Network Monitoring - Wireshark and tcpdump


tcpdump

A lightweight, command-line protocol analyzer. Administrators use it to capture packets and to do quick, text-based analysis of them.

How packet capturing analysis fits into security

Like log analysis, traffic analysis is an important part of network security. It is done by capturing packets and analyzing them. Traffic on a network is basically a flow of packets, so being able to capture and inspect those packets is essential to understanding what kind of traffic is flowing on the networks we want to protect.

What is in a line of tcpdump output?

The first field is a timestamp: when the kernel handed the packet to tcpdump, in local time. Next the layer 3 protocol is identified, in this case IPv4 (printed as "IP"). After this comes the connection quad: source address, source port, destination address and destination port. Next come the TCP flags and the TCP sequence number, followed by the ack number, the TCP window size and any TCP options that are set. Finally comes the payload size in bytes. Note that after the SYN tcpdump prints sequence and ack numbers relative to the start of the connection; use -S to see the absolute values. Tcpdump lets us inspect these values from packets directly.
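To make the fields on that line concrete, here is an added example (not from the original page, and not tcpdump's own code) that builds a constructed Ethernet/IPv4/TCP frame with the struct module, parses the headers back out of the raw bytes and renders them in the layout of a tcpdump line. It also illustrates the later cards about packets being just bytes and tcpdump showing the fields of the layer 3 and 4 headers. The MAC and IP addresses are made up, checksums are left at zero, and the output format is an approximation of tcpdump's (absolute sequence numbers, as with -S).

```python
import struct

# tcpdump's one-letter TCP flag names, in the order tcpdump prints them
FLAG_LETTERS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W"))


def build_frame(src, sport, dst, dport, seq, ack, flags, payload=b"", options=b""):
    """Constructed Ethernet/IPv4/TCP frame for the demo. MAC addresses are
    made up and the IP/TCP checksums are left at zero (tcpdump -v would
    report them as bad), which is enough for header parsing."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    options += b"\x01" * (-len(options) % 4)        # pad TCP options to 32 bits with NOPs
    data_off = 5 + len(options) // 4                 # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIHH", sport, dport, seq, ack, (data_off << 12) | flags, 64240)
    tcp += struct.pack("!HH", 0, 0) + options + payload   # checksum, urgent pointer
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def parse_frame(frame):
    """Pull out the fields tcpdump prints for an Ethernet/IPv4/TCP frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                          # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("only TCP is handled in this example")
    tcp = ip[ihl:total_len]                           # drops any trailing Ethernet padding
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4                  # TCP header length in bytes
    options, i, opts = [], 0, tcp[20:data_off]
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # end of option list
            break
        if kind == 1:                                 # NOP
            options.append("nop")
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):      # malformed option: stop, never loop forever
            options.append("bad kind %d" % kind)
            break
        if kind == 2:
            options.append("mss %d" % struct.unpack("!H", opts[i + 2:i + 4])[0])
        else:
            options.append("kind %d" % kind)
        i += length
    return {
        "src": ".".join(str(b) for b in ip[12:16]), "sport": sport,
        "dst": ".".join(str(b) for b in ip[16:20]), "dport": dport,
        "flags": "".join(letter for bit, letter in FLAG_LETTERS if off_flags & bit),
        "seq": seq, "ack": ack, "win": win, "options": options,
        "length": len(tcp) - data_off, "payload": tcp[data_off:],
    }


def tcpdump_line(p):
    """Render parsed fields in the layout of a tcpdump line (absolute seq/ack, like tcpdump -S)."""
    parts = ["Flags [%s]" % p["flags"], "seq %d" % p["seq"]]
    if "." in p["flags"]:                             # tcpdump prints ack only when ACK is set
        parts.append("ack %d" % p["ack"])
    parts.append("win %d" % p["win"])
    if p["options"]:
        parts.append("options [%s]" % ",".join(p["options"]))
    parts.append("length %d" % p["length"])
    return "IP %s.%d > %s.%d: %s" % (p["src"], p["sport"], p["dst"], p["dport"], ", ".join(parts))


# Constructed sample packets: a SYN carrying an MSS option, then a PSH/ACK carrying data.
SYN = build_frame("10.0.0.1", 54321, "10.0.0.2", 80, 1000, 0, 0x02,
                  options=struct.pack("!BBH", 2, 4, 1460))
DATA = build_frame("10.0.0.1", 54321, "10.0.0.2", 80, 1001, 5001, 0x18,
                   payload=b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    for frame in (SYN, DATA):
        print(tcpdump_line(parse_frame(frame)))
```

Running it prints one tcpdump-style line per frame; the bounds checks in the option loop matter because a hostile packet can carry an option with a zero length, which a naive parser would spin on forever.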

Wireshark's interface has

The list of packets is at the top, followed by the layered (protocol-by-protocol) representation of the packet selected in that list. Lastly, the hex and ASCII representation of the selected packet is at the bottom.

Wireshark is also able to view Bluetooth traffic with the right hardware, along with

USB traffic, and other protocols like Zigbee.

Wireshark is able to extract audio streams from unencrypted

VoIP (Voice over Internet Protocol) traffic. Wireshark decodes the RTP streams and can play them back from the Telephony menu (VoIP Calls or RTP > RTP Streams).

Some other neat features of Wireshark is its ability to decode

WPA and WEP encrypted wireless packets, if the passphrase is known. For WPA/WPA2 the capture must also contain the client's four-way handshake (the EAPOL frames), because the per-session keys are derived from it; WEP needs only the key.

example: http.request.uri matches "q=wireshark" This filter string would locate packets in our capture that contain

an HTTP request whose URI contains the specified string; in this case it would match a query parameter from a URL searching for Wireshark. Note that matches takes a Perl-compatible regular expression, so the string is treated as a pattern; for a plain substring test use http.request.uri contains "q=wireshark".

Tcpdump's default operating mode is to provide

a brief packet analysis.

tcpdump also supports reading packet captures back from

a file, using the -r flag (tcpdump -r capture.pcap). The same capture filters and output options apply when reading from a file as when capturing live.

Wireshark is a graphical utility that also uses the libpcap library for

capture and interpretation of packets (on Windows it uses Npcap, a libpcap-compatible library).

tcpdump will also replace port numbers with

the names of the services commonly associated with those ports (for example "http" for 80), and host addresses with host names. You can override this with the -n flag, which stops host-name resolution; -nn also keeps port and protocol numbers numeric.

In Wireshark, above the packet list pane, is a display filter box, which allows

complex filtering of which packets are shown. This is different from capture filters, which use the libpcap (BPF) filter syntax that tcpdump also uses, and which decide what gets captured in the first place.

tcpdump does things like

converting the source and destination IP addresses into the dotted-quad format we are used to, and showing the port numbers being used by the communication.

libpcap library

A cross-platform library that provides an API for receiving packets directly from the network. It is a very popular packet capture library used in many packet capture and analysis tools.

While tcpdump can do basic analysis of some types of traffic, like DNS queries and answers, Wireshark can

decode encrypted payloads if the encryption key is known. For TLS that means either the server's RSA private key (which only works for RSA key exchange, not ephemeral Diffie-Hellman) or a key log file of per-session secrets (the SSLKEYLOGFILE mechanism). It can also identify and extract data payloads from file transfers over protocols like SMB or HTTP.

In the wireshark interface, the packet list view is color coded to distinguish between

different types of traffic in the capture.

Wireshark also supports file carving, or extracting data payloads from

files transferred over unencrypted protocols, like HTTP file transfers or FTP (File > Export Objects lists the objects Wireshark has reassembled from HTTP, SMB and other protocols).

Wireshark's understanding of application level protocols even extends to its

filter strings. This allows filter rules like finding HTTP requests with specific strings in the URL, which would look like, http.request.uri matches "q=wireshark".

In Wireshark, The color coded is user configurable, the defaults are

the colors come from the coloring rules (View > Coloring Rules). In the current default profile TCP is light purple, UDP (including DNS) is light blue, and black highlights problematic TCP packets, like out-of-order, retransmitted or malformed segments. Older course material describes green for TCP and dark blue for DNS; the exact colors vary between versions and profiles, so check your own rules.

packets are just collections of data, or

groupings of ones and zeros. They represent information depending on the values of this data, and where they appear in the data stream.

The view tcpdump gives us lets us see the data that fits into the various fields that make up the

headers for layers in a packet.

tcpdump, by default, will attempt to resolve host addresses to

host names, via reverse DNS lookups. This slows the capture down and generates traffic of its own, so analysts usually turn it off with -n.

Wireshark

is another packet capture and analysis tool that you can use, but it's way more powerful when it comes to application and packet analysis, compared to tcpdump.

Tcpdump also supports writing packet captures to a file for

later analysis, sharing, or replaying traffic, using the -w flag (tcpdump -w capture.pcap). The file is written in libpcap format, so Wireshark opens it directly.
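The file that -w writes and -r reads back is the libpcap capture format: a 24-byte global header followed by a 16-byte record header plus data for each packet. The added example below (not from the page, and not libpcap's own code) writes and parses that format in plain Python, including truncation to a snaplen as tcpdump -s does, both host byte orders, and the nanosecond-timestamp magic number. The frames are constructed byte patterns, not real traffic. Note that Wireshark itself writes pcapng by default, which is a different container.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4      # classic libpcap file, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D      # same layout, nanosecond timestamps
LINKTYPE_ETHERNET = 1


def write_pcap(records, snaplen=65535, linktype=LINKTYPE_ETHERNET, endian="<"):
    """Serialize (sec, usec, frame) records into a libpcap file image.
    Frames longer than snaplen are truncated in the file while orig_len
    keeps the real size, which is what tcpdump -s does."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for sec, usec, frame in records:
        data = frame[:snaplen]
        out += struct.pack(endian + "IIII", sec, usec, len(data), len(frame)) + data
    return out


def read_pcap(blob):
    """Parse a libpcap file image written on either a little- or big-endian
    host. Returns (linktype, snaplen, records) where each record is
    (sec, frac, data, orig_len, unit) and unit is 'us' or 'ns'."""
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a libpcap file (pcapng is a different format)")
    unit = "us" if magic == PCAP_MAGIC_USEC else "ns"
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unexpected libpcap version %d.%d" % (vmaj, vmin))
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, incl, orig = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if incl > orig:                             # impossible for a valid writer: corrupt or hostile
            raise ValueError("bad record lengths at offset %d" % off)
        data = blob[off:off + incl]
        if len(data) != incl:                       # file cut short mid-packet (e.g. tcpdump killed)
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl
        records.append((sec, frac, data, orig, unit))
    return linktype, snaplen, records


# Constructed frames: no real traffic, just distinct byte patterns of known length.
FRAME_A = bytes(range(100))           # 100 bytes, longer than the snaplen used below
FRAME_B = b"\xaa" * 60                # minimum Ethernet frame size

if __name__ == "__main__":
    image = write_pcap([(1700000000, 123456, FRAME_A), (1700000001, 0, FRAME_B)], snaplen=64)
    linktype, snaplen, recs = read_pcap(image)
    for sec, frac, data, orig, unit in recs:
        print("%d.%06d captured %d of %d bytes" % (sec, frac, len(data), orig))
```

The length checks are there for a reason: capture files often come from untrusted sources (a ticket attachment, a shared drive), and a parser that trusts incl_len blindly will read past the buffer or allocate whatever a crafted header asks for.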

Tcpdump uses the open source

libpcap library

With tcpdump it is also possible to view the raw data the makes up the

packet. The -x flag prints the packet as hexadecimal digits, and capital -X prints hex and ASCII side by side; -xx and -XX include the link-layer header as well.

Wireshark is way more extensible when it comes to

protocol and application analysis.

Wireshark's deep understanding of protocols allows filtering by

protocols, along with their specific fields.

tcpdump prints information about each packet to

standard out, or directly into your terminal.

Not only does Wireshark have very handy protocol handling and filtering, it also understands and can follow

tcp streams or sessions.

tcpdump converts key information from layers

three and up (network, transport and, for some protocols, application) into human-readable formats.

With Wireshark, following tcp streams or sessions lets you quickly reassemble and view both sides of a tcp session, so you can easily

view the full two-way exchange of information between the parties (Analyze > Follow > TCP Stream, or right-click a packet and choose Follow). Wireshark reorders the segments by sequence number and drops retransmitted data, so what you see is the byte stream each side received rather than the packets as they arrived.
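What following a stream actually involves, as an added example (not from the page, and not Wireshark's code): the segments of one constructed HTTP exchange arrive with one piece out of order and one retransmitted, exactly the cases the "black" coloring rule flags, and the function below reorders each direction by sequence number, discards the duplicate data, marks any hole, and returns the reassembled bytes for both sides. Addresses, ports and the request are made up; 32-bit sequence wrap-around is deliberately not handled.

```python
from collections import defaultdict

# One constructed HTTP exchange, as the segments a capture might contain.
C2S = ("10.0.0.1", 54321, "10.0.0.2", 80)       # client -> server direction
S2C = ("10.0.0.2", 80, "10.0.0.1", 54321)       # server -> client direction
REQUEST = b"GET /?q=wireshark HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
SEGMENTS = [                                   # (src, sport, dst, dport, seq, payload) in capture order
    C2S + (1001, REQUEST[:10]),
    C2S + (1021, REQUEST[20:]),                # arrives before the middle piece
    C2S + (1011, REQUEST[10:20]),              # the out-of-order piece
    C2S + (1001, REQUEST[:10]),                # retransmission of the first piece
    S2C + (5001, RESPONSE[:17]),
    S2C + (5018, RESPONSE[17:]),
]


def follow_tcp_stream(segments, gap_fill=b"?"):
    """Rebuild each direction's byte stream from TCP segments: order by
    sequence number, drop retransmitted data, fill holes with gap_fill so
    byte offsets stay honest. Returns (streams, anomalies): streams maps
    (src, sport, dst, dport) to bytes; anomalies lists (segment_index, kind)
    for the packets Wireshark would colour black. Sequence numbers are
    treated as plain integers, so 32-bit wrap-around is not handled."""
    by_dir, seen, highest, anomalies = defaultdict(list), set(), {}, []
    for idx, (src, sport, dst, dport, seq, data) in enumerate(segments):
        key = (src, sport, dst, dport)
        if not data:                                   # pure ACKs carry no stream bytes
            continue
        if (key, seq, len(data)) in seen:
            anomalies.append((idx, "retransmission"))
        elif key in highest and seq < highest[key]:
            anomalies.append((idx, "out-of-order"))
        seen.add((key, seq, len(data)))
        highest[key] = max(highest.get(key, 0), seq + len(data))
        by_dir[key].append((seq, data, idx))

    streams = {}
    for key, segs in by_dir.items():
        segs.sort(key=lambda s: s[0])
        buf, expected = bytearray(), segs[0][0]
        for seq, data, idx in segs:
            if seq + len(data) <= expected:            # entirely old data: drop
                continue
            if seq < expected:                         # partial overlap: keep only the new tail
                data, seq = data[expected - seq:], expected
            if seq > expected:                         # missing segment: mark the hole
                anomalies.append((idx, "gap before seq %d" % seq))
                buf += gap_fill * (seq - expected)
            buf += data
            expected = seq + len(data)
        streams[key] = bytes(buf)
    return streams, anomalies


if __name__ == "__main__":
    streams, anomalies = follow_tcp_stream(SEGMENTS)
    print(streams[C2S].decode())
    print(streams[S2C].decode())
    print(anomalies)
```

Running it prints the request and response as their receivers saw them, plus the list of problem segments. Real reassemblers also have to decide what to do with overlapping segments whose bytes disagree; that ambiguity is a classic IDS-evasion trick, and the simple "keep the first copy" policy above is only one of the possible answers.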
