There are a lot of tools to get traffic captures: Wireshark, Tshark, Tcpdump, NetworkMiner, Cain and Abel, Xplico, Capsa, ngrep... In this article we are going to focus on the tools most commonly used to achieve this goal: Wireshark, Tshark
What you will learn:
• Sites in your network where you can get traffic captures.
• Useful tools to aid in getting/analyzing traffic captures.
• How to use VirusTotal, Wireshark and NetworkMiner in a real incident.
• How to detect attacks and more details from a pcap file with an IDS system.
WHY WIRESHARK OR TSHARK
Wireshark (formerly known as Ethereal) and Tshark are really popular network protocol analyzers. Both are the same tool: the first one has a graphical user interface (GUI) and the second one has a command line interface (CLI).
The main reasons to work with these tools are:
• Both of them are Open Source, released under the GPL license.
• Available on all platforms (Windows, Linux, Mac...).
• Both capture traffic live and analyze captures offline.
• They understand the majority of Internet protocols (TCP, DNS, FTP, TFTP, HTTP...).
• They have advanced filters and searches, TCP Follow Stream, Flow Graph, Maps reports, etc.
• There are a lot of tutorials on the Internet.
CAPTURE DATA ON THE MACHINE YOU ARE INTERESTED IN
There are several methods to capture traffic from your network. In this article, I’m going to talk about the ones most commonly used.
If you only need to capture the network traffic to/from a specific host, you can just install Wireshark on that host (computer) and start sniffing. It’s really easy to use, but the traffic exchanged between other hosts of the network will be unavailable (except broadcast traffic).
This type of capture could be helpful when you suspect there is a problem in your network involving the host you are testing or when you just want to analyze the traffic exchanged from that host on the network.
CAPTURE DATA USING A PORT MIRROR
Some Ethernet switches have a monitor mode. Monitor mode is the capability of the switch to use a single port to merge the traffic of all other ports; that is, the port acts like a hub. If this monitor port is connected to the host running the sniffer, all the network traffic crossing that switch will be captured. It’s sometimes named ‘port mirroring’, ‘port monitoring’, ‘Roving Analysis’ (3Com), or ‘Switched Port Analyzer’ or ‘SPAN’ (Cisco). Using the switch management, you can select both the monitoring port and the specific port you wish to monitor.
Figure 2. Port Mirror examples on a switch
Some switch models allow the mirroring of just one port instead of all ports; in this case it’s really interesting to mirror the port reserved for the router/firewall (which connects the internal network to the Internet).
Figure 3. Port mirror of the port reserved to the router
By mirroring the port used by the router/firewall, the switch duplicates the incoming/outgoing traffic between our network and the Internet and sends it to a host running a sniffer or an IDS like Snort or Suricata in order to get security events. If you are interested in installing an IDS, you should read the tutorial from the original IDS website before installing it.
It’s also possible to lose some traffic if we are sniffing a high-traffic network: the mirror port receives both directions of the mirrored link but cannot forward more than its own link speed, so under load the switch drops what does not fit.
This type of capture is easy to use if such a switch is available; we just need to read the switch manufacturer documentation to get the instructions.
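As an added example (not configuration from the article), this is what the SPAN session the article names would look like on a Cisco IOS switch: the router/firewall uplink is mirrored, in both directions, to the port where the sniffer or IDS host is plugged in. The interface numbers and session number are assumed; use the ones from your own switch.

```text
! Cisco IOS, global configuration mode (interface names are assumed values)
! Source: the port that connects the router/firewall; "both" mirrors rx and tx
monitor session 1 source interface GigabitEthernet0/1 both
! Destination: the port where the sniffer/IDS host is connected
monitor session 1 destination interface GigabitEthernet0/24

! Exec mode: confirm which ports the session is actually mirroring
show monitor session 1
```

The destination port only sends mirrored frames to the sniffer host, so that host should keep its capture interface without an IP address and in promiscuous mode; if you need to manage the host remotely, use a second NIC for that.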
HOW TO WORK WITH WIRESHARK AND TSHARK
The goal of this article is not to train you on how to use Wireshark or Tshark. This is only a brief introduction, but I think it could be interesting to show you some examples that will help you to start with these tools.
I mentioned earlier that when we want to capture traffic to research some problems in our network, or we want to do some tests, we can capture data on the machine we are interested in by using Wireshark. This is really easy to do by installing the sniffer software on that machine. We can see the traffic capture “live”.
In these kinds of captures, it’s common to capture all traffic on a given network card and then work with filters.
Figure 4. Default captures traffic in the Wireless interface
Figure 5. Filter in a live network capture
We are going to capture only the protocols, subnets or hosts we are interested in and save the capture data in pcap format. For example, we will save the captures automatically in 64 MB files to work easily with them. Why do we need to break up the capture data file into 64 MB pieces? In the next part of the article, we are going to see how VirusTotal can help us with the traffic capture, because they can analyze it. They accept a maximum file size of 64 MB. With the command below, Tshark saves all traffic on the interface eth0, switches to a new file every 64 MB (the filesize value is given in kilobytes) and stops capturing after 20 files:
$ tshark -i eth0 -b filesize:65536 -a files:20 -w mf3.pcap
I won’t talk much more about the filters, because there is a lot of information on the Internet about how to sniff only an IP, network or protocol with Wireshark (http://www.wireshark.org/docs/dfref/) or Tshark (http://www.wireshark.org/docs/man-pages/tshark.html).
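As an added example that is not part of the original article, the following POSIX shell script wraps the multi-file Tshark capture above: it converts the 64 MB limit into the kilobyte units that `-b filesize:` expects, builds the command with an optional capture filter (`-f`, BPF syntax) so that only the host, subnet or protocols of interest are saved, and checks finished pcap files against the upload limit before they are sent to VirusTotal. The interface name, file prefixes, addresses and filters are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the original article: a small wrapper around
# tshark's multi-file capture. It keeps every file under a size limit (64 MB,
# the VirusTotal limit the article mentions), applies an optional capture
# filter so only the hosts/networks/protocols of interest are saved, and
# checks finished files against the limit before they are uploaded.
# Interface names, file prefixes, addresses and filters are constructed values.

MAX_MB=64

# tshark's "-b filesize:N" counts N in kilobytes (1024-byte units),
# so a limit given in megabytes must be multiplied by 1024.
mb_to_kb() {
    echo $(( $1 * 1024 ))
}

# Print (rather than run) the tshark command for an interface, an optional
# BPF capture filter (-f), a maximum file count (-a files:N) and a file prefix.
# Printing it first lets you review the exact command before it runs as root.
build_capture_cmd() {
    iface=$1; filter=$2; files=$3; prefix=$4
    kb=$(mb_to_kb "$MAX_MB")
    if [ -n "$filter" ]; then
        printf 'tshark -i %s -f "%s" -b filesize:%s -a files:%s -w %s.pcap\n' \
            "$iface" "$filter" "$kb" "$files" "$prefix"
    else
        printf 'tshark -i %s -b filesize:%s -a files:%s -w %s.pcap\n' \
            "$iface" "$kb" "$files" "$prefix"
    fi
}

# Succeed (exit 0) only if the file is at or under MAX_MB megabytes.
under_limit() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le $(( MAX_MB * 1024 * 1024 )) ]
}

# Print the names of finished capture files in a directory that are too
# large to upload; prints nothing when every file is within the limit.
list_oversized() {
    for f in "$1"/*.pcap; do
        [ -e "$f" ] || continue
        under_limit "$f" || echo "$f"
    done
}

# Sample invocations (constructed): the article's command, then filtered ones.
build_capture_cmd eth0 "" 20 mf3
build_capture_cmd eth0 "host 192.0.2.10" 20 onehost      # a single IP
build_capture_cmd eth0 "net 192.0.2.0/24" 20 onenet       # a single subnet
build_capture_cmd eth0 "port 53 or port 80" 20 dnshttp    # chosen protocols
```

Capture filters (`-f`) are applied by the kernel before packets are written, so they keep the files small; display filters (the syntax in the dfref link above) are applied afterwards, in Wireshark or with `tshark -Y`, and do not reduce what is saved.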