The newest issue of (In)Secure Magazine has been released today. This issue contains an article I’ve written entitled “Using Wireshark to Capture and Analyze Wireless Traffic”.

Article Introduction:

The tricky thing about a wireless network is that you can’t always see what you’re dealing with. In a wireless network, establishing connectivity isn’t as simple as plugging in a cable, physical security isn’t nearly as easy as just keeping unauthorized individuals out of a facility, and troubleshooting even trivial issues can sometimes result in a few expletives being thrown in the general direction of an access point. That being said, it shouldn’t come as a surprise that analyzing packets from a wireless network isn’t as uninvolved as just firing up a packet sniffer and hitting the capture button.

 
In this article I’m going to talk about the differences between capturing traffic on a wireless network as opposed  to a wired network. I’ll show you how to capture some additional wireless packet data that you might not have known was there, and once you know how to capture the right data, I’m going to jump into the particulars of the  802.11 MAC layer, 802.11 frame headers, and the different 802.11 frame types.

The goal of this article is to provide you with some important building blocks necessary for properly analyzing wireless communications.

 

 

You can view the full article in the (In)Secure Magainze June issue, which can be obtained here: http://www.net-security.org/insecuremag.php.

The great folks over at the TechGenix website WindowsSecurity.com have published my article on Locking Down Windows Server 2008 Terminal Services. This article is a fairly detailed list of things you can do to make sure your Terminal Server infrastructure is more secure.

You can view the article here:

http://www.windowsecurity.com/articles/Locking-Down-Windows-Server-2008-Terminal-Services.html

I wanted to take a moment and link over to a project I have been working on for quite some time. I’ve recently founded a 501(c)(3) non-profit organization called the Rural Technology Fund. Coming from a small rural area that really lacked in opporunities for those interested in technology, I know how challenging it can be to pursue a career in that field. The goal of the RTF is to provide opportunities to students from rural areas pursuing education in computer technology.

There are two main ways this is done -

Scholarships - This year the RTF is giving away two $500 scholarships. Hopefully we can give away much much more next academic year.

The Genesis program - Working with county youth service centers and local businesses, this program aims to utilize area volunteers to refurbish donated business PC’s for donation to students who do not have computers at home. The Genesis program gives birth to opportunities for these students and their families.

How can you help?

Packet Analysis Training - A portion of the income from EVERY training program I do goes directly to the RTF. This includes live training downloadable videos (coming soon).

Monetary Donations - The RTF is accepting donations, and all of those donations are tax deductible.

Computer and Equipment Donations - The Genesis Program is accepting donated computers to be refurbished and donated to students in needs. These computers should be in fairly decent condition and at least have a functioning motherboard and processor. We are also accepting monitor, keyboard, mouse, and software donations.

For more information on the Rural Technology Fund, check out www.ruraltechfund.org.

Laura Chappell is now doing regularly scheduled online training seminars. I had the privelege of attending one of these last Thursday called the “Top 10 Reasons Your Network is Slow” and it was really great.

You can see a schedule of Laura’s training at http://www.chappellseminars.com/schedule-name.html.

Do you have a story about a time when you used packet analysis to solve a problem on your network? If so, I want to hear that story. E-Mail me at chris@chrissanders.org and your story could be featured on this site or even in the next edition of Practical Packet Analysis.

I’ve just announced my second online training event. This event will be happening on Wednesday, May 27th at 2 PM EST.

Course Description:

This is an introductory level packet analysis course with a focus on practical usage. The goal of this course will be to give you exactly what you need to jump deep into your network with Wireshark and begin getting value out of these skills immediatley. This course will use completely new files and scenarios and will not repeat any real-world scenarios taught in my book or in my previous trainings.

Prerequisites:

In order to understand what is going on in this course you will need to have a decent level of experience troubleshooting networks and client/server communications. You won’t be expected to know how individual protocols look on the wire (I’ll teach you that) but you will be expected to know what DHCP/DNS/SMTP/ETC are used for. 

