Document information
Pages: 60
Size: 5.5 MB
Content
Seminar Presentation: Network Protocol Analyzer
2017.07.06
Presenter: Ma Van Linh

Table of Contents
1. Overview of Network Analyzer
2. Wireshark
3. Wireshark – advanced features
4. Wireshark – case studies
5. Conclusion

Overview of Network Analyzer
1.1 What is a Network Protocol Analyzer?
• A packet analyzer (also known as a network analyzer, protocol analyzer or sniffer) is computer software or hardware that intercepts and logs traffic passing over a digital network or part of a network.
• A network sniffer is a program and/or device that monitors data travelling over a network. Sniffers are used both for legitimate network management and for stealing information off a network.

1.2 What is it used for?
• Analyze network problems
• Detect network intrusion attempts
• Gain information for effecting a network intrusion
• Monitor network usage
• Gather and report network statistics
• Filter suspect content from network traffic
• Spy on other network users and collect sensitive information such as passwords (depending on any content encryption that may be in use)
• Debug client/server communications
• Debug network protocol implementations

1.3 Protocols used on the network
Names of protocols | Importance | What it does
Ethernet, SLIP, PPP, Token Ring, ARCnet | Essential | Frames messages and carries them between physically connected stations (link layer)
IP, ICMP | Essential | IP moves packets between hosts across networks; ICMP reports errors and carries diagnostics
ARP | Essential | Maps a next-hop IP address to its link-layer (MAC) address, so the network layer can hand packets to the link layer
TCP, UDP | Critical | Transport between applications on different computers: TCP gives a reliable, ordered byte stream; UDP gives connectionless datagrams
DNS, RPC | Important | DNS translates host names to IP addresses (and the reverse); RPC lets a program invoke procedures on a remote computer
RARP, BOOTP, DHCP, IGMP, SNMP, RIP, OSPF, BGP, CIDR | Advanced | Address assignment, multicast, management and routing; enhance network management and add functionality
FTP, TFTP, SMTP, Telnet, NFS, ping, Rlogin | Useful | Provide direct services to the user

1.4 Network Analyzer Tools
• Wireshark (formerly known as Ethereal): a fantastic open source network protocol analyzer for Unix and Windows
• Snort: a network intrusion detection and prevention system that excels at traffic analysis on IP networks
• Netcat: a simple utility that reads and writes data across TCP or UDP network connections
• Tcpdump: the IP sniffer used before Ethereal (Wireshark) came on the scene; many of us continue to use it frequently
• Netfilter: a powerful packet filter implemented in the standard Linux kernel
• Capsa: an all-in-one, easy-to-use Ethernet network protocol analyzer for Windows platforms
• Other tools: Carnivore, dSniff, Clarified Analyzer, SoftPerfect, Snoop, NetScout, etc.

Wireshark
2.1 What is Wireshark?
• Wireshark is a network packet analyzer. A network packet analyzer captures network packets and displays the packet data in as much detail as possible.
• Think of a network packet analyzer as a measuring device for examining what is going on inside a network cable, just as an electrician uses a voltmeter to examine what is going on inside an electric cable (at a higher level, of course).
• In the past, such tools were very expensive, proprietary, or both. With the advent of Wireshark, all that has changed.
• Wireshark is perhaps one of the best open source packet analyzers available today.

2.2 People use Wireshark for
• Network administrators use it to troubleshoot network problems
• Network security engineers use it to examine security problems
• Developers use it to debug protocol implementations
• People use it to learn network protocol internals
Besides these examples, Wireshark can be helpful in many other situations too.

2.3 Features (1)
• Available for UNIX and Windows
• Capture live packet data from a network interface
• Display packets with very detailed protocol information
• Open and save captured packet data
• Import and export packet data from and to many other capture programs
• Filter packets on many criteria
• Search for packets on many criteria
• Colorize the packet display based on filters
• Create various statistics

2.3 Features (2)
• Live capture from many different network media
  - Wireshark can capture traffic from many different network media types, including wireless LAN. Which media types are supported depends on many things, such as the operating system you are using.
• Import files from many other capture programs
  - Wireshark can open packets captured by a large number of other capture programs.
• Export files for many other capture programs
  - Wireshark can save captured packets in the formats of a large number of other capture programs.
• Open Source Software
  - Wireshark is an open source software project released under the GNU General Public License (GPL). You can freely use Wireshark on any number of computers without worrying about license keys or fees, and all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins or built into the source, and they often do!
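What "display packets with very detailed protocol information" and "filter packets on many criteria" mean in practice is easiest to see in a tiny analyzer of our own. The following Python is an added example written for this seminar write-up; it is not Wireshark's code. It builds a small pcap file in memory from constructed Ethernet/IPv4/TCP frames (the addresses 10.0.0.5, 10.0.0.7 and 10.0.0.9 and the HTTP payloads are made up), dissects each frame the way Wireshark's Packet Details pane does, renders the Packet Bytes pane as a hex dump, and applies the same selection as the display filter `ip.addr == A && ip.addr == B` used in the "Filter Traffic Between Hosts" slide. Checksums are left at zero because nothing here validates them.

```python
"""Minimal packet analyzer: dissect a pcap and apply a Wireshark-style host filter.

Added example for this write-up, not Wireshark's code. The capture below is
constructed in memory (it is not a real trace).
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap with microsecond timestamps


def build_frame(src_ip, dst_ip, sport, dport, seq, payload, flags=0x18):
    """Build an Ethernet/IPv4/TCP frame (constructed sample; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # EtherType IPv4
    return eth + ip + tcp


def build_pcap(frames):
    """Serialize (timestamp, frame) pairs into a pcap byte string (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def dissect_pcap(data):
    """Walk pcap records and dissect Ethernet -> IPv4 -> TCP/UDP; returns the packet list.

    Field names mirror Wireshark display-filter fields (ip.src, tcp.dstport, ...).
    """
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        pkt = {"time": sec + usec / 1e6, "bytes": frame}
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4: leave undissected
            packets.append(pkt)
            continue
        ihl = (frame[14] & 0x0F) * 4
        pkt["ip.src"] = socket.inet_ntoa(frame[26:30])
        pkt["ip.dst"] = socket.inet_ntoa(frame[30:34])
        pkt["ip.proto"] = frame[23]
        l4 = 14 + ihl
        if pkt["ip.proto"] == 6 and len(frame) >= l4 + 20:
            sport, dport, seq, _ack, off_flags, flags = struct.unpack_from("!HHIIBB", frame, l4)
            doff = (off_flags >> 4) * 4
            pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                        "tcp.flags": flags, "tcp.len": len(frame) - l4 - doff})
        elif pkt["ip.proto"] == 17 and len(frame) >= l4 + 8:
            sport, dport, ulen = struct.unpack_from("!HHH", frame, l4)
            pkt.update({"udp.srcport": sport, "udp.dstport": dport, "udp.length": ulen})
        packets.append(pkt)
    return packets


def filter_between_hosts(packets, host_a, host_b):
    """Equivalent of the display filter `ip.addr == host_a && ip.addr == host_b`."""
    pair = {host_a, host_b}
    return [p for p in packets if {p.get("ip.src"), p.get("ip.dst")} == pair]


def hexdump(data, width=16):
    """Render bytes the way the Packet Bytes pane does: offset, hex, printable ASCII."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %-*s  %s" % (i, width * 3 - 1, hexpart, asc))
    return "\n".join(lines)


# Constructed sample capture: 10.0.0.5 talks to 10.0.0.9, plus one unrelated packet from 10.0.0.7.
SAMPLE_PCAP = build_pcap([
    (1.000000, build_frame("10.0.0.5", "10.0.0.9", 40000, 80, 1000, b"GET / HTTP/1.0\r\n\r\n")),
    (1.020000, build_frame("10.0.0.9", "10.0.0.5", 80, 40000, 5000, b"HTTP/1.0 200 OK\r\n")),
    (1.050000, build_frame("10.0.0.7", "10.0.0.9", 40001, 80, 1, b"")),
])

if __name__ == "__main__":
    pkts = dissect_pcap(SAMPLE_PCAP)
    for n, p in enumerate(filter_between_hosts(pkts, "10.0.0.5", "10.0.0.9"), 1):
        print(n, p["time"], p["ip.src"], "->", p["ip.dst"], "tcp.len", p["tcp.len"])
    print(hexdump(pkts[0]["bytes"]))
```

Running it lists the two packets of the 10.0.0.5/10.0.0.9 conversation and drops the third, exactly what the two-host display filter does in Wireshark; the hex dump of the first frame is what you would see in the bottom pane. The dissector only understands the pcap, Ethernet, IPv4, TCP and UDP layouts it needs, which is the point: Wireshark's value is in the thousands of dissectors that do this for every protocol in section 1.3.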
Wireshark 2.7 How to use Wireshark? (3)
• Capture Packet: Packet List, Packet Details, Packet Bytes
Wireshark 2.7 How to use Wireshark? (4)
• TCP Packet Example
Wireshark 2.7 How to use Wireshark? (5)
… Opened
Wireshark 2.7 How to use Wireshark? (6)
• Statistics => Flow Graph…
Wireshark 2.7 How to use Wireshark? (7)
• Statistics => Flow Graph…
Wireshark 2.7 How to use Wireshark?
…
Wireshark 2.7 How to use Wireshark? (9)
• Display Filters
Wireshark 2.7 How to use Wireshark? (10)
• Example – Filter Traffic Between Hosts
Wireshark 2.7 How to use Wireshark?
…

Wireshark – advanced features
3.5 Time / Sequence Graph (Stevens) (1)
• The Time/Sequence graph shows how the TCP sequence number advances with time
• In a good connection (as in the example) the line is linear
• The slope of the line indicates the throughput of the connection; in this example, a fast connection

3.5 Time / Sequence Graph (Stevens) (2)
• In this case we see a noncontiguous graph
• This can be due to:
  - Severe packet loss
  - Server response (processing) time

3.6 Example – Stable Performance File Transfer (1)
3.6 Example – Stable Performance File Transfer (2)
• A stable throughput of around 1 MB/s (8 Mb/s)
• Check this in parallel against the channel capacity reported by an SNMP tool

3.6 Example – Non-Stable Performance Mail Transfer (1)
3.6 Example – Non-Stable Performance Mail Transfer (2)
• Something happened here (after ~5.25 seconds)
3.6 Example – Non-Stable Performance Mail Transfer (3)
• 5.25 seconds after the start of the stream we see no connectivity problems, so the cause is probably a slow server/application

3.6 RTP Connectivity
• Stable stream bandwidth

Wireshark – case studies
4.1 Slow Application (Analyze => Expert Info) (1)
4.1 Slow Application (Analyze => Expert Info) (2)
• Something here stinks …
4.1 Slow Application (Analyze => Expert Info) (3)
• Oops … nearly no events over here …
4.1 Slow Application (Analyze => Expert Info) (4)
• Interactive open/close read/write application. This is what it requires from the network …

Conclusion
• Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of what you can do with it
• Professionals use it to debug network protocol implementations, examine security problems and inspect network protocol internals

Q&A
Thank You
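The reasoning behind the Time/Sequence slides (3.5), the throughput reading in 3.6 and the "slow application, not slow network" verdict in 4.1 can be made mechanical. The Python below is an added example for this write-up, not Wireshark's code: given the data segments a capture shows for one TCP stream, it recovers the slope of the Stevens graph (unique bytes over elapsed time, i.e. throughput), flags retransmissions the way Wireshark's heuristic does (a segment whose sequence number falls below the highest byte already sent), finds the breaks that make the graph noncontiguous, and attributes each break either to packet loss (the gap ends with a retransmission) or to server processing time (a client request sat unanswered and nothing was lost). The stream, the MSS of 1460 bytes and the 10 ms RTT are constructed; in a real capture the RTT would come from the SYN/SYN-ACK exchange.

```python
"""Reading a TCP Time/Sequence (Stevens) graph numerically.

Added example for this write-up, not Wireshark's code. The segments below are
constructed, not a real capture.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    time: float      # capture timestamp in seconds
    direction: str   # 'S' = server -> client (the graphed data), 'C' = client -> server
    seq: int         # TCP sequence number of the first payload byte
    length: int      # payload bytes


def stevens_points(segments):
    """(time, relative sequence) points for the server's data, as the graph plots them."""
    srv = [s for s in segments if s.direction == "S" and s.length > 0]
    base = srv[0].seq if srv else 0
    return [(s.time, s.seq - base) for s in srv]


def find_retransmissions(segments):
    """Wireshark-style heuristic: a data segment whose seq is below the highest byte
    already seen from that sender is a retransmission (or a reordered segment)."""
    max_end, retx = None, []
    for s in segments:
        if s.direction != "S" or s.length == 0:
            continue
        if max_end is not None and s.seq < max_end:
            retx.append(s)
        else:
            max_end = s.seq + s.length
    return retx


def analyze_stream(segments, rtt, stall_factor=10):
    """Throughput from the graph's slope plus classified stalls.

    A gap between consecutive server segments longer than stall_factor * rtt is a
    stall (the noncontiguous graph of slide 3.5). rtt is assumed to be measured
    from the handshake in the same capture.
    """
    segments = sorted(segments, key=lambda s: s.time)
    srv = [s for s in segments if s.direction == "S" and s.length > 0]
    retx = {id(s) for s in find_retransmissions(segments)}
    first_seq = srv[0].seq
    max_end = max(s.seq + s.length for s in srv)
    duration = srv[-1].time - srv[0].time
    result = {
        "bytes": max_end - first_seq,   # unique bytes; retransmitted bytes are not counted twice
        "throughput_Bps": (max_end - first_seq) / duration if duration > 0 else 0.0,
        "retransmissions": len(retx),
        "stalls": [],
    }
    threshold = stall_factor * rtt
    for prev, cur in zip(srv, srv[1:]):
        gap = cur.time - prev.time
        if gap <= threshold:
            continue
        client_asked = any(s.direction == "C" and s.length > 0 and prev.time < s.time < cur.time
                           for s in segments)
        if id(cur) in retx:
            cause = "packet loss (gap ends with a retransmission)"
        elif client_asked:
            cause = "server processing time (client request waited, no loss)"
        else:
            cause = "sender idle (application had nothing to send)"
        result["stalls"].append({"start": prev.time, "end": cur.time, "gap": gap, "cause": cause})
    return result


MSS = 1460  # assumed maximum segment size for the constructed stream


def constructed_stream():
    """Constructed sample: 13 segments 10 ms apart, a 230 ms pause that ends with a
    retransmission of segment 10, 10 more segments, a client request, then 550 ms of
    silence before the server answers."""
    segs = [Segment(0.01 * i, "S", 1 + i * MSS, MSS) for i in range(13)]                 # 0.00 .. 0.12 s
    segs.append(Segment(0.35, "S", 1 + 10 * MSS, MSS))                                     # retransmit #10
    segs += [Segment(0.36 + 0.01 * k, "S", 1 + (13 + k) * MSS, MSS) for k in range(10)]   # 0.36 .. 0.45 s
    segs.append(Segment(0.50, "C", 900, 100))                                              # client request
    segs += [Segment(1.00 + 0.01 * k, "S", 1 + (23 + k) * MSS, MSS) for k in range(3)]    # 1.00 .. 1.02 s
    return segs


if __name__ == "__main__":
    r = analyze_stream(constructed_stream(), rtt=0.01)
    print("throughput %.0f B/s, %d retransmission(s)" % (r["throughput_Bps"], r["retransmissions"]))
    for st in r["stalls"]:
        print("stall %.2f-%.2f s: %s" % (st["start"], st["end"], st["cause"]))
```

On the constructed stream the first break is diagnosed as loss, because the segment that ends it carries a sequence number the graph had already passed, and the second as server processing time, because the client asked for something at 0.50 s and the server sent nothing for half a second with no retransmission in sight. That second pattern is the one the 4.1 case study shows: Expert Info is almost empty, the network is not the bottleneck, and the interactive open/close read/write application is simply waiting on itself.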