Archive | Networking

Networking
25 November 2011 0 Comments

Wireshark: 802.11 Frame Display Filters

Introduction

When using a wireless network card in monitor mode (using airmon-ng), Wireshark will not just pick up Ethernet-level frames, but also the raw wireless 802.11 frames. This data is very interesting, but the volumes can be large: wireless Access Points send out a lot of “beacon frames” that you might want to filter.

In this post we provide a list of the most useful Wireshark display filters for 802.11 frames. Use them in Wireshark in the filter field displayed below.

802.11 Frame Format

The generic 802.11 frame structure is displayed below. Most of the interesting values are in the Frame Control section, because this section determines the type of the frame.

Display Filters

wlan.fc.type == 0           Management frames
wlan.fc.type == 1           Control frames
wlan.fc.type == 2           Data frames
wlan.fc.type_subtype == 0   Association request
wlan.fc.type_subtype == 1   Association response
wlan.fc.type_subtype == 2   Reassociation request
wlan.fc.type_subtype == 3   Reassociation response
wlan.fc.type_subtype == 4   Probe request
wlan.fc.type_subtype == 5   Probe response
wlan.fc.type_subtype == 8   Beacon

wlan.addr == 12:34:56:AB:CD:EF  Select frames where any of 

Tags: 802.11, 802.11 frame, beacon, display filters, fc.type, frame control, pocket reference, subtype
Networking
24 June 2011 0 Comments

The ICMP Protocol for IPv4 Explained

In this post we discuss the Internet Control Message Protocol (ICMP), one of the core protocols of the TCP/IP suite [Wikipedia] [RFC 792]. Many common networking utilities are based on ICMP, including tracert and ping.

ICMP messages are typically generated in response to errors in IP datagrams or for diagnostic or routing purposes. ICMP errors are always reported to the original source IP address of the originating datagram. The protocol is implemented by both hosts and routers, albeit in different ways.

A version of ICMP for IPv6 exists: ICMPv6. The scope of this article is limited to ICMP for IPv4 (ICMPv4).

ICMP Packet Structure

Each ICMP message is encapsulated directly within a single IP datagram, and thus, like UDP, ICMP is unreliable. The structure of ICMP packets is displayed below:


Header Fields

The Type and Code fields are the first two fields in the header of the ICMP packet. Together these fields designate the meaning of the packet.


Type/Code Fields

The most common combinations of Type and Code are displayed below.

As can be seen in the table, an ICMP message can either be an error message or a query message. Query messages are two-way: when an ICMP request …

Tags: checksum, code, core protocol, echo, icmp header, icmpv6, ipv4, packet, traceroute, tracert
Networking
22 June 2011 1 Comment

The DNS Protocol Explained

The DNS Protocol

The Domain Name System protocol translates domain names into IP addresses (Wikibooks page). When a client wants to open a webpage at www.google.com, a query is sent to a DNS server (a.k.a. name server) to fetch the corresponding IP address. The IP returned by the name server is used to contact the Google web server – the server that hosts the actual website contents. In this post we explain the DNS protocol and the packets involved.

Usually, a client will know the IP address of one or more DNS servers after the DHCP boot process is completed. In order to resolve a hostname, a DNS query packet is sent. All DNS traffic between clients and name servers is encapsulated in UDP, and name servers always run on UDP port 53.

DNS Packet Structure

The structure of DNS packets looks like this:

The flags field (16 bits) has the following structure:

    a) The first (0th) bit indicates query (0) or response (1).
    b) The next three bits (1-4) indicate ‘Standard Query (0)’,
       ‘Inverse Query (1)’ or ‘Server Status Request (2)’.
    c) The 5th bit indicates an Authoritative Answer: the
       name server is authoritative for the domain in the
       question section.
    d) The 6th bit field is set if 

Tags: A, AAAA, class, dns, domain name system, MX, port 53, question, resource record, udp
Networking
21 June 2011 6 Comments

The DHCP Protocol for IPv4 Explained

Introduction

The Dynamic Host Configuration Protocol (DHCP) is an automatic configuration protocol used on IP networks [RFC 2131]. A major advantage is that it eliminates the need to manually assign each host a static IP address. Hosts can ‘ask’ to join a network and they will be assigned an IP address, and provided with additional information such as the subnet mask and gateway IP.

There are two versions of DHCP, one for IPv4 and one for IPv6. While both versions bear the same name and perform much the same purpose, the details of the protocol for IPv4 and IPv6 are sufficiently different that they can be considered separate protocols. In this article we explain the DHCP for IPv4 protocol and its packets.

How It Works

A client initially knows nothing about the network it is joining, so it needs to contact the DHCP server to request an IP address and receive other network information such as the subnet mask and the address of the DNS server. However, the MAC and IP address of the DHCP server are initially unknown to the client as well. So how can the new client contact the DHCP server if it doesn’t know its location?

To solve this bootstrap problem the DHCP protocol uses special broadcast…

Tags: dhcpdiscover, dhcpoffer, dhcprequest, router, switch
Networking
20 June 2011 1 Comment

Wireshark Filters for Ethernet Multicast and Broadcast

On the Ethernet level, multicast traffic (and broadcast, which is just a special case of multicast) can be recognized by the least significant bit of the most significant byte of the MAC address. If this bit is set to 1, then the Ethernet frame is multicast traffic, otherwise it is unicast.

