Packet capture analysis, like log analysis, is a basic part of network security. Traffic analysis is done by capturing packets and then inspecting them. Traffic on a network is, at bottom, a flow of packets, so being able to capture and examine those packets is what tells us what kind of traffic is flowing across the network we want to protect.
A range of tools is available for this, and Wireshark and tcpdump are the two most common.
What does Google say?
Tcpdump: It is a data-network packet analyser computer
program that runs under a command line interface. It allows the user to display
TCP/IP and other packets being transmitted or received over a network to which
the computer is attached.
Wireshark: It is a free and open-source packet
analyzer, used for network troubleshooting, analysis, software and
communications protocol development, and education.
Let’s dig a bit deeper.
User Interface:
Tcpdump: CLI based packet capturing tool.
Wireshark: GUI based packet capturing and analysis tool (its CLI counterpart, tshark, ships with it).
Available Network Interfaces:
Tcpdump: tcpdump -D lists the interfaces it can capture on, and -i selects one (on Linux, -i any captures on all of them).
Wireshark: shows the same interface list on its start page, with a live traffic graph per interface; double-click one to start capturing.
PCAP library:
Packet capture, or pcap, is the programming interface and file format through which tools read live frames off a network interface, from the data-link layer upward (OSI layers 2-7). On Unix-like systems it is provided by the open source libpcap library; on Windows by WinPcap, now superseded by Npcap. Analyzers such as tcpdump and Wireshark write what they capture to .pcap files, and Wireshark additionally supports the newer pcapng format (its default when saving), which adds per-interface metadata and packet comments. So libpcap/WinPcap/Npcap are the capture libraries, and pcap/pcapng are the file formats.
Both tcpdump and Wireshark use the same open source libpcap library.
Traffic analyzed:
As already defined, network traffic is the flow of packets in a network, and what you see in a capture varies with the port, the service behind it and the protocol flags.
Tcpdump decodes the common protocols (TCP, UDP, ICMP, ARP, DNS queries and a number of others) into a one-line summary per packet, but that is roughly where its analysis stops.
Wireshark goes much further: it has dissectors for well over a thousand protocols, it can decrypt payloads when the keys are known (TLS with a key-log file or the server’s RSA private key, WPA with the passphrase), and it can carve transferred files out of a capture (File > Export Objects) from HTTP, SMB, e-mail (IMF) and others.
So, for simple filters tcpdump is always a good choice, but for complex filtering and protocol analysis Wireshark should be your priority.
Reading pcap files:
A pcap file is the portable form of a capture. Packet collection tools like tcpdump and Wireshark let you capture traffic on one system, save it to a pcap file, copy that file to another system and analyse the packets there with whichever tool decodes them into a human-readable form.
Both tcpdump and Wireshark read packet captures from a file as well as from a live interface: tcpdump -w file.pcap writes one and tcpdump -r file.pcap reads it back, and Wireshark opens the same file from File > Open (or as a command-line argument). A common workflow is to capture with tcpdump on a headless server and analyse the file in Wireshark on a workstation.
Operating modes:
Unlike Wireshark, tcpdump runs from the command line, which limits what you can do with a captured packet interactively. Its default mode is therefore a brief one-line summary per packet, which keeps the output readable and the tool fast; more detail is available on request through the verbosity flags (-v, -vv, -vvv) and the hex-dump flags.
Wireshark’s understanding of application level protocols extends to its filter language. This allows filter rules like finding HTTP requests with a specific string in the URL. For example, the display filter
http.request.uri matches "q=wireshark"
locates every packet in the capture whose HTTP request URI contains the regular expression q=wireshark; here that would be a query parameter from a URL searching for "wireshark". Performing this kind of string filter is far easier in Wireshark than in tcpdump.
For Wireshark, just type the filter into the display filter bar.
tcpdump has no direct equivalent: its capture filters are BPF expressions over header fields (hosts, ports, protocols, flag bits), not application-layer strings, so the usual workaround is to print payloads in ASCII (-A) and pipe the output through grep. Matching a known string against every packet is instead something the kernel firewall can do. The iptables string match module, with the Boyer-Moore search algorithm selected by --algo bm, inspects every inbound packet’s payload for the string; note that this rule drops the matching packets rather than displaying them:
sudo iptables -A INPUT -m string --algo bm --string attack_string -j DROP
Use -j LOG instead of -j DROP if you only want such packets recorded in the kernel log.
Output format and PCAP file generation:
As already stated, tcpdump by default uses a minimal output format for speed. Although a capture holds OSI layers 2-7, tcpdump prints a human-readable summary of the key fields from layer 3 up, one line per packet, to standard output, i.e. your terminal. No pcap file is written unless you ask for one with -w, in which case the raw packets go to the file instead of being decoded (and can be decoded later with -r). The raw bytes of each packet can also be printed, in hex with -x or hex plus ASCII with -X.
Wireshark captures through its dumpcap helper into a temporary file, which the GUI reads and dissects as packets arrive; nothing permanent is written until you save, at which point you choose between pcapng (the default) and classic pcap for compatibility with older tools.
For a captured TCP packet, tcpdump shows the timestamp, the layer 3 protocol, source and destination IP addresses and ports, the TCP flags, sequence and acknowledgement numbers, window size and payload length.
When a packet is captured in Wireshark there are three panes: the packet list, the packet details (one expandable node per protocol layer) and the hexadecimal dump of the packet bytes. The same detail tcpdump prints is simply the packet list row. In addition, selecting a layer, or any field within it, in the details pane highlights the corresponding bytes in the hex pane.
So, in terms of output, Wireshark is really awesome.
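The following added example (written for this edit, not code from the original post or from tcpdump or Wireshark) ties the filter and output sections together. It builds a few Ethernet/IPv4/TCP frames in memory (a constructed client/server exchange between the made-up addresses 10.0.0.5 and 192.0.2.10), decodes them into the same fields tcpdump prints, formats a tcpdump-style summary line (absolute sequence numbers as with tcpdump -S, numeric addresses as with -n, timestamps in UTC) and applies a regex to the HTTP request URI the way the display filter http.request.uri matches "q=wireshark" does. The flag-letter order follows tcpdump’s print-tcp.c, which is why SYN+ACK prints as [S.] and PSH+ACK as [P.].

```python
import re
import socket
import struct
from datetime import datetime, timezone
from typing import List, Optional, Tuple

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
# One letter per flag, in the order tcpdump's print-tcp.c emits them.
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a header with a valid checksum sums to 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                    flags: int, window: int, payload: bytes = b"") -> bytes:
    """Ethernet + IPv4 + TCP with no options. The TCP checksum is left at zero
    (tcpdump only verifies it under -v); the IPv4 header checksum is filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("0242ac110002") + bytes.fromhex("0242ac110001") + struct.pack("!H", ETH_P_IP)
    return eth + ip + tcp


def decode_frame(frame: bytes) -> dict:
    """Pull out the fields tcpdump's one-line TCP summary is built from."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        raise ValueError("not an IPv4-over-Ethernet TCP frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != IPPROTO_TCP or len(ip) < total:
        raise ValueError("unsupported or truncated packet")
    tcp = ip[ihl:total]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    bits = off_flags & 0xFF                      # low byte = the eight classic flags
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": "".join(letter for bit, letter in TCP_FLAGS if bits & bit),
            "ack_set": bool(bits & 0x10), "payload": tcp[(off_flags >> 12) * 4:]}


def tcpdump_line(ts_sec: int, ts_usec: int, frame: bytes) -> str:
    """Summary line in the style of tcpdump -S -n, with the timestamp in UTC."""
    p = decode_frame(frame)
    n = len(p["payload"])
    stamp = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%H:%M:%S") + ".%06d" % ts_usec
    parts = ["Flags [%s]" % p["flags"],
             "seq %d:%d" % (p["seq"], p["seq"] + n) if n else "seq %d" % p["seq"]]
    if p["ack_set"]:
        parts.append("ack %d" % p["ack"])
    parts += ["win %d" % p["window"], "length %d" % n]
    return "%s IP %s.%d > %s.%d: %s" % (stamp, p["src"], p["sport"], p["dst"], p["dport"], ", ".join(parts))


REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def http_request_uri(payload: bytes) -> Optional[str]:
    """URI from an HTTP/1.x request line at the start of a TCP payload, else None."""
    m = REQUEST_LINE.match(payload)
    return m.group(2).decode("ascii", "replace") if m else None


def match_uri(frames: List[bytes], pattern: str) -> List[Tuple[int, str]]:
    """Python-regex stand-in for the display filter http.request.uri matches "<pattern>"
    (Wireshark uses PCRE; the two agree for simple patterns). Returns (index, URI) pairs."""
    rx = re.compile(pattern)
    return [(i, uri) for i, frame in enumerate(frames)
            for uri in [http_request_uri(decode_frame(frame)["payload"])]
            if uri is not None and rx.search(uri)]


# Constructed exchange: handshake, then two GETs from a made-up client
# (10.0.0.5) to a made-up server (192.0.2.10, in the TEST-NET-1 range).
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
HTTP_REQ_A = b"GET /search?q=wireshark HTTP/1.1\r\nHost: example.com\r\n\r\n"
HTTP_REQ_B = b"GET /search?q=tcpdump HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_FRAMES = [
    build_tcp_frame(CLIENT, SERVER, 51234, 80, 1000, 0, 0x02, 64240),               # SYN
    build_tcp_frame(SERVER, CLIENT, 80, 51234, 5000, 1001, 0x12, 65535),            # SYN+ACK
    build_tcp_frame(CLIENT, SERVER, 51234, 80, 1001, 5001, 0x18, 64240, HTTP_REQ_A),
    build_tcp_frame(CLIENT, SERVER, 51234, 80, 1001 + len(HTTP_REQ_A), 5001, 0x18, 64240, HTTP_REQ_B),
]

if __name__ == "__main__":
    for i, f in enumerate(SAMPLE_FRAMES):
        print(tcpdump_line(1700000000, i * 1500, f))
    print(match_uri(SAMPLE_FRAMES, "q=wireshark"))
```

Running it prints four lines of the shape tcpdump produces, and the final list holds only frame 2, the request whose URI contains q=wireshark. The same search in tcpdump would take something like -A piped through grep, which matches on the whole printed packet rather than on one parsed field, so a string that happens to occur in a header or in an unrelated body would match too.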
IP and port analysis:
Both Wireshark and tcpdump show source and destination IP addresses in dotted-decimal form along with the port numbers used by the communication.
By default tcpdump goes one step further and tries to resolve IP addresses to host names and port numbers to service names (80 becomes http). Use -n to print addresses as numbers and -nn to leave port numbers alone as well; this is almost always what you want on a sensor, because the reverse lookups are slow and generate DNS traffic of their own, which then shows up in the very capture you are taking.
Wireshark’s better understanding of application protocols enables filtering on protocols and their specific fields. It can also follow a TCP stream (Analyze > Follow > TCP Stream), which reassembles both directions of a session so the complete two-way exchange is available at once. Wireshark can decrypt WPA/WPA2 wireless traffic when given the passphrase (provided the four-way handshake was captured) and TLS when given the session keys or the server’s private key, and it can extract audio from unencrypted RTP calls (Telephony > RTP).
This efficient filtering and decoding of protocol-level data gives Wireshark a real edge over tcpdump.
Although Wireshark seems far better than tcpdump, for quick, short-hand packet capturing tcpdump is preferred: it is lightweight, runs on headless systems and over SSH, and its small footprint means fewer dropped packets on a busy link. For simple captures, tcpdump is the more dependable choice. When it comes to complex analysis, Wireshark is always one’s first choice.
Demo scans:
Tcpdump:
(annotated screenshot of a tcpdump capture; the colour key is)
Red: time stamp
Magenta: Layer 3 protocol (IPv4, here)
Yellow: source and destination IP address
Green: TCP flags
Brown: TCP sequence number
Pink: acknowledgement number
Blue: TCP window size
Purple: payload size
Tcpdump lets us inspect these values directly from the packets: it shows the data that fills the various fields making up the headers, layer by layer.
Wireshark:
(annotated screenshot of the Wireshark main window; the colour key is)
Blue: list of packets
Red: layer-wise representation of the selected packet
Green: hexadecimal representation of the packet data
Above the packet list pane is the display filter box, which allows complex filtering of the packets shown. This is different from capture filters, which use the same BPF syntax as tcpdump because both go through libpcap: a capture filter decides what gets recorded at all, while a display filter only decides what is shown.
The main aim is to analyse network traffic by capturing packets. Which tool to use comes down to preference: your ease with the tool, the output format you need and, most importantly, whether the capture and analysis is simple or complex.
1 Comment
Good info, Cheers!