DIGITAL FORENSICS - IFN643 Assignment 2 Executive Summary Packet Filtering

Added on  2022-10-17

DIGITAL FORENSICS - IFN643
Assignment 2

Executive Summary
Packet filtering is a method in which packets are filtered at the network nodes. Captured packets
are briefly stored before analysis, and the packets are inspected to resolve any network issue.
The same method is commonly used by hackers to capture packets transmitted over a network.
Such data is processed based on the protocol used, source, ports, and destination. Packet
filtering is also a common implementation in firewalls to check for network intrusions. A PCAP
file is taken for investigation. The investigation is done using Wireshark as well as a network
message analyzer, and the details extracted from the investigation are reported below.

Task-1
Theory about Wireshark
Identify hosts and users using the packet analyzer Wireshark
Wireshark is an open-source packet analyzer used to identify affected hosts and users while
troubleshooting a suspicious network (Afonin, 2016) (Al, kazary, Begum & Rubel, 2011). This
network analysis tool is widely used by security professionals to review the packets of an
infected host and hence spot the underlying problem.
In this tutorial we look at ways and means to gather the pcap data of network packets using
Wireshark (Alghawli, 2013). Pcaps of IPv4 traffic are used to describe the retrieval
techniques involved for the various data types:
* Information of the Host from DHCP traffic
* Information of the Host from NetBIOS Name Service (NBNS) traffic
* Operating systems and device models from HTTP traffic
* Windows user account from Kerberos traffic
Here it is assumed that the reader is aware of the basics of network traffic.

Packet analysis is dealt with at the higher protocol layers that Wireshark decodes. It also shows
how the analyzer used the network during troubleshooting (Bagyalakshmi et al., 2018). Packet
analysis commences with packet capturing: before network traffic and performance can be
analyzed, real-time packets must be captured, which can be done using different techniques.
A filter syntax is used to filter out packets, and colorization is used to display the filtered
packets. The tools used for packet capture are set to coloring rules. These rules form the
specifications which the system will use to display the captured packets, so a problematic packet
is easily distinguished by a different coloration (Baker, 2013) (Banerjee, Vashishtha & Saxena, 2010).
If any anomalies exist in the network, sent packets may not reach the target destination. At times,
the packet order may abruptly change, or the network may produce another copy of the packet
under transmission. Lost packets normally degrade network performance and traffic. Sequence
numbers and duplicate acknowledgements are clear pointers to packet loss, since receivers cannot
acknowledge receipt of lost packets (Buchanan, 2011).
Transmission Control Protocol (TCP) acts as a judge: it verifies the acknowledgements received
and retransmits where there is a need to do so (Bukohwo M., 2016). This is evident in TCP sessions.
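The two loss indicators named above, retransmissions and duplicate acknowledgements, can be flagged programmatically in the same way Wireshark's expert analysis does. The following is an added example, not code from the assignment or from Wireshark: it runs a simplified version of the retransmission and duplicate-ACK heuristics over a list of TCP segment records. The segments are constructed for the example (a sender-side capture of one connection in which the segment at seq 101 is never acknowledged) and are not taken from the assignment's pcap.

```python
"""Flag retransmissions and duplicate ACKs in a sequence of TCP segments.
Added example: simplified form of the heuristics Wireshark applies when it
labels frames with tcp.analysis.retransmission / tcp.analysis.duplicate_ack.
The segment records at the bottom are constructed, not read from a pcap."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    no: int        # frame number, as shown in the Wireshark packet list
    src: str       # "ip:port" of the sender
    dst: str       # "ip:port" of the receiver
    seq: int       # relative sequence number
    ack: int       # relative acknowledgement number
    length: int    # TCP payload bytes
    flags: str     # TCP flags, e.g. "A" or "PA"


def analyze_tcp(segments):
    """Return {frame_no: [annotations]} for frames that look like loss indicators.

    A data segment whose (seq, length) was already seen in the same direction is
    a retransmission. A pure ACK that repeats the previous ACK number in the same
    direction is a duplicate ACK; the counter resets when that side sends data.
    """
    findings = defaultdict(list)
    seen_data = defaultdict(set)   # direction -> {(seq, length)} of data segments
    last_ack = {}                  # direction -> (ack number, duplicate count)
    for s in segments:
        direction = (s.src, s.dst)
        if s.length > 0:
            key = (s.seq, s.length)
            if key in seen_data[direction]:
                findings[s.no].append("retransmission")
            seen_data[direction].add(key)
            last_ack[direction] = (s.ack, 0)   # new data resets dup-ACK counting
        else:
            prev = last_ack.get(direction)
            if prev and prev[0] == s.ack and "A" in s.flags:
                count = prev[1] + 1
                findings[s.no].append(f"duplicate ACK #{count}")
                last_ack[direction] = (s.ack, count)
            else:
                last_ack[direction] = (s.ack, 0)
    return dict(findings)


# Constructed sender-side capture: the client's segment at seq 101 (frame 3)
# never reaches the server, so the server keeps acknowledging byte 101 until
# the client retransmits it in frame 8.
CLIENT, SERVER = "10.0.0.5:51000", "10.0.0.9:80"
SAMPLE_SEGMENTS = [
    Segment(1, CLIENT, SERVER, seq=1,   ack=1,   length=100, flags="PA"),
    Segment(2, SERVER, CLIENT, seq=1,   ack=101, length=0,   flags="A"),
    Segment(3, CLIENT, SERVER, seq=101, ack=1,   length=100, flags="PA"),  # lost after capture
    Segment(4, CLIENT, SERVER, seq=201, ack=1,   length=100, flags="PA"),
    Segment(5, SERVER, CLIENT, seq=1,   ack=101, length=0,   flags="A"),   # dup ACK #1
    Segment(6, CLIENT, SERVER, seq=301, ack=1,   length=100, flags="PA"),
    Segment(7, SERVER, CLIENT, seq=1,   ack=101, length=0,   flags="A"),   # dup ACK #2
    Segment(8, CLIENT, SERVER, seq=101, ack=1,   length=100, flags="PA"),  # retransmission
    Segment(9, SERVER, CLIENT, seq=1,   ack=401, length=0,   flags="A"),   # gap filled
]

if __name__ == "__main__":
    for frame, notes in sorted(analyze_tcp(SAMPLE_SEGMENTS).items()):
        print(frame, ", ".join(notes))
```

The same records could be exported from a real capture with `tshark -T fields` and fed to `analyze_tcp`; the point of the simplified rules is that a single lost segment shows up as a run of duplicate ACKs from the receiver followed by a retransmission from the sender, which is exactly the pattern the text describes.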
Network nodes are listed in terms of their IP and MAC addresses. Network issues identified in
the captured packets must be analyzed to determine the root problems. Sometimes the root problem
can be the window size, a device malfunction, an application dependency or latency. Such network
problems are identified after analysis, and appropriate recommendations are displayed for further
action.
Network nodes are listed in terms of their MAC, IP, ports, and services. A diagram showing the
network topology will also be given. Packet capture file analysis is done to determine network
troubles and their root cause. These root causes will be addressed in order of priority and
performance. Any other issue will be identified and technically solved (Choo & Dehghantanha,
2017).
* Network Enumeration
IP & MAC address

MAC (Media Access Control) is a six-character number used to uniquely identify a node in a
network; colons separate its parts. This number is listed in a router device to add that
particular node to a network (Chowdhury & Alam, 2019). The MAC layer receives and sends packets
to and from a network and is the link between nodes in a network set-up. Wireshark is installed on
the DHCP server (CUI & SHEN, 2018). To use Wireshark here, set the source as the user's MAC
address and the destination as the user's DHCP server.
Internet Protocol
This is the number used for locating nodes anywhere in the world. It is a unique number with no
duplications within a system, used to locate devices wherever they are located on the World
Wide Web (Devi, Kannan & Ravindran, 2019) (Davidoff & Ham, 2012). Every machine or
system has a unique number, which is known as the IP address. This IP address is used to connect to
systems within a network for purposes of communication. Other functions of Internet protocols
are:
Hosting
Each device has a unique IP address for identification purposes. IP addresses are also important
for adding a device to a network. The Domain Name Service resolves the IP address to a readable host
name (Duranti & Endicott-Popovsky, 2010) (Gogolin, 2013). To convert an IP address to a host
name, the gethostname() function is used. The system responds to these commands by searching
the hosts file.
* Mapping ports and service
The objectives of mapping are as follows:
* get acknowledgement for hosts
* locating IP addresses
* Ports and services
* mapping technology using NMAP or network mapper.

This network mapper is used for security reviews and investigation purposes. It runs on the major
operating systems such as Windows, OS X and Linux (Gold, 2011). It makes it easier to conduct
network checks for any loopholes that hackers could use to manipulate or gain entry into the
system. The diagram shows a session between server and client machines (Hamid Lone & Naaz
Mir, 2018) (Hashimoto, Hasegawa & Murata, 2014). The firewall is linked to the internet service
provider.
Information of the Host from DHCP traffic
The three identifiers associated with any traffic generating host in a network are
1. MAC address
2. IP address
3. Hostname
Any alert about suspicious activity in a network is keyed to an IP address. The pcap retrieved for an
internal IP address (obtained when a full packet capture of the network traffic is taken) will reveal
the associated MAC address and hostname (Huang et al., 2009).
How can Wireshark be used to find the host information from the filtered pcap?
* To identify hosts connected to the network irrespective of the computer type, DHCP
traffic can be used.
* To identify hosts on computers running Microsoft Windows or macOS (Apple), NBNS
traffic can be used.
Let us consider a pcap to better understand this using Wireshark.
First pcap: host-and-user-ID-pcap-01.pcap is available here.
Internal IP address: 172.16.1[.]207.
To reveal the DHCP traffic, open the given pcap in Wireshark and filter on bootp.
Note: If using Wireshark 3.0, use the filter dhcp instead of bootp ("Industrial Network
Security", 2015) ("Introduction to Computer and Network Security", 2013).

Figure 1: Filtering on DHCP traffic in Wireshark
Steps involved:
1. Select the frame that shows DHCP Request in the Info column.
2. In the frame details section, expand the line for Bootstrap Protocol (Request).
3. Then expand the sections Client Identifier and Host Name.
4. The MAC address assigned to 172.16.1[.]207 is revealed by the Client Identifier field.
5. The Host Name field reveals the hostname (Iqbal & Naaz, 2019) (Kadafi & Khusnawi,
2015) (Khan, Alshomrani & Qamar, 2013).
From the details retrieved from Wireshark, we can determine that the hostname for 172.16.1[.]207
is Rogers-iPad and the MAC address is 7c:6d:62:d2:e3:4f.
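The Client Identifier and Host Name fields that the steps above expand by hand are DHCP options 61 and 12, a type-length-value list that follows the fixed BOOTP header and the magic cookie. The following is an added example, not code from the assignment or from Wireshark: a small DHCP option parser that pulls the same two fields (plus the message type, option 53) out of a raw DHCP payload, falling back to the header's chaddr field when option 61 is absent. The DHCP message is constructed inside the block, reusing the MAC and hostname the text reports for 172.16.1.207, rather than read from the pcap; the `mac_to_str` helper also illustrates the colon-separated MAC notation described in the MAC address section.

```python
"""Extract Client Identifier (option 61) and Host Name (option 12) from a DHCP
Request, the two fields the Wireshark steps expand. Added example, not part of
the assignment; the DHCP message is constructed below using the MAC and
hostname quoted in the text, not read from the pcap."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that ends the fixed header
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK"}


def mac_to_str(raw: bytes) -> str:
    """Format six raw bytes in the colon-separated notation Wireshark displays."""
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return ":".join(f"{b:02x}" for b in raw)


def parse_dhcp_options(payload: bytes) -> dict:
    """Walk the type-length-value option list that follows the 240-byte header."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                      # pad byte, carries no length field
            i += 1
            continue
        if code == 255:                    # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def host_info_from_dhcp(payload: bytes) -> dict:
    """Return message type, client MAC and hostname from one DHCP message."""
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(53)
    info = {"message_type": MESSAGE_TYPES.get(msg_type[0], "unknown") if msg_type else "unknown"}
    # Option 61: one hardware-type byte (1 = Ethernet) followed by the address.
    cid = opts.get(61)
    if cid and cid[0] == 1 and len(cid) == 7:
        info["client_mac"] = mac_to_str(cid[1:])
    else:
        # Fall back to the chaddr field of the fixed header (offset 28; hlen is at offset 2).
        hlen = payload[2]
        info["client_mac"] = mac_to_str(payload[28:28 + hlen]) if hlen == 6 else None
    hostname = opts.get(12)
    info["hostname"] = hostname.decode("ascii", errors="replace") if hostname else None
    return info


def build_sample_request(mac: bytes, hostname: bytes, include_client_id: bool = True) -> bytes:
    """Constructed DHCP Request carrying options 53, 61 (optional) and 12."""
    # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    header += mac + b"\0" * 10              # chaddr is padded to 16 bytes
    header += b"\0" * 64 + b"\0" * 128      # sname and file, unused here
    options = b"\x35\x01\x03"               # option 53: DHCP Request
    if include_client_id:
        options += b"\x3d\x07\x01" + mac    # option 61: Ethernet type + MAC
    options += b"\x0c" + bytes([len(hostname)]) + hostname   # option 12: Host Name
    return header + DHCP_MAGIC + options + b"\xff"


# Constructed sample reusing the MAC and hostname the text reports for 172.16.1.207.
SAMPLE_MAC = bytes.fromhex("7c6d62d2e34f")
SAMPLE_REQUEST = build_sample_request(SAMPLE_MAC, b"Rogers-iPad")

if __name__ == "__main__":
    print(host_info_from_dhcp(SAMPLE_REQUEST))
```

In a real investigation the payload handed to `host_info_from_dhcp` would be the UDP payload of each frame matched by the `bootp` (or `dhcp`) filter; the parser rejects anything without the magic cookie and anything whose option list is cut short, so a truncated capture fails loudly instead of yielding a partial MAC or hostname.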
