Analyzing Network Traffic

Overview

The most common task in network forensics is analyzing network traffic. Such analysis is commonly done with a packet analyzer: a tool that captures network traffic, decodes the raw bytes, and interprets each packet according to the protocols it contains. In this section we first look at “pcap files,” files containing captured network traffic, and then at some of the most commonly used packet analyzers, starting with Wireshark and tcpdump.

pcap files

“pcap” (packet capture) is the term used for the means of capturing network traffic. Captured data can then be stored to a file (often with the “.pcap” file extension) for later analysis. Analysis is done with a packet analyzer, as mentioned above, which parses the raw captured packets, interpreting them and determining the values of the various header fields according to the specific protocols contained in each packet.

More information on pcap can be found at: http://en.wikipedia.org/wiki/Pcap
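To make the structure of a pcap file concrete, here is a minimal reader, added as an example for this section and not code from the lab or from the Wireshark project. It walks the 24-byte global header (whose magic number also reveals the byte order the capturing host used), then each 16-byte per-packet record header, and decodes Ethernet, IPv4 and TCP fields the way a packet analyzer would. The two-packet capture it parses is constructed in code with made-up addresses (10.0.0.5 and 192.0.2.10) rather than recorded from a network.

```python
"""Minimal reader for the classic libpcap (.pcap) format.

Added example, not code from the page: decodes the 24-byte global header,
each 16-byte record header, then Ethernet / IPv4 / TCP so you can see how a
packet analyzer turns raw bytes into fields. Only Ethernet captures are handled.
"""
import socket
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps


def parse_pcap(data):
    """Return a list of decoded packet dicts from the bytes of a .pcap file."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    # The magic number reveals the byte order the capturing host used.
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (unknown magic number)")
    nanos = magic == PCAP_MAGIC_NSEC
    _, _major, _minor, _zone, _sig, _snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet link-layer captures are handled here")
    packets, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        offset += incl_len
        rec = {"ts": ts_sec + ts_frac / (1e9 if nanos else 1e6), "len": orig_len}
        rec.update(decode_ethernet(frame))
        packets.append(rec)
    return packets


def decode_ethernet(frame):
    """Ethernet II: 6-byte dst, 6-byte src, 2-byte EtherType (network byte order)."""
    if len(frame) < 14:
        return {"proto": "eth-short"}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return {"proto": "eth:0x%04x" % ethertype}
    return decode_ipv4(frame[14:])


def decode_ipv4(pkt):
    """IPv4 fixed header; the IHL field gives the real header length (options included)."""
    if len(pkt) < 20:
        return {"proto": "ipv4-short"}
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    rec = {"proto": "ipv4", "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl}
    payload = pkt[ihl:total_len]
    if proto == 6:
        rec.update(decode_tcp(payload))
    elif proto == 17:
        rec["proto"] = "udp"
    return rec


def decode_tcp(seg):
    """TCP header: ports, seq/ack numbers, data offset and the flag bits."""
    if len(seg) < 20:
        return {"proto": "tcp-short"}
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    data_off = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x1FF
    flags = [n for bit, n in ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"))
             if flag_bits & bit]
    return {"proto": "tcp", "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": seg[data_off:]}


def _tcp_frame(src, dst, sport, dport, seq, ack, flags):
    """Build one Ethernet/IPv4/TCP frame (checksums left zero; the reader does not verify them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed two-packet capture (a SYN and its SYN-ACK); not a real recording."""
    frames = [_tcp_frame("10.0.0.5", "192.0.2.10", 49152, 80, 1000, 0, 0x02),
              _tcp_frame("192.0.2.10", "10.0.0.5", 80, 49152, 5000, 1001, 0x12)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000, i * 1000, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for p in parse_pcap(build_sample_pcap()):
        print(p["src"], p["sport"], "->", p["dst"], p["dport"], ",".join(p["flags"]))
```

Point `parse_pcap` at the bytes of any small Ethernet capture saved by Wireshark or tcpdump and compare its output with the Frame, IP and TCP panes in Wireshark; the reader deliberately stops at TCP so that the header-walking logic stays visible.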

Wireshark

Wireshark is the best-known and easiest-to-use packet analyzer. It, along with extensive documentation, videos, and other resources, can be found at http://www.wireshark.org/. The best way to learn Wireshark is simply to use it, so I encourage you to download it, install it, and start capturing traffic. A couple of small notes are in order. First, when you install Wireshark make sure you also install the pcap driver (called WinPcap if you are using Windows), or else you won’t be able to capture any traffic. Second, if you plan on capturing traffic other than your own computer’s traffic, make sure you have permission to do so.

The purpose of this lab is to provide a quick hands-on introduction to what can be done with Wireshark. Wireshark has an incredible amount of features and we won’t cover most of them. The point of this lab is to introduce you to Wireshark so that you can play around with it further on your own.

  1. Download and install Wireshark from:
    http://www.wireshark.org
  2. Watch the following video introduction to Wireshark created by the lead developer of the Wireshark project:
    http://wiresharkdownloads.riverbed.com/video/wireshark/introduction-to-wireshark/

    Note: Many of the remaining steps in this lab assume you have watched the video. Therefore, it is important that you do so.

  3. We are going to use Wireshark to capture some HTTP traffic. It will be easiest to understand the captured traffic if you first close any open web browser windows and only browse to the websites specified below. Open Wireshark, select the interface you want to capture on,[1] and start capturing packets.[2]
  4. Browse to the following website:
    http://isis.poly.edu/~cyfor/wiresharkLab1.html
  5. Stop capturing packets.

    You have now obtained your first Wireshark capture. You may see a variety of captured packets that don’t seem to relate to the website you browsed to. This is normal as other network activities may be occurring at the same time.
  6. Below are a series of challenges to complete using your capture.

Challenges

  1. What is your IP address?

  2. Filter the packets for those using the DNS protocol. Using the results, determine the IP addresses of the DNS server and of isis.poly.edu. If you browsed to this site before beginning the packet capture, there may not be a DNS request for it. Research and explain why this is so.

  3. Find the packet containing the HTTP GET request for the website we browsed to in the capture, and split the request into the three components of an HTTP request.

  4. Create a couple of interesting filters and indicate what they are filtering.

  5. Utilize the “Follow TCP Stream” feature to follow the conversation between your computer and isis.poly.edu.

  6. Find the TCP three-way handshake for the connection to isis.poly.edu.
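Challenges 3 and 6 can be checked programmatically once the packets have been decoded. The helpers below are an added example written for this lab, not part of the original handout or of Wireshark: one splits a raw HTTP request into its request line, headers and body, the other locates a three-way handshake by checking that the SYN, SYN-ACK and ACK chain their sequence and acknowledgement numbers correctly (each side's initial sequence number plus one). The packet list is constructed inline with made-up addresses and ports and includes an unrelated DNS packet so the filtering step is visible; the dict fields (proto, src, dst, sport, dport, seq, ack, flags, payload) are an assumed shape mirroring Wireshark's columns.

```python
"""Added helpers for two of the lab challenges (not part of the original lab):
splitting an HTTP request into its three parts and locating the TCP three-way
handshake in a list of already-decoded packets. Packet dicts are assumed to carry
proto, src, dst, sport, dport, seq, ack, flags and payload, like Wireshark's columns."""


def split_http_request(raw):
    """Split a raw HTTP/1.x request into (request_line, headers, body).
    request_line is (method, target, version); headers is a dict keyed by lowercase name."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no blank line ending the headers")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return (method, target, version), headers, body


def _tcp_endpoints(p):
    """(src, sport, dst, dport) for a TCP packet, or None for anything else (e.g. DNS over UDP)."""
    if p.get("proto") != "tcp":
        return None
    return (p["src"], p["sport"], p["dst"], p["dport"])


def find_handshake(packets, server_ip, server_port=80):
    """Return indices (syn, syn_ack, ack) of the first complete handshake to
    server_ip:server_port, verifying that sequence numbers chain correctly; None if absent."""
    for i, p in enumerate(packets):
        ep = _tcp_endpoints(p)
        if ep is None or ep[2:] != (server_ip, server_port) or set(p["flags"]) != {"SYN"}:
            continue
        client_isn, client = p["seq"], ep[:2]
        for j in range(i + 1, len(packets)):
            q = packets[j]
            if _tcp_endpoints(q) != (server_ip, server_port) + client:
                continue
            if set(q["flags"]) == {"SYN", "ACK"} and q["ack"] == client_isn + 1:
                server_isn = q["seq"]
                for k in range(j + 1, len(packets)):
                    r = packets[k]
                    if (_tcp_endpoints(r) == client + (server_ip, server_port)
                            and set(r["flags"]) == {"ACK"}
                            and r["seq"] == client_isn + 1 and r["ack"] == server_isn + 1):
                        return (i, j, k)
                break  # SYN-ACK seen but never acknowledged; try the next SYN
    return None


def first_request(packets, server_ip, server_port=80):
    """Split the HTTP request carried by the first payload sent to the server after its handshake."""
    hs = find_handshake(packets, server_ip, server_port)
    if hs is None:
        return None
    for p in packets[hs[2] + 1:]:
        ep = _tcp_endpoints(p)
        if ep and ep[2:] == (server_ip, server_port) and p["payload"]:
            return split_http_request(p["payload"])
    return None


def _pkt(src, sport, dst, dport, flags, seq=0, ack=0, proto="tcp", payload=b""):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "seq": seq, "ack": ack, "payload": payload}


SAMPLE_GET = (b"GET /~cyfor/wiresharkLab1.html HTTP/1.1\r\n"
              b"Host: isis.poly.edu\r\nUser-Agent: lab-client\r\n\r\n")

# Constructed packet list; the addresses and ports are made up, not a real capture.
SAMPLE_PACKETS = [
    _pkt("10.0.0.5", 49152, "192.0.2.10", 80, ["SYN"], seq=1000),
    _pkt("10.0.0.5", 53001, "10.0.0.1", 53, [], proto="udp"),   # unrelated DNS query
    _pkt("192.0.2.10", 80, "10.0.0.5", 49152, ["SYN", "ACK"], seq=5000, ack=1001),
    _pkt("10.0.0.5", 49152, "192.0.2.10", 80, ["ACK"], seq=1001, ack=5001),
    _pkt("10.0.0.5", 49152, "192.0.2.10", 80, ["PSH", "ACK"], seq=1001, ack=5001, payload=SAMPLE_GET),
]

if __name__ == "__main__":
    print("handshake at packets", find_handshake(SAMPLE_PACKETS, "192.0.2.10"))
    print(first_request(SAMPLE_PACKETS, "192.0.2.10"))
```

The handshake check insists on the acknowledgement numbers, not just the flag pattern, which is what distinguishes a genuine handshake from a stray SYN and an unrelated SYN-ACK that happen to be adjacent in a busy capture.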


[1] If you have multiple capture interfaces and are unsure which interface you should be using, click on the Capture pull-down menu and then select “Interfaces.” This window shows how many packets are passing through each interface. Browse to a website and see which interface shows a large number of packets going over it; that is the correct interface for this initial lab.

[2] If you aren’t sure how to start a capture, there are a few ways. The easiest way would be to press the “Start a new live capture” button which is located on the header toolbar on the main Wireshark window.

Further information on this module can be found at the following links.
