
Packet analysis with WIRESHARK

A brief introduction to Wireshark

- Wireshark has a long history. Gerald Combs was the original developer. The first version, called Ethereal, was released in 1998. Eight years after that first release Combs left his job to pursue another career opportunity. Unfortunately, he could not reach an agreement with the company that employed him over the rights to the Ethereal trademark, so in 2006 Combs and the rest of the development team gave the Ethereal product a new name; the project was called Wireshark.

- Wireshark has grown strongly since then: the development team now counts up to 500 contributors. The product lives on even though Ethereal is no longer developed.

- The benefits Wireshark offers are what made it as popular as it is today. It meets the needs of professional analysts and beginners alike, because it provides features that appeal to every kind of user.

Supported protocols: Wireshark stands out for the number of protocols it supports (around 850 when this was written; current releases dissect far more), from common ones such as TCP and IP to older or more exotic ones such as AppleTalk and BitTorrent. And because Wireshark is developed as an open-source project, new protocols keep being added; broadly speaking, there is hardly a protocol Wireshark cannot support.

User-friendly: Wireshark's interface is one of the easiest to use among packet analysis tools. It is a graphical application with a clear, well-organised menu system. Unlike products driven by a complex command line, such as tcpdump, Wireshark's graphical interface is excellent for anyone entering the world of protocol analysis.

Cost: Wireshark is free software, released under the GPL. You can download and use Wireshark for any purpose, including commercial use.

Support: The Wireshark community is one of the best and most active of any open-source project.

Supported operating systems: Wireshark runs on most operating systems in use today.

1. Some basic scenarios

In this part we turn to concrete problems: using Wireshark and packet analysis to solve a specific network problem. We present a number of typical scenarios.

A Lost TCP Connection

One of the most common problems is a lost network connection. We will set aside why the connection was lost and look only at what it looks like at the packet level. Example: a file transfer loses its connection. The capture begins with four TCP ACK packets from 10.3.71.7 to 10.3.30.1.

Figure 3.1-1: This capture begins simply enough with a few ACK packets.

The trouble starts at packet 5, where we see TCP retransmissions.

Figure 3.1-2: These TCP retransmissions are a sign of a weak or dropped connection.

By design, TCP sends a segment to its destination and, if no acknowledgement arrives within the retransmission timeout, sends the original segment again. If there is still no response, the sender doubles the wait time before each further retransmission (exponential backoff).

As the figure shows, TCP retransmits the segment five times; if none of the five attempts is answered, the connection is considered dead. In Wireshark the sequence looks like this:

Figure 3.1-4: Windows will retransmit up to five times by default.

The limit of five is the Windows default (TcpMaxDataRetransmissions); other stacks differ, for example Linux defaults to 15 attempts (net.ipv4.tcp_retries2), so the count you see depends on the sending host. Being able to identify retransmitted packets is sometimes exactly what lets us find out where in the network the connection is being lost.
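The retransmission pattern described above can be checked mechanically. The following is an added example, not code from the page or from Wireshark: it works over a constructed list of TCP segments (timestamps and addresses are made up, the 10.3.71.7 to 10.3.30.1 pair mirrors the capture above), flags repeated copies of the same (src, dst, seq, len) as retransmissions the way Wireshark's [TCP Retransmission] tag does, tests whether the gaps between copies double, and compares the count against the per-OS retransmission budget.

```python
from collections import defaultdict

# Constructed sample capture (not from the page). Four pure ACKs from 10.3.71.7
# to 10.3.30.1, then one data segment that is never acknowledged and is
# retransmitted five times with a doubling timeout (0.3, 0.6, 1.2, 2.4, 4.8 s).
# Fields: (time_s, src, dst, seq, payload_len, flags)
SAMPLE = [
    (0.000, "10.3.71.7", "10.3.30.1", 1000, 0, "A"),
    (0.010, "10.3.71.7", "10.3.30.1", 1000, 0, "A"),
    (0.020, "10.3.71.7", "10.3.30.1", 1000, 0, "A"),
    (0.030, "10.3.71.7", "10.3.30.1", 1000, 0, "A"),
    (1.000, "10.3.71.7", "10.3.30.1", 1000, 1460, "PA"),   # original data segment
    (1.300, "10.3.71.7", "10.3.30.1", 1000, 1460, "PA"),   # retransmission 1
    (1.900, "10.3.71.7", "10.3.30.1", 1000, 1460, "PA"),   # retransmission 2
    (3.100, "10.3.71.7", "10.3.30.1", 1000, 1460, "PA"),   # retransmission 3
    (5.500, "10.3.71.7", "10.3.30.1", 1000, 1460, "PA"),   # retransmission 4
    (10.300, "10.3.71.7", "10.3.30.1", 1000, 1460, "PA"),  # retransmission 5
]

# Retransmission budget before the stack gives up on the connection
# (Windows TcpMaxDataRetransmissions default 5; Linux net.ipv4.tcp_retries2 default 15).
MAX_RETRIES = {"windows": 5, "linux": 15}


def is_doubling(gaps, tolerance=0.25):
    """True if every gap is roughly twice the previous one, i.e. RTO backoff."""
    if len(gaps) < 2:
        return False
    return all(abs(b / a - 2.0) <= tolerance for a, b in zip(gaps, gaps[1:]))


def find_retransmissions(packets):
    """Group segments that consume sequence space by (src, dst, seq, len).
    More than one copy of the same key is a retransmission; pure ACKs carry
    no data and are not counted."""
    seen = defaultdict(list)
    for t, src, dst, seq, plen, flags in packets:
        if plen > 0 or "S" in flags or "F" in flags:
            seen[(src, dst, seq, plen)].append(t)
    reports = []
    for (src, dst, seq, plen), times in seen.items():
        if len(times) < 2:
            continue
        gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
        reports.append({
            "src": src, "dst": dst, "seq": seq, "len": plen,
            "retransmissions": len(times) - 1,
            "gaps": gaps,
            "exponential_backoff": is_doubling(gaps),
        })
    return reports


def connection_given_up(report, os_name="windows"):
    """Has the sender exhausted its retransmission budget for this segment?"""
    return report["retransmissions"] >= MAX_RETRIES[os_name]


if __name__ == "__main__":
    for r in find_retransmissions(SAMPLE):
        print(r, "-> given up on Windows:", connection_given_up(r))
```

Run against a real capture you would feed it the time, addresses, sequence number, segment length and flags columns exported from Wireshark; the doubling check is what distinguishes a dead peer (clean backoff, then silence) from a lossy link (retransmissions that do get answered and then resume at the normal rate).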

Unreachable Destinations and ICMP Codes

One of the first tools for checking network connectivity is ICMP ping. If you are lucky the target replies, which means the check succeeded; if not, you get a message that the host cannot be reached. Capturing packets while you ping gives far more information than the ping output alone: we get to see exactly which ICMP error came back, and who sent it.

Figure 3.1-5: A standard ping request from 10.2.10.2 to 10.4.88.88

The figure below shows the message that 10.4.88.88 cannot be reached; note that it is sent by 10.2.99.99, not by the target.

So, unlike a plain ping, the capture shows where the path breaks: the ICMP error comes from 10.2.99.99, a router along the way, so that is the point beyond which the destination is unreachable. ICMP errors also carry a type and a code: destination-unreachable messages are type 3, and the code gives the reason (network, host, protocol or port unreachable, among others).

Figure 3.1-6: This ICMP type 3 packet is not what we expected.

Unreachable Port

Another routine task is checking connectivity to a particular port on a server. The check tells us whether the port is open and ready to accept incoming requests.

For example, to check whether the FTP service is running on a server (FTP normally listens on port 21), we send a probe to port 21 and watch the answer. If the server replies with an ICMP type 3 message with code 3 (port unreachable), nothing is listening on that port. Keep in mind that port unreachable is what a host returns for a UDP datagram to a closed port; a closed TCP port answers with a RST instead, and a port that is filtered by a firewall usually answers with nothing at all, so silence is a clue of its own.
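An added example, not from the page or from Wireshark, tying together the two cases above (a router reporting an unreachable host, and a host reporting an unreachable port). A destination-unreachable message quotes the IP header and the first 8 bytes of the packet that triggered it, which is how Wireshark can show you which original destination and port the error is about; the decoder below recovers the same fields from raw bytes and verifies the ICMP checksum. The sample message is constructed in code (addresses 10.2.10.2 and 10.4.88.88 reuse the figure above; the source port and the UDP probe are assumptions).

```python
import struct
import ipaddress

# ICMP type 3 (destination unreachable) codes, RFC 792 / RFC 1122.
UNREACHABLE_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    5: "source route failed", 6: "destination network unknown",
    7: "destination host unknown", 9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Computed over a message that already
    carries a correct checksum it returns 0, which is how we verify one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_unreachable(code, orig_src, orig_dst, proto, sport, dport):
    """Constructed ICMP type 3 message: 8-byte ICMP header, then the offending
    datagram's IPv4 header and its first 8 bytes, exactly what a router quotes."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, proto, 0,
                           ipaddress.IPv4Address(orig_src).packed,
                           ipaddress.IPv4Address(orig_dst).packed)
    inner_l4 = struct.pack("!HHHH", sport, dport, 8, 0)  # UDP: sport, dport, len, csum
    body = inner_ip + inner_l4
    hdr = struct.pack("!BBHI", 3, code, 0, 0)
    return struct.pack("!BBHI", 3, code, checksum(hdr + body), 0) + body


def parse_icmp(raw: bytes) -> dict:
    """Decode an ICMP message; for type 3 also recover whom the original packet was for."""
    icmp_type, code, _, _ = struct.unpack("!BBHI", raw[:8])
    info = {"type": icmp_type, "code": code, "checksum_ok": checksum(raw) == 0}
    if icmp_type == 3:
        info["reason"] = UNREACHABLE_CODES.get(code, "unknown code")
        inner = raw[8:]                      # quoted IPv4 header of the original packet
        ihl = (inner[0] & 0x0F) * 4
        info["orig_proto"] = inner[9]
        info["orig_src"] = str(ipaddress.IPv4Address(inner[12:16]))
        info["orig_dst"] = str(ipaddress.IPv4Address(inner[16:20]))
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])  # first 8 bytes: ports
        info["orig_sport"], info["orig_dport"] = sport, dport
    return info


if __name__ == "__main__":
    msg = build_unreachable(3, "10.2.10.2", "10.4.88.88", 17, 40000, 21)
    print(parse_icmp(msg))
```

The quoted header is also why a type 3 message from a router is trustworthy evidence: it names the original source and destination, so you can match it to the exact probe you sent rather than guessing from timing.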

Fragmented Packets

Figure 3.1-7: This ping request requires three packets rather than one because the data being transmitted is above average size.

In this capture the packets are larger than the 32 bytes of data a Windows host sends by default when pinging: the ping carries 3,072 bytes, more than fits in a single Ethernet frame (1,500-byte MTU), so IP splits the request into three fragments.

Determining Whether a Packet Is Fragmented
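How the three packets in Figure 3.1-7 come about, and how to tell a fragment from an ordinary packet, as an added worked example (not code from the page). It assumes an Ethernet MTU of 1,500 bytes, a 20-byte IPv4 header and the 8-byte ICMP echo header; with those, 3,072 bytes of ping data need three IP fragments. The fragment test reads the same two header bytes Wireshark shows under "Flags" and "Fragment offset".

```python
ETH_MTU = 1500      # assumed Ethernet MTU
IPV4_HEADER = 20    # IPv4 header without options
ICMP_ECHO_HEADER = 8


def fragment(payload_len, mtu=ETH_MTU, ihl=IPV4_HEADER):
    """Split an IP payload into fragments that fit the MTU.
    Every fragment but the last must carry a multiple of 8 bytes, because the
    header stores the offset in 8-byte units. Returns
    (offset_in_8_byte_units, more_fragments_flag, fragment_payload_len) tuples."""
    per_frag = ((mtu - ihl) // 8) * 8
    frags, off = [], 0
    while off < payload_len:
        size = min(per_frag, payload_len - off)
        more = off + size < payload_len
        frags.append((off // 8, more, size))
        off += size
    return frags


def ping_fragments(data_len, mtu=ETH_MTU):
    """Number of IP packets an ICMP echo request carrying data_len bytes needs."""
    return len(fragment(data_len + ICMP_ECHO_HEADER, mtu))


def is_fragment(flags_and_offset):
    """IPv4 header bytes 6-7: bit 14 = DF, bit 13 = MF, low 13 bits = offset.
    A packet is part of a fragmented datagram if MF is set or the offset is
    non-zero (the last fragment has MF clear but a non-zero offset)."""
    mf = (flags_and_offset >> 13) & 1
    offset = flags_and_offset & 0x1FFF
    return bool(mf) or offset != 0


def reassembled_length(frags):
    """Total payload once every fragment is present, or None if a piece is missing
    (a gap in the offsets, or no fragment with MF clear)."""
    expected = 0
    last_has_more = True
    for off, more, size in sorted(frags):
        if off * 8 != expected:
            return None
        expected += size
        last_has_more = more
    return None if last_has_more else expected


if __name__ == "__main__":
    for f in fragment(3072 + ICMP_ECHO_HEADER):
        print("offset=%d MF=%s payload=%d" % f)
    print("packets needed for ping -l 3072:", ping_fragments(3072))
```

Only the first fragment carries the ICMP header; the others are raw IP fragments, which is why Wireshark labels them "Fragmented IP protocol" and only shows the echo request once reassembly completes. Missing fragments are a frequent cause of "ping works with small packets but not large ones" on paths with a smaller MTU.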

No Connectivity

Problem: two new employees, Hải and Thanh, are seated next to each other and, naturally, each gets a computer. After the two machines have been set up and joined to the network, a problem appears: Hải's computer works fine and has normal network access, but Thanh's cannot reach the Internet.

Goal: find out why Thanh's computer has no Internet connectivity and fix it.

What we know:

- both computers are new
- both have an IP address configured and can ping other machines on the network

In short, there is no obvious difference between the two machines' configuration.

Procedure: install Wireshark directly on both machines.

Analysis:

First, on Hải's machine we see a normal HTTP session. It starts with an ARP broadcast to find the layer-2 (MAC) address of the gateway, here 192.168.0.10. Once Hải's computer has the reply, it completes the TCP handshake with the outside host through the gateway and the session proceeds.

Figure 3.1-8: His computer completes a handshake, and then HTTP data transfer begins.

Thanh's computer:

Figure 3.1-9: Thanh's computer appears to be sending an ARP request to a different IP address.

The figure shows an ARP request that differs from the previous case: the gateway address being asked for is 192.168.0.11. After that we see NetBIOS traffic, which is itself a sign of trouble.

NetBIOS is an older protocol that Windows falls back to when communication over TCP/IP is not working. So Thanh's machine is unable to get out over TCP/IP. The ARP requests on the two machines in detail:

Hải's machine

Thanh's machine

Conclusion: Thanh's machine is configured with the wrong gateway address and therefore cannot reach the Internet; the gateway must be set back to 192.168.0.10.
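The same diagnosis can be made from the ARP frames alone, without waiting for the NetBIOS fallback. Below is an added example (not from the page or from Wireshark) that walks a constructed list of ARP requests and replies, lists requests that never got an answer, and separates the two possible readings: a host asking for an address that is not the real gateway (mistyped gateway, the case above) versus a host asking for the real gateway and getting no reply (the gateway itself is not reachable at layer 2). The MAC addresses and the host IPs 192.168.0.101 and 192.168.0.102 are made up; 192.168.0.10 and 192.168.0.11 are the addresses from the scenario.

```python
from collections import defaultdict

REQUEST, REPLY = 1, 2   # ARP opcodes

# Constructed ARP frames (not from the page): (time_s, opcode, sender_mac, sender_ip, target_ip).
# 192.168.0.101 stands in for Hải's machine, 192.168.0.102 for Thanh's.
SAMPLE_ARP = [
    (0.000, REQUEST, "00:11:22:33:44:01", "192.168.0.101", "192.168.0.10"),   # who has the gateway?
    (0.001, REPLY,   "00:11:22:33:44:fe", "192.168.0.10",  "192.168.0.101"),  # gateway answers
    (1.000, REQUEST, "00:11:22:33:44:02", "192.168.0.102", "192.168.0.11"),   # asks the wrong address
    (2.000, REQUEST, "00:11:22:33:44:02", "192.168.0.102", "192.168.0.11"),   # ... and again
    (3.000, REQUEST, "00:11:22:33:44:02", "192.168.0.102", "192.168.0.11"),   # ... nobody answers
]


def unanswered_arp(frames):
    """Count ARP requests per (asker, asked-for IP) that never got a matching reply.
    A reply matches when it comes from the asked-for IP and is addressed to the asker."""
    asked = defaultdict(int)
    answered = set()
    for _, op, _, sender_ip, target_ip in frames:
        if op == REQUEST:
            asked[(sender_ip, target_ip)] += 1
        elif op == REPLY:
            answered.add((target_ip, sender_ip))
    return {key: n for key, n in asked.items() if key not in answered}


def diagnose_gateway(frames, expected_gateway, min_requests=2):
    """Hosts that repeatedly ARP without an answer, with the likely cause.
    min_requests filters out the single unanswered request that happens when a
    peer is merely slow; repeated identical requests are the real signature."""
    findings = []
    for (host, target), n in unanswered_arp(frames).items():
        if n < min_requests:
            continue
        if target == expected_gateway:
            verdict = "gateway itself not answering ARP (down, wrong VLAN or cabling)"
        else:
            verdict = "host configured with wrong gateway; set it to " + expected_gateway
        findings.append({"host": host, "asked_for": target, "requests": n, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in diagnose_gateway(SAMPLE_ARP, "192.168.0.10"):
        print(f)
```

The Wireshark display filter equivalent for the first step is arp.opcode == 1 with no corresponding arp.opcode == 2 for the same target; the script just automates that pairing.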

The Ghost in Internet Explorer

Symptoms: on A's computer, whenever Internet Explorer is used the browser keeps redirecting itself to a large number of advertising pages. Changing the home page by hand does not help, and neither does restarting the machine.

What we know:

- A is not very experienced with computers
- A's computer runs Windows XP with IE 6

Procedure:

Because the problem occurs only on A's machine, and A's home page is changed each time IE is opened, we capture the traffic from A's machine. We do not necessarily have to install Wireshark on A's computer itself; we can use the "hubbing out" technique (put a hub between the machine and the switch and capture from a third machine plugged into the hub).

Analysis:

Figure 3.1-13: Since there is no user interaction happening on A's computer at the time of this capture, all of these packets going across should set off some alarms.

Packet 5 in detail:

Figure 3.1-14: Looking more closely at packet 5, we see it is trying to download data from the Internet.

The machine is sending an HTTP GET request to the address shown in the figure.

Figure 3.1-15: A DNS query to the weatherbug.com domain gives a clue to the culprit.

The reply packets then start to look odd: they arrive out of order, and several of the following packets are duplicate ACKs.

Figure 3.1-16: A DNS query to the weatherbug.com domain gives a clue to the culprit.

After all of that comes a DNS query for deskwx.weatherbug.com, an address A has never heard of and has no intention of visiting.

So it appears that some process changes the home page each time IE is launched. Using a process inspection tool such as Process Explorer we find a process named weatherbug.exe running. After that process is killed the symptom disappears. Processes like weatherbug are commonly spyware or adware. Note that killing the process only removes the symptom: unless its autostart entry and any browser add-on it installed are removed as well, it will usually be back after the next logon.

Process Explorer interface
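The decisive clue above was a DNS lookup the user never asked for. As an added example (not from the page or from Wireshark), the following parser reads the question name out of raw DNS query bytes, including the 0xC0 compression pointers that responses use, and reports every name that is not under a domain you expect an idle machine to contact. The queries are constructed in code; the allow-list of "expected" domains is an assumption you would replace with whatever is normal for the machine being examined.

```python
import struct


def build_dns_query(name, txid=0x1234, qtype=1):
    """Constructed DNS query: standard header with RD set and one A-record question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_qname(raw, offset=12):
    """Decode the label sequence at offset (length-prefixed labels, 0 terminator).
    Follows 0xC0 compression pointers, which responses use to refer back to the
    question name. Returns (name, offset of the byte after the name in the
    original position, not after the pointed-to copy)."""
    labels, end, jumped = [], None, False
    while True:
        length = raw[offset]
        if length & 0xC0 == 0xC0:                       # two-byte pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", raw[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(raw[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_query(raw):
    """Transaction id, direction and the first question of a DNS message."""
    txid, flags = struct.unpack("!HH", raw[:4])
    name, off = parse_qname(raw, 12)
    qtype, qclass = struct.unpack("!HH", raw[off:off + 4])
    return {"id": txid, "is_query": not flags & 0x8000,
            "qname": name, "qtype": qtype, "qclass": qclass}


def unexpected_lookups(queries, allowed_suffixes):
    """Names queried that are not under any expected domain. On a machine that
    is supposedly idle, every hit here deserves an explanation."""
    out = []
    for raw in queries:
        name = parse_query(raw)["qname"].lower()
        if not any(name == s or name.endswith("." + s) for s in allowed_suffixes):
            out.append(name)
    return out


if __name__ == "__main__":
    capture = [build_dns_query("windowsupdate.microsoft.com"),
               build_dns_query("deskwx.weatherbug.com")]
    print(unexpected_lookups(capture, ["microsoft.com", "windowsupdate.com"]))
```

In Wireshark the same triage is the dns.flags.response == 0 filter plus the dns.qry.name column; the value of scripting it is that you can run it over a long idle-period capture and only read the handful of names that were not expected.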

FTP connection failure

Scenario: a Windows Server 2003 machine has just had its service packs and updates installed and the FTP server software has been set up. An FTP account exists and the credentials are correct, but the client cannot connect.

What we know:

- FTP works on port 21

Procedure: install Wireshark on both machines.

Analysis:

Client:

Figure 3.1-19: The client tries to establish connection with SYN packets but gets no response; then it sends a few more.

The client sends SYN packets to start the handshake with the server, but the server never answers.

Server:

Figure 3.1-20: The client and server trace files are almost identical.

Three things could cause this:

- The FTP server is not running. This is not the case: our FTP server was confirmed to be running at the start.

- The server is overloaded or receiving so much traffic that it cannot answer. This is also unlikely: the server has only just been installed.

- Port 21 is blocked on the client side, on the server side, or on both. Note what the two captures tell us: the server trace shows the SYNs arriving, so nothing on the client or on the network path is dropping them, and the server sends back neither a SYN-ACK nor a RST, so the packets are being silently discarded on the server host itself. On checking, we found that the server blocks port 21 in both the incoming and outgoing directions in Local Security Policy.
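The reasoning in the last point generalises to any failed TCP connect, and is worth writing down because the two captures together answer more than either one alone. The following is an added example, not code from the page: given a client-side and a server-side capture as lists of (src, dst, sport, dport, flags), it returns where the connection is being stopped. The addresses, the ephemeral port and the two constructed traces (SYNs visible on both hosts, nothing coming back, as in the scenario) are assumptions.

```python
# Constructed traces (not from the page). One packet = (src, dst, sport, dport, flags),
# flags in Wireshark style: "S" SYN, "SA" SYN-ACK, "RA" RST-ACK.
CLIENT_IP, SERVER_IP, FTP_PORT, EPHEMERAL = "192.168.1.20", "192.168.1.10", 21, 49152

# What the scenario shows: the client's SYNs are visible on both hosts, nothing comes back.
CLIENT_TRACE = [(CLIENT_IP, SERVER_IP, EPHEMERAL, FTP_PORT, "S")] * 3
SERVER_TRACE = [(CLIENT_IP, SERVER_IP, EPHEMERAL, FTP_PORT, "S")] * 3


def diagnose_syn(client_trace, server_trace, client, server, port):
    """Decide where a failed TCP connect to server:port is being stopped by
    comparing what each side's capture contains."""
    def seen(trace, src, dst, flags):
        for s, d, sp, dp, f in trace:
            on_port = dp == port if d == server else sp == port
            if (s, d, f) == (src, dst, flags) and on_port:
                return True
        return False

    if not seen(client_trace, client, server, "S"):
        return {"verdict": "no_attempt",
                "detail": "client never sent a SYN: application or name-resolution problem"}
    if seen(client_trace, server, client, "SA"):
        return {"verdict": "established",
                "detail": "handshake completed; the fault is above TCP (e.g. FTP authentication)"}
    if seen(client_trace, server, client, "RA"):
        return {"verdict": "closed",
                "detail": "server answered RST: port reachable but nothing is listening"}
    if not seen(server_trace, client, server, "S"):
        return {"verdict": "blocked_before_server",
                "detail": "SYN never reached the server: client host firewall or network path"}
    if seen(server_trace, server, client, "SA"):
        return {"verdict": "blocked_return_path",
                "detail": "server sent SYN-ACK the client never saw: return path or client-side filter"}
    return {"verdict": "filtered_on_server",
            "detail": "SYN arrives at the server and nothing leaves: dropped by a filter on the "
                      "server host (host firewall or an IPsec rule in Local Security Policy)"}


if __name__ == "__main__":
    print(diagnose_syn(CLIENT_TRACE, SERVER_TRACE, CLIENT_IP, SERVER_IP, FTP_PORT))
```

The order of the checks matters: a RST rules out a firewall (a filter that drops does not answer), and a SYN-ACK in the server trace that is absent from the client trace moves the blame off the server entirely. That is also why the page's list of three causes could be narrowed to the server-side policy without touching the client.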
