Title: A Deeper Look into Network Traffic Analysis using Wireshark
Author: Mohammad Al-Fawa'reh

A Deeper Look into Network Traffic Analysis using Wireshark

Muhammed Alfawareh

King Hussein School of Computing Sciences, Princess Sumaya University for Technology, Amman, Jordan

Abstract— Networks and the Internet are the backbone of businesses in terms of sending and receiving data, as they save time, effort and cost. Using traffic analysis, performance issues can be optimized, network forensics can be carried out and spam can be detected, network proofing with penetration testing can be done, policies can be formed to accommodate usage habits, and integrated systems can be verified to deliver the data. Traffic analysis can also be used with malicious intent: it can be used to monitor the contents of the transmitted data, such as passwords, file names and the communicating parties. This paper discusses all of these things, how the attacker can obtain the traffic, and some countermeasures to reduce this risk.

Keywords: Wireshark, traffic analysis, hijacking attacks.

I. INTRODUCTION

Networks and the Internet are the backbone of business in terms of sending and receiving data, as they save time, effort and cost. Analysis of the network traffic is one of the most important tools used in networking for performance analysis and for detecting problems such as a slow network or a spammer causing trouble on the network. At the same time it is a double-edged weapon: it is also among the most important and dangerous tools used by an adversary to obtain information that helps them gain unauthorized access and steal valuable information [1].

A. Traffic Analysis

Traffic analysis is the process of intercepting and examining packets in order to extract information about the communicating parties. It can be performed even when the communication is encrypted and cannot be decrypted. Traffic analysis can be performed in the context of military intelligence or counter-intelligence, and is a concern in computer security. From it we can learn the communicating parties and the time of a conversation, and we can obtain helpful information such as passwords, file names, etc. Traffic analysis is a special type of inference attack technique that looks at communication patterns between entities in a system [1, 2].

B. Wireshark

Wireshark (previously known as Ethereal) is one of the most efficient tools used for traffic analysis; it is free, open source and available on all major platforms, and it is based on libpcap. It is widely used in networks to solve problems such as performance issues and issues between integrated systems (for example the Avaya Communication Manager and the Tiger system in hotels). Wireshark can also be used in network forensics, by network professionals as well as educators. The tool supports several types of protocols, such as TCP, IP, ARP and HTTP [1-3].

• Performance Issues: the most common issue in companies is a slow connection to the web server. The complication is that every team in the company (networks, system administrators, developers and security) says the problem lies with another team, so Wireshark is a helpful tool: by analyzing the traffic along the whole path at the same time, the problem can be located.

• Integrated Systems: the major problems in integrated systems are synchronization and data loss, but using a powerful tool like Wireshark we can determine the cause of the problem by running Wireshark on both sides at the same time.

• Network Forensics: some companies have bad employees who try to manipulate the network and the systems by sending spam packets to the whole network, and some of them send company data outside the company to give it to a competitor. To fire these people you need hard evidence, so using a traffic analyzer like Wireshark with custom filters we can identify them [4].

• Formulation of Policies: using Wireshark we can determine the major sites visited by employees in the company; based on the result of the analysis we can formulate a policy to prevent access to those sites.

• Penetration Testing: Wireshark enables the penetration tester to discover flaws and breaches in system security at the user authentication level, and also allows verifying that the implementation of the system followed the standard [6].

• Education: Wireshark is one of the most effective tools for understanding and studying communication processes. For example, how do clients get an IP address from a DHCP server? DHCP is one of the most widely used protocols in the world, in both LAN and WLAN networks. It assigns parameters to clients automatically, saving administrators from visiting each device to assign IP addresses, and it also reduces IP address conflicts. Parameters are exchanged between the client and the server in four stages, as shown in Figure 1 [7].

II. NETWORK ATTACKS

The attacker can launch hijacking attacks using traffic analysis; these attacks can be classified into two types:

• Passive attacks
• Active attacks

Fig. 1. DHCP Lease Allocation Process.
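As an added illustration of the four-stage exchange summarized in Figure 1 (this is example code written for this page, not code from the paper), the following Python script builds a constructed DISCOVER/OFFER/REQUEST/ACK sequence, decodes the BOOTP header and the TLV options the way Wireshark's DHCP dissector presents them, and reports the stages and the parameters the client ends up with. The addresses, client MAC and transaction id are made up for the example.

```python
import struct
from dataclasses import dataclass, field

# DHCP message types carried in option 53 (RFC 2132); only the four lease stages matter here.
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field
OPT_OFFSET = 236                      # fixed BOOTP header length before the cookie


@dataclass
class DhcpMessage:
    op: int            # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
    xid: int           # transaction id shared by all four stages of one lease
    yiaddr: str        # "your" IP address: the lease being offered or acknowledged
    chaddr: str        # client hardware (MAC) address
    options: dict = field(default_factory=dict)


def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_dhcp(op, xid, mac, yiaddr, options):
    """Build a minimal BOOTP/DHCP payload. Constructed sample input, not a real capture."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(4) + ip_bytes(yiaddr) + bytes(8)            # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(mac.replace(":", "")) + bytes(10)   # chaddr padded to 16 bytes
    hdr += bytes(64 + 128)                                   # sname and file, unused here
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return hdr + MAGIC_COOKIE + opts + b"\xff"               # 0xff = end option


def parse_dhcp(raw):
    """Decode the header fields and options that Wireshark would show for a DHCP packet."""
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", raw[:12])
    if raw[OPT_OFFSET:OPT_OFFSET + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    msg = DhcpMessage(op, xid, ip_str(raw[16:20]), ":".join(f"{b:02x}" for b in raw[28:34]))
    i = OPT_OFFSET + 4
    while i < len(raw) and raw[i] != 0xFF:
        if raw[i] == 0:                  # pad option carries no length byte
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        msg.options[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def lease_summary(packets):
    """Group decoded messages by xid; report the stage sequence and the parameters of each lease."""
    leases = {}
    for msg in (parse_dhcp(p) for p in packets):
        lease = leases.setdefault(msg.xid, {"stages": [], "client": msg.chaddr})
        lease["stages"].append(MSG_TYPES.get(msg.options[53][0], "OTHER"))
        if lease["stages"][-1] == "ACK":   # the ACK carries the final, binding parameters
            lease.update(
                ip=msg.yiaddr,
                mask=ip_str(msg.options[1]),
                router=ip_str(msg.options[3]),
                lease_seconds=int.from_bytes(msg.options[51], "big"),
                server=ip_str(msg.options[54]),
            )
        lease["complete"] = lease["stages"] == ["DISCOVER", "OFFER", "REQUEST", "ACK"]
    return leases


# Constructed four-stage exchange with hypothetical addresses (not captured data).
XID = 0x3903F326
CLIENT_MAC = "00:0c:29:aa:bb:cc"
SERVER = ip_bytes("192.168.1.1")
PARAMS = {1: ip_bytes("255.255.255.0"), 3: ip_bytes("192.168.1.1"),
          51: (86400).to_bytes(4, "big"), 54: SERVER}
SAMPLE_EXCHANGE = [
    build_dhcp(1, XID, CLIENT_MAC, "0.0.0.0", {53: b"\x01"}),
    build_dhcp(2, XID, CLIENT_MAC, "192.168.1.50", {53: b"\x02", **PARAMS}),
    build_dhcp(1, XID, CLIENT_MAC, "0.0.0.0", {53: b"\x03", 50: ip_bytes("192.168.1.50"), 54: SERVER}),
    build_dhcp(2, XID, CLIENT_MAC, "192.168.1.50", {53: b"\x05", **PARAMS}),
]

if __name__ == "__main__":
    for xid, lease in lease_summary(SAMPLE_EXCHANGE).items():
        print(f"xid=0x{xid:08x} client={lease['client']} stages={lease['stages']} ip={lease.get('ip')}")
```

Grouping by transaction id is what lets you follow one client's lease through the four stages in a busy capture; the same grouping is the basis of Wireshark's "Follow" style views for DHCP.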

Fig. 2. Passive Attack.

A. Passive Attacks

This attack occurs without the victim's knowledge and without touching the victim, as shown in Figure 2: the attacker listens to the conversation, then analyzes the information using a packet analyzer and obtains helpful information such as passwords, cookies, file names and the sites visited by the victim; the attacker is even able to reconstruct voice over IP (VoIP) conversations, as you can see in Figure 3 [8-9].

B. Active Attacks

This type also occurs without the victim's knowledge, but here the attacker touches the victim's data and changes its meaning and content. It can be implemented in several ways, like ARP spoofing, IP spoofing, etc.; in these cases the attacker acts as a man in the middle, as shown in Figure 4 [8-9].

Fig. 4. Active Attack.

III. METHODS TO SNIFF ON A SWITCH

Now we are going to discuss the methods that can be used to sniff packets on a switch, which is an intelligent device.

A. ARP Spoofing

As we know, communication at layer 2 uses MAC addresses: in most scenarios, when we want to send or receive data we need the destination MAC address, so we use the ARP protocol. The main problem with this protocol is that it is stateless, which means any device connected to the switch can send a reply packet pretending to be the destination MAC address or the gateway. In this way the cache entry on the victim machine and on the switch is poisoned, so the attacker can take a copy of any packet sent from any machine to a different network [10-11].

B. MAC Flooding

The switch is a smart device that contains a MAC address table mapping MAC addresses to port numbers, so when a sender transmits data, the data is forwarded to the destination based on the MAC table. The main problem is that switches have a limit on the number of records in the MAC table, so the attacker can use tools like hping3 to generate a massive number of MAC addresses; in this case the switch starts behaving like a hub (a dumb device) and forwards a copy of the data to all devices connected to the switch, the attacker being one of them [11].

Fig. 3. VoIP Conversation.

C. Port Mirroring

Port mirroring is a method of monitoring network traffic. With port mirroring enabled, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed, as you can see in Figure 5. For this type the attacker needs access to the switch, either a direct connection using the console or remotely using a management protocol like HTTP, Telnet or SSH, and adds a couple of commands to the switch to send a copy of the victim's traffic to the attacker's machine [11-12].
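The ARP spoofing and MAC flooding behaviours of Sections III.A and III.B leave visible traces in traffic captured on a mirror port of the kind Section III.C describes. The following Python monitor, added here as an example rather than the paper's own code, checks two things over decoded frames: an ARP reply that rebinds a known IP address (especially the gateway) to a new MAC address, and an unusually large number of distinct source MAC addresses inside a short time window. The frames, addresses and thresholds are constructed for the example; in practice the frames would be exported from a Wireshark or tshark capture and the thresholds tuned to the segment.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One decoded Ethernet frame; constructed fields, as Wireshark would display them."""
    ts: float              # seconds since the start of the capture
    src_mac: str           # Ethernet source address
    arp_op: int = 0        # 0 = not ARP, 1 = ARP request, 2 = ARP reply
    sender_ip: str = ""    # ARP sender protocol address (the IP being claimed)
    sender_mac: str = ""   # ARP sender hardware address (the MAC claiming it)


class L2Monitor:
    """Flags ARP cache poisoning and MAC flooding in frames seen on a mirror port."""

    def __init__(self, trusted=None, flood_window=2.0, flood_threshold=50):
        self.trusted = dict(trusted or {})      # ip -> mac that must never change (gateway, servers)
        self.bindings = {}                      # ip -> mac learned from the first ARP reply seen
        self.recent = deque()                   # (ts, src_mac) for frames inside the window
        self.active = defaultdict(int)          # src_mac -> number of frames inside the window
        self.flood_window = flood_window        # seconds
        self.flood_threshold = flood_threshold  # distinct source MACs per window (illustrative)
        self.flood_open = False                 # suppresses repeated flood alerts
        self.alerts = []

    def _check_arp(self, f):
        # Only replies poison a cache; a reply that rebinds a known IP is the signature.
        if f.arp_op != 2:
            return
        expected = self.trusted.get(f.sender_ip) or self.bindings.get(f.sender_ip)
        if expected is None:
            self.bindings[f.sender_ip] = f.sender_mac
        elif expected != f.sender_mac:
            self.alerts.append(("arp_poisoning", f.sender_ip, expected, f.sender_mac, f.ts))

    def _check_flood(self, f):
        # Sliding count of distinct source MACs; a CAM-table flood shows thousands within seconds.
        self.recent.append((f.ts, f.src_mac))
        self.active[f.src_mac] += 1
        while self.recent and f.ts - self.recent[0][0] > self.flood_window:
            _, old = self.recent.popleft()
            self.active[old] -= 1
            if self.active[old] == 0:
                del self.active[old]
        distinct = len(self.active)
        if distinct > self.flood_threshold and not self.flood_open:
            self.alerts.append(("mac_flooding", distinct, f.ts))
            self.flood_open = True
        elif distinct <= self.flood_threshold:
            self.flood_open = False

    def feed(self, frames):
        for f in sorted(frames, key=lambda x: x.ts):
            self._check_arp(f)
            self._check_flood(f)
        return self.alerts


GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "aa:aa:aa:aa:aa:aa"
VICTIM_IP, VICTIM_MAC = "10.0.0.20", "bb:bb:bb:bb:bb:bb"
ATTACKER_MAC = "cc:cc:cc:cc:cc:cc"

# Constructed capture: legitimate replies, then a poisoning attempt, then a burst of bogus sources.
SAMPLE_FRAMES = [
    Frame(0.0, GATEWAY_MAC, 2, GATEWAY_IP, GATEWAY_MAC),
    Frame(0.1, VICTIM_MAC, 2, VICTIM_IP, VICTIM_MAC),
    Frame(0.5, ATTACKER_MAC, 2, GATEWAY_IP, ATTACKER_MAC),   # claims to be the gateway
    Frame(0.6, ATTACKER_MAC, 2, VICTIM_IP, ATTACKER_MAC),    # and the victim: both sides poisoned
] + [Frame(1.0 + i * 0.01, f"02:00:00:00:00:{i:02x}") for i in range(60)]


def run_demo(frames=SAMPLE_FRAMES):
    """Run the monitor over the constructed capture with the gateway binding pinned."""
    return L2Monitor(trusted={GATEWAY_IP: GATEWAY_MAC}).feed(frames)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Pinning the gateway's MAC in the trusted map is the part that matters most: the learned bindings only tell you that something changed, whereas a trusted entry tells you which of the two MACs is the impostor.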

Fig. 5. Port Mirroring Architecture.

D. Hardware Tool Kits

In this type the attacker uses a hardware tool and connects the kit to the victim's cable, as shown in Figures 6 and 7. Another tool kit can be used, as shown in the figure, if the attacker is connected to the network by Wi-Fi.

IV. COUNTERMEASURES

When the IT staff implement the network, they should be aware of the following set of countermeasures:

• Restrict physical access to the switches and cables to the IT staff only.
• Use TLS/SSL for the communication between the clients and the servers.
• Allow only a specific number of MAC addresses per port, depending on the implementation requirements.
• Use the Dynamic ARP Inspection feature to prevent the attacker from changing the MAC address.
• Use the IP Source Guard feature to prevent the attacker from changing his IP address.
• Use the DHCP snooping feature so that the attacker cannot violate IP Source Guard and Dynamic ARP Inspection.
• Adopt encrypted protocols to manage the switches and routers.
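The countermeasures listed above correspond to concrete switch configuration. As an added example (not from the paper), the following Python script audits Cisco IOS-style running-config text for DHCP snooping, Dynamic ARP Inspection, a port-security MAC address limit, IP Source Guard, trusted uplinks and SSH-only management, and reports what is missing. Both configurations are constructed for the example: the hostname, VLAN number and interface names are assumptions, and the command syntax is Cisco IOS, so switches from other vendors need different patterns.

```python
import re

# Global commands implementing the countermeasures of Section IV (Cisco IOS syntax; assumed platform).
GLOBAL_CHECKS = {
    "dhcp_snooping": r"^ip dhcp snooping$",
    "dhcp_snooping_vlan": r"^ip dhcp snooping vlan \S+",
    "dynamic_arp_inspection": r"^ip arp inspection vlan \S+",
    "ssh_only_management": r"^ transport input ssh$",   # lives under 'line vty', hence indented
}


def interfaces(config):
    """Map each 'interface X' stanza to its indented body lines."""
    pattern = re.compile(r"^interface (\S+)\n((?: .*\n?)*)", re.M)
    return {m.group(1): m.group(2) for m in pattern.finditer(config)}


def audit(config, uplinks=(), max_macs=2):
    """Return a list of findings; an empty list means every checked countermeasure is present."""
    findings = [f"missing {name}" for name, rx in GLOBAL_CHECKS.items()
                if not re.search(rx, config, re.M)]
    for iface, body in interfaces(config).items():
        if iface in uplinks:
            # The uplink toward the real DHCP server must be trusted, or snooping drops valid offers.
            if not re.search(r"^ ip dhcp snooping trust$", body, re.M):
                findings.append(f"{iface}: uplink not marked 'ip dhcp snooping trust'")
            continue
        enabled = re.search(r"^ switchport port-security$", body, re.M)
        limit = re.search(r"^ switchport port-security maximum (\d+)$", body, re.M)
        if not (enabled and limit):
            findings.append(f"{iface}: port-security with a MAC address limit not configured")
        elif int(limit.group(1)) > max_macs:
            findings.append(f"{iface}: port-security maximum {limit.group(1)} exceeds {max_macs}")
        if not re.search(r"^ ip verify source", body, re.M):
            findings.append(f"{iface}: IP Source Guard ('ip verify source') not enabled")
    return findings


# Constructed 'before' configuration: no snooping, no port limits, Telnet management allowed.
WEAK_CONFIG = """hostname access-sw1
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/24
 switchport mode trunk
!
line vty 0 4
 transport input telnet ssh
"""

# Constructed 'after' configuration applying the countermeasures from Section IV.
HARDENED_CONFIG = """hostname access-sw1
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip verify source
!
interface GigabitEthernet0/24
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
line vty 0 4
 transport input ssh
"""

UPLINKS = ("GigabitEthernet0/24",)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg, uplinks=UPLINKS) or ["ok"])
```

The uplink case is the one most often got wrong in practice: enabling DHCP snooping without trusting the port that leads to the legitimate server blocks every lease on the VLAN, which is why the audit treats a missing trust statement on an uplink as a finding rather than silently skipping it.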

Fig. 6. Hardware Wired Tool Kit Connections.

Fig. 7. Alfa Tool Kit for Wireless Connections.

V. CONCLUSIONS

In this paper we discussed the importance of network traffic analysis using Wireshark and its role in solving problems, network forensics, etc. We also discussed the risk that network traffic analysis can be used to obtain helpful information for launching an attack or stealing information. We also addressed many solutions that prevent the adversary from obtaining data, so that even if he gains access to the data, he will get encrypted data.

VI. FUTURE WORK

For future work, I will take the research in this paper a step further to make a comparison between all types of traffic analysis tools and find the best environment to do the analysis at less cost and with minimal delay in responding to the clients' incidents.

VII. ACKNOWLEDGMENT

I would like to express my gratitude to all those who gave me the possibility to complete this paper. I want to thank the Computer Science Department for giving me permission to commence this paper in the first instance, to do the necessary research work and to use departmental data. I am deeply indebted to Dr. Ali Hadi from the CS Department for his guidance, stimulating suggestions and encouragement.

REFERENCES

[1] Ming-Hsing Chiu, Kuo-Pao Yang, Randall Meyer, and Tristan Kidder, "Analysis of a Man-in-the-Middle Experiment with Wireshark".
[2] Mohammed Abdul Qadeer, Mohammad Zahid, "Network Traffic Analysis and Intrusion Detection using Packet Sniffer", 2010.
[3] Mustapha Adamu Mohammed, Ashigbi Franlin Degadzor, Botchey Francis Effrim, Kwame Anim Appiah, "Brute Force Attack Detection and Prevention on a Network Using Wireshark Analysis", 2017.
[4] Natarajan Meghanathan, Sumanth Reddy Allam and Loretta A. Moore, "Tools and Techniques for Network Forensics", IJNSA, Vol. 1, No. 1, April 2009.
[5] Zhifeng Xiao, Yang Xiao, "Network forensics analysis using Wireshark", 2015.
[6] Brandon F. Murphy, "Network Penetration Testing and Research", 2013.
[7] Te-Shun Chou, East Carolina University, "Teaching Network Security through Signature Analysis of Computer Network Attacks".
[8] Ashwani Kumar, "Security Attacks in MANET - A Review", 2011.
[9] D. Madhavi, "TCP Session Hijacking Implementation by Stealing Cookies", Vol. 2, Issue 11, 2015.
[10] Ankita Gupta, Kavita, Kirandeep Kaur, "Vulnerability Assessment and Penetration Testing", International Journal of Engineering Trends and Technology, Volume 4, Issue 3, 2013.
[11] Mohammed Abdul Qadeer, Misbahur Rahman Siddiqui, "Network Traffic Analysis and Intrusion Detection Using Packet Sniffer", January 2010.
[12] Jian Zhang and Andrew Moore, "Traffic Trace Artifacts due to Monitoring Via Port Mirroring".

