; Distributed Checksum Clearinghouse Protocol; Domain Name Service; Dynamic DNS Tools Protocol; Encapsulating Security Payload; Enhanced Interior Gateway Routing Protocol; Ethernet; Extensible Authentication Protocol; Fiber Distributed Data Interface; File Transfer Protocol (FTP); Frame; Frame Relay; FTP Data; GARP Multicast Registration Protocol; GARP VLAN Registration Protocol; General Inter-ORB Protocol; Generic Routing Encapsulation; Gnutella Protocol; GPRS Tunneling Protocol; GPRS Tunneling Protocol v0

GPRS Tunneling Protocol v1; Hummingbird NFS Daemon; Hypertext Transfer Protocol; ICQ Protocol; IEEE 802.11 wireless LAN; IEEE 802.11 wireless LAN management frame; ILMI; Inter-Access-Point Protocol; Internet Cache Protocol; Internet Content Adaptation Protocol; Internet Control Message Protocol; Internet Control Message Protocol v6; Internet Group Management Protocol; Internet Message Access Protocol; Internet Printing Protocol; Internet Protocol; Internet Protocol Version 6; Internet Relay Chat; Internet Security Association and Key Management Protocol; Internetwork Packet eXchange; IP Payload Compression; IPX Message; IPX Routing Information Protocol; iSCSI; ISDN Q.921-User Adaptation Layer; ISDN User Part; ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol; ISO 8073 COTP Connection-Oriented Transport Protocol; ISO 8473 CLNP ConnectionLess Network Protocol; ISO 8602 CLTP ConnectionLess Transport Protocol


ISO 9542 ESIS Routing Information Exchange Protocol; ITU-T Recommendation H.261; Java RMI; Java Serialization; Kerberos; Kernel Lock Manager; Label Distribution Protocol; Layer 2 Tunneling Protocol; Lightweight Directory Access Protocol; Line Printer Daemon Protocol; Link Access Procedure Balanced Ethernet (LAPBETHER); Link Access Procedure Balanced (LAPB); Link Access Procedure, Channel D (LAPD); Link Aggregation Control Protocol; Link Management Protocol (LMP); Linux cooked-mode capture; Local Management Interface; LocalTalk Link Access Protocol; Logical-Link Control; Lucent/Ascend debug output; Message Transfer Part Level 2; Message Transfer Part Level 3; Microsoft Distributed File System; Microsoft Exchange MAPI; Microsoft Local Security Architecture; Microsoft Network Logon; Microsoft Registry; Microsoft Security Account Manager; Microsoft Server Service; Microsoft Spool Subsystem; Microsoft Telephony API Service; Microsoft Windows Browser Protocol; Microsoft Windows Lanman Remote API Protocol; Microsoft Windows Logon Protocol; Microsoft Workstation Service

MMS Message Encapsulation; Mobile IP; Modbus/TCP; Mount Service; MSNIP: Multicast Source Notification of Interest Protocol; MS Proxy Protocol; MTP2 Peer Adaptation Layer; MTP 2 Transparent Proxy; MTP 2 User Adaptation Layer; MTP 3 User Adaptation Layer


Multicast Router DISCovery protocol; Multicast Source Discovery Protocol; MultiProtocol Label Switching Header; Name Binding Protocol; Name Management Protocol over IPX; NetBIOS; NetBIOS Datagram Service; NetBIOS Name Service; NetBIOS over IPX; NetBIOS Session Service; NetWare Core Protocol; Network Data Management Protocol; Network File System; Network Lock Manager Protocol; Network News Transfer Protocol; Network Status Monitor CallBack Protocol; Network Status Monitor Protocol; Network Time Protocol; NFSACL; NFSAUTH; NIS+; NIS+ Callback; NSPI; Null/Loopback; OpenBSD Packet Filter log file; Open Shortest Path First; PC NFS; Point-to-Point Protocol; Point-to-Point Tunnelling Protocol; Portmap; Post Office Protocol; PPP Bandwidth Allocation Control Protocol; PPP Bandwidth Allocation Protocol; PPP Callback Control Protocol; PPP Challenge Handshake Authentication Protocol; PPP Compressed Datagram; PPP Compression Control Protocol; PPP IP Control Protocol; PPP Link Control Protocol; PPP Multilink Protocol; PPP Multiplexing

PPPMux Control Protocol; PPP-over-Ethernet Discovery; PPP-over-Ethernet Session; PPP Password Authentication Protocol; PPP VJ Compression; Pragmatic General Multicast; Prism; Protocol Independent Multicast; Q.2931; Q.931; Quake III Arena Network Protocol; Quake II Network Protocol; Quake Network Protocol; QuakeWorld Network Protocol; Qualified Logical Link Control; Radio Access Network Application Part; Radius Protocol; Raw packet data; Real Time Streaming Protocol; Real-time Transport Control Protocol; Real-Time Transport Protocol; Remote Procedure Call; Remote Quota; Remote Shell; Remote Wall protocol; Resource ReserVation Protocol (RSVP); RFC 2250 MPEG1; RIPng; Rlogin Protocol; Routing Information Protocol; Routing Table Maintenance Protocol; RPC Browser; RSTAT; RX Protocol; SADMIND; SCSI; Secure Socket Layer; Sequenced Packet eXchange; Service Advertisement Protocol; Service Location Protocol; Session Announcement Protocol; Session Description Protocol; Session Initiation Protocol

Short Message Peer to Peer; Signalling Connection Control Part; Simple Mail Transfer Protocol; Simple Network Management Protocol; Sinec H1 Protocol; Skinny Client Control Protocol; SliMP3 Communication Protocol; SMB MailSlot Protocol; SMB Pipe Protocol; SMB (Server Message Block Protocol); SNA-over-Ethernet; SNMP Multiplex Protocol; Socks Protocol; Spanning Tree Protocol; SPRAY; SS7 SCCP-User Adaptation Layer; SSCOP; Stream Control Transmission Protocol; Syslog message; Systems Network Architecture; TACACS; TACACS+; Telnet; Time Protocol; Time Synchronization Protocol; Token-Ring; Token-Ring Media Access Control; TPKT; Transmission Control Protocol; Transparent Network Substrate Protocol; Trivial File Transfer Protocol; Universal Computer Protocol; User Datagram Protocol; Virtual Router Redundancy Protocol; Virtual Trunking Protocol; Web Cache Coordination Protocol; Wellfleet Compression; Who; Wireless Session Protocol; Wireless Transaction Protocol; Wireless Transport Layer Security; X11; X.25


X.25 over TCP; X Display Manager Control Protocol; Yahoo Messenger Protocol; Yellow Pages Bind; Yellow Pages Passwd; Yellow Pages Service; Yellow Pages Transfer; Zebra Protocol


What can I do with my captured traffic?

“It says that the effect of a Pan Galactic Gargle Blaster is like having your brains smashed out by a slice of lemon wrapped round a large gold brick.” A quote from the guide.. Hitch Hikers Guide to the Galaxy

Like all good applications, select File/Save.

The capture can be saved in Ethereal's native libpcap format or in a number of other sniffer formats. These are binary files, not text, but the packet bytes are stored exactly as they were on the wire, so any plain-text content in the packets can still be read if you open the file in a text editor such as Notepad.

Save as mytraffic.txt in a location where you have read/write rights (the .txt extension does not change the format; it just lets Notepad open the file with a double-click).


Open the file mytraffic.txt in Notepad.

Whilst most of the file will appear to be garbage, you can see the a-w plain-text payload of each ICMP packet.

Attackers use exactly this technique to harvest logins and passwords: protocols such as Telnet, FTP and POP3 send credentials in the clear, and HTTP basic authentication only base64-encodes them, so anyone who can capture the traffic can read them. The only real defence is an encrypted protocol such as SSL/TLS, which leaves a capture holding nothing but ciphertext.

Try this on a web-surfing exercise and you will find the HTML source of each page you visited in the file (for plain HTTP, that is; an SSL session shows only encrypted records).
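Worked example (added here; it is not code from the original guide, from Ethereal or from WinPcap): the three panes and the Notepad exercise above amount to parsing a capture file, so this Python script builds one Windows-style ping packet as constructed sample data (made-up MAC and private IP addresses), writes it in the libpcap format Ethereal saves by default, and reads it back as a packet-list row, a tree of decoded Ethernet/IP/ICMP fields with checksum verification, and a hex/ASCII dump in which the a-w payload is readable. The function and constant names are the example's own.

```python
"""Minimal libpcap reader for an Ethernet/IPv4/ICMP capture (added example, not from the guide).
Builds one Windows-style ICMP echo request in memory (constructed data, made-up addresses), writes it
in libpcap format as File/Save does, and reads it back the way the three Ethereal panes present it."""
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1      # native-order libpcap magic, Ethernet link type
ETHERTYPE_IPV4, IPPROTO_ICMP, ICMP_ECHO_REQUEST = 0x0800, 1, 8
# Windows ping fills its default 32-byte payload with a-w and then wraps round to a.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid header (checksum included) sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_echo_frame(src_mac, dst_mac, src_ip, dst_ip, ident=1, seq=1) -> bytes:
    """Ethernet II + IPv4 + ICMP echo request carrying the Windows ping payload."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + WINDOWS_PING_PAYLOAD
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]   # fill in checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, IPPROTO_ICMP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp

def write_pcap(frames, ts_start=1030000000.0) -> bytes:
    """libpcap file: 24-byte global header, then a 16-byte record header before each frame."""
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        ts = ts_start + i                      # constructed: one second between packets
        out += struct.pack("=IIII", int(ts), int(ts % 1 * 1e6), len(frame), len(frame)) + frame
    return out

def read_pcap(data: bytes):
    """Yield (timestamp, frame) from a native-order libpcap file."""
    magic, = struct.unpack_from("=I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a native-order libpcap file (magic 0x%08x)" % magic)
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("=IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len

def decode_frame(frame: bytes) -> dict:
    """Tree-view fields: Ethernet II -> IPv4 -> ICMP, plus the raw ICMP payload."""
    pkt = {"eth.dst": frame[:6].hex(":"), "eth.src": frame[6:12].hex(":"),
           "eth.type": struct.unpack_from("!H", frame, 12)[0]}
    if pkt["eth.type"] != ETHERTYPE_IPV4:
        pkt["info"] = "non-IPv4 ethertype 0x%04x" % pkt["eth.type"]
        return pkt
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
    pkt.update({"ip.src": ".".join(map(str, ip[12:16])), "ip.dst": ".".join(map(str, ip[16:20])),
                "ip.proto": proto, "ip.checksum_ok": inet_checksum(ip[:ihl]) == 0})
    payload = ip[ihl:total_len]
    if proto == IPPROTO_ICMP:
        icmp_type, code, _csum, ident, seq = struct.unpack_from("!BBHHH", payload, 0)
        pkt.update({"icmp.type": icmp_type, "icmp.code": code, "icmp.ident": ident, "icmp.seq": seq,
                    "icmp.checksum_ok": inet_checksum(payload) == 0, "icmp.data": payload[8:]})
        pkt["info"] = "Echo (ping) request" if icmp_type == ICMP_ECHO_REQUEST else "ICMP type %d" % icmp_type
    else:
        pkt["info"] = "IP protocol %d" % proto
    return pkt

def packet_list(pcap: bytes):
    """Rows as the packet list pane shows them: No., Time, Source, Destination, Protocol, Info."""
    rows, t0 = [], None
    for no, (ts, frame) in enumerate(read_pcap(pcap), start=1):
        t0 = ts if t0 is None else t0
        pkt = decode_frame(frame)
        proto = "ICMP" if pkt.get("ip.proto") == IPPROTO_ICMP else "IP" if "ip.src" in pkt else "ETH"
        rows.append((no, round(ts - t0, 6), pkt.get("ip.src", pkt["eth.src"]),
                     pkt.get("ip.dst", pkt["eth.dst"]), proto, pkt["info"]))
    return rows

def hexdump(data: bytes, width: int = 16) -> str:
    """Data-view pane: offset, hex bytes, and the same bytes as ASCII ('.' if unprintable)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %s  %s" % (off, hexpart, text))
    return "\n".join(lines)

# Constructed sample capture: one echo request between two made-up private addresses.
SAMPLE_PCAP = write_pcap([build_icmp_echo_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                                                "192.168.1.10", "192.168.1.1")])

if __name__ == "__main__":
    print(*packet_list(SAMPLE_PCAP), sep="\n")
    print(hexdump(next(read_pcap(SAMPLE_PCAP))[1]))   # a-w payload readable in the right-hand column
```

Run it as a script to print the summary row and the dump; write the SAMPLE_PCAP bytes to a file and open that in Ethereal and you get the same three views. The checksum check is the detail Ethereal does for you in the tree view: a corrupted header byte flips ip.checksum_ok to False, and a frame whose ethertype is not IPv4 (an ARP request, say) is still summarised rather than mis-decoded as IP.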


Other features

This guide, like many, only scratches the surface of what this application can do; please visit www.ethereal.com, where you will find up-to-date guides and information on this resource.

Ethereal can also be run from the command line, and ships with two companion tools: Tethereal, a terminal-only version that captures and decodes packets without the GUI, and Editcap, which edits and converts capture files. The GUI's own command-line synopsis is:

ethereal [ -B byte view height ] [ -c count ] [ -f filter expression ] [ -h ] [ -i interface ] [ -k ] [ -m font ] [ -n ] [ -o preference setting ] ... [ -p ] [ -P packet list height ] [ -Q ] [ -r infile ] [ -R filter expression ] [ -S ] [ -s snaplen ] [ -T tree view height ] [ -t time stamp format ] [ -v ] [ -w savefile ]

Note the two different filters: -f is a capture filter in libpcap (tcpdump) syntax, applied by the capture driver before packets are stored, while -R is a read filter in Ethereal's display filter syntax, applied to packets already captured or read from infile. -p turns promiscuous mode off, -s sets the snapshot length and -w writes the capture to savefile.
