
Packet Capture and Sniffing
Lecture 5
Packet Capture
• Why is packet capture so important?
• If you can get to the right place in the network, you will be able to capture data such as:
  • usernames and passwords, or other authentication/authorization traffic;
  • credit card information or other personally identifiable information (PII) or personal health information (PHI).

• Packet capturing is the process of acquiring network traffic that is addressed to systems other than your own.
• Headers are the fields that are specific to the protocol.
• The data that is being carried from one endpoint to another is called the payload.
• This payload may be broken up between multiple packets and certainly multiple frames.

CYB234_Lectuer#5 2
Packet Capture
• tcpdump
• tshark
• Wireshark
• Berkeley Packet Filter (BPF)
• Port Mirroring/Spanning
Packet Capture - Tcpdump
• Runs on Unix-like systems.
• It is a command-line program that can be used to give an idea of what is happening on the network, but it can also be used to capture traffic and store that traffic in a file that can be opened later on.
Packet Capture - Tshark
• The program tshark comes installed by default with the Wireshark package.

Packet Capture - Wireshark
• Wireshark is a GUI-based packet capture program, and it comes with some command-line programs.
• It gives us a way to view the packets easily, moving around the complete capture.
• You can see the entire network stack for each frame.
• It gives the ability to easily scroll through the list of all frames captured.

Wireshark frames list
Packet Capture - Wireshark
• It provides full protocol decodes.
• It can even help you understand encrypted communications, to a degree.

TLS information

Protocol details


Packet Capture - Wireshark
• Wireshark does have the ability to take RSA (Rivest, Shamir, Adleman, the names of the people who created the algorithm) private keys to decrypt messages that have been TLS-encrypted. This only works when the session used RSA key exchange; cipher suites with forward secrecy (ephemeral Diffie-Hellman) cannot be decrypted from the server key alone.
• It can open any file that has been written by tcpdump or tshark.
• It supports filtering.

Capture filter in Wireshark

Wireshark home screen
Packet Capture – Berkeley Packet Filter (BPF)
• BPF is an interface to the Data Link layer of a system.
• BPF is used across many systems and applications, including tcpdump, tshark, and Wireshark.
Packet Capture – Port Mirroring/Spanning

• Because of the switch, a frame addressed to one port never passes the network interface of the systems on the other ports, so they never see it.
• This makes capturing packets more difficult if we are looking for traffic that isn’t passing our own network interface.
• To overcome this:
  • Configure the switch to mirror ports, so that you see traffic entering and exiting the network and have access to far more sensitive information than by monitoring a single endpoint.
  • Any traffic that passes through one port is mirrored to another port.
  • It is possible to mirror multiple ports to a single port, which lets you monitor traffic to and from multiple systems.
  • On Cisco devices this is called Switched Port Analyzer (SPAN).
• Consideration with mirroring ports → oversubscription: the combined traffic of the mirrored ports can exceed the capacity of the single mirror port, and the excess frames are dropped rather than captured.
Packet Capture – Port Mirroring/Spanning
Packet Analysis

• Wireshark
  • It understands protocols, which means it can not only decode the protocol, it can also tell you places where there may be protocol violations.
  • It is very good at deriving information that isn’t directly provided. It colors frames in the frame list where it identifies problems, based on rule sets.

Packet analysis
Packet Analysis
Wireshark
• It takes care of calculations for you (for example, it provides relative sequence numbers).
• It makes moving from one packet to another easy (e.g. following a stream).
• It can extract the data from the payload.

Relative sequence numbers
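The Python program below is an added example, not part of the lecture and not code from Wireshark or tcpdump. It serves both the Packet Capture slide (headers are protocol-specific fields, the payload is the carried data) and the slide above (relative sequence numbers, following a stream, extracting the payload): it builds a constructed three-frame HTTP exchange, writes it as a classic libpcap file so it can be opened in Wireshark or with tcpdump -r, reads it back, splits each frame into Ethernet, IPv4 and TCP header fields plus payload, then computes relative sequence numbers and reassembles each direction of the stream the way Follow TCP Stream does. All MAC and IP addresses, sequence numbers and HTTP text are made up; the TCP checksum is left at zero because the frames are for offline analysis only.

```python
import socket
import struct

# Constructed three-frame HTTP exchange (not a real capture). Initial sequence
# numbers are deliberately large so the relative-number calculation is visible.
CLIENT_MAC, SERVER_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
CLIENT_IP, SERVER_IP = "10.0.0.10", "10.0.0.80"
CLIENT_ISN, SERVER_ISN = 0x7A3F1C00, 0x1B9D2E10
REQUEST = b"GET / HTTP/1.0\r\nHost: lab.example\r\n\r\n"
RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Length: 5\r\n\r\nhello"


def ip_checksum(header: bytes) -> int:
    """Internet checksum (RFC 1071) over the IPv4 header; a correct header sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, payload):
    """Ethernet II + IPv4 + TCP (PSH/ACK). TCP checksum stays 0: these frames are
    for offline analysis, not transmission."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def write_pcap(frames):
    """Classic libpcap format: 24-byte global header (link type 1 = Ethernet),
    then a 16-byte record header before every frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(blob):
    """Walk the record headers and return the captured frames."""
    if struct.unpack("<I", blob[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    frames, off = [], 24
    while off < len(blob):
        caplen = struct.unpack("<IIII", blob[off:off + 16])[2]
        frames.append(blob[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return frames


def dissect(frame):
    """Separate the protocol-specific header fields from the carried payload."""
    eth = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
           "type": struct.unpack("!H", frame[12:14])[0]}
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    ipv4 = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "proto": ip[9]}
    tcp = ip[ihl:total_len]                     # IP total length trims any Ethernet padding
    sport, dport, seq, ack, offset, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"eth": eth, "ip": ipv4,
            "tcp": {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags},
            "payload": tcp[(offset >> 4) * 4:]}


def follow_stream(frames):
    """Relative sequence numbers (seq minus the first seq seen in that direction,
    which is Wireshark's default display) and the payload of each direction
    reassembled in capture order, as Follow TCP Stream does."""
    isn, relative, streams = {}, [], {}
    for pkt in map(dissect, frames):
        key = (pkt["ip"]["src"], pkt["tcp"]["sport"], pkt["ip"]["dst"], pkt["tcp"]["dport"])
        isn.setdefault(key, pkt["tcp"]["seq"])
        relative.append(pkt["tcp"]["seq"] - isn[key])
        streams[key] = streams.get(key, b"") + pkt["payload"]
    return relative, streams


def sample_capture():
    """Request, response, then the client's next (empty) segment, as a pcap blob."""
    c2s = (CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 40000, 80)
    s2c = (SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 40000)
    frames = [build_frame(*c2s, CLIENT_ISN, SERVER_ISN, REQUEST),
              build_frame(*s2c, SERVER_ISN, CLIENT_ISN + len(REQUEST), RESPONSE),
              build_frame(*c2s, CLIENT_ISN + len(REQUEST), SERVER_ISN + len(RESPONSE), b"")]
    return write_pcap([(1700000000 + i, f) for i, f in enumerate(frames)])


if __name__ == "__main__":
    blob = sample_capture()
    with open("sample_stream.pcap", "wb") as fh:   # open with Wireshark or `tcpdump -r`
        fh.write(blob)
    rel, streams = follow_stream(read_pcap(blob))
    print("relative sequence numbers:", rel)
    for key, data in streams.items():
        print(key, data)
```

Running it prints relative sequence numbers of 0, 0 and 37 (the third frame's sequence number minus the client's initial one, i.e. the length of the request already sent), and the reassembled request and response bytes per direction; the written file is a valid capture that Wireshark decodes with the same relative numbers in its TCP detail pane.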


Packet Analysis

• Wireshark
  • It has capabilities to present statistics from the packet capture.
  • Protocol Hierarchy
  • Conversations view: shows all of the conversations between endpoints in the packet capture.
  • Expert Information: shows all of the frames that Wireshark has identified as problematic.

Protocol Hierarchy statistics
Packet Analysis

Conversations statistics
Expert Information
Spoofing Attacks
• A spoofing attack is where you pretend to be a system you aren’t.
• It can be approached from different layers, starting at layer 2.
• It can also be done at a higher layer, using DNS to get systems to send traffic to systems of the attacker’s choosing.
• Spoofing attacks allow you to sit in the middle of a conversation between two endpoints.
• Make sure to use these powers for good and not for evil.

ARP spoofing
DNS Spoofing
ARP Spoofing

• Address Resolution Protocol (ARP) has two stages:
  • 1. The request, where a system knows an IP address but doesn’t know the corresponding MAC address. It sends an ARP request out asking for the system with the IP address to respond with its MAC address.
  • 2. The response is the system replying, indicating its MAC address to the requestor. There is nothing to authenticate that exchange, though.
    • Anyone could respond to that request with their own MAC address to get the requesting system to send the message to the attacker’s/spoofer’s address.
    • It could be even easier by simply not waiting for the request to begin with and just sending the reply.
ARP Spoofing
• We could just send out ARP responses, mapping whatever IP address on the network we want to our MAC address.
• This would get all systems on the local network sending messages to us, as our address is in their ARP cache.
• The process of sending out ARP responses without a corresponding ARP request is called gratuitous ARP, meaning it’s an ARP message that wasn’t asked for.
• One problem is the length of time ARP entries are cached for: once an entry expires or is overwritten, the gratuitous ARP responses have to be sent again, so they are sent programmatically rather than manually.
• When we redirect messages to our system, we need to forward them back out onto the network with the correct MAC address in the destination field. Otherwise, conversations don’t happen.
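The same properties that make ARP spoofing work make it visible on the wire. As an added, defender-side example (not from the lecture or any named tool), the following Python monitor runs over a constructed log of ARP events seen on a segment: a reply that answers no recent request is flagged as gratuitous, a reply that changes an already-learned IP-to-MAC binding is flagged (the condition Wireshark reports as a duplicate IP address under Expert Information), and a run of repeated unsolicited replies for one IP from one MAC is flagged as the programmatic re-sending described above. The addresses, timings, window and threshold are assumptions chosen for the demonstration.

```python
from collections import defaultdict

REQUEST_WINDOW = 2.0     # seconds a reply may lag the request it answers (assumed)
REPEAT_THRESHOLD = 3     # unsolicited replies for one IP from one MAC before flagging a campaign (assumed)

# Constructed event log (not a real capture). Each tuple: time, opcode,
# sender IP, sender MAC, target IP, as a passive monitor would see them.
ARP_EVENTS = [
    (0.0, "request", "10.0.0.10", "02:00:00:00:00:0a", "10.0.0.1"),
    (0.1, "reply",   "10.0.0.1",  "02:00:00:00:00:01", "10.0.0.10"),   # real gateway answers
    (5.0, "reply",   "10.0.0.1",  "02:00:00:00:00:66", "10.0.0.10"),   # nobody asked, and a new MAC
    (6.0, "reply",   "10.0.0.1",  "02:00:00:00:00:66", "10.0.0.10"),
    (7.0, "reply",   "10.0.0.1",  "02:00:00:00:00:66", "10.0.0.10"),
    (8.0, "reply",   "10.0.0.1",  "02:00:00:00:00:66", "10.0.0.10"),
]


def detect_arp_spoofing(events, window=REQUEST_WINDOW, threshold=REPEAT_THRESHOLD):
    """Return (time, kind, ip, detail) alerts for replies that answer no recent
    request, replies that change a learned IP-to-MAC binding, and repeated
    unsolicited replies from one MAC for one IP."""
    bindings = {}                   # ip -> MAC first learned for it
    pending = {}                    # target ip -> time of the latest request
    unsolicited = defaultdict(int)  # (ip, mac) -> unsolicited reply count
    alerts = []
    for t, op, sender_ip, sender_mac, target_ip in events:
        if op == "request":
            pending[target_ip] = t
            continue
        asked_at = pending.get(sender_ip)
        if asked_at is None or t - asked_at > window:
            unsolicited[(sender_ip, sender_mac)] += 1
            alerts.append((t, "unsolicited_reply", sender_ip, sender_mac))
            if unsolicited[(sender_ip, sender_mac)] == threshold:
                alerts.append((t, "repeated_gratuitous", sender_ip, sender_mac))
        else:
            del pending[sender_ip]  # the request has been answered
        known = bindings.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alerts.append((t, "binding_changed", sender_ip, f"{known} -> {sender_mac}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_EVENTS):
        print(*alert)
```

The legitimate request/reply pair produces no alert; every later reply is both unsolicited and in conflict with the binding learned from the gateway, and the third one also trips the repeat threshold. A real monitor would feed this from a capture on a mirrored port, which is exactly where the port mirroring slide puts the sensor.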

ARP Spoofing- arpspoof & fragroute

• arpspoof and fragroute tools
  • Inject ourselves in between two systems on the network.
  • Tell arpspoof which two IP addresses we want to pretend to be.
ARP Spoofing- Ettercap
• Ettercap tool
  • Has a console-based mode and a GUI-based mode.
  • Can run man-in-the-middle (MitM) attacks.

Ettercap host list
RSA keys preferences
DNS Spoofing

• ARP spoofing captures every message being sent.
• DNS spoofing instead looks to redirect traffic to an attacker and get a target to come to systems under our control for specific requests.
  • This is done by intercepting DNS requests and responding to the requestor. Instead of providing legitimate responses, we use our own addresses. When one of our targets tries to visit a website that we are interested in getting information from, we redirect them to an IP address where we have our own website set up.
• Ettercap tool
  • Requires a configuration file in which you set up the DNS records you want to spoof.
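A spoofed DNS reply has to beat the real resolver's answer to the client, and it normally comes from a host that is not the resolver. This added example (not from the lecture or from Ettercap) is a Python check over a constructed set of DNS responses as a passive sensor would observe them: it flags answers that do not come from the network's configured resolver (assumed here to be 10.0.0.53) and cases where two different answers arrive for the same transaction ID and name within a short window, which is what a spoofed reply racing the legitimate one looks like on the wire. The addresses, names, transaction IDs and window are assumptions.

```python
from collections import defaultdict

TRUSTED_RESOLVERS = {"10.0.0.53"}   # assumed: the resolver clients on this network are configured to use
RACE_WINDOW = 1.0                    # seconds within which two answers to one query are compared (assumed)

# Constructed observations (not a real capture): time, transaction ID, queried
# name, IP the response came from, IP given in the answer.
DNS_RESPONSES = [
    (0.00, 0x1A2B, "intranet.example", "10.0.0.53", "10.0.0.80"),
    (1.00, 0x3C4D, "bank.example",     "10.0.0.53", "203.0.113.10"),
    (2.00, 0x5E6F, "bank.example",     "10.0.0.99", "10.0.0.66"),      # answer from a host that is not the resolver
    (2.05, 0x5E6F, "bank.example",     "10.0.0.53", "203.0.113.10"),   # the real resolver's answer arrives just after
]


def detect_dns_spoofing(responses, trusted=TRUSTED_RESOLVERS, window=RACE_WINDOW):
    """Return (time, kind, qname, detail) alerts for responses from an unexpected
    source and for conflicting answers to the same transaction within the window."""
    seen = defaultdict(list)        # (txid, qname) -> [(time, answer)]
    alerts = []
    for t, txid, qname, responder, answer in responses:
        if responder not in trusted:
            alerts.append((t, "untrusted_responder", qname, responder))
        for t0, a0 in seen[(txid, qname)]:
            if t - t0 <= window and a0 != answer:
                alerts.append((t, "conflicting_answers", qname, f"{a0} vs {answer}"))
        seen[(txid, qname)].append((t, answer))
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_spoofing(DNS_RESPONSES):
        print(*alert)
```

The first two responses are clean. The third is flagged because it comes from 10.0.0.99, and the fourth is flagged because it carries a different address for the same transaction the client just received an answer to; the client itself accepted the first reply and dropped the second, which is why the sensor, not the client, is the place to notice the conflict.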

DNS Spoofing

• Encrypted messages are problematic when it comes to capturing traffic.
• SSL and TLS
  • The sslstrip tool can grab SSL messages and strip the encryption from them.
  • sslstrip can be used as a stand-alone program.
Summary
• Sniffing is another word for capturing packets, which is the process of gathering all messages that pass by the network interface, grabbing them at the Data Link layer, and passing all the messages up to an application that is capable of displaying the messages captured.
• If the capture software discards the layer 2 information, then it really is a packet capture; there is a variety of capture software.
• There may be other programs and utilities you can use to analyze packet captures, but Wireshark is the best.
• You can also perform spoofing attacks, such as:
  • ARP spoofing, where a system sends gratuitous ARP responses, which are then cached on other systems on the network.
  • DNS spoofing, which is another way to redirect traffic to an attacker.
Lab 5
Sniffing Attack
