Transmission Control Protocol (TCP) is one of the core protocols of the Internet Protocol suite. The screenshot above shows the flags field in the TCP header. During a conversation between a client and a server, several types of packets are exchanged, and the flags are what distinguish them.
In the picture above, Wireshark highlights the flags field automatically. There are 8 flags in the 1-byte flags field; a flag is set by a 1 in the corresponding bit position. For example, in the picture above the 1 is on the synchronize bit, which means that this packet is a SYN. A packet can also have more than one bit set: the SYN/ACK sent at the beginning of a TCP connection is one example.
Flags available
1. ACK (acknowledgement)
Indicates that data has been successfully received. It appears in the capture because it is used both to establish and to tear down TCP connections.
2. RST (reset)
Tells the receiver that the sender has shut down the connection.
3. SYN (synchronize)
Used in the handshake to establish a connection between two devices over the network.
4. FIN (finish)
Used to gracefully tear down a connection.
TCP
Starting a capture is simply a matter of clicking on the icon circled in green; clicking on the icon next to it stops the capture. As the figure below shows, Wireshark output consists of two panes: the top pane shows the packets, while the bottom pane shows details of the packet highlighted in the top pane. When you stop a Wireshark session you can save the output to a file, which allows you to analyze the captured traffic in more detail.
The Wireshark capture used for the first part of this post is taken from a session running iperf. The iperf session was a 30-second continuous transmission. There was other traffic on the network in addition to the iperf traffic.
Wireshark will indicate whether the packet was fragmented in order to fit within the Maximum Transmission Unit (MTU). In this case, the MTU is 1514 bytes. As an aside, you can also see the protocol overhead of each transmitted frame: here it is 54 bytes, comprising the Ethernet header (14 bytes), the IP header (20 bytes) and the TCP header (20 bytes). This leaves 1460 bytes for data.
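The following added example (not code from the original post) does by hand what the Wireshark detail pane does for the flags field and the header overhead discussed above: it walks the Ethernet, IPv4 and TCP headers of a frame, adds up the 14 + 20 + 20 bytes of headers, reports how much of a 1514-byte frame is left for data, and names the flag bits that are set. The frame bytes, addresses and ports are constructed for the example and the checksums are left unset.

```python
import struct

# Bit values of the 8 flags in the TCP flags byte, low bit first.
TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
             ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]

ETH_HEADER_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def decode_tcp_flags(flag_byte: int) -> list[str]:
    """Return the names of the flags whose bit is set, e.g. 0x12 -> ['SYN', 'ACK']."""
    return [name for name, bit in TCP_FLAGS if flag_byte & bit]


def dissect_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP headers and report overhead, payload size and flags."""
    if len(frame) < ETH_HEADER_LEN + 20 + 20:
        raise ValueError("frame too short for Ethernet/IPv4/TCP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = frame[ETH_HEADER_LEN:]
    ihl = (ip[0] & 0x0F) * 4              # IPv4 header length in bytes (20 without options)
    total_length = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        raise ValueError(f"not TCP (protocol {ip[9]})")
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    data_offset = (tcp[12] >> 4) * 4      # TCP header length in bytes (20 without options)
    flags = tcp[13]
    overhead = ETH_HEADER_LEN + ihl + data_offset
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "flags": decode_tcp_flags(flags),
        "overhead": overhead,
        "payload_len": total_length - ihl - data_offset,
    }


def build_sample_frame(flags: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the example (checksums left at 0)."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + 20 + len(payload),   # version/IHL, DSCP, total length
                     0x1234, 0x4000,                     # identification, DF flag + fragment offset
                     64, IPPROTO_TCP, 0,                 # TTL, protocol, header checksum (unset)
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    tcp = struct.pack("!HHIIBBHHH",
                      54458, 80, 1000, 2000,             # ports, sequence, acknowledgement
                      5 << 4, flags, 65535, 0, 0)        # data offset (5 words), flags, window, checksum, urgent
    return eth + ip + tcp + payload


if __name__ == "__main__":
    # A full-size frame: 1514 bytes on the wire leaves 1460 bytes of data after 54 bytes of headers.
    full = build_sample_frame(0x18, b"A" * 1460)
    print(len(full), dissect_frame(full))
    # The SYN/ACK of a handshake carries no data.
    print(dissect_frame(build_sample_frame(0x12, b"")))
```

The data offset and IHL fields are read rather than assumed to be 20 bytes, so the same function gives the right overhead for frames carrying TCP or IP options.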
The second part of this post uses a couple of basic display filters to separate out traffic classes. In this case, rather than running iperf, a capture was made during a normal period of use. The first class we look at is HTTP traffic, which uses TCP at the transport layer and operates on port 80. The filter used in this case is tcp.port==80. The filter and its output are shown in the figure below.
Dynamic Host Configuration Protocol (DHCP)
DHCP is a client/server protocol used to dynamically assign IP-address parameters and other configuration to a DHCP client. It is implemented as an extension of BOOTP. Most versions of Microsoft Windows improperly encode the secs field on the wire as little-endian. Wireshark will attempt to detect this and display the message "little endian bug?" in the packet detail. In the example below, the secs value 0x0e00 (3584, or nearly an hour) was sent by a Windows client, even though the client had not been retrying for that long. Interpreting the value as 0x000e (14) matches the time elapsed since the first request (packet #3).
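As an added example (not code from the original post or from Wireshark), the function below decodes the secs field both ways and applies a simple heuristic for the byte-order problem described above: a non-zero value whose low byte is zero but whose high byte is not looks far more like a byte-swapped small number than a wait of several hours. The heuristic is an assumption modelled on the warning Wireshark shows, not Wireshark's own code; the transaction ID and message prefix are constructed.

```python
import struct

BOOTP_SECS_OFFSET = 8   # secs is the 16-bit field at byte offset 8 of a BOOTP/DHCP message


def interpret_secs(raw: bytes) -> dict:
    """Decode the 2-byte secs field and flag a suspected little-endian encoding.

    Heuristic (assumption, not Wireshark's implementation): a non-zero big-endian
    value whose low byte is zero but whose high byte is not is treated as byte-swapped.
    """
    as_sent = struct.unpack("!H", raw)[0]    # network byte order, as the RFC specifies
    swapped = struct.unpack("<H", raw)[0]    # what a little-endian sender actually meant
    suspect = as_sent != 0 and (as_sent & 0xFF) == 0
    return {"secs": as_sent, "little_endian_bug": suspect,
            "corrected": swapped if suspect else None}


def best_secs(raw: bytes, elapsed_since_first_request: float) -> int:
    """Pick the interpretation closest to the elapsed time observed in the capture."""
    info = interpret_secs(raw)
    if info["corrected"] is None:
        return info["secs"]
    return min((info["secs"], info["corrected"]),
               key=lambda v: abs(v - elapsed_since_first_request))


def secs_from_message(msg: bytes) -> dict:
    """Read the secs field out of a raw BOOTP/DHCP message."""
    return interpret_secs(msg[BOOTP_SECS_OFFSET:BOOTP_SECS_OFFSET + 2])


if __name__ == "__main__":
    # Constructed DHCP message prefix: op=1 (BOOTREQUEST), htype=1, hlen=6, hops=0,
    # a made-up xid, then secs as a Windows client would send 14 seconds: 0x0e 0x00 on the wire.
    prefix = bytes([1, 1, 6, 0]) + bytes.fromhex("3903f326") + bytes.fromhex("0e00")
    print(secs_from_message(prefix))               # secs=3584, little_endian_bug=True, corrected=14
    print(best_secs(bytes.fromhex("0e00"), 14.2))  # 14
```

`best_secs` is the check a practitioner actually wants: compare both readings against the time since the first request in the capture (packet #3 in the post) and keep the one that agrees with it.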
We can see the packet number of the Request query for this response. The transaction ID correctly matches the transaction ID in the Request query packet.
Under Flags:
The first bit is set to 1, which means that this is a DNS response packet.
Recursive queries are enabled.
There is no error in the response.
Also, there is some additional data (name servers) in the response.
The Queries and Answers sections relate what was asked of DNS and what the response was. Some authoritative name servers for InfoSec Institute are also found.
Under Additional Records, we can even see the IP addresses of these authoritative name servers.
SSL
SSL provides security for the communication between two hosts: integrity, authentication, and confidentiality. It is most commonly used in web browsers but can be used with any protocol that uses TCP as the transport layer. Each SSL record begins with the same three fields (with possibly different values). One of these fields is the content type, which has a length of one byte. List all three fields and their lengths. Each hexadecimal digit represents four binary digits (bits), so each pair of hexadecimal digits equals one byte.
a. Destination MAC address | 6 bytes
b. Source MAC address | 6 bytes | 00 10 db ff 20
c. Type: IP | 2 bytes | 08 00
Expand the Client Hello record. (If your trace contains multiple Client Hello records, expand the frame that contains the first one.) What is the value of the content type?
hex: 16 (16+6=22), i.e. Handshake
Does the Client Hello record advertise the cipher suites it supports? If so, in the first listed suite, what are the public-key algorithm, the symmetric-key algorithm, and the hash algorithm?
MD5, SHA, RSA, DSS, DES, AES
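To make the two questions above concrete, here is an added example (not code from the original post) that parses the three fields every TLS/SSL record starts with (content type, version, length), confirms the record is a Handshake (0x16 = 22), walks into the Client Hello and lists the advertised cipher suites, then splits the first suite's IANA name into its key-exchange, cipher and hash parts. The Client Hello bytes are constructed for the example and the cipher-suite name table is a small subset.

```python
import struct

# TLS record content types (byte 0 of every record).
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

# A handful of IANA cipher-suite code points for the lookup (subset, for the example only).
CIPHER_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}


def parse_record_header(data: bytes) -> dict:
    """The three fields every record starts with: content type (1), version (2), length (2)."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"content_type": ctype, "content_type_name": CONTENT_TYPES.get(ctype, "unknown"),
            "version": (major, minor), "length": length}


def client_hello_cipher_suites(record: bytes) -> list[tuple[int, str]]:
    """Extract the advertised cipher suites from a ClientHello carried in one Handshake record."""
    hdr = parse_record_header(record)
    if hdr["content_type"] != 22:
        raise ValueError(f"expected Handshake (22), got {hdr['content_type']}")
    hs = record[5:5 + hdr["length"]]
    if hs[0] != 1:                                    # HandshakeType client_hello = 1
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]   # 3-byte handshake length
    pos = 2 + 32                                      # client_version + 32-byte random
    pos += 1 + body[pos]                              # session_id length + session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    codes = struct.unpack(f"!{suites_len // 2}H", body[pos:pos + suites_len])
    return [(c, CIPHER_SUITES.get(c, "unknown")) for c in codes]


def describe_suite(name: str) -> dict:
    """Split an IANA suite name, e.g. TLS_RSA_WITH_AES_128_CBC_SHA, into its three parts."""
    kx, _, rest = name.removeprefix("TLS_").partition("_WITH_")
    cipher, _, mac = rest.rpartition("_")
    return {"key_exchange": kx, "cipher": cipher, "hash": mac}


def build_client_hello(suites: list[int]) -> bytes:
    """Constructed TLS 1.2 ClientHello record (no extensions) for the example."""
    body = (b"\x03\x03" + bytes(range(32)) + b"\x00"           # version, random, empty session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                                    # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    rec = build_client_hello([0x002F, 0xC02F, 0x000A])
    print(parse_record_header(rec))     # content type 0x16 = 22 = Handshake
    for code, name in client_hello_cipher_suites(rec):
        print(f"0x{code:04x} {name} {describe_suite(name)}")
```

Reading the lengths out of the record and handshake headers, rather than assuming fixed offsets, is what keeps the parser correct when a Client Hello carries a session ID or a long suite list.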
DNS analysis
The other type of traffic looked at (and this may be of some interest when troubleshooting network issues) is DNS traffic. DNS uses port 53 and UDP at the transport layer. To filter DNS traffic, the filter udp.port==53 is used. Four queries were made to DNS over the course of this capture. It is possible to track the queries and see whether there are any issues with DNS lookups.
Before the DNS protocol, notice that UDP is used, with source port 54458 and destination port 53.
We can see the packet number of the Response for this query; in this case it is 30. Also note the transaction ID: it should match in the response packet.
Under Flags:
The first bit is set to 0, which means it is a query. Bonus points if you can guess what it will be set to for a query response (see the response section below).
The next 4 bits are set to 0000, which means that it is a standard DNS query.
The 8th bit is set to 1, which means that recursive queries are enabled on our DNS server.
The 14th bit is set to 0, which means it will accept authenticated data.
Under Queries, you can see that the request is made for
As you can see, the reply code is 9, which means the DNS server is not authoritative to get zones from the authoritative name servers; this results in the connection termination that we can see in the TCP connection termination sequence below.
DNS traffic analysis adds a lot of context during an investigation: for example, we can build up Indicators of Compromise based on DNS traffic, we can detect DNS zone transfers, and an organization can look at how much information it has actually revealed about itself. With these analysis results, DNS servers can be hardened. In this article, we have also learned how looking at DNS records such as AAAA and AA, DNS lookups (both forward and reverse), response codes, queries and answers, and Wireshark's packet stream feature can help set the context for an investigation.
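The flag-by-flag reading of the query (above) and of the response (in the earlier response section) can be automated. This added example (not code from the original post) decodes the 12-byte DNS header into the transaction ID, the QR/opcode/RD/RA/AD/CD bits and the reply code, decodes the question name, and checks that a response belongs to a query the way an analyst does by eye: same transaction ID, QR flipped from 0 to 1. The query and response bytes, the transaction ID and the domain name example.com are constructed for the example.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def parse_dns_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header: transaction ID, the flag bits and the four section counts."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    rcode = flags & 0xF
    return {
        "id": tid,
        "qr": flags >> 15,                 # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,     # 0 = standard query
        "aa": (flags >> 10) & 1,           # authoritative answer
        "tc": (flags >> 9) & 1,            # truncated
        "rd": (flags >> 8) & 1,            # recursion desired
        "ra": (flags >> 7) & 1,            # recursion available
        "ad": (flags >> 5) & 1,            # authenticated data
        "cd": (flags >> 4) & 1,            # checking disabled
        "rcode": rcode,
        "rcode_name": RCODES.get(rcode, f"rcode{rcode}"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"


def decode_name(pkt: bytes, pos: int) -> tuple[str, int]:
    """Read an uncompressed name starting at pos; returns (name, position after it)."""
    labels = []
    while pkt[pos] != 0:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels), pos + 1


def build_query(tid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed standard query with RD set, one question (type A, class IN), no other sections."""
    return (struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def build_response_header(tid: int, rcode: int, ancount: int = 0,
                          nscount: int = 0, arcount: int = 0) -> bytes:
    """Constructed response header with QR, RD and RA set and the given reply code."""
    return struct.pack("!HHHHHH", tid, 0x8180 | (rcode & 0xF), 1, ancount, nscount, arcount)


def matches(query: bytes, response: bytes) -> bool:
    """A response belongs to a query when the transaction IDs agree and QR flips from 0 to 1."""
    q, r = parse_dns_header(query), parse_dns_header(response)
    return q["qr"] == 0 and r["qr"] == 1 and q["id"] == r["id"]


if __name__ == "__main__":
    q = build_query(0x1A2B, "example.com")
    print(parse_dns_header(q), decode_name(q, 12)[0])
    # A response with reply code 9 (NOTAUTH) and name servers in the authority/additional sections.
    r = build_response_header(0x1A2B, rcode=9, nscount=2, arcount=2)
    print(parse_dns_header(r)["rcode_name"], matches(q, r))   # NOTAUTH True
```

Running this over every query/response pair in a capture (rather than one packet at a time in the detail pane) is how the four lookups mentioned above would be checked in bulk for mismatched IDs or non-zero reply codes.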