1.prof.ysu.ac.kr/pds_update/network analysis with wireshark... · web viewwhen you launch capsa,...
TRANSCRIPT
Network Analysis using Wireshark
10152076
하스비시 지하드 알라외
Cyber Forensic
Youngsan UniversityA. Description of Network Analysis
Network analysis is a branch of graph theory which aims at describing
quantitative properties of networks of interconnected entities by means of mathematical
tools. Any domain which can be described as a set of interconnected objects is a
domain application for network analysis. Its methods and tools work on top of this
abstraction, and as such they are totally indifferent to the nature and properties of the
entities involved, be they train stops in a railway network, individuals of a given social
group bound by kinship relationship, or hosts in a computer network. In particular,
network analysis has recently provided successful algorithms to tackle some important
problems connected to Internet search technologies.
A common search engine can very well return thousands of webpages as the
answer to a single query. In order for the user to be able to quickly identify what
answer best matches the query, results must be ranked according to a relevance
criterion. In-depth content analysis of the results is neither effective nor efficient for a
task which must be accomplished in fractions of seconds over tens of thousands of
webpages. Network analysis provides content-independent effective metrics for
relevance which exclusively rely on the analysis of hyperlink structure of results.
B. Top 20 Free Network Monitoring and Analysis Tools
1. Microsoft Network Monitor
Microsoft Network Monitor is a packet analyzer that allows you to capture,
view and analyze network traffic. This tool is handy for troubleshooting network
problems and applications on the network. Main features include support for over
300 public and Microsoft proprietary protocols, simultaneous capture sessions, a
Wireless Monitor Mode and sniffing of promiscuous mode traffic, amongst others.
When you launch Microsoft Network Monitor, choose which adapter to bind to
from the main window and then click “New Capture” to initiate a new capture tab.
Within the Capture tab, click “Capture Settings” to change filter options, adapter
options, or global settings accordingly and then hit “Start” to initiate the packet
capture process.
2. Nagios
Nagios is a powerful network monitoring tool that helps you to ensure that
your critical systems, applications and services are always up and running. It
provides features such as alerting, event handling and reporting. The Nagios Core is
the heart of the application that contains the core monitoring engine and a basic web
UI. On top of the Nagios Core, you are able to implement plugins that will allow you
to monitor services, applications, and metrics, a chosen frontend as well as add-ons
for data visualisation, graphs, load distribution, and MySQL database support,
amongst others.
Tip: If you want to try out Nagios without needing to install and configure it
from scratch, download Nagios XI and enable the free version. Nagios XI is the pre-
configured enterprise class version built upon Nagios Core and is backed by a
commercial company that offers support and additional features such as more
plugins and advanced reporting.
Note: The free version of Nagios XI is ideal for smaller environments and will
monitor up to seven nodes.
Once you’ve installed and configured Nagios, launch the Web UI and begin to
configure host groups and service groups. Once Nagios has had some time to
monitor the status of the specified hosts and services, it can start to paint a picture of
what the health of your systems look like.
3. OpenNMS
OpenNMS is an open source enterprise grade network management application
that offers automated discovery, event and notification management, performance
measurement, and service assurance features. OpenNMS includes a client app for the
iPhone, iPad or iPod Touch for on-the-go access, giving you the ability to view
outages, nodes, alarms and add an interface to monitor.
Once you successfully login to the OpenNMS web UI, use the dashboard to get
a quick ‘snapshot view’ of any outages, alarms or notifications. You can drill down
and get more information about any of these sections from the Status drop down
menu. The Reports section allows you to generate reports to send by e-mail or
download as a PDF.
4. Advanced IP Scanner
Advanced IP Scanner is a fast and easy to use network scanner that detects any
network devices (including wireless devices such as mobile phones, printers and
WIFI routers) on your network. It allows you to connect to common services such as
HTTP, FTP and shared folders if they are enabled on the remote machine. You are
also able to wake up and shut down remote computers.
The installer allows you to fully install the application on your machine or run
the portable version. When you launch Advanced IP Scanner, start by going to
Settings > Options to select which resources to scan and how fast/accurate you want
the results to be. You can then choose which subnet to scan and proceed with
pressing the “Scan” button. Once the scan is complete, expand the results to see
which resources you are able to connect to for each discovered device.
