
Wednesday, 19 February 2020

Wireshark Series: Part 3- TCP and UDP


• Transmission Control Protocol (TCP):

○ TCP makes sure that the data reaches its destination in a reliable manner
○ TCP sends data between ports, which range from 0 to 65535
§ Ports from 1 to 1023 are called Standard Ports, for example port 80 for HTTP
§ Ports 1024 to 65535 are called ephemeral ports. These are randomly selected when a device needs to find an open port. Both the destination and the client need to know which port the other one is listening on to be able to transmit data between them
○ TCP communications start with a handshake to ensure that both source and destination are up and ready to communicate. It checks that the port is open and sends the sequence number so that the data is delivered reliably.
○ To establish a TCP session, the sending and receiving TCP applications use a process called the three-way handshake.
STEP 1 - The sender sends a SYN packet to begin establishing the session, then waits for a reply.
STEP 2 - The receiver replies with an ACK packet to acknowledge the SYN it received and also sends a SYN packet.
STEP 3 - The sender sends an ACK to acknowledge receipt of the SYN from the receiver.
The connection is now set up and data transfer can commence.
○ To terminate a connection, you can do it the graceful way, which is a four-way process. Let's assume that the sender is finished with data transmission and now wants to end the session, similar to logging off an application.
STEP 1 - The sender sends a FIN packet and waits for a reply
STEP 2 - The receiver sends an ACK packet
STEP 3 - The receiver also sends a FIN packet
STEP 4 - The sender sends an ACK packet and the session is closed.
○ You can also do an abrupt termination by just sending a RST packet from either side, and the session ends abruptly. For example, if you are using telnet, CTRL-D will send a RST to close the session.
○ In Wireshark (the screenshot of the TCP header is not reproduced here), the fields appear in this order:
§ First, we see the Source Port, which was used to transmit the packet
§ Second, we have the Destination Port, to which the packet will be transmitted
§ Next, we have the Sequence Number. It makes sure that none of the TCP segments are missing, and it shows the current segment number
§ The Acknowledgement Number is the sequence number expected in the next packet from the other side
§ Flags come after this, and they can be:
□ URG for Urgent
□ ACK for Acknowledgement
□ PSH for Push
□ RST for Reset. If the connection is halted all of a sudden by accident, then TCP will reset the connection and stop all communications
□ SYN, used when establishing a connection
□ FIN for Finished
(Here, we have a FIN, ACK packet, so we know that this is a packet that includes an acknowledgement. Also, because FIN=1, it is also a finishing packet)
§ Below the Flags, we have the Window Size. Window Size is the size of the TCP receiver buffer (in bytes).
§ After that, we have the Checksum

• User Datagram Protocol (UDP):
○ It is a connectionless protocol used for faster transmissions
○ It does not have a start handshake and a teardown handshake like TCP does. Because of this, it lets other protocols transfer data at a much faster pace
○ In Wireshark (screenshot not reproduced here),
§ It is a very small packet
○ It has 4 parts:
§ Source Port (here: 33233)
§ Destination port (here: 59329)
§ Length (in bytes)
§ Checksum
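To tie the TCP and UDP field lists above to real bytes, here is an added example (my own code, not from the blog or from Wireshark) that decodes the 20-byte TCP header and the 8-byte UDP header in the order Wireshark displays them, names the flags the way Wireshark prints them ("SYN, ACK", "FIN, ACK"), and then classifies a whole conversation: did the three-way handshake complete, and was the session closed with the four-step FIN exchange, with a RST, or not at all. The packets are constructed in the block (client port 49152, server port 80, checksums left at zero) and the UDP sample reuses the two port numbers quoted in the post; none of this is captured traffic.

```python
import struct

# TCP flag bits, lowest bit first: the order Wireshark uses when it prints
# a flag summary such as "[SYN, ACK]" or "[FIN, ACK]".
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def flag_names(flags):
    """Turn the flags field into the list of names Wireshark shows."""
    return [name for bit, name in TCP_FLAG_BITS if flags & bit]


def parse_tcp_header(segment):
    """Decode the fixed 20-byte TCP header; keys follow the field order seen in Wireshark."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_flags, window, checksum, urgent = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4          # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flag_names(off_flags & 0x01FF),
            "window": window, "checksum": checksum, "urgent_pointer": urgent,
            "payload": segment[header_len:]}


def parse_udp_header(datagram):
    """Decode the 8-byte UDP header: source port, destination port, length, checksum."""
    if len(datagram) < 8:
        raise ValueError("UDP header needs 8 bytes")
    src, dst, length, checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("UDP length field does not fit the datagram")
    return {"src_port": src, "dst_port": dst, "length": length,
            "checksum": checksum, "payload": datagram[8:length]}


def build_tcp(src, dst, seq, ack, flags, window=65535, payload=b""):
    """Construct a minimal TCP segment for the samples below (checksum left at 0)."""
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, (5 << 12) | flags, window, 0, 0) + payload


def summarize_session(segments):
    """Classify a captured conversation: did the three-way handshake complete, and was
    the session closed gracefully (FIN from both sides), by a RST, or not at all."""
    flags = [set(parse_tcp_header(s)["flags"]) for s in segments]
    handshake = (len(flags) >= 3 and flags[0] == {"SYN"} and flags[1] == {"SYN", "ACK"}
                 and "ACK" in flags[2] and "SYN" not in flags[2])
    if any("RST" in f for f in flags):
        close = "reset"
    elif sum("FIN" in f for f in flags) >= 2:
        close = "graceful"
    else:
        close = "open"
    return {"handshake": handshake, "close": close}


CLIENT, SERVER = 49152, 80   # constructed: an ephemeral client port talking to HTTP

# Constructed sample: handshake, one request, then the four-step graceful close.
GRACEFUL_SESSION = [
    build_tcp(CLIENT, SERVER, 1000, 0, SYN),                 # handshake step 1
    build_tcp(SERVER, CLIENT, 5000, 1001, SYN | ACK),        # handshake step 2
    build_tcp(CLIENT, SERVER, 1001, 5001, ACK),              # handshake step 3
    build_tcp(CLIENT, SERVER, 1001, 5001, PSH | ACK, payload=b"GET / HTTP/1.0\r\n\r\n"),
    build_tcp(SERVER, CLIENT, 5001, 1019, ACK),              # the 18 payload bytes acknowledged
    build_tcp(CLIENT, SERVER, 1019, 5001, FIN | ACK),        # close step 1
    build_tcp(SERVER, CLIENT, 5001, 1020, ACK),              # close step 2
    build_tcp(SERVER, CLIENT, 5001, 1020, FIN | ACK),        # close step 3
    build_tcp(CLIENT, SERVER, 1020, 5002, ACK),              # close step 4
]

# Constructed sample: the same handshake torn down abruptly with a RST.
RESET_SESSION = GRACEFUL_SESSION[:3] + [build_tcp(SERVER, CLIENT, 5001, 1001, RST | ACK)]

# Constructed UDP datagram using the two ports quoted in the post and a 4-byte payload.
SAMPLE_UDP = struct.pack("!HHHH", 33233, 59329, 12, 0) + b"ping"

if __name__ == "__main__":
    for seg in GRACEFUL_SESSION:
        h = parse_tcp_header(seg)
        print(h["src_port"], "->", h["dst_port"], h["flags"], "seq", h["seq"], "ack", h["ack"])
    print(summarize_session(GRACEFUL_SESSION), summarize_session(RESET_SESSION))
    print(parse_udp_header(SAMPLE_UDP))
```

Note that the FIN segment consumes one sequence number, which is why the ACK that answers it is one higher than the last data byte acknowledged; a session summary that shows a handshake but a "reset" close is the kind of conversation worth opening in Wireshark to see which side sent the RST.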


Wednesday, 12 February 2020

WireShark Series: Part 2- ARP and IP

• Address Resolution Protocol (ARP):
○ First, in order to send TCP/IP traffic, the computer sends out an ARP request
○ It means the computer wants to send to another IP address but doesn't know the MAC address. The other computer will respond with its MAC address
○ ARP is sent as a broadcast.
○ The ARP format is as below:
§ Hardware Type: Ethernet is type 1
§ Protocol Type: This could be IPv4, which is listed as 0x0800
§ Hardware Address Length: This is 6 for Ethernet
§ Protocol Address Length: This is 4 for IPv4
§ Operation: Tells the operation that the sender is doing. 1 stands for ARP request and 2 stands for ARP reply
§ Then, we have the sender's hardware address and protocol address
§ Lastly, we have the target's hardware and protocol address
○ In Wireshark (screenshot not reproduced here),
§ We will see that the MAC address listed under Target MAC is a bunch of zeros, since the sender doesn't know the MAC and is asking for it using an ARP request (operation 1)
○ ARP helps resolve the MAC address so that we can then go on to the next layer
○ It is a Layer 2 protocol, but it carries Layer 3 information (the IP address)
○ Each device has an ARP table, and both the source and destination will add each other as an ARP table entry
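As an added example (my own code, not from the blog), the ARP format listed above can be decoded field by field: the 8-byte fixed part (hardware type 1, protocol type 0x0800, lengths 6 and 4, operation 1 or 2) followed by the sender and target hardware and protocol addresses. The parser also flags the all-zero target MAC that marks a request, and a small ARP table learns the sender of every request and reply, the way the post says both ends populate their tables. The request and reply are constructed in the block with made-up MACs and addresses in 192.168.1.0/24; only Ethernet/IPv4 ARP is handled.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ZERO_MAC = "00:00:00:00:00:00"


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def ip_bytes(text):
    return bytes(int(part) for part in text.split("."))


def build_arp(operation, sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet/IPv4 ARP message: the 8-byte fixed part, then the four addresses."""
    return (struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, operation)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))


def parse_arp(data):
    """Decode an ARP message in the field order the post lists; only Ethernet/IPv4 is handled."""
    if len(data) < 8:
        raise ValueError("ARP message too short")
    htype, ptype, hlen, plen, operation = struct.unpack("!HHBBH", data[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP (htype 1, ptype 0x0800, hlen 6, plen 4) is handled")
    if len(data) < 8 + 2 * (hlen + plen):
        raise ValueError("ARP message truncated")
    sha, spa, tha, tpa = data[8:14], data[14:18], data[18:24], data[24:28]
    return {"hardware_type": htype, "protocol_type": ptype, "hw_len": hlen, "proto_len": plen,
            "operation": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(operation, operation),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
            # In a request the target MAC is all zeros: that is the address being asked for.
            "target_mac_unknown": mac_str(tha) == ZERO_MAC}


class ArpTable:
    """A per-device IP -> MAC table, learned from the sender fields of requests and replies."""

    def __init__(self):
        self.entries = {}

    def learn(self, arp):
        """Record the sender. Returns the previous MAC when an existing entry changes
        (an IP whose MAC flips is worth a closer look in the capture), otherwise None."""
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        previous = self.entries.get(ip)
        self.entries[ip] = mac
        return previous if previous not in (None, mac) else None


def learn_exchange(messages):
    """Feed raw ARP messages through one table; returns (entries, IPs whose MAC changed)."""
    table, changed = ArpTable(), []
    for raw in messages:
        arp = parse_arp(raw)
        if table.learn(arp) is not None:
            changed.append(arp["sender_ip"])
    return table.entries, changed


# Constructed sample exchange: host .10 asks who has .20 (target MAC zeroed), and .20 answers.
REQUEST = build_arp(ARP_REQUEST, "aa:bb:cc:00:00:01", "192.168.1.10", ZERO_MAC, "192.168.1.20")
REPLY = build_arp(ARP_REPLY, "aa:bb:cc:00:00:02", "192.168.1.20", "aa:bb:cc:00:00:01", "192.168.1.10")

if __name__ == "__main__":
    print(parse_arp(REQUEST))
    print(parse_arp(REPLY))
    print(learn_exchange([REQUEST, REPLY]))
```

The table's return value is the practical part: when a later reply claims a different MAC for an IP already in the table, `learn_exchange` reports that IP, which is exactly the kind of inconsistency to filter for with `arp` in Wireshark and inspect by hand.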
• Internet Protocol:
○ We can also denote the IP address and netmask using CIDR notation (CIDR = Classless Inter-Domain Routing)
○ For eg., 192.168.0.1 with a netmask of 255.255.0.0 can be represented in CIDR notation as 192.168.0.1/16
○ In Wireshark (screenshot not reproduced here),
§ Use the IPv4 packet format that we saw previously
§ IP version is 4
§ IP header length is 20 (here: no options and no padding)
§ Total length is 40 (header + data)
§ ID is the identification number of this packet (here: 18242), so we know exactly which packet we are looking at
§ Flags are used if the packet is part of a larger sequence of fragments
§ Here, Don't Fragment = 1, meaning the packet is not to be split, so there are no other fragments.
§ TTL (Time to Live) here is 128. It is used to prevent the packet from looping around and around on the internet
§ Protocol for this packet is TCP
§ Then we have the Source IP, Destination IP and any Options
○ The fragment size depends upon the MTU (Maximum Transmission Unit) of the layer-2 protocol. For eg., if we use Ethernet, the maximum packet size is 1500 bytes, so IP fragmentation would occur if the IP packet was over 1500 bytes.
§ In the above example, we see that More Fragments is set to 0 since there are no other fragments. In a series of fragments, the last one also has this value set to zero, because no more fragments come after it
§ The Fragment Offset tells where this fragment falls in the series
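Added example (my own code, not the blog's) covering the IPv4 points above: it decodes the 20-byte header in the order Wireshark shows it, verifies the header checksum, tests CIDR membership for the 192.168.0.1/16 style of notation, and then fragments a packet that is larger than an Ethernet MTU of 1500 bytes the way a router would, setting More Fragments on every piece but the last and filling in the Fragment Offset in 8-byte units. The sample packet reuses the values quoted in the post (header length 20, total length 40, ID 18242, DF set, TTL 128, TCP); the addresses and the 3000-byte payload are constructed.

```python
import ipaddress
import struct

IP_FLAG_DF, IP_FLAG_MF = 0x2, 0x1           # flag bits: Don't Fragment and More Fragments
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
HEADER_FMT = "!BBHHHBBH4s4s"                # 20-byte header without options


def internet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; a header with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, ident, ttl=128, proto=6, df=True, mf=False, frag_offset=0):
    """Construct an IPv4 packet with a 20-byte header and a correct header checksum."""
    flags = (IP_FLAG_DF if df else 0) | (IP_FLAG_MF if mf else 0)
    header = struct.pack(HEADER_FMT, 0x45, 0, 20 + len(payload), ident, (flags << 13) | frag_offset,
                         ttl, proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:] + payload


def parse_ipv4(packet):
    """Decode the header fields in the order Wireshark shows them and verify the checksum."""
    if len(packet) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, checksum, src, dst = struct.unpack(HEADER_FMT, packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or total_len < header_len or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if internet_checksum(packet[:header_len]) != 0:
        raise ValueError("IPv4 header checksum does not verify")
    flags = flags_frag >> 13
    return {"version": 4, "header_len": header_len, "total_len": total_len, "id": ident,
            "df": bool(flags & IP_FLAG_DF), "mf": bool(flags & IP_FLAG_MF),
            "frag_offset": flags_frag & 0x1FFF, "ttl": ttl,
            "proto_num": proto, "protocol": PROTO_NAMES.get(proto, str(proto)),
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "payload": packet[header_len:total_len]}


def fragment(packet, mtu):
    """Split an unfragmented IPv4 packet for a link with the given MTU, as a router would.
    Every fragment but the last carries More Fragments = 1; offsets are in 8-byte units."""
    hdr = parse_ipv4(packet)
    if hdr["total_len"] <= mtu:
        return [packet]
    if hdr["df"]:
        raise ValueError("Don't Fragment is set: the packet must be dropped instead")
    payload, chunk = hdr["payload"], (mtu - 20) // 8 * 8   # payload per fragment, multiple of 8
    fragments = []
    for offset in range(0, len(payload), chunk):
        piece = payload[offset:offset + chunk]
        last = offset + chunk >= len(payload)
        fragments.append(build_ipv4(hdr["src"], hdr["dst"], piece, hdr["id"], ttl=hdr["ttl"],
                                    proto=hdr["proto_num"], df=False, mf=not last, frag_offset=offset // 8))
    return fragments


def reassemble(fragments):
    """Put the payload back together in offset order (all fragments assumed present)."""
    ordered = sorted((parse_ipv4(f) for f in fragments), key=lambda h: h["frag_offset"])
    return b"".join(h["payload"] for h in ordered)


def in_network(ip, cidr):
    """CIDR membership test; strict=False accepts the host form such as 192.168.0.1/16."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


# Constructed sample with the values quoted in the post: header 20, total 40, ID 18242, DF, TTL 128, TCP.
SAMPLE = build_ipv4("192.168.0.1", "192.168.0.2", bytes(20), ident=18242)
# Constructed 3000-byte payload that does not fit an Ethernet MTU of 1500 and may be fragmented.
BIG = build_ipv4("192.168.0.1", "10.0.0.1", bytes(range(256)) * 11 + bytes(184), ident=4242, df=False)

if __name__ == "__main__":
    print(parse_ipv4(SAMPLE))
    for frag in fragment(BIG, 1500):
        h = parse_ipv4(frag)
        print("id", h["id"], "len", h["total_len"], "MF", h["mf"], "offset", h["frag_offset"])
    print(in_network("192.168.0.1", "192.168.0.0/16"))
```

The checksum check is what separates a parser from a pretty-printer: Wireshark marks a header whose checksum does not verify, and the same test here rejects a packet whose length or flags bytes were altered in transit.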

Tuesday, 4 February 2020

WireShark Series: Part 1- Getting Started, Filters, Expressions, Graphs

  • We can get already available captures using Tools -> Sample captures

  • To see the OSI layers, go to Statistics -> Protocol Hierarchy
    • Here, we see the protocols, and based on the protocols we can tell the layers
    • If there is an error in any protocol, we can find it out here
    • Frame (Physical), then Ethernet (Data link), then Internet Protocol (Network), then TCP (Transport), then SSL (Session) and HTTP (Application layer)

  • Wireshark Filters
    • Capture -> Filters
    • These will filter only those specific packets

  • BPF Filters
    • Capture -> Capture Options
    • Next to "Capture Filters", we will have "Compile Selected BPFs"
    • BPF stands for "Berkeley Packet Filter"
    • It is the expression syntax that is used for filtering

  • Expressions
    • We need a qualifier and an ID
    • For eg: wlan.address == b4:52:7e:62:6c:4d . Here, the first part is the qualifier and the second part is the ID
    • Operators can be &&, || or just !
      • && means AND
      • || means OR
      • ! means NOT (for "not equal to", use !=)
    • Qualifiers can be:
      • TYPE, which would be HOST, NET or PORT. These identify what the ID refers to.
      • DIR, which is the direction and tells whether the transfer is going to or from the ID. This can be either the source SRC or destination DST
      • PROTO, which is the protocol. This could be HTTP, TCP, UDP or FTP. It restricts the ID to that particular protocol
    • A cheat sheet lists all the different expressions we can use, as well as the operators and logic:
packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
  • For eg,
ip.src == 10.73.31.59 && tcp.port == 80
  • Here, the ip qualifier tells us that the type is an IP address
  • src tells the direction: it is the source
  • 10.73.31.59 is the ID. So, we know that we are looking for a source that equals this IP address
  • && tells us that we also include the next expression while filtering
  • tcp is the type and port tells us the port ID, 80

  • Expressions Examples
    • ip addresses 
      • ip.src == 96.17.148.161 means we are looking for the given source IP address
      • ip.src_host == 96.17.148.161 gives the same output as above and means we are looking for source hosts that have the given IP address
      • ip.addr == 96.17.148.161 means we are looking for the given IP address, not only as source but also as destination
      • ip.dst == 96.17.148.161 or ip.dst_host == 96.17.148.161 means we are looking for the given destination IP address
      • For IPv6 addresses, we need to use ipv6.addr == ...
      • We can also filter packets by DNS host name: type ip.host == nameofthehost.
      • Now try ip.addr == 192.168.1.0/24 and this will show anything on that network within that range.
      • We can also filter by protocol, using ip or http or udp directly. If we want to search by more than one protocol at a time, we can use &&, for eg, udp && http. Or we can use udp || http
      • ip.dst != 10.73.31.59 gives IP addresses not equal to the given one
    • We can also use the "Expression" box next to the filter box to get the possible options directly, and we can choose from that if we don't remember the syntax
    • We can also use the "Save" button next to the filter box to bookmark the filter and use it instead of having to type it out again
    • Instead of using the "Save" option, we can also save the command as a permanent filter using Edit -> New Filter. Thus, we can directly type the new filter name in the filter box whenever we want to use that filter
    • We can also filter by packet size using frame.len <= 128, and we will get packets of 128 bytes or less
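To make the qualifier / operator / ID structure of these expressions concrete, here is an added example (my own code, not from the blog or from Wireshark itself) that parses the subset of display-filter syntax used in this post (&&, ||, !, parentheses, ==, !=, <, <=, >, >=, bare protocol names, CIDR ranges) and runs it over a handful of constructed packet summaries. It follows Wireshark's convention that ip.addr matches either end of a packet and tcp.port either port, and it treats != as "no value equals the ID" (i.e. !(field == value)); a field a packet does not have never matches. The packet summaries, ports and the 192.168.1.0/24 hosts are made up for the example; the two public IP addresses are the ones the post uses.

```python
import ipaddress
import re

# Tokens: parentheses, logic/comparison operators, then bare words (fields, protocols, IPs, CIDRs, numbers).
TOKEN = re.compile(r"\(|\)|&&|\|\||!=|==|<=|>=|<|>|!|[A-Za-z0-9_.:/]+")
COMPARE_OPS = {"==", "!=", "<", "<=", ">", ">="}
# Names that stand for several fields, as in Wireshark: ip.addr is either end, tcp.port either port.
DERIVED = {"ip.addr": ("ip.src", "ip.dst"), "ipv6.addr": ("ipv6.src", "ipv6.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport"), "udp.port": ("udp.srcport", "udp.dstport")}

def field_values(packet, name):
    return [packet[n] for n in DERIVED.get(name, (name,)) if n in packet]

def value_matches(actual, op, wanted):
    """Compare one field value with the ID literal from the filter."""
    if isinstance(actual, int):
        wanted = int(wanted)
        return {"==": actual == wanted, "<": actual < wanted, "<=": actual <= wanted,
                ">": actual > wanted, ">=": actual >= wanted}[op]
    if "/" in wanted:  # CIDR literal such as 192.168.1.0/24
        return op == "==" and ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    return op == "==" and actual == wanted

def eval_comparison(packet, field, op, wanted):
    values = field_values(packet, field)
    if not values:  # a field the packet does not have never matches, not even with !=
        return False
    if op == "!=":  # taken to mean "no value equals the ID", i.e. !(field == value)
        return not any(value_matches(v, "==", wanted) for v in values)
    return any(value_matches(v, op, wanted) for v in values)

def parse_filter(text):
    """Recursive-descent parser for the subset of filter syntax used in the post."""
    tokens, pos = TOKEN.findall(text), [0]
    if "".join(tokens) != "".join(text.split()):  # something other than whitespace was skipped
        raise ValueError("filter contains characters the tokenizer does not understand")
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None
    def take():
        if pos[0] >= len(tokens):
            raise ValueError("filter ended unexpectedly")
        pos[0] += 1
        return tokens[pos[0] - 1]
    def chain(kind, symbol, operand):  # left-associative run of one binary operator
        node = operand()
        while peek() == symbol:
            take()
            node = (kind, node, operand())
        return node
    def expr_or():
        return chain("or", "||", expr_and)
    def expr_and():
        return chain("and", "&&", expr_not)
    def expr_not():  # '!' binds tighter than && and ||
        if peek() == "!":
            take()
            return ("not", expr_not())
        return atom()
    def atom():
        token = take()
        if token == "(":
            node = expr_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if peek() in COMPARE_OPS:  # qualifier, operator, ID
            return ("cmp", token, take(), take())
        return ("proto", token)  # a bare protocol name such as tcp or http
    tree = expr_or()
    if pos[0] != len(tokens):
        raise ValueError("unexpected token %r" % tokens[pos[0]])
    return tree

def matches(node, packet):
    kind, *args = node
    if kind == "cmp":
        return eval_comparison(packet, *args)
    if kind == "proto":
        return args[0] in packet["proto"]
    results = [matches(child, packet) for child in args]
    return {"or": any, "and": all, "not": lambda r: not r[0]}[kind](results)

PACKETS = [  # constructed packet summaries standing in for a capture; no real traffic was used
    {"proto": {"eth", "ip", "tcp", "http"}, "ip.src": "10.73.31.59", "ip.dst": "96.17.148.161",
     "tcp.srcport": 51000, "tcp.dstport": 80, "frame.len": 512},
    {"proto": {"eth", "ip", "tcp"}, "ip.src": "96.17.148.161", "ip.dst": "10.73.31.59",
     "tcp.srcport": 80, "tcp.dstport": 51000, "frame.len": 66},
    {"proto": {"eth", "ip", "udp", "dns"}, "ip.src": "192.168.1.42", "ip.dst": "192.168.1.1",
     "udp.srcport": 33233, "udp.dstport": 53, "frame.len": 74},
    {"proto": {"eth", "ipv6", "udp"}, "ipv6.src": "fe80::1", "ipv6.dst": "ff02::fb",
     "udp.srcport": 5353, "udp.dstport": 5353, "frame.len": 128},
]

def apply_filter(text, packets=PACKETS):
    """Indices of the packets the filter keeps, like the packet list after filtering."""
    tree = parse_filter(text)
    return [i for i, p in enumerate(packets) if matches(tree, p)]
```

Running `apply_filter("ip.src == 10.73.31.59 && tcp.port == 80")` keeps only the first packet, while `apply_filter("ip.addr == 96.17.148.161")` keeps both directions of that conversation, which is the difference between ip.src and ip.addr described above; the IPv6 packet is never matched by an ip.* field, including ip.dst !=, because the field is absent rather than unequal.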


  • TCP Streams and Objects
    • If we visit many sites and don't know which packet belongs to what in the list, then right-click on the desired packet and click "Follow TCP Stream"

  • Decode As:
    • If we right click on desired packet and select "Decode As", we can convert it to any desired format.
    • For eg, TCP on the transport layer can be decoded to any user-specified protocol from the options

  • Name Resolutions:
    • Capture -> Options
    • Name resolution doesn't always work; it needs the network to be online and correctly configured
    • Resolve MAC address means Wireshark will resolve the layer-2 MAC address
    • Resolve network address means Wireshark will try to resolve the IP address into an understandable DNS name
    • Resolve transport layer name means that Wireshark will try to convert a port number into whatever that port stands for. For eg, port 80 means HTTP

  • Graphs
    • Flow Graphs:
      • Statistics -> Flow Graph
      • We can choose whether we want all packets or displayed packets (ie. the packets that are shown after using a filter)
      • Then, we get a graph
      • We will see different timestamps and a comment about each and every packet in the middle, under the green area, with analysis of source and destination

  • This can help to visualize each and every packet flow during the packet capture. Also, we can find from which and to which IP address a specific packet has been sent, and also see the details using the comment