
Attendees: Course notes online at www.packet-level.com.

www.packet-level.com/resources/hpetsnotes.txt

Advanced Packet Analysis

Sessions this week:
- Thursday, 1728 Cybercrime 1, 9:30, Rm 124
- Thursday, 1729 Cybercrime 2, 2:00, Rm 224
- Friday, 1730 Advanced Analysis, 8:00a, Rm 124
- Friday, 1731 Case Studies/Security, 11:00a, Rm 124

Remember to fill out your evaluations!

Laura Chappell Protocol Analysis Institute www.packet-level.com

October 11, 2002

2002 hp

filename.ppt

hp enterprise technical symposium

page 1

Prerequisites
- Understanding basic packet structures
- Understanding data flows
- Ability to count
- Ability to convert hex-decimal-binary
- Thorough knowledge of the protocol or application you are working on, or some very good technical resources


This Lecture Covers


- Timestamping
- Application throughput
- Triggered captures
- Filtering: address, protocol, application, bit-level
- Packet transmission
- Cool other stuff


Using Timestamps
- Latency testing (from here to there and back again...)
- Interval testing (e.g., OSPF hellos, Token Ring ring polls)
- The three basic timestamps: absolute time, relative time, delta time


Absolute Timestamp
- Based on time of day (uses the PC clock setting, so it is only as trustworthy as that clock: sync the analyzer's clock before a capture you intend to correlate with logs)
- Answers "when did that event occur?":
  - The login/logout
  - The break-in
  - The DoS attack
  - The overload


Relative Timestamp
- Relative to the first packet in the trace buffer
- Time from one command until completion
- Used for application testing


Delta or Interpacket
- From the end of one packet to the end of the next packet
- Used for the slow network problem

(Slide diagram: REQ, ACK, RESPONSE measured as round-trip time 1; a second REQ, ACK, RESPONSE measured as round-trip time 2; the chart plots average response latency in ms.)

Application Throughput Testing
- Cumulative bytes over relative time
- Look for 1 second (better: look for 1 minute and divide by 60)
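The three timestamp columns, the request/response latency from the delta slide, and the throughput average from the slide above, worked through in Python as an added example. This is not code from the presentation or from any analyzer product: the nine-frame capture, its REQ/ACK/RESPONSE labels and every function name are constructed for the illustration, and a real tool would read the frames from a trace file instead. Timestamps are kept as integer microseconds, the way pcap stores them, so the arithmetic is exact.

```python
from datetime import datetime, timezone

# Constructed sample capture (not a real trace): each frame is
# (absolute timestamp in microseconds since the epoch, frame length in bytes, summary).
SAMPLE_CAPTURE = [
    (1034348400000000, 74,   "REQ"),
    (1034348400012000, 66,   "ACK"),
    (1034348400150000, 1514, "RESPONSE"),
    (1034348400160000, 74,   "REQ"),
    (1034348400171000, 66,   "ACK"),
    (1034348401900000, 1514, "RESPONSE"),   # slow server: 1.74 s after its request
    (1034348402000000, 74,   "REQ"),
    (1034348402010000, 66,   "ACK"),
    (1034348402100000, 1514, "RESPONSE"),
]


def timestamp_columns(capture):
    """One dict per frame with the three basic timestamps.

    absolute: wall-clock time of the frame (the analyzer PC's clock; shown in UTC here)
    relative: seconds since the first frame in the trace buffer
    delta:    seconds since the previous frame (0 for the first frame)
    """
    rows = []
    first_us = capture[0][0]
    prev_us = first_us
    for ts_us, length, summary in capture:
        absolute = datetime.fromtimestamp(ts_us // 1_000_000, tz=timezone.utc)
        absolute = absolute.replace(microsecond=ts_us % 1_000_000)
        rows.append({
            "absolute": absolute.strftime("%Y-%m-%d %H:%M:%S.%f"),
            "relative": (ts_us - first_us) / 1_000_000,
            "delta": (ts_us - prev_us) / 1_000_000,
            "length": length,
            "summary": summary,
        })
        prev_us = ts_us
    return rows


def slowest_gap(capture):
    """Index and size (seconds) of the largest interpacket delta: the first place
    to look when the complaint is 'the network is slow'."""
    rows = timestamp_columns(capture)
    index = max(range(len(rows)), key=lambda i: rows[i]["delta"])
    return index, rows[index]["delta"]


def response_latencies_ms(capture):
    """Round-trip time in milliseconds from each REQ to the next RESPONSE."""
    latencies = []
    pending_req_us = None
    for ts_us, _length, summary in capture:
        if summary == "REQ":
            pending_req_us = ts_us
        elif summary == "RESPONSE" and pending_req_us is not None:
            latencies.append((ts_us - pending_req_us) / 1000)
            pending_req_us = None
    return latencies


def throughput_bytes_per_second(capture, start_s, duration_s):
    """Cumulative bytes of the frames whose relative time falls in
    [start_s, start_s + duration_s), divided by the window length.
    A one-second window is noisy; a longer window divided by its length
    gives the average the slide recommends."""
    first_us = capture[0][0]
    start_us = first_us + int(start_s * 1_000_000)
    end_us = start_us + int(duration_s * 1_000_000)
    total = sum(length for ts_us, length, _ in capture if start_us <= ts_us < end_us)
    return total / duration_s


if __name__ == "__main__":
    for row in timestamp_columns(SAMPLE_CAPTURE):
        print(f"{row['absolute']}  rel={row['relative']:.6f}  delta={row['delta']:.6f}  {row['summary']}")
    print("slowest gap (index, seconds):", slowest_gap(SAMPLE_CAPTURE))
    print("request latencies (ms):", response_latencies_ms(SAMPLE_CAPTURE))
    print("1 s window:", throughput_bytes_per_second(SAMPLE_CAPTURE, 0, 1), "B/s")
    print("3 s window:", throughput_bytes_per_second(SAMPLE_CAPTURE, 0, 3), "B/s")
```

The one-second windows in this capture report 1794, 1514 and 1654 B/s while the whole-capture average is 1654 B/s; that spread is why the slide says to average over a minute rather than trust any single second.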


Triggered Captures
When you absolutely positively gotta go to sleep.
- Trigger by date/time
- Trigger by alarm (e.g., utilization % exceeded)
- Trigger by event (a packet meets the filter criteria)


Application Analysis
- Filter on the test host
- Time the processes
- Define the packet count requirement
- Examine utilization stats for planning

Form online at www.podbooks.com (References). From Advanced Network Analysis Techniques by Laura Chappell


Know Your Applications

Spotting the Cookie Exploit
(Slide diagram) Connect to site 1: cookie dropped. Connect to site 2: cookie read.

See www.cookie-central.com.


Filtering
- Address-based: MAC address; network address; the complete address or only portions of it
- Protocol-based: focused on port or socket numbers
- Pattern-based: here's where you can really get to the nitty gritty


Address-Based Filtering
Have them ready:
- Critical devices
- Servers
- Routers
- The boss's machine
- Fred

Watch DHCP addressing! An IP-address filter on a DHCP client is only good for the life of the lease; filter on the MAC address when the IP address may change.

Protocol-Based Filtering
Know your ports (www.iana.org):
- 21 ftp
- 23 telnet
- 25 smtp
- 53 dns
- 80 http


Pattern-Based Filtering
- Know your offsets (or cheat)
- Know your values
- Look for strings
- Should you define start and end?


Obtaining Offsets - the Easy Way
Configure EtherPeek to show field offsets: View > Packet Decoder > Data Offsets


Boolean Filters
Operators: AND, OR, NOT
Example: (USER OR PASS OR RETR OR STOR) AND NOT D.IP 10.1.2.3
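The filters from the last four slides (an address filter on part of an address, a port filter, a pattern filter at a known offset, and the Boolean example above) as an added Python example. This is not code from the presentation or from EtherPeek: the frames are constructed inside the block (no IP or TCP options, both checksums left at zero because filtering never reads them), and the function names are assumptions. The offsets are derived from the IHL and TCP data-offset fields, which is the same arithmetic behind the analyzer's Data Offsets view and the reason a hard-coded payload offset of 54 stops matching as soon as a packet carries options.

```python
import struct
from ipaddress import ip_address, ip_network

ETH_LEN = 14  # dst MAC 6 + src MAC 6 + EtherType 2


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for this example: no options,
    IP and TCP checksums left as zero (filters never look at them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, ip_address(src_ip).packed, ip_address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def data_offsets(frame):
    """Byte offsets of the fields a filter needs, derived from the IHL and TCP
    data-offset fields rather than assumed."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[ETH_LEN + 9] != 6:
        raise ValueError("example handles IPv4/TCP only")
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    tcp = ETH_LEN + ihl
    return {
        "src_ip": ETH_LEN + 12,
        "dst_ip": ETH_LEN + 16,
        "src_port": tcp,
        "dst_port": tcp + 2,
        "payload": tcp + (frame[tcp + 12] >> 4) * 4,
    }


# Every filter is a predicate on a raw frame, so they compose with AND / OR / NOT.
def ip_in(which, net):
    """Address filter on src_ip or dst_ip; a prefix such as 10.1.0.0/16
    matches on only a portion of the address."""
    network = ip_network(net)

    def pred(f):
        o = data_offsets(f)[which]
        return ip_address(f[o:o + 4]) in network
    return pred


def port_is(port):
    """Protocol filter on the TCP port, either direction."""
    def pred(f):
        return port in struct.unpack_from("!HH", f, data_offsets(f)["src_port"])
    return pred


def payload_starts_with(*patterns):
    """Pattern filter anchored at the start of the TCP payload (offset 54
    for an option-free frame, but computed, not assumed)."""
    return lambda f: f[data_offsets(f)["payload"]:].startswith(patterns)


def all_of(*preds):          # AND
    return lambda f: all(p(f) for p in preds)


def any_of(*preds):          # OR
    return lambda f: any(p(f) for p in preds)


def not_(pred):              # NOT
    return lambda f: not pred(f)


# (USER OR PASS OR RETR OR STOR) AND port 21 AND NOT D.IP 10.1.2.3
FTP_CREDENTIAL_FILTER = all_of(
    port_is(21),
    payload_starts_with(b"USER ", b"PASS ", b"RETR ", b"STOR "),
    not_(ip_in("dst_ip", "10.1.2.3/32")),
)


def apply_filter(pred, frames):
    """Indices of the frames that pass the filter."""
    return [i for i, f in enumerate(frames) if pred(f)]


SAMPLE_FRAMES = [  # constructed for the example
    build_frame("10.1.5.20", "10.1.2.3", 1025, 21, b"USER fred\r\n"),         # dropped by NOT D.IP
    build_frame("10.1.5.20", "192.168.7.9", 1026, 21, b"USER fred\r\n"),
    build_frame("10.1.5.20", "192.168.7.9", 1026, 21, b"PASS s3cret\r\n"),
    build_frame("10.1.5.20", "192.168.7.9", 1027, 80, b"GET / HTTP/1.0\r\n"),  # wrong port
    build_frame("192.168.7.9", "10.1.5.20", 21, 1026, b"220 ready\r\n"),       # no pattern
]

if __name__ == "__main__":
    print("offsets:", data_offsets(SAMPLE_FRAMES[0]))
    print("FTP credentials not to 10.1.2.3:", apply_filter(FTP_CREDENTIAL_FILTER, SAMPLE_FRAMES))
    print("from 10.1.0.0/16:", apply_filter(ip_in("src_ip", "10.1.0.0/16"), SAMPLE_FRAMES))
```

`payload_starts_with` answers the "should you define start and end?" question from the pattern slide one way: anchoring at the payload start avoids matching "USER" inside an unrelated data stream, at the cost of missing a command that arrives mid-segment.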


Transmitting Packets
Warnings: get authorization first; to anyone else watching the wire, a transmitted test packet is indistinguishable from an attack.

Legitimate uses:
- Testing vulnerabilities
- Recreating problems


The Analysts Toolbox


- NetScanTools Pro <www.nwpsw.com>
- PacketScrubber <www.wildpackets.com>
- Sam Spade <www.samspade.org>
- ProConvert <www.wildpackets.com>
- Hex Workshop <www.breakpoint.com>
- NeoTrace Pro <www.neoworx.com>


Packet Sanitization
- Clean IP addresses
- Clean usernames/passwords
- Clean site names

Method 1: PacketScrubber
Method 2: Hex Workshop


Scrubbing the Hard Way


- CRCs and checksums don't recalculate: a hex editor changes only the bytes you type, so the analyzer will flag every edited packet as a checksum error until you fix them up
- Strings are easy to find
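What a hex editor leaves behind when you scrub a trace by hand (the Packet Sanitization slide, method 2), and how to repair it, as an added Python example rather than anything from the slides or from PacketScrubber. The 65-byte Ethernet/IPv4/TCP frame, the address mapping and the function names are constructed for this illustration; the Ethernet FCS is absent, as it normally is in a capture because the NIC strips it before the driver sees the frame, so only the IPv4 header checksum and the TCP checksum need recalculating.

```python
import struct
from ipaddress import ip_address

ETH_LEN = 14


def ones_complement_sum(data):
    """RFC 1071 checksum over data (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(frame):
    """(start, end) of the IPv4 header, using IHL rather than assuming 20 bytes."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    return ETH_LEN, ETH_LEN + ihl


def recompute_checksums(frame):
    """Copy of frame with the IPv4 header checksum and the TCP checksum recalculated."""
    f = bytearray(frame)
    start, end = ip_header(f)
    f[start + 10:start + 12] = b"\x00\x00"
    struct.pack_into("!H", f, start + 10, ones_complement_sum(bytes(f[start:end])))
    # TCP checksum covers the pseudo header (src, dst, zero, proto 6, TCP length) + segment.
    segment_end = start + struct.unpack_from("!H", f, start + 2)[0]
    f[end + 16:end + 18] = b"\x00\x00"
    pseudo = bytes(f[start + 12:start + 20]) + struct.pack("!BBH", 0, 6, segment_end - end)
    struct.pack_into("!H", f, end + 16, ones_complement_sum(pseudo + bytes(f[end:segment_end])))
    return bytes(f)


def checksums_valid(frame):
    """True when both checksums verify: summing the covered bytes including the
    stored checksum folds to 0xFFFF, so the complemented sum is zero."""
    start, end = ip_header(frame)
    if ones_complement_sum(frame[start:end]) != 0:
        return False
    segment_end = start + struct.unpack_from("!H", frame, start + 2)[0]
    pseudo = frame[start + 12:start + 20] + struct.pack("!BBH", 0, 6, segment_end - end)
    return ones_complement_sum(pseudo + frame[end:segment_end]) == 0


def hex_edit(frame, old, new):
    """What a hex editor does: replace the bytes and touch nothing else.
    Replacements keep their length, otherwise every offset after them shifts."""
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")
    return frame.replace(old, new)


def scrub(frame, ip_map, string_map):
    """Hex-edit addresses and strings, then repair the checksums the edit broke.
    replace() hits every occurrence, so a short pattern can also hit unrelated bytes;
    check the result in the analyzer."""
    out = frame
    for old_ip, new_ip in ip_map.items():
        out = hex_edit(out, ip_address(old_ip).packed, ip_address(new_ip).packed)
    for old, new in string_map.items():
        out = hex_edit(out, old, new)
    return recompute_checksums(out)


# Constructed frame: 10.1.5.20:1026 -> 192.168.7.9:21, "USER fred\r\n".
# Checksum fields are written as zero here and filled in by recompute_checksums.
ORIGINAL = recompute_checksums(bytes.fromhex(
    "0011 2233 4455 6677 8899 aabb 0800"                    # Ethernet
    "4500 0033 1234 4000 4006 0000 0a01 0514 c0a8 0709"     # IPv4, no options
    "0402 0015 0000 0001 0000 0001 5018 2000 0000 0000"     # TCP, no options
    "5553 4552 2066 7265 640d 0a"                           # payload
))

if __name__ == "__main__":
    naive = hex_edit(ORIGINAL, ip_address("10.1.5.20").packed, ip_address("10.0.0.1").packed)
    print("original valid:", checksums_valid(ORIGINAL))
    print("after hex edit only:", checksums_valid(naive))
    clean = scrub(ORIGINAL, {"10.1.5.20": "10.0.0.1", "192.168.7.9": "10.0.0.2"}, {b"fred": b"XXXX"})
    print("after scrub + recompute:", checksums_valid(clean), clean.hex())
```

A trace whose every packet fails checksum validation is also a tell that it was edited, which matters if the sanitized file is going to a vendor or into a court record; recomputing removes that tell along with the false errors.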


Just a Note on Hex Surfing...


Malicious code identification


Packet Conversion
Converting between analyzer formats. Use the best decodes!


More Training/Information
- Attend other analysis sessions
- US/Canada Roadshow (www.nuihotlabs.com): Hands-On Analysis, Troubleshooting and Cybercrime
- Classes (private and public)
- Read the specs alongside your analyzer
- Read books focusing on analysis and packet-level communications; see www.podbooks.com
- Get online at www.packet-level.com and join the mailing list
