
Packet Analysis for Beginners
Lisa Bock, Pennsylvania College of Technology
Topics Covered
Overview of Packet Analysis
The OSI Model
The TCP/IP Protocol Suite
- Normal Network Communication - TCP and UDP
Abnormal Communication
- Scanning
- Malware
Overview of Packet Analysis
Packet analysis uses a packet sniffer (also called a network monitor or analyzer) to monitor and troubleshoot network traffic.
As data flows across the network, the sniffer captures each packet and decodes the packet's raw bits
- Showing the field values in the packet according to the appropriate RFC or other specification.
The information can identify bottlenecks and help maintain efficient network data transmission.
Uses for Packet Analysis
Analyze network problems
Detect network intrusion attempts and network misuse
Perform regulatory compliance through content monitoring of perimeter and endpoint traffic
Monitor bandwidth utilization
Verify endpoint security status
Gather and report network statistics
Some Common Packet Analyzers
Cain and Abel
Carnivore (FBI - monitors all of a target user's Internet traffic)
dSniff
ettercap
ngrep, Network Grep
OmniPeek
Snoop
Tcpdump
Wireshark (formerly known as Ethereal)
Packet Capture
The traffic captured depends on the placement of the capture device.
On a switch, the packet sniffer will see only the data the switch forwards to and from the capture device's own port
Traffic seen will be unicast, broadcast, or multicast.
To see all traffic, use port monitoring (SPAN) on the switch, or place a full-duplex tap in line with the traffic

http://wiki.wireshark.org/CaptureSetup/Ethernet
The OSI Model
In order to understand packet analysis you must understand the way data is prepared for transit.
The OSI model is a seven-layer representation of how data changes in form as each layer provides services to the next layer
- Data encapsulates or de-encapsulates
The OSI Model

Layer                                  PDU       Address
Application / Presentation / Session   Data
Transport                              Segment   Port
Network                                Packet    IP
Data Link                              Frame     MAC
Physical                               Bits
Wireshark
The tool we will use for demonstration is Wireshark, formerly Ethereal, an open-source packet analyzer: http://www.wireshark.org
Download and install Wireshark – make sure you install WinPCap (Windows Packet Capture) if you are using Windows
For a live capture, launch Wireshark and click the name of an interface under Capture Interfaces to start capturing packets on that interface.
Wireshark
Checkmark the interface you want to capture on
Configure advanced features by clicking Options
Select the interface with active packet exchange
The OSI Model
In Wireshark, select any TCP frame and you will see the frame contents from layer 2-7:
Frame, Packet, Segment, Data
For a review go to http://wiki.wireshark.org/Ethernet


Help in Wireshark
Easily find help in Wireshark, including Sample Captures
Capture Packets
We will use pre-captured packets found in your folder and review normal traffic versus abnormal traffic
Once you open a capture you will see three panes:
- The Packet List view - a list of all of the packets received during the capture session.
- The middle window is the Details view.
- The bottom is the individual Packet Bytes
TCP Example
Normal traffic
Three-way handshake packets 1,2,3
Review port numbers, flags, SEQ ACK numbers, stream index
Packets 38-39 FIN packets
Packet 4 get image: File->export objects

http://www.symantec.com/connect/articles/studying-normal-traffic-part-three-tcp-headers
UDP Example
UDP provides connectionless Transport Layer service to other applications on the Internet without having to go through a handshake or connection process.
It is a simple protocol that does not provide any ordering or data integrity services.
UDP is an unreliable service.
Few problems occur with UDP.
What uses UDP?
Commonly used in video streaming and time-sensitive applications.
UDP Applications:
- Domain Name System (DNS)
- Routing Information Protocol (RIP)
- Voice over IP (VoIP)
- Trivial File Transfer Protocol (TFTP)
- Domain Host Configuration Protocol (DHCP)

17 2015 Cengage Learning Computing Conference


DNS
Filter UDP and you will see the DNS packets
DNS converts symbolic host names such as google.com to an IP address (72.14.204.103)
Transfers name information between DNS servers
- DNS uses TCP for a zone transfer
Looks up other host names such as mail exchange (MX) records
DNS is essential to any network
Normal DNS Queries/Responses
Client sends a query to the DNS server for an IP address
Server responds with the information it has, or asks other DNS servers for the information
All DNS packets have four (4) sections:
- Questions
- Answer Resource Records
- Authority Resource Records
- Additional Resource Records
DNS Packet Structure - Flags
If RD is set, it directs the name server to pursue the query recursively.
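To make the four sections and the RD flag concrete, here is a small decoder for the DNS header and question section. It is an added example, not part of the original slides; the query bytes are constructed by hand (a recursive A query for example.com), and QTYPE_NAMES is a deliberately short lookup of the record types the slides mention.

```python
import struct

# Constructed sample: a standard recursive query for example.com, type A, class IN.
# Header: ID=0x1a2b, flags=0x0100 (only RD set), QDCOUNT=1, other counts 0.
SAMPLE_QUERY = bytes.fromhex(
    "1a2b" "0100" "0001" "0000" "0000" "0000"   # 12-byte header
    "07" "6578616d706c65" "03" "636f6d" "00"   # QNAME: 7 "example", 3 "com", root
    "0001" "0001"                              # QTYPE=A, QCLASS=IN
)
QTYPE_NAMES = {1: "A", 15: "MX", 28: "AAAA"}

def parse_dns_header(pkt):
    """Decode the 12-byte DNS header (RFC 1035 4.1.1): flag bits and section counts."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),          # QR: 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,                # 0 = standard query
        "authoritative": bool(flags & 0x0400),        # AA
        "truncated": bool(flags & 0x0200),            # TC
        "recursion_desired": bool(flags & 0x0100),    # RD: ask the server to recurse
        "recursion_available": bool(flags & 0x0080),  # RA
        "rcode": flags & 0xF,                         # 0 = NOERROR, 3 = NXDOMAIN
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }

def parse_question(pkt, offset=12):
    """Read the first question: label-encoded QNAME, then QTYPE and QCLASS."""
    labels = []
    while True:
        length = pkt[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:   # compression pointer: legal in answers, never expected here
            raise ValueError("compressed name in question section")
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", pkt[offset:offset + 4])
    return {"qname": ".".join(labels), "qtype": qtype, "qclass": qclass}

def summarize(pkt):
    """One-line description in the spirit of Wireshark's Info column."""
    hdr, q = parse_dns_header(pkt), parse_question(pkt)
    kind = "response" if hdr["is_response"] else "query"
    qtype = QTYPE_NAMES.get(q["qtype"], "TYPE%d" % q["qtype"])
    rd = "RD" if hdr["recursion_desired"] else "no-RD"
    return "Standard %s 0x%04x %s %s (%s)" % (kind, hdr["id"], qtype, q["qname"], rd)
```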
FTP – Grab a Pic
Purpose of FTP is to transfer files over TCP
Uses both ports 20 and 21
- Command channel is designated on port 21 for the FTP server.
- To transfer data like directory contents or files, a secondary channel, port 20, is used.
Filter FTP-data traffic - then follow the TCP stream. Save as .jpg
Reassemble the Streams
Can reassemble and obtain content if data is not encrypted
Filter ftp-data traffic
Right click, choose Follow TCP Stream, show the data as Raw, and click Save As, naming the file mystery.jpg
Go to where you saved the file and open it!
Internet Control Message Protocol
ICMP is used by routers, intermediary devices, or hosts to communicate updates or error information to other routers, intermediary devices, or hosts.
- Used to troubleshoot network issues
- Not used to exchange data between systems
ICMP is used by ping because it can generate echo-request/echo-reply query messages.
A scout for IP!
Internet Control Message Protocol
Four types of query messages characterize the output generated by the ping command.
- Echo request/echo reply: used to test reachability
- Time stamp request/time stamp reply: used to compute delay between time stamps
- Information request/information reply: locates the address of the local IP network
- Subnet mask request/subnet mask reply: subnet information is exchanged
ICMP - Dest Unreachable
RFC 792 – "ICMP is actually an integral part of IP, and must be implemented by every IP module."
ICMP Error Codes
Type 3 Destination Unreachable Codes
- 0 - Net Unreachable
- 1 - Host Unreachable
- 2 - Protocol Unreachable
Type 5 Redirect Codes
- 0 - Redirect Datagram for Network
- 1 - Redirect Datagram for Host
- 2 - Redirect Datagram for Type of Service
ICMP Error Codes
Type 11 Time Exceeded Codes
- 0 - TTL Exceeded
- 1 - Fragment Reassembly Time Exceeded
Type 12 Parameter Problem Codes
- 0 - Pointer Indicates the Error
- 1 - Missing Required Option
- 2 - Bad Length
ICMP - Errors
Frame 5: Destination Unreachable (Port Unreachable) in response to SNMP, port 161
A response with a nested packet
- We have the IP header used to send the packet to the target
- The Destination Unreachable message that comes back carries the original IP header plus the first 64 bits of the original datagram
ICMP is used in reconnaissance by Kali Linux

http://it-ebooks.info/book/3000/
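The nested-packet idea from frame 5 is easiest to see by decoding such a message. The following is an added example, not from the slides: it verifies the ICMP checksum, reads the type 3 code, and digs the original source, destination and ports out of the quoted IP header and the 64 bits that follow it. The sample message is constructed here to mirror the slide's scenario (an SNMP probe to UDP/161 answered with Port Unreachable); the addresses are made up.

```python
import socket
import struct

ICMP_TYPES = {3: "Destination Unreachable", 5: "Redirect", 11: "Time Exceeded", 12: "Parameter Problem"}
UNREACH_CODES = {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable", 3: "Port Unreachable"}

def inet_checksum(data):
    """RFC 1071 one's-complement sum; a message carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_port_unreachable(orig_ip_header, orig_first8):
    """Constructed sample data: a type 3 / code 3 message quoting the original datagram."""
    body = orig_ip_header + orig_first8
    csum = inet_checksum(struct.pack("!BBHI", 3, 3, 0, 0) + body)
    return struct.pack("!BBHI", 3, 3, csum, 0) + body

def parse_dest_unreachable(msg):
    """Decode the error plus the nested IP header and 64 bits of the original datagram."""
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, _unused = struct.unpack("!BBHI", msg[:8])
    if itype != 3:
        raise ValueError("not Destination Unreachable: type %d" % itype)
    inner = msg[8:]
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _hcs, src, dst = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    first8 = inner[ihl:ihl + 8]                  # the 64 bits following the original IP header
    info = {"type": ICMP_TYPES[itype], "code": UNREACH_CODES.get(code, "code %d" % code),
            "orig_src": socket.inet_ntoa(src), "orig_dst": socket.inet_ntoa(dst),
            "orig_proto": proto, "orig_ttl": ttl}
    if proto in (6, 17) and len(first8) >= 4:   # TCP/UDP: source and destination ports come first
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", first8[:4])
    return info

# Constructed sample: 192.168.1.10 sent an SNMP query (UDP/161) to 192.168.1.20, which runs
# no SNMP agent and answers with Port Unreachable quoting the original datagram.
ORIG_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0x1234, 0, 64, 17, 0,
                      socket.inet_aton("192.168.1.10"), socket.inet_aton("192.168.1.20"))
ORIG_UDP8 = struct.pack("!HHHH", 49153, 161, 16, 0)   # src port, dst port, length, checksum
SAMPLE = build_port_unreachable(ORIG_IP, ORIG_UDP8)
```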
DDOS
Go to http://map.ipviking.com/

Network Scans
Nmap is a tool used to discover hosts and services on a network, and create a "map" of the network.
- It can be used either legitimately or maliciously to quickly scan thousands of ports, and to discriminate between ports in open, closed and filtered states.
By default, Nmap performs a SYN Scan, which works against any TCP stack.
Nmap
Scanning can be used as a passive attack in the form of reconnaissance.
After running a scan, the software will output results from the IP range you selected:
- Ports/Hosts - the results of the port scan, including the well-known services for those ports.
- Topology - an interactive view of the connections between hosts in a network.
- Host Details - details such as the number of ports, IP addresses, hostnames, operating systems, and more.
Normal Three Way Handshake

Port Scan
A command line tool such as tcpdump will provide a way to analyze traffic
Open Wireshark OUT
Do you see a pattern?
An ACK/RST sent in response to a SYN frame acknowledges receipt of the frame but lets the client know that the server cannot allow the connection on that port.

Port Scan
Same source and destination IP address
Only the SYN flag is set
The destination port number of each packet changes as it tries every port

http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-two
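The three signature traits just listed (one source/destination pair, SYN only, destination port changing every packet) can be turned into a simple detector. This is an added example, not material from the slides or from Nmap: it decodes TCP flags from raw headers, then flags any pair that sends SYN-only probes to many distinct ports, counting RST/ACK replies as closed ports and SYN/ACK replies as open ones. The capture is constructed in the script (made-up 10.0.0.x addresses) and the min_ports threshold is an assumption to tune per network.

```python
import struct
from collections import defaultdict

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (constructed sample data; checksum left 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)

def decode(src, dst, hdr):
    """Pull ports and the flag set out of a raw TCP header, as Wireshark's detail pane shows them."""
    sport, dport, _seq, _ack, _offs, flags = struct.unpack("!HHIIBB", hdr[:14])
    names = {n for n, bit in TCP_FLAGS.items() if flags & bit}
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": names}

def find_syn_scans(packets, min_ports=5):
    """Report (src, dst) pairs that send SYN-only probes to at least min_ports distinct ports."""
    probed = defaultdict(set)
    closed = defaultdict(int)
    opened = defaultdict(int)
    for p in packets:
        pair = (p["src"], p["dst"])           # scanner -> target
        back = (p["dst"], p["src"])           # a reply is keyed by the pair it answers
        if p["flags"] == {"SYN"}:
            probed[pair].add(p["dport"])
        elif p["flags"] == {"RST", "ACK"}:    # closed port: the slide's "Ack Reset"
            closed[back] += 1
        elif p["flags"] == {"SYN", "ACK"}:    # open port: second step of the handshake
            opened[back] += 1
    return {pair: {"ports_probed": sorted(ports), "closed": closed[pair], "open": opened[pair]}
            for pair, ports in probed.items() if len(ports) >= min_ports}

# Constructed sample capture: 10.0.0.5 walks six ports on 10.0.0.9; only port 80 answers SYN/ACK.
SCANNER, TARGET = "10.0.0.5", "10.0.0.9"
SAMPLE = []
for port in (21, 22, 23, 25, 80, 443):
    SAMPLE.append(decode(SCANNER, TARGET, tcp_header(40000, port, TCP_FLAGS["SYN"])))
    reply = TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"] if port == 80 else TCP_FLAGS["RST"] | TCP_FLAGS["ACK"]
    SAMPLE.append(decode(TARGET, SCANNER, tcp_header(port, 40000, reply)))
# One legitimate three-way handshake from another host must not be flagged.
SAMPLE.append(decode("10.0.0.7", TARGET, tcp_header(50000, 443, TCP_FLAGS["SYN"])))
SAMPLE.append(decode(TARGET, "10.0.0.7", tcp_header(443, 50000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])))
SAMPLE.append(decode("10.0.0.7", TARGET, tcp_header(50000, 443, TCP_FLAGS["ACK"])))
```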
Port Scan
In packets 14, 15 and 16 we see an actual connection
Then it continues to attempt another connection in packets 18, 19, 20
Enable SYN flood protection

SEC-Bittorrent
BitTorrent uses a distributed sloppy hash table (DHT) for storing peer contact information for "trackerless" torrents and consists of a number of different queries and corresponding responses.
- Ping - used to check if a peer is available.
- Find_node - used to find the contact information for a peer.
- Get_peers - requests a list of peers which have pieces of the content.
- Announce_peer - announces the contact information for the peer to the network.
Right click on packet 22 and follow UDP Stream
More Resources
For more Packet Captures go to
http://www.netresec.com/?page=PcapFiles
Wireshark Network Analysis, by Laura Chappell, Chappell Binding
Paperback ISBN 978-1-893939-99-8
Practical Packet Analysis: Using Wireshark to Solve Real-World Network
Problems, by Chris Sanders, No Starch Press, Incorporated ISBN-13:
9781593272661 2010
