IP Packet Analysis Using Wireshark
The open source community is the community responsible for the global growth of the internet.
The default port for any web server is 80.
There are many problems that even big tech companies like Google and Microsoft cannot solve; therefore, we need the open source community.
Microsoft has Visual Studio Code.
A compiled language does not need an interpreter; all it needs is a driver. Visual Studio supports programming languages like C#. Most AI/ML tools use interpreted languages.
An interpreter makes sure that your code runs in the specified language even if the language changes its libraries.
Machines compute with switches.
C is a compiled language: the computer does not have to do extra work to process it.
Python is an interpreted language: there is extra work for the computer to do before it can process it.
Space-time complexity: limited space and faster speed to save time is the motivation behind all electronic devices. Time is managed by the CPU and space is managed by storage (temporary and permanent).
Companies are motivated by the competition to create algorithms. Generative AI uses interpreted languages. Competition is where the languages interact with the hardware. Interpreters allow for global competition.
Servers are programmed to look for index.html or home.html.
Alt attributes can be useful for people who cannot see. For instance, alt="Name of image". Screen-reader software can use this text to tell a visually impaired person the description of the image.
FTP = File Transfer Protocol, used to share documents on the web. But it is not secure: someone can not only intercept the transfer but also change/alter it.
SFTP = Therefore we use Secure File Transfer Protocol. The default port is 22.
Wireshark:
can be used for troubleshooting network problems, detecting network misuse, or checking the network for regulatory compliance. Network admins, developers, students, and security analysts can all benefit from Wireshark packet analysis. Developers benefit from understanding protocol behavior and application behavior: they can tell whether it is the application or the network protocol that is causing delays in a cloud-based application.
There are many protocols that can be used. Data is exchanged in one of two ways, UDP or TCP. Wireshark is a free network analysis tool that captures the packets that get transferred.
Wi-Fi sparklines can be seen as the first packet transfer to capture. For a wireless connection, the Ethernet sparkline will be just a straight line (dead line).
RTT = Round Trip Time.
Tapping into the data stream and finding out what is going on. Shared or hub-based = wireless network
Wired network = switch
Methods:
Monitor on device
Port mirroring
Full duplex tap in line with traffic on a wired network
A packet analyzer converts the gathered traffic, decodes it (from binary to human-readable form), and then displays it. Traffic enters the network one frame at a time. The decoding takes place in the capture engine called EPAN (Ethereal Packet Analyzer). Wireshark provides many tools to present the frame in human-readable format. The first panel is the packet list: Time, Source, Destination, Protocol, Type (IPv4).
The second panel is the information pertaining to each frame.
The third panel is the raw data: it can be shown as bits or as hexadecimal packet bytes.
Effective packet analysis goes through several phases: tap in the correct location, gather traffic, decode using EPAN, display in human-readable format.
Display filters (display only what you filter) and capture filters (capture only what you filter).
OSI model: the 7-layer OSI model is the standard for data transformation. There are 7 layers. There are common protocols in each layer. There are addresses that are needed for access.
Layer 7: Application layer: the user initiates using a web page - FTP, HTTP, SMTP - no addresses needed.
Layer 6: Presentation Layer: Optional encryption
Layer 5: Session: Initiate and Terminate and Maintain
Layer 4: Transport: transports data: TCP, UDP (connectionless protocol). A segment of data is transported; we need port addresses (source and destination) to transport.
Layer 3: Network: addressing and routing - IP (does not have an error reporting mechanism), ICMP (routes the data from source to destination and has an error reporting mechanism; however, it does not transport data by itself, for which it needs TCP - the TCP/IP binding is the most popular binding).
Layer X: Address Resolution Protocol: data is in the form of a packet and there is an IP address associated with the address.
Layer 2: Data Link: data is in the form of a frame; the address is a MAC address.
Layer 1: Physical layer: data is transmitted on the media; no addresses, just the transportation that takes place in the form of bits.
Frame formation: the encapsulation process takes place. Data is in the form of a web request. TCP/UDP header. IP header (packet, with the IP addresses of source and destination), frame header (MAC address) & frame trailer (frame check sequence). Frames help to analyze traffic better.
TCP: Transmission Control Protocol; the checksum in the TCP header monitors for error detection, not correction. Three-way handshake: Client (SYN packet) -> Server -> Client (ACKnowledgement). Often the connection drops and is then re-established.
UDP: User Datagram Protocol: 8-byte header, lightweight protocol, no handshake (or connection process), no teardown, great for time-sensitive applications like DNS. Source port, destination port, length, and checksum. The checksum is optional with IPv4 and mandatory with IPv6 (as IPv6 doesn't have error detection).
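As an added example (not part of these notes), the Python below builds a hand-constructed Ethernet II frame carrying an IPv4/UDP DNS query and then peels the layers back the way the capture engine does (frame header, IP header, UDP header, data), verifying the IPv4 header checksum and the optional UDP checksum with its pseudo-header. The MAC addresses, IP addresses, ports and DNS payload are all constructed values.

```python
import struct

# Constructed sample (not captured traffic): a DNS query for example.com sent from
# 192.0.2.10 to 192.0.2.53, encapsulated in UDP, IPv4 and an Ethernet II frame.
SRC_MAC = bytes.fromhex("66778899aabb")
DST_MAC = bytes.fromhex("001122334455")
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([192, 0, 2, 53])
DNS_QUERY = (struct.pack("!HHHHHH", 0xABCD, 0x0100, 1, 0, 0, 0)     # id, flags RD, 1 question
             + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))  # QNAME, type A, class IN


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame(payload: bytes = DNS_QUERY) -> bytes:
    """Encapsulate: data -> UDP header -> IP header -> frame header (no FCS: NICs strip it)."""
    udp_len = 8 + len(payload)
    pseudo = SRC_IP + DST_IP + struct.pack("!BBH", 0, 17, udp_len)   # IPv4 pseudo-header
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload
    udp_csum = inet_checksum(pseudo + udp) or 0xFFFF   # a computed 0 is sent as 0xFFFF
    udp = udp[:6] + struct.pack("!H", udp_csum) + payload
    # version 4 / IHL 5, TOS 0, total length, ID, DF flag set, TTL 64, protocol 17 (UDP)
    ip = struct.pack("!BBHHHBB", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, 17)
    ip = ip + struct.pack("!H", inet_checksum(ip + b"\x00\x00" + SRC_IP + DST_IP)) + SRC_IP + DST_IP
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + ip + udp


def decode_frame(frame: bytes) -> dict:
    """Peel the layers back the way an analyzer does: frame, IP packet, UDP segment, data."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip_ok = inet_checksum(ip[:ihl]) == 0    # a correct header sums to zero, checksum included
    if proto != 17:
        raise ValueError("only UDP is handled here")
    udp = ip[ihl:total_len]
    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", udp[:8])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, udp_len)
    # RFC 768: a zero checksum means the sender did not compute one (allowed over IPv4 only)
    udp_ok = udp_csum == 0 or inet_checksum(pseudo + udp[:udp_len]) == 0
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "ttl": ttl, "dont_fragment": bool(flags_frag & 0x4000),
        "src_port": sport, "dst_port": dport, "payload_len": udp_len - 8,
        "ip_checksum_ok": ip_ok, "udp_checksum_ok": udp_ok,
    }
```

A checksum catches corruption in transit, not deliberate alteration: whoever can change the bytes can recompute it, which is why the FTP versus SFTP note above matters.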
We can add comments in Capture File Properties (in Statistics) -> this will show up as an asterisk.
Protocol Hierarchy:
Coloring Rules:
IPv4: connectionless (no guarantee) but still good service. Earlier IPv4 had Identification, Flags, and Fragment fields (Reserved, Don't Fragment, Fragment Offset). Time to Live is the time for which packets go round and round without reaching their destination.
IPv6: large address space, autoconfiguration, no broadcast, streamlined header, connectionless, best protocol. No fragmentation; Time to Live is called Hop Limit. No IHL (Internet Header Length).
Traffic Class = 00000 means best effort.
Payload length = length of data in bytes that IPv4 is carrying.
ICMP = Internet Control Message Protocol: must be implemented by every IP module. No data is exchanged; it is simply error reporting and utility messages such as ping and echo.
Two categories of ICMP messages: error reporting and query. Type: destination. An ICMP error has the first 8 bits of the original datagram, the next 8 bits are the ICMP header code, and the last 16 bits are the checksum.
Iana.org/assignments/icmp-parameters provides all kinds of ICMP error codes and messages.
Flow Graph: is a tool in Wireshark that shows how the message completed its journey.
ICMPv6: an integral part of IPv6. No data is exchanged. Ping utility, echo request, echo reply only. Messages are like ICMP (version 4). Unlike v4, ICMPv6 has more roles, like informational messages, neighbor messages, destination unreachable, packet too big, incorrect parameter, etc. ARP and IGMP are not necessary.
DNS: Domain Name System: maps a host name to an IP address. The client sends a query to the DNS server for an IP address; the server responds to the request. It uses UDP port 53 for requests and TCP port 53 for zone transfers. A DNS message has: message header, questions, answers, authority resource records, additional resource records. It allows data to transact on the network.
DHCP: works at the application layer of the OSI model. Uses UDP for transport; the client uses port 68 and the server uses port 67. DHCP uses the DORA process: Discover (packet is broadcast), Offer (client says this is my IP, who wants it), Request (server accepts a request), and Acknowledge (sends an acknowledgement to the client). To look for DHCP in the display filter, use bootp.
FTP: File Transfer Protocol: application layer: file transfer using TCP port 20 (secondary port, for data transfer) and 21 (command channel). PASV request: the client initiates the request; the server responds with code 227 accepting the request.
HTTP: HyperText Transfer Protocol: application layer protocol, used since the 1990s. Uses TCP port 85 by default but can use other ports. The client sends an HTTP request indicating what it wants, then the server responds. Frame header > network layer header > transport layer header. Data changes according to the conversation. HTTP transfers the HTML that is rebuilt in our browser to display the website. HTTP code 200 means everything is okay.
ARP: Address Resolution Protocol: resolves an IP address to a MAC address on a local area network. Sits between layer 3 and layer 2. It has neither a network layer header nor a transport layer header.
Bootstrap Protocol: allows a connection to be established faster. Many times there is no IP address.
Expert Information system: a guide in Wireshark to check for errors like checksum errors. Red circle: errors; yellow circle: possible problems (warnings); cyan circle: notes of interest; blue circle: chats. Errors like bad checksum or malformed packet; warnings like connection resets; cyan notes like duplicate acknowledgement; blue chats like connection finish.
Expert Information, causes for concern: Zero Window, Keep-Alive, Duplicate Acknowledgement (the client requests the data over and over again until it receives it), Spurious Retransmission. All of these can cause latency in the network, such as processing delays, distance, and queuing delays when the buffer is full. A Dup ACK means "I have received X amount of data and I am ready for more." Stevens graph (in the Statistics drop-down): shows gaps in the transmission. A flat line indicates that data reception has stopped, leading to latency in the network. This graph indicates congestion on the network.
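As an added example (not part of these notes, and not Wireshark's own code), the Python below runs the Expert Information heuristics described above over a constructed TCP conversation: it flags a gap in the server's sequence numbers, the client's duplicate ACKs for the missing bytes, the retransmission that fills the gap, and a zero window. The addresses, ports and sequence numbers are constructed values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Segment:
    no: int        # frame number, as Wireshark's packet list would show it
    src: str       # "ip:port" of the sender
    dst: str
    seq: int
    ack: int
    flags: str     # letters as in tcpdump: S=SYN, A=ACK, P=PSH, F=FIN, R=RST
    window: int    # advertised receive window
    length: int    # TCP payload bytes


C, S = "192.0.2.10:51000", "192.0.2.80:80"
# Constructed capture (not real traffic): the server's segment carrying bytes 1501-3000
# is lost, the client repeats ACK 1501 for every later segment, the server retransmits,
# and finally the client advertises a zero window while its buffer drains.
SAMPLE = [
    Segment(1, C, S, 0, 0, "S", 65535, 0),
    Segment(2, S, C, 0, 1, "SA", 65535, 0),
    Segment(3, C, S, 1, 1, "A", 65535, 0),
    Segment(4, S, C, 1, 1, "PA", 65535, 1500),
    Segment(5, C, S, 1, 1501, "A", 65535, 0),
    Segment(6, S, C, 3001, 1, "PA", 65535, 1500),   # bytes 1501-3000 never captured
    Segment(7, C, S, 1, 1501, "A", 65535, 0),        # Dup ACK #1
    Segment(8, S, C, 4501, 1, "PA", 65535, 1500),
    Segment(9, C, S, 1, 1501, "A", 65535, 0),        # Dup ACK #2
    Segment(10, S, C, 1501, 1, "PA", 65535, 1500),   # retransmission fills the gap
    Segment(11, C, S, 1, 6001, "A", 0, 0),           # zero window
]


def expert_info(segments):
    """Return (frame_no, severity, note) tuples in the style of Wireshark's Expert Information."""
    findings = []
    last_ack = {}                 # direction -> (ack, window) of the previous pure ACK
    dup_count = defaultdict(int)  # direction -> consecutive duplicate ACKs
    next_seq = {}                 # direction -> next expected sequence number
    for s in segments:
        d = (s.src, s.dst)
        if "S" not in s.flags and "R" not in s.flags and s.window == 0:
            findings.append((s.no, "Warning", "Zero window"))
        pure_ack = s.length == 0 and "A" in s.flags and not set("SF") & set(s.flags)
        if pure_ack:
            # same ack and window as the previous pure ACK in this direction = duplicate
            if last_ack.get(d) == (s.ack, s.window):
                dup_count[d] += 1
                findings.append((s.no, "Note", f"Dup ACK #{dup_count[d]} for ack {s.ack}"))
            else:
                dup_count[d] = 0
            last_ack[d] = (s.ack, s.window)
        if s.length > 0:
            expected = next_seq.get(d, s.seq)
            if s.seq > expected:
                findings.append((s.no, "Warning", "Previous segment not captured"))
            elif s.seq < expected:
                findings.append((s.no, "Note", f"Retransmission of seq {s.seq}"))
            next_seq[d] = max(expected, s.seq + s.length)
    return findings
```

The frame numbers returned are the ones to jump to in the packet list; a run of Dup ACKs followed by a retransmission points at loss on the path, while a zero window points at the receiving application not draining its buffer.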
Identify the bottleneck in the network: which packet is being downloaded, what its size is, and how much of the packet sizes are getting transferred can be studied with Wireshark. File -> Export Objects -> HTTP objects only -> a window appears that shows the packet sizes.
CloudShark: you can share the network capture with your co-workers. Cisco Meraki -> network-wide packet capture. Packetlife.net -> provides various types of packet captures for studying them. The Follow Stream operation is also available live on Packetlife.net. CloudShark has a tool called GeoIP world map to visualize the endpoints of the packet transfer. Malwaretrafficanalysis.net: upload packet captures for malware analysis.