Display Filter for Excluding Broadcast/Multicast Traffic

!(eth.dst[0] & 1)

A display filter is used for packet filtering while viewing captured traffic.

Capture Filter for Excluding Broadcast/Multicast Traffic

not broadcast and not multicast

Wireshark capture filters are specified before capturing commences, and use the same syntax as tcpdump, WinDump, Analyzer, and any other program that uses the libpcap/WinPcap library. Capture filters can exclude traffic from being captured at all.…

Tags: display filter, eth.dst
Linux
18 June 2011 1 Comment

Packet Crafting on Linux Using Scapy

Introduction

Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer. It is written in Python, and is installed by default on Backtrack 4+. On Ubuntu it can be installed using this command:

sudo apt-get install scapy

The official scapy documentation is located here, and you may also need a Python Cheat Sheet.

Scapy Basics

Execute scapy at the command-line to run the Python interpreter with the scapy libraries loaded.

Start up scapy and run the ls() command. This will list all supported packet types.

$ scapy
Welcome to Scapy (2.0.0.5 beta)
>>> ls()
ARP        : ARP
ASN1_Packet : None
BOOTP      : BOOTP
CookedLinux : cooked linux
DHCP       : DHCP options
...more

List all available functions using lsc():

>>> lsc()
 sr               : Send and receive packets at layer 3
 sr1              : Send packets at layer 3 and return only the first answer
 srp              : Send and receive packets at layer 2
 srp1             : Send and receive packets at layer 2 and return only the first answer
 srloop           : Send a packet at layer 3 in loop and print the answer each time

The ls() command can do much more. Show the fields of the IP packet structure with ls(IP).

Tags: lsc, packet crafting, packet generator, scapy
Networking
18 June 2011 0 Comments

An Introduction to ARP Cache Poisoning

Other posts in the ARP series: The ARP protocol explained, Viewing and manipulating the ARP cache on Windows and Linux

Remember that each network interface maintains a table of (IP->MAC) mappings in its ARP cache. The ARP protocol packet has the following structure:

Structure of an ARP packet

There are two types of ARP packets: request and reply. The type is determined by the Operation Code field. The table below shows a scenario of normal operation:

  • Host A sends an ARP request looking for the MAC address of Host B.
  • Host B responds with an ARP reply.

This ARP packet is encapsulated in an Ethernet frame with the following values:

Normally an ARP request is sent because the sender wants to talk to a given IP address and needs to find out the associated MAC address. But sometimes the sender generates an ARP packet to inform the receivers about some information, instead of asking for information. This is called gratuitous ARP and is commonly used in the following situations:

  • Duplicate address detection
  • Change of MAC address
  • Virtual IP

Routers and other network hardware may cache routing information gained from multiple gratuitous ARP packets. Read this page for more information. For gratuitous…

Tags: gratuitous, poisoning, reply, request, unsolicited
Networking
18 June 2011 0 Comments

Viewing and Manipulating the ARP Cache on Windows and Linux

Other posts in the ARP series: The ARP protocol explained and An introduction to ARP cache poisoning.

Both Windows and Linux have a tool called arp. I tested this with Windows 7 and Linux kernel 2.6.31, but this information should be true for just about every OS version since the dawn of TCP/IP.

Command Overview

Be aware that there is one ARP cache (table) per interface, as opposed to the routing table, which is global for the system.

Windows: arp.exe

Open an (you need administrator rights). Now you can type arp to execute the Windows ARP cache manager.

Display the current ARP entries for each interface with arp -a:

C:\>arp -a

Interface: 232.19.232.231 --- 0xb
Internet Address      Physical Address      Type
232.19.232.2          22-22-2c-27-ac-22     dynamic
232.19.232.22         22-21-f3-23-3e-23     dynamic
232.19.232.32         22-29-33-c1-c2-24     dynamic
232.19.232.91         22-2d-29-a9-33-17     dynamic
232.19.232.231        22-22-29-c2-22-b7     dynamic
232.19.232.242       …

Tags: arp.exe, clear cache, internet address, physical address
Networking
17 June 2011 3 Comments

The ARP Protocol Explained

Introduction

The Address Resolution Protocol, or ARP, is used for resolution of network-layer addresses (IP) to link-layer addresses (MAC). This post describes the basics of the ARP protocol; viewing and manipulating your ARP cache is discussed in the next post.

Other posts on the ARP protocol are available here:

  • Viewing and manipulating the ARP cache on Windows and Linux.
  • An introduction to ARP cache poisoning.

ARP Basics

When a system wants to send data to another computer, it prepares an IP packet with the appropriate destination IP. This packet is passed down to the link-layer (usually Ethernet). This layer needs to encapsulate the IP packet in an Ethernet frame before it can be sent.

An Ethernet frame must be addressed to a destination hardware address (MAC address). But which MAC address corresponds with the destination IP address? This is looked up in the ARP cache. The ARP cache contains mappings of the form (IP - MAC).

Source and Destination Hosts on the Same Local Network

The sending host will first look up the destination IP address in its routing table. If the destination IP is on the same physical network (subnet) then there are no routers between the host…