
Solved

Packet Sniffing

Posted on 2003-11-11
Last Modified: 2011-10-03
I need a little help with packet sniffing. I'm trying to explain this as best I can. I have a firm working knowledge of TCP/IP and network protocols. However, I really don't know how to interpret or decode stuff in a packet sniffer such as Ethereal, Analyzer. I can sense some stuff like an IPX packet storm.. Duh, but I'm still in the dark about reading packets as a whole.

I want to:
1. Be able to tell if there is a virus moving around on my network causing problems.
2. Tell if I have a faulty NIC
3. Tell if someone is using a hack tool to gain access to my network.

I'm just trying to get a good general understanding of what the symbols mean like ACK, and SYN_SENT, SYN, things of that nature.

When I do a search on the internet, I get very general info. Some places won't say because they think I want to be a hacker. I don't, I just want to be able to interpret a darn packet sniff from a sniffer program.

Please help
Question by:haasjoh
7 Comments
 
LVL 18

Accepted Solution

by:
chicagoan earned 375 total points
ID: 9729054
This would be a full day class, but here some basics:

The most useful thing a sniffer can provide in a general sense is statistics.
Ethereal is a very basic tool; though there are some analysis tools, they're nothing like the kinds of reports you can generate with a commercial product like Sniffer Pro.
http://www.bolthole.com/solaris/networkpacket.html shows what's in a basic packet.

>1. Be able to tell if there is a virus moving around on my network causing problems.
Viruses per se can be difficult to detect because they can appear to be a web page script or an email attachment, and may only affect the local system. Some worms use the network for propagation, such as Code Red and MSBlaster, and these can be detected with a protocol analyser. What you would see is an abnormal amount of traffic from a host or packets destined for a particular port which is associated with the vulnerability the worm uses. Automated systems called Intrusion Detection Systems use a library of known vulnerabilities to compare packets on the network against and alert you if there's a match. Malware that uses email for propagation will generate a lot of traffic destined for port 25 from hosts that usually wouldn't be sending email directly.

>2. Tell if I have a faulty NIC
You have to have a network card and sniffer that can use promiscuous mode. This captures all data on the network without regard to protocol. Again, statistics will show a lot of packets from a particular MAC address and lead you to the machine.

>3. Tell if someone is using a hack tool to gain access to my network.
Again, a simple sniffer might be a difficult tool to use for this on a busy network. If it's a vulnerability probe, the issues in #1 above would apply. If it's a password cracking attempt at a low rate, it would be lost in the background noise. Host based Intrusion Detection is a better tool for this sort of thing, as the host concentrates rejected login attempts.

Start with http://www.freesoft.org/CIE/Topics/84.htm and www.sans.org 
The tech support areas of the commercial sniffers might make for some interesting reading as well.

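To make the "statistics" point above concrete, here is an added example (not part of the original answer, and not code from any of the tools mentioned) that runs the three checks chicagoan describes over a constructed list of one-line packet summaries: who the top talkers are, which host is touching many peers on one service port (the worm pattern), and which hosts are sending to port 25 even though they are not the mail server. The host addresses, the `MAIL_SERVERS` set and the thresholds are assumptions for the example.

```python
from collections import Counter, defaultdict

# Constructed one-line-per-packet summaries (src_ip, dst_ip, proto, dst_port),
# the kind of view a sniffer shows. These are made up for the example, not a
# real capture: 10.0.0.9 is hammering port 445 on many hosts, and 10.0.0.12,
# which is not the site's mail server, is talking SMTP to many outside hosts.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", "udp", 53),
    ("10.0.0.5", "10.0.0.1", "udp", 53),
    ("10.0.0.7", "10.0.0.1", "udp", 53),
    ("10.0.0.7", "10.0.0.1", "udp", 53),
    ("10.0.0.5", "10.0.0.1", "tcp", 80),
    ("10.0.0.9", "10.0.0.2", "tcp", 445),
    ("10.0.0.9", "10.0.0.3", "tcp", 445),
    ("10.0.0.9", "10.0.0.4", "tcp", 445),
    ("10.0.0.9", "10.0.0.5", "tcp", 445),
    ("10.0.0.9", "10.0.0.6", "tcp", 445),
    ("10.0.0.9", "10.0.0.7", "tcp", 445),
    ("10.0.0.12", "192.0.2.10", "tcp", 25),
    ("10.0.0.12", "192.0.2.11", "tcp", 25),
    ("10.0.0.12", "192.0.2.12", "tcp", 25),
    ("10.0.0.12", "192.0.2.13", "tcp", 25),
    ("10.0.0.12", "192.0.2.14", "tcp", 25),
    ("10.0.0.20", "192.0.2.5", "tcp", 25),   # the real mail relay, expected
]

# Hosts that are allowed to send mail directly (assumed for the example).
MAIL_SERVERS = {"10.0.0.20"}


def per_source_counts(packets):
    """Packets sent by each source address."""
    return Counter(src for src, _dst, _proto, _port in packets)


def per_port_counts(packets):
    """Packets per (protocol, destination port): what the network is mostly doing."""
    return Counter((proto, port) for _src, _dst, proto, port in packets)


def top_talkers(packets, share=0.3):
    """Sources responsible for more than `share` of all packets seen."""
    total = len(packets)
    counts = per_source_counts(packets)
    return sorted(src for src, n in counts.items() if n / total > share)


def fan_out(packets, port, proto="tcp"):
    """Distinct destinations each source contacted on one port. A single host
    touching many peers on one service port is the worm/scan pattern."""
    targets = defaultdict(set)
    for src, dst, p, dport in packets:
        if p == proto and dport == port:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def unexpected_mailers(packets, mail_servers, min_peers=3):
    """Hosts other than the known mail servers talking SMTP (port 25) to
    at least `min_peers` distinct destinations."""
    return sorted(src for src, n in fan_out(packets, 25).items()
                  if src not in mail_servers and n >= min_peers)


def report(packets, mail_servers):
    """Bundle the checks into one summary, the way a stats screen would."""
    return {
        "top_talkers": top_talkers(packets),
        "busiest_ports": per_port_counts(packets).most_common(3),
        "port445_fan_out": fan_out(packets, 445),
        "unexpected_mailers": unexpected_mailers(packets, mail_servers),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_PACKETS, MAIL_SERVERS).items():
        print(f"{key}: {value}")
```

On real data the same counters apply to the packet list a sniffer exports; the thresholds are the part you tune to your own network once you know what normal looks like.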
 
LVL 2

Expert Comment

by:Jason_Deckard
ID: 9730842
Chicagoan has posted some good information for you.  I would like to add that RFCs 791 and 793 are very useful when it comes to interpreting IP and TCP packet headers.

RFC 791: ftp://ftp.rfc-editor.org/in-notes/rfc791.txt
RFC 793: ftp://ftp.rfc-editor.org/in-notes/rfc793.txt


Regards,
Jason Deckard
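Since RFC 791 and RFC 793 give the header layouts byte for byte, an added example (not from the original comment or any of the tools named) that decodes the two headers from raw bytes and names the TCP control bits, which is exactly what a sniffer is doing when it prints "SYN" or "ACK" next to a packet. The sample packets are constructed in the block with zero checksums; the addresses and ports are assumptions for the example.

```python
import struct

# TCP control bits from RFC 793 section 3.1, low bit first.
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# IP protocol numbers (RFC 791 "Assigned Numbers") used here.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def _ip_str(raw4):
    return ".".join(str(b) for b in raw4)


def decode_ipv4(data):
    """Decode the IPv4 header (RFC 791 section 3.1).
    Returns (header fields, the bytes that follow the header)."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4          # IHL is counted in 32-bit words
    if version != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "src": _ip_str(src),
        "dst": _ip_str(dst),
    }, data[ihl:total_len]


def decode_tcp(data):
    """Decode the TCP header (RFC 793 section 3.1) and name its control bits.
    Returns (header fields, payload)."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flags,
     window, _csum, urg) = struct.unpack("!HHIIBBHHH", data[:20])
    data_offset = (off_res >> 4) * 4    # also in 32-bit words
    if data_offset < 20 or len(data) < data_offset:
        raise ValueError("bad TCP data offset")
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_BITS if flags & bit],
        "window": window,
        "urgent": urg,
    }, data[data_offset:]


def describe(packet):
    """One-line summary in the style a sniffer prints."""
    ip, rest = decode_ipv4(packet)
    if ip["protocol"] != "TCP":
        return f'{ip["src"]} -> {ip["dst"]} {ip["protocol"]}'
    tcp, _payload = decode_tcp(rest)
    flags = ",".join(tcp["flags"]) or "none"
    return (f'{ip["src"]}:{tcp["src_port"]} -> {ip["dst"]}:{tcp["dst_port"]} '
            f'[{flags}] seq={tcp["seq"]} ack={tcp["ack"]}')


def build_sample(src, dst, sport, dport, seq, ack, flag_bits):
    """Construct an IPv4+TCP packet for the example. Checksums are left at
    zero, which is fine for decoding but would be rejected by a real stack."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flag_bits, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


# Constructed samples: the opening SYN of a handshake and the SYN,ACK reply.
SAMPLE_SYN = build_sample("10.0.0.5", "10.0.0.1", 49152, 80, 1000, 0, 0x02)
SAMPLE_SYNACK = build_sample("10.0.0.1", "10.0.0.5", 80, 49152, 5000, 1001, 0x12)

if __name__ == "__main__":
    print(describe(SAMPLE_SYN))
    print(describe(SAMPLE_SYNACK))
```

Feed `describe()` the bytes of a captured frame after the Ethernet header (14 bytes for plain Ethernet II) and you get the same summary line Ethereal shows; the point of writing it by hand once is that the "SYN" and "ACK" labels stop being magic and become bits at a fixed offset.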
 
LVL 2

Expert Comment

by:jlindq
ID: 9731213
For 1 and 3, check out a network based intrusion detection system with public source, e.g. Snort (www.snort.org)
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 9731883
I'll second jlindq's recommendation to check out Snort.
 
LVL 2

Expert Comment

by:joele23
ID: 9733224
I just helped someone with a similar problem here
    http://www.experts-exchange.com/Security/Q_20788052.html

Snort is probably the best answer, but, as you stated in your original question, you do not want to try to decipher packets.
My tool of choice is PureSecure which has a free personal version. It uses Snort as your network sniffer but it also has a management console that puts Snort in a more readable format; it even decrypts your hex payload into a human readable format when it can. You can get it here http://www.demarc.com
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9736039
Snort is cool. I also agree with chicagoan's comments as well. There are some toolz out there that can recognize what we can call a "data signature". Now a signature meaning that its data packets present repeat patterns. It matters not what is actually contained in the packet whatsoever, simply the pattern of it and the protocol used. You can tell that you have a nasty one when it has the ability to randomize its data signature across the network. This is how the engines in most AV programs work as well; they look for specific data signatures (patterns) in files.

Remember from TCP/IP that every communication that takes place has that 3-way handshake before communication (session) can begin? Those ACKs and SYNs are the establishment of these sessions across the network. Other commands that you see are for control and such. There will also be ones for termination.

The best way to use a sniffer is to filter out what you know should be there, i.e. traffic belonging to DHCP, DNS, etc.

Understanding the communications of the client/server part of your network along with your applications and what it looks like through the eyes (or should I say nose) of the sniffer will help you in your quest to achieve skills in the sniffer area. The more you can weed down what you know should be there, the better you will be able to identify what shouldn't. You'll know what a broadcast looks like when you see it, you'll know when that Netbus datagram flew across your network.

Here is a site with similar things in mind:
http://www.foundstone.com

Just some thoughts,
HTH
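The two ideas in the post above, the 3-way handshake and weeding out the traffic you already understand, fit together in one added example (not from the original comment, and not code from Snort or any other tool). It takes a constructed list of packets, hides the DNS/DHCP background noise, follows each TCP connection through SYN, SYN/ACK and ACK (with FIN/RST marking the termination the post mentions), and then lists clients whose SYNs were never answered. A handful of those is normal; one host with many, across many ports, is the pattern worth looking at. The addresses, ports and the `EXPECTED_UDP_PORTS` set are assumptions for the example.

```python
from collections import Counter

# Services whose traffic is expected on this LAN and should be hidden from
# the view (assumed for the example): DNS and DHCP.
EXPECTED_UDP_PORTS = {53, 67, 68}


def pkt(src, sport, dst, dport, proto="tcp", flags=()):
    """Tiny packet record, the fields a sniffer summary line carries."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "flags": frozenset(flags)}


# Constructed capture, not real traffic:
#  - 10.0.0.5 completes a normal handshake with the web server 10.0.0.1, then closes
#  - some DNS and DHCP background noise
#  - 10.0.0.9 sends lone SYNs to three ports on 10.0.0.2 that are never answered
SAMPLE = [
    pkt("10.0.0.5", 40000, "10.0.0.1", 80, flags={"SYN"}),
    pkt("10.0.0.5", 5353, "10.0.0.1", 53, proto="udp"),
    pkt("10.0.0.1", 80, "10.0.0.5", 40000, flags={"SYN", "ACK"}),
    pkt("10.0.0.5", 40000, "10.0.0.1", 80, flags={"ACK"}),
    pkt("0.0.0.0", 68, "255.255.255.255", 67, proto="udp"),
    pkt("10.0.0.9", 50001, "10.0.0.2", 135, flags={"SYN"}),
    pkt("10.0.0.9", 50002, "10.0.0.2", 139, flags={"SYN"}),
    pkt("10.0.0.9", 50003, "10.0.0.2", 445, flags={"SYN"}),
    pkt("10.0.0.5", 40000, "10.0.0.1", 80, flags={"ACK", "PSH"}),
    pkt("10.0.0.5", 40000, "10.0.0.1", 80, flags={"FIN", "ACK"}),
]


def is_expected(p):
    """Background traffic we already understand."""
    return p["proto"] == "udp" and (p["sport"] in EXPECTED_UDP_PORTS
                                    or p["dport"] in EXPECTED_UDP_PORTS)


def filter_known(packets):
    """Weed out what should be there so the rest stands out."""
    return [p for p in packets if not is_expected(p)]


def track_handshakes(packets):
    """Follow each TCP connection through SYN -> SYN,ACK -> ACK.
    States are keyed by (client, client port, server, server port)."""
    states = {}
    for p in packets:
        if p["proto"] != "tcp":
            continue
        f = p["flags"]
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])   # client -> server
        rev = (p["dst"], p["dport"], p["src"], p["sport"])   # server -> client
        if f == {"SYN"}:
            states[fwd] = "SYN_SENT"
        elif f == {"SYN", "ACK"} and states.get(rev) == "SYN_SENT":
            states[rev] = "SYN_RECEIVED"
        elif "ACK" in f and states.get(fwd) == "SYN_RECEIVED":
            states[fwd] = "ESTABLISHED"
        if "FIN" in f or "RST" in f:             # termination, either direction
            for key in (fwd, rev):
                if key in states:
                    states[key] = "CLOSING"
    return states


def half_open_by_source(states):
    """Clients whose SYNs never got past SYN_SENT. One or two is normal;
    a host with many, to many ports, is what a probe looks like."""
    return Counter(client for (client, _cp, _s, _sp), st in states.items()
                   if st == "SYN_SENT")


if __name__ == "__main__":
    visible = filter_known(SAMPLE)
    states = track_handshakes(visible)
    for key, st in states.items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {st}")
    print("half-open SYNs by client:", dict(half_open_by_source(states)))
```

The state names are the same ones netstat and the sniffer use (SYN_SENT, SYN_RECEIVED, ESTABLISHED), which is why following a few handshakes by hand on a quiet segment is the quickest way to make those labels mean something.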
 
LVL 18

Expert Comment

by:chicagoan
ID: 9740255
Need more help?
