= Capture and Analise Packets = In this lab session we will use tcpdump and wireshark to capture packets. To analise them we will use wireshark. == Packet Capturing using tcpdump == - Go to the ubuntu VM - use tcpdump command to pacture packets {{{ tcpdump -nn }}} - you will get outputs like following {{{ IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204], length 53 }}} - You can try tcpdump with different attributes {{{ tcpdump –nni eth0 host 10.10.10.10 tcpdump –nni eth0 dst host 10.10.10.10 and tcp tcpdump –nni eth0 src net 10.10.10.0/24 and tcp and portrange 1-1024 tcpdump –nni eth0 –s0 tcpdump –nni eth0 not port 22 –s0 –c 1000 tcpdump –nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24 -nn = don’t use DNS to resolve IPs and display port no -i = interface to watch dst = watch only traffic des0ned to a net, host or port src = watch only traffic whose src is a net, host or port net = specifies network host = specifies host port = specifies a port proto = protocol ie tcp or udp -s0 = seIng samples length to 0 m -c = number of packets }}} - You can capture packets and save them to a file {{{ # tcpdump –nni eth0 -w capture.pcap –vv –c 1000 # tcpdump –nni eth0 –r capture.pcap port 80 -w capture.pcap = save capture packet to capture.pcap –vv = display number of packet captured -r capture.pcap = read capt }}} - You can open the created file and see the captured packets == Wireshark == Download wireshark from [https://www.wireshark.org/download.html here] and istall wireshark. Installation is very simple. === Captureing Packets from wireshark === Once you open the wireshark you will get the following interface. [[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/welcome.png)]] You can select the interface that you want to capture packets clicking on the intarface listed there. Then you can click the '''Start Capture''' to capture the packets. [[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/start.png)]] You will see the packets capturing. Click the '''Stop Capture''' button when you want to stop the capturing. [[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/stop.png)]] You can save the captured packets by clicking '''File>Save as...''' and Clicking '''Save''' after you select a Location You can change the interface and add or remove filter by clicking the '''Options''' button. [[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/options.png)]] === Filters === Wireshark has lot of filters. Let's try a simple filter. Let's capture only the packets that are usinf ICMP protocol. You will the filter text field in the wireshark interface. Type '''icmp''' there and start capturing. You can try different filters. - '''ip.addr == ''' [Sets a filter for any packet with 10.0.0.1, as either the source or dest] - '''ip.addr== && ip.addr==''' [sets a conversation filter between the two defined IP addresses] - '''http or dns''' [sets a filter to display all http and dns] - '''tcp.port==53''' [sets a filter for any TCP packet with 4000 as a source or dest port] - '''http.request''' [displays all HTTP GET requests] - '''!(arp or icmp or dns)''' [masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest] === Analysing === Download the sample packet capture files from here. Open them from wireshak to analyse them. Go to '''File>Open''' and select tha pcap file to be open. '''Telnet.pcap''' [https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/telnet.pcap download] - Wht is the Username and Password? - What did the User do after log in? Open the file. Filter all the telnet traffic. Go to Analyse>Follow>TCP Stream. '''massivesyn.pcap''' [https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/massivesyn.pcap download] - Is this an attack? If so what type of an attack? Open the file, Go to Statistics>Coversation. Check for the Type of packet, Sourse IP and the duration '''chat.dmp''' [https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/chat.dmp download] - What are the email addresses of the chatters? - What were they planning to do? Open the file. Go to Analyse>Follow>TCP Stream. '''ftp.pcap''' [https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/ftp.pcap download] - What is the IP address of the FTP server and the Client? - What is the error code 530? Open the file. Statistics>Coversation. Click TCP. Check the Statistics. Go to Analyse>Follow>TCP Stream '''foobar.pcap''' [https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/foobar.pcap download] - What is the protocol use TCP 6346? - What could be this scenario? Open the file. Statistics>Coversation and check for source and destination IP and port. Go to Statistics>Protocol Hierarchy '''covertinfo.pcap''' [https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/covertinfo.pcap download] - Is this a normal icmp packet? Open the file. Statistics>Coversation and check for packet length. '''sip.pcap''' [https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018wireshark/sip_chat.pcap download] - What is the protocol used for media? - Can you listen to the phone conversation? Statistics>Protocol Hierarchy check for UDP protocols. Use Telephony>(Protocol) > Analysis