Describe what the term promiscuous mode means in relation to capturing network traffic with Wireshark and similar network traffic analysers.

Describe the difference between a network switch and a network hub. Then explain how switched networks limit the network traffic that is visible to Wireshark in comparison to networks that used hubs.  (Note – switches are the technology used in today’s computer networks)

Documenting the 3 logical operators for combining primitives

The boxed example above shows the logical AND operator ( && ) being used to combine two primitives. There are two other such logical operators.

Document all three logical operators and give one example of how each could be used in a capture filter.

In this section of the assignment you are required to create a range of capture filters, implement those capture filters in Wireshark and take a screenshot of associated captured traffic.

Your screen captures must include the Time, Source, Destination and Protocol fields of the Wireshark display along with at least two packets (the graphic below shows three, packets 7,8 & 9).

Because the Time field is displayed to such a fine resolution your screenshot capture will be unique from all other students doing this assignment. This will therefore act as an automatic plagiarism detector.

Promiscuous mode and its significance for capturing all packets with Wireshark

  1. Describe what the term promiscuous mode means in relation to capturing network traffic with Wireshark and similar network traffic analysers.

Promiscuous mode is a setting on the network interface card (NIC) that makes it pass every frame it receives up to the capture driver, not only the frames addressed to its own MAC address plus broadcast and subscribed multicast frames, which is all a NIC accepts normally. Wireshark (through libpcap on Linux/macOS or Npcap on Windows) turns it on by default when a capture starts; without it the capture would contain only the host's own traffic and broadcast/multicast. Promiscuous mode only changes what the NIC accepts; it cannot make the network deliver frames that were never sent to that port, so on a switched network it is necessary but not sufficient for seeing other hosts' traffic. (On Wi-Fi the corresponding setting for seeing other stations' frames is monitor mode, which is a separate option.)

  1. The Capture > Options dialog allows the Name Resolution of Network Layer names. Describe what this means and describe how it could be used for capturing network traffic.

Network-layer name resolution makes Wireshark replace IP addresses in the Source and Destination columns with host names, which makes a capture much easier to read.

Wireshark resolves the names from the hosts file and, by default, by sending reverse (PTR) DNS queries for each address it has not seen before. Two caveats matter in practice: those lookups are themselves DNS traffic that appears in the capture, and they reveal the addresses you are analysing to whatever resolver the capture machine uses, so on a sensitive investigation it is better to resolve from a local hosts file. Resolution is applied to the display rather than to the saved packets, so if it is enabled after the capture has run, View > Reload rebuilds the packet list with the resolved names.

  • Describe the difference between a network switch and a network hub. Then explain how switched networks limit the network traffic that is visible to Wireshark in comparison to networks that used hubs.  (Note – switches are the technology used in today’s computer networks)

A hub is a layer 1 repeater that connects network devices together. A frame received on one port is sent out of every other port, all attached devices share one collision domain, so only one of them can transmit at a time, and every host's NIC receives every frame (discarding those not addressed to it, unless it is in promiscuous mode).

A switch is a layer 2 device that also connects network devices, but it learns which MAC address sits behind which port from the source addresses of the frames it receives and keeps them in its MAC (CAM) table. A frame to a known unicast MAC address is forwarded only to that one port, and several frames can be switched between different pairs of ports at the same time. Only broadcast, multicast and frames to a MAC address the switch has not learned yet are flooded to all ports.

On a hub, a host running Wireshark in promiscuous mode therefore sees every frame on the segment. On a switch it sees only its own unicast traffic plus the broadcast, multicast and flooded frames; unicast traffic between two other hosts never arrives at its port, so Wireshark cannot capture it. To capture that traffic on a switched network the analyser has to be placed in the path, for example by configuring a mirror (SPAN) port on the switch or by inserting a network TAP.
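As an added illustration of that last point (example code written for this page, not from the assignment, Wireshark or any switch vendor), the following Python models a hub and a learning switch and reports which frames reach the port a sniffer is attached to. The port numbers, MAC addresses and frame sequence are constructed.

```python
"""Hub versus switch forwarding, as seen from the port a sniffer is on.

Added example, not part of the original answer. Models a hub (every frame is
repeated out of every other port) and a learning switch (known unicast goes
to one port; broadcast and unknown unicast are flooded). Ports and MAC
addresses are made-up sample data.
"""
BCAST = "ff:ff:ff:ff:ff:ff"
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"


class Hub:
    """Layer 1 repeater: knows no addresses, one collision domain."""
    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src, dst):
        return self.ports - {in_port}          # every frame goes everywhere


class Switch:
    """Layer 2 learning switch with a MAC (CAM) table."""
    def __init__(self, ports):
        self.ports = set(ports)
        self.cam = {}                          # MAC address -> port it was last seen on

    def forward(self, in_port, src, dst):
        self.cam[src] = in_port                # learn from the source address
        if dst == BCAST or dst not in self.cam:
            return self.ports - {in_port}      # broadcast / unknown unicast: flood
        return {self.cam[dst]} - {in_port}     # known unicast: that port only


# Constructed frames as (ingress port, source MAC, destination MAC).
FRAMES = [
    (1, A, BCAST),  # 0 A sends an ARP request (broadcast)
    (2, B, A),      # 1 B answers A; the switch learned A on port 1 from frame 0
    (1, A, B),      # 2 A -> B
    (2, B, A),      # 3 B -> A
    (1, A, C),      # 4 A -> C, but C has not sent anything yet
    (3, C, A),      # 5 C -> A
]


def seen_by(device, sniffer_port, frames=FRAMES):
    """Indices of the frames the device delivers to sniffer_port."""
    return [i for i, (in_port, src, dst) in enumerate(frames)
            if sniffer_port in device.forward(in_port, src, dst)]
```

With the sniffer on port 4, the hub delivers all six frames; the switch delivers only frame 0 (a broadcast) and frame 4 (a unicast to a MAC it has not learned yet). Everything else is switched directly between ports 1, 2 and 3 and never appears at port 4, which is exactly the traffic a mirror (SPAN) port or a TAP is needed for.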

  1. From the web or any other source determine the well-known port numbers of the following server programs:

Program          Port
ftp data         20/tcp
ftp control      21/tcp
http             80/tcp
NTP              123/udp
ssh              22/tcp

Also find the well-known port numbers for 6 other network protocols and describe the function that each protocol performs.

Protocol                                    Port                  Function
Simple Mail Transfer Protocol (SMTP)        25/tcp                Transfers mail between mail servers and from clients to a relay
Telnet                                      23/tcp                Remote command-line login; the whole session, password included, crosses the network unencrypted and is readable in a capture
Domain Name System (DNS)                    53/udp and 53/tcp     Resolves host names to IP addresses (and, through PTR records, addresses back to names); TCP is used for large responses and zone transfers
Border Gateway Protocol (BGP)               179/tcp               Exchanges routing information between autonomous systems on the Internet
Trivial File Transfer Protocol (TFTP)       69/udp                Minimal file transfer with no authentication, commonly used to load firmware and configuration onto network devices
Simple Network Management Protocol (SNMP)   161/udp and 162/udp   Network monitoring and management: managers query agents on 161, agents send traps to the manager on 162

Capture filters use the Berkeley Packet Filter (BPF) syntax that tcpdump also uses. A filter is built from primitives, and each primitive is an identifier (a name or a number) preceded by one or more qualifiers. Keywords are written in lower case. There are three kinds of BPF qualifier:

  • Type

The type qualifier says what kind of thing the identifier refers to: host, net, port or portrange. If no type is given, host is assumed.

host 192.168.12.56 captures every packet sent to or from that address. Run on the Wireshark machine, it captures both directions of the traffic between the two computers (and any other traffic of that host that reaches the capture interface).

tcp port 80 captures TCP segments whose source or destination port is 80, i.e. HTTP requests and responses. Without the tcp qualifier, port 80 would also match UDP datagrams on port 80.

net 192.168.10.0/24 captures every packet whose source or destination address lies in that network.

  • Dir

The direction qualifier restricts the match to one direction of transfer: src, dst, src or dst (the default when no direction is given) and src and dst.

src 192.168.10.5 (short for src host 192.168.10.5) captures only packets sent by that machine; packets addressed to it are not captured. dst net 192.168.0.0/24 captures only packets addressed to a host in that range.

  • Proto

The protocol qualifier restricts the match to a particular protocol: ether, ip, ip6, arp, rarp, tcp, udp and icmp, plus link-layer types such as fddi, tr and wlan.

ether proto 0x888e captures only Ethernet frames with EtherType 0x888E, which is EAPOL (IEEE 802.1X authentication).
ip captures all IPv4 traffic.
tcp portrange 1000-1500 captures TCP segments with a source or destination port between 1000 and 1500.
arp captures all ARP traffic, and rarp captures all reverse ARP traffic.
ip6 captures all IPv6 traffic.
udp and port 53 (equivalently udp port 53) captures DNS queries and responses carried over UDP. DNS also runs over TCP for large responses and zone transfers, so port 53 on its own is the complete DNS filter.

Documenting the 3 logical operators for combining primitives

AND operator (and, or &&): both primitives must match.

udp and port 53. This filter captures UDP datagrams whose source or destination port is 53, i.e. DNS over UDP in both directions.

OR operator (or, or ||): either primitive may match.

tcp port 53 or tcp port 80. This captures TCP segments on port 53 or on port 80. The protocol qualifier has to be repeated: in tcp port 53 or port 80 the second primitive has its own keyword (port), so it is not restricted to TCP and would also capture UDP traffic on port 80. Grouping with parentheses avoids the repetition: tcp and (port 53 or port 80).

NOT operator (not, or !): negates a primitive.

tcp port 80 and not host 192.168.1.12. This filter captures TCP traffic with source or destination port 80 in either direction, except packets sent to or from the host 192.168.1.12.

I assigned my second machine an IP address of 192.168.43.1

  1. Capture all traffic between your machine (the one running Wireshark) and another machine. Use the IP address of the other machine to identify it in the filter.

From the above screenshot, the filter I used was host 192.168.43.2. This filter captures all the packets between the two computers.

  1. Capture all traffic between your machine (the one running Wireshark) and another machine. Use the MAC address of the other machine to identify it.

I used the above filter with the MAC address of the destination computer. It is used to capture packets using the MAC address.

  1. Capture all traffic from the other machine. Use either the IP or MAC address of the remote machine to identify it.

The filter src is used to capture packets from a specified target. In this case I used src with the target IP address. Here all the packets from the target are captured.

  1. Capture only ICMP traffic between the two machines

Using the ICMP filter in Wireshark, I captured only ICMP traffic between the two computers

Excluding particular network traffic (2 marks)

  • Capturing broadcast traffic only

broadcast. This filter captures only broadcast traffic. It is short for ether broadcast and matches frames whose destination MAC address is ff:ff:ff:ff:ff:ff, for example ARP requests and DHCP discovers.

  • Exclude broadcast traffic

not broadcast. This filter captures all traffic except broadcast frames.

  • Capture all traffic from a range of network addresses but exclude broadcast traffic

src net 192.168.43.0/24 and not broadcast. This captures all traffic sent from addresses in the range 192.168.43.0 to 192.168.43.255 while excluding broadcast frames. (A port range such as tcp portrange 0-1900 selects on port numbers, not on network addresses, and would also drop every non-TCP packet.)

Using port numbers in capture filters (1 mark)

  1. DNS traffic

port 53. This is used to capture only DNS traffic, over both UDP and TCP and in both directions (udp port 53 would restrict it to UDP).

  1. DNS traffic being sent from your machine

udp port 53 and src host 192.168.43.236

This captures the DNS traffic whose source address is the capturing machine, i.e. the queries it sends; the responses, which have it as destination, are excluded. The IP address used is for my machine. Note that ip.dst == 192.168.43.236 is Wireshark display-filter syntax and is rejected in a capture filter, which only understands the BPF primitives above.

  1. DHCP traffic in either direction

To capture DHCP traffic we use the ports DHCP uses: the server listens on UDP port 67 and the client on UDP port 68.

Therefore, the capture filter is port 67 or 68 (short for port 67 or port 68; udp port 67 or udp port 68 restricts it to UDP, which is the only transport DHCP uses).
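The following Python is an added example written for this page (not Wireshark or libpcap code) that re-implements, on constructed frames, the primitives and operators from the BPF qualifier section and the capture filters in the sections above. It decodes only Ethernet, ARP, IPv4, TCP, UDP and ICMP; every MAC address, IP address and port number in it is made-up sample data, and the filter strings are the page's own filters spelled the way libpcap accepts them.

```python
"""Toy re-implementation of the capture-filter primitives described above.

Added example, not Wireshark or libpcap code: libpcap compiles a filter into
BPF bytecode that runs on every raw frame, and this mimics that matching in
plain Python on constructed frames (Ethernet, ARP, IPv4, TCP, UDP, ICMP only).
All MAC addresses, IP addresses and ports below are made-up sample data.
"""
import ipaddress
import struct
from types import SimpleNamespace

BCAST = "ff:ff:ff:ff:ff:ff"
ME, OTHER, GW = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"


def _mac(m):
    return bytes.fromhex(m.replace(":", ""))


def frame(esrc, edst, proto=None, ipsrc=None, ipdst=None, sport=0, dport=0):
    """Raw Ethernet frame: ARP when proto is None, else IPv4 carrying TCP(6)/UDP(17)/ICMP(1)."""
    if proto is None:
        return _mac(edst) + _mac(esrc) + struct.pack("!H", 0x0806) + b"\x00" * 28
    if proto == 6:      # TCP header, data offset 5, ACK set, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
    elif proto == 17:   # UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:               # ICMP echo request
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(ipsrc).packed, ipaddress.IPv4Address(ipdst).packed)
    return _mac(edst) + _mac(esrc) + struct.pack("!H", 0x0800) + ip4 + l4


def parse(raw):
    """Extract the fields the primitives look at; ports are set only for TCP/UDP."""
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    p = SimpleNamespace(eth_src=fmt(raw[6:12]), eth_dst=fmt(raw[0:6]),
                        ethertype=struct.unpack("!H", raw[12:14])[0],
                        ip_src=None, ip_dst=None, ip_proto=None, sport=None, dport=None)
    if p.ethertype == 0x0800:
        ihl = (raw[14] & 0x0F) * 4          # IPv4 header length, options included
        p.ip_proto = raw[23]
        p.ip_src = str(ipaddress.IPv4Address(raw[26:30]))
        p.ip_dst = str(ipaddress.IPv4Address(raw[30:34]))
        if p.ip_proto in (6, 17):
            p.sport, p.dport = struct.unpack("!HH", raw[14 + ihl:18 + ihl])
    return p


# Type qualifiers (host, net, port), direction qualifiers (src, dst; 'src or
# dst' is the default) and proto qualifiers, each as a predicate on a parsed frame.
def host(a):       return lambda p: a in (p.ip_src, p.ip_dst)
def src_host(a):   return lambda p: p.ip_src == a
def _in(a, n):     return a is not None and ipaddress.ip_address(a) in n
def net(c):        n = ipaddress.ip_network(c); return lambda p: _in(p.ip_src, n) or _in(p.ip_dst, n)
def src_net(c):    n = ipaddress.ip_network(c); return lambda p: _in(p.ip_src, n)
def port(x):       return lambda p: x in (p.sport, p.dport)
def ether_host(m): return lambda p: m in (p.eth_src, p.eth_dst)
broadcast = lambda p: p.eth_dst == BCAST              # 'broadcast' is short for 'ether broadcast'
arp = lambda p: p.ethertype == 0x0806
tcp, udp, icmp = (lambda p: p.ip_proto == 6), (lambda p: p.ip_proto == 17), (lambda p: p.ip_proto == 1)

# The three logical operators: and (&&), or (||), not (!)
def AND(*fs): return lambda p: all(f(p) for f in fs)
def OR(*fs):  return lambda p: any(f(p) for f in fs)
def NOT(f):   return lambda p: not f(p)

# Constructed sample capture; the list index is the frame number.
TRAFFIC = [
    frame(ME, OTHER, 6, "192.168.43.236", "192.168.43.2", 51000, 80),              # 0 me -> other, HTTP
    frame(OTHER, ME, 1, "192.168.43.2", "192.168.43.236"),                         # 1 other -> me, ping
    frame(ME, GW, 17, "192.168.43.236", "192.168.43.1", 40000, 53),                # 2 me -> gateway, DNS
    frame("aa:bb:cc:dd:ee:04", BCAST, 17, "0.0.0.0", "255.255.255.255", 68, 67),  # 3 DHCP discover
    frame(OTHER, BCAST),                                                           # 4 ARP request
    frame("aa:bb:cc:dd:ee:05", GW, 17, "10.0.0.5", "10.0.0.9", 1234, 80),         # 5 UDP to port 80
    frame(GW, ME, 6, "192.168.1.12", "192.168.43.236", 3333, 80),                  # 6 TCP from 192.168.1.12
]

FILTERS = {
    "host 192.168.43.2": host("192.168.43.2"),
    "ether host aa:bb:cc:dd:ee:02": ether_host(OTHER),
    "src host 192.168.43.2": src_host("192.168.43.2"),
    "icmp and host 192.168.43.2": AND(icmp, host("192.168.43.2")),
    "arp": arp,
    "broadcast": broadcast,
    "not broadcast": NOT(broadcast),
    "net 10.0.0.0/8": net("10.0.0.0/8"),
    "src net 192.168.43.0/24 and not broadcast": AND(src_net("192.168.43.0/24"), NOT(broadcast)),
    "port 53": port(53),
    "udp port 53 and src host 192.168.43.236": AND(udp, port(53), src_host("192.168.43.236")),
    "port 67 or port 68": OR(port(67), port(68)),
    "tcp port 53 or port 80": OR(AND(tcp, port(53)), port(80)),   # bare 'port 80' matches UDP too
    "tcp port 53 or tcp port 80": OR(AND(tcp, port(53)), AND(tcp, port(80))),
    "tcp port 80 and not host 192.168.1.12": AND(tcp, port(80), NOT(host("192.168.1.12"))),
}


def matches(filter_text):
    """Frame numbers from TRAFFIC that the named filter would keep."""
    pred = FILTERS[filter_text]
    return [i for i, raw in enumerate(TRAFFIC) if pred(parse(raw))]
```

matches() returns the frame numbers each filter keeps. The two "tcp port 53 or ..." entries show the keyword rule in action: the bare port 80 after or is not restricted to TCP, so frame 5 (a UDP datagram to port 80) slips through the first form and not the second, which is why the qualifier has to be repeated or the ports grouped as tcp and (port 53 or port 80).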

tcp [13] & 4 == 4 This particular capture filter can detect TCP packets that have the RST flag set. Explain it in simpler form.

This kind of filter is useful when you want to find particular traffic with tcpdump or Wireshark. tcp[13] refers to the byte at offset 13 (counting from 0) of the TCP header, which holds the flags. Each flag occupies one bit of that byte: FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, URG = 32. tcp[13] & 4 performs a bitwise AND with 4, which clears every bit except the RST bit; the result equals 4 only when RST is set, whatever the other flags are, so the filter keeps exactly the segments that carry RST (an RST/ACK matches as well). tcpdump and Wireshark accept the same test written with names, tcp[tcpflags] & tcp-rst != 0. The same technique works for any flag test, for example tcp[13] & 0x12 == 2 for a bare SYN (SYN set, ACK clear). In Wireshark's display filter the equivalent is tcp.flags.reset == 1, but that syntax cannot be used as a capture filter.
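As an added worked example (written for this page, not tcpdump or libpcap code), the Python below builds TCP headers with different flag combinations and applies the test tcp[13] & MASK == VALUE to them, so that tcp[13] & 4 == 4 can be seen as one case of a general technique. The port numbers are constructed.

```python
"""The byte test behind 'tcp[13] & 4 == 4', worked through in Python.

Added example, not tcpdump or libpcap code. It builds bare 20-byte TCP
headers (no IP or Ethernet layer, so header[13] is the offset the filter
names) and evaluates the general form 'tcp[13] & MASK == VALUE' of which the
RST filter is one instance. The port numbers are made-up sample data.
"""
import struct

# Bit value of each flag in byte 13 of the TCP header (tcpdump names them
# tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def tcp_header(sport, dport, flags):
    """20-byte TCP header: data offset 5 (no options), given flags byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def flag_names(header):
    """Decode byte 13 into the set of flag names that are set."""
    return {name for name, bit in FLAGS.items() if header[13] & bit}


def byte_filter(header, mask, value):
    """Evaluate 'tcp[13] & mask == value' the way BPF does: AND first, then compare."""
    return (header[13] & mask) == value


def is_rst(header):      return byte_filter(header, 0x04, 0x04)   # tcp[13] & 4 == 4
def is_syn_only(header): return byte_filter(header, 0x12, 0x02)   # SYN set and ACK clear
def is_syn_ack(header):  return byte_filter(header, 0x12, 0x12)   # SYN and ACK both set


# Constructed segments from a made-up connection to port 22.
SAMPLES = {
    "syn":     tcp_header(40000, 22, FLAGS["SYN"]),
    "syn-ack": tcp_header(22, 40000, FLAGS["SYN"] | FLAGS["ACK"]),
    "ack":     tcp_header(40000, 22, FLAGS["ACK"]),
    "fin-ack": tcp_header(40000, 22, FLAGS["FIN"] | FLAGS["ACK"]),
    "rst":     tcp_header(22, 40000, FLAGS["RST"]),
    "rst-ack": tcp_header(22, 40000, FLAGS["RST"] | FLAGS["ACK"]),
}


def select(predicate):
    """Names of the SAMPLES a predicate (i.e. a capture filter) would keep."""
    return [name for name, hdr in SAMPLES.items() if predicate(hdr)]
```

For a single bit, tcp[13] & 4 == 4 and tcp[13] & 4 != 0 are equivalent. With a multi-bit mask the == form tests that some bits are set and others clear at the same time, which is how is_syn_only separates the first packet of a handshake from the SYN/ACK reply. The offset is relative to the start of the TCP header, which libpcap locates from the IPv4 header length, so IPv4 options do not shift it.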


Cite This Work

My Assignment Help. (2020). Capturing Network Traffic With Wireshark: Promiscuous Mode And BPF Filters. Retrieved from https://myassignmenthelp.com/free-samples/itech5003-networking-assignment.
