
Ch1

Lesson 1: Traffic Capture and Analysis

Traffic capture overview

- Network administrators use a packet sniffer, network monitor, or network analyzer to monitor and troubleshoot
network traffic. As data flows across the network, the sniffer captures each packet, decodes the packet's raw bits, and
then displays the field values in the packet according to the appropriate RFC or other specification. This information can
help identify bottlenecks, and help maintain efficient network data transmission. There are many uses for packet
analysis.

We can analyze network problems, detect network intrusion attempts and network misuse, perform regulatory
compliance by monitoring the content of perimeter and endpoint traffic, monitor bandwidth usage per application and
process, verify endpoint security status by spotting unwanted protocols such as bogus ARP traffic and Multicast
DNS, and gather and report network statistics. The tool we will use for this demonstration is Wireshark, formerly
Ethereal, an open source packet analyzer.

In the late 1990s, Gerald Combs needed a tool for analyzing network problems. Portable sniffers were available at the
time, but they were costly. Gerald developed Ethereal with the help of some friends, and this later became Wireshark. It
has been around for over 15 years. In addition to Wireshark, there are some other packet analyzers. Cain and Abel
recovers passwords by sniffing the network and can record voice-over-IP conversations. Narus Insight, formerly
Carnivore, can monitor all internet traffic.

dSniff passively monitors a network for interesting traffic such as passwords, emails, and files. Ettercap intercepts
traffic on a network segment, captures passwords and conducts active eavesdropping. Tcpdump is a common protocol
analyzer that runs from the command line. Placement is key. Not all traffic is created equal. Depending on the
placement, you may only capture a portion of the total network traffic. Off of a switch, the traffic may be unicast,
broadcast, or multicast.

To see all traffic on a switch, use port monitoring (SPAN), or place a full-duplex tap in line with the traffic. You may
need a special adapter. Network administrators should be familiar with Wireshark because Wireshark is built into the
Cisco Nexus 7000 series, and many other devices.

Exploring the Wireshark interface

- Let's take a look at the Wireshark interface in a little more detail. Specifically, let's take a look at the menu
choices, and at five commonly accessed menus: File, Edit, View, Capture and Statistics. File is where we
commonly go to open a file, or perhaps open recent files. I'm going to simply go to File and Open and I'm going to get a
TCP example.

Now that we have something to look at, let's take a look at Edit. Edit allows us to do common editing tasks such as Find
Packet, Find Next and also add a Packet Comment. At the end of Edit, we can see where we can modify the
preferences. I'm going to select that and it will take a second to load. Up at the top of your Preferences, you will see that
the Profile says Default. You can make additional Profiles, but for now we're just going to stay with the default.

We'll start up at the top and just briefly look at the user interface. The user interface is how you want Wireshark to
be displayed to you. Most commonly viewed are the three Panes: the Packet List, the Packet Details and
the Packet Bytes. Protocols is where I can drill down and look at specific information about a certain protocol. If I
select any of those up on the top and simply start typing TCP, the search will go down to what it thinks is the protocol I
would like to modify.

For example, in TCP, I can take a look at some of the preferences. Some of those I would like to have and some of
those I possibly would not like to have. For example, Validate the TCP checksum if possible is not checked. The
checksum is used for error detection on our network, but in most cases that checksum is offloaded to the network
card, so the value in the captured packet is incorrect; I leave it unchecked so that it does not look like an error.
Relative sequence numbers, I would like to check that.

With that checked, the sequence number that is generated, which is generally a large number, is shown relative to the
start of the conversation in the packet capture, so that it makes sense. For example, instead of a large number like
592379 for my first sequence number, the sequence number will simply be one. Now we're gonna look at View. If we
look at View, we can see how we want items to appear on our screen.

If we look at Packet List, Packet Details and Packet Bytes, these are the default panes shown when you open the
Wireshark interface. Now the Packet List and Packet Details are important, but the Packet Bytes, that is
the panel at the bottom of this screen. In a lot of cases, this won't make sense to anyone so I generally uncheck that. If
we go to View and the menu choice Time Display Format, you'll see that the Default is Seconds Since Beginning of
Capture.

However, if I want to see how fast the packets are coming into the network interface card, I will most likely
select Seconds Since Previously Captured Packet. Or if I have a display filter, Seconds Since Previously Displayed
Packet. Down at the bottom, you see the Precision. This is telling me how many decimal places I'm going to add. In
most cases, it's best simply to leave it at Automatic File Precision. But if I want to see an attack and see possibly how
many microseconds apart the attack packets are coming in, I would select Microseconds.

Let's take a look at the frame header. In the frame header, we have a source and destination MAC address. You
see each as a 12 digit hexadecimal number; when I add name resolution, we will see the manufacturer of the
network interface card. The first six digits represent the organizationally unique identifier, or the manufacturer. Click on
View and go to Name Resolution and say Enable MAC Layer resolution.

Now instead of the 12 digit hexadecimal number, you see an actual manufacturer for the first six digits. This is helpful
because I can see, for example, that I have a Cisco device that's communicating on my network. If we go to View
and Name Resolution, we also have other choices. One is Enable Transport Layer resolution. That's fine to
activate because the Transport Layer uses a port address, and zero through 1,023 are the well known ports.

That resolution just comes from a file, so it can associate the port with an application. The one that probably shouldn't
be activated is Enable Network Layer resolution. If you do activate this on a live capture, you may cause more traffic
than you want to, because it will continually hit the DNS server. Under Capture, we see that there are some
capture-specific menu choices. If we go to Interfaces, we can see the interface that is my ethernet adapter.

If I select this, I can go to Options, which allows me to set more advanced options, including adding a Capture Filter
and using a ring buffer. With Statistics, there are many menu choices, many of which deserve a course all
on their own. But take a look at a couple of things that are helpful. One being Summary. Summary just gives us a snapshot
of that individual capture. It tells us what the file name is, how long it was between the beginning and the end of the
capture, and the average packet size.

If we did add comments, those would be in the capture file comments area. Within the Statistics you can see there are
many, many other types of statistics that we can use. Again, helpful in doing an analysis.
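The checksum preference discussed above is easy to reproduce. The following is an added example, not part of the course: it computes the TCP checksum over the IPv4 pseudo-header the way Wireshark validates it, and shows why the captured copy of an outgoing segment fails validation when the checksum has been offloaded to the network card (the capture driver copies the packet before the hardware fills the field in). The addresses, ports and the zero placeholder value are constructed.

```python
import socket
import struct

# Constructed example (not from the course): a bare SYN segment sent by the
# client 192.168.1.2:54841 to a web server at 174.143.213.184:80, with the
# checksum field not yet filled in (zero here), as a capture driver sees an
# outgoing packet when the NIC has been asked to complete the checksum.
SRC_IP, DST_IP = "192.168.1.2", "174.143.213.184"
SYN_SEGMENT = struct.pack(
    "!HHIIBBHHH",
    54841, 80,  # source and destination port
    0, 0,       # sequence and acknowledgement number
    5 << 4,     # data offset: 5 words (20 bytes), no options
    0x02,       # flags: SYN only
    8192,       # window
    0,          # checksum (placeholder)
    0,          # urgent pointer
)


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum, folding carries, as used by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with zero for the sum
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (addresses, zero, protocol 6, TCP
    length) plus the TCP header and data, with the checksum field taken as zero."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def with_checksum(src_ip: str, dst_ip: str, segment: bytes, value=None) -> bytes:
    """Copy of the segment carrying the given checksum, or the correct one if None."""
    if value is None:
        value = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", value) + segment[18:]


def validate_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """What 'Validate the TCP checksum if possible' does for each TCP segment."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)


if __name__ == "__main__":
    on_the_wire = with_checksum(SRC_IP, DST_IP, SYN_SEGMENT)     # what the NIC transmits
    as_captured = with_checksum(SRC_IP, DST_IP, SYN_SEGMENT, 0)  # what the capture sees
    print(f"correct checksum: 0x{tcp_checksum(SRC_IP, DST_IP, SYN_SEGMENT):04x}")
    print("on the wire valid:", validate_tcp_checksum(SRC_IP, DST_IP, on_the_wire))
    print("as captured valid:", validate_tcp_checksum(SRC_IP, DST_IP, as_captured))
```

A receiver-side capture (taken on the machine the segment is sent to) carries the finished checksum, so validation there is still meaningful.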

Managing capture options

- Let's take a look at capture options. Well first of all, if I've already made some selections in which interface I want to
capture on, I can click the green fin and simply say "Start". Go up to the menu choices and take a look at Capture, and go
to Interfaces. In most cases, you will have more than one interface. Select the one you want to capture on, and then go
to Options. You can capture on all interfaces, but you do want to say "Capture promiscuous mode", and that's going to
allow you to see all the traffic that's coming in to your network interface card.

If I only want to capture a certain type of traffic, I will use a capture filter. I'm going to go to the left-hand side and select
"Capture Filter". There are pre-defined filters that you can use or modify. I'm going to try to capture some DNS packets. DNS
rides on top of UDP, so I'm going to select "UDP only". I'm going to say, "OK". I caution you against using a capture
filter if you are doing troubleshooting.

The first thing is, it is resource intensive, and secondly, it's going to capture only what you've asked it to capture, and
you might miss something. Down below on the left you see "Capture Files". Here, if I wanted to capture more than one
file, a sequence of files, I can specify it at this point. In some cases, I might want to run those files into what's called
a ring buffer. That would overwrite the oldest files in the ring buffer, and allow you to capture for a length of time without
consuming all of your resources.

It simply creates a file, and it drops it into the ring buffer, over and over again, until you tell it to stop. Down on the
lower part of the left-hand side is the "Stop Capture Automatically After..." whatever you would like it to be, after so
many files, after whatever size. On the right-hand side, you see some of the display options we talked about
before. I always keep those checked. For example, "Update list of packets in real time". "Allow to automatically scroll
during live capture" is helpful as well because I can take a spot check, for example, if I'm concerned about a lot of
transmission errors.

And also, hide the capture information dialog. "Name Resolution", we've talked about before. I'm going to select
"Resolve MAC address" and "Resolve transport-layer name address". Those two will be fine, and I'm going to start my
capture. Now to give me something interesting to look at, I'm going to go to my browser, and I'm going to go to
newegg.com, and then I'm going to stop my capture. When I went to newegg, if you noticed, the hub screen for
newegg had a whole bunch of hyperlinks.

All of those links are associated with a webpage. As a result, we need some resolution in order for me to package it and
address it correctly. DNS, the Domain Name System, did a resolution, so that whenever I go to click on any of those
hyperlinks, it's already in my cache. You've completed your capture. Well, before you continue, and before you go on to
the next capture, be sure to go to the Options and the Interface, and take out that capture filter so you don't miss
anything on your next capture.

Using display and capture filters

- Now we can take a look at display filters. Display filters are used when we have already captured some packets or
are actively capturing packets. In this case, we see a TCP communication stream with an HTTP server. So
let's just go up to the filter and type in http. Now we're going to say Apply. Not much here, as we know, which is
great. I'm gonna clear that. We know that we could also add what's called an Expression and a more complex filter.

Let's click on that. The Expression Builder comes up, which allows us to add a more complex filter. As you can see, over
in the middle panel, we have equal, not equal to, greater than, less than, and other operators we can use to build an
expression. If we click over in the field name on the left hand side, take a look down below. You'll watch. It helps you
search. DNS. Now it sort of knows I want to go to DNS.

Now let's expand this. Now we can see that with DNS, we have some options as to exactly what type of field value we
would like. For example, I would like to see a Quad A (AAAA) record, looking for an IP version six address. I'm gonna select
that, and you can see if it says equals, it asks exactly what IP version six address you are looking for. Another one we'll do
is TCP. Now TCP, again, has a lot of options, and we're just gonna expand this.

Now we can build an expression. So for example, I want to see which ones have the fin flag set. I'm going to select
tcp.flags.fin, say equals, and choose the value that means the flag is on. We're going to say OK. Now we're going to apply
it once we have it in the filter area. Now we can see only those that have the fin flag set are up there. Now I'm going to
clear that. Okay, so we can build an expression, and yes, we can add complex expressions as well.

Now let's look at some shortcuts. If I right click Transmission Control Protocol and expand, I clicked on tcp, and now let's
take a look at the flags, and just bring this up. Now if I want only to add those that have the acknowledgment flag
set, I'm gonna right click and I'm gonna say Prepare as a filter. Now when I prepare as a filter, it won't run it. It simply
puts it up in the display filter area. I'll have to run it, but it's so that I can modify it.

We see there it says Selected, Not Selected, and ...and not Selected. We'll do that in just a minute. Let's just say Selected. So
now it's put it up there for me to run. I'm gonna just drop this down so we see what happens. I will only want those
packets that have the acknowledgment set at one. I'm gonna Apply. All right, but I have some other stuff in there. Well I
want maybe not to have the Syn flag, so I know up here in the handshake, I have that Syn flag set.

I don't want that. So let's go here, and we're gonna go to the Syn flag. Now I'm gonna right click. The filter's already
there. I'm going to say Prepare as a filter, and ...and not Selected. We're gonna put it up there, but what I wanna say is to
change that to a one. So what does that say? That says give me the traffic that has the acknowledgment flag set, but not
those that have the Syn flag set. Now I'm gonna apply it. And that has taken that away.

But look, I have those that have the fin flag set. Hmm, we're gonna take that away too. We're going to the fin flag, and
I'm gonna right click. Now let's say Prepare as a filter, and ...and not Selected, and since it's already set at one, it'll go up
there and now that should take it away as well. Now we'll say Apply. Now all I have are those packets that have an
acknowledgment flag set. Now let's clear that. Well what about those capture filters? I'm gonna go to Capture and then
Options.

Now let's take a look. In the center of this Capture Options dialog box, you see Capture Filter. Now capture filters are
for when you only want to capture a specific type of traffic, such as arp traffic or DNS. Well we simply can type arp, that
would be fine. Remember if it turns green, it's good, red, it isn't good, and yellow is it might work. Or you can do
this. Select Capture Filter, and you can see that there are already some pre-defined capture filters in there for you.

Now for example, I want not arp, and that filter string is available. TCP only. No Broadcast and no Multicast. And it's
already set up. I'll say OK, and I'm not gonna run it because we're not gonna capture anything, but we would put that in
there and only traffic that was not Broadcast or not Multicast would be captured. I'm gonna just clear this off, but keep
in mind a couple of things. When you use a capture filter, you're only going to capture traffic you've said you wanted to
capture and nothing else.

So when troubleshooting, that might cause a problem. You might miss something. Plus, the fact is a capture filter is a
little more resource intensive in that you are filtering as you capture. I'm gonna close this. So you can see the different
ways to filter and display only the types of traffic that you want to see when you're using
Wireshark.

Challenge: Filtering the data that is displayed

- Okay, let's try a Challenge. For this Challenge, open a TCP Example. Now, with this Challenge you're going to use a
DISPLAY filter to show the following: First use a DISPLAY filter to show all TCP traffic, and nothing should change. But
then you're going to clear the filter. Next, use a DISPLAY filter to show only HTTP traffic. You should only see two
frames. Now clear that. And now for this one I want you to show only TCP traffic with the syn flag set. For this one you
will only see two frames. Okay, let's try it. This should take you under five minutes. When you're done, please come back
and check out my Solution, where I'll show you how I completed this Challenge. Good luck!

Solution: Filtering the data that is displayed

- Ok, now let's take a look at our solution for display filters. Now the first one was to create a display filter displaying only
TCP traffic. Going up to the display filter, remember if we type in here tcp and we see it's green, that means it's good. If
it's red, it means it won't work. And if it's yellow, it might work, go ahead and try it. In addition, we can't have a capital
letter in the protocol name over on the left hand side; it won't work.

So we're just going to simply type tcp and Apply. Now there's the same number of packets in here, because nothing will
change, because this HTTP transaction is going to use TCP as its transport layer protocol. Now I'm going to clear that,
and this time we want to do an HTTP display filter. Now even though you see HTTP in capitals, we're still going to use
lowercase http and then we're going to say Apply.

Now we see two frames here with HTTP and that's pretty much it. We're going to clear that filter. Now let's just take a
look at one that might be a little bit more complex. We're going to do TCP with the SYN flag set. Alright, so there's
one of two ways that we can do this, and maybe you've figured out another way. I'm going to just go up to the
Expression Builder, we're going to click that one time. And allow that to load.

Now we bring in the Expression Builder and I'm going to just simply type tcp. Now down below you see that it's
helping me search, and I'm going to drop down to the TCP options and we see a lot of the field values that we can select
from. So let's scroll down, we're going to look for tcp.flags.syn. And here I selected that == 1. Now that means that the
SYN flag was set.

Now I'm going to say OK, and it puts it up in the display filter. Now I will say Apply. Now we'll see only two
because remember that's the first two packets of the three way handshake. Now I'm going to clear that. Let's look at a
shortcut. I'm going to go down below and I'm going to select Transmission Control Protocol. And now I'm going to drop
down and take a look at the flags section. On here you see the SYN flag is already set, so that's easy.

But let's just right click and go to Prepare as a Filter. Now remember if we say Prepare as a Filter, it'll put it up in the
display filter area, it won't run it. I'm going to say Selected, and make sure that you see that tcp.flags.syn == 1. Now I'm
going to say Apply, and again you have your two packets or frames, whichever you want to call it. We're only going to be
seeing two displayed. And that's it for that challenge.

Lesson 2: Review of the Open Systems Interconnection (OSI) Model

Dissecting the OSI model

- The Open Systems Interconnection Model, or OSI, is a model that standardizes each of the functions of data
transformation by breaking it down into layers. Well, why is the OSI Model important? In order to better understand
packet analysis, you must understand the way the data is prepared for transit. The OSI Model is a seven layer
representation of how data changes in form as each layer provides services to the next layer, and in particular, how data
is encapsulated as it is prepared for transit.

The OSI Model was proposed by the International Organization for Standardization, or ISO. It's a common framework for
developers and networking students, for better understanding. Reference models and standards both
enable interoperability among layers and communicating devices. Then we can look at the seven layer OSI
model. Starting at the top in layer seven is the Application Layer, where we initiate contact with the network.

Layer six, the Presentation Layer, layer five, the Session Layer, layer four, the Transport Layer, layer three, the Network
Layer, layer two, the Data Link Layer, and layer one, the Physical Layer. There are two phrases that you can use to
remember the first letter of each of the layers. From layer seven to layer one, the phrase is All People Seem To Need
Data Processing.

From layer one to layer seven, Please Do Not Throw Sausage Pizza Away. Now that we know the layers, let's take a look
at them and how the encapsulation process works together. We'll take a look at the layer itself, the PDU, or Protocol
Data Unit, and then we'll look at the header information in the form of what address is used. In the top three layers, the
Application, Presentation, and Session layers, the Protocol Data Unit is simply Data.

Nothing has changed, it's just in Data format. There is no address, but then it readies itself so that it can communicate
to the next layer, the Transport Layer. At the Transport Layer, the Protocol Data Unit is a segment. Now what this layer
does is add a Transport Layer Header, which includes the source and destination Port address. The Port address
associates us with an application. For example, Port 80 is associated with HTTP.

At the Network Layer, the Protocol Data Unit is a packet, and the Network Layer Header holds the IP addresses, that
is, the source and destination IP address of the hosts. At the Data Link Layer, the Protocol Data
Unit is a Frame. At this layer, the Source and Destination MAC address is added. In the Physical Layer, the Protocol Data
Unit is simply Bits. There is no address, and the Physical Layer is the way the data is transmitted across the media.

Diving deeper into the layers of the OSI model

- The OSI model is a seven-layer framework that represents the transformation of data as it is readied for transit. We'll
take a look at each of the layers, appropriate addressing, and what is the Protocol Data Unit at that layer. The Protocol
Data Unit, or PDU, helps us describe and understand how each layer breaks down data to prepare it for transmission. It
also defines what shape the data is in as it is passed down the layers.

For example, the PDU in the application layer is simply data, but when it passes through the transport layer, it becomes
a segment, when port addressing is added. The application layer is layer seven. This is the layer that initiates contact
with the network. Some protocols that you might be familiar with include HTTP, Hypertext Transfer Protocol, FTP, File
Transfer Protocol, or SMTP, Simple Mail Transfer Protocol.

The Protocol Data Unit at this layer is simply data. Layer six is the presentation layer. The presentation layer has a couple
of jobs. One of them is formatting. Data has to be in the proper format to be presented to the application. For example,
if you get a .jpg, that's an image, and the presentation layer is responsible for formatting it correctly, so your browser
can render it as an image.

The presentation layer also does optional encryption and compression. At this layer, the Protocol Data
Unit is still simply data. Layer five is the session layer. Now the session layer is responsible for setting up, maintaining,
and tearing down a session. In order for a session to take place though, I have to have the correct IP address, so DNS, or
Domain Name System, works in this layer. The Protocol Data Unit at this layer is data.

Layer four is the transport layer. Now this is where things start to change. This is where I begin to encapsulate the
data. The transport layer is responsible for the transportation of data. In the transport layer, we have two
choices. We can either have a connection-oriented process or a connectionless one. Transmission Control Protocol, or TCP,
is connection-oriented. User Datagram Protocol, or UDP, is connectionless.

The type of traffic determines which one you select to transport the data. Transmission Control Protocol is a
connection-oriented protocol. It has end-to-end reliability. It has an 11-field header, as opposed to User Datagram Protocol,
or UDP, which only has a 4-field header. At this layer, the Protocol Data Unit is a segment. But now, we add a little piece of
information, that is, a port address.

A port address is what associates us with the application. For example, Hypertext Transfer Protocol, or HTTP, uses port
80. The network layer is responsible for addressing and routing. There are three main protocols in this layer: Internet
Protocol, Address Resolution Protocol, and Internet Control Message Protocol. The Protocol Data Unit at this layer is a
packet.

In this layer, we need a header, which holds a source and destination IP address. So the addressing includes the IP
address, which is also referred to as a logical address. Layer two is the data link layer. Now the data link layer is primarily
concerned with proper frame formation. And on a Local Area Network, the most common frame formation is an Ethernet
II frame header. The Protocol Data Unit at this layer is a frame.

At this point, we need a header, which includes the source and destination MAC address, which is also referred to as a
physical address. Layer one is the physical layer. This is where binary transmission takes place. Transmission is
dependent upon the medium. If it's over copper, it's a pulse of electricity. If it's over fiber, it's a pulse of light. If it's over
wireless, it's a radio wave. The Protocol Data Unit at this layer is simply bits.

Understanding encapsulation

- Let's look at the encapsulation process and how the layers look in Wireshark. In this concept, we're going to be
talking about the OSI Model layers, the appropriate Protocol Data Unit, and the addressing. Layers in the OSI Model are
represented in many different ways that you might be familiar with. For example, in the Local Area Connection
Properties dialog box, you can see the OSI Model at work. When you take a look at the network interface card
itself, that's where you'll see the Physical and Data Link layers.

When you look at your bindings for Client for Microsoft Networks and File and Printer Sharing, that is the Application,
Presentation and Session layers. And when we look at the Internet Protocol, or TCP/IP suite, this is where you see the
Network and Transport layers. When we understand how encapsulation works, as data travels down the OSI Model, it
is readied in proper frame formation. A standard frame has the following elements. We have the Frame header, which
includes the source and destination MAC address, the Packet header, which includes the source and destination IP
address, the Segment header, which holds the source and destination port address, and then the Data.

But with a frame, there's also a Frame Check Sequence. And this is holding the value of the cyclic redundancy check. This
is used for error detection on a network. Now, in Wireshark, we are not gonna see the contents of the Frame Check
Sequence. This is done as a calculation, but you won't see the results. When looking at the OSI Model, we're going to
take a look at an example where we look at the layers Frame, Packet, Segment and Data. In Wireshark, select any
http frame and you will see the frame contents from layer two through layer seven.

The bits themselves, or the physical layer, layer one, will be in the lower panel. We're going to open up a TCP
example. Before we continue, I'm going to talk about packet analysis in general. Packet analysis can be considered a
passive attack. So you should only do packet analysis on a network either owned by you or where you are instructed to
perform an active capture. If you do perform an active capture, you don't want to generate more traffic on the network
than you're examining.

So what we're going to do is, just show you, go into Edit and then Preferences. What you're going to do is, look at Name
Resolution. Where it says Resolve the network IP address, you do not wanna select this because it will probably generate
more traffic by hitting the DNS server than you want it to. So now that we have a TCP example open, this is where we're
going to take a look at the encapsulation process. A TCP example is not a live capture.

I've already captured this and the other exercise files so we can examine them. Now, what we're going to do is, take a
look at a single frame. When you look at the Wireshark interface, it generally defaults to three panels. I've taken off the
last one. I'm gonna bring it back so we can examine the bit values. Go to View and put on Packet Bytes. And down at the
bottom, you'll see your lower panel. And I'm going to right-click and select Hex View. In most cases, you're going to see
it represented in this format.

This is a Hex View, and that is from back in the day when we did network analysis and had what was called a Hex
Dump. For this conversation, I'm going to convert it now to Bits View so we can see layer one and what it
looks like in a layer one format. What I want to do is just look at http traffic. Now, up on the top, you see all of the
frames I have captured. But I simply want http traffic, so I'm going up to the Display Filter.

Now, the protocol is http. If I put a capital letter on the left-hand side of the Display Filter, it won't work. So now I put in
http in the Display Filter and click Apply. Now I see my two http frames. Over here on the left-hand side, we see number
36. That simply means that is the 36th frame that was captured. Now, up on the top in this panel here, we see "Frame
36: 1296 bytes on wire." There is no header called Frame 36.

That's simply something Wireshark uses to help us understand what is happening in that single frame. It's metadata
about data. In the lower part of this, we're gonna take a look at the bits on that single frame. We focus on a single
frame because frames come into your network interface card one frame at a time. And when we put them all together is
where we can analyze a whole conversation. Well, when we look at this single frame, we see the different layers.

Down below is where we see layer one, the Physical layer. And this is the data as it was transmitted into our network
interface card in a stream of bits. I'm going to take off that panel because it's sort of distracting and I want a little more
landscape. I go to View and Packet Bytes, and that'll give me more room to look at. So we talked about layer one, the
physical layer. And that was a stream of bits. Up at the top is where we see the encapsulation. Ethernet II is the frame
formation.

It is the most common frame formation on a Local Area Network. In a Frame header, we see the source and destination
MAC address. This is a 12-digit hexadecimal number. The source MAC address is 00:26:62:2f:47:87 and the destination
MAC address is 00:1d:60:b3:01:84. Now we look at the network layer protocol. This is an IP Version 4 header.

The main component we're looking at is the source and destination IP address. Here we see the source is
174.143.213.184. The destination is 192.168.1.2. At the Transport layer, we have the TCP header. This is a segment, and
it has the source and destination port address. The source port is Port 80, and the destination port is 54841.

Well, the source port is Port 80, which makes sense because Port 80 is associated with Hypertext Transfer
Protocol. But the destination port, 54841, is not associated with any well-known protocol. That port came from the
client, which says, "When you deliver that to me, I want you to go to Port 54841 and deliver my
information." It's a randomly-assigned port, chosen by the client and told to the server, saying where the data is to be
delivered.

Now we're looking at the Application layer. There we see http, Hypertext Transfer Protocol. But within that protocol, we
see what we were looking for: an image, a PNG. That summarizes encapsulation. Again, we've talked about the OSI
Model and its importance. But now we can see how each of those layers works and looks in Wireshark.

Lesson3: Deep Packet Analysis of Common Protocols

Analyzing TCP

- Transmission Control Protocol is based on concepts first described by Robert Kahn and Vint Cerf in 1974. Their
memo, A Protocol for Packet Network Intercommunication, would become the foundation for TCP. TCP is a
connection-oriented transport protocol. It begins with a handshake, and data is sequenced and acknowledged. It supports
windowing, and manages data transfer with flow control.
In this graphic, we see, on the left-hand side, the four-layer TCP/IP Model: the Application, Transport, Network, and
Network Interface layers. And then on the right-hand side, you see the OSI Model, a seven-layer model from
Application, Presentation, Session, Transport, Network, Data Link, and Physical. In the center, you see the Protocols &
Services. The top layer is where you see your application layer protocols.

Followed by your transport layer protocols, TCP and UDP. TCP is a connection-oriented protocol. UDP is
connectionless. TCP is underneath the application layer and on top of the IP layer. This graphic shows the TCP Header
Format. Significant fields include the Source Port, the Destination Port, Sequence, Acknowledgement, and the flags. Let's
take a look at the TCP header.

We're going to open a TCP example. Up on the top you see frames one, two, and three represent the handshake. We'll
cover that later. For now, we're going to put in a display filter, "http". We want to only see the application HTTP, and we'll
see the TCP header right above HTTP, represented in this pane. We'll go to frame 36. When we take a look at this
individual frame, you'll see frame 36, and there is no header called "frame"; this is simply Wireshark's metadata about
that frame.

We then see the true headers, which are the frame header, "Ethernet II", IP header, and then TCP header followed by
HTTP. We're going into the TCP header. I'm going to place my cursor on this plus sign, then I'll expand it out so we have a
lot of room to take a look at the entire header. As I said, there are significant fields in here, and we'll take a look at
those. The source port, here is where we see the sending or listening port. And in this case, it's port 80, which would
make sense, because it is an HTTP connection.

The destination port, 54841, this is sent by the client saying, "When you return data, send it to this port." The next line
you see, "Stream index". There is no stream index field in a header. This is, again, another way Wireshark helps you keep
track of the data. A stream is an IP address and a port address that represents a socket. Stream index matters because,
when you have a large capture, you'll see many streams.

This will allow you to follow a stream. Now we are at the sequence number, and in this case, you see it's a relative sequence
number, and this is set in Wireshark as a preference that is in relationship to where it started. It's a smaller number that
is easier for us to understand. If we did not check relative sequence number, the number would be large. Let's take a
look. I'm going to go to Edit, and Preferences. Now, I'm going to take a look at protocols and type "TCP".

Over in the right pane, I'm going to say, "Analyze TCP sequence numbers", and I'm going to uncheck it. Now I'm going to
apply.

Dissecting the TCP three-way handshake

- Transmission Control Protocol is a connection oriented protocol. It begins with a handshake and ends with a
termination session. Normal TCP traffic begins with a 3-way handshake. The SYN packet will synchronize the sequence
numbers, and the first two packets of the 3-way handshake have the SYN flag set. In a 3-way handshake, a client initiates
the conversation by requesting to have a communication session with a server.

First the client sends a synchronization packet. If the server accepts, it responds with a synchronization
acknowledgment saying that the door is open, the light is on, let's do this thing. The client responds with an
acknowledgment. Now, the session begins and we have a socket created. There is no data sent in a 3-way
handshake. Periodically, services will be refused. Then, you will see a reset.

No response may indicate a firewall. You may receive an ICMP Destination Unreachable packet. A code might be the
network was unreachable or the host was unreachable, but most likely the target port is firewalled. The host may try
again with another SYN packet. At the end of a conversation, generally, there is a proper termination with an exchange
of FIN packets. However, sometimes the connection will simply time out and close, or no password was sent so the
connection is simply reset, or FIN packets are exchanged for a normal termination.

For normal termination, we see simply an exchange of FIN and FIN ACK packets from the client to the server, and the
server back to the client. Now, we can see a TCP example. Again, this is a packet capture we've captured before, and we
have a beginning and an end in this packet capture. Now, we're first going to look at the 3-way handshake. Remember,
no data is transferred until we initiate contact with the server, it responds with a SYN ACK, and we send our final
acknowledgment; then we can begin to send data.

Now, our 3-way handshake will begin by going to Frame 1. This is where our client initiates contact with a server. We see
that the client 192.168.1.2 initiates contact with the server at 174.143.213.184. Now, this is a SYN packet, so I'm going to
drop this down. We'll take a look at the Transmission Control Protocol header. I'm now going to take a look at the flags.

We're going to drop this down, and we see that the SYN flag is set. Now in that initial packet, we're attempting to
synchronize the sequence numbers. On my side, we see that the sequence number is set at 0. Coming back from the
server, we see that the server at 174.143.213.184 responds to the client at 192.168.1.2 with a SYN ACK.

We go down to the flags and we see that the SYN flag is set and so is the acknowledgment flag. Again, we're trying to
synchronize the sequence numbers. As expected, the sequence number is 0. Now, we have set this as relative sequence
numbers in Wireshark so they make sense. Our third packet is the third packet in a 3-way handshake. At this point, the
client at 192.168.1.2 sends to the server at 174.143.213.184 the final acknowledgment.

We'll take a look at that and we see that that acknowledgment flag is set. Now, we see the sequence number is 1. Now,
we can begin transferring data. During that 3-way handshake, we see the length is 0, because there is no
data. Remember, it's only a handshake. Now, we'll bring these up and now we're going to take a look and locate a FIN
packet. With a Transmission Control Protocol being a connection oriented protocol, we have a setup, and then we have
a tear-down.

We have the tear-down with an exchange of FIN packets. Let's locate some packets with the FIN flag set. I'm going to
expand the TCP header, and let's prepare a filter. We'll go down here to the FIN flag and right-click. Now, if I say Apply as
Filter, it's going to simply run it, and as you see that FIN flag is set at 0. I want to Prepare as Filter, Selected, and
modify that. So, tcp.flags.fin is set at 0.

I'm going to say give me the ones that are set at 1 and apply. Now, I can see at Frame 38 we have an exchange of FIN
packets along with 39. I'll clear that, and we'll go down to that, and see how the connection closes. At the end of the
conversation, we do see an exchange of FIN and FIN ACK packets. Go down below and take a look at the flags that are
set. In this case, you see the FIN flags set and the acknowledgment flag set. They're set from the client to the
server, then the server back to the client.

This flows as the connection and completes the session.
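An added example, not course material, covering both the TCP header fields above and the handshake and FIN teardown just walked through: it dissects a constructed capture (the lesson's ports 54841 and 80, made-up initial sequence numbers and a made-up request payload), reproduces Wireshark's relative sequence numbers, validates the SYN / SYN-ACK / ACK exchange, and finds the FIN frames the way the tcp.flags.fin == 1 filter does.

```python
import struct

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MASK32 = 0xFFFFFFFF


def build_tcp(sport, dport, seq, ack, flags, window=65535):
    """Return a 20-byte TCP header with no options; checksum is left at zero."""
    offset_flags = (5 << 12) | flags            # data offset = 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp(segment):
    """Dissect the fields the lesson walks through: ports, seq/ack, flags, length."""
    sport, dport, seq, ack, offset_flags, _window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (offset_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": offset_flags & 0x3F, "header_len": header_len,
            "payload_len": len(segment) - header_len}


def flag_names(flags):
    names = [n for n, bit in (("FIN", FIN), ("SYN", SYN), ("RST", RST),
                              ("PSH", PSH), ("ACK", ACK), ("URG", URG)) if flags & bit]
    return "/".join(names) or "none"


def is_three_way_handshake(segments):
    """True when frames 1-3 are SYN, SYN/ACK, ACK with consistent numbers and no data."""
    if len(segments) < 3:
        return False
    syn, synack, ack = segments[:3]
    return (syn["flags"] & (SYN | ACK) == SYN
            and synack["flags"] & (SYN | ACK) == (SYN | ACK)
            and synack["ack"] == (syn["seq"] + 1) & MASK32
            and ack["flags"] & (SYN | ACK) == ACK
            and ack["seq"] == (syn["seq"] + 1) & MASK32
            and ack["ack"] == (synack["seq"] + 1) & MASK32
            and all(s["payload_len"] == 0 for s in (syn, synack, ack)))


def relative_numbers(segments):
    """Wireshark's 'relative sequence numbers': subtract each direction's ISN."""
    isn, out = {}, []
    for s in segments:
        fwd, rev = (s["sport"], s["dport"]), (s["dport"], s["sport"])
        if s["flags"] & SYN:
            isn[fwd] = s["seq"]             # the SYN carries the initial sequence number
        rel_seq = (s["seq"] - isn.get(fwd, s["seq"])) & MASK32
        rel_ack = (s["ack"] - isn[rev]) & MASK32 if (s["flags"] & ACK) and rev in isn else 0
        out.append((rel_seq, rel_ack))
    return out


def frames_with_fin(segments):
    """Equivalent of the display filter tcp.flags.fin == 1 (1-based frame numbers)."""
    return [i for i, s in enumerate(segments, start=1) if s["flags"] & FIN]


# Constructed capture: the same ports as the lesson (client 54841, server 80),
# with made-up initial sequence numbers and a made-up HTTP request payload.
CLIENT_ISN, SERVER_ISN = 0x1D3F8A10, 0x7B2C0001
REQUEST = b"GET /image.png HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
CAPTURE = [
    build_tcp(54841, 80, CLIENT_ISN, 0, SYN),                                   # frame 1
    build_tcp(80, 54841, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),                # frame 2
    build_tcp(54841, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),                  # frame 3
    build_tcp(54841, 80, CLIENT_ISN + 1, SERVER_ISN + 1, PSH | ACK) + REQUEST,  # data
    build_tcp(80, 54841, SERVER_ISN + 1, CLIENT_ISN + 1 + len(REQUEST), FIN | ACK),
    build_tcp(54841, 80, CLIENT_ISN + 1 + len(REQUEST), SERVER_ISN + 2, FIN | ACK),
]


def parse_capture(capture=CAPTURE):
    return [parse_tcp(frame) for frame in capture]


if __name__ == "__main__":
    segs = parse_capture()
    for num, (s, rel) in enumerate(zip(segs, relative_numbers(segs)), start=1):
        print(f"frame {num}: {s['sport']} -> {s['dport']} [{flag_names(s['flags'])}] "
              f"seq={rel[0]} ack={rel[1]} len={s['payload_len']}")
    print("handshake valid:", is_three_way_handshake(segs))
    print("FIN frames:", frames_with_fin(segs))
```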

Exploring IPv4

- At the network layer, we use Internet Protocol. We'll focus on IP Version 4, Internet Protocol Version 4, because it is
still widely used. IP Version 4 is Connectionless - best effort, meaning there's no guarantee it's gonna get to its final
destination. It's up to a higher level protocol, TCP, to guarantee its delivery. For example, if we're using a webpage, we
would use TCP to guarantee delivery. IP will not guarantee delivery.

It's like sending a letter in general delivery. Most of the time it gets there, but there's no guarantee that it's going to get
there. IP also handles addressing and routing to get a packet to its final destination. IPv4 also, in the original RFC, was
to include fragmentation as one of its jobs. That's taking the packet and breaking it into smaller packets, with reassembly
at the other end. That was used widely in the early days of the network because the network was unstable.

It is not used anymore. There are also other options that will provide for control functions. We've seen this graphic
before. On the left, we see the TCP/IP Model. On the right, we see the OSI Model. Where we see the Internet Protocol is
in the Network Layer; the layer above it is TCP, and below it is the Data Link Layer, which is also the
Network Interface Layer in the TCP/IP Model. The IP Version 4 Header Format includes significant fields such as source
and destination address.

We also see some other things that you may be familiar with. Type of service, which is going to be called quality of
service in some cases, differentiated services, and time to live, which essentially means how many times it can hop
through different routers before it times out. In the IP Version 4 header, there's also a header checksum, again, used for
error detection, not correction, on a network. In this case, we can select any of those frames to look at an IP header.

The one frame that won't have an IP header is an ARP broadcast, but any other one will. Let's
take a look at Frame 1 and we'll take a look at the IP header. We'll expand this out and then I'll move up this single frame
so we can examine the Header in more detail. Now you see the data about this indicating IP version 4 in the source and
the destination IP address; that's simply information so you can see that very quickly.

But let's take a look at some of those field values. Underneath that header we see it's version 4. Now we know it's
version 4, but that's simply what it indicates. In version 6, it would indicate it's version 6. Now the header length here
says 20 bytes. Now we know it's 20 bytes, but another way to check this is to go up and place your cursor right on the
header. Down below you see in the lower left hand corner, it says 20 bytes. It's not always necessary to check this, but
it's just to show you where you can quickly reference the header length.

The Differentiated Services Field. This field is used as a type of service, or quality of service. In this case, it's simply
best-effort, or it's set at zero. The total length is the IP header and anything that follows it. And the Identification. Now this
field indicates what is the ID field of this packet. Now the ID field was used when we fragmented data. So we see three
fields that were used back when we did fragmentation.

The Identification field, the Flags and the Fragment offset. The original specification for IP version 4 indicated that the
two primary jobs of IP version 4 were addressing and fragmentation. So with that we see the Identification field, which
was used when there was fragmentation. When the packets were broken into smaller parts, they had to keep all the
packets together and that's where the Identification field was used.

All the numbers would be consistent, but I would have to take you back to a packet capture from the late 1990s because
fragmentation is not done on today's network and you shouldn't allow it. But let's take a look at the flags. These flags are
specifically for fragmentation. This first flag is simply the reserved bit; it is not used. The second flag is Don't
Fragment. And the third flag is More Fragments. In most, if not all, cases, you should see the Don't Fragment flag set.

More Fragments would be set if there were more fragments to follow. But again, you should not see any fragmentation
on today's networks. If you were to take a packet capture and look at fragmented packets, we would see an offset, and
that value is placed in here. The time to live value is essentially the number of hops the packet can take before it times
out and is dropped. The time to live value is designed to prevent packets from flying endlessly around and around in a
loop.

When it reaches zero, it simply drops. The protocol field indicates what header follows the IP header and in this
case, you see it's TCP, which is exactly what that header is. The checksum: IP version 4 has a checksum, which is used for
error detection, not correction. And then you see the Source and Destination IP address. One other thing that you'll see
in Wireshark is GeoIP.

This reference is the GeoIP databases that can be used in conjunction with Wireshark to show where exactly packets
were sent and where they were received.
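An added example (not part of the course) that dissects the IPv4 header fields just described from a constructed packet carrying the lesson's addresses, verifies the header checksum, flags fragmentation (More Fragments or a non-zero offset), and models the per-hop time to live decrement that ends with the packet being dropped. The identification value, TTL and payload bytes are made up.

```python
import socket
import struct

# The three fragmentation flag bits, high bits of the flags/fragment-offset word.
RESERVED, DF, MF = 0x4, 0x2, 0x1
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def internet_checksum(data):
    """RFC 1071 ones' complement sum of 16-bit words; returns the complement."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, protocol, payload_len, ident, flags=DF, ttl=64, dscp=0):
    """Build a 20-byte IPv4 header (no options) with a correct header checksum."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,            # version 4, IHL 5 words = 20 bytes
                         dscp << 2,               # DSCP in the high 6 bits, ECN 0
                         20 + payload_len,        # total length = header + data
                         ident, flags << 13,      # flags occupy the top 3 bits
                         ttl, protocol, 0,        # checksum field zero while computing
                         socket.inet_aton(src), socket.inet_aton(dst))
    checksum = internet_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:]


def parse_ipv4(packet):
    """Dissect the fields the lesson walks through, verifying the checksum."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, protocol, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    flags = flags_frag >> 13
    return {
        "version": ver_ihl >> 4,
        "header_len": header_len,
        "dscp": tos >> 2,
        "total_len": total_len,
        "id": ident,
        "reserved": bool(flags & RESERVED),
        "df": bool(flags & DF),
        "mf": bool(flags & MF),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOL_NAMES.get(protocol, str(protocol)),
        # A valid header sums to 0xFFFF, so its complement is zero.
        "checksum_ok": internet_checksum(packet[:header_len]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def is_fragment(fields):
    """Fragmentation, which the lesson says you should not see on today's networks."""
    return fields["mf"] or fields["frag_offset"] > 0


def forward_hop(packet):
    """What each router does: decrement TTL and fix the checksum; drop at zero."""
    ttl = packet[8]
    if ttl <= 1:
        return None                      # TTL would reach zero: packet is dropped
    header_len = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:header_len])
    header[8] = ttl - 1
    header[10:12] = b"\x00\x00"          # zero the field before recomputing
    header[10:12] = struct.pack("!H", internet_checksum(bytes(header)))
    return bytes(header) + packet[header_len:]


# Constructed sample: the lesson's addresses carrying a 40-byte TCP segment
# (payload bytes are placeholders); identification and TTL are made up.
SAMPLE = build_ipv4("174.143.213.184", "192.168.1.2", 6, 40, 0x1A2B, ttl=52) + b"\x00" * 40

if __name__ == "__main__":
    for name, value in parse_ipv4(SAMPLE).items():
        print(f"{name:>12}: {value}")
```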

Discovering HTTP

- Hypertext transport protocol is an application layer protocol for the web. HTTP uses TCP as the transport layer
protocol. We're gonna focus on HTTP version 1.1, since it is the most widely used. In this graphic, as we've seen before, we see
on the left-hand side the TCP/IP model, on the right-hand side we see the OSI model. Then within the center we see
protocols and services.

We see here that HTTP is in the application layer. There are two types of HTTP messages: requests from a client, and
then a response. Now a web page consists of objects. Those objects can be something like the images, the HTML file
itself, and JavaScript. Now we want to ensure that we get all of those objects, so that your web page can be rendered
correctly. HTTP is a stateless protocol, meaning the server maintains no information about past client requests.

An HTTP request message begins with a request line, which indicates the GET or POST method and a Uniform Resource
Identifier, or URI. This is different from the URL, or Uniform Resource Locator, in that a URI indicates where on the page
you'll find what you're looking for. You would see that when you search for, perhaps, the SYN flags in a TCP header; you
might come back with a URI that drills right down to the SYN flags section of that page, and that's how a URI works.

There's also additional information about the request, and about the client itself to the server. That would include what
language might it accept, and the type of connection. The HTTP response message would include the status code line,
and tell us what status this transaction would be in. In most cases we would hope that it would be a status 200, or
OK. The Header Fields, such as a keep-alive connection, and the type of content, and then the data that was requested
in the file.

There are five main types of HTTP response status codes. The first one is informational. It's not used, but simply reserved
for future use. Most likely we see a 200 status code, and that means that the request has succeeded, and the requested
object appears later in this message. 300 codes means there's a redirection, and further action must be taken in order to
complete the request. You might see a status code 301.

That indicates that it's moved permanently. 400 means there's a client error, the request possibly contains bad syntax or
cannot be fulfilled. And 500 is a server error, the server failed to fulfill an apparently valid request. When we look at the
type of connections, there's non-persistent, and persistent. A non-persistent HTTP connection establishes one TCP
connection, one single object is sent over that connection, and then that TCP connection is closed.

For each object, the same process is repeated. HTTP 1.0 uses non-persistent HTTP. It's a little slower as you can see, because
each object takes a separate session. A better way to go is using a persistent HTTP connection. There are a number
of advantages, one being that multiple objects can be sent over a single TCP connection. There's no need to establish
and close multiple connections with a lot of overhead.

HTTP 1.1 uses persistent connections in default mode. In this case, you see the packet capture, but we want to focus in
on HTTP. Go up to the display filter, and type, "H-T-T-P" and apply. Now we see two packets, a request from the client to
the server to go get an image. Now let's take a look down below at the individual frame. Give us a little more landscape
by pulling this up, and we see that frame four and the encapsulation process as we see, and now we can see HTTP, and
now let's expand this.

So it tells us a little bit about what the client is asking: "Well, I would like an image, and I am going to ask if we could use
1.1, telling me where I want to go, packetlife.net, and what is my browser?" Mozilla. Also, "What language am I going
to accept?" And also a keep-alive request. So now let's take a look at frame 36, and this is responding from the
server. Well, it's telling us first of all, that it is saying it's a 200 status, meaning it's OK.

You see next we see the server which is "nginx". Nginx and Apache are two of the most widely used web servers in the
world. In fact approximately 65% of the web servers are either nginx, which is a lightweight Apache, or Apache. This tells
us when is the date, what is the connection, as you see a keep-alive, and now let's do something else. I'm gonna bring
this up, and I'm gonna just show you that if I wanted to see this all in one, I'm going to place my cursor on frame 36, and
I'm gonna right-click.

Now I'm gonna say Follow TCP Stream. If the data is unencrypted, I can actually see the headers as we look, and the
request and the reply from the server. So there very easily it's telling me that I've asked for an image, and again, what
my user agent is, in that case Mozilla. Now we'll scroll down, and we'll see from the server that yes, the status code is
OK, and I am sending you this image.

Now down below is where you will see it says, ".PNG." That is your image. I'm gonna scroll down a little bit more, and of
course it is in a proper encoding for a PNG, and I'm gonna close that. So now you can sort of see what happens during an
HTTP conversation. The client is requesting data from the server. The server is returning it back to the client, and if
everything goes well, it will receive all the objects of the webpage.
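An added example, not course material, for the HTTP exchange just followed: it parses a constructed request and response modelled on the lesson (a GET for a PNG from a Mozilla client to packetlife.net, answered 200 OK by nginx over keep-alive), places the status code in one of the five classes, decides whether the connection is persistent under the HTTP/1.0 and 1.1 defaults, and checks that a 200 response actually delivered the PNG object intact. The PNG body is a stub, not a real image.

```python
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # first 8 bytes of every PNG file


def parse_http(raw):
    """Split an HTTP/1.x message into start line, header fields and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # field names are case-insensitive
    if parts[0].startswith("HTTP/"):                     # response: status line
        msg = {"kind": "response", "version": parts[0], "status": int(parts[1]),
               "reason": parts[2] if len(parts) > 2 else ""}
    else:                                                # request: request line
        msg = {"kind": "request", "method": parts[0], "uri": parts[1], "version": parts[2]}
    msg["headers"], msg["body"] = headers, body
    return msg


def status_class(code):
    """The five classes from the lesson: 1xx through 5xx."""
    return STATUS_CLASSES.get(code // 100, "Unknown")


def is_persistent(msg):
    """HTTP/1.1 keeps the TCP connection open unless told 'close';
    HTTP/1.0 closes it after one object unless 'keep-alive' is requested."""
    connection = msg["headers"].get("connection", "").lower()
    if msg["version"] == "HTTP/1.1":
        return connection != "close"
    return connection == "keep-alive"


def object_delivered(response):
    """Did the server return the requested object intact? Checks the status,
    the declared length against the bytes seen, and the PNG signature for image/png."""
    if response["status"] != 200:
        return False
    declared = response["headers"].get("content-length")
    if declared is not None and int(declared) != len(response["body"]):
        return False                      # truncated or over-long body
    if response["headers"].get("content-type", "").startswith("image/png"):
        return response["body"].startswith(PNG_MAGIC)
    return True


# Constructed exchange modelled on the lesson; the PNG body is a stub, not an image.
PNG_STUB = PNG_MAGIC + b"\x00" * 8
REQUEST = (b"GET /images/logo.png HTTP/1.1\r\n"
           b"Host: packetlife.net\r\n"
           b"User-Agent: Mozilla/5.0 (constructed)\r\n"
           b"Accept-Language: en-US\r\n"
           b"Connection: keep-alive\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Server: nginx\r\n"
            b"Content-Type: image/png\r\n"
            b"Content-Length: " + str(len(PNG_STUB)).encode() + b"\r\n"
            b"Connection: keep-alive\r\n\r\n" + PNG_STUB)

if __name__ == "__main__":
    req, resp = parse_http(REQUEST), parse_http(RESPONSE)
    print(req["method"], req["uri"], "persistent:", is_persistent(req))
    print(resp["status"], status_class(resp["status"]), "delivered:", object_delivered(resp))
```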

Mastering DNS

- Domain name system as we see in our model here with TCP/IP and OSI Model is an application layer protocol. It sits up
here with the other applications and it is essential to any network. DNS converts host names to an IP address. It uses
port 53 over UDP or TCP. In general, it uses UDP, but for a full zone transfer, you would use TCP.

It transfers name information between DNS servers. DNS failures will prevent hosts from communicating or locating
each other. Normal Queries and Responses occur when a client sends a query to a DNS server for an IP address. The
server then responds with information, but it can also ask other DNS servers for the information. There are 4 Sections of a
DNS Header.

We see that there are a number of different types of DNS Queries. A couple that you'll be seeing are a Type A, which is an
IPv4 address; a quad-A, which is IPv6; or MX, which is a Mail Exchange. We selected a UDP Example because DNS
primarily uses User Datagram Protocol. Remember, it will only use a TCP connection when it does a full zone transfer. We
see here this capture.

I only want to filter out DNS records. I'm going to type DNS and I'm going to say Apply. Here we see a number of
queries and responses. When you go to a webpage, automatically in the background, your operating system is doing
these resolutions so that if you were to click on a hyperlink then you can immediately go to whatever page is presented
on there in the form of a hyperlink. Now we see a number of different queries and responses.

If I select, for example, Frame 1017, I only want to see the request and response from that single request for
mcafee.com. I'm going to right click and I'll say Follow UDP Stream. Now in this case, I'm just going to see the request
and reply, and I'm not going to see anything else because there's really no data. It's just doing the resolution. We're going
to close this out. Now we can focus on this single query and response. I'll bring this back up here so we can take a better
look at this individual frame.

We see the User Datagram Protocol and I'm going to drop this down and we see the Source Port from the client
55478. It's going to the Destination Port 53, which is the DNS server. We'll bring this back up and take a look at DNS. This
is a query. In this case, you can see the Flags, which are set. I'm going to drop this down. When you look into this and
under the Flags, you see Recursion desired: Do query recursively. There are two types of queries: recursive and iterative.

Recursive means if you could ask the server "Please, if you could look for me, I'd appreciate it." Iterative means "If I can't
find it, "I have to go back out again and again "until I do a resolution." So I prefer a recursive query. We see that the type
is a query message and now I'm going to just bring this back up here and go to queries. Let's take a look at the query. It's
saying could you please do a resolution for mcafee.com? Type A, which is an IPv4 address.

We'll also take a look at the Transaction ID and in this case, you can see that when you look at the response, it will be
the same. I'll place my cursor on the Transaction ID. Now let's look at the response. The Transaction ID is the same. We
know that they're paired, so they keep them together, so I know which one is the query and which one is the
response. Now I'm in the response. I'm going to bring this up and take a look at the UDP header. As you can see it's
coming from the Server Port 53, which is the DNS server port, and then Destination Port goes back to the client 55478.

Let's bring this back up. Let's take a look at that response. I'm going to bring the Flags down again because in this
case you see that the Flag is set as a response. Down below though, you'll see something a little different. Here we say
Recursion desired: Do query recursively. I have asked if you could please do that query recursively. Here we see the
recursion is available, server can do recursive queries, which is what I want. Let's bring this up.

We've asked for mcafee.com, now we're going to take a look at the answers. You can see that it's coming back with the
type A or IPv4 address. Remember, type A is IPv4. Quad-A or four A's is an IPv6. Down below all the way in the bottom
line, you see the address, 161.69.92.10. But here's something that you may not have known about DNS. You see
it's a Time to live.

A Time to live value in a DNS header has nothing to do with the hops that are in IPv4. A Time to live means how
long, how many seconds it can live in my cache. Some Time to live values are very generous, others are very short. It
really all depends. Anything on your network generally should time out so that gives you the freshest values. In this case,
we see the standard DNS request and reply. We took a look at the recursion flags and also, the Time to live value.
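An added example (not part of the course) that builds and dissects the query and response just examined: a Type A query for mcafee.com with Recursion Desired set, and a response with Recursion Available, an answer that compresses the name with a pointer back to the question, a DNS Time to live in seconds, and the address 161.69.92.10. The Transaction ID and the TTL value are made up; pairing by Transaction ID is the same matching Wireshark does.

```python
import socket
import struct

TYPE_NAMES = {1: "A", 15: "MX", 28: "AAAA"}
QR, RD, RA = 0x8000, 0x0100, 0x0080        # header flag bits (RFC 1035)


def encode_name(name):
    """'mcafee.com' becomes length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode()
                    for label in name.strip(".").split(".")) + b"\x00"


def decode_name(msg, offset):
    """Decode labels at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                      # bound the walk so a pointer loop cannot hang us
        length = msg[offset]
        if length & 0xC0 == 0xC0:             # pointer: two bytes, top two bits set
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    raise ValueError("malformed name")


def build_query(txid, name, qtype=1):
    """Standard query with Recursion Desired set: one question, no answers."""
    return (struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def build_response(query, address, ttl):
    """Answer an A query: same txid, QR|RD|RA, question echoed, answer name as a pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    answer = (struct.pack("!H", 0xC000 | 12)              # pointer to the question name
              + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(address))
    return struct.pack("!HHHHHH", txid, QR | RD | RA, 1, 1, 0, 0) + question + answer


def parse_dns(msg):
    """Dissect header flags, questions and answers as the Wireshark pane shows them."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    header = {"txid": txid, "response": bool(flags & QR), "opcode": (flags >> 11) & 0xF,
              "recursion_desired": bool(flags & RD), "recursion_available": bool(flags & RA),
              "rcode": flags & 0xF}
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": TYPE_NAMES.get(qtype, qtype)})
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1:
            data = socket.inet_ntoa(rdata)
        elif rtype == 28:
            data = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            data = rdata.hex()
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype),
                        "ttl": ttl, "data": data})
    return {"header": header, "questions": questions, "answers": answers}


def pair_by_txid(messages):
    """Group each query with its response by Transaction ID."""
    pairs = {}
    for msg in messages:
        parsed = parse_dns(msg)
        slot = pairs.setdefault(parsed["header"]["txid"], {"query": None, "response": None})
        slot["response" if parsed["header"]["response"] else "query"] = parsed
    return pairs


# Constructed exchange: the lesson's name and answer address, made-up txid and TTL.
QUERY = build_query(0x5E1B, "mcafee.com")
RESPONSE = build_response(QUERY, "161.69.92.10", ttl=300)

if __name__ == "__main__":
    for txid, pair in pair_by_txid([QUERY, RESPONSE]).items():
        print(f"txid 0x{txid:04x}: {pair['query']['questions']} -> {pair['response']['answers']}")
```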

Grasping UDP

- User Datagram Protocol. User Datagram Protocol is a simple transport layer protocol. We see in this graphic as we've
seen before, on the left-hand side the TCP/IP Model and on the right-hand side the OSI Model. In the center we see
Protocols & Services. We see here in the Transport Layer, alongside TCP, we see UDP. It sits below the Application
Layer Protocols and above IP.

UDP provides connectionless Transport Layer services. It's very simple in that there is no handshake or connection
process. There is no ordering or reliability, but as a result, few problems occur with UDP. What are some UDP
Applications? Domain Name System uses UDP. Aside from TCP for a full zone transfer, DNS uses UDP when we actually
have to do a hostname to IP address resolution.

We want it fast, latency can't be an issue. Voice over IP, the same issues, we want it fast, no overhead should be
included in a Voice over IP transaction. Routing Information Protocol also uses UDP, and Trivial File Transfer Protocol, it's
related to File Transfer Protocol but it is a lightweight application, and Dynamic Host Configuration Protocol or
DHCP. UDP headers are always 8 bytes long.

What's included in a UDP header? Very simply, it has a Source Port, a Destination Port, the Length Field and a
Checksum. Now, the Checksum, in many instances, in any header, is used for error checking. Remember,
error detection, not correction. The Checksum is optional when used with IPv4. If you see a value of zero in that
Checksum, it means it simply wasn't used.

Oddly enough though, when UDP runs over IPv6, the Checksum is mandatory. Why? Because IPv6 does not have a
checksum. We'll take a look at a UDP example. Now, we're going to filter on UDP and come up with protocols that utilize
UDP. Now, User Datagram Protocol is very lightweight, four fields. Let's take a look at this. I'm going to select any
frame, we can select frame 13.

Then expand the User Datagram Protocol. As you see, the four fields, including the Source Port, the Destination Port, the
Length and the Checksum. Again, very lightweight protocol, not much to it and not many things happen and go wrong
with UDP. We'll take an opportunity, since we don't really have much to discuss with UDP, with some other things within
Wireshark. Let's clear this out. One thing that I can show you are the statistics.

Place your cursor up under Statistics and click and take a look at the Summary. The Summary is really just telling us a
little bit about this Packet Capture itself. In this section here, with the new generation of Wireshark, you can add some
file comments. For example, if you were to capture something unusual and you wanted to share this with your
friend, "Connor, this is something that I felt was important, please take a look at frame 29," and there might be a
signature or something unusual that you wanted to share, which is nice, you can add that comment section.

Another thing is the coloring rules. Now, there are coloring rules with Wireshark and that was not always the case. If you
had used anything else that didn't use coloring, you might find this distracting and you can turn this off. I'm going to
just go under Internals and just uncheck the coloring rules, and you can see that clears it up. Now, the coloring rules are
there to help us, but again, it might be distracting so some people like to turn it off. We can put it back on but now let's,
again, take a look at the statistics.

If I go into Statistics, I can also see some of the other statistics. Now, one thing that might be of interest is a Protocol
Hierarchy. I'll place my cursor under Protocol Hierarchy, and we can take a look and it breaks it down by the types of
protocols that are evident in this capture. This helps you to eyeball protocols that, perhaps, are not allowed on your
network. We see that when broken down at Transport Layer Protocol, TCP is most widely used.

But there might be some other protocols on that network that you should not have on there. Now, your packet shapers,
if you do have them, will do this for you in your organization, but if you don't have a packet shaper you can just quickly
do a check to see if there's someone, perhaps, doing some illegal activity, some gaming or some type of activity that is
not allowed. Now, we're going to go and we'll take a look at Statistics and let's take a look at Conversations. Now, the
Conversations are the two endpoints that are in a conversation together.

Here, we can take a look at the conversations in the Ethernet Conversations and this is our MAC addresses. We can look
in at IPv4 and then here's TCP which is in this packet capture and also UDP. We can filter these, we can select any of
these and right click and say "Prepare a Filter", Selected, and now we can really be specific, for example, I wanted A-B.

Then I can close that and now it filters out only one type of data string. I'm going to apply this and now we can see, now
that is going from the .2 address to .255. I'll clear that. And the last thing is a Go To feature. Underneath Telephony, we
can just select this little green arrow with a yellow dot. Now, this is a fairly short capture but if I wanted to jump to a
higher packet in a larger capture, I'm just going to go jump to 1000, and Jump to, it'll take me right to that.

It's a little shortcut, again, with this small packet capture you might not need that, but it is there. That's pretty much it for
UDP.
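An added example, not course material, for the four-field UDP header and the checksum rules just described: it builds and parses constructed datagrams on the lesson's DNS ports (55478 to 53), computes the checksum over the IP pseudo-header so a datagram delivered to the wrong address also fails, reports a zero checksum as "not used" over IPv4 but "invalid" over IPv6, and catches a flipped payload bit. Addresses other than the lesson's client are made up (IPv6 ones from the documentation prefix), and the payload is a placeholder.

```python
import socket
import struct

UDP_PROTOCOL = 17


def ones_complement_sum(data):
    """Fold the 16-bit ones' complement sum used by the IP family checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src, dst, udp_len, family):
    """The IP pseudo-header the UDP checksum also covers (RFC 768 / RFC 8200)."""
    if family == "ipv4":
        return (socket.inet_aton(src) + socket.inet_aton(dst)
                + struct.pack("!BBH", 0, UDP_PROTOCOL, udp_len))
    return (socket.inet_pton(socket.AF_INET6, src) + socket.inet_pton(socket.AF_INET6, dst)
            + struct.pack("!I3xB", udp_len, UDP_PROTOCOL))


def udp_checksum(src, dst, datagram, family="ipv4"):
    """Checksum over pseudo-header + datagram whose checksum field is still zero."""
    total = ones_complement_sum(pseudo_header(src, dst, len(datagram), family) + datagram)
    return (~total & 0xFFFF) or 0xFFFF       # a computed zero is transmitted as 0xFFFF


def build_udp(sport, dport, payload, src, dst, family="ipv4", with_checksum=True):
    """The 8-byte header: source port, destination port, length, checksum."""
    length = 8 + len(payload)
    datagram = struct.pack("!HHHH", sport, dport, length, 0) + payload
    if not with_checksum:
        return datagram                      # legal over IPv4 only: zero means unused
    checksum = udp_checksum(src, dst, datagram, family)
    return datagram[:6] + struct.pack("!H", checksum) + datagram[8:]


def parse_udp(datagram):
    sport, dport, length, checksum = struct.unpack("!HHHH", datagram[:8])
    return {"sport": sport, "dport": dport, "length": length, "checksum": checksum,
            "payload": datagram[8:length]}


def verify_udp(datagram, src, dst, family="ipv4"):
    """'ok', 'bad', 'not used' (zero over IPv4) or 'invalid' (zero over IPv6)."""
    fields = parse_udp(datagram)
    if fields["length"] < 8 or fields["length"] > len(datagram):
        return "bad"
    if fields["checksum"] == 0:
        return "not used" if family == "ipv4" else "invalid"
    covered = pseudo_header(src, dst, fields["length"], family) + datagram[:fields["length"]]
    return "ok" if ones_complement_sum(covered) == 0xFFFF else "bad"


# Constructed datagrams: the lesson's DNS ports with a placeholder payload.
PAYLOAD = b"\x5e\x1b\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # DNS-header-like bytes
V4_WITH = build_udp(55478, 53, PAYLOAD, "192.168.1.2", "192.168.1.1")
V4_WITHOUT = build_udp(55478, 53, PAYLOAD, "192.168.1.2", "192.168.1.1", with_checksum=False)
V6 = build_udp(55478, 53, PAYLOAD, "2001:db8::2", "2001:db8::53", family="ipv6")

if __name__ == "__main__":
    print(parse_udp(V4_WITH))
    print("IPv4 with checksum:", verify_udp(V4_WITH, "192.168.1.2", "192.168.1.1"))
    print("IPv4 zero checksum:", verify_udp(V4_WITHOUT, "192.168.1.2", "192.168.1.1"))
    print("IPv6:", verify_udp(V6, "2001:db8::2", "2001:db8::53", "ipv6"))
```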

Examining FTP

- File Transfer Protocol is used to share files and transfer data reliably and efficiently. Now, in this graphic we've seen
before, we see on the left-hand side the TCP/IP Model, on the right-hand side the OSI Model. Up at the top you see your
Application Layer Protocols, and there you see FTP. Underneath that, you see TCP and UDP, your Transport Layer
Protocols, and FTP uses TCP as its Transport Layer Protocol.

FTP is a TCP based client/server model. The FTP client initiates a data transfer, and then transfers files to and
from a remote FTP server. What you need to know about FTP is, it uses two separate connections. And, unlike an HTTP
server, an FTP server maintains state information and will keep track of things such as what is the current directory, and
any user authentication.

Now, with the FTP Connections, a client will contact a server at port 21. It will then establish a control connection, and
then will be able to go in and log in and change directories, et cetera. The client is authenticated over that control
connection, and then the client is allowed to browse the remote directory. There are two types of file transfer protocol,
either Active, or Passive. First, let's take a look at Active FTP.

With Active FTP, the client sends a Port Request, and that would be over Port 21. That's the control connection. The
server is listening, and then the server then initiates a TCP connection. So, this is active. The client listens at the
requested Port number, and then the server will initiate the TCP connection. The other type of FTP connection is
Passive. This is widely used when a client is behind a firewall and is unable to accept incoming TCP connections.

Now, this is where, essentially, the client takes over. Passive Mode then may be used. The client sends a Passive
Request, first over to that control connection on Port 21. It will be clearly indicating it will want a Passive Connection,
indicated by PASV. The server then opens a random, unprivileged port and sends back the port number to the client
over the control connection. That unprivileged port is a port greater than the well-known ports; greater than 1023.

It sends it back to the client over that control connection. The client then initiates the connection to the port that was
opened by the server in order to transfer data. I'll let you know that, what I had done was, take a look around at an open
FTP server. To be honest, there aren't a lot left anymore, and we know that the best way to run FTP is through a client,
however, a web browser can go to an FTP server just like any other file system. So, instead of HTTP, in this case, I'm
gonna type "FTP" and the server's name.

That's what I did, and I was able to come up with an FTP site which I can traverse through the directory. I'll type, "FTP",
in the display filter, and "Apply". Now, here you see my connection made with that FTP server, and now I've gone into
and asked it to go into Passive Mode, which the server then said, "That would be fine". Going into TCP, you can see that
from my side I've said I wanted to request data from the FTP server. So, you see the Destination Port, Port 21, and from
my side a Source Port of 57327.

Now, you see that the Stream Index is 3. In an FTP conversation, the stream index will change, because at some point I'm
going to request data from that FTP server on a separate data connection. I'm gonna bring that back up and let's take a
look at this. As you see, that is gonna be my Passive Request. Let's go look at the next one, Frame 18. At Frame 18,
coming from the server, you see Port 21 back to my Port 57327. Okay, let's take a look, and I'll put myself into Passive
Mode so that you can do the driving.

Now, bring this back up, and we'll take a look at the server side saying, "Alright, I'm entering Passive Mode". At this
point, I'm simply gonna traverse the directory. I'm going to right-click, choose "Follow TCP Stream", and here you can
see that what I did was take a look around. I went through the directory to see if there was anything of interest. Near
the bottom, you see I found a text file that I thought would be interesting to retrieve. I'm gonna close this and clear
this.

And now, when you go into the Display Filter, bring this back up, and I type "ftp", you can see the other selection in
the filter, which automatically suggests you may want that data stream (ftp-data). I'm gonna "Apply" this. Now, as you
can see, there are a couple of streams in here. I'm just going to show you that the one I want is Stream 74. So, I could
right-click and follow the TCP Stream, but what I'm going to do is go back into the Display Filter and follow TCP
Stream 74 (tcp.stream eq 74).

Now I'm gonna "Apply". This is where I can see what data I've retrieved. Let's pull this up; now I want this from my
side. I'm going to get that data. I'm going to right-click, "Follow TCP Stream", and now I've pulled down that text file
that I wanted to see. And here is where there is a reference to an image of this individual's tombstone, and I was
curious, so I right-click, "Copy", and go to the browser and paste.

And again, that reference was in the text file, so the image itself isn't part of the download, but there it was. I'm
gonna close that and clear that. So, you can see that File Transfer Protocol is, in most cases, used through an FTP
client. In some cases you can go to an FTP server with a browser; essentially, at one point you're looking around for
what you would like to get, and when you're ready to retrieve the data, the session moves into that data connection.

Dissecting ICMP

- Internet Control Message Protocol, ICMP, is used by routers, intermediary devices or hosts to communicate updates or
error information to other routers, intermediary devices or hosts. It is also used to troubleshoot network issues. As
you see in our model graphic, ICMP resides in the Internet layer of the TCP/IP model, which corresponds to the network
layer of the OSI model. ICMP is an integral part of the Internet Protocol, and must be implemented by every IP module.

That language is part of the original RFC, RFC 792. It is a requirement: IP cannot report its own failures without
ICMP, so it is a very important protocol. Now, as we know, ICMP is used to communicate updates or error messages. ICMP
carries no application data; it's used for error reporting and for simple queries, such as the echo request and echo
reply used by the ping utility. As we see here, ICMP is essentially a scout for the Internet Protocol, making sure the
route is clear and communicating any errors.

There are four pairs of query messages: echo request and reply (the pair the ping command uses), timestamp request and
reply, information request and reply, and address mask request and reply. ICMP messages are transmitted within an IP
datagram. So here you see an illustration: you will see an IP header, and within that, you will see the ICMP message.

Within that ICMP message, you'll see some commonalities: the Type, the Code, and the Checksum. The contents that follow
depend on the type and the code. IP is unreliable. Remember, it doesn't guarantee delivery, so it's important to notify
the sender when something goes wrong. ICMP is used to give feedback about network problems that are preventing packet
delivery. When an ICMP error message is sent, the message is always going to contain the IP header of the original
datagram that caused the error plus at least the first eight bytes of its data (RFC 792 specified exactly 64 bits; later
hosts and routers may quote more).

Here you're going to see a Destination Unreachable ICMP packet. You'll see the Type, the Code, the Checksum, and then,
nested within it, the original IP header and the first 64 bits of the original datagram, eight bytes. Those eight bytes
are enough to hold the TCP or UDP port numbers, or the ICMP identifier and sequence number, so the receiver can tell
which connection or ping the error belongs to and determine what went wrong. A Type 3 Destination Unreachable message is
generated when a router or host determines that the network is unreachable (code 0), the host is unreachable (code 1),
the protocol is unreachable (code 2), the port is unreachable (code 3), or fragmentation was needed but the Don't
Fragment bit was set (code 4).

There are also Redirects. When we take a look at a Redirect message, you can see that there are a couple of different
types of Redirects, depending on whether the better route is for a network or for a single host. Now, when you have a
Redirect, there are three IP addresses the receiver of an ICMP Redirect must look at: the destination address of the
datagram that caused the Redirect, the IP address of the router that sent the Redirect, and the IP address of the router
that should be used instead. Redirects are generated only by routers, not hosts.

You also could see Time To Live Exceeded, Type 11, which refers to the Time To Live field in the IP header and is what
traceroute relies on. Keep in mind, ICMP is used in reconnaissance by tools such as those shipped with Kali Linux. So
the question is, what type of ICMP traffic do you allow? The ICMP traffic you really can't do without is Type 3,
Destination Unreachable, and especially code 4, Fragmentation Needed, which path MTU discovery depends on; blocking it
causes connections that silently stall. Type 4, Source Quench, used to be on that list but has been deprecated (RFC
6633), and Type 11 is needed if you want traceroute to work. The others are optional, and it's up to you to decide which
ones you're going to allow, keeping in mind that it is a very chatty protocol and will tell a lot about what's happening
on your network.

We'll now take a look at ICMP, specifically the ping utility. We'll take a look at a normal ping request and reply, and
then one where the destination was unreachable, and see what happens at that point. Now, we're gonna open up Wireshark,
and I'm going to get a capture ready. So I'm gonna go to Capture, then Interfaces, and set myself up. I'm not gonna
start just yet, but just set up to start, because I wanna capture everything but not capture too much.

Now, what I wanna do is ping Google. So I'm gonna open my command line and type: ping google.com. Now I'm all set. I'm
not gonna press Enter just yet; I'm just gonna start that capture. And now I'm going to ask to speak with Google. It was
successful in reaching Google, so the test for reachability passed.

I'm gonna stop the capture. Now what we have here is a request and reply, and I wanna isolate the ICMP packets. First
thing I'll just point out: you should see a DNS query resolving whatever site you pinged, because that's the first step.
You will not see the name of the site in your ICMP request; you'll see the IP address. So here you'll see the standard
query for google.com, and then you'll see the response.

So now let's focus simply on ICMP packets: icmp, and now we're going to apply that filter. Now we see four requests and
four replies. On Windows, ping defaults to four requests and then stops. On a Linux machine, it keeps going until you
stop it (or you pass -c with a count). So here I see my ping request, and if we drill down into the ICMP header, you see
that it is a Type 8, and that is your ping request.

Now I'm gonna go to my ping reply, and you can see a simple ping reply, Type 0. So there's nothing really unusual that
has happened here. I'm gonna take a look at an unusual one, where the destination was unreachable. In this case, you see
that something doesn't look quite right. First of all, you see the coloring rules, and these coloring rules we can
modify. We'll just touch on this for a second, to show you that if I go to View and, down below, Coloring Rules, this is
where the coloring rules are set up.

As I told you before, we can deactivate these if they bother you. But one thing you see is that ICMP errors appear in
black. We can modify that, but it's really just a guide saying that there's possibly something wrong in this
transmission. I'm just gonna cancel that. Now let's focus on my actual request. So here I see a ping request. It looks
normal, but now I see Destination unreachable (Host unreachable). That's an error.

So what has happened is that my test for reachability failed. On any ICMP error, the original IP header and the first
eight bytes of the original datagram are tucked inside the ICMP message as a nested header. What you see now is a reply
saying, "Destination unreachable." I'm gonna drop this down. Now you see the host was unreachable, and what we see is
the original ping request, with its IP header, nested within that. That's your first eight bytes, and that is what the
RFC requires. So now you can see that error, and that helps you determine that the destination was unreachable and
where I was originally going.

Now let's take a look at some ICMP captures with a little bit more information. In this one, we're gonna see errors.
When we open up this capture, you see a lot of color, most of it bad. I'm gonna scroll down here, and we're gonna take a
look at this. You can see a variety of different types of ICMP requests and replies.

First of all, you see in black that the network was unreachable; in some cases, the protocol was unreachable; and you
also see the port was unreachable. Whenever ICMP is used, remember it's a test for reachability, but it's also used by
IP itself to report whether a datagram could get to its destination, acting as a scout that comes back and reports
whether or not it was successful. When we look at all of these ICMP packets, we see that there is no transport layer
header.

Remember, there is no end-to-end connection and no application data. It's simply a test for reachability. In this case,
you see all of these ICMP packets. But what you should be concerned with is why there are so many ICMP packets. Now, to
be fair, this could have been a capture that was filtered, and that was all it was designed to capture. But in a case
where you're seeing a lot of ICMP packets flying through your network, this is where you ought to take a look.

Why? Because ICMP is a very chatty protocol. It tells us a lot about what's happening on the network, and it is used by
some of the reconnaissance tools, such as those in Kali Linux. So when we're looking at some of the information requests
out there, what are the types? As I said, there are certain types of ICMP packets which we really don't want to allow on
your network. For example, we see an Information Request, Type 15, and an Address Mask Request, Type 17, which is asking
for the subnet mask. This one here is a Timestamp Request, Type 13.

We really only need Type 3, and Type 11 if you use traceroute; Type 4, Source Quench, has been deprecated. The rest are
optional. So again, you might wanna tune your devices. But know that ICMP is a very chatty protocol; it will tell us a
lot about the network, and how much of it you wanna allow is up to you.
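As an added example (not code from the course), this Python script builds an echo request and a Type 3 error that quotes the original IP header plus eight bytes, parses both the way the ICMP dissector presents them (Type, Code, Checksum, then the nested original header), and applies a simple inbound ICMP allow-list of the kind discussed above. It covers both the message layout described earlier in this lesson and the filtering question at its end. It uses only the standard library; the IP addresses and the `DEFAULT_ALLOW` policy are assumptions made for the example, not anything taken from the course captures.

```python
import struct
from typing import Any, Dict, Tuple

# ICMP type numbers from RFC 792, as named in the lesson
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT, ECHO_REQUEST = 0, 3, 4, 5, 8
TIME_EXCEEDED, PARAM_PROBLEM, TIMESTAMP_REQ, INFO_REQ, MASK_REQ = 11, 12, 13, 15, 17
ERROR_TYPES = {DEST_UNREACH, SOURCE_QUENCH, REDIRECT, TIME_EXCEEDED, PARAM_PROBLEM}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; used by both the IPv4 and the ICMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 0x1234, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    def a2b(addr: str) -> bytes:
        return bytes(int(o) for o in addr.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0, a2b(src), a2b(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp(icmp_type: int, code: int, rest: bytes, body: bytes = b"") -> bytes:
    """Type, Code, Checksum, then the 4 type-specific bytes ('rest') and the contents."""
    msg = struct.pack("!BBH4s", icmp_type, code, 0, rest) + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    return build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", ident, seq), payload)


def build_dest_unreachable(code: int, original_datagram: bytes) -> bytes:
    """A Type 3 error quotes the offending IP header plus the first 8 bytes of its data (RFC 792)."""
    ihl = (original_datagram[0] & 0x0F) * 4
    return build_icmp(DEST_UNREACH, code, b"\x00" * 4, original_datagram[:ihl + 8])


def parse_icmp(msg: bytes) -> Dict[str, Any]:
    """Dissect the common header, then the type-specific part, including the nested original
    datagram that every ICMP error carries."""
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    out: Dict[str, Any] = {"type": icmp_type, "code": code, "checksum_ok": inet_checksum(msg) == 0}
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        out["ident"], out["seq"] = struct.unpack("!HH", msg[4:8])
    elif icmp_type in ERROR_TYPES:
        inner = msg[8:]                        # original IP header + first 8 bytes of its data
        ihl = (inner[0] & 0x0F) * 4
        out["orig_src"] = ".".join(str(b) for b in inner[12:16])
        out["orig_dst"] = ".".join(str(b) for b in inner[16:20])
        out["orig_proto"] = inner[9]
        first8 = inner[ihl:ihl + 8]
        if inner[9] in (6, 17):                # TCP or UDP: the 8 bytes hold both port numbers
            out["orig_sport"], out["orig_dport"] = struct.unpack("!HH", first8[:4])
        elif inner[9] == 1:                    # ICMP: type, code, checksum, identifier, sequence
            out["orig_icmp_type"] = first8[0]
            out["orig_ident"], out["orig_seq"] = struct.unpack("!HH", first8[4:8])
    return out


# Inbound policy for a host (an assumption for this example): the errors IP depends on, plus echo
# replies to our own pings. Source Quench is left out because RFC 6633 deprecated it.
DEFAULT_ALLOW = frozenset({DEST_UNREACH, TIME_EXCEEDED, PARAM_PROBLEM, ECHO_REPLY})


def filter_decision(parsed: Dict[str, Any], allow=DEFAULT_ALLOW) -> str:
    if not parsed["checksum_ok"]:
        return "drop: bad checksum"
    if parsed["type"] in allow:
        return "allow"
    if parsed["type"] in (TIMESTAMP_REQ, INFO_REQ, MASK_REQ):
        return "drop: reconnaissance query"
    return "drop"


def demo() -> Tuple[Dict[str, Any], Dict[str, Any], str]:
    """Constructed traffic: our echo request, then a router's Host Unreachable (Type 3, Code 1) quoting it."""
    ping = build_echo_request(ident=1, seq=1, payload=b"abcdefghijklmnop")
    datagram = build_ipv4("192.0.2.20", "198.51.100.7", 1, ping)
    unreach = build_dest_unreachable(1, datagram)
    return parse_icmp(ping), parse_icmp(unreach), filter_decision(parse_icmp(unreach))


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The parsed Type 3 message carries the original destination and the echo identifier and sequence pulled out of the quoted eight bytes, which is the same information Wireshark shows in the nested header and what lets a host match the error to the ping that triggered it.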

Challenge: Protocol discovery

- In this challenge, we're going to take a look at a couple of examples. There is a worksheet I've added for you so you
can complete your responses, and then be sure to come back and check out my solution. The first thing we'll take a look
at is "Open A UDP Example". With that open, examine frame 528. This is the DNS query. When looking at that, what is the
Transport Layer protocol used? Next, examine frame 533, the DNS response.

What is the IP address for update.microsoft.com.nsatc.net? Next, open "A TCP Example". Display only HTTP traffic and
select frame 4. What is the Transport Layer protocol used? Right-click on frame 4 and follow the stream. Take a look at
that and tell me what User-Agent the client is using, and what language the client will accept. For the last challenge,
you're going to open "ICMP Lynda".

Record the Identification field value of the IP header for frames 1, 3, 5, and 7. What is the relationship between
these four values? And last, what are the response times for each of the reply messages, and their average? Be sure to
check out my solution video when you're done. This should take you under 10 minutes. Good luck.

Solution: Protocol discovery

- Let's take a look at the solution. The question was: examine frame 528, the DNS query. I can go right to that by
going to Go > Go to Packet and entering the number, or I can put in a filter for dns and then easily see it. Let's try
one way and then the other. We'll jump to 528, and that takes us right to it. That's one way. Let's take it back up to
the top, and this time we'll just put in a filter for dns and Apply, and that will jump me to that first one right
there.

We're going to take a look at frame 528: what is the transport layer protocol used? Well, it is DNS, and in this case it
is a query, so it is using UDP, the User Datagram Protocol, on port 53. Remember, DNS also uses TCP: classically for
zone transfers, and also whenever a response is too large for a single UDP datagram (the server sets the TC flag and the
client retries over TCP). So DNS over TCP is not abnormal by itself, but an ordinary query like this one goes over UDP.
We'll clear this, and now let's examine frame 533.

Again, we can use Go to Packet and just type 533. This is the response, so I'm just going to bring this up here and
you'll look at your Domain Name System response. What is the IP address for update.microsoft.com? Let's drop this down,
and I'm going to look for the answers. Take a look down below, and it tells me right here the IP address for
update.microsoft.com.nsatc.net: 65.55.184.151.

Now let's open "A TCP Example". We've done this before, but let's do it again. We're going to display only HTTP
traffic: http in the display filter, and Apply. We're going to select frame 4. Here is your application layer protocol,
HTTP, and what is the transport layer protocol used? Well, it is TCP, which is what HTTP uses.

Now, what we're going to do is follow the stream. Take a look at frame 4, place your cursor right there, right-click,
and follow the stream. Just scroll down; here you can see Follow TCP Stream. This actually shows us the request from the
client and the server's response. This is something you may have seen before, but let's take a look at the question:
what User-Agent is the client using? Here is your answer right there.

If you said Mozilla, you're correct (keep in mind that nearly every browser's User-Agent string starts with "Mozilla/",
so the rest of the string is what identifies the actual browser). What type of language will the client accept? Right
here, in the Accept-Language header, you see it's English. Headers tell us a lot; there is an extension to Firefox
called Live HTTP Headers which can be used as well. It tells us a lot about what's happening. I'm going to clear that
and close the dialog boxes. Let's look at our response for the ICMP Lynda challenge.

The question was: record the Identification field value of the IP header for frames 1, 3, 5, and 7. What is the
relationship between these four values? I'm going to pull this up, and I want you to look at this capture. If you are
seeing that bottom panel, that is Packet Bytes. I generally take it away to give me more room, but it's up to you; I'm
going to take it off so we can focus on these packets alone.

We see that it is a request. I'm just going to select the ICMP header, and you can see it's a ping request, Type 8. So
1, 3, 5, and 7 are all requests. Now let's take a look at the IP header, specifically the Identification field. We'll
look at frame 1 first, then frames 3, 5, and 7. What did you see? You should see the values incrementing, or at least
changing, and that's normal.

The Identification field is present in every IPv4 header, but it only matters when a datagram is fragmented: all
fragments of one datagram carry the same Identification value so the receiver can reassemble them. Separate datagrams,
such as consecutive ping requests, should carry different values, and here they increment from one request to the
next. Matching Identification values across frames 1, 3, 5, and 7 would mean fragments of a single datagram, which we
should not be seeing on today's networks. Now our next question is: what are the response times for each of the reply
messages? In this case, let's use our time value.

Go to View > Time Display Format. The default is Seconds Since Beginning of Capture. That doesn't really help us, so I'm
going to choose Seconds Since Previously Captured Packet, which shows the gap between each request and its reply. Here
you see our reply, and you see 0.09 seconds, or 90 milliseconds.

Again, 0.09, 0.09, 0.09. That's 90 milliseconds each, so the average is 90 milliseconds as well.
That's our solution for the challenge for Chapter 3.

Lesson 4: Normal and Abnormal Behavior

Displaying Wireshark's expert system

- Built into Wireshark is the Expert System. It helps alert the network administrator to possible issues once a capture
has been made. Keep in mind, it's only a guide. If you look at the interface, it's located in the lower left-hand
corner, in a small circle. The color indicates the severity of any issues found. When you click to open the Wireshark
Expert Info, you'll see that there are six Expert Info tabs.

Four of those deal with severity: Errors, Warnings, Notes, and Chats. In addition to giving detailed information about
possible errors or warnings in your capture, the Expert Info indicates the severity by color. A grey circle simply
means "Chat", or normal workflow.

Cyan is a Note: something unusual worth knowing about, but not necessarily an error. Yellow is a Warning, such as a
connection problem. And red shows a serious problem, such as a malformed packet. Again, the Expert Information Wireshark
offers is only a guide; you should look into it a little more if you suspect a problem. Let's just take a look at "A TCP
Example", which will show you the Expert Info.

So, I'm gonna go to the lower left-hand corner and click one time, and we see the Expert Infos. We don't really see any
errors, warnings, or notes, but the chats pretty much say what happened during this packet capture: connection
established, an acknowledgement. I also see that I've asked for some images and gotten a response saying, "Yep, that'd
be okay", and then your connection finish sequence.

And that again is just a normal capture, and the details tell us a little bit more about what has happened. Not too
much to see here. Now, let's close out of this and go back to Tear Drop. We're gonna open this up. A Teardrop attack, as
classically understood, is where we see mangled IP fragments, overlapping fragments with different-sized payloads, that
can crash a host's fragment reassembly. That really shouldn't occur on today's networks.

And why? Because you should not allow fragmentation through the perimeter. So, if we just place our cursor down in the
lower left-hand corner and bring up the Expert Info, we see a malformed UDP: Bad length IP payload length. Go into the
Details, and again we see that. If we click on it, that takes me right to that frame. Now, if I want to filter just that
out, I'm going to go to the source IP address and say "Prepare as a Filter", where I'm going to get just the traffic
from ".1", and then "Apply".

Let me just show you here, in Internet Protocol Version 4, where we're gonna take a look at frame 8. If we take a look
at the IP header, this is where I'm gonna show you what you don't wanna see. Go into Flags and drop them down. There we
see "More fragments: Set", and this is what we don't want to see; you don't want to allow fragmentation. So we took a
look at some normal traffic and the Expert Infos, and then a little bit of abnormal traffic.

And, using the Expert Infos, let's then take a look at some real errors.

Navigating TCP transmission errors

- Wireshark gives us the ability to diagnose performance problems. One thing we can use is the Expert System, where we
can drill down into the Expert Infos to see some indication of what is potentially happening. In addition, the coloring
rules that Wireshark uses can indicate issues on our network. These coloring rules are on by default, but they can be
turned off or modified. One other thing you should become familiar with is the time values.

The time display formats let you see how fast traffic is flowing and spot serious latency issues. Now, when we take a
look at the Expert Information, there are a couple of things we might see that would be cause for concern, for example
Zero Window. A Zero Window means the receiver (often the client) has no buffer space left and cannot accept any more
data at the moment, so that TCP transmission is halted. It's pretty much saying, "Whoa! Slow down. I can't accept any
more." Once the application has drained the buffer, the receiver sends a window update and transmission continues.

We also might see numerous Keep-Alives and Duplicate Acknowledgements. Duplicate Acknowledgements occur occasionally,
but if we see a large number of them, we should investigate. We also could see Retransmissions or Fast Retransmissions,
and you might also see Spurious Retransmissions. A spurious retransmission isn't a serious error by itself: it means
data was sent again even though the receiver had already acknowledged it. This is a needless transmission, usually
caused by an acknowledgement arriving late.

Now, high latency on a network can come from any number of reasons: simple processing delays in the intermediary
systems or at the host or the client's end, the distance itself (propagation delay), and queuing delays. Queuing delay
in the form of bufferbloat happens when buffers on intermediary links fill up and stay congested, and those full
buffers contribute to excessive traffic delay.

Your interfaces should be tuned to deal with potential bufferbloat. We've seen some potential transmission errors;
let's take a look at some examples. This capture was taken on a network which was experiencing some serious congestion.
You can do network administration for the most part at your desk, but it's really best to get up and walk around and
check your network at different locations. The fact is that your network might have an issue and be congested in one
area.

It may soon cascade to another. Now, your packet shaper can tell you something that might be sucking up the bandwidth,
such as video streaming or Pandora. But you really don't know sometimes until you hear from your clients that there are
latency issues. When you take a look at this capture, we can see that there are some issues. I'm gonna scroll down
here, and I will tell you that we see some Keep-Alives, Duplicate Acknowledgements, and Retransmissions.

Now let's take a look again at our Expert System in the lower left-hand corner. I'll just click that one time. Your
Expert Information will tell us a little bit about what's happening. Again, it's up to you to get up and go check this
out. Go to Warnings; some of these are warnings, some of them are just giving you information. For example, "Previous
segment not captured" does happen sometimes when I just jump in and start a capture mid-conversation; I'll miss some of
it.

Next: "This frame is a (suspected) out-of-order segment", and "Connection reset". As you can see, we actually see seven
connection resets that have taken place. And remember, a reset means, "I don't want to talk to you." So, for some
reason, seven times this reset flag was set. Let's look at Chats. When we're looking at Chats, we can see that the
connection was established, et cetera, and that I was able to get some of what I've requested. But now let's take a
look at Notes.

Now we see Duplicate Acknowledgements, Keep-Alive segments, and here we see Spurious Retransmission. Is that always an
error? Not really. What happened is that data was sent again after the receiver had already acknowledged it. That means
it's actually a needless retransmission: the sender thought packets were lost and sent them again, even though the
receiver had already sent an acknowledgement for them.

Now we see Duplicate Acknowledgements and Keep-Alives. So I'll go to the Details. In this case, when I'm taking a look
at some of the concerns that I might have, there's again the Zero Window segment. When the window size is zero, it
means, "I simply can't take any more. You're gonna hold off sending to me until I can give you a little bit more of a
window so I can receive more." Now, if we're already taking a look at how data is being transmitted, data should be
received by the client, and an acknowledgement should go back out.

That's successful. Now, what is an acknowledgement? In a TCP communication, an acknowledgement is cumulative and is
sometimes called an expectational acknowledgement: the ACK number is the next byte the receiver expects, and the sender
doesn't have to wait for each acknowledgement before sending more data; it can keep sending up to the window size. It's
concurrent, meaning acknowledgements are flowing back while data is still flowing forward. Take ACK 343 as an example
(Wireshark shows relative sequence numbers, so numbering starts at 1). It simply means, "I've received bytes 1 through
342. I'm ready for more, starting at 343." If a segment then arrives out of order, because the segment I expected was
lost or delayed, I immediately send out another acknowledgement, and it's pretty much saying, "Hey buddy! I've received
342 bytes of data.

"I'm ready for more, starting at 343." So Duplicate Acknowledgements mean that at some point the data is not getting to
me in order, and I'm asking for the missing segment again in the form of a Duplicate Acknowledgement; three of them in
a row trigger a Fast Retransmission from the sender. We see some other information here. But again, when you're taking
a look at some of these concerns, the darker coloring rules show us that I might want to look into that. So
transmission errors can take place. Again, the Expert System can give you information, and we can also use the coloring
rules.

The best advice, if you suspect latency on your network, is to get up, take a look, and tap into other parts of your
network to compare, to see where there are bottlenecks or issues.
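As an added example, not part of the course, here is a simplified re-implementation in Python of the TCP analysis heuristics behind the Expert Info entries discussed in this lesson: Previous segment not captured, Duplicate ACK, Retransmission, Spurious retransmission, Zero window, Window update, Keep-alive and Connection reset. The `Segment` records and the sample conversation are constructed for the example (relative sequence numbers, as Wireshark displays them), and the rules are deliberately simpler than Wireshark's own, so treat the output as an illustration of the logic rather than a replacement for the dissector.

```python
from typing import Dict, List, NamedTuple, Tuple


class Segment(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # Wireshark letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST
    seq: int      # relative sequence number, as Wireshark displays it
    ack: int      # relative acknowledgement number
    length: int   # TCP payload bytes
    window: int


SEVERITY = {   # which Expert Info tab each note lands on
    "Zero window": "Warning", "Previous segment not captured": "Warning", "Connection reset (RST)": "Warning",
    "Retransmission": "Note", "Spurious retransmission": "Note", "Keep-alive": "Note",
    "Duplicate ACK": "Note", "Window update": "Chat",
}


def analyze(segments: List[Segment]) -> List[Tuple[int, str]]:
    """Return (frame number, note) pairs for one TCP conversation, frames numbered from 1."""
    next_seq: Dict[tuple, int] = {}                      # per direction: highest seq + length seen
    last_ack: Dict[tuple, Tuple[int, int, int]] = {}     # per direction: (ack, window, duplicate count)
    notes: List[Tuple[int, str]] = []
    for frame, s in enumerate(segments, start=1):
        d = (s.src, s.sport, s.dst, s.dport)
        rev = (s.dst, s.dport, s.src, s.sport)
        if "R" in s.flags:
            notes.append((frame, "Connection reset (RST)"))
            continue
        if s.window == 0 and "S" not in s.flags:
            notes.append((frame, "Zero window"))
        expected = next_seq.get(d)
        seg_end = s.seq + s.length + ("S" in s.flags) + ("F" in s.flags)
        if expected is not None and s.length <= 1 and s.seq == expected - 1 and "S" not in s.flags:
            notes.append((frame, "Keep-alive"))          # probe sent one byte below the next expected seq
            continue
        if expected is not None and s.length > 0 and s.seq < expected:
            peer_ack = last_ack.get(rev, (0, 0, 0))[0]
            if s.seq + s.length <= peer_ack:             # the peer had already ACKed all of it
                notes.append((frame, "Spurious retransmission"))
            else:
                notes.append((frame, "Retransmission"))
        elif expected is not None and s.length > 0 and s.seq > expected:
            notes.append((frame, "Previous segment not captured"))
        elif "A" in s.flags and s.length == 0 and "S" not in s.flags and "F" not in s.flags:
            prev = last_ack.get(d)                       # pure ACK: compare with the previous one
            if prev and prev[0] == s.ack:
                if prev[1] == s.window:
                    count = prev[2] + 1
                    notes.append((frame, f"Duplicate ACK #{count} for {s.ack}"))
                    last_ack[d] = (s.ack, s.window, count)
                    continue
                notes.append((frame, "Window update"))
        if expected is None or seg_end > expected:
            next_seq[d] = seg_end
        if "A" in s.flags:
            last_ack[d] = (s.ack, s.window, 0)
    return notes


def expert_summary(notes: List[Tuple[int, str]]) -> Dict[str, int]:
    """Count notes per Expert Info severity, the way the tabs do."""
    counts: Dict[str, int] = {}
    for _, text in notes:
        sev = next(v for k, v in SEVERITY.items() if text.startswith(k))
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed conversation (not from the course's capture): a client on 10.0.0.5 fetching from a server on 10.0.0.9.
CLIENT, SERVER = ("10.0.0.5", 52000), ("10.0.0.9", 80)


def c2s(flags, seq, ack, length=0, window=65535) -> Segment:
    return Segment(CLIENT[0], CLIENT[1], SERVER[0], SERVER[1], flags, seq, ack, length, window)


def s2c(flags, seq, ack, length=0, window=65535) -> Segment:
    return Segment(SERVER[0], SERVER[1], CLIENT[0], CLIENT[1], flags, seq, ack, length, window)


SAMPLE = [
    c2s("S", 0, 0), s2c("SA", 0, 1), c2s("A", 1, 1),    # 1-3  handshake
    c2s("PA", 1, 1, 100),                               # 4    request
    s2c("A", 1, 101, 1460), c2s("A", 101, 1461),        # 5-6  first data segment and its ACK
    s2c("A", 2921, 101, 1460), c2s("A", 101, 1461),     # 7-8  segment 1461 missing -> dup ACK #1
    s2c("A", 4381, 101, 1460), c2s("A", 101, 1461),     # 9-10 dup ACK #2
    s2c("A", 5841, 101, 1460), c2s("A", 101, 1461),     # 11-12 dup ACK #3 -> fast retransmit
    s2c("A", 1461, 101, 1460),                          # 13   retransmission of the missing segment
    c2s("A", 101, 7301, window=0), c2s("A", 101, 7301), # 14-15 zero window, then window update
    s2c("A", 7301, 101, 1460), c2s("A", 101, 8761),     # 16-17
    s2c("A", 7301, 101, 1460),                          # 18   spurious: frame 17 already ACKed it
    c2s("A", 100, 8761),                                # 19   keep-alive
    s2c("RA", 8761, 101),                               # 20   connection reset
]

if __name__ == "__main__":
    for frame, note in analyze(SAMPLE):
        print(frame, note)
    print(expert_summary(analyze(SAMPLE)))
```

Frame 13 is classified as a plain retransmission because the receiver's last ACK still points at 1461, while frame 18 is spurious because frame 17 had already acknowledged through 8761; that distinction is the one the lesson draws between a real loss and a needless resend.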

Lesson 5: Common Attack Signatures

Detecting denial-of-service attacks

- A denial of service attack is one attack we can't protect against using encryption. It is a unique attack, whose aim
is to interrupt or suspend services for any length of time. A plain, single-source denial of service attack is not as
effective anymore, although at one point it was. What is really effective is a distributed denial of service, because
it uses zombie armies, or botnets. But we'll just take a look at a plain denial of service attack and see what it looks
like.

On your network, your devices should be tuned to pick up signatures of suspicious or unusual behavior. The fact is,
though, that sometimes you haven't configured them correctly and things slip through. Here's something I'll show you:
we've opened up sec-justascan, or "security, just a scan", and what are we seeing? We're seeing this host, .2, hitting
.1 with a SYN packet. Then, in response, coming from .1 to .2 is a reset, meaning, "I don't want to talk to you."

Again and again this happens: .2 tries to reach .1, and again you see a reset. So now let's take a look down below in
the TCP header. I'm gonna start here with .2. This is where I can see the Source Port. We see 2294 going to port 1.
Let's jump to frame 3, and now we see 2296 to port 2.

So now it's jumping around. The pattern is not as clear as you might expect: the source port is not always the same,
and the destination port is different each time. But there are a couple of things that are consistent. It is the same
host going to the same other host, .2 to .1 and .1 back to .2, back and forth. You also see the same pattern: a SYN,
and then a reset with an acknowledgement (RST/ACK), which is how a closed port answers.

SYN, then RST/ACK. SYN, then RST/ACK. Let's do this. We're going to apply a filter and just get those packets from .2.
I'm going to go to the IP header, then to Source IP address, right-click, and say Prepare as a Filter. Now we want it to
only show Source .2, and Apply. Now we can see how many are actually being sent.

This isn't a very big capture, but let's take a look. I'm going to go to View > Time Display Format. As you see, it's
on Automatic (File Format Precision), but here it says Seconds Since Previously Captured Packet. Let's refine this to
Seconds Since Previously Displayed Packet, since we've filtered on .2. Now you can see how fast these packets are being
sent. So, as I said, you do see some signatures; you do see some patterns that could arise.

The fact is, you want to be familiar with some of these things, and this is what your devices are tuned to pick up, in
the form of signatures. I'm gonna clear this out. Now we're gonna use this capture, so I'll pull it up here. We're
gonna export this, and we have another choice. This time, let's do File > Export Packet Dissections > as Plain Text
File. Let's save that as 05_02 Challenge, and Save it.

Now we can get that later.

Challenge: Identifying attack signatures

- Let's do a challenge. We're going to use a tcpdump-style text file to analyze traffic. There are other command line
tools that will show you how your traffic is flowing across your network. In this case, I want you to open 05_02
Challenge. It's a plain text file, so you can open it in Notepad. Once you open it, I want you to see if you can spot a
pattern, taking a look at the information one frame at a time.

I want you to focus on the flags that are set. After you see about five or six frames, you should see a pattern. Try
not to spend more than five minutes looking at it, then come back and take a look at my solution video, where we'll
discuss what patterns I saw. Good luck.

Solution: Identifying attack signatures

- Let's take a look at the solution for the Chapter Five challenge. If you're having trouble opening it, you can simply
open it in Notepad. The question is: do you see a pattern? One thing we can see is source .2, destination .1, and there
you see a SYN packet; it's attempting to make a connection. Coming back from .1 to .2 is a reset, meaning, "I'm
refusing that connection."

Let's take a look at frame three. Again, from .2 to .1, we see a SYN packet. Frame four, again from .1 to .2, is a
reset. The other thing I want you to note is the port numbers. They're going to be changing on the server side; we can
see that .2 tries different ports, and as we go through, the destination ports keep changing. We see the source port up
here is 2294 to port 1, then 1 back to 2294, and the next one is 2296 to port 2, then 2 back to 2296.

Again, they're going back and forth: SYN, then reset, refusing the connection. Now, why did this happen? At this point,
it's really unclear. Is this an attack attempt? Is it a reconnaissance exercise? It's in your best interest to take a
look and find out what's happening. As you can see, the pattern is a series of SYN packets followed by resets. What it
really is depends; you'd have to look a little closer to see if it's a reconnaissance attempt, or whether someone's
trying to poke around on your network.

And that's the solution for Chapter Five Challenge.

Identifying network scans

- Here we are in sec-justascan.pcap. It looks familiar because we've used this before, but what I wanted to point out to
you is that when we're looking at any type of hacking, there are three essential steps an attacker takes in order to get a good look at
the organizational layout: footprinting, scanning, and enumeration. These are indicators of
someone actually trying to trace through and take a look at what's happening in your organization. The attacker wants to find out
anything essential about the organization and map out the network.

That could be a ping scan on a range of IP addresses. The scanning takes place to see if there are any hosts that are
listening and will respond. At this point, this is where you could see the pattern as to what they're trying to
do: again, knocking on the door to see if there's anybody listening. When we're looking at what's called a
port scan, this is where we see the same source and destination IP address, but the destination port keeps changing. A
port scan will go through a range of ports in order to find some open port that is listening.

So for this, let's just take a look at synscan. Here's an example, as you can see. It's a really short example, but the
point I wanted to make is that it's a single host going to another host. With that, we're gonna just pull this up here,
and then I'm gonna go to View and take off Packet Bytes. You see the same IP addresses; that's consistent. What
about the time? Let's go to View, Time Display Format, Seconds Since Previously Displayed Packet.

Now let's drop down Transmission Control Protocol. What we're looking at is whether they're trying different ports.
Well, the source port stays the same, 36050, but the destination port changes: 143, then 3306, 199, 111, et cetera. You can see
this kind of scan has a distinct signature, and this is where someone is checking out which
ports are open and which ones the client can connect to.

And that's just another form of a scan. Now, once connected, it'll tell us a little bit more information, but this is the type
of activity you don't want on your network.
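The two scan signatures described above (the challenge's SYN/RST pairs on a new port each time, and the synscan capture's fixed source port walking destination ports) can be pulled out of tcpdump text automatically. The following is an added example written for this page, not code from the course: it parses constructed tcpdump-style lines (not the real 05_02 Challenge file), groups bare SYNs by source/destination pair, counts distinct destination ports and how the target answered (RST for refused, SYN/ACK for open), and also computes the "seconds since previously displayed packet" delta the lesson switches Wireshark to. The five-port threshold is an assumption, chosen to match the lesson's "five or six frames" rule of thumb.

```python
import re
from collections import defaultdict

# tcpdump-style lines, constructed for this example (not the course's 05_02 Challenge
# file). 192.168.1.2 walks ports 1-4 and 22 on 192.168.1.1, which answers the closed
# ports with a RST and port 22 with a SYN/ACK; 192.168.1.50 then makes one normal
# connection to port 80 for comparison.
SAMPLE = """\
12:00:00.000100 IP 192.168.1.2.2294 > 192.168.1.1.1: Flags [S], seq 10, win 512, length 0
12:00:00.000250 IP 192.168.1.1.1 > 192.168.1.2.2294: Flags [R.], seq 0, ack 11, win 0, length 0
12:00:00.000400 IP 192.168.1.2.2296 > 192.168.1.1.2: Flags [S], seq 11, win 512, length 0
12:00:00.000550 IP 192.168.1.1.2 > 192.168.1.2.2296: Flags [R.], seq 0, ack 12, win 0, length 0
12:00:00.000700 IP 192.168.1.2.2298 > 192.168.1.1.3: Flags [S], seq 12, win 512, length 0
12:00:00.000850 IP 192.168.1.1.3 > 192.168.1.2.2298: Flags [R.], seq 0, ack 13, win 0, length 0
12:00:00.001000 IP 192.168.1.2.2300 > 192.168.1.1.4: Flags [S], seq 13, win 512, length 0
12:00:00.001150 IP 192.168.1.1.4 > 192.168.1.2.2300: Flags [R.], seq 0, ack 14, win 0, length 0
12:00:00.001300 IP 192.168.1.2.2302 > 192.168.1.1.22: Flags [S], seq 14, win 512, length 0
12:00:00.001450 IP 192.168.1.1.22 > 192.168.1.2.2302: Flags [S.], seq 500, ack 15, win 65535, length 0
12:00:05.000000 IP 192.168.1.50.40000 > 192.168.1.1.80: Flags [S], seq 1, win 65535, length 0
12:00:05.000300 IP 192.168.1.1.80 > 192.168.1.50.40000: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:05.000500 IP 192.168.1.50.40000 > 192.168.1.1.80: Flags [.], ack 10, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(text):
    """Turn tcpdump text into dicts with a float timestamp (seconds since midnight)."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        h, mi, s = f["ts"].split(":")
        f["t"] = int(h) * 3600 + int(mi) * 60 + float(s)
        f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
        frames.append(f)
    return frames


def deltas(frames):
    """Seconds since the previous frame, like Wireshark's View > Time Display
    Format > Seconds Since Previously Displayed Packet."""
    out, prev = [], None
    for f in frames:
        out.append(0.0 if prev is None else f["t"] - prev)
        prev = f["t"]
    return out


def scan_report(frames, min_ports=5):
    """Group bare SYNs by (source, destination) and count how the target answered.

    The challenge's signature: one source, one destination, a new destination port
    on every SYN, and a RST straight back for each closed port."""
    stats = defaultdict(lambda: {"ports": set(), "rst": 0, "synack": 0})
    for f in frames:
        flags = f["flags"]
        if flags == "S":                # SYN only: a connection attempt to dst:dport
            stats[(f["src"], f["dst"])]["ports"].add(f["dport"])
        elif "R" in flags:              # RST from the target: connection refused
            stats[(f["dst"], f["src"])]["rst"] += 1
        elif flags == "S.":             # SYN/ACK: that port is listening
            stats[(f["dst"], f["src"])]["synack"] += 1
    return {
        pair: {
            "distinct_ports": len(s["ports"]),
            "refused": s["rst"],
            "open": s["synack"],
            "scan": len(s["ports"]) >= min_ports,
        }
        for pair, s in stats.items()
    }


if __name__ == "__main__":
    frames = parse(SAMPLE)
    for pair, r in scan_report(frames).items():
        print(pair, r)
    print("largest gap between frames: %.6f s" % max(deltas(frames)))
```

Run it on real tcpdump output (`tcpdump -nn -r capture.pcap tcp`) and the pair with many distinct ports and a high refused count is the scanner; a legitimate client shows one or two ports and a SYN/ACK. The `-nn` is what keeps the port numbers numeric so the regex matches.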

Distinguishing ARP issues from attacks

- Address Resolution Protocol associates an IP address with a hardware address. It's also used to test for duplicate IP
addresses. Understand that ARP is not routable. There is no IP header; it's just used to do that resolution. Normal ARP traffic
is simply a request and a reply. Here we see our TCP/IP Model and OSI Model.
Now in the network layer you see ARP. But understand this: it's really in between layer three and layer two, as it's
performing that resolution. When you see normal traffic, periodically you might see what's called a Gratuitous
ARP. These are special ARP packets, usually requests (some stacks send them as replies), in which the sender and target IP
addresses are the same. Now what are they used for? Well, once a host boots
up and receives an IP address from the DHCP server, a Gratuitous ARP packet is sent to determine if another host on the
network has the same IP address as the sender.

This also updates the ARP tables of the other hosts. With a Gratuitous ARP, no reply is expected. Periodically you do see some ARP-related
issues. One is network addressing problems. Another is ARP storms. ARP storms occur because ARP works well under regular
circumstances, but it was not designed to cope with malicious hosts. A storming attack will create a denial-of-service
condition and prevent the network from functioning normally.

We also could see ARP poisoning and ARP padding issues. Let's take a look. Now we know that Address Resolution
Protocol is a protocol that lies just at the bottom of layer three and right at the top of layer two. And why? Because
what is it doing? It's resolving a logical IP address to a physical MAC address. Now what we see here is a series of
ARP requests and replies.

And it looks something like this. Here is your request, so go to Frame 1, and we're just gonna select Frame 1. You see
that this is an Address Resolution Protocol request. You're going to see a number of them because a host will
sometimes ask a couple of times in order to do a resolution. Remember, in
order for a switch to determine which port to send a frame out of, it has to know which MAC address is on which port.

Now take a look at this. Frame 1 shows Ethernet II, so you have a frame header, but do you see anything else? Well, you
don't see an IP header, right? The IP addresses being resolved are carried in the ARP body itself, so no network-layer
header is needed. You don't see a transport layer header either. All it's doing is a resolution. Now let's look at the
source and destination. What I wanna do is go to Edit, and then Preferences.

And now I'm gonna go to Name Resolution. In this case, I'm just gonna say Resolve MAC addresses. Now we'll say
Apply, and then I'm gonna close it. What it's doing is telling me the vendor. Remember, your MAC address is a 12-digit
hexadecimal number. The first six digits represent the manufacturer. So you see clearly it's coming from a Cisco
device. And it is a broadcast. Well now, what does that broadcast address look like? It is all Fs, ff:ff:ff:ff:ff:ff. That means a single
device sends it out to all devices on the network segment.

And of course it's waiting for a reply. In Frame 5 we do get a reply for one of the requests, and what is it saying? It says
192.168.1.102 is at, and it tells me what MAC address it's at. So now I've resolved it. Now you'll see a number of these in
certain cases, and in my case I did do a Capture filter so that's why I only have ARP traffic. So that's what pretty much
normal ARP traffic looks like and you would see that mixed in with other traffic as well.

We're going to look at arp-badpadding. Now in some cases, padding has to take place in order to get to the
minimum 64-byte Ethernet frame length. I would normally turn off the Packet Bytes view. Go to View, and let's take it
back and bring that back in. So now what you're gonna see is, take a look at the bottom here. It's padded, but the padding contains
stuff picked up from the network interface card's buffers. And really, it shouldn't be there. The fact is, this was a flaw that
was discovered early on in the 2000s. Now, I've looked, and there really isn't anything malicious that I've discovered.
However, there might be in something where we're looking at ways to export data covertly, but I haven't found any.

It's simply something unusual that you might find in an ARP packet.
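The ARP points made above (no IP or transport header, an OUI identifying the vendor, the all-Fs broadcast, gratuitous ARP, an IP suddenly claimed by a second MAC, and non-zero padding after the 28-byte ARP body) can all be checked from the raw frame bytes. The following is an added example for this page, not code from the course or from Wireshark: it builds a few ARP frames itself (constructed, not taken from the arp-badpadding capture), decodes them with `struct`, and flags the gratuitous, duplicate-IP and bad-padding cases. The one-entry OUI table is an illustrative slice of the IEEE registry; 00:00:0c is a Cisco OUI.

```python
import struct

ETH_ARP = 0x0806
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
# Tiny slice of the IEEE OUI registry for the vendor lookup (00:00:0c is Cisco).
OUI = {"00:00:0c": "Cisco"}


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip4(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(src_mac, dst_mac, oper, sha, spa, tha, tpa, padding=b"\x00" * 18):
    """Ethernet II + 28-byte ARP body + padding to the 60-byte minimum (FCS not
    included). Only used here to construct sample frames."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)
    return eth + arp + padding


def parse_arp(frame):
    """Decode an ARP-over-Ethernet frame; returns None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
        "oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
        "tha": mac_str(tha), "tpa": ip_str(tpa),
        "padding": frame[42:],          # trailer after the ARP body, normally all zero
    }


def vendor(mac):
    return OUI.get(mac[:8], "unknown")


def summary(a, kind):
    if kind.endswith("request"):
        return "Who has %s? Tell %s" % (a["tpa"], a["spa"])
    return "%s is at %s" % (a["spa"], a["sha"])


def analyze(frames):
    """Label each frame and raise the three things the lesson points at: gratuitous
    ARP (normal), an IP claimed by a second MAC (poisoning indicator), and
    non-zero trailer bytes (bad padding)."""
    ip_to_mac, results = {}, []
    for n, raw in enumerate(frames, 1):
        a = parse_arp(raw)
        if a is None:
            continue
        kind = "request" if a["oper"] == 1 else "reply"
        if a["spa"] == a["tpa"]:
            kind = "gratuitous " + kind     # sender announces its own IP, no reply expected
        alerts = []
        if ip_to_mac.setdefault(a["spa"], a["sha"]) != a["sha"]:
            alerts.append("duplicate-ip")
        if a["padding"].strip(b"\x00"):
            alerts.append("bad-padding")
        results.append({"frame": n, "kind": kind, "vendor": vendor(a["sha"]),
                        "summary": summary(a, kind), "alerts": alerts})
    return results


# Constructed frames: a Cisco host asks for .102, .102 answers, a third host sends a
# gratuitous request, then a rogue MAC also claims .102 with a dirty trailer.
CISCO, HOST_B = bytes.fromhex("00000c010203"), bytes.fromhex("001122334455")
HOST_C, ROGUE = bytes.fromhex("00aabbccddee"), bytes.fromhex("deadbeef0001")
SAMPLE_FRAMES = [
    build_arp(CISCO, BROADCAST, 1, CISCO, ip4("192.168.1.1"), ZERO_MAC, ip4("192.168.1.102")),
    build_arp(HOST_B, CISCO, 2, HOST_B, ip4("192.168.1.102"), CISCO, ip4("192.168.1.1")),
    build_arp(HOST_C, BROADCAST, 1, HOST_C, ip4("192.168.1.50"), ZERO_MAC, ip4("192.168.1.50")),
    build_arp(ROGUE, CISCO, 2, ROGUE, ip4("192.168.1.102"), CISCO, ip4("192.168.1.1"),
              padding=bytes.fromhex("45000034") + b"\x00" * 14),
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_FRAMES):
        print(r)
```

The duplicate-IP check is only as good as the first mapping it saw, which is exactly the weakness ARP poisoning exploits; on a real capture, seed `ip_to_mac` from a known-good inventory rather than trusting the first reply.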

Protecting from password attacks

- Now for password cracking attempts, there are a variety of different ways this can be done. Some just go through
and try every possible password available. An FTP connection sometimes has a username and password
requirement. First of all, we're going to just use a display filter, say ftp, and apply. Now one of the things that you should
see if we take a look here is a password. And now you see mercury. Password required, mets. Well, what it is doing
is trying a number of different passwords.

Now I'm gonna just take off the coloring rules right there, so that possibly you could see it a little more clearly. If I were
to simply right-click and follow the TCP stream, we can see that it's coming back with a message that the password or login is
incorrect. And again, it won't allow you to connect. I'm gonna clear this and go back again and put an FTP filter on
here. We'll apply. But the fact is, we want to only see those requests with different passwords.

So now let's take a look. I did find one here. Frame number 11: we can now put our cursor on there and, I'm
going to drop down the IP address. And now what I'm gonna do is say anything from that source, .254, right-click, let's
say Prepare as Filter so I am sure that I've entered it correctly. Now let's apply that. And now I only want the
requests, so I'm gonna narrow it further by going into the File Transfer Protocol section.

And I'm going to apply as a filter and select it. Now what I've done is a compound filter that says I want traffic from .254 and the
password coming through. And now what we can see is the requests with the different passwords. So I'm gonna try
this. Let's see: mercury, merlin, mets, michael, et cetera. So when you see that type of signature coming
through, someone is actually trying to brute force their way into your FTP server.
Whether they're successful depends on whether you use something a little more complex than some of these dictionary
words. And that's pretty much a simple password cracking attempt.
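The filter built above (source .254, FTP PASS requests) shows the guesses; pairing each PASS with the server's 530 or 230 reply tells you whether any of them worked. The following is an added example for this page, not code from the course: it reads a constructed "client > server: text" rendering of an FTP exchange (the kind of text you see in Follow TCP Stream; the hosts, usernames and passwords are made up, and the login that eventually succeeds is there only to show the 230 path) and tallies failures and attempted passwords per client. The threshold of three failures is an assumption.

```python
import re
from collections import defaultdict

# Constructed FTP exchange, not the course's capture. Each line is one control-
# channel message in "src > dst: text" form.
SAMPLE = """\
192.168.1.254 > 192.168.1.10: USER admin
192.168.1.10 > 192.168.1.254: 331 Password required for admin.
192.168.1.254 > 192.168.1.10: PASS mercury
192.168.1.10 > 192.168.1.254: 530 Login incorrect.
192.168.1.254 > 192.168.1.10: USER admin
192.168.1.10 > 192.168.1.254: 331 Password required for admin.
192.168.1.254 > 192.168.1.10: PASS merlin
192.168.1.10 > 192.168.1.254: 530 Login incorrect.
192.168.1.254 > 192.168.1.10: USER admin
192.168.1.10 > 192.168.1.254: 331 Password required for admin.
192.168.1.254 > 192.168.1.10: PASS mets
192.168.1.10 > 192.168.1.254: 530 Login incorrect.
192.168.1.254 > 192.168.1.10: USER admin
192.168.1.10 > 192.168.1.254: 331 Password required for admin.
192.168.1.254 > 192.168.1.10: PASS michael
192.168.1.10 > 192.168.1.254: 530 Login incorrect.
192.168.1.254 > 192.168.1.10: USER admin
192.168.1.10 > 192.168.1.254: 331 Password required for admin.
192.168.1.254 > 192.168.1.10: PASS monkey
192.168.1.10 > 192.168.1.254: 530 Login incorrect.
192.168.1.254 > 192.168.1.10: USER admin
192.168.1.10 > 192.168.1.254: 331 Password required for admin.
192.168.1.254 > 192.168.1.10: PASS s3cr3t
192.168.1.10 > 192.168.1.254: 230 Login successful.
192.168.1.20 > 192.168.1.10: USER alice
192.168.1.10 > 192.168.1.20: 331 Password required for alice.
192.168.1.20 > 192.168.1.10: PASS correct-horse
192.168.1.10 > 192.168.1.20: 230 Login successful.
"""

LINE_RE = re.compile(r"^(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<text>.*)$")


def parse(text):
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def login_report(lines, max_failures=3):
    """Pair every PASS with the server's 230/530 answer and tally per client.

    FTP sends USER, then PASS; the server replies 230 (logged in) or 530
    (rejected). Many 530s from one client is the dictionary-attack signature."""
    sessions = defaultdict(lambda: {"user": None, "pending": None,
                                    "attempts": [], "failures": 0, "success": None})
    for m in lines:
        text = m["text"]
        if text.startswith("USER "):
            sessions[(m["src"], m["dst"])]["user"] = text[5:].strip()
        elif text.startswith("PASS "):
            sessions[(m["src"], m["dst"])]["pending"] = text[5:].strip()
        elif text[:3].isdigit():
            # a reply: flip src/dst so it indexes the client's session
            s = sessions[(m["dst"], m["src"])]
            code = int(text[:3])
            if s["pending"] is not None and code in (230, 530):
                s["attempts"].append((s["user"], s["pending"]))
                if code == 530:
                    s["failures"] += 1
                else:
                    s["success"] = (s["user"], s["pending"])
                s["pending"] = None
    return {
        client: {
            "passwords": [p for _, p in s["attempts"]],
            "failures": s["failures"],
            "success": s["success"],
            "brute_force": s["failures"] > max_failures,
        }
        for (client, _server), s in sessions.items()
    }


if __name__ == "__main__":
    for client, r in login_report(parse(SAMPLE)).items():
        print(client, r)
```

The same question in Wireshark is the display filter `ip.src == 192.168.1.254 && ftp.request.command == "PASS"` for the guesses and `ftp.response.code == 230` to see whether a guess was accepted; the script just keeps the two sides paired for you.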

Examining macof attacks

- A switch's CAM table, or Content Addressable Memory table, maps MAC addresses to physical switch ports, and these
pairings can be voluminous. There can be quite a few of
them. A macof attack is a flooding of that CAM table. It fills the table and overwhelms the switch with
bogus entries. At that point, the switch simply acts like a hub, flooding traffic out all of its ports.

In order for this attack to be successful, though, the macof attack must continue to bombard the switch with those
bogus entries. Once it stops, the aging timers expire, the bogus entries are flushed, and the switch goes back to behaving like a
switch. But this attack can happen, and as a result, we really should use ways to mitigate its effects. Here you
can see that switchport port security, such as what's called a sticky MAC, can be implemented. And on a Cisco switch
you'll see how this is very easy to configure.

Once you go into config t, you go into your interface, enter switchport port-security, and then switchport port-security mac-address
sticky. Keep in mind that the default violation mode is shutdown, which puts the port into err-disabled when a violation occurs, so plan for
that on user ports. The one thing I will say, though, is that doing this on one interface is not really effective. I would suggest you do the
entire range of switchports in order for it to be a truly effective mitigation technique. Switchport port-security is
very easy to implement. We'll see a macof attack. When we open it, it doesn't seem to make sense, and that's because it
shouldn't.

The objective of a macof attack is to fill the CAM table (or Content Addressable
Memory, or switching table, or MAC address table, whatever you want to call it) by throwing as many bogus IP
addresses and MAC addresses into that table as possible so that the switch is overwhelmed and becomes a hub. Now we've
opened this up, and again, what you see is just a lot of mismatched IP addresses and MAC addresses,
and nothing really makes sense.

If I go into the Expert System by right-clicking over there and going to the Wireshark Expert Infos area in the lower left-hand
corner, you'll see this was done very quickly, and we have quite a few packets in there. Now I've opened
this up, let's take a look. When we go in here, we just see Chats, and in this case there is something going
on that we're really not sure about. If you see a whole bunch of SYN packets, all you're gonna see is Connection
Establish Request, and to what server I have no idea; that's the whole point.

It's just going out there trying to flood that CAM table. In the details, as you see, the same information keeps coming
across, saying that the SYN flag is set. So that's the first indication of a signature. Let's close this up. Now,
we took a look at the Expert Infos and saw that really all we see is a bunch of connection attempts with the SYN flag set. Were
there any other connections? Do we see any acknowledgments? Let's check.

Go into Transmission Control Protocol and drop this down. Now, what I want to look at is the flags, so we're going to expand
those. We see the SYN flag is set. Do we see any acknowledgment flags? Let's take a look. Right-click, and this time we're
going to say Prepare as Filter, Selected. Remember, if we say Prepare as Filter, that isn't
gonna run it. It's only gonna put it up in the filter bar, and I'm just gonna edit it to the ack flag, tcp.flags.ack == 1.

That says, "display any frames where the acknowledgment flag is set to one." Now I have to say
Apply. And as you see, there are no acknowledgment flags; no connection was made. I'm gonna clear
this. Let's take a look at the Conversations. Up here in Statistics, I really want to take a look at the
Summary first. Here we can just see that this is a very fast capture. The objective of this type of attack is to keep the switch
confused, so the attack is very fast and goes across at an extremely high rate of
transfer.

Close this. Now let's take a look at Statistics and go to Conversations. But here's the thing: there really aren't any
conversations. There's just a number of different IP addresses and MAC addresses. Let's just take a look at what it's
throwing out there. You can sort, and it takes a second to sort, but you can see any number of them. They're all different. And that
again is a signature showing that something unusual is happening. We'll close that.

But here's the other thing you can do. I'm just gonna open this up. We talked about the Time Display Format. Time
Display, you see, defaults to Seconds Since Beginning of Capture, and we've also taken the precision down to just a
couple of decimal points. We're gonna change that. Go to View, Time Display Format, and instead of
Centiseconds and Seconds Since Beginning of Capture, choose Seconds Since Previously Captured
Packet.

That's the first thing, and I'm gonna expand this out because I'm gonna need some more room, because now I'm gonna
go to View, Time Display Format, and ask for the Automatic (from capture file) precision. That's actually gonna go to
microseconds, and you're gonna be able to really see how fast that capture came through. The time since the previously captured
packet is extremely short. So there you see the signature of a macof attack.
The objective is to flood that table so that the switch acts like a hub. And it is effective. We talked about the way to
mitigate that, and that is using port security with a sticky MAC on the range of switchports.
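The macof signature walked through above is three things at once: a new source MAC on almost every frame, SYNs with no acknowledgments or conversations behind them, and microsecond gaps between frames. The following is an added example for this page, not code from the course or from dsniff: it constructs a capture in memory (one normal handshake, then a 200-frame burst with a fresh random source MAC and IP per frame; no real macof output is used) and then measures those three things with a sliding window of distinct source MACs, a SYN-to-ACK ratio, and the minimum inter-arrival gap. The 50-MAC-per-second threshold and the 10:1 SYN/ACK ratio are assumptions, not values from the course.

```python
import random


def random_mac(rng):
    return ":".join("%02x" % rng.randrange(256) for _ in range(6))


def random_ip(rng):
    return ".".join(str(rng.randrange(1, 255)) for _ in range(4))


def constructed_capture(flood_frames=200, seed=7):
    """Constructed frames as (time_s, src_mac, src_ip, dst_ip, tcp_flags):
    one normal three-way handshake, then a macof-style burst 10 microseconds
    apart, every frame a bare SYN from a never-before-seen MAC and IP."""
    rng = random.Random(seed)
    frames = [
        (5.0000, "00:00:0c:aa:bb:01", "192.168.1.10", "192.168.1.20", "S"),
        (5.0003, "00:00:0c:aa:bb:02", "192.168.1.20", "192.168.1.10", "SA"),
        (5.0005, "00:00:0c:aa:bb:01", "192.168.1.10", "192.168.1.20", "A"),
    ]
    for i in range(flood_frames):
        frames.append((10.0 + i * 1e-5, random_mac(rng), random_ip(rng),
                       random_ip(rng), "S"))
    return frames


def flood_report(frames, window=1.0, mac_threshold=50):
    """Distinct source MACs in the busiest `window` seconds, the SYN/ACK balance,
    and the smallest gap between frames (what Seconds Since Previously Captured
    Packet shows once precision is set to microseconds)."""
    frames = sorted(frames)
    times = [f[0] for f in frames]
    gaps = [b - a for a, b in zip(times, times[1:])]
    peak, j = 0, 0
    for i in range(len(frames)):
        while j < len(frames) and times[j] < times[i] + window:
            j += 1                      # frames[i:j] is the window starting at frame i
        peak = max(peak, len({f[1] for f in frames[i:j]}))
    syn_only = sum(1 for f in frames if f[4] == "S")
    with_ack = sum(1 for f in frames if "A" in f[4])
    return {
        "frames": len(frames),
        "distinct_src_macs": len({f[1] for f in frames}),
        "peak_macs_per_window": peak,
        "syn_only": syn_only,
        "with_ack": with_ack,
        "min_gap_s": min(gaps) if gaps else None,
        # a CAM flood needs a burst of new MACs; the SYN-without-ACK check rules out
        # a busy but legitimate segment that simply has many hosts
        "cam_flood": peak >= mac_threshold and with_ack * 10 < syn_only,
    }


if __name__ == "__main__":
    report = flood_report(constructed_capture())
    for k, v in report.items():
        print("%-22s %s" % (k, v))
```

On a real capture, feed the tuple list from tshark (`tshark -r macof.pcap -T fields -e frame.time_epoch -e eth.src -e ip.src -e ip.dst -e tcp.flags.str`) and the peak-per-window number is the one to put in a port-security `maximum` discussion: a single access port should never legitimately present fifty new MACs in a second.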

Lesson 6: Security Tools

Understanding passive and active attacks

- There are two different types of attacks, passive and active, and we'll take a look at the difference between the two. An
attack can be against any of the security services: confidentiality, integrity, availability, or authentication. Let's take a look
at each of these. Confidentiality is protection of data against unauthorized disclosure. For example, if you worked in the
payroll department, you wouldn't want to see unauthorized individuals taking a look at the payroll information.

Integrity is protection of data from unauthorized modification. For example, if I got a C in Algebra, you wouldn't want me
to be able to go in and change it to an A. That would be a violation of integrity. Availability is where data and
services are available to authorized users. A denial-of-service attack is an attack against availability. A denial-of-service
attack locks out legitimate users.

And authentication. Well, authentication is assurance that the communicating entity is who they say they are; it
verifies the identity of a user or device. For example, on a network, we want to be able to provide
that authentication feature amongst routers. In a faceless, nameless environment such as the network, routers should
use authentication techniques. Now let's talk about passive attacks. Passive attacks include something
that you wouldn't think is dangerous, such as eavesdropping.

We also call this traffic analysis, or tapping. This is where someone may be monitoring transmissions. It's hard to
detect. For example, someone would be capturing authentication information, such as passwords. This can result in the
disclosure of information or data files to an attacker without the consent or knowledge of the user. Now the emphasis in
this case is on prevention, not detection. In the case of prevention, we would want to use encryption.

So for example, if someone were to capture the data, they couldn't read it unless they had the key. Now a passive attack
also includes a more aggressive form of an attack called a reconnaissance exercise. In this case, the attacker is seeking to
find out information about the network. We're still scanning, but in this case, the attacker will do a ping scan or a port
scan. A ping scan is a set of ICMP or Internet Control Message Protocol echo packets that are sent to a network of
machines usually specified within a range of IP addresses and sees which ones respond.

The whole point of this is to determine which machines are alive and which ones aren't. After the attacker
determines which ones are alive and responding, the attacker will then do a port scan. And this is used to discover the
services running on a target machine. The intruder can then plan an attack on any vulnerable service that she finds. For
example, if the intruder finds that port 143, the IMAP port, is open, she may proceed to find out what version of IMAP is
running on the target machine.

If the version is vulnerable, the hacker may be able to exploit that weakness and gain access to the system. Now we look
at active attacks. These can be carried out by introducing malicious code, such as viruses, worms, or Trojan horses. In
an active attack, an attacker tries to break into secured systems. The attacker's goal is to steal or modify information. This
then can result in the release or modification of data, or denial of service.

An active attack can be an attack on confidentiality, integrity, availability, or authenticity. Active attacks include
masquerade, session hijacking, denial of service, and buffer overflow, where the attacker sends more data to an
application than it expects, which can let the attacker run code and end up with a command prompt or shell, sometimes
with administrative privileges. And a password attack: this is where an attacker tries to crack the passwords stored in a network account database
or a password-protected file.

A dictionary attack uses a word list, which is a list of potential passwords, whereas a brute force attack is when the
attacker tries every possible combination of characters. We know that there are many potential attacks, but there are
methods of defense. Encryption is a method of defense. Encryption is taking data and making it into an unreadable
format that can only be read if it is decrypted using a key. Cryptography can protect four of the
services on our network: confidentiality, integrity (with a MAC or digital signature), authentication, and non-repudiation (with
digital signatures). It does nothing for availability.

We also can do application security. Application security should be built into the system development life cycle. There
are many known attacks, and they should be addressed early on in the development life cycle. Policies may be as
simple as frequent changes of passwords and password strength requirements. Physical controls are the most overlooked
form of security; those would include locks and smart cards. And then device security: intrusion detection
systems, intrusion prevention systems, firewalls, and switches. All in all, it should be a layered approach where we
protect against attacks in many different ways.

Using security tools for ethical hacking


- Every day our networks are bombarded with any number of attacks with the intention of finding security weaknesses
and potentially gaining access. As a result, it is in an organization's best interest to test the network with readily
available tools, many of which are free. Ethical hacking is also known as penetration testing. Ethical hacking evaluates the
security of a network. It measures the effectiveness of defense mechanisms by attempting to exploit system
vulnerabilities, such as operating system, service and application flaws, improper configurations, and dangerous end
user behavior.

Well, what is a vulnerability? A vulnerability is a security hole in a piece of software, hardware, or operating system that
provides a potential angle to attack the system. A vulnerability can be as simple as weak passwords, or as complex as
buffer overflows or SQL injection vulnerabilities. Once vulnerabilities have been successfully exploited on a particular
system, testers may attempt to use the compromised system to launch subsequent exploits at other internal resources.

Specifically, they try to incrementally achieve higher levels of security clearance and deeper access to electronic
assets and information via privilege escalation. Well, what is an exploit? In order to take advantage of a vulnerability
you need an exploit, a small and highly specialized computer program whose only purpose is to take advantage of a
specific vulnerability and provide access to that computer system.

Exploits often deliver a payload to the target system to grant the attacker access to the system. We know that we
are faced with a number of different attacks on our network, but there are tools, and some of the tools you should get
yourself familiar with. As a network administrator you should download and try some of these tools. Metasploit is an
advanced tool used to perform penetration testing on network systems and IT infrastructure.

Closely related is Kali Linux, a Debian-derived Linux distribution designed for digital forensics and penetration testing. It
was formerly known as BackTrack, but it is now Kali Linux. Kali Linux is easy to use, and with a couple of simple
commands you can execute an attack. Armitage is an open source, user-friendly interface to the Metasploit
framework. It is in the Kali Linux repository, and it allows you to test your network for weak and vulnerable
machines, and it'll allow you to launch an exploit in just a few clicks, including a Hail Mary, which throws every applicable
exploit it has at the target.

There are many other tools available to you to test your network. One tool is the Social Engineering Toolkit. Social
engineering is used to test your people. Now, if we take a look at the network, and we logically lock down the network
with intrusion detection, intrusion prevention, firewalls, and other appliances, and we layer on administrative controls and
policies, but forget that someone might give away their password for a bar of chocolate, the entire network can go
down.

We use social engineering techniques in order to try to get individuals to open a phishing email and give up
information, so that should be utilized in conjunction with some of the other logical tools such as Armitage or Kali
Linux. Other defenses include password policies that enforce password length and complexity, and taking
advantage of the tools in your command line interface, such as netstat.

In the command line interface, netstat tells you what your active connections are. You should periodically check those
active connections to see if any are unauthorized.
