Packets and Protocols - St. Clair County Community College
Packets and Protocols

Chapter One – Introduction

Course title: Introduction to TCP/IP
Course No: CIS
Prerequisite: CIS
Credit Hrs: 4
Text Book: Wireshark and Ethereal - Syngress

– We cannot troubleshoot networks until we understand how they work. To know how protocols work at their most basic level means that you have a clear understanding of how protocols and their associated packets work. With this knowledge you will be able to troubleshoot a myriad of network problems.

Class structure - http://cis.sc4.edu/
– Start – 6:15
– Breaks – 2 – various times
– End – NLT 10:00
– Contact time – 5:25 – 6:15
– Instructor – John Kowalski – [email protected]

Silly-bus
– Course website
– Grading scale
– Slides
– Course outcomes
– White hat agreement

1. Name
2. Background/Experiences/Certifications, etc?
3. What do you know about the use of sniffers?

Network analysis – defined
– The process of capturing network traffic for the purpose of troubleshooting network anomalies with various tools and techniques.

What is a sniffer?
– Technically it is a product produced by NetScout
– It is a tool that converts bits and bytes into a format that we can understand.

What is a network analyzer?
– Can be anything!
  Portable laptop
  Dedicated hardware
  Generic PC used for packet captures

What does an analyzer tool look like?
(screenshot of an analyzer window with its SUMMARY, DETAIL and DATA panes)

A packet analyzer is composed of five basic components
1. Hardware
2. Driver
3. Buffer
4. Real-Time Analysis Tool
5. Decode

What is a protocol analysis tool used for?
– Converting binary to English
– Troubleshooting
– Performance analysis
– Logging traffic
– Establishing benchmarks
– Discovering faulty devices
– Intrusion detection
– Virus detection

The Good, the Bad and the Ugly
– Like any tool the possibility for misuse exists
  Hackers can steal info
  The “curious” can snoop
  Passwords can be captured
  Learn what viruses would be most effective
  Learn IP addressing schemes for DOS attacks

Other network analyzers
– WinDump
– Network General Sniffer (now NetScout)
– Network Monitor
– EtherPeek
– TCP Dump
– Snoop
– Snort
– Dsniff
– Ettercap
– Etc….

How does a sniffer……sniff?
– All Ethernet enabled devices see all of the traffic on “the wire”
– Ethernet is not a secure protocol so sniffers are the perfect tool for troubleshooting
Normal NIC behavior
– Unicasts, bcasts, mcasts
Promiscuous mode
– All-Unicasts, all-bcasts, all-mcasts, all-traffic!

End node in Normal mode
(diagram: the ROUTER announces “I have a packet here for MAC Address 103”; MAC 100, MAC 101, MAC 102 and MAC 104 each answer “It’s not for me!”; MAC 103 answers “That’s my address!”)

End node in Promiscuous mode
(diagram: the ROUTER announces “I have a packet here for MAC Address 103”; MAC 100, MAC 101 and MAC 102 answer “It’s not for me!”; MAC 103 answers “That’s my address!”; MAC 104, in promiscuous mode, answers “It’s not my address but I’ll take it!”)
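The two diagrams above, worked through in code. This is an added example, not code from the course or its textbook: it models the accept/ignore decision a NIC makes for each frame in normal versus promiscuous mode, and, since it has to parse addresses anyway, it also applies the address format rules (6 bytes, written in hexadecimal) and classifies unicast, multicast and broadcast using the I/G bit, which in the usual hex notation is the least significant bit of the first byte. Function names and the "MAC 100" to "MAC 104" addresses are my own constructed values.

```python
# Added example (not from the course slides or its textbook): how an Ethernet
# NIC decides whether to hand a received frame to the driver in normal vs.
# promiscuous mode, plus the address syntax rules from the MAC address slide
# (6 bytes, written in hexadecimal). Function names and the "MAC 100"-"MAC 104"
# addresses are my own constructed values.
import re

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_mac(text):
    """Return the 6 address bytes of a MAC written as 00.0C.12.34.AB.CD,
    00:0c:12:34:ab:cd or 00-0C-12-34-AB-CD. Raises ValueError otherwise."""
    parts = re.split(r"[.:-]", text.strip())
    if len(parts) != 6:
        raise ValueError(f"{text!r}: a MAC address is exactly 6 bytes")
    if not all(HEX_BYTE.fullmatch(p) for p in parts):
        # This is what makes 00.00.01.10.45.G2 illegal: 'G' is not a hex digit.
        raise ValueError(f"{text!r}: each byte must be two hexadecimal digits")
    return bytes(int(p, 16) for p in parts)


def is_valid_mac(text):
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False


def address_type(mac):
    """Classify by the I/G bit (least significant bit of the first byte);
    the all-ones address is the broadcast address."""
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"


def nic_accepts(nic_mac, frame_dst, promiscuous=False, multicast_groups=()):
    """Would this NIC pass the frame up?  Normal mode: only its own unicast
    address, broadcasts and multicast groups it has joined.  Promiscuous mode:
    everything on the wire, which is what a sniffer relies on."""
    if promiscuous:
        return True
    kind = address_type(frame_dst)
    if kind == "broadcast":
        return True
    if kind == "multicast":
        return frame_dst in multicast_groups
    return frame_dst == nic_mac


# Constructed lab segment: "MAC 100" .. "MAC 104" as in the two diagrams
NODES = {f"MAC {n}": f"00.0C.12.34.AB.{n:02X}" for n in range(100, 105)}


def who_accepts(frame_dst_text, nodes=NODES, promiscuous_nodes=()):
    """Labels of the nodes whose NIC accepts a frame sent to frame_dst_text."""
    dst = parse_mac(frame_dst_text)
    return [label for label, mac_text in nodes.items()
            if nic_accepts(parse_mac(mac_text), dst,
                           promiscuous=label in promiscuous_nodes)]


if __name__ == "__main__":
    for example in ("00.0C.12.34.AB.CD", "FF.FF.FF.FF.FF.FF", "00.00.01.10.45.G2"):
        print(example, "Legal" if is_valid_mac(example) else "Illegal")
    to_103 = NODES["MAC 103"]
    print("normal mode, frame for MAC 103:  ", who_accepts(to_103))
    print("MAC 104 promiscuous, same frame: ", who_accepts(to_103, promiscuous_nodes={"MAC 104"}))
    print("broadcast frame:                 ", who_accepts("FF.FF.FF.FF.FF.FF"))
```

With nothing in promiscuous mode only MAC 103 keeps the frame; once MAC 104 is switched to promiscuous mode it keeps it too, which is exactly the behaviour a sniffer depends on and the reason the later slides treat promiscuous-mode interfaces as something to detect.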
A word about MAC addresses
– Media Access Control Addresses:
  Are unique
  Can be viewed by ipconfig (windows)
  Can be overridden (spoofing)
    – DOS attack
    – SYN attack
    – Smurf Attack
  Consist of an Organization Unique Identifier – http://standards.ieee.org/regauth/oui/oui.txt

Local Area Networks – Ethernet address types
– Addresses are 6 bytes long
– Generally written in hexadecimal
– Globally unique (unicast)
– Aka – Burned-in-address
  00.0C.12.34.AB.CD - Legal
  FF.FF.FF.FF.FF.FF - Legal (the all-ones broadcast address)
  00.00.01.10.45.G2 - Illegal (G is not a hexadecimal digit)

The OSI Model
– A method of moving data from point to point using seven distinct steps
The TCP/IP Model
– TCP/IP (aka DoD model) is newer and only contains four layers
  Moves Data
  Connects processes
  Provides Services

7 Application – Allows users to transfer files, send mail, etc. Only layer that users can communicate with directly. Key features are ease of use and functionality.
6 Presentation – Standardized data encoding and decoding. Data compression. Data encryption and decryption.
5 Session – Manages user sessions. Reports upper-layer errors. Supports Remote Procedure Call activities.
4 Transport – Connection management (e.g., TCP). Error and flow control. Connectionless, unreliable (e.g., UDP).
3 Network – Internetwork packet routing. Minimizes subnet congestion. Resolves differences between subnets.
2 Data Link – Network access control - MAC address. Packet framing. Error and flow control.
1 Physical – Moves bits across a physical medium. Interface between network medium and network devices. Defines electrical and mechanical characteristics of LAN.

OSI vs. TCP Model
(diagram comparing the two models)

The Physical Layer
The Physical Layer only transmits bits to, and receives bits from, the physical medium. It does not “see” the bits as organized into meaningful patterns, such as an address. The Physical Layer operates depending on the chosen network topology.

The Physical Layer cont.
A physical address is also referred to as a:
– Hardware address
– Adapter address
– Network interface card (NIC) address
– Medium Access Control (MAC) address
A physical address is required for network devices to ultimately deliver information to a given network node.

The Data Link Layer
We can categorize physical addresses, for the purposes of networking, into two general types:
– A LAN address is commonly found in an Ethernet or Token Ring LAN environment.
– A WAN address is used in High-Level Data Link Control (HDLC) or frame relay network protocol addressing.
The layer is divided into two distinct parts:
– MAC – The MAC address of the node – interfaces with lower layers
– LLC – Tags and identifies protocols – interfaces with upper layers
– Think of it as a universal adapter

The Network Layer
A logical address is generally implemented as a software entity rather than a hardware entity. There are two primary types of logical addresses, as follows:
– Network addresses, processed at the Network Layer
– Port or process addresses, processed at the Transport Layer

The Transport Layer
The Well-Known Port Numbers Table lists some of the more commonly used TCP and User Datagram Protocol (UDP) addresses.

The Transport Layer cont.
The Transport Layer is responsible not only for application addressing, but also for providing reliable communications over the best effort Layer 3 protocols. The Transport Layer provides:
– Flow control
– Windowing
– Data sequencing
– Recovery

The Transport Layer cont.
Two protocols most commonly associated with layer 4
– TCP
  High overhead
  Connection oriented
  Reliable
– UDP
  Low overhead
  Connectionless
  Unreliable
  Fast

The Session Layer
The Session Layer:
– establishes, manages, and terminates sessions between applications.
– provides its services to the Presentation Layer.
– synchronizes dialog between Presentation Layer entities and manages their data exchange.

The Presentation Layer
The Presentation Layer:
– ensures that information sent by the Application Layer of one system is formatted in a manner in which the destination system’s Application Layer can read it.
– can translate between multiple data representation formats, if necessary.

The Application Layer
The Application Layer:
– is the layer closest to the user.
– provides user application services to application processes outside the OSI model’s scope and does not support the other layers.
– identifies and establishes the intended communication partners’ availability, synchronizes cooperating applications, and establishes agreed procedures for application error recovery and data integrity control.
– determines whether sufficient resources exist for the intended communications.

Ethernet communication steps
– Arbitration — Determines when it is appropriate to use the physical medium
– Addressing — Ensures that the correct recipient(s) receives and processes the data that is sent
– Error detection — Determines whether the data made the trip across the physical medium successfully
– Identification of the encapsulated data — Determines the type of header that follows the data link header

CSMA/CD
CSMA
1. Node Listens
2. Node Sends Data
3. Node Listens
CD
1. Collision detected
2. Nodes “back off”
3. Node retransmits

Top four protocols:
– IP
– ICMP
– TCP
– UDP
While there are certainly more than four protocols, these make up the bulk of network traffic.
IP
– Connectionless
– Moves data from one layer three address to another
Several fields:
– IPID Field
– Protocol
– TTL
– Source IP
– Destination IP

ICMP
– The “tattle tale” protocol
Echo
– Request/reply
Unreachable
– Destination
– Network
– Port
Time exceeded
– TTL

TCP
– The protocol you can count on
Uses include
– Web
– E-mail
– FTP
– SSH
Reliable
– Ack
– Handshake
Sequencing
– Disassembles and reassembles large payloads

UDP
– Quick but unreliable
Guaranteed fast! (but not guaranteed to get there)
– Uses
  VoIP
  DHCP
  DNS
  Gaming

Repeaters
Repeaters are used to
– Amplify signals and pass them to other network segments
– Packets are received, amplified and retransmitted
Repeaters have limited abilities
– Repeaters cannot filter or error check packets
– They are physical level devices with no built in algorithms
– Function is limited to digital signal amplification

Hubs
Hubs are multi-port repeaters
– Multi-port repeaters are also known as Hubs
– Connect workstations to the network
– Hubs can have multiple port connections and be stacked
– Use Twisted-pair cabling

Bridge
A bridge provides for
– Creation of a single “logical” LAN longer than any one cable
– Offers electrical & traffic isolation between cable segments
– Keeps local traffic local on the LAN
– Forwards only necessary traffic on to the WAN
Bridges are protocol independent
– Can support any protocol on the LAN
– Most common use of a bridge is to filter traffic
– Purpose is to separate LAN traffic based on MAC addresses
– Supports asynchronous or synchronous WAN connections

LAN Segmentation
(diagram)

Transparent Bridges perform three functions:
1. Learn MAC addresses by examining the source MAC address of each frame received by the bridge
2. Decide when to forward a frame or when to filter (not forward) a frame, based on the destination MAC address
3. Create a loop-free environment with other bridges by using the Spanning Tree Protocol
• Ethernet bridges are known as TRANSPARENT BRIDGES because they are invisible – or – transparent to the end devices

• Bridges observe traffic as it passes and record the MAC addresses
• Bridges forward all broadcast and unknown unicast packets

Switch (multi-port bridge)
Used to alleviate network congestion
– Divide networks into virtual LAN (VLAN) segments
– Ability to dedicate more bandwidth
– Function at data link layer of workgroups
– Function at Network layer of network backbones
Switches provide 100 Mbps ports for user connections
– Ethernet switches have replaced bridges in large networks
– Can also filter traffic based on MAC address
– Ethernet switches function as a repeater and a bridge

Switches actually make packet analysis more difficult

Router
– Layer 3 device
– Interconnects networks
– A Layer 3 switch is a multi-port router

Routers stop the flow of broadcasts

How many collision domains are there?
(diagram)
There are six collision domains

Firewalls
– Specialized devices
– Ability to examine packets at virtually every layer of the OSI model
– Generally placed at the “edge” of the network
– Offloads “policing” policies from the core routers

Typical Switch Port
(diagram)

Spanned Switch Port
(diagram: Sniffer PC attached to a spanned switch port)

Spanned Uplink Port
(diagram: Sniffer PC on a spanned uplink port towards the Internet)
Placement of the sniffer is critical

Disparate Spanned Ports
(diagram: three 1 Gigabyte ports spanned to one 100 Megabyte port)
This will work, but you are bound to lose some data

Detecting Sniffers on your network
– Look for DNS reverse lookups
  Sniffers often use reverse lookups
– Send the pump-fake packet
  Look for a RST packet
– Monitor hub ports
  Maintain ports’ physical security / disable unused ports
– Send a fake ARP
  Sniffers respond to non-broadcast ARP requests

Wireless sniffer tools
– Netstumbler
  Network scanner, not really a sniffer
– Kismet
  Good all around open source, all free tool
– Wireshark
  Sniffer; does not show SSID/Signal strength
– CommView
  Commercial wireless monitor for WiFi
– And others… (P36)

Commonly seen protocols
– DHCP
– DNS
– NTP
– HTTP
– SMTP

DHCP
– Used to give clients the necessary information they need to function on the network
  IP address
  Subnet mask
  DG
  WINS server
  DNS server
– Sniff for: The last ACK packet to gather the most information

DNS
– Used to determine the IP address of a hostname and vice versa
  Uses UDP port 53 – TCP for zone transfers and packets >512k
  Used to remotely look up records in a DNS database
– Sniff for: The DNS response packet

NTP
– Used to reference a time source for synchronization
  Uses UDP port 123
  Uses a server/client model
– Sniff for: The NTP response packet with the time and synchronization packet in it.
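Going back to the transparent-bridge, switch and spanned-port slides: the following is an added example, not the course's own code, that models a switch as a MAC address table and runs a constructed sequence of frames through it. It shows the three bridge functions (learn from the source address, forward or filter by destination address, flood broadcasts and unknown unicasts) and makes the "placement of the sniffer is critical" point concrete: a sniffer PC on an ordinary port only ever captures the flooded frames, while a spanned (mirrored) port receives a copy of everything that enters or leaves the mirrored port. Port numbers, MAC addresses and the traffic are made up for the example, and the SPAN behaviour is the simple "copy ingress and egress of the mirrored ports" model, not any particular vendor's implementation.

```python
# Added example (not the course's own code): a transparent bridge / switch
# modelled as a MAC address table, run over a constructed sequence of frames.
# It shows the three bridge functions from the slides (learn, forward/filter,
# flood broadcasts and unknown unicasts) and why the sniffer's port placement
# matters: a PC on an ordinary switch port only sees flooded frames, while a
# spanned (mirrored) port sees whatever enters or leaves the mirrored port.
# Port numbers, MAC addresses and traffic below are made up for the example.
from collections import namedtuple

Frame = namedtuple("Frame", "src dst")

BROADCAST = "ff:ff:ff:ff:ff:ff"
A, B, C, D, S = ("00:0c:12:34:ab:%02x" % n for n in (0x0a, 0x0b, 0x0c, 0x0d, 0x05))
PORTS = [1, 2, 3, 4, 5]  # 1=host A, 2=host B, 3=hub with C and D, 4=sniffer PC, 5=uplink


def is_group_address(mac):
    """Broadcast and multicast have the I/G bit (low bit of the first byte) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, ports, span_port=None, span_sources=frozenset()):
        self.ports = list(ports)
        self.table = {}                        # MAC -> port it was learned on
        self.span_port = span_port             # port the sniffer PC is plugged into
        self.span_sources = set(span_sources)  # ports whose traffic is mirrored

    def handle(self, in_port, frame):
        """Process one frame; return (action, list of egress ports)."""
        # 1. Learn: the source MAC lives behind the port the frame came in on.
        self.table[frame.src] = in_port
        # 2. Decide: flood, filter, or forward based on the destination MAC.
        if is_group_address(frame.dst) or frame.dst not in self.table:
            action = "flood"
            out = [p for p in self.ports if p not in (in_port, self.span_port)]
        elif self.table[frame.dst] == in_port:
            action, out = "filter", []         # destination is on the same segment
        else:
            action, out = "forward", [self.table[frame.dst]]
        # 3. SPAN: copy frames that enter or leave a mirrored port to the sniffer.
        if self.span_port is not None and self.span_sources & ({in_port} | set(out)):
            out = out + [self.span_port]
        return action, out


# Constructed traffic: (ingress port, frame)
TRAFFIC = [
    (1, Frame(A, BROADCAST)),  # A's ARP-style broadcast
    (5, Frame(S, A)),          # server replies to A
    (1, Frame(A, S)),
    (2, Frame(B, S)),
    (5, Frame(S, B)),
    (3, Frame(C, D)),          # C and D share a hub on port 3; D not yet learned
    (3, Frame(D, C)),          # now both are known on port 3: filtered
    (1, Frame(A, B)),
]


def run(switch, traffic=TRAFFIC):
    """Return the action the switch took for each frame."""
    return [switch.handle(port, frame)[0] for port, frame in traffic]


def frames_seen_by(port, switch, traffic=TRAFFIC):
    """Frames delivered to `port` (what a sniffer plugged in there would capture)."""
    seen = []
    for in_port, frame in traffic:
        _, out = switch.handle(in_port, frame)
        if port in out:
            seen.append(frame)
    return seen


if __name__ == "__main__":
    print("actions:", run(Switch(PORTS)))
    print("typical port 4:  ", len(frames_seen_by(4, Switch(PORTS))), "frames")
    print("span host A port:", len(frames_seen_by(4, Switch(PORTS, span_port=4, span_sources={1}))), "frames")
    print("span uplink port:", len(frames_seen_by(4, Switch(PORTS, span_port=4, span_sources={5}))), "frames")
```

On the plain port the sniffer captures only the two flooded frames; spanning host A's port yields five of the eight, and spanning the uplink yields six, which is why the slides put the sniffer on a spanned uplink when the traffic of interest crosses the network edge. The "Disparate Spanned Ports" caveat follows from the same model: every mirrored frame is copied onto the sniffer's port, so mirroring several faster ports onto one slower port oversubscribes it and frames are dropped.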
HTTP
– Most commonly used protocol
– Payload is text data
  Uses TCP port 80
  Uses a server/client model
– Sniff for: Uses TCP, so make sure the handshake takes place, then look for the data that follows

SMTP
– Used to transfer e-mail from place to place: mail server to mail server, and mail server to client
  Uses TCP port 25
  Payload is text data
– Non-textual data is converted to text via MIME

Protecting your network from sniffers
– Physical security is the best method
  Lock closets
  Disable ports
  Be alert for hubs, WAPs etc
– As a last resort, just make sure that whatever is sniffed is useless to a hacker

How to ward off the evil doers
– Use SSH – not TELNET
  SSH encrypts its payload
– Use SSL – not HTTP
  SSL encrypts HTTP data
– Use IPSec
  IPSec is layer three encryption (tunneling)
– Use VPN
  VPN encrypts data into IP tunnels (layer 2 tunneling)
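The "Sniff for" hints on the DNS, NTP and HTTP slides, turned into a small decoder. This is an added example, not code from the course: it runs over constructed packet summaries and checks real header bits rather than port numbers alone (the DNS QR flag in byte 2 of the header, the NTP mode field in the low three bits of the first byte, where mode 4 is a server reply and mode 3 a client request), and for HTTP it follows the TCP three-way handshake so that data on port 80 is only reported as HTTP once SYN, SYN/ACK and ACK have been seen. The Packet record, function names, addresses and sample traffic are my own.

```python
# Added example (not from the slides): a minimal "sniff for" decoder that applies
# the per-protocol hints from the DNS, NTP and HTTP slides to constructed packet
# summaries. It checks real header bits (the DNS QR flag, the NTP mode field)
# and, for HTTP, follows the TCP three-way handshake before it trusts data on
# port 80. The Packet record, function names and sample traffic are my own.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport flags payload")


def dns_is_response(payload):
    """DNS header: byte 2, top bit = QR (0 query, 1 response)."""
    return len(payload) >= 12 and bool(payload[2] & 0x80)


def ntp_is_server_reply(payload):
    """NTP first byte: LI(2) VN(3) Mode(3); mode 4 = server, 3 = client."""
    return len(payload) >= 48 and (payload[0] & 0x07) == 4


class HandshakeTracker:
    """Tracks each TCP connection through SYN, SYN/ACK, ACK so that payload on
    port 80 is reported as HTTP only after a complete handshake was seen."""

    def __init__(self):
        self.state = {}

    @staticmethod
    def key(p):
        # Same key for both directions of the connection
        return min((p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport))

    def observe(self, p):
        k = self.key(p)
        st = self.state.get(k, "closed")
        if p.flags == {"SYN"}:
            self.state[k] = "syn-sent"
        elif p.flags == {"SYN", "ACK"} and st == "syn-sent":
            self.state[k] = "syn-received"
        elif "ACK" in p.flags and st == "syn-received":
            self.state[k] = "established"
        if p.payload and 80 in (p.sport, p.dport):
            return "HTTP data" if self.state.get(k) == "established" else "HTTP data without handshake"
        return None


def sniff_for(packets):
    """Return (1-based packet number, label) for every packet worth looking at."""
    hits, tracker = [], HandshakeTracker()
    for n, p in enumerate(packets, 1):
        label = None
        if p.proto == "udp" and p.sport == 53 and dns_is_response(p.payload):
            label = "DNS response"
        elif p.proto == "udp" and p.sport == 123 and ntp_is_server_reply(p.payload):
            label = "NTP server reply"
        elif p.proto == "tcp":
            label = tracker.observe(p)
        if label:
            hits.append((n, label))
    return hits


# Constructed payloads: 12-byte DNS headers (id, flags, 4 counts) and 48-byte NTP packets
DNS_QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000")
DNS_RESPONSE = bytes.fromhex("1234 8180 0001 0001 0000 0000")
NTP_CLIENT = bytes([0x23]) + bytes(47)   # VN 4, mode 3
NTP_SERVER = bytes([0x24]) + bytes(47)   # VN 4, mode 4

# Constructed addresses for the sample capture
CLIENT, RESOLVER, TIMESRV, WEB, OTHER = "10.0.0.5", "10.0.0.2", "10.0.0.3", "10.0.0.80", "10.0.0.81"
SAMPLE = [
    Packet("udp", CLIENT, 40001, RESOLVER, 53, set(), DNS_QUERY),
    Packet("udp", RESOLVER, 53, CLIENT, 40001, set(), DNS_RESPONSE),
    Packet("udp", CLIENT, 123, TIMESRV, 123, set(), NTP_CLIENT),
    Packet("udp", TIMESRV, 123, CLIENT, 123, set(), NTP_SERVER),
    Packet("tcp", CLIENT, 51000, WEB, 80, {"SYN"}, b""),
    Packet("tcp", WEB, 80, CLIENT, 51000, {"SYN", "ACK"}, b""),
    Packet("tcp", CLIENT, 51000, WEB, 80, {"ACK"}, b""),
    Packet("tcp", CLIENT, 51000, WEB, 80, {"PSH", "ACK"}, b"GET / HTTP/1.1\r\n"),
    Packet("tcp", OTHER, 80, CLIENT, 52000, {"PSH", "ACK"}, b"HTTP/1.1 200 OK\r\n"),  # no handshake seen
]

if __name__ == "__main__":
    for number, label in sniff_for(SAMPLE):
        print(f"packet {number}: {label}")
```

The last sample packet is the case the HTTP slide warns about: port 80 data with no handshake in the capture, which is either a connection that started before the capture did or something that is not a normal client session, and either way deserves a second look before it is treated as an ordinary web request.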