Packet analysis, using Wireshark or another tool, is a valuable skill for the ethical hacker. This lesson reviews the phases of packet analysis: gather, decode, display, and analyze.
- [Instructor] Sniffing the network, or packet analysis, is a valuable skill for the ethical hacker and should be part of every network administrator's skill set. Instead of scanning an individual system, we now look at traffic that is flowing across the network. Devices such as intrusion detection and intrusion prevention systems monitor the network for threats and allowable protocols. However, network administrators should spend a few minutes every day and monitor the traffic.
This will give us a great deal of information on the status of the network. Sniffing traffic can gather network statistics, monitor protocol use (for example, are there any protocols that should not be on your network, such as BitTorrent or unauthorized instant messaging?), and detect network misuse. Packet analysis can run in real time, or you can capture traffic for later analysis, such as baselining traffic at various points in the network.
Although there are many packet analysis tools available, the tool I prefer is Wireshark. It's an open source tool with a rich graphical user interface and many built-in features. For this demonstration, I'm going to use the Old Stable Release. Here we can see on the download page, it's going to be Release 1.12.13. Many people are familiar with that interface, so that's what I'll be using. When you install Wireshark for the first time, you'll be prompted to install WinPcap for Windows, LibPcap for Linux, or AirPcap for wireless.
And these are the capture engines that allow you to capture traffic as it passes through your network interface card. The Phases of Packet Analysis are gather, decode, display and analyze. Now after you choose an interface to listen on, and place it in promiscuous mode, the interface scoops up network traffic. Keep in mind that traffic enters the network interface card in binary form, one frame at a time. Packet analysis software converts the bits into readable form for analysis.
Now we'll take a look at the heart of this, and this is where the decoding takes place. Wireshark was Ethereal before 2006, but the main core is still the same. In this illustration we see the Ethereal Packet Analyzer, or epan. This is the packet analyzing engine for Wireshark. For display, in Wireshark and many other packet analysis tools, there are many options to enhance your graphical experience.
For analysis, we can do analysis in real time or use a pre-captured file. When we look at it, we're asking ourselves: is this normal traffic? Do we see any unusual TCP flags or excessive duplicate acknowledgements? Examine for malware signatures, traffic in clear text, or router advertisements. In general we have a lot to cover, but we can see how sniffing and analyzing traffic on a network will reveal a great deal of information for the ethical hacker.
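To make the decode and analyze phases concrete, here is an added example (not part of the course transcript, and not Wireshark's or epan's code) that does by hand what a packet analyzer does: it takes raw Ethernet/IPv4/TCP frames as bytes, decodes the headers into readable fields, and then runs two of the checks the instructor mentions, unusual TCP flag combinations and excessive duplicate acknowledgements. The frames are constructed inline so the script runs offline; the duplicate-ACK heuristic (same flow, same ACK number, pure ACK, repeated `dup_ack_threshold` times) is a simplification of what Wireshark's expert info does and is an assumption of this example, as are all the function names.

```python
"""Decode raw Ethernet/IPv4/TCP frames and flag suspicious traffic.

Added example, not part of the course or of Wireshark. The frames below are
constructed by hand (no real capture) so the script runs offline.
"""
import struct
from collections import Counter

# TCP flag bits, as they appear in the 13th byte of the TCP header.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Build a minimal Ethernet + IPv4 + TCP frame (constructed test data, no payload)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # dst, src, EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,            # ver/IHL, TOS, len, id, frag, TTL, proto=TCP, csum
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4, flags, 65535, 0, 0)              # data offset=5 words, flags, window, csum, urg
    return eth + ip_hdr + tcp_hdr


def decode_frame(frame):
    """Decode phase: turn raw bits into a readable dict (Ethernet -> IPv4 -> TCP).

    Returns None for anything that is not IPv4 over Ethernet carrying TCP.
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    if proto != 6:
        return None
    tcp = frame[14 + ihl:]
    sport, dport, seq, ack, _offset, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack,
            "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit]}


def analyze(frames, dup_ack_threshold=3):
    """Analyze phase: flag odd flag combinations and excessive duplicate ACKs.

    Returns a list of (frame_index, finding, detail) tuples.
    """
    findings = []
    dup_acks = Counter()
    for i, raw in enumerate(frames):
        pkt = decode_frame(raw)
        if pkt is None:
            continue
        f = set(pkt["flags"])
        # SYN+FIN together, or no flags at all, never occurs in a normal TCP conversation.
        if {"SYN", "FIN"} <= f or not f:
            findings.append((i, "unusual TCP flags", pkt["flags"]))
        # Simplified duplicate-ACK heuristic: a pure ACK repeating the same ACK number on one flow.
        if f == {"ACK"}:
            key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["ack"])
            dup_acks[key] += 1
            if dup_acks[key] == dup_ack_threshold:
                findings.append((i, "duplicate ACKs", dup_acks[key]))
    return findings


def sample_frames():
    """Constructed traffic: one normal SYN, one SYN+FIN, three identical ACKs, one null-flag segment."""
    dup = build_frame("10.0.0.9", "10.0.0.5", 80, 40000, 100, 1, 0x10)
    return [
        build_frame("10.0.0.5", "10.0.0.9", 40000, 80, 1, 0, 0x02),   # SYN, normal
        build_frame("10.0.0.5", "10.0.0.9", 40001, 80, 1, 0, 0x03),   # SYN+FIN, unusual
        dup, dup, dup,                                                 # third repeat trips the threshold
        build_frame("10.0.0.5", "10.0.0.9", 40002, 80, 1, 0, 0x00),   # no flags, unusual
    ]


if __name__ == "__main__":
    for index, finding, detail in analyze(sample_frames()):
        print(f"frame {index}: {finding} ({detail})")
```

Running it prints three findings: the SYN+FIN segment, the third duplicate ACK, and the flagless segment. The same decode logic applies to frames read from a saved capture; the point is that once the bits are decoded into fields, the "is this normal?" questions from the transcript become simple, repeatable checks.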
Note: The topics in this course will prepare you for key objectives on the Certified Ethical Hacker exam. Find an overview of the certification and the exam handbook at https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/.
- Sniffing network traffic
- Passive vs. active attacks
- Comparing IPv4 to IPv6
- MAC and macof attacks
- Investigating DHCP attacks
- Detecting ARP and DNS spoofing
- Sniffing tools and techniques