![Page 1: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/1.jpg)
Network Traffic Analysis
Presented by Ahmed Elshaer, Security Operation Specialist
![Page 2: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/2.jpg)
Agenda
● Why Traffic Analysis
● TCP/IP Review
● The Protocols
● Tcpdump/Tshark Basics
● Wireshark Foundation
● Hands-On Network Forensics
![Page 3: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/3.jpg)
Why Traffic Analysis?
● Gain specific knowledge about the network.
● Investigate and troubleshoot abnormal behavior:
– Abnormal packets.
– Slow network performance.
● Congestion.
● Retransmission.
– Unexpected traffic.
– Broken applications.
– Load balancer issues.
![Page 4: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/4.jpg)
Why Traffic Analysis?
● Network Forensics
– Collecting evidence.
– Incident Handling.
– Tracing attacks.
– Linking infected hosts.
– Determining patient zero.
● Stealing sensitive information.
● Pen-testing.
● Developing IPS/IDS signatures.
![Page 5: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/5.jpg)
How Packet Sniffer Works
● Collection
– The packet sniffer collects raw binary data from the wire.
● Conversion
– The captured binary data is converted into a readable form.
● Analysis
– The actual analysis of the captured and converted data.
– The packet sniffer identifies each packet's protocol based on that protocol's specific features.
![Page 6: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/6.jpg)
TCP/IP Overview: OSI Model
![Page 7: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/7.jpg)
TCP/IP Overview: OSI Model
![Page 8: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/8.jpg)
Network Traffic Analysis
![Page 9: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/9.jpg)
Network Traffic Analysis
● Protocols
– Ethernet
– IP
– TCP/UDP
– DNS
– DHCP
– FTP
– Telnet
– HTTP
![Page 10: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/10.jpg)
Ethernet Frame
![Page 11: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/11.jpg)
IP Packet
![Page 12: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/12.jpg)
TCP Packet
![Page 13: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/13.jpg)
TCP session initiation/termination
![Page 14: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/14.jpg)
TCP session initiation/termination
![Page 15: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/15.jpg)
UDP
![Page 16: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/16.jpg)
The Big Picture !!!
![Page 17: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/17.jpg)
Network Traffic Analysis
● BPF Filters, what !!!
– Berkeley Packet Filter.
– A knowledge of BPF syntax is crucial as you dig deeper into networks at the packet level.
– Allows you to specify exactly which packets you want to capture.
– Gets rid of packets you don't want to capture.
– BPF is how you talk to the network drivers :)
![Page 18: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/18.jpg)
Network Traffic Analysis
![Page 19: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/19.jpg)
Network Traffic Analysis
● Command Line Tools:
– TCPdump
– Tshark
– Dumpcap, why !!!
● Graphical Tools:
– Wireshark
![Page 20: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/20.jpg)
Network Traffic Analysis
● TCPDUMP Basics (1)
![Page 21: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/21.jpg)
Network Traffic Analysis
● TCPDUMP Basics (2)
![Page 22: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/22.jpg)
Network Traffic Analysis
● TCPDUMP Basics (3)
![Page 23: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/23.jpg)
Network Traffic Analysis
● TCPDUMP Examples (1):
– $ sudo tcpdump -n -i eth0 -c 5
– $ sudo tcpdump -n -i eth0 -c 10 -w test01.pcap
– $ tcpdump -n -r test01.pcap
– $ sudo tcpdump -n -i eth0 -c 10 -w icmp.pcap icmp
– $ sudo tcpdump -n -i eth0 -s 0 port 53
– $ sudo tcpdump -n -i eth0 -s 0 port 53 and tcp
– $ sudo tcpdump -n -i eth0 -s 0 tcp port 53
– $ sudo tcpdump -n -r icmp.pcap host 192.168.56.104
![Page 24: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/24.jpg)
Network Traffic Analysis
● TCPDUMP Examples (2):
– $ sudo tcpdump -n -r icmp.pcap src host 10.10.5.10
– $ sudo tcpdump -n -r icmp.pcap dst host 10.18.6.10
– $ sudo tcpdump -n -r icmp.pcap net 10.10.56.0
– $ sudo tcpdump -n -r icmp.pcap src net 10.10.56.0
– $ sudo tcpdump -n -r icmp.pcap dst net 10.10.56.0
● Bash !!!
– Loop over every pcap in a directory and print the FTP USER/PASS lines found in the port 21 traffic:
for file in $(find /pcaps/ -name '*.pcap'); do tcpdump -r "$file" 'port 21' -A | grep -iE 'USER|PASS'; done
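The collection / conversion / analysis pipeline from the "How Packet Sniffer Works" slide, and the host / net / port predicates used in the tcpdump examples above, carried out by hand in Python. This is an added example, not code from the course; it writes and reads the classic pcap format that tcpdump -w produces, decodes Ethernet/IPv4/TCP headers with struct, and filters a constructed two-packet capture (the addresses and ports are made up for the demo; "net" takes CIDR notation, e.g. 10.10.56.0/24, rather than tcpdump's bare 10.10.56.0).

```python
import ipaddress
import socket
import struct

def build_pcap(frames):  # classic little-endian pcap, linktype 1 = Ethernet (what tcpdump -w writes)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:                       # 16-byte record header per packet
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def build_tcp_frame(src, dst, sport, dport, flags=0x02):  # constructed sample frame, checksums zero
    eth = bytes.fromhex("001122334455 66778899aabb 0800")  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp

def decode(frame):  # conversion: raw bytes -> header fields (IPv4 over Ethernet only)
    if frame[12:14] != b"\x08\x00":
        return None
    ip, ihl = frame[14:], (frame[14] & 0x0F) * 4     # IHL gives the IPv4 header length in bytes
    pkt = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "proto": ip[9], "sport": None, "dport": None}
    if pkt["proto"] in (6, 17):                    # TCP and UDP both begin with the two ports
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return pkt

def read_pcap(data):  # collection: walk the pcap records, yield (timestamp, decoded packet)
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "little-endian classic pcap only"
    pos = 24
    while pos + 16 <= len(data):
        ts, _, incl, _ = struct.unpack("<IIII", data[pos:pos + 16])
        pkt, pos = decode(data[pos + 16:pos + 16 + incl]), pos + 16 + incl
        if pkt:
            yield ts, pkt

def matches(pkt, host=None, net=None, port=None, proto=None):  # analysis: tcpdump-style predicates
    ok = proto is None or pkt["proto"] == {"tcp": 6, "udp": 17}[proto]
    ok = ok and (host is None or host in (pkt["src"], pkt["dst"]))
    ok = ok and (port is None or port in (pkt["sport"], pkt["dport"]))
    if net is not None:
        ok = ok and any(ipaddress.ip_address(a) in ipaddress.ip_network(net)
                        for a in (pkt["src"], pkt["dst"]))
    return ok

def count(data, **pred):  # how many packets in the capture satisfy the predicates
    return sum(1 for _, p in read_pcap(data) if matches(p, **pred))

# Constructed capture: a DNS-over-TCP SYN and an HTTP SYN from two different hosts.
SAMPLE = build_pcap([(1, build_tcp_frame("192.168.56.104", "8.8.8.8", 40000, 53)),
                     (2, build_tcp_frame("10.10.56.5", "93.184.216.34", 40001, 80))])
```

Writing SAMPLE to disk gives a file that tcpdump -r and Wireshark open as-is, which is a handy way to check the hand decoder against the real tools.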
![Page 25: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/25.jpg)
Network Traffic Analysis
● Tshark: advanced analysis capabilities
● Tshark = tcpdump++
● Tshark Examples (1):
– To list the interfaces:
● tshark -D
– To listen on an interface:
● tshark -i eth0
● tshark -i 1
![Page 26: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/26.jpg)
Network Traffic Analysis
● Tshark Example (2):
● tshark -n -i wlan0 -p -a filesize:1000 -w 1MB.pcap
● tshark -n -i 7 -c 1000 -w test01.pcap -f 'tcp port 80'
● tshark -n -i 7 -f 'port 53'
● tshark -R "ip.addr == 192.168.56.101" -r test01.pcap
● tshark -R "not arp and not (udp.port == 53)" -r test.pcap
● tshark -Y "http contains user" -r httpcap.pcap -x
● tshark -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -E header=y -r test01.pcap
![Page 27: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/27.jpg)
Network Traffic Analysis
● Dumpcap
– A network traffic dump tool.
– It captures packet data from a live network and writes the packets to a file.
– Why should I use it !!!
![Page 28: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/28.jpg)
Network Traffic Analysis
● Wireshark Basic Operations
– Live Capture
– Open PCAP File
– Basic Filters
– Follow TCP Stream
– Time Stamps
– Expert Info
– Statistics
![Page 29: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/29.jpg)
Network Traffic Analysis
● Wireshark Packet Inspection
– ARP
– IP
– TCP
– HTTP
– FTP
– DNS
– DHCP
![Page 30: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/30.jpg)
Network Traffic Analysis
● Wireshark Advanced Tasks
– SSL Decryption
– Network Forensics and File Carving
● Extract files from FTP
● Extract files from HTTP
![Page 31: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/31.jpg)
Network Traffic Analysis
CTF Time
![Page 32: Network traffic analysis course](https://reader031.vdocuments.mx/reader031/viewer/2022020218/55a9e2c61a28ab77318b4862/html5/thumbnails/32.jpg)
References/more resources
● http://www.chrisbrenton.org/category/security/network/
● http://packetlife.net/library/cheat-sheets/
● Practical Packet Analysis - NoStarchPress
● http://packetlife.net/captures/
● http://wiki.wireshark.org/SampleCaptures
● http://www.netresec.com/?page=PcapFiles
● Network Analysis Sessions by Ahmed Adel