Three Tools to Help You Protect Your Network
The network administrator's constant fear is a compromised network due to hackers or unauthorised access. This article describes the use of Wireshark, NetworkMiner and Snort, three popular open source packet analysis tools that help to analyse hacking or
Monitoring and administering networks has become both important and difficult because of the huge amount of information flowing through different transmission channels. In any organisation, network administrators face the challenging task of analysing the financial, military, educational or social information passing through their networks, while network crackers are keen to get at the confidential data carried on a target's network. Hence the need for effective tools that can analyse hacking or cracking attempts. Crackers typically examine a target's network and record the traffic they capture; this activity, capturing and repeatedly examining the information flowing through a network, is classically known as network sniffing, and it is just as available to the defender.
A number of software products on the market provide network sniffer modules with which a systems administrator can analyse packets. Packet capturing is the process of intercepting and logging traffic. A packet analyser is also referred to as a network analyser, protocol analysis tool, protocol analyser, packet sniffer or Ethernet sniffer, or, when it captures radio traffic, a wireless sniffer. Technically, such software is a program that intercepts, captures and logs the traffic passing through a network. As data streams over the network, the sniffer captures each packet and, if required, decodes its raw contents, showing the values of the various fields in the packet.
Active and passive sniffing
Sniffing is a technique for obtaining network information by capturing network packets. There are two kinds of packet sniffing, active and passive. In active sniffing, the sniffing tool injects traffic into the network, for example ARP requests or forged ARP replies on a switched network, so that traffic it would not otherwise see is steered towards it, and then analyses the packets that arrive as a result; the injected traffic can itself be noticed. Passive sniffing sends nothing at all: it only listens to the traffic already visible to the capture interface, so it cannot be detected by watching the network, although on a switched network that means it sees only its own traffic, broadcasts and whatever a mirror (SPAN) port or network tap delivers. Because it puts nothing on the wire, passive sniffing is the method of choice where networks carry critical systems in the realm of process control, radar systems, medical equipment or telecommunications.
Features of packet tracing/analysis tools
Packet analysers or sniffers have many constructive uses. The benefits of packet tracing tools include:
Analyse network problems
Detect network intrusion attempts
Detect network misuse by internal and external users
Document regulatory compliance by logging all perimeter and endpoint traffic
Gain information on a network intrusion
Isolate exploited systems
Monitor WAN bandwidth utilisation
Monitor network usage (including internal and external users and systems)
Monitor data in motion
Monitor WAN and endpoint security status
Gather and report network statistics
Filter suspect content from network traffic
Serve as the primary data source for day-to-day network monitoring and management
Spy on other network users and collect sensitive information such as login details or users' cookies (depending on any content encryption that may be in use)
Reverse engineer proprietary protocols used over the network
Debug client/server communications
Debug network protocol implementations
Verify adds, moves and changes
Verify the effectiveness of internal controls (firewalls, access control, Web filter, spam filter, proxy, etc)
Three popular open source packet analysis tools are Wireshark, NetworkMiner and Snort.
Wireshark
Wireshark is a free and open source network packet analyser. It is used for network troubleshooting, analysis, software and communications protocol development, and education. It was initially called Ethereal; in May 2006 the project was renamed Wireshark because of trademark issues. Wireshark is cross-platform: it runs on UNIX-like systems including GNU/Linux, OS X, BSD and Solaris, as well as on Microsoft Windows.
There is also a terminal-based (non-GUI) version called TShark. Wireshark and the other programs distributed with it, such as TShark, are free software released under the GNU General Public License.
Over the years Wireshark has won a number of industry awards and recognitions, including:
eWeek
InfoWorld
Insecure.org security tools survey
SourceForge Project of the Month, August 2010
McAfee SiteAdvisor
Network Protocol Analysis Award
VoIP Monitoring Award
Wireshark is a specialised tool that understands the structure and format of a large number of network protocols. It parses each packet and displays its fields, with their meanings, as specified by the relevant protocol. Wireshark uses pcap (libpcap, or WinPcap/Npcap on Windows) to capture packets, so it can capture on whatever network types pcap supports on a given platform. Its features include:
Detailed, deep inspection of hundreds of protocols.
Live capture as well as offline analysis.
Cross-platform: it runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD and many other systems without special configuration.
Captured packets can be browsed in the GUI or with the TTY-mode TShark utility.
VoIP support: VoIP calls in the captured traffic can be detected and analysed.
Capture files compressed with gzip are decompressed on the fly.
Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, loopback and others, depending on the platform, or packets can be read from a file of already-captured traffic.
Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP and WPA/WPA2, provided the relevant keys are supplied (for TLS sessions that use a forward-secret key exchange this means per-session keys, typically from a browser's SSLKEYLOGFILE, rather than the server's private key).
Colouring rules can be applied to the packet list for quick, intuitive analysis.
Output can be exported to XML, PostScript, CSV or plain text.
Captured data can be edited or converted with the command-line switches of the editcap tool.
Display filters refine what is shown in the packet list.
Plug-ins can be developed for new protocols.
Raw USB traffic can be captured.
The online Wireshark User's Guide is at http://www.wireshark.org/docs/wsug_html_chunked/index.html.
NetworkMiner
NetworkMiner is a well-known network forensic analysis tool (NFAT) that can determine the operating system, hostname, open ports and other parameters of network hosts, either by sniffing packets or by parsing a pcap file. It can also reassemble and extract files that were transmitted over the network. NetworkMiner is classically used as a passive network sniffer/packet capturing tool that detects operating systems, sessions, hostnames, open ports and related information without placing any traffic on the network, so the hosts it observes cannot see it at work.
Using NetworkMiner
The GUI of NetworkMiner is divided into tabs (Hosts, Files, Images, Credentials, Sessions, DNS and so on), each presenting the captured data from a different angle. The following steps are used to analyse live network traffic. First, select the network interface on which the data is to be captured.
By default, the Hosts tab is selected. Hosts can be sorted by IP address, MAC address, hostname, operating system and so on.
Press the Start button to begin sniffing. To analyse an existing capture instead, open the pcap file from the File menu; NetworkMiner then fills the same tabs without touching the network.
Snort
Snort is an open source network intrusion detection and prevention system (IDS/IPS) written in C and developed by Sourcefire (now part of Cisco). It combines signature-, protocol- and anomaly-based inspection. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for intrusion prevention.
Snort performs protocol analysis and content inspection, and detects a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts. It uses a flexible rules language to describe the traffic it should alert on, log or pass, together with a detection engine that has a modular plug-in architecture.
Snort can be run in three modes: sniffer, packet logger and network intrusion detection. In sniffer mode it reads packets off the network and prints them on the console. In packet logger mode it writes the packets to disk. In intrusion detection mode it monitors the traffic, matches it against a user-defined rule set and takes the action each matching rule specifies.
The main configuration file is /etc/snort/snort.conf. This is where the network being monitored is described (variables such as HOME_NET and EXTERNAL_NET), the preprocessors and output plug-ins are configured and the rule files are included. Every value and parameter is commented in the file, so changes are easy to make.
Some of the extracts from the configuration file are:
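As an added example (not the article's configuration extract and not Snort's own code), here is a constructed snort.conf-style fragment, with ipvar/portvar variables and three rules in Snort 2 syntax using made-up SIDs from the local range above 1,000,000, together with a small Python matcher. The matcher expands $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS, parses the rule header and the msg, content, nocase, itype and sid options, and runs the rules over constructed, already-decoded packets. Snort's real engine does far more (preprocessors, fast-pattern matching, PCRE, flow tracking); the point is to show how a rule header and its options map onto packet fields, and why the nocase modifier matters for the /etc/passwd probe.

```python
"""Mini matcher for a Snort-style configuration and rule set.  Added example, not the article's
configuration extract and not Snort's own code: variables, rules, SIDs and packets are constructed."""
import ipaddress, re

CONFIG = """
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP echo request from outside"; itype:8; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Web request for /etc/passwd"; content:"/etc/passwd"; nocase; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 21 (msg:"FTP password sent in the clear"; content:"PASS "; sid:1000003; rev:1;)
"""
# Rule header: action proto src sport -> dst dport (option:value; option; ...)
RULE_RE = re.compile(r'^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')

def expand(spec, variables):
    """Replace $NAME references recursively (EXTERNAL_NET -> !$HOME_NET -> !192.168.1.0/24)."""
    while m := re.search(r'\$(\w+)', spec):
        spec = spec[:m.start()] + variables[m.group(1)] + spec[m.end():]
    return spec

def parse_config(text):
    """Collect ipvar/portvar/var definitions, then parse the rules with variables expanded."""
    variables, rules = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 2)
        if parts[0] in ('ipvar', 'portvar', 'var'):
            variables[parts[1]] = parts[2]
            continue
        m = RULE_RE.match(line)
        assert m, 'cannot parse rule: ' + line
        options = [(name, (value[1:-1] if value.startswith('"') else value) or None)  # unquote msg/content
                   for name, value in OPT_RE.findall(m.group(8))]
        action, proto, src, sport, direction, dst, dport = m.groups()[:7]
        rules.append({'action': action, 'proto': proto, 'direction': direction, 'options': options,
                      'src': expand(src, variables), 'sport': expand(sport, variables),
                      'dst': expand(dst, variables), 'dport': expand(dport, variables),
                      'sid': int(dict(options).get('sid', 0)), 'msg': dict(options).get('msg', '')})
    return rules

def addr_matches(spec, addr):
    """Snort address spec: any, a.b.c.d[/n], !spec or [spec,spec,...]."""
    if spec == 'any':
        return True
    if spec.startswith('!'):
        return not addr_matches(spec[1:], addr)
    if spec.startswith('['):
        return any(addr_matches(s.strip(), addr) for s in spec[1:-1].split(','))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """Snort port spec: any, 21 or [p,p,...]; negation and ranges such as 1024: are left out here."""
    if spec == 'any':
        return True
    if spec.startswith('['):
        return any(port_matches(s.strip(), port) for s in spec[1:-1].split(','))
    return port is not None and int(spec) == port

def content_bytes(value):
    # Snort content syntax: literal text with |hex bytes| between pipes
    return b''.join(bytes.fromhex(c) if i % 2 else c.encode('latin-1') for i, c in enumerate(value.split('|')))

def header_matches(rule, pkt):
    def one_way(src, sport, dst, dport):
        return (addr_matches(src, pkt['src']) and port_matches(sport, pkt.get('sport')) and
                addr_matches(dst, pkt['dst']) and port_matches(dport, pkt.get('dport')))
    if rule['proto'] not in ('ip', pkt['proto']):
        return False
    return (one_way(rule['src'], rule['sport'], rule['dst'], rule['dport']) or   # <> matches either way
            (rule['direction'] == '<>' and one_way(rule['dst'], rule['dport'], rule['src'], rule['sport'])))

def options_match(rule, pkt):
    """Detection options this example understands: content (with nocase) and itype."""
    payload, contents = pkt.get('payload', b''), []
    for name, value in rule['options']:
        if name == 'content':
            contents.append([content_bytes(value), False])
        elif name == 'nocase' and contents:  # nocase modifies the content option just before it
            contents[-1][1] = True
        elif name == 'itype' and pkt.get('itype') != int(value):
            return False
    return all(p.lower() in payload.lower() if nocase else p in payload for p, nocase in contents)

def run_rules(rules, packets):
    # (packet index, sid, msg) for every alert rule that fires, in rule order per packet
    return [(i, r['sid'], r['msg']) for i, pkt in enumerate(packets) for r in rules
            if r['action'] == 'alert' and header_matches(r, pkt) and options_match(r, pkt)]

# Constructed, already-decoded packets, the form in which a sniffer hands traffic to the detection engine.
PACKETS = [
    {'proto': 'icmp', 'src': '203.0.113.7', 'dst': '192.168.1.10', 'itype': 8},   # ping from outside
    {'proto': 'icmp', 'src': '192.168.1.10', 'dst': '203.0.113.7', 'itype': 0},   # the reply
    {'proto': 'tcp', 'src': '203.0.113.7', 'sport': 51000, 'dst': '192.168.1.10', 'dport': 8080,
     'payload': b'GET /../../ETC/PASSWD HTTP/1.1\r\n'},                          # upper case: needs nocase
    {'proto': 'tcp', 'src': '192.168.1.20', 'sport': 40000, 'dst': '192.168.1.10', 'dport': 21,
     'payload': b'PASS hunter2\r\n'},                                               # internal FTP login
]

def demo():
    return run_rules(parse_config(CONFIG), PACKETS)
```

demo() returns three alerts: the external ping (SID 1000001), the web probe (SID 1000002, which only fires because nocase lets "/etc/passwd" match the upper-case request) and the FTP login (SID 1000003). The echo reply does not fire because its source is inside HOME_NET, so it fails the $EXTERNAL_NET test, and the same internal-source check is what keeps a rule like the first one quiet for ordinary pings between local hosts.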
Basic commands of Snort
The simplest way to start Snort and see what it does is to use the following command:
This command instructs Snort to be verbose (the -v switch) and display the packets it sees on the console, reading from the eth0 Ethernet interface (-i eth0). Snort has to run as root, or with the capabilities needed to open the interface in promiscuous mode, for this to work.
The output contains a lot of information that you may find useful. Here you can tell that there is an ICMP packet coming from 192.168.1.2 and going to 192.168.1.1, and that it is an ECHO packet, which is what a ping to this address produces. Then there is the ECHO REPLY sent from your machine back to 192.168.1.2. Each packet is printed with a timestamp, so you can see when it happened. When you stop Snort with CONTROL-C, you will see the following summary output:
The breakdown, on the basis of protocols, is as follows:
Application layer data
You can make Snort display the application-layer data as well. This is the payload of the packets being transmitted across the network; for protocols that send credentials unencrypted, such as Telnet, FTP or HTTP without TLS, it is also what lets a sniffer pick up passwords flowing across the network. Add '-d' to the command:
Ethernet information
To see the Ethernet (link-layer) header as well, including the source and destination MAC addresses, use '-e':
The switches can also be combined into a single argument, such as -vde, to save typing:
ARP
Normally you see only IP packets. Add '-a' to display ARP packets as well:
Identifying the network
Often you need to log packets relative to your own network. To log packets into directories named after the remote (non-home) host, use the '-h' switch with the address and mask of the home network in CIDR form, together with '-l' and the directory to log into.
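The decode that Snort prints in sniffer mode with -v, -e and -d (and that Wireshark shows for the same capture, since both read pcap data) can be reproduced in a few dozen lines. The following is an added example, not code from the article, Snort or Wireshark: it builds two constructed ICMP frames (the ping from 192.168.1.2 to 192.168.1.1 and its reply, as in the output described above) and one constructed FTP segment carrying a plaintext password, writes them as a libpcap file that Wireshark can open, reads the file back and decodes the Ethernet, IPv4, ICMP and TCP headers and the application-layer payload. The MAC addresses, IP and ICMP identifiers and timestamps are made up.

```python
"""Write a small libpcap file and decode it the way a packet sniffer does.
Added example, not code from the article, Snort or Wireshark; the traffic below is constructed
and the MAC addresses, IP identifiers, ICMP identifiers and timestamps are made up."""
import os, socket, struct, tempfile

LINKTYPE_ETHERNET = 1
PCAP_MAGICS = {0xA1B2C3D4: ('<', 1e6), 0xD4C3B2A1: ('>', 1e6),  # microsecond timestamps
               0xA1B23C4D: ('<', 1e9), 0x4D3CB2A1: ('>', 1e9)}  # nanosecond timestamps

def checksum(data):
    """RFC 1071 one's-complement sum used by IPv4, ICMP and TCP; a valid header sums to 0."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ethernet(src_mac, dst_mac, ethertype, payload):
    mac = lambda m: bytes.fromhex(m.replace(':', ''))
    return mac(dst_mac) + mac(src_mac) + struct.pack('!H', ethertype) + payload

def ipv4(src, dst, proto, payload, ttl=64, ident=0x1234):
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack('!H', checksum(hdr)) + hdr[12:] + payload

def icmp_echo(icmp_type, ident, seq, data):
    hdr = struct.pack('!BBHHH', icmp_type, 0, 0, ident, seq)
    return hdr[:2] + struct.pack('!H', checksum(hdr + data)) + hdr[4:] + data

def tcp(src, dst, sport, dport, seq, ack, flags, payload):
    hdr = struct.pack('!HHIIBBHHH', sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack('!BBH', 0, 6, 20 + len(payload))
    return hdr[:16] + struct.pack('!H', checksum(pseudo + hdr + payload)) + hdr[18:] + payload

def write_pcap(path, frames, base_sec=1700000000):
    """libpcap format: 24-byte global header, then a 16-byte record header before each frame."""
    with open(path, 'wb') as f:
        f.write(struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):  # one frame per millisecond
            f.write(struct.pack('<IIII', base_sec, i * 1000, len(frame), len(frame)) + frame)

def read_pcap(path):
    """Return (linktype, [(timestamp, frame), ...]), honouring the byte order the magic number announces."""
    with open(path, 'rb') as f:
        endian, ticks = PCAP_MAGICS[struct.unpack('<I', f.read(4))[0]]
        linktype = struct.unpack(endian + 'HHiIII', f.read(20))[5]
        packets = []
        while len(rec := f.read(16)) == 16:
            sec, frac, caplen, _ = struct.unpack(endian + 'IIII', rec)
            packets.append((sec + frac / ticks, f.read(caplen)))
    return linktype, packets

def dissect(frame):
    """Decode Ethernet -> IPv4 -> ICMP/TCP into the fields Snort prints with -e, -v and -d."""
    mac = lambda b: ':'.join('%02x' % x for x in b)
    out = {'eth_dst': mac(frame[:6]), 'eth_src': mac(frame[6:12]), 'ethertype': struct.unpack('!H', frame[12:14])[0]}
    if out['ethertype'] != 0x0800:
        out['summary'] = 'non-IPv4 frame (ethertype 0x%04x)' % out['ethertype']
        return out
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack('!H', ip[2:4])[0]
    out.update(src=socket.inet_ntoa(ip[12:16]), dst=socket.inet_ntoa(ip[16:20]), ttl=ip[8],
               proto=ip[9], ip_checksum_ok=checksum(ip[:ihl]) == 0)
    l4 = ip[ihl:total_len]  # use the IP total length, not the frame length: Ethernet pads short frames
    if out['proto'] == 1:  # ICMP: type, code, checksum, identifier, sequence, data
        ident, seq = struct.unpack('!HH', l4[4:8])
        name = {8: 'ECHO', 0: 'ECHO REPLY'}.get(l4[0], 'type %d' % l4[0])
        out.update(icmp_type=l4[0], icmp_id=ident, icmp_seq=seq, payload=l4[8:],
                   summary='ICMP %s %s -> %s id=%d seq=%d' % (name, out['src'], out['dst'], ident, seq))
    elif out['proto'] == 6:  # TCP: ports, seq, ack, data offset, flags; the payload follows the header
        sport, dport, seq, ack, off, flags = struct.unpack('!HHIIBB', l4[:14])
        fl = ''.join(n for bit, n in ((1, 'F'), (2, 'S'), (4, 'R'), (8, 'P'), (16, 'A')) if flags & bit)
        out.update(sport=sport, dport=dport, tcp_flags=fl, payload=l4[(off >> 4) * 4:],
                   summary='TCP %s:%d -> %s:%d [%s]' % (out['src'], sport, out['dst'], dport, fl))
    return out

def build_sample_frames():
    """Constructed traffic: ping 192.168.1.2 -> 192.168.1.1, its reply, then an FTP PASS in the clear."""
    a, b = '00:11:22:33:44:55', '66:77:88:99:aa:bb'  # made-up MAC addresses
    data = b'abcdefghijklmnopqrstuvwabcdefghi'  # the 32-byte payload a Windows ping sends
    return [ethernet(a, b, 0x0800, ipv4('192.168.1.2', '192.168.1.1', 1, icmp_echo(8, 0x1234, 1, data))),
            ethernet(b, a, 0x0800, ipv4('192.168.1.1', '192.168.1.2', 1, icmp_echo(0, 0x1234, 1, data))),
            ethernet(a, b, 0x0800, ipv4('192.168.1.2', '192.168.1.1', 6, tcp(
                '192.168.1.2', '192.168.1.1', 40123, 21, 1000, 2000, 0x18, b'PASS hunter2\r\n')))]

def demo(path=None):
    """Write the constructed capture, read it back and decode it; a temp file is used if no path is given."""
    tmp = path is None
    if tmp:
        fd, path = tempfile.mkstemp(suffix='.pcap')
        os.close(fd)
    write_pcap(path, build_sample_frames())
    linktype, packets = read_pcap(path)
    if tmp:
        os.remove(path)
    assert linktype == LINKTYPE_ETHERNET, 'this decoder only handles Ethernet captures'
    return [dict(dissect(frame), ts=ts) for ts, frame in packets]
```

Calling demo('ping.pcap') writes the file in the current directory, where Wireshark or tshark will open it, and returns the three decoded packets: the ECHO and ECHO REPLY with their MAC addresses (what -e adds), the IP and ICMP fields (what -v shows) and, for the FTP segment, the payload "PASS hunter2" in the clear (what -d adds). The decoder verifies the IP header checksum and takes the layer-4 length from the IP header rather than the frame, two checks a tool must make before trusting what a packet claims about itself.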
Packet tracers or sniffers are also used by the hacking community to analyse data packets, but the same tools are very useful to network administrators, who can use them to analyse the kinds of packets flowing through their infrastructure, resolve bandwidth issues and study the ports and protocols in use.