5. Capsa Free
Capsa Free is a network analyzer that allows you to monitor network traffic,
troubleshoot network issues and analyze packets. Features include support for over
300 network protocols (including the ability to create and customize protocols),
MSN and Yahoo Messenger filters, email monitor and auto-save, and customizable
reports and dashboards.
When you launch Capsa, choose the adapter you want it to bind to and click
“Start” to initiate the capture process. Use the tabs in the main window to view the
dashboard, a summary of the traffic statistics, the TCP/UDP conversations, as well as
packet analysis.
6. Fiddler
Fiddler is a web debugging tool that captures HTTP traffic between chosen
computers and the Internet. It allows you to analyze incoming and outgoing data to
monitor and modify requests and responses before they hit the browser. Fiddler gives
you extremely detailed information about HTTP traffic and can be used for testing
the performance of your websites or security testing of your web applications (e.g.
Fiddler can decrypt HTTPS traffic).
When you launch Fiddler, HTTP traffic will start to be captured automatically.
To toggle traffic capturing, hit F12. You can choose which processes you wish to
capture HTTP traffic for by clicking on “All Processes” in the bottom status bar, or
by dragging the “Any Process” icon from the top menu bar onto an open application.
7. NetworkMiner
NetworkMiner captures network packets and then parses the data to extract
files and images, helping you to reconstruct events that a user has taken on the
network – it can also do this by parsing a pre-captured PCAP file. You can enter
keywords which will be highlighted as network packets are being captured.
NetworkMiner is classed as a Network Forensic Analysis Tool (NFAT) that can
obtain information such as hostname, operating system and open ports from hosts.
In the example above, I set NetworkMiner to capture packets, opened a web
browser and searched for “soccer” as a keyword on Google Images. The images
displayed in the Images tab are what I saw during my browser session.
When you load NetworkMiner, choose a network adapter to bind to and hit the
“Start” button to initiate the packet capture process.
8. Pandora FMS
Pandora FMS is a performance monitoring, network monitoring and
availability management tool that keeps an eye on servers, applications and
communications. It has an advanced event correlation system that allows you to
create alerts based on events from different sources and notify administrators before
an issue escalates.
When you login to the Pandora FMS Web UI, start by going to the ‘Agent
detail’ and ‘Services’ node from the left hand navigation pane. From here, you can
configure monitoring agents and services.
9. Zenoss Core
Zenoss Core is a powerful open source IT monitoring platform that monitors
applications, servers, storage, networking and virtualization to provide availability
and performance statistics. It also has a high performance event handling system and
an advanced notification system.
Once you login to Zenoss Core Web UI for the first time, you are presented
with a two-step wizard that asks you to create user accounts and add your first few
devices / hosts to monitor. You are then taken directly to the Dashboard tab. Use the
Dashboard, Events, Infrastructure, Reports and Advanced tabs to configure Zenoss
Core and review reports and events that need attention.
10. PRTG Network Monitor Freeware
PRTG Network Monitor monitors network availability and network usage
using a variety of protocols including SNMP, Netflow and WMI. It is a powerful tool
that offers an easy to use web-based interface and apps for iOS and Android.
Amongst others, PRTG Network Monitor’s key features include:
(1) Comprehensive Network Monitoring which offers more than 170 sensor
types for application monitoring, virtual server monitoring, SLA monitoring, QoS
monitoring
(2) Flexible Alerting, including 9 different notification methods, status alerts,
limit alerts, threshold alerts, conditional alerts, and alert scheduling
(3) In-Depth Reporting, including the ability to create reports in HTML/PDF
format, scheduled reports, as well as pre-defined reports (e.g. Top 100 Ping Times)
and report templates.
Note: The Freeware version of PRTG Network Monitor is limited to 10
sensors.
When you launch PRTG Network Monitor, head straight to the configuration
wizard to get started. This wizard will run you through the main configuration
settings required to get the application up and running, including the adding of
servers to monitors and which sensors to use.
11. The Dude
The Dude is a network monitoring tool that monitors devices and alerts you
when there is a problem. It can also automatically scan all devices on a given subnet
and then draw and layout a map of your network.
When you launch The Dude, you first choose to connect to a local or remote
network and specify credentials accordingly. Click ‘Settings’ to configure options
for SNMP, Polling, Syslog and Reports.
