Network Analysis
Common tools for monitoring network packets:
Sniffer Pro (commercial version): captures packets on the network and analyzes their contents.
Ethereal: WinPcap & Ethereal, http://www.ethereal.com/
Wireshark: http://www.wireshark.org/download.html
WinDump: a tool for capturing network packets and analyzing network traffic on the Windows platform, http://windump.polito.it/install/default.htm
Sniffer Pro: Network Associates, www.nai.com. Windows only. Version 4.5 (Win2000; can be upgraded to XP). Version 4.7 (Windows Me; can be upgraded to XP).
Sniffer FAQ: http://www.robertgraham.com/pubs/sniffing-faq.html
Reference Books
Installing Sniffer Pro: enter the serial number.
Installing Sniffer Pro (cont.)
Common problems (network down?): My network is down! How do I handle it? What tools should I prepare? Prerequisite network knowledge, a network architecture diagram, network maintenance documents, NIC, UTP, testers, Sniffer. How do I investigate?
(Network diagram: Internet, switches S1 and S2, hubs, an access point, hosts A to J, and the Sniffer placement.)
Checklist for wired host A:
1. ipconfig/ping/telnet/tracert
2. TCP/IP / DHCP
3. DNS/gateway/mask/proxy
4. Task Manager
5. Check NIC, driver, UTP
6. Sniffer locked on A's MAC/IP
Checklist for wireless hosts:
1. SSID
2. Quality
3. Data rate
4. Secret key
5. Channel interference
6. Same checks as for host A
7. Sniffer MAC/IP
Common problems (network slow?): My network has become slow! How do I handle it? What tools should I prepare? Prerequisite network knowledge, a network architecture diagram, network maintenance documents, NIC, UTP, testers, Sniffer, hub. How do I investigate? Where do I start?
(Network diagram: Internet, switches S1 and S2 with the Sniffer on a mirrored port, hubs, an access point, a switch/bridge, hosts A to J, and the Sniffer placements.)
Host A:
1. Subjective impression
2. Task Manager
3. Check NIC, driver, UTP
4. Sniffer locked on A's MAC/IP
Switch S1:
1. S1: Task Manager
2. S1: NIC, driver, UTP
3. Sniffer locked on S1's MAC/IP
Switch S2:
1. S2: Task Manager
2. S2: NIC, UTP
3. S2's MAC/IP
Wireless hosts I, J:
1. Processes, NIC
2. Data rate
3. Sniffer MAC/IP
Configuring Sniffer Pro for Remote Access
Two NICs on the Sniffer Pro system: one is used for capturing and monitoring traffic, the other purely for management (remote access). Install and configure a remote control software application such as PC Anywhere, VNC, or Carbon Copy.
Full-duplex mode: NAI NetPod
The Fast Ethernet Full Duplex Pod from Network Associates (NAI) is a hardware device that you can use to capture full-duplex traffic. It captures data and stores it in an internal buffer. The captured data is then passed on to Sniffer Pro over another Fast Ethernet connection. There must be a supported Fast Ethernet adapter on the Sniffer Pro system.
A Technician Tool Kit
A laptop with Sniffer Pro
A Sniffer Pro Quick Reference Guide
Some straight-through and cross-over cables
A mini-hub, NICs and RJ-45 connectors
Some standard networking tools: an RJ-45 crimper, a punch-down tool, some screwdrivers
A toner/probe: troubleshoots cabling problems
Network diagrams
IP addressing documentation
TCP/IP Layering
(Figure: application layer: user processes; transport layer: TCP, UDP; network layer: ICMP, IP, IGMP; link layer: ARP, hardware interface, RARP; media.)
Protocol Stack
(Figure: encapsulation of user data. Application header + user data = application data. TCP header + application data = TCP segment. IP header + TCP header + application data = IP datagram. Ethernet header (14 bytes) + IP header (20 bytes) + TCP header (20 bytes) + application data + Ethernet trailer (4 bytes) = Ethernet frame; the Ethernet data field is 46 to 1500 bytes. Layers: application, TCP, IP, Ethernet driver, Ethernet.)
Capturing and analyzing wireless network packets: check the Log On checkbox and click the OK button.
Running Sniffer for the first time (select the network adapter).
Real-time Monitoring
Common Layer 2 Problems
Frames too short: collision, hardware damage, driver, transmission interference, UTP.
Runt: correct CRC. Fragment: erroneous CRC.
Frames too long: driver, NIC or network hardware damage, transmission interference, UTP.
Oversize: correct CRC. Jabber: erroneous CRC.
Common Layer 2 Problems (cont.)
Frame CRC errors: driver, NIC or network hardware damage, transmission interference, UTP.
Frame alignment errors (the frame does not end on an 8-bit boundary): driver, NIC or network hardware damage, transmission interference, UTP.
Common Layer 3 Problems
Duplicated IP addresses: a user configured the wrong IP address; DHCP errors.
Local routing: two PCs on the same segment that nevertheless communicate through the router; wrong PC configuration; VLAN exception.
Free protocol analysis website: www.protocols.com
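Two of the Layer 3 symptoms listed above can be checked from the DLC/IP fields a decoder shows for each frame. The following is an added example, not part of the original slides or Sniffer Pro: it runs over a constructed set of frames with assumed addresses and flags "local routing" (both endpoints on the segment but the frame is addressed to the router's MAC) and duplicated IPs (one IP claimed by more than one source MAC).

```python
import ipaddress

# Constructed sample segment; addresses and the router's LAN MAC are placeholders.
SUBNET = ipaddress.ip_network("192.168.10.0/24")
GATEWAY_MAC = "aa:bb:cc:00:00:01"

# Each record mimics the DLC/IP decode: (src MAC, src IP, dst MAC, dst IP).
FRAMES = [
    ("aa:bb:cc:00:00:05", "192.168.10.5", "aa:bb:cc:00:00:09", "192.168.10.9"),  # direct to peer
    ("aa:bb:cc:00:00:05", "192.168.10.5", GATEWAY_MAC, "192.168.10.9"),          # same segment via router
    ("aa:bb:cc:00:00:05", "192.168.10.5", GATEWAY_MAC, "10.1.2.3"),              # off-segment via router
    ("aa:bb:cc:00:00:09", "192.168.10.9", "aa:bb:cc:00:00:05", "192.168.10.5"),  # .9 from its own NIC
    ("aa:bb:cc:00:00:77", "192.168.10.9", "aa:bb:cc:00:00:05", "192.168.10.5"),  # .9 from a second NIC
]


def is_local_routing(src_ip, dst_ip, dst_mac, subnet=SUBNET, gw_mac=GATEWAY_MAC):
    """True when source and destination share the segment but the frame goes to the
    router's MAC instead of the peer's: usually a wrong mask or gateway on the sender."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return src in subnet and dst in subnet and dst_mac.lower() == gw_mac.lower()


def find_local_routing(frames, subnet=SUBNET, gw_mac=GATEWAY_MAC):
    """Distinct (src IP, dst IP) pairs whose traffic is being needlessly routed."""
    return sorted({(s_ip, d_ip) for _, s_ip, d_mac, d_ip in frames
                   if is_local_routing(s_ip, d_ip, d_mac, subnet, gw_mac)})


def find_duplicate_ips(frames):
    """IP addresses that appear as source with more than one source MAC."""
    macs_by_ip = {}
    for s_mac, s_ip, _, _ in frames:
        macs_by_ip.setdefault(s_ip, set()).add(s_mac.lower())
    return sorted(ip for ip, macs in macs_by_ip.items() if len(macs) > 1)


if __name__ == "__main__":
    print("local routing:", find_local_routing(FRAMES))
    print("duplicate IPs:", find_duplicate_ips(FRAMES))
```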
Alarm Log
Alarms are raised when a symptom or diagnosis is detected, or when a threshold is exceeded. The log displays the status of the alarm, the type of event, the time it occurred, its severity, and a description of the error.
Tools/Options: define severity. Actions: Email / Pager / Script file.
Capturing and analyzing network packets (cont.)
Decode: shows the full contents of every packet, as on the next page.
Scrolling up shows DLC/IP.
My IP / Ethernet address / DNS:
Win 9x/Me: winipcfg.exe
Win NT/Server/XP: ipconfig /all
Linux: ifconfig
Solaris
arp
netstat -p
Winipcfg
Ping
Figure 2-15. Demo 1 with Sniffer Pro: Snif01-ping187.cap
Ethernet and MAC Address
Ethernet encapsulation (figure): destination MAC address (6 bytes), source MAC address (6 bytes), type (2 bytes), data (46~1500 bytes), CRC (4 bytes).
MAC address: vendor/OUI, 3 bytes; serial number, 3 bytes. http://standards.ieee.org/regauth/oui/
MTU: Ethernet 1500, FDDI 4352, PPP 296.
Figure 7-4. ARP packet
IP Datagram
Encapsulation of ICMP packet (CRC 4 bytes)
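The Ethernet field sizes above (14-byte header, 46 to 1500 bytes of data, 4-byte CRC) are exactly what a monitor needs to sort frames into the Layer 2 categories from the Real-time Monitoring slides (runt, fragment, oversize, jabber, CRC error). This is an added example, not Sniffer Pro's code: it builds constructed frames with assumed MAC addresses, recomputes the FCS as CRC-32, classifies each frame, and pulls the OUI out of the source MAC.

```python
import binascii
import struct

ETH_HDR, FCS_LEN = 14, 4                  # header and trailer sizes from the slides
MIN_DATA, MAX_DATA = 46, 1500             # legal Ethernet data field
MIN_FRAME = ETH_HDR + MIN_DATA + FCS_LEN  # 64 bytes
MAX_FRAME = ETH_HDR + MAX_DATA + FCS_LEN  # 1518 bytes


def build_frame(dst, src, ethertype, payload, corrupt_fcs=False):
    """Constructed frame: dst MAC, src MAC, type, data, then the FCS (CRC-32 of all before it)."""
    body = bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype) + payload
    fcs = binascii.crc32(body) & 0xFFFFFFFF
    if corrupt_fcs:
        fcs ^= 1  # flip one bit to simulate a damaged trailer
    return body + struct.pack("<I", fcs)


def fcs_ok(frame):
    """Recompute the CRC over everything but the trailer and compare."""
    expected = binascii.crc32(frame[:-FCS_LEN]) & 0xFFFFFFFF
    return expected == struct.unpack("<I", frame[-FCS_LEN:])[0]


def classify(frame):
    """Layer 2 category by length and CRC validity, as the slides define them."""
    n, good = len(frame), fcs_ok(frame)
    if n < MIN_FRAME:
        return "runt" if good else "fragment"
    if n > MAX_FRAME:
        return "oversize" if good else "jabber"
    return "ok" if good else "crc error"


def parse_header(frame):
    """Split the 14-byte header; the first 3 bytes of the source MAC are the vendor OUI."""
    src = frame[6:12]
    return {"dst": frame[:6].hex(":"), "src": src.hex(":"),
            "oui": src[:3].hex(":"), "type": struct.unpack("!H", frame[12:14])[0]}


DST, SRC, IPV4 = "ffffffffffff", "00005e000153", 0x0800   # assumed addresses, type 0x0800 = IP
FRAME_OK = build_frame(DST, SRC, IPV4, b"\x00" * 46)        # 64 bytes, minimum legal frame
FRAME_RUNT = build_frame(DST, SRC, IPV4, b"\x00" * 20)      # too short, CRC fine
FRAME_FRAG = build_frame(DST, SRC, IPV4, b"\x00" * 20, True)
FRAME_JABBER = build_frame(DST, SRC, IPV4, b"\x00" * 1501, True)

if __name__ == "__main__":
    for f in (FRAME_OK, FRAME_RUNT, FRAME_FRAG, FRAME_JABBER):
        print(len(f), classify(f), parse_header(f)["oui"])
```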
Contents of data field for error messages
Capturing and analyzing network packets (cont.)
If you only want to see traffic in and out of this machine, set one side of the filter to My IP address.
Start capturing:
1. Start
2. Testing
3. Stop and Display
Demo 2 with Sniffer Pro: Snif02-dnsping.cap
Picture sources: Cisco Systems, Inc.
Figure 18-1. Domain name space (McGraw-Hill, The McGraw-Hill Companies, Inc., 2000)
Recursive resolution (McGraw-Hill, 2000)
Iterative resolution (McGraw-Hill, 2000)
Demo 3 with Sniffer Pro: Snif03-http.cap
Figure 12-19. TCP segment format
Figure 12-4. Stream delivery
Figure 12-6. TCP segments
Figure 12-29. TCP four-way handshaking
Figure 24-10. HTTP Example 1
HTTP Methods
When a client sends an HTTP request to a Web server through the browser, the HTTP header is transmitted to the Web server together with the HTTP method, which tells the Web server how to handle the client's request. The available HTTP methods differ by HTTP version, as shown below:
Version  HTTP methods
0.9      GET
1.0      GET, HEAD, POST
1.1      CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE
Demo 4 with Sniffer Pro: Snif04-ftp.cap
Figure 20-2. FTP: opening the control connection (McGraw-Hill, 2000)
Figure 20-3. ls: creating the data connection; Ready?; Connection closed (McGraw-Hill, 2000)
Snif04-ftp_win_frozen.cap
Figure 19-6. Telnet: embedding; SB: sub-option; offer to enable (McGraw-Hill, 2000)
Demo 5 with Sniffer Pro: Snif05-telnet.cap
Questions? Thank you!