Good afternoon, everybody. Welcome back to the afternoon session. This afternoon session has a demo part, which is approximately half an hour or so, followed by a hands-on lab session. The lab session has two parts. One is familiarity with the relevant Linux commands, and in the second you will have to turn in a little quiz. The TAs will explain that to you. So the first part of this lab, the Linux commands, concludes around 4 o'clock or so. There's a tea break between 4 and 4:30, and then we resume for the Wireshark experiments. So we begin right now with a demo on Wireshark. This will be presented by Nagarajan, one of our M.Tech students, and Devendra. Feel free to ask any questions as we go along; just try to get familiar with the tool so you can use it in the lab.

So good afternoon, everyone. Now I will briefly introduce the Wireshark tool to you. Wireshark is a network packet analyzer. It tries to capture network packets through the network interface which is on your system, and whatever packets are being exchanged between the client and the server, it displays that packet data in a very detailed fashion. You can also call it a packet sniffer, which is passive. By passive I mean it cannot send packets; the Wireshark tool itself does not send packets. It just analyzes whatever is there in the network. So it cannot send packets, neither can it receive packets; that is, there will be no packet which is destined to the Wireshark tool as such. Whatever packets are being exchanged, it creates a copy of those network packets and displays it in the tool. And it is free and open source.

Some of the features of Wireshark: it is available for the Unix and Windows platforms. It captures live packet data from a network interface. You can open files containing already captured packet data; there are some standard programs or tools with which you can capture this packet data, like tcpdump or WinDump, Wireshark itself, and a number of other programs. Then you can also import packets from text files containing hex dumps of that packet data. You can view or display those packets with very detailed protocol information. You can save the packet data captured. You can export it into a number of capture file formats. You can filter the packets based on many criteria. You can search for packets.
You can colorize them based on the packet type, or you can apply filters and apply a color to that filter. Then you can get various statistics out of those packets which have been captured. Typical applications of this tool would be: you can troubleshoot network problems, if any; examine security problems; debug protocol implementations; and learn network protocol internals and specifications.

Now I'll briefly show you a demo of the tool. To begin with, you need Wireshark installed on your system. Once you have installed it, there are basically two ways to run the Wireshark tool. If you are an administrative user, that is, you have root privileges on your system, you can directly type in wireshark and start the program. Otherwise, if you are not the root user, then you usually type gksudo wireshark. gksudo is for stating that you are the root user; it may then ask for your authentication. It will ask for your password, and then this will start Wireshark. It may show you one or two error messages; just ignore those.

So as you can see on the right, Wireshark has detected certain interfaces on your machine, like the Ethernet and a few others. They're connected to the internet through the Ethernet port, so you'll typically use the Ethernet port to capture the packets for whichever websites you are browsing. Now we'll capture the packets on the Ethernet port. For that you go to the Capture menu on the top, then you start capturing packets by clicking on the Start button corresponding to the Ethernet port. So this will start capturing the packets.

So this is the main window of the Wireshark tool. It has multiple parts. The top bar, which is this menu bar, contains the standard GUI menus like File, Edit, View; you'll find this in any GUI application. So this is the menu bar, from where you can initiate any actions to be performed. Below the menu bar is the main toolbar.
It provides you quick access to certain frequently used options in Wireshark. Like in most word editors you would have a Save option as a shortcut, similarly, corresponding to this tool, you have frequently used options already present here as shortcuts. Next is the filter toolbar. It allows you to filter the packets based on a certain expression. Say, suppose you want to look at only the TCP packets. So in the filter toolbar, in the text box which you can see here, if you type tcp and hit Enter, then out of all the captured data it will only display those packets which correspond to the TCP protocol. There are many other ways to filter packets; you can also have conditional expressions. If you want to look at all those packets except the TCP packets, you can have a not, that is, an exclamation mark: !tcp. So that will display all the packets except the TCP packets. In similar ways you can also have multiple conditions, separated by an and or an or, and similar to that. So that's the filter toolbar.

Next is the packet list section. This section displays a brief one-line summary of each packet that has been captured. The default columns which are shown here are: the number, which is the packet number since the capture began, so it starts from one and then keeps increasing; the time, which is the time elapsed since the capture began; the source address of that packet; the destination; then the protocol corresponding to that packet; the length of that packet; and some information about that packet. So this is a brief one-line summary. You can look at a more detailed summary in this packet details section. If you click on a packet you can view very detailed information about that packet, protocol by protocol. It's a tree-like structure. So you click on one of these options, then the tree expands, and then you can look at the various protocol fields and their values within that packet. So this provides very detailed information. And the final section here below is the packet bytes section. This section displays the packet data as a hex dump, in hexadecimal format and also in ASCII format. And there's another status bar below; actually you won't be able to see it here, but there's also a status bar which provides some information about the packets.

So shall we come to a conclusion?

Yeah, you can look... I mean, it provides you statistics based on whatever we have captured.

Could you please analyze the statistics?

I mean, currently this is just a basic demo. You can try that during the lab session.

That we can do; the basic commands we know. Now we got some report; could you please analyze that? What are the different protocols we have, what can we do with that?

I mean, currently this is a video; I'm not actually running Wireshark here. So this is just a video. We'll let you know later.

So now the packet capturing process has started. Now we'll visit a few web pages, so that the packets corresponding to our browsing, all the browsing data, will be captured by Wireshark. So here, we'll just browse through a couple of web pages.
We'll first go to google.com, then we'll look for Wireshark and then the Wireshark homepage. So based on our browsing, all the packets which were exchanged will be captured by Wireshark. So now we stop the capturing process by clicking on that icon. So the capturing process has stopped.

A few options available are: the Open option allows you to open capture files which have been captured before; you can load them into Wireshark. Open recently used files. You can merge one or two files: if you have a loaded file and you want to merge another file into that, you can also merge that. You can import a file in some other format, like a text file or a hex dump. You can save the captured data; typically Wireshark saves it in .pcap or .pcapng format, so you can save it in that format, or export it to some other format like plain text or CSV.

Then in the Edit menu, the Find Packet option allows you to find the first occurrence of a packet based on a certain string. Suppose, as I browsed through Wireshark, I want to look at the first packet which contained "wireshark", I mean the first packet which corresponded to what I was browsing. So in the filter I'll type wireshark, and then when I hit Find, it will highlight the first packet which contains "wireshark" in it. So that's about finding a packet. And then Find Next or Find Previous allows you... the same filter will be applied; it will find the next packet which contains "wireshark" in it, and similarly for the previous. The Mark Packet option allows you to mark a packet. Say, if you find something interesting about a packet, some information about that packet you find interesting, you can just mark it for later reference. So Mark Packet allows you to do that. Similarly, there are various other options for highlighting packets based on how you need it. Next, another option is Ignore Packet. Say you are not interested in looking at that packet; then for the selected packet you can ignore it. So the relevant information won't be displayed for that packet. And to undo the operation, you can again hit the Ignore Packet option; that will automatically undo it. Similarly, if you want to unmark the packet, you just hit Mark Packet another time; that will unmark that packet.

Now, setting the time reference. This is useful when, say, you have a reference packet and you want to find the time elapsed relative to that packet. So you can set the reference packet as a time reference; then in the Time column which is displayed in the packet list section, all the packets that were received after that packet will have the time elapsed relative to that reference packet. So currently this orange highlighted one was the selected packet; when I hit Set Time Reference, you can see the *REF* string being shown here. So that is the reference, and then for all the packets below it you have the time elapsed relative to that reference packet. So if you want to find, say, the time between an HTTP GET and an HTTP response packet, you can set the HTTP GET packet as the reference and then look at its response, and you can see how much time has elapsed between those two packets.

Another option in the Edit menu is the Preferences option. These are just for your convenience. You can set the layout.
Currently it's one below the other. You can also have other layouts for it, based on how you like. You can add one or more columns, or if you don't want a column you can delete that column, and then you can also specify the field type, what kind of column it should be, and have various fonts, colors, and so on and so forth.

Next, the View menu. It shows whatever toolbars and sections are already shown in the Wireshark GUI. Currently the main toolbar, filter toolbar, status bar, packet list, packet details and packet bytes are shown. The time: currently the format of the time shown is the time elapsed since the capture began. You can also have various other formats, like the date and time of day when it was captured, or the time of day, the seconds elapsed since the beginning of the capture or since just the previous packet captured, and various other formats depending on your analysis.

As you can see, you can also see various colors for those packets. The colorizing option is on as of now; you can also turn it off if you don't like to view those colors, and you can also change the colors for the various types of packets which are supported or captured. So currently, for HTTP it's green. This HTTP involves all those packets which are either HTTP or where the TCP port equals 80, so that also corresponds to HTTP. All such packets will be highlighted in green, and similarly for various other packets you have different colors. Yeah, that's it. And then, the Go menu.

You have a Go to Packet option. Say, suppose you have a million packets captured and you want to go to a specific packet; if you have that packet number, you can just type in the packet number and that will directly take you to that packet. In this case it's one thousand, so it will take you to packet one thousand. Similarly, you can navigate through various packets; previous packet in a conversation will take you to the packet which was exchanged after that packet, typically a response to that packet.

Next, the Capture menu has Interfaces, which I showed you at the beginning, where you can begin capturing packets at various interfaces: Ethernet, or if you are connected to the internet through Wi-Fi it will show a wireless interface, and then you can start capturing packets from that interface. The next option is the Capture Filters option. The capture filter is different from the filter bar which I showed you earlier; that is known as the display filter. This is the capture filter. One of the differences is that capture filters allow you to filter while the capturing is in process. Say, suppose you want to capture packets which arrived only from this source; during the capturing process it will only show those packets which came from that source, and it will ignore all other packets. Whereas the display filter is applied after the capturing process has been completed: once you have all the captured data, if you want to look at only the HTTP packets or only the TCP packets, then you can apply the display filter to that captured data. So this is the capture filter, and for various types of filtering you have corresponding strings. Say, suppose you want to capture packets only from this Ethernet address, the MAC address; the filter string is shown below. You have to type that in one of the places which I'll just show you. So for IP-only packets you type ip, for TCP-only you type tcp. And now, where do you type it?
This is in the Capture menu: go to Options, and then in this text field you will type whatever string you like, based on the filter. In this case, if I want just TCP, I'll just type in tcp and then hit the Start button. One of the things you would notice here is that this text field does a syntax check: if whatever you type in is invalid or incomplete, it will display it in red, so you'd know that whatever you have typed in is incorrect or invalid. But when you complete it, whenever you type a valid string, it will show it in green. So with that you can identify whether it is correct or not.

Next, in the Analyze menu, Display Filters. This is the same as what I showed before in this filter toolbar. Say, suppose I want to look at only those packets which came from the following IP address, I mean which had this IP address either as a source or a destination. In that case, in the filter toolbar text field I would type ip.addr == 192.168.0.1, and when you apply that filter you would see only those packets which had this IP address either as a source or a destination. Similarly, there is various syntax for the different kinds of filtering which you would like to do. You can apply multiple conditions, like tcp.port == 80 || udp.port == 80, so it will show only the relevant packets. You can also use a not, say if you want to look at all those packets which do not contain this IP address; so this is the syntax.

Now the next menu is the Statistics menu. Actually, yeah, I've just shown an example here for the filter. So if I type in http and click Apply, it will only show those packets which contain HTTP. There are a few SSDP packets, but they contained HTTP in them, so it also showed those packets. Yeah, you can see below that status bar. So there you can see the total number of packets which were captured in this trace, but when you apply a filter only a subset of those packets are shown. So out of 3946 packets which were captured in all, the total HTTP packets were 321. So with that you can identify how many HTTP packets there were, and similar statistics you can have. And if you want to clear the filter, you just erase whatever was there in the filter bar and click Apply; so now you'll see all those packets which were originally there, all the 4000-odd packets.

So now the Statistics menu. The Summary option will show you a summary of the entire trace which was captured. It has various statistics like the file corresponding to that packet trace, the time the first packet was captured, the last packet, and various other statistics. The next option in the Statistics menu is the Protocol Hierarchy. In this you can see the various protocols which were part of the trace, and corresponding to each protocol you can also look at the number of packets which correspond to that protocol. It provides very detailed statistics of the protocols and how many packets were captured corresponding to each. The next option is Conversations. In this you can see all those source and destination addresses which had a conversation between them. So all these are the source-destination pairs; these are the MAC addresses and these are the IP addresses. So if you have a server, you can look at what IP address it had. Next is the IO Graphs. This shows you a graphical summary of what was captured; you can have various things on the X and Y axis. Currently it shows the number of packets captured per tick, or per second. So this is the graph. And there are various other options, but we'll just go through some of the important ones. Then the Flow Graph option; this is again something similar.
It shows you the statistics in a different way: it shows what packets were exchanged between which two IP addresses, and some graphical representation of that. The next option is the HTTP... no, the IP Addresses option. Say, if you want to filter based on HTTP packets, it will show all those IP addresses and how many HTTP packets corresponded to that IP address, either as a source or a destination. You can look at how many packets corresponded to that IP address: the count, the percentage, the rate at which it received them. Yeah. And then finally the Help menu: you can have a look at the Wireshark website and also the wiki page, which might help you in identifying the various options available.

These are some of the detailed information within the packet. You can expand those trees and look at the frame number and the various fields which are involved. In the Ethernet you can look at the destination address, the source address; in the IP you can look at the version number, the header length, the flags, the time-to-live value, and various other things. And if you click on one of these options, the data corresponding to that field will be highlighted in the packet bytes section, so you can also look at the hexadecimal value of that, the representation of the above details.

Yes, yes, yes, you can read... I mean, read in the sense, what do you mean?

The content of that packet. If it is not encrypted we can read it, so is it encrypted here?

Whatever you... sure.

Okay, so that means we cannot understand the meaning of that packet. By providing the decryption key in Statistics we can see the decrypted form of that packet, but for that we need to know the private key of that.

See, in the third window what is shown is the content in hexadecimal and ASCII format. So just by seeing that, can I understand whether this is encrypted or is it plain?

In the packet details section it is describing all the fields here; the values are already shown, right? You have the time-to-live value, IPv4, no, IPv4 you are using here. So it is already encrypted, and you cannot identify whether it is plain text or cipher text; all these things you can decrypt only if you have the key, and the key also is already exchanged.

So the best way to learn about this actually is to go to the lab and try things out. So there'll be three different labs; any hands-on thing is just like that. So there'll be three different labs, and there'll be quite a few TAs, about four or five TAs in each of those labs. So anything you need to get started etc., please ask them. Are there any quick questions about this that need clarification? Somebody asked about encrypted stuff: can you see the payload? Yes, you can. You can actually see the entire packet, and you know the way these headers are set up: the packet always starts with the highest layer, so you put the HTTP header out there, then on the outside of that you'll have the TCP header, then you'll have the IP header, and so on and so forth. So you can actually drill down and see all of the headers, and you can see the payload finally. And if the packet is encrypted, you can see the encrypted payload as well. Normally the TCP header and so on will not be encrypted unless you're using IPsec. So examine all of those things; you need to understand each of the headers, each of the fields in each header. So that is the key thing: what do those different fields mean? So tomorrow when we study SSL, we will see in the handshake protocol there are different SSL handshake messages. So one of the assignments is to see what those messages are. The handshake part itself is entirely in the clear, so you will be able to see all of the different fields. You'll see the nonces, for example; you know what a nonce is, a random number?
You'll see the timestamp, you'll see the session ID, you will see the cipher suite, everything that we study in the theory class you'll be able to examine, and so on. But that is a little bit advanced for today. The goal is only to try to study basic HTTP packets: say, start a session with Google and let's just look at the HTTP header. Now, as you very well know, the HTTP header is in clear text, so let's look at the different fields. There'll be a GET or a POST or whatever it is, and those things can appear because you can have an ASCII dump or you can have a hex dump. So these are the basic things for today, in the second half of the lab session; in the first half, as I said, it's Linux commands. So with that let us move on to the labs. The TAs will try to help you; TAs, start getting ready and shepherd them to the three different labs.

Sir, one small doubt. Actually in NS2 we are writing Tcl code for analyzing the packets. So here, do we need to do any coding for analyzing, or something? Or is it just an analyzer, automatically?

Yeah, you can just set the filters, like "I want to see only HTTP packets", and then only the HTTP packets will be captured. You can put them in a file and inspect them later on if there are too many packets; if there are one or two, you can just see them right there on the screen. So you can specify all those options of storing the packets for later. You can write scripts later on if you want to get more advanced, scripts that look at these packets and try to see how many packets are generated this time, over these flags set, and so on and so forth. You can do a whole lot of very interesting things and even build some sort of an IDS tool on this, in fact.

So I have a question. Is this tool location specific?

Sorry, is this location specific? What do you mean by that?

In the sense, now I am connected to a LAN, so it will analyze only the packets from the LAN, right?

So what you do is, in Wireshark you set the LAN card in promiscuous mode. Yeah, so it actually captures everything.

Yeah, okay, that means it cannot capture the packets beyond any switch.

Yeah, so only things that it sees, that is passing through it, it can capture. I think we better start with the lab, because we may not have time to complete. We are hoping to complete by no later than 6:15 or so.
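The demo above describes three things in words: the header layering (HTTP inside TCP inside IP inside Ethernet) that the packet details pane peels apart, the .pcap file format Wireshark saves and opens, and display-filter expressions such as ip.addr == 192.168.0.1 or tcp.port == 80 || udp.port == 80. The following is an added example written for this page; it is not part of the lecture, the lab handout, or Wireshark's own code. It builds a few constructed frames (RFC 5737 documentation addresses, made-up MACs, ports and payloads), writes them to a .pcap file you can open in Wireshark, dissects them back into Wireshark-style field names, and evaluates a small subset of display-filter syntax against them. The field names, the checksum check and the "!", "&&", "||" handling are modelled on Wireshark's behaviour, but parentheses and the full operator set are deliberately not supported.

```python
"""Added example, not from the lecture: constructed Ethernet/IPv4/TCP frames carrying an
HTTP exchange, written as a .pcap, dissected layer by layer, and filtered with a subset
of Wireshark display-filter syntax. All addresses, ports and payloads are made up."""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Wrap payload innermost-first: TCP header, then IPv4 header, then Ethernet II."""
    sip, dip = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP: arbitrary seq/ack, data offset 5 words, flags PSH|ACK, window 65535; the checksum
    # (bytes 16..17) covers pseudo-header + segment and is computed with the field zeroed.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: version 4 / IHL 5 (0x45), DF flag, TTL 64, protocol 6 = TCP; header checksum at bytes 10..11.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # Ethernet II: destination MAC, source MAC, EtherType 0x0800 = IPv4.
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + tcp


def write_pcap(path: str, frames) -> None:
    """libpcap format: 24-byte global header (magic, version 2.4, zone, sigfigs, snaplen,
    link type 1 = Ethernet), then a 16-byte record header per frame followed by its bytes."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_700_000_000, i * 1000, len(frame), len(frame)))
            f.write(frame)


def dissect(frame: bytes) -> dict:
    """Peel Ethernet, IPv4 and TCP; return fields named like Wireshark's display-filter fields."""
    eth_dst, eth_src, eth_type = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if eth_type != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    tcp = ip[ihl:total_len]
    sport, dport, seq, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    payload = tcp[(off >> 4) * 4:]
    pseudo = sip + dip + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "eth.src": eth_src.hex(":"), "eth.dst": eth_dst.hex(":"),
        "ip": True, "ip.src": socket.inet_ntoa(sip), "ip.dst": socket.inet_ntoa(dip),
        "ip.ttl": ttl, "ip.proto": proto,
        # a header whose checksum is valid sums to 0xFFFF, so re-checksumming it yields 0
        "ip.checksum.status": "good" if checksum(ip[:ihl]) == 0 else "bad",
        "tcp": proto == 6, "tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
        "tcp.flags": flags, "tcp.checksum.status": "good" if checksum(pseudo + tcp) == 0 else "bad",
        # HTTP recognised heuristically from the payload start, independent of the port
        "http": payload[:4] in (b"GET ", b"POST", b"HTTP"),
        "tcp.payload": payload,
    }


def matches(fields: dict, expr: str) -> bool:
    """Evaluate a subset of display-filter syntax: 'name == value', bare protocol names
    ('tcp', 'http'), prefix '!', and '&&' / '||' (no parentheses). Like Wireshark,
    ip.addr and tcp.port match either direction."""
    expr = expr.strip()
    if "||" in expr:
        return any(matches(fields, e) for e in expr.split("||"))
    if "&&" in expr:
        return all(matches(fields, e) for e in expr.split("&&"))
    if expr.startswith("!"):
        return not matches(fields, expr[1:])
    name, _, value = (part.strip() for part in expr.partition("=="))
    if not value:
        return fields.get(name) is True
    either = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
    return any(str(fields.get(k)) == value for k in either.get(name, (name,)))


# Constructed sample capture (RFC 5737 addresses, locally administered MACs, made-up ports).
CLIENT, SERVER = "192.0.2.10", "198.51.100.80"
CLIENT_MAC, GW_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE_FRAMES = [
    build_frame(CLIENT_MAC, GW_MAC, CLIENT, SERVER, 51234, 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    build_frame(GW_MAC, CLIENT_MAC, SERVER, CLIENT, 80, 51234, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    # opaque payload to port 443: headers still dissect and filter, but the bytes pane shows no readable text
    build_frame(CLIENT_MAC, GW_MAC, CLIENT, SERVER, 51235, 443, bytes(range(0x80, 0xA0))),
]


def filter_sample(expr: str) -> list:
    """Packet numbers (1-based, as in the packet list pane) of SAMPLE_FRAMES matching expr."""
    return [i + 1 for i, fr in enumerate(SAMPLE_FRAMES) if matches(dissect(fr), expr)]


if __name__ == "__main__":
    write_pcap("demo.pcap", SAMPLE_FRAMES)  # open in Wireshark via File > Open
    for e in ("http", "tcp.port == 80 || tcp.port == 443", "!tcp.port == 80", "ip.addr == 198.51.100.80 && http"):
        print(f"{e:45} -> packets {filter_sample(e)}")
```

Running the script writes demo.pcap; opening it in Wireshark shows the same three packets, the same field values in the details pane, and the same results for the four filters printed at the end. The third frame makes the point raised in the question session: the Ethernet, IP and TCP headers are always readable and filterable, and only the payload bytes are opaque.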