12. Splunk
Splunk is a data collection and analysis platform that allows you to monitor,
gather and analyze data from different sources on your network (e.g. event logs,
devices, services, TCP/UDP traffic, etc). You can set up alerts to notify you when
something is wrong or use Splunk’s extensive search, reporting and dashboard
features to make the most of the collected data. Splunk also allows you to install
‘Apps’ to extend system functionality.
Note: When you first download and install Splunk, it automatically installs the
Enterprise version for you to trial for 60 days before switching to the Free version.
To switch to the Free version straight away, go to Manager > Licensing.
When you login to the Splunk web UI for the first time, add a data source and
configure your indexes to get started. Once you do this you can then create reports,
build dashboards, and search and analyze data.
13. Angry IP Scanner
Angry IP Scanner is standalone application that facilitates IP address and port
scanning. It is used to scan a range of IP addresses to find hosts that are alive and
obtain information about them (including MAC address, open ports, hostname, ping
time, NetBios information, etc).
When you execute the application, go to Tools > Preferences to configure
Scanning and Port options, then go to Tools > Fetchers to choose what information
to gather from each scanned IP address.
14. Icinga 2
Icigna is a Linux based fully open source monitoring application which checks
the availability of network resources and immediately notifies users when something
goes down. Icigna provides business intelligence data for in depth analysis and a
powerful command line interface.
When you first launch the Icigna web UI, you are prompted for credentials.
Once you’ve authenticated, use the navigation menu on the left hand side to manage
the configuration of hosts, view the dashboard, reports, see a history of events, and
more.
15. Total Network Monitor
Total Network Monitor continuously monitors hosts and services on the local
network, notifying you of any issues that require attention via a detailed report of the
problem. The result of each probe is classified using green, red, or black colors to
quickly show whether the probe was successful, had a negative result or wasn’t able
to complete.
When you launch Total Network Monitor, go to Tools > Scan Wizard to have
the wizard scan a specified network range automatically and assign the discovered
hosts to a group. Alternatively, create a new group manually to start adding
devices/hosts individually.
16. NetXMS
NetXMS is a multi-platform network management and monitoring system that
offers event management, performance monitoring, alerting, reporting and graphing
for the entire IT infrastructure model. NetXMS’s main features include support for
multiple operating systems and database engines, distributed network monitoring,
auto-discovery, and business impact analysis tools, amongst others. NetXMS gives
you the option to run a web-based interface or a management console.
Once you login to NetXMS you need to first go to the “Server Configuration”
window to change a few settings that are dependent on your network requirements
(e.g. changing the number of data collection handlers or enabling network
discovery). You can then run the Network Discovery option for NetXMS to
automatically discover devices on your network, or add new nodes by right clicking
on “Infrastructure Services” and selecting Tools > Create Node.
17. Xymon
Xymon is a web-based system – designed to run on Unix-based systems – that
allows you to dive deep into the configuration, performance and real-time statistics
of your networking environment. It offers monitoring capabilities with historical
data, reporting and performance graphs.
Once you’ve installed Xymon, the first place you need to go is the hosts.cfg
file to add the hosts that you are going to monitor. Here, you add information such as
the host IP address, the network services to be monitored, what URLs to check, and
so on.
When you launch the Xymon Web UI, the main page lists the systems and
services being monitored by Xymon. Clicking on each system or service allows you
to bring up status information about a particular host and then drill down to view
specific information such as CPU utilization, memory consumption, RAID status,
etc.
18. WirelessNetView
WirelessNetView is a lightweight utility (available as a standalone executable
or installation package) that monitors the activity of reachable wireless networks and
displays information related to them, such as SSID, Signal Quality, MAC Address,
Channel Number, Cipher Algorithm, etc.
As soon as you execute WirelessNetView, it automatically populates a list of
all reachable Wi-Fi networks in the area and displays information relevant to them
(all columns are enabled by default).
Note: Wireless Network Watcher is a small utility that goes hand in hand with
WirelessNetView. It scans your wireless network and displays a list of all computers
and devices that are currently connected, showing information such as IP adddress,
MAC address, computer name and NIC card manufacturer – all of which can be
exported to a html/xml/csv/txt file.
