
Packet capture and analysis

###LinuxCBT Packet Capture | Analysis Edition###

Topics of coverage:

 1. Topology

 2. Features of Ethereal

 3. Explore Interface

 4. TCPDump - default format and capture filter syntax (BPFs) used in Ethereal

 5. Snort NIDS - produce TCPDump-compliant binary file

 6. Sun Snoop - comes with Solaris

 7. Capture ARP, Layer-2(MAC), ICMP and ICMPv6 with Ethereal and analyze

 8. Capture UDP for IPv4 & IPv6 and analyze

 9. Capture TCP for IPv4 & IPv6 and analyze

10. Analyze captures using 'Display Filters' - used during post-processing of packets

11. Statistics

12. Capture packets using Tethereal - TTY version - used in shell

13. Capture and analyze Intranet & DMZ traffic

14. Capture and analyze Internet traffic

15. Capture and analyze wireless traffic

16. Ethereal Windows 2003 Server

Topology Overview:

Primary Host: 192.168.75.15 - linuxcbtsuse1 - linuxcbtsuse1.linuxcbt.internal

Common DNS Suffix: linuxcbt.internal

Internal Subnet IPv4: 192.168.75.0/24

DMZ Subnet IPv4: 10.10.10.0/24

Both subnets (Internal(Intranet)/DMZ) are RFC-1918 compliant

Note: linuxcbtsuse1 box has a dedicated sniffing/port monitoring interface - eth1

Note: eth0 can be used simultaneously to sniff traffic on linuxcbtsuse1

Identify which router/switch ports the various boxes connect to:

Steps:

 1. SSH or connect to router/switch

 2. list ports using - sh int status

 3. Match server to port - sh mac-address-table address 0011.435A.BCE5

 4. Navigate to global config mode - config t

 5. Navigate to interface configuration mode - int fa5

 6. Assign a description to the interface - Description linuxcbtsuse1 eth0

Ethereal Features:

rpm -qa | grep -i ethereal - lists whether Ethereal is installed

rpm -ql ethereal

 1. Modular - functionality can be added via modules

 2. Provides primary 'ethereal' binary - GUI

 3. Runs multiple platforms:

  a. Linux

  b. Unix - Solaris, AIX, FreeBSD, OpenBSD

  c. Windows

 4. Supports over 750 networking protocols - i.e. IPv4, TCPv4, UDPv4, ICMPv4, ICMPv6, IPv6, IPX/SPX, Netbeui, NETBIOS, AppleTalk, Ethernet

 5. Captures Packets - However, excels at analyzing packets

 6. Supports Berkeley Packet Filters (BPFs) - uses primitives to parse traffic

 8. Supports binding to specific or all interfaces

 9. Ability to display packets as they're captured - use when packet-loss is not an issue

Note: subject to packet loss

10. Supports 'Display Filters' language for post-processing packets

11. Includes an expression builder to help build 'Display Filters'

12. Ability to save expressions(Display Filters) for reuse

13. Displays packets in fractions of a second:

  a. Second

  b. Decisecond - tenth - 3.5

  c. Centisecond - hundredth - 3.55

  d. Millisecond - thousandth - 3.555

  e. Microsecond - millionth - 3.654321

  f. Nanosecond - billionth - 3.987654321

14. Provides numerous statistics

15. Color-codes protocols in the packet list display

16. Reconstructs TCP sessions - i.e. connecting to an FTP server

17. Ability to spread captured data across multiple files based on criteria

  a. Useful in long-term capturing

18. Ability to stop capture based on criteria:

  a. packet count - i.e. stop capture after 500 packets

  b. size of capture

  c. Time (min,hour,days)

19. Performs name resolution at various OSI layers:

  a. Layer-2 (MAC) - i.e. 00:11:43:5A:BC:E5

  b. Layer-3 (IPv4/IPv6) - i.e. 192.168.75.15 -> linuxcbtsuse1.linuxcbt.internal - /etc/hosts or DNS

20. Imports 3rd party captures:

  a. TCPDump

  b. Sun Snoop - Solaris

  c. Sniffer

  d. MS Network Monitor

21. Ability to import GZ compressed captures - requires Zlib library

22. Exports captures to 3rd party formats - i.e. Sun Snoop

23. Ability to merge capture files - i.e. import multiple dump/capture files

24. Ability to print captures in TXT or Postscript formats

25. Includes the text/TTY version - Tethereal - used from shell

26. Extensible via plug-ins

27. Highly-customizable GUI

Explore Ethereal GUI:

Launch using: ethereal - which is located in /usr/bin

Note: MUST be root to place network interface(s) into promiscuous mode, providing a view of packets NOT destined for the sniffing system

Note: You may sniff packets without promiscuous mode, however, you will only obtain traffic sourced from or destined to the sniffing host

Note: MUST alter X.org permissions to permit 'root' to draw Ethereal's windows on the screen

execute from shell: 'xhost +' - permits ALL users to write to current screen

Main GUI Components:

 1. 3 Display windows

  a. Packet List - reveals the chronological order of captured packets

  b. Packet Details - reveals details of packet

  c. Packet Bytes - reveals the actual HEX sent/received across the wire

TCPDump:

Note: TCPDump is the default supported format of Ethereal

Features:

 1. Captures, by default, packets to and from the machine's default eth0 interface

 2. Able to sniff in promiscuous mode if root or equivalent invokes it

Usage:

 1. tcpdump -v - capture ALL packets to and from the machine in verbose mode

Note: captures to screen usually yield dropped packets

 2. tcpdump -v -w tcpdump.capture.all.1.out - writes output of ALL layers to file

 3. tcpdump -D - returns usable interfaces

 4. tcpdump -v -c 50 - captures 50 packets and then exits

 5. tcpdump -i eth1 | lo | eth0 | any | interface_name - binds tcpdump to a specific interface

 6. tcpdump -n - disables layer-3 name resolutions (/etc/hosts and/or DNS)

Berkeley Packet Filters (BPFs)

Terminology:

 1. Define Qualifiers (3 Exist):

  a. Type - host|net|port - i.e. host 192.168.75.15 OR net 192.168.75.0 OR port 21

  b. Dir - src, dst, src or dst, src and dst - i.e. src and dst 192.168.75.15

  c. Proto - ip, ip6, icmp, icmp6, tcp, udp, ether, etc.

 1. tcpdump -w tcpdump.capture.SSH.1.out src host 192.168.75.10 and dst port 22

 2. tcpdump -w tcpdump.capture.FTP.2.out dst port 21
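As an added illustration (not part of the LinuxCBT notes), the following Python evaluates the three BPF qualifiers above (Type, Dir, Proto) against constructed packet summaries, so the two tcpdump filters can be checked offline before a capture is started. The `Pkt` class and the sample addresses are constructed here; it assumes CIDR notation for `net` and supports only `and`/`or` without parentheses or `not`.

```python
import ipaddress
from dataclasses import dataclass

PROTOS = {"ip", "tcp", "udp", "icmp"}
DIRS = {"src": ["src"], "dst": ["dst"], "either": ["src", "dst"], "both": ["src", "dst"]}

@dataclass
class Pkt:  # constructed packet summary: only what the three qualifiers inspect
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    srcport: int = 0      # 0 = no port (ICMP)
    dstport: int = 0

def _match(type_, value, field):
    """Type qualifier: host (exact), net (CIDR assumed, e.g. 192.168.75.0/24) or port."""
    if not field:
        return False
    if type_ == "host":
        return field == value
    if type_ == "net":
        return ipaddress.ip_address(field) in ipaddress.ip_network(value, strict=False)
    if type_ == "port":
        return field == int(value)
    raise ValueError(f"unknown Type qualifier {type_!r}")

def primitive(expr, pkt):
    """One primitive: [proto] [dir] type value, or a bare proto name such as 'icmp'."""
    toks = expr.split()
    if toks[0] in PROTOS:                          # Proto qualifier ('ip' covers all)
        if toks[0] != "ip" and pkt.proto != toks[0]:
            return False
        return len(toks) == 1 or primitive(" ".join(toks[1:]), pkt)
    d = toks[0] if toks[0] in DIRS else "either"   # Dir qualifier; default is 'src or dst'
    type_, value = toks[-2], toks[-1]
    hits = [_match(type_, value, getattr(pkt, s + "port" if type_ == "port" else s))
            for s in DIRS[d]]
    return all(hits) if d == "both" else any(hits)

def capture_filter(expr, pkt):
    """Primitives joined by 'and'/'or' ('and' binds tighter); no parentheses or 'not'."""
    expr = expr.replace("src or dst", "either").replace("src and dst", "both")
    return any(all(primitive(p, pkt) for p in term.split(" and "))
               for term in expr.split(" or "))

# Constructed intranet/DMZ traffic matching the topology in these notes.
SAMPLE = [
    Pkt("tcp", "192.168.75.10", "192.168.75.15", 40001, 22),   # SSH request
    Pkt("tcp", "192.168.75.15", "192.168.75.10", 22, 40001),   # SSH reply
    Pkt("tcp", "192.168.75.5", "10.10.10.2", 40002, 21),       # FTP into the DMZ
    Pkt("udp", "192.168.75.5", "192.168.75.15", 123, 123),     # NTP
    Pkt("icmp", "192.168.75.5", "192.168.75.15"),              # ping
]
```

Running `[p for p in SAMPLE if capture_filter("src host 192.168.75.10 and dst port 22", p)]` keeps only the SSH request, which is exactly what the first tcpdump line above would write to its file.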

WinDump:

 Features:

  1. TCPDump for Windows

  2. Supports virtually identical switches to TCPDump

 Requires:

  1. WinPcap

  2. WinDump.exe - EXE

Note: Use CTRL-C to kill

 1. windump - binds to default interface and sniffs ALL packets

 2. windump -D - returns usable interfaces

 3. windump -i 2

 4. windump -i 2 dst port 80

 5. windump -w filename -i 2 dst port 80

Snort NIDS:

 1. Packet Logger

 2. Packet Sniffer

 3. NIDS

 Requirements:

 1. pcre-devel*

 2. GCC - c compiler

 3. libpcap

 Download: www.snort.org

 1. snort*gz - contains source code

 2. MD5SUM - confirms integrity

 3. SIG file - confirms integrity

 4. Download and import the PGP/GPG key used to sign the latest release of Snort

Note: Copy and paste appropriate key after running: 'gpg --import'

 5. Verify SIG downloaded: gpg --verify snort*sig snort*.gz

 6. Confirm MD5SUM: md5sum snort*gz

 Compile & Install Snort:

 1. tar -xzvf snort*gz

 2. ./configure - checks for pre-requisites

 3. make - creates the binaries - including 'snort'

 4. make install - as 'root' - to copy binaries to public directories - /usr/local/bin

Note: Snort supports Berkeley Packet Filters (BPFs)

 1. snort -v - binds to default 'eth0' interface

 2. snort -v -i lo - binds to non-default interface

 3. snort -v -b -l ./ -L snort.capture.SSH.5.out src host 192.168.75.10 and dst port 22

 4. snort -v -b -l ./ -L snort.capture.FTP.6.out dst port 21

Note: when logging using binary logging, Snort captures ALL OSI layers

Note: use CTRL-C to terminate

Sun Solaris Snoop:

  1. Packet Capturing

  2. Replays captured packets

  3. Snoop supports a language similar to BPFs

  4. Supports writing output to binary, Snoop file - parseable by Ethereal

 Usage:

 1. snoop - sniffs ALL traffic in promiscuous mode - similar to tcpdump

 2. snoop -o output_file tcp port 22

 3. snoop -o output_file tcp port 80

 4. snoop -o output_file tcp port 21

 5. snoop -o output_file host 10.10.10.2 tcp port 21

Ethereal Capturing - ARP, Layer-2(MAC), ICMP and ICMPv6, IP6 Multicast

ARP - relies upon broadcasts to ALL FFs address, which ALL hosts listen to:

 1. ether broadcast

Ethereal returns useful information in its 3 main windows:

 1. packet number - Packet List window

 2. Frame number - Packet Details window

 3. OSI layers are represented from frame(layer-1) to Application(layer-7)

  a. This is a representation of the Protocol Data Unit (PDU)

Layer-2

 1. ether host mac_address ; ether host 0:e:a6:1e:61:53 - captures frames where that MAC is the source or destination

ICMPv4

 1. icmp

 2. icmp and src host 192.168.75.5

ICMPv6

 1. icmp6

UDP Traffic:

Network Time Protocol (NTP):

  1. Same source and destination port number (123)

  2. Synchronizes clocks

DNS:

TCP Captures for IPv4 & IPv6:

Note: The overwhelming majority of packets on any LAN/WAN are TCP packets because more applications are designed to use TCP

 1. Guaranteed delivery of packets

  a. Acknowledgements

  b. Connection-oriented services

Capture Filter Usage:

 1. ip - captures ALL IP packets: ICMPv4, IP, TCP, UDP, SSH, FTP, HTTP

 2. ip and tcp - captures IPv4 and TCPv4

 3. tcp

Note: Pseudo-device 'any' does NOT operate in promiscuous mode because one of its members does NOT have real network access: lo = loopback adapter, which is an in-memory device

Note: Ethereal supports TCP streams reassembly - 'Follow TCP Streams'

Note: Follow TCP Stream allows you to track:

 1. bytes used from client to server

 2. bytes used from server to client

 3. total bytes between client and server - in both directions

Note: 'Follow TCP Stream' builds a 'Display Filter'

Note: TCP sessions employ a 3-way handshake:

 1. SYN - synchronization - Client

 2. SYN-ACK - synchronization acknowledgement - Server

 3. ACK - acknowledgement - Client
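Added example, not from the original notes: a Python sketch of what 'Follow TCP Stream' computes over constructed FTP segments (bytes per direction, the total, and a display filter isolating the conversation in the form Ethereal generates), plus a check that the 3-way handshake above completed in order. The `Seg` class, the segment list and the payload sizes are constructed; the client is taken to be the side that sent the SYN.

```python
from dataclasses import dataclass

@dataclass
class Seg:  # constructed TCP segment summary (not from a real capture)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S" SYN, "SA" SYN-ACK, "A" ACK, "PA" data push
    payload: int = 0    # bytes of application data in the segment

def stream_key(seg):
    """Direction-independent 4-tuple that identifies one TCP conversation."""
    return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))

def stream_of(segs, first):
    """All segments, in capture order, of the stream containing `first`."""
    return [s for s in segs if stream_key(s) == stream_key(first)]

def handshake_complete(segs, first):
    """True when the stream opens SYN (client), SYN-ACK (server), ACK (client)."""
    first3 = stream_of(segs, first)[:3]
    if len(first3) < 3:
        return False
    client = (first3[0].src, first3[0].sport)
    expected = [("S", True), ("SA", False), ("A", True)]   # (flags, sent by client?)
    return all(s.flags == f and ((s.src, s.sport) == client) == from_client
               for s, (f, from_client) in zip(first3, expected))

def follow_tcp_stream(segs, first):
    """Per-direction byte counts for the stream containing `first`, and the
    display filter that isolates it. The client is whichever side sent the SYN."""
    stream = stream_of(segs, first)
    syn = next((s for s in stream if s.flags == "S"), None)
    if syn is None:
        raise ValueError("no SYN in stream: cannot tell client from server")
    client, server = (syn.src, syn.sport), (syn.dst, syn.dport)
    c2s = sum(s.payload for s in stream if (s.src, s.sport) == client)
    s2c = sum(s.payload for s in stream if (s.src, s.sport) == server)
    dfilter = (f"(ip.addr eq {client[0]} and ip.addr eq {server[0]}) and "
               f"(tcp.port eq {client[1]} and tcp.port eq {server[1]})")
    return {"client_to_server": c2s, "server_to_client": s2c,
            "total": c2s + s2c, "display_filter": dfilter}

# Constructed FTP session from the intranet to the DMZ host, plus one unrelated SSH segment.
CAPTURE = [
    Seg("192.168.75.5", 40002, "10.10.10.2", 21, "S"),
    Seg("10.10.10.2", 21, "192.168.75.5", 40002, "SA"),
    Seg("192.168.75.5", 40002, "10.10.10.2", 21, "A"),
    Seg("10.10.10.2", 21, "192.168.75.5", 40002, "PA", 20),     # server banner
    Seg("192.168.75.10", 40001, "192.168.75.15", 22, "PA", 48), # SSH, another stream
    Seg("192.168.75.5", 40002, "10.10.10.2", 21, "PA", 11),     # client command
    Seg("10.10.10.2", 21, "192.168.75.5", 40002, "PA", 33),     # server reply
]
```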

Display Filters:

  1. The ability to post-process packets, providing filtration

  2. Includes a GUI expression builder

  3. Ability to save display filters in profiles

 General Syntax:

  1. protocol.field search criteria

  a. ip.src == IP_ADDR - i.e. ip.src == 192.168.75.15

Note: 3 methods are available to define useful 'Display Filters':

 1. Manually

 2. Context menu in 'Packet List' view

 3. Using the expression builder

 1. tcp.port == 21

 2. udp.port == 53

 3. tcp.port == 80 - filters HTTP traffic based on port 80

 4. tcp.dstport == 21 - filters where destination port is equal to 21

Note: Display Filters can NOT be used to capture traffic

Ideal Data Capturing/Analysis Strategy:

 1. Define useful capture filters: i.e. using BPFs

 2. Apply capture filters to the utility: Snort, Snoop, TCPDump, WinDump, Ethereal

 3. Post-process data with Ethereal, using Display Filters

Statistics:

  1. Myriad statistics or views of the data listed in the 'Packet List' window

Summary:

 a. Provides myriad info. related to capture; i.e. filename, length, duration, etc.

Protocol Hierarchy Statistics:

 1. Represents OSI layers from 1(Physical) to 7(Application);

  Layer-1 - Frame

   Layer-2 - Ethernet

    Layer-3 - Internet Protocol

     Layer-4 - TCP | UDP

      Layers 5-7 - FTP | HTTP | etc. - Represents Packet Payload

Tethereal:

 Note: Execute 'tethereal' as 'root' to be able to capture data

 Note: 'root' access is NOT required to post-process data

 1. Ability to capture

 2. Ability to post-process (analyze) data

 3. Default behaviour is to capture data on the default 'eth0' interface

 4. Defaults to creating dump file (TCPDump-compliant) in '/tmp/ether*'

 1. tethereal - defaults to capturing data on 'eth0'

 2. tethereal -D - dumps usable interfaces

 3. tethereal -i interface_name - i.e. tethereal -i lo

 4. tethereal -w file_name - dumps data to file AND screen

 5. tethereal -c packet_count - captures n number of packets

 6. tethereal -f udp

 7. tethereal -r capture_file - reads supported capture file

 8. tethereal -r capture_file -R "display_filter" - reads supported capture file and post-processes using display filter

Intranet Snooping/Sniffing:

 Note: Switched traffic can only be intercepted if one of the following is true:

  1. Traffic is unicast - traffic to and from the sniffing box

  2. Traffic is broadcast - Switches flood broadcasts to all VLAN members

  3. Port mirroring/SPAN is enabled on the layer-2 switch - permits the copy of traffic from source(port or VLAN) to destination(port or VLAN)

  4. Hub

Configure port mirroring for 'eth1' on the SUSE10 box:

 Steps:

  1. Configure the interface to be up on the SUSE10 box

   a. ifup eth1 - brings interface up and makes it usable by programs (Snort/TCPDump/Ethereal)

   b. tcpdump -D OR tethereal -D or ethereal -D

Note: Configure 'eth1' and other sniffing interfaces to NOT use TCP/IP

  2. Confirm the configuration of the Cisco Router/Switch

   a. sh int status - returns interface status

   b. config t

   c. monitor session 1 source interface fa6 both

   d. monitor session 1 destination interface fa9

  3. Begin sniffing using - Ethereal, Snort, TCPDump, etc.

Internet Snooping/Sniffing:

Configure port mirroring for 'eth2' on the SUSE10 box:

   a. ifup eth2 - brings interface up and makes it usable by programs (Snort/TCPDump/Ethereal)

Note: Configure 'eth2' and other sniffing interfaces to NOT use TCP/IP

   c. monitor session 1 source interface fa2 both

   d. monitor session 1 destination interface fa8

Wireless Capturing - WLAN

 1. Support is included by indicating correct adapter

 2. wlan display filters provide reports

Note: 192.168.75.190 - is a dual-homed machine

 a. Wired connection - eth0 - 192.168.75.190

 b. Wireless connection - eth1 - unconfigured

ssh -X [email protected] - this will redirect X11 to our local system

ifup eth1 - brings the wireless interface eth1 up on the remote system

/etc/sysconfig/network - stores configuration files for NICs

iwconfig - displays and configures wireless interfaces

Ethereal Windows:

  1. Same features, for the most part, as Nix-based Ethereal

www.ethereal.com