The course will be administered using Citrix Go2Meeting which will transmit live audio and video from my computer. Because of this, some form of broadband Internet connection is recommended. I’ve used this format before and it seemed to work really well as all users were able to connect and listen/watch successfully.

Who Should Attend:

If you troubleshoot or maintain a network on a daily basis then this course will provide immediate value to you. Packet Analysis is one of the hottest growing skill sets amongst IT staff in the world and is an absolute requirement to troubleshoot certain problems that may be faced. If you want to save yourself time, save your organization money, or make yourself more marketable by increasing your skill set, then this is the course for you.

Cost:

The early registration cost for this course is $100 USD. This pricing is valid until May 5th. After May 5th, the cost goes up to $150 USD. If you work for a non-profit or in education, please e-mail me for a discounted rate. The course is limited to a set number of participants so that I can get to all questions that may be asked, so your best bet is to get in early.

Curriculum:

Hour 1 - Intro, Theory, and Getting Your Feet Wet

• How Packet Analysis Can Help You
• “War Stories”
• How a Packet Sniffer Works
• Getting and Installing Wireshark
• Sniffer Placement on Your Network
• Walkthrough of Wiresharks Features Using Real Trace Files

Hour 2 - Protocols and Performance with Real World Case Scenarios

• Analyzing Common Protocols When They Work and When They Don’t
• Troubleshooting Network Performance Problems
• Steps for Creating a Network Baseline
• The 7 Deadly Sins of the Network

Hour 3 - Security, Wireless, and More Real World Scenarios

• Analyzing Common Network Attacks
• Wireless Packet Analysis
• Additional Tools and Resources
• Q&A

Registration:

In order to sign up for this course, please fill out the registration form below. At some point after registering, you should receive an e-mail from me with payment details.

As always, if you  have any questions regarding this training please e-mail me.

When you are capturing a lot of traffic the size of your capture files can grow really quickly. When this happens you are really going to have a hard time getting anything done when trying to sort through the file. There are a couple of things you can to do prevent this from happening.

Use an Effective Capture Filter

Capture filters are great when you know what you are looking for. If you ONLY want SMTP traffic, you can capture only that traffic. If you ONLY want to see HTTP POSTs, then you can capture only that traffic. If you aren’t sure what you are looking for then its bests to stick to capturing everything and using display filters, but when you have an eye on your target then capture filters are a great way to cut through the weeds. You will find this especially beneficial when capturing packets from a busy server or network segment.

Some of the things you can filter based upon include:

• Specific Protocols
• A Particular IP/MAC Address
• Incoming/Outgoing Traffic Only

Split the Capture File as It’s Being Captured

Wireshark has some really great flexibility in allowing you to split a capture file as its being created. You can access this by selecting Capture from the main drop-down menu and selection Options, or by pressing Ctrl+K.

You have a couple of options here and they all become available to you when you place a check mark next to the Use Multiple Files box. There are two primary sections which I’ve creatively labeled the Multiple File and Stop Capture sections.

The multiple file section lets you specify a point at which a new file is created, either by reaching a certain size limit or at a certain time interval. I find that I typically use the size option for typical uses, but specifying a time interval for the packet capture can become very useful when you are trying to pinpoint when a certain event is happening. In this scenario you could start the capture at 12:00 and place and set the multiple file option to create the next file every 1 hour which should create a nice clean display of capture files by the hour.

It’s important to note that you can specify both of these criteria and in this case, a new file will be created when EITHER condition is met. In this top section you can also specify a maximum number of files to be created (don’t underestimate the value of this, I’ve accidentally filled up a hard drive on many occasions) and specify a ring buffer. A ring buffer uses a set number of files, and after the last file has been written it will begin overwriting the first file and cycling back through.

The stop capture section of this area is very straightforward and allows you to stop a capture after it reaches a certain point, either at a certain number of packets captured, a certain size limit, or a particular time interval. This comes in handy when you want to start a capture and run off to lunch or take a call.

