haasjoh
asked on
Packet Sniffing
I need a little help with packet sniffing. I'm trying to explain this as best I can. I have a firm working knowledge of TCP/IP and network protocols. However, I really don't know how to interpret or decode stuff in a packet sniffer such as Ethereal or Analyzer. I can sense some stuff like an IPX packet storm.. Duh, but I'm still in the dark about reading packets as a whole.
I want to:
1. Be able to tell if there is a virus moving around on my network causing problems.
2. Tell if I have a faulty NIC
3. Tell if someone is using a hack tool to gain access to my network.
I'm just trying to get a good general understanding of what the symbols mean, like ACK, SYN_SENT, SYN, things of that nature.
When I do a search on the internet, I get very general info. Some places won't say because they think I want to be a hacker. I don't, I just want to be able to interpret a darn packet sniff from a sniffer program.
Please help
For 1 and 3, check out a network based intrusion detection system with public source, e.g. Snort (www.snort.org)
I'll second jlindq's recommendation to check out Snort.
I just helped someone with a similar problem here
https://www.experts-exchange.com/questions/20788052/I-need-Intrusion-Detection-Prevention-NOW.html
Snort is probably the best answer, but as you stated in your original question, you do not want to try to decipher packets.
My tool of choice is PureSecure, which has a free personal version. It uses Snort as your network sniffer, but it also has a management console that puts Snort's output in a more readable format; it even decodes your hex payload into a human-readable format when it can. You can get it here: http://www.demarc.com
Snort is cool. I also agree with chicagoan's comments. There are some tools out there that can recognize what we can call a "data signature". A signature here means that the data packets present repeating patterns. It matters not what is actually contained in the packet whatsoever, simply the pattern of it and the protocol used. You can tell that you have a nasty one when it has the ability to randomize its data signature across the network. This is how the engines in most AV programs work as well; they look for specific data signatures (patterns) in files.
Remember from TCP/IP that every communication that takes place has that 3-way handshake before communication (a session) can begin? Those ACKs and SYNs are the establishment of these sessions across the network. Other flags that you see are for control and such. There will also be ones for termination.
The best way to use a sniffer is to filter out what you know should be there, i.e. traffic belonging to DHCP, DNS, etc.
Understanding the communications of the client/server part of your network along with your applications, and what it looks like through the eyes (or should I say nose) of the sniffer, will help you in your quest to achieve skills in the sniffer area. The more you can weed down what you know should be there, the better you will be able to identify what shouldn't. You'll know what a broadcast looks like when you see it; you'll know when that Netbus datagram flew across your network.
Here is a site with similar things in mind:
http://www.foundstone.com
Just some thoughts,
HTH
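As an added example (not part of the original thread), the following Python decodes the TCP flags a sniffer shows and walks constructed frames through the 3-way handshake described above, reporting states such as SYN_SENT and ESTABLISHED per connection. Frame bytes are built locally with zeroed checksums so it runs offline; the frame layout follows RFC 791/793.

```python
import struct

# TCP control bits from RFC 793; a sniffer's SYN/ACK/FIN columns are these bits.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_frame(src, dst, sport, dport, seq, ack, flags):
    """Constructed Ethernet II / IPv4 / TCP frame with no payload and zeroed checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | sum(FLAG_BITS[f] for f in flags), 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp   # dummy MACs, EtherType 0x0800 = IPv4


def decode(frame):
    """Pull out the fields a sniffer displays for one IPv4/TCP frame."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IP header length in bytes (options included)
    if ip[9] != 6:
        raise ValueError("not TCP")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
    addr = lambda raw: ".".join(str(o) for o in raw)
    return {"src": addr(ip[12:16]), "dst": addr(ip[16:20]), "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": [n for n, b in FLAG_BITS.items() if off_flags & b]}


def track_sessions(frames):
    """Replay frames in capture order; return the handshake state per client->server 4-tuple."""
    state = {}
    for fr in frames:
        p = decode(fr)
        f = set(p["flags"])
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        known = fwd if fwd in state else rev if rev in state else None
        if f == {"SYN"}:
            state[fwd] = "SYN_SENT"                    # step 1: client opens
        elif f == {"SYN", "ACK"} and state.get(rev) == "SYN_SENT":
            state[rev] = "SYN_RECEIVED"                # step 2: server answers
        elif "ACK" in f and state.get(fwd) == "SYN_RECEIVED":
            state[fwd] = "ESTABLISHED"                 # step 3: handshake complete
        elif "RST" in f and known:
            state[known] = "RESET"                     # refused, or torn down abruptly
        elif "FIN" in f and known:
            state[known] = "CLOSING"                   # orderly termination begun
    return state
```

Connections that stay in SYN_SENT or end in RESET without ever reaching ESTABLISHED are the ones worth a closer look once the expected DHCP/DNS/server traffic has been filtered out.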
Need more help?
RFC 791: ftp://ftp.rfc-editor.org/in-notes/rfc791.txt
RFC 793: ftp://ftp.rfc-editor.org/in-notes/rfc793.txt
Regards,
Jason Deckard