19. Xirrus Wi-Fi Inspector
Xirrus Wi-Fi Inspector can be used to search for Wi-Fi networks, manage and
troubleshoot connections, verify Wi-Fi coverage, locate Wi-Fi devices and detect
rogue Access Points. Xirrus Wi-Fi Inspector comes with built-in connection, quality
and speed tests.
Once you launch Wi-Fi Inspector and choose an adapter, a list of available Wi-
Fi connections is displayed in the “Networks” pane. Details related to your current
Wi-Fi connection are displayed in the top right hand corner. Everything pretty much
happens from the top ribbon bar – you can run a test, change the layout, edit settings,
refresh connections, etc.
20. WireShark
This list wouldn’t be complete without the ever popular WireShark. WireShark
is an interactive network protocol analyzer and capture utility. It provides for in-
depth inspection of hundreds of protocols and runs on multiple platforms.
When you launch Wireshark, choose which interface you want to bind to and
click the green shark fin icon to get going. Packets will immediately start to be
captured. Once you’ve collected what you need, you can export the data to a file for
analysis in another application or use the in-built filter to drill down and analyze the
captured packets at a deeper level from within Wireshark itself.
C. Wireshark to Capture, Filter and Inspact Packets
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real
time and display them in human-readable format. Wireshark includes filters, color-
coding and other features that let you dig deep into network traffic and inspect
individual packets.
This tutorial will get you up to speed with the basics of capturing packets, filtering
them, and inspecting them. You can use Wireshark to inspect a suspicious program’s
network traffic, analyze the traffic flow on your network, or troubleshoot network
problems.
Getting Wireshark
You can download Wireshark for Windows or Mac OS X from its official website. If
you’re using Linux or another UNIX-like system, you’ll probably find Wireshark in its
package repositories. For example, if you’re using Ubuntu, you’ll find Wireshark in the
Ubuntu Software Center.
Just a quick warning: Many organizations don’t allow Wireshark and similar tools on
their networks. Don’t use this tool at work unless you have permission.
Capturing Packets
After downloading and installing Wireshark, you can launch it and click the name of an
interface under Interface List to start capturing packets on that interface. For example,
if you want to capture traffic on the wireless network, click your wireless interface.
You can configure advanced features by clicking Capture Options, but this isn’t
necessary for now.
As soon as you click the interface’s name, you’ll see the packets start to appear in real
time. Wireshark captures each packet sent to or from your system. If you’re capturing
on a wireless interface and have promiscuous mode enabled in your capture options,
you’ll also see other the other packets on the network.
Click the stop capture button near the top left corner of the window when you want to
stop capturing traffic.
Color Coding
You’ll probably see packets highlighted in green, blue, and black. Wireshark uses
colors to help you identify the types of traffic at a glance. By default, green is TCP
traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP
packets with problems — for example, they could have been delivered out-of-order.
Sample Captures
If there’s nothing interesting on your own network to inspect, Wireshark’s wiki has you
covered. The wiki contains a page of sample capture files that you can load and inspect.
Opening a capture file is easy; just click Open on the main screen and browse for a file.
You can also save your own captures in Wireshark and open them later.
Filtering Packets
If you’re trying to inspect something specific, such as the traffic a program sends when
phoning home, it helps to close down all other applications using the network so you
can narrow down the traffic. Still, you’ll likely have a large amount of packets to sift
through. That’s where Wireshark’s filters come in.
The most basic way to apply a filter is by typing it into the filter box at the top of the
window and clicking Apply (or pressing Enter). For example, type “dns” and you’ll see
only DNS packets. When you start typing, Wireshark will help you autocomplete your
filter.
You can also click the Analyze menu and select Display Filters to create a new filter.
Another interesting thing you can do is right-click a packet and select Follow TCP
Stream.
You’ll see the full conversation between the client and the server.
Close the window and you’ll find a filter has been applied automatically — Wireshark
is showing you the packets that make up the conversation.
Inspecting Packets
Click a packet to select it and you can dig down to view its details.
You can also create filters from here — just right-click one of the details and use the
Apply as Filter submenu to create a filter based on it.
Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface
of what you can do with it. Professionals use it to debug network
protocol implementations, examine security problems and inspect network protocol
internals.
A.
D. References1. http://www.colasoft.com/resources/network_analysis.php 2. http://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-
inspect-packets/3. http://www.gfi.com/blog/the-top-20-free-network-monitoring-and-analysis-tools-
for-sys-admins/