Ethereal: Network Security

Transcript of a PowerPoint presentation (uploaded 31 Dec 2015).

Team Members: Anthony Anderson, Jerome Mitchell, and Napoleon Paxton

Team Mentors: Mr. C. Edwards & Mr. K. Hayden

Abstract

The Office of Naval Research Network Team actively listened to network traffic to fingerprint transmitted data packets that could potentially affect the availability of resources within the ONR Local Area Network (LAN) segment. Network traffic was examined using the Ethereal graphical user interface to identify and analyze Transmission Control Protocol and User Datagram Protocol packets to and from end-user hosts and Elizabeth City State University (ECSU) campus intranet servers. Captured packet frames were decoded to see if a problem exists with a packet. Capture statements were created to find out what traffic is crossing the network, identify unauthorized protocols, and identify the top talkers.

During the 2004 – 2005 Network Research Program the ONR Network Team limited its research and discovery phase to understanding the various methods to observe, capture, identify, analyze, and decode packets within a packet-switched Local Area Network.

To further the analysis of packet capturing, the ONR Network Research Team will expand its research and discovery during the 2005 - 2006 program to develop a network diagram to determine the best place to capture traffic for analysis, with campus-wide monitoring during different times of the day instead of once a day, two times a week, during ONR mentoring sessions.

The development of an active packet monitoring network team can help the ONR network mentoring program strengthen the capabilities of the team members, help the ECSU Math and Computer Science department develop a new course for its program, and/or turn over the research to the ECSU IT department for them to develop a network analysis vulnerability prevention program using packet analyzers and sniffers.

What is Ethereal

Ethereal is a network packet analyzer. A network packet analyzer captures network packets and displays the captured packet data in as much detail as possible.

Ethereal Intended Purposes

Network administrators use it to troubleshoot network problems.

Network security engineers use it to examine security problems.

Developers use it to debug protocol implementations.

People use it to learn network protocol internals.

Ethereal Features

Available for UNIX and Windows.

Capture live packet data from a network interface.

Display packets with very detailed protocol information.

Open and Save captured packet data.

Import and Export packet data from and to a lot of other capture programs.

Filter packets on many criteria.

Search for packets on many criteria.

Colorize packet display based on filters.

Create various statistics.

Platforms Ethereal Runs On

Unix: Apple Mac OS X, BeOS, FreeBSD, HP-UX, IBM AIX, NetBSD, OpenBSD, SCO UnixWare/OpenUnix, SGI Irix, Sun Solaris/Intel, Sun Solaris/Sparc, Tru64 UNIX (formerly Digital UNIX)

Linux: Debian GNU/Linux, Gentoo Linux, IBM S/390 Linux (Red Hat), Mandrake Linux, PLD Linux, Red Hat Linux, Rock Linux, Slackware Linux, Suse Linux

Microsoft Windows: Windows Me / 98 / 95, Windows Server 2003 / XP / 2000 / NT 4.0

The "Capture Options" dialog box

Lester Hall Connection To The WWW

[Network diagram: ECSU Network From Lester Hall to Internet. Labels shown: Internet, Internet Firewall, Router, Lester Hall, Trigg, ITC; Cisco Systems switches with Supervisor A (WS-X6K-SUP1-2GE) and 48 Port 10/100 Ethernet modules.]

Protocol Analyzer Monitoring Network Traffic

What is a packet?

A piece of a message transmitted over a packet-switching network. The messages are divided into packets before they are sent. Each packet is then transmitted individually and can even follow different routes to its destination. Once all the packets forming a message arrive at the destination, they are recompiled into the original message.

Using Ethereal or Another Packet Analyzer:

Formulate a “capture statement.” What do you want to find out? Do you want to identify what traffic is crossing your network? Identify unauthorized protocols? Identify top talkers? Other?

Create a network diagram and determine the best place to capture traffic that is related to your “statement.”

Create and save three capture files. Limit capture files to 1000 packets. Capture network traffic during different times of the day.

Analyze the traffic you captured. What protocols do you see? Can you find any unauthorized traffic? Can you identify the two top talkers? Follow a TCP stream (HTTP) and save it as a file.

Write a brief description of what you found through network analysis.
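The analysis steps above (protocol inventory, unauthorized protocols, the two top talkers, a 1000-packet limit) can be scripted against a saved capture file. The following is an added example, not code from the presentation or from Ethereal: it builds a small constructed libpcap capture in memory, then walks it the way a capture statement asks. The port-to-protocol table and the assumed policy that Telnet and FTP are unauthorized are this example's own assumptions.

```python
import struct
from collections import Counter

PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # libpcap header, linktype 1 = Ethernet
PORT_NAMES = {80: "HTTP", 443: "HTTPS", 23: "TELNET", 53: "DNS", 21: "FTP"}
UNAUTHORIZED = {"TELNET", "FTP"}  # assumed site policy for this example

def frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4 frame carrying TCP (6) or UDP (17); checksums left zero."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def pcap(frames):
    """Wrap frames in per-packet pcap record headers (ts_sec, ts_usec, caplen, origlen)."""
    return PCAP_GLOBAL + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                                   for i, f in enumerate(frames))

def analyze(data, limit=1000):
    """Walk a pcap byte string: protocol counts, unauthorized hits, top talkers by bytes."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "expects little-endian pcap"
    pos, n, protos, talkers, flagged = 24, 0, Counter(), Counter(), []
    while pos + 16 <= len(data) and n < limit:   # mirror the 1000-packet capture limit
        caplen = struct.unpack("<IIII", data[pos:pos + 16])[2]
        pkt = data[pos + 16:pos + 16 + caplen]
        pos, n = pos + 16 + caplen, n + 1        # n is the packet's "No." as Ethereal shows it
        if pkt[12:14] != b"\x08\x00":            # EtherType is not IPv4: count it and move on
            protos["OTHER"] += 1
            continue
        ihl = (pkt[14] & 0x0F) * 4
        src, dst = ".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34]))
        sport, dport = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
        name = (PORT_NAMES.get(dport) or PORT_NAMES.get(sport)
                or {6: "TCP", 17: "UDP"}.get(pkt[23], "IP"))
        protos[name] += 1
        talkers[src] += len(pkt); talkers[dst] += len(pkt)
        if name in UNAUTHORIZED:
            flagged.append((n, src, dst, name))
    return {"packets": n, "protocols": dict(protos),
            "top_talkers": talkers.most_common(2), "unauthorized": flagged}

# Constructed capture: one HTTP exchange, one DNS query and one Telnet login (the policy hit)
SAMPLE = pcap([frame("10.0.0.5", "10.0.0.80", 6, 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
               frame("10.0.0.80", "10.0.0.5", 6, 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n" + b"x" * 200),
               frame("10.0.0.5", "10.0.0.53", 17, 5353, 53, b"\x00" * 30),
               frame("10.0.0.7", "10.0.0.80", 6, 40001, 23, b"login: ")])

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

To run it against a real file saved by Ethereal, pass `open("capture.pcap", "rb").read()` to `analyze` in place of `SAMPLE`; the parser handles only plain IPv4 over Ethernet, which is all the constructed sample contains.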

The Interface

The User Interface: Columns

No. The number of the packet in the capture file. This number won't change, even if a display filter is used.

Time The timestamp of the packet. The presentation format of this timestamp can be changed; see the section called “Time display formats and time references”.

Source The address where this packet is coming from.

Destination The address where this packet is going to.

Protocol The protocol name in a short (perhaps abbreviated) version.

Info Additional information about the packet content.

The "Packet List" Pane

The "Packet Details" Pane

This pane shows the protocols and protocol fields of the packet selected in the "Packet List" pane. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed.

The "Packet Bytes" Pane

The packet bytes pane shows the data of the current packet (selected in the "Packet List" pane) in a hexdump style. The left side shows the offset in the packet data, in the middle the packet data is shown in a hexadecimal representation, and on the right the corresponding ASCII characters (or "." if not printable) are displayed.

Following TCP Streams

To see the data from a TCP session in the order that the application layer sees it (such as passwords in a Telnet stream, or simply to make sense of a data stream), Ethereal has the capability to follow a TCP stream.

TCP Stream