
Experiment No. 7
Date of Performance: 15-04-2021 Date of Submission: 15-04-2021
SAP ID: 60004198011 Name: Krutik Shah
Div: B Batch: B4

AIM: Study of packet sniffer tools:

A. Wireshark: Download and install Wireshark and capture ICMP, TCP, and HTTP packets in
promiscuous mode.
B. Explore how the packets can be traced based on different filters.

THEORY:
Wireshark:
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis,
software and communications protocol development, and education. Originally named Ethereal, the
project was renamed Wireshark in May 2006 due to trademark issues. [4]
Wireshark is cross-platform, using the Qt widget toolkit in current releases to implement its user interface,
and using pcap to capture packets; it runs on Linux, macOS, BSD, Solaris, some other Unix-like operating
systems, and Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark.
Wireshark, and the other programs distributed with it such as TShark, are free software, released under
the terms of version 2 of the GNU General Public License.
Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and
filtering options.
Wireshark lets the user put network interface controllers into promiscuous mode (if supported by the
network interface controller), so they can see all the traffic visible on that interface including unicast
traffic not sent to that network interface controller's MAC address. However, when capturing with a packet
analyzer in promiscuous mode on a port on a network switch, not all traffic through the switch is
necessarily sent to the port where the capture is done, so capturing in promiscuous mode is not necessarily
sufficient to see all network traffic. Port mirroring or various network taps extend capture to any point on
the network. Simple passive taps are extremely resistant to tampering.
On GNU/Linux, BSD, and macOS, with libpcap 1.0.0 or later, Wireshark 1.4 and later can also put
wireless network interface controllers into monitor mode. If a remote machine captures packets and sends
the captured packets to a machine running Wireshark using the TZSP protocol or the protocol used by
OmniPeek, Wireshark dissects those packets, so it can analyze packets captured on a remote machine at
the time that they are captured.
Part A: Download and install Wireshark and capture ICMP, TCP, and HTTP packets in promiscuous mode
ICMP:
ICMP (Internet Control Message Protocol) is a protocol that network devices (e.g. routers) use to generate
error messages when network issues are preventing IP packets from getting through. Although the lower-level
Internet Layer is not supposed to be concerned with connection assurance, ICMP gives a little feedback on
communications when things go wrong. So, even if you use UDP, which has a connectionless communications
model, it is still possible to find out why a transmission failed. All network-connected devices can process
ICMP messages, so that includes routers as well as endpoint devices. ICMP has been adapted so it can work
with IPv6 just as thoroughly as it has served IPv4. As this protocol resides at the Internet Layer, its messages
are carried by IP packets and so exist at a higher level than the operating structures of switches. Although
ICMP is carried within IP packets, it does not exist inside data-carrying packets: an ICMP packet is only
generated in response to an incoming data packet when the transmission of that inbound message fails. The
error conditions that provoke an ICMP packet are often the result of data contained in the IP header of the
failed packet.

Output:
TCP:
TCP (Transmission Control Protocol) lies between the application layer and the network layer and provides
a reliable stream delivery service, i.e., it delivers and receives data as a stream of bytes. TCP uses an
acknowledgement mechanism to check the safe and sound arrival of data, performs multiplexing at the sender
side, and demultiplexes at the receiver end. TCP uses three phases to achieve connection orientation:
connection establishment, data transfer, and connection termination. It is considered a connection-oriented
protocol, which means that a connection is established and maintained until the application programs at
each end are done exchanging messages. It also decides how to break the application data into the packets
that the networks deliver, sends those packets, accepts packets from the network layer, and manages flow
control. In the OSI model, TCP occupies parts of Layer 4, the Transport Layer, and parts of Layer 5, the
Session Layer.
Let us take an example. When a web server sends an HTML file to the client, it makes use of the HTTP
protocol. The HTTP program layer then requests the TCP layer to set up the connection and send the file.
The TCP stack then divides the file into packets, numbers them and forwards them to the Internet Protocol
layer for delivery. Though each of the packets in transmission has the same source and destination IP
addresses, the packets may still be sent along various routes. The TCP layer in the client computer waits
until all the packets have arrived, then acknowledges the ones it has received and asks for retransmission
of any that are missing.

Output:
HTTP:
The Hypertext Transfer Protocol is an application protocol for distributed, collaborative, hypermedia
information systems that allows users to communicate data on the World Wide Web. HTTP was invented
alongside HTML to create the first interactive, text-based web browser: the original World Wide Web.
Today, the protocol remains one of the primary means of using the Internet. As a request-response
protocol, HTTP gives users a way to interact with web resources such as HTML files by transmitting
hypertext messages between clients and servers. HTTP clients generally use Transmission Control
Protocol (TCP) connections to communicate with servers. HTTP utilizes specific request methods in order
to perform various tasks. All HTTP servers use the GET and HEAD methods, but not all support the rest
of these request methods:
• GET requests a specific resource in its entirety
• HEAD requests a specific resource without the body content
• POST adds content, messages, or data to a new page under an existing web resource
• PUT directly modifies an existing web resource or creates a new URI if need be
• DELETE gets rid of a specified resource
• TRACE shows users any changes or additions made to a web resource
• OPTIONS shows users which HTTP methods are available for a specific URL
• CONNECT converts the request connection to a transparent TCP/IP tunnel
• PATCH partially modifies a web resource
HTTP can also be leveraged by cyber attackers using techniques like HTTP smuggling.

Output:
Part B: Explore how packets can be traced based on different filters

1. Filter results by port:

Sets a filter for any TCP packet with a specific source or destination port. It is sometimes useful and less
time-consuming to look only at the traffic that goes into or out of a specific port.
Command: tcp.port eq 443

2. Filter results based on multiple conditions:

Shows packets whose protocol is either TCP or UDP.

Command: tcp or udp
3. Filter results by IP address:
Sets a filter for any packet with 192.168.0.0 as either the source or the destination address.

Command: ip.addr == 192.168.0.0

4. Filter results based on byte sequence:

Sets a filter for any TCP packet that contains the given byte sequence.
Command: tcp contains 00:01:02
5. Filter based on data in the packets:

Displays all packets that contain the word 'traffic'. Excellent when searching for a specific string or user
ID. (Field names in Wireshark display filters are lowercase, and string operands are quoted.)

Command: frame contains "traffic"

6. Filter based on timestamp:

Sets a filter to display all TCP packets that have a delta time of greater than 250 ms in the context
of their stream.

Command: tcp.time_delta > .250


7. Filter based on HTTP GET request:

Sets a filter to show only HTTP GET request packets.

Command: http.request.method == "GET"

8. Filter based on excluding a particular IP address:

This reads "pass all traffic that does not have an IP address equal to 10.43.54.65."
Command: !(ip.addr == 10.43.54.65)
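The three protocols captured in Part A and the eight display filters of Part B, as an added Python example that is not part of this report and is not Wireshark's own code: a minimal Ethernet II / IPv4 dissector for ICMP, TCP and HTTP request lines, with each Part B filter expression re-expressed as a Python predicate and run over three constructed frames. Everything in it is assumed for illustration: the MAC and IP addresses (203.0.113.10 from the documentation range stands in for a web server), payloads and timings are constructed sample values, checksums are left as zero and not validated, the function names (`dissect`, `http_request_method`, `apply_filter`) are my own, and `tcp.time_delta` is approximated as the time since the previous frame in the capture rather than Wireshark's per-stream delta.

```python
"""Constructed example (not Wireshark's code): a minimal Ethernet/IPv4 dissector
for ICMP, TCP and HTTP request lines, plus Python equivalents of the Part B
display filters, run over three hand-built frames. All MAC/IP addresses and
payloads are sample values; checksums are left as zero and not validated."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                    # IP protocol number: 1 ICMP, 6 TCP, 17 UDP
    raw: bytes                    # whole frame ("frame" in Wireshark filters)
    layer4: bytes                 # transport layer, header + data ("tcp" in filters)
    time_delta: float             # seconds since the previous frame (simplified)
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    payload: bytes = b""          # TCP/UDP data, or ICMP body after its 8-byte header


def dissect(frame: bytes, time_delta: float = 0.0) -> Packet:
    """Parse Ethernet II + IPv4 and the ICMP/TCP/UDP header beneath it."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("this example only handles IPv4 frames")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:total_len]
    pkt = Packet(src, dst, proto, frame, l4, time_delta)
    if proto == 6:                                # TCP: data offset = high nibble of byte 12
        pkt.sport, pkt.dport = struct.unpack("!HH", l4[:4])
        pkt.payload = l4[(l4[12] >> 4) * 4:]
    elif proto == 17:                             # UDP: fixed 8-byte header
        pkt.sport, pkt.dport = struct.unpack("!HH", l4[:4])
        pkt.payload = l4[8:]
    elif proto == 1:                              # ICMP: type, code, checksum, rest of header
        pkt.icmp_type = l4[0]
        pkt.payload = l4[8:]
    return pkt


def http_request_method(pkt: Packet) -> Optional[str]:
    """Return the method if the TCP payload starts with an HTTP request line."""
    if pkt.proto != 6 or not pkt.payload:
        return None
    parts = pkt.payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return parts[0].decode("ascii", "replace")
    return None


# ---- constructed frames (sample values, zero checksums) ---------------------
def _inet(a: str) -> bytes:
    return bytes(int(o) for o in a.split("."))


def _eth_ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000,
                         64, proto, 0, _inet(src), _inet(dst))
    dst_mac, src_mac = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + l4


def _tcp(sport: int, dport: int, seq: int, flags: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + data


CAPTURE = [  # (frame, seconds since previous frame)
    # 1: ICMP echo request whose data carries the string "traffic"
    (_eth_ipv4("192.168.0.5", "8.8.8.8", 1,
               struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"traffic-test"), 0.0),
    # 2: TCP SYN to port 443; seq 0x00010203 puts bytes 00:01:02 in the TCP header
    (_eth_ipv4("192.168.0.5", "10.43.54.65", 6, _tcp(51000, 443, 0x00010203, 0x02)), 0.0),
    # 3: HTTP GET over TCP port 80, 310 ms after the previous frame
    (_eth_ipv4("192.168.0.5", "203.0.113.10", 6,
               _tcp(51001, 80, 7, 0x18, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")), 0.31),
]
PACKETS = [dissect(f, d) for f, d in CAPTURE]

# ---- Python equivalents of the Part B display filters ------------------------
FILTERS: Dict[str, Callable[[Packet], bool]] = {
    "tcp.port eq 443":              lambda p: p.proto == 6 and 443 in (p.sport, p.dport),
    "tcp or udp":                   lambda p: p.proto in (6, 17),
    "ip.addr == 10.43.54.65":       lambda p: "10.43.54.65" in (p.src, p.dst),
    "tcp contains 00:01:02":        lambda p: p.proto == 6 and b"\x00\x01\x02" in p.layer4,
    'frame contains "traffic"':     lambda p: b"traffic" in p.raw,
    "tcp.time_delta > .250":        lambda p: p.proto == 6 and p.time_delta > 0.250,
    'http.request.method == "GET"': lambda p: http_request_method(p) == "GET",
    "!(ip.addr == 10.43.54.65)":    lambda p: "10.43.54.65" not in (p.src, p.dst),
}


def apply_filter(expr: str, packets: List[Packet] = PACKETS) -> List[int]:
    """Return the 1-based frame numbers (Wireshark's 'No.' column) matching expr."""
    return [i for i, p in enumerate(packets, 1) if FILTERS[expr](p)]


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:32} -> frames {apply_filter(expr)}")
```

Running the block lists which frame numbers each filter keeps. Frame 2 matches `tcp contains 00:01:02` only because those bytes sit in its sequence-number field: `contains` applied to a protocol name searches the whole layer, header included, so when only the data is meant, the filter should be anchored to the payload field (`tcp.payload contains ...`) to avoid false matches on header bytes.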

CONCLUSION: Hence, we have successfully captured various packets using the Wireshark tool.
PRESENTATION