Ensure You Are Capturing in the Best Location

One of the most overlooked parts of the packet analysis process is ensuring you are properly tapped into the network and getting the packets you need. Although the typical concern is whether or not you are getting enough packets, there are some cases in which you may be capturing TOO MUCH information. If you are having trouble weeding through a large capture file then you need to ask yourself if you really need to be where you are at. If it is a client/server issue, do you really need to capture from the server or would capturing from the client yield the traffic you need? If you are analyzing a slow network link, do you really need to be inside the router or would you be best suited to tap the outside interface of the router and get away from the internal networks broadcast domain?

Working with larger capture files is a real quick way to bog down your system and further complicate what may already be a long drawn out process. Using these techniques you should be able to keep tabs on your capture file size and make your analysis process quite a bit more efficient.

I’ve already written quite a bit about getting on the wire as it pertains to packet analysis. Half the battle when you are capturing packets is placing the sniffer computer so that it captures the packets you need. The advent of switched networks makes this a bit harder on us as traffic is now directed and not free-flowing across every port on a network. In a post a few months ago I outlined three methods for getting on the wire. Those three methods were ARP Cache Poisoning, Hubbing Out, and Port Mirroring. One other technique which I had not previously used, but have now grown to love is using a network tap.

A tap is basically a hardware device that you can place on the wire to intercept the right packets.

The tap has at least three ports. These are inbound and outbound ports and a monitor port.

Say you wanted to intercept all network traffic entering your router. Typically, you would have a single cable going from a switch to your router. In order to insert the tap into the mix, you would unplug the current cable from the router and plug it into the inbound port on the tap. You would add an additional cable from the outbound port of the tap into the port on your router. Lastly, you would place a cable into the monitor port that leads to your analysis machine. The analysis machine will then capture all traffic flowing between the switch port and the router.

The great thing about doing this as opposed to hubbing out is that you aren’t using an old school hub that could cause dropped packets and limits you to half-duplex communication. This is also advantageous over ARP cache poisoning because it doesn’t generate any extra traffic on the wire, which is something you typically want to avoid doing…especially in security scenarios.  If your layer three switches typically have a very high processor utilization, you could also consider this over port mirroring. The tap adds no extra traffic or latency to the traffic on the wire and is completely undetectable.

That all being said I recommend the Barracuda network tap. They run about $130 and have an added benefit of having TWO monitor ports. One port monitors all inbound traffic and the other monitors all outbound traffic rather than having a single port for both, which can add some flexibility in your analysis. The Barracuda tap also allows for the use of a nine volt battery in situations where a power outlet isn’t handy or you just want to capture some packets quickly.

You can get the Barracuda network tap from http://www.barracudanetworks.com/tap/.

Although we are a couple of months into 2009 now, I’ve just launched the graphical redesign of the site. If you view the site via RSS you may want to stop by to check it out. I’ve merged a couple of pages and added some new ones and hope to start delivering some more new content soon. Also, I will be adding, modifying, deleting some post categories so be aware of that. Keep checking back often for new stuff!

Laura Chappell, one of the packet analysis world’s best, has just announced Chappell University. Here is her official statement from her newsletter:

“Chappell University (www.chappellU.com) is open for registration today. Subscription-level service will be open soon - I’ll let you know. Chappell University is an affordable, on-demand, online training system to maintain and enhance IT skills in the area of analysis, troubleshooting and security. Last night I uploaded two lab workbooks with over 100 lab exercises using Wireshark to spot network problems, security breaches, and analyze normal and abnormal TCP/IP communications. I’ve recoreded video answers to all the lab exercises. In addition, I’ve uploaded my trace file respository and you’ll see me uploading additional WLAN, VoIP, bot-infections, application, etc., trace files each quarter. Check out the new YouTube Channel for Chappell University at www.youtube.com/chappellU and the video “Ethical Hacking with NetScanTools Pro: Tutorial on ARP Scanning to Discover All Local Hosts” (even those hidden behind firewall applications). “

If you haven’t had the pleasure of experiencing Laura’s training on-site, or via Wireshark University, I would highly reccommend both. As I said, she is one of the best in the field.