Network Sniffer Analysis

Network sniffer and protocol analyzer

Note

Course: Network Attack and Defense Practice

Assignment: fourth assignment

1. Learning summary

  • Wired / wireless sniffers; hardware / software sniffers.
  • Some concepts and principles:
    • Ethernet is a shared broadcast medium. A network interface card normally accepts only the frames whose destination MAC address (encapsulated in the frame header) is its own; in promiscuous mode the NIC driver accepts every frame that arrives over the shared medium.
    • Shared vs. switched networks: a switch does store-and-forward delivery based on a MAC-address-to-port mapping table.
    • Some ways of sniffing in a purely switched network: MAC flooding (overflowing the switch's mapping table so that its failure mechanism takes over), MAC spoofing (frames with a forged source MAC make the switch rewrite its mapping table), and ARP spoofing.
    • BPF (Berkeley Packet Filter): the link-layer packet send/receive interface on UNIX-like systems; it filters packets in the kernel with small test programs (bit tests computed on header fields).
    • libpcap (UNIX-like systems): the packet capture library, built on BPF; captured packets are saved in the pcap format, a general per-packet record format that many tools share.
    • NPF and WinPcap (packet.dll, wpcap.dll): the Windows counterparts of BPF and libpcap.
    • Calling libpcap's library functions makes it easy for an individual to write a small network sniffing tool.
    • tcpdump (built on libpcap, uses the BPF filter syntax).
    • Detecting sniffers: in promiscuous mode the Linux kernel checks only the IP address when deciding whether to accept a received packet, whereas in normal mode it accepts only frames whose destination MAC is the host's own address or the broadcast address. By actively sending an ICMP request that carries a valid IP address but a destination MAC the host would not normally accept, one can detect whether a host on the segment is in sniffing mode (only a host in promiscuous mode answers).
    • Network protocol analysis: each layer's protocol header carries field information, and the analysis proceeds in order: determine the frame header; read the network-layer information (EtherType for IP is 0x0800, source and destination IP); reassemble the IP datagram and read the transport-layer information (protocol number TCP = 6, UDP = 17; source and destination ports); reassemble the transport-layer segments; then determine the application-layer protocol type and reassemble its data (mainly done by the libpcap packet handler dispatching to the corresponding protocol's processpacket() according to a protocol database).
    • Some Wireshark filter expressions: [src|dst] host \<host> (packets whose source or destination is the given host); less|greater \<length> (packets whose length meets the requirement); [tcp|udp] [src|dst] port \<port> (filter by TCP/UDP and port number).
    • Display filter operators: is present, contains, matches.
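As an added example (my own code, not part of the course write-up or of any tool it mentions), here is a pure-Python reader for the pcap format together with the layered decoding steps listed above, plus a function that implements the tcpdump test tcp[13]&18==2 used in the practical part. The sample capture is constructed inline with made-up addresses (10.0.0.5 and the documentation range 203.0.113.0/24); nothing in it comes from a real trace.

```python
# Added example (not from the write-up): a minimal pcap reader and layered decoder
# in pure Python, walking pcap record -> Ethernet -> IPv4 -> TCP/UDP as described above.
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

PCAP_MAGIC_LE = 0xA1B2C3D4        # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


@dataclass
class Packet:
    ethertype: int
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: int = 0


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def pcap_records(data: bytes) -> Iterator[bytes]:
    """Yield the raw frame stored in each record of a little-endian Ethernet pcap."""
    magic, _vmaj, _vmin, _zone, _sigfigs, _snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example handles little-endian Ethernet pcap only")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16                              # per-record header is 16 bytes
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame: bytes) -> Packet:
    """Step through the headers: Ethernet -> (EtherType 0x0800) IPv4 -> (proto 6/17) TCP/UDP."""
    dst, src, etype = struct.unpack_from("!6s6sH", frame, 0)
    pkt = Packet(etype, _mac(src), _mac(dst))
    if etype != ETHERTYPE_IP:
        return pkt                             # ARP and others: stop at the link layer
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                   # IPv4 header length in bytes (options included)
    pkt.proto = ip[9]
    pkt.src_ip, pkt.dst_ip = _ipv4(ip[12:16]), _ipv4(ip[16:20])
    l4 = ip[ihl:]
    if pkt.proto in (IPPROTO_TCP, IPPROTO_UDP):
        pkt.src_port, pkt.dst_port = struct.unpack_from("!HH", l4, 0)
    if pkt.proto == IPPROTO_TCP:
        pkt.tcp_flags = l4[13]                 # the byte tcpdump addresses as tcp[13]
    return pkt


def decode_pcap(data: bytes) -> List[Packet]:
    return [decode_frame(f) for f in pcap_records(data)]


def is_syn_only(pkt: Packet) -> bool:
    """Same test as the tcpdump expression tcp[13]&18==2: SYN set and ACK clear."""
    return pkt.proto == IPPROTO_TCP and (pkt.tcp_flags & (TCP_SYN | TCP_ACK)) == TCP_SYN


def web_servers_contacted(data: bytes, client_ip: str) -> List[str]:
    """Mirror of the capture filter 'src host X and tcp port 80 and tcp[13]&18==2'."""
    return sorted({p.dst_ip for p in decode_pcap(data)
                   if p.src_ip == client_ip and p.dst_port == 80 and is_syn_only(p)})


# --- constructed sample capture (made up for this example, not a real trace) ---
def _tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETHERTYPE_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, IPPROTO_TCP, 0,   # checksum left 0
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def _arp_frame() -> bytes:
    return bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)


def build_pcap(frames: List[bytes]) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = build_pcap([
    _tcp_frame("10.0.0.5", "203.0.113.10", 40001, 80, TCP_SYN),              # client opens to server 1
    _tcp_frame("203.0.113.10", "10.0.0.5", 80, 40001, TCP_SYN | TCP_ACK),    # server 1 answers
    _tcp_frame("10.0.0.5", "203.0.113.11", 40002, 80, TCP_SYN),              # client opens to server 2
    _arp_frame(),                                                            # non-IP frame
])

if __name__ == "__main__":
    for p in decode_pcap(SAMPLE_PCAP):
        print(p)
    print(web_servers_contacted(SAMPLE_PCAP, "10.0.0.5"))
```

The decoder deliberately stops at the first header it does not understand (an ARP frame stays a link-layer record), and the SYN-only test shows why the filter in the practical part counts connection attempts rather than replies: a SYN/ACK has bit 0x10 set as well, so tcp[13]&18 evaluates to 18, not 2.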

2. Practical part

  • tcpdump sniffing: run tcpdump -n src \<host ip> and tcp port 80 and "tcp[13]&18==2" while visiting tianya.cn in a browser; the capture shows that three web servers are contacted:

  • Wireshark sniffing of a telnet login to a BBS:

    Start a Wireshark capture, then run telnet bbs.fudan.edu.cn (telnet port 23 must be open, and you need an account you can register and log in with). Enter the account and password to log in to bbs.fudan.edu.cn. In Wireshark apply the filter ip.dst == 202.120.225.9 and tcp.dstport == 23, where 202.120.225.9 is the IP address of the BBS server. After reassembling the conversation with Follow TCP Stream, the following information is obtained:

    Destination IP 202.120.225.9, port 23.

    The account and password (the data) are carried as ASCII codes inside TCP data packets.

    Following the TCP stream gives the plaintext:

    It can also be examined packet by packet.

  • Analysis of the given pcap:

    IP addresses of the attacking machine and the target:

    Before answering the questions, analyze the data:

    The first eight packets: 188:d1 (IP to MAC) broadcasts a packet, after which the router updates its ARP mapping table. The guess is that the 178:a0 NIC was already in promiscuous mode at this point, monitoring the traffic on the segment. Afterwards 178:a0 sends a request and learns the MAC address of 188:d1. Once 188:d1 returns the expected packet (ACK), 178:a0 starts: from the ninth packet on, 178:a0 tries TCP connections to different port numbers on 188:d1, but the other side answers with the RST (reset) status flag, so 178:a0 is presumed to be TCP port-scanning 188:d1. Since no single connection ever sends the third handshake confirmation, the guess is that the scanning tool is nmap doing a SYN scan:

    Later in the data, application-layer protocol fields such as HTTP and SMTP appear, so the guess is that 178:a1 was scanning for open network services:

    Use the filter tcp.flags.ack == 1 and tcp.flags.syn == 1 to filter the open ports (the first packet 178:a0 sends has seq == 0):

    Attacking machine's operating system: the capture contains NBNS packets; the honeypot host is guessed to be Linux.
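As an added example (not code from the write-up), the following reproduces what Follow TCP Stream does for the telnet session described earlier: select one direction with the same condition as the display filter ip.dst == 202.120.225.9 and tcp.dstport == 23, put the segments in sequence order, discard retransmitted bytes, and read the result as ASCII. The server address and port are the ones in the write-up; the client address 10.0.0.5, the sequence numbers and the typed account and password are constructed for the example.

```python
# Added example (not from the write-up): reassemble the client->server half of a
# telnet session from decoded TCP segments, as Wireshark's Follow TCP Stream does.
from typing import List, Tuple

# Decoded record: (src_ip, dst_ip, dst_port, seq, payload). The server address and
# port follow the write-up's filter (ip.dst == 202.120.225.9, tcp.dstport == 23);
# the client address and every payload byte are constructed for this example.
Record = Tuple[str, str, int, int, bytes]
BBS_IP, TELNET_PORT, CLIENT_IP = "202.120.225.9", 23, "10.0.0.5"
FIRST_SEQ = 1001   # sequence number of the first data byte (the SYN used 1000)


def _client(seq: int, data: bytes) -> Record:
    return (CLIENT_IP, BBS_IP, TELNET_PORT, seq, data)


SAMPLE_RECORDS: List[Record] = [
    _client(1001, b"a"), _client(1002, b"d"), _client(1004, b"i"),   # "m" is captured later
    (BBS_IP, CLIENT_IP, 40001, 5000, b"Password: "),                 # server -> client, other direction
    _client(1003, b"m"), _client(1002, b"d"),                        # out-of-order segment + retransmission
    _client(1005, b"n"), _client(1006, b"\r\n"),
    _client(1008, b"s3cret"), _client(1014, b"\r\n"),
]


def select_direction(records: List[Record], dst_ip: str, dst_port: int) -> List[Tuple[int, bytes]]:
    """Equivalent of the display filter 'ip.dst == dst_ip and tcp.dstport == dst_port'."""
    return [(seq, data) for src, dst, dport, seq, data in records
            if dst == dst_ip and dport == dst_port]


def reassemble(segments: List[Tuple[int, bytes]], first_seq: int) -> bytes:
    """Order segments by sequence number, drop bytes already seen (retransmissions,
    overlaps) and stop at the first gap rather than silently skipping lost data."""
    out = bytearray()
    expected = first_seq
    for seq, data in sorted(segments):
        if seq + len(data) <= expected:
            continue                        # nothing new in this segment
        if seq > expected:
            break                           # gap: a segment is missing from the capture
        out += data[expected - seq:]        # trim any overlapping prefix
        expected = seq + len(data)
    return bytes(out)


def typed_lines(stream: bytes) -> List[str]:
    """Telnet carries keystrokes as plain ASCII, so the lines are directly readable."""
    return stream.decode("ascii").split("\r\n")[:-1]


def follow_client_stream(records: List[Record] = SAMPLE_RECORDS) -> bytes:
    return reassemble(select_direction(records, BBS_IP, TELNET_PORT), FIRST_SEQ)


if __name__ == "__main__":
    stream = follow_client_stream()
    print(stream)                 # b'admin\r\ns3cret\r\n'
    print(typed_lines(stream))    # ['admin', 's3cret']
```

Because telnet sends every keystroke in the clear, the account and password come out readable with nothing more than sequence ordering; the same reassembly applied to an SSH session yields only ciphertext, which is the practical reason to retire telnet for logins.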
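As an added example (my code, not the write-up's), this turns the reasoning above into a check that can be run over decoded packets: a bare SYN is a probe, a SYN/ACK reply marks the port open (what the tcp.flags.ack == 1 and tcp.flags.syn == 1 filter lists), a RST reply marks it closed, and an initiator that probes many ports without ever sending the third ACK fits the half-open SYN scan pattern. The record format, the addresses 10.0.0.178 / 10.0.0.188 / 10.0.0.7 and the port list are constructed for the example and are not the addresses in the given pcap.

```python
# Added example (not from the write-up): infer open/closed ports and a half-open
# (SYN) scan pattern from decoded TCP packets, the reasoning applied by hand above.
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10
# (src_ip, dst_ip, src_port, dst_port, tcp_flags)
Record = Tuple[str, str, int, int, int]


def summarize_tcp(records: Iterable[Record]) -> Dict[Tuple[str, str], dict]:
    """Per (initiator, target) pair collect: ports probed with a bare SYN, ports that
    answered SYN/ACK (open), ports that answered RST (closed), and ports on which
    the initiator sent the third ACK (handshake completed)."""
    summary = defaultdict(lambda: {"probed": set(), "open": set(), "closed": set(), "completed": set()})
    for src, dst, sport, dport, flags in records:
        if flags & SYN and not flags & ACK:
            summary[(src, dst)]["probed"].add(dport)
        elif flags & SYN and flags & ACK:
            summary[(dst, src)]["open"].add(sport)            # reply: target -> initiator
        elif flags & RST:
            pair = summary.get((dst, src))                     # a target resetting a probe
            if pair is not None and sport in pair["probed"]:
                pair["closed"].add(sport)
        elif flags & ACK:
            pair = summary.get((src, dst))                     # initiator completing a handshake
            if pair is not None and dport in pair["open"]:
                pair["completed"].add(dport)
    return dict(summary)


def syn_scan_suspects(records: Iterable[Record], min_ports: int = 10) -> Dict[Tuple[str, str], dict]:
    """Initiators that probed many ports on one target without ever completing a
    handshake: the trace a half-open SYN scan leaves behind."""
    return {pair: s for pair, s in summarize_tcp(records).items()
            if len(s["probed"]) >= min_ports and not s["completed"]}


# Constructed sample (made up; the last octets echo the MAC suffixes 178 and 188 in the write-up)
SCANNER, TARGET, CLIENT = "10.0.0.178", "10.0.0.188", "10.0.0.7"
OPEN_PORTS = {22, 80, 443}
PROBED_PORTS = [21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 3306, 8080]


def _sample_records() -> List[Record]:
    recs: List[Record] = []
    for i, port in enumerate(PROBED_PORTS):
        sport = 50000 + i
        recs.append((SCANNER, TARGET, sport, port, SYN))                     # probe
        if port in OPEN_PORTS:
            recs.append((TARGET, SCANNER, port, sport, SYN | ACK))           # open: SYN/ACK
            recs.append((SCANNER, TARGET, sport, port, RST))                 # half-open probe torn down, no third ACK
        else:
            recs.append((TARGET, SCANNER, port, sport, RST | ACK))           # closed: RST
    # an ordinary client completes its handshake with the same web server
    recs += [(CLIENT, TARGET, 41000, 80, SYN), (TARGET, CLIENT, 80, 41000, SYN | ACK),
             (CLIENT, TARGET, 41000, 80, ACK)]
    return recs


SAMPLE_RECORDS = _sample_records()

if __name__ == "__main__":
    for pair, s in syn_scan_suspects(SAMPLE_RECORDS).items():
        print(pair, "probed", len(s["probed"]), "open", sorted(s["open"]), "closed", sorted(s["closed"]))
```

The ordinary client is not flagged because it finishes its handshake; a connect()-style scan would complete handshakes too, so the "no third ACK" condition is specifically the signature of a half-open scan, and the port-count threshold is what separates it from a host that simply opened one odd connection.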

3. Problems and solutions

  • If the library function calls are the same and the same protocol requests are executed, how can one determine the attack tool and the operating system type from a given capture? Unless an intrusion detection system is provided (this feels like the tcpdump traffic data given by the Honeywall).

4. Reflections

。。

References

。。


Source: www.cnblogs.com/chl233/p/12569401.html