1. Wireshark
Wireshark is a free, open source, high-performance network protocol analyzer; its predecessor is the well-known network analysis software Ethereal. It can be used to troubleshoot network problems, analyze network protocols, serve as a reference during software or communication protocol development, and act as a teaching tool for learning the various network protocols. Wireshark now supports the majority of Ethernet network cards as well as the mainstream wireless network cards.
Wireshark has the following features:
(1) Supports a variety of operating system platforms; it runs on Windows, Linux, Mac OS X 10.5.5, Solaris, FreeBSD and other operating systems;
(2) Supports more than a thousand network protocols, and support for new protocols continues to be added;
(3) Supports real-time capture, with the analysis performed later in the offline state;
(4) Supports analysis of VoIP packets;
(5) Supports decryption of packets encrypted by IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, WPA/WPA2 and other protocols;
(6) Packets from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, Token Ring and FDDI (optical fiber) can be captured in real time;
(7) Reads and analyzes the file formats saved by many other network sniffers, including tcpdump, Sniffer Pro, EtherPeek, Microsoft Network Monitor and Cisco Secure IDS;
(8) Supports capture filters with a variety of conditions, display filters that show only the specified content, and coloring rules that display the filtered messages in different colors;
(9) Provides statistics on the captured network messages;
(10) Exports the captured data to XML, PostScript, CSV and plain text file formats.
Files required to run Wireshark:
The current release of Wireshark is 1.0.5, and it can be downloaded from www.wireshark.org/download/. To run Wireshark under Windows you also need a driver library named WinPcap; its current stable version is WinPcap 4.0.2 and the latest test version is WinPcap 4.1 beta3, both of which can be downloaded from http://www.winpcap.org. If you are using a Linux system, you should use the libpcap driver library instead, currently at version libpcap 1.0.0, which can be downloaded from www.tcpdump.org.
Before installing Wireshark on Windows or Linux, you must first make sure that WinPcap or libpcap is installed on your system. Figure 1.1 shows the main interface of Wireshark running under Windows.
2. tcpdump and WinDump
tcpdump is one of the oldest and most frequently used network protocol analyzers, and it is a command-line tool. tcpdump selects the traffic to be captured on a network interface card by means of a simple filter expression. It supports the vast majority of Ethernet adapters available today.
tcpdump is a network sniffer that works in passive mode. Under Linux it can capture the packets passing through a host's interface card, or all the packets on a network segment, and then decode and print the captured protocol packets (such as TCP or ARP) to reveal what is happening on the network. For example, when a network connectivity failure occurs, analyzing the TCP three-way handshake shows at which step the problem occurs, and many network and security experts use it to discover whether ARP address spoofing is taking place on the network. The packets it captures can also be written to a file and later read and analyzed with a graphical tool such as Wireshark.
Its command format is:
tcpdump [-AdDeflLnNOpqStvxX] [-c count] [-F file] [-i interface] [-r file]
        [-s snaplen] [-T type] [-w file] [expression]
The -i parameter specifies the network interface card to capture on, -r reads an existing capture file, and -w writes the captured data to a file. Detailed descriptions of the other parameters are in its man page, or enter "tcpdump --help" to print its help information.
A very important feature of tcpdump is the ability to use a filter expression as the condition for selecting network messages, which makes it very flexible. The conditions to filter on are specified with the keywords built into it, and once a network packet satisfies the expression, the packet is captured. If no expression is given, all network messages on the specified network interface card are captured.
tcpdump uses the following three kinds of keywords:
(1) Keywords that express the type of the value, mainly host, net and port. They are used to specify a host IP address, a network address, and a port, respectively. If no type keyword is given, host is assumed by default.
(2) Keywords that express the transmission direction, mainly src and dst. They specify the source IP address or the destination IP address of the packets to capture.
(3) Keywords that select the protocol to capture, mainly ip, arp, tcp, udp and so on.
These keywords can be combined with logical operator keywords, which lets us specify a range, exclude a host, and so on. There are three such logical operators: negation, written "not" or "!"; conjunction, written "and" or "&&"; and disjunction, written "or" or "||".
tcpdump has many more keywords, and I am not going to list them all here. The rest are explained in detail in its help documentation.
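As an added example of how the three kinds of keywords and the logical operators combine (this is not tcpdump's own code), the following toy parser and evaluator handles exactly those keywords and runs them over a constructed list of packet summaries; the dict fields proto, src, dst, sport and dport are this example's own convention.

```python
"""Toy evaluator for tcpdump-style filter expressions: only the keywords the text names
(host/net/port, src/dst, ip/arp/tcp/udp) and the operators not/!, and/&&, or/||."""
import ipaddress
import re

TOKEN = re.compile(r"\(|\)|&&|\|\||!|[^\s()!&|]+")

def parse(expr):
    toks = TOKEN.findall(expr)
    def parse_bin(level):  # precedence low to high: level 0 = or, 1 = and, 2 = not/primitive
        if level == 2:
            return parse_not()
        ops = (("or", "||"), ("and", "&&"))[level]
        node = parse_bin(level + 1)
        while toks and toks[0] in ops:
            toks.pop(0)
            node = (ops[0], node, parse_bin(level + 1))
        return node
    def parse_not():
        tok = toks.pop(0)
        if tok in ("not", "!"):
            return ("not", parse_not())
        if tok == "(":
            node = parse_bin(0)
            if toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        direction, tok = (tok, toks.pop(0)) if tok in ("src", "dst") else (None, tok)
        if tok in ("ip", "arp", "tcp", "udp"):  # protocol keyword
            return ("proto", tok)
        if tok in ("host", "net", "port"):      # type keyword followed by its value
            return (tok, direction, toks.pop(0))
        return ("host", direction, tok)         # no type keyword: host is the default
    return parse_bin(0)

def matches(node, pkt):
    op = node[0]
    if op == "not":
        return not matches(node[1], pkt)
    if op in ("and", "or"):
        left, right = (matches(n, pkt) for n in node[1:])
        return (left and right) if op == "and" else (left or right)
    if op == "proto":  # "ip" covers the IP-carried protocols in the samples: tcp and udp
        return pkt["proto"] == node[1] or (node[1] == "ip" and pkt["proto"] in ("tcp", "udp"))
    kind, direction, value = node
    sides = [direction] if direction else ["src", "dst"]  # unqualified: either side matches
    if kind == "port":
        return any(str(pkt.get(s[0] + "port")) == value for s in sides)  # keys sport/dport
    if kind == "host":
        return any(pkt[s] == value for s in sides)
    net = ipaddress.ip_network(value, strict=False)
    return any(ipaddress.ip_address(pkt[s]) in net for s in sides)

def filter_packets(expr, packets):
    tree = parse(expr)
    return [p for p in packets if matches(tree, p)]

# Constructed sample capture (not real traffic): web request, DNS query, ARP, TLS reply.
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.1.1", "sport": 51000, "dport": 80},
    {"proto": "udp", "src": "192.168.1.10", "dst": "192.168.1.1", "sport": 51001, "dport": 53},
    {"proto": "arp", "src": "192.168.1.20", "dst": "192.168.1.1"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.10", "sport": 443, "dport": 51002},
]
```

For instance, filter_packets("dst port 53 and not tcp", PACKETS) returns only the DNS packet, and the bare expression "192.168.1.20" is treated as "host 192.168.1.20".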
Files required to run tcpdump:
tcpdump runs well on UNIX, Linux and Mac OS X operating systems. The latest version is tcpdump 4.0.0, and its package can be downloaded from www.tcpdump.org. To run it, the libpcap 1.0.0 driver library must also be installed on the system.
The Windows version of tcpdump is WinDump, which is also free command-line network analysis software. Before using WinDump, make sure the WinPcap 4.0.2 driver library is already installed on the system. Figure 2.1 shows tcpdump running in a Linux console.
3. Dsniff
Dsniff is a very powerful suite of network sniffing software, and it was one of the first sniffer suites to move from the traditional passive sniffing mode to an active mode. The suite contains a number of special-purpose sniffers that use a series of active attack methods to redirect network traffic to the sniffer host, so that the sniffer has the opportunity to capture the traffic of one host or of the entire network. In this way Dsniff can be used in switched or routed network environments and in cable-modem Internet access environments. Even when a sniffer host running Dsniff is not directly connected to the target network, it can still capture packets from the target network by having the traffic relayed to it. Dsniff supports Telnet, FTP, SMTP, POP3, HTTP and a number of other application-layer protocols. Some of the tools in the suite have special password-stealing methods that support capturing and decrypting data protected by SSL and SSH. Dsniff supports the vast majority of Ethernet NICs available today.
We can use Dsniff to verify that our security settings are reliable and to monitor network operation in environments that use switches or routers. But before using Dsniff, it is a good idea to think about the new security risks it may bring, to prevent unnecessary losses.
The Dsniff suite mainly consists of the following sniffing tools:
(1) arpspoof (ARP spoofing): performs ARP address spoofing to redirect network traffic to the sniffer host, which then has the opportunity to capture the packets;
(2) dnsspoof (DNS spoofing): performs DNS spoofing. Together with it comes the very important webmitm function, which is mainly used to capture SSL- and SSH-encrypted data;
(3) mailsnarf: reassembles e-mail messages sent over SMTP into mbox format so that they can later be read offline with ordinary mail software;
(4) filesnarf: obtains copies of files transferred over NFS and SMB;
(5) urlsnarf: sniffs all the URLs in HTTP traffic and saves them in Common Log Format (CLF). This log format is used by most web servers and can be read offline by web log analysis tools;
(6) webspy: sniffs the URLs a client visits and sends them to the attacker's web browser for display, updated in real time, so that the attacker can see which websites you have browsed;
(7) msgsnarf: sniffs several real-time chat protocols;
(8) screenspy: used for screen monitoring;
(9) macof: attacks a switch with the MAC address flooding method. It continuously sends packets containing forged MAC addresses to the switch in order to overflow the switch's MAC address table, at which point the switch forwards the packets it receives by broadcasting them. It is generally used before the sniffing tools above;
(10) tcpkill: a denial-of-service (DoS) tool. It is mainly used to cut off the network connections of the legitimate host so that sniffing can proceed normally. It is generally used before the sniffing tools above.
Files required to run Dsniff:
Dsniff can be used on Linux and Windows platforms; it supports the vast majority of Linux distributions and Windows 2000 and later. The current Linux version is dsniff-2.4, and the package dsniff-2.4b1.tar.gz can be downloaded from www.monkey.org. When using Dsniff on a Linux system, the following files are also needed:
(1) the dsniff-2.4-configure.in.diff patch;
(2) the dsniff-2.4-sshow.c.diff patch;
(3) libnet-1.0.2a.tar.gz;
(4) libnids-1.16-1.i386.rpm;
(5) libpcap-0.4-39.i386.rpm.
If the above files do not work properly, db 4.1.25 and OpenSSL must also be installed. These files can be downloaded from www.xfocus.net/tools/.
To use it on the Windows platform, the following files are needed:
(1) dsniff-1.8-win32-static.tgz;
(2) libnids-1.16-win32.zip;
(3) libevent-0.6-win32.zip;
(4) WinPcap 4.0 or later.
They can also be downloaded from www.xfocus.net/tools/.
4. Ettercap
Ettercap is another advanced network sniffer that can be used in switched network environments. Ettercap can decode most network protocol packets, whether or not the packets are encrypted. It also supports the vast majority of Ethernet network cards available today, and it has some unique methods of capturing the traffic of a host or of the entire network and analyzing it.
Ettercap has the following features:
(1) Determines the operating system type of the active hosts on the network;
(2) Obtains the IP address and MAC address of all active hosts on the network;
(3) Can be set to work in static or passive mode;
(4) Filter rules can be loaded from a specified filter rules file;
(5) Packet filtering makes it easy to extract the information needed even when the data flow is large;
(6) Can collect user names and passwords transmitted in plaintext on the network;
(7) The captured data can be saved to a file in a specified location;
(8) Can detect whether other sniffers are active on the network;
(9) Supports extending its functionality through plug-ins;
(10) Can carry out a number of active attacks in order to obtain encrypted data;
(11) Has several attack methods built in, such as ARP address spoofing and character injection attacks.
Most of Ettercap's features are similar to Dsniff's. It can be used in text mode or with a graphical interface, either the ncurses-based GUI or the GTK2 interface. After installing Ettercap, the "-T" option specifies text mode, the "-C" option specifies the ncurses-based GUI, and the "-G" option specifies the GTK2 interface. The Ettercap command format is as follows:
ettercap [options] [host:port] [host:port] [MAC] [MAC]
It has many options, and entering the "ettercap --help" command in text mode prints their descriptions.
Files required to run Ettercap:
Ettercap runs on OS platforms such as Linux, Windows, FreeBSD, OpenBSD, NetBSD, Mac OS X and Solaris.
To use the Ettercap sniffer under Linux, all of the following files are needed:
(1) ettercap-ng-0.7.3.tar.gz;
(2) libpcap >= 0.8.1;
(3) libnet >= 1.1.2.1;
(4) libpthread;
(5) zlib.
To use it with a graphical interface, or to work with data encrypted by SSH and SSL, the following files are also needed:
(1) libltdl, which is part of libtool;
(2) libpcre;
(3) OpenSSL 0.9.7;
(4) ncurses >= 5.3;
(5) pkgconfig >= 0.15.0;
(6) Glib >= 2.4.x, Pango >= 1.4.x.
To use it under Windows, the following two files are required:
(1) ettercap-ng-0.7.3-win32.exe;
(2) WinPcap 4.0 or later.
The files listed above can be downloaded from http://ettercap.sourceforge.net/download.php.
5. NetStumbler
NetStumbler is a tool for finding wireless LANs that use the IEEE 802.11a/b/g standards. It supports the vast majority of mainstream wireless adapters, including PCMCIA wireless adapters, and it also supports GPS satellite positioning.
NetStumbler can perform the following tasks:
(1) "war driving";
(2) verifying whether the configuration of wireless clients and wireless APs is weak;
(3) finding locations from which a wireless LAN can be reached;
(4) detecting the causes of interference with the wireless LAN signal;
(5) detecting unauthorized wireless access points;
(6) obtaining the SSID of a WLAN.
Files required to run NetStumbler:
NetStumbler runs on Windows 98 and later operating system versions, and it also has a lite version for use under Windows CE.
NetStumbler is free software; the latest version is NetStumbler 0.4.0, and the latest version for Windows CE is MiniStumbler 0.4.0. Both installation packages can be downloaded from www.netstumbler.com/downloads/. Figure 5.1 shows the main interface after NetStumbler is started.
Figure 5.1 The main interface of NetStumbler
6. Kismet
Kismet is a wireless network detector, sniffer and intrusion detection system for IEEE 802.11 networks, and it is open source, free software. Kismet works with the vast majority of wireless adapters that support RF monitoring mode, for example adapters based on the PRISM2, 2.5, 3 and GT wireless chips, as well as Orinoco Gold adapters and adapters based on Atheros a/b/g chips. When the wireless adapter is in monitor mode, Kismet can sniff the traffic transmitted on any wireless network compatible with the IEEE 802.11a/b/g standards. Kismet primarily sniffs wireless networks passively to detect their names, and it can detect networks whose SSID is hidden.
Kismet has the following characteristics:
(1) Saves sniffed traffic to files in a format that tcpdump and other software can read;
(2) Detects the IP address range currently in use on a wireless network;
(3) Detects hosts on the wireless network running NetStumbler, in order to find unauthorized wireless access;
(4) Detects the SSID of hidden wireless networks;
(5) Works with GPS to draw a map of the locations of wireless access points and wireless clients;
(6) Uses a client/server architecture;
(7) Identifies the manufacturer and operating mode of the wireless adapters of wireless access points and wireless clients;
(8) Can find weaknesses present in wireless access points and wireless clients;
(9) Can decode packets encrypted with WEP;
(10) Works together with other software to broaden the scope of that software; for example, it can cooperate with the Snort network intrusion detection system.
Files required to run Kismet:
Kismet runs well on Linux 2.0 and later releases. At first it supported only Linux, but now it also has versions that run on Windows 2000 and later.
To run Kismet on a Linux distribution, download the Kismet-2008-05-r1 file from http://www.kismetwireless.net/download.shtml. To run it on Windows 2000 or later, download the Setup_kismet_2008-05-r1.exe installation file from the same website, and also download the AirPcap setup_airpcap_3_2_1.exe file from www.cacetech.com/support/downloads.htm. Figure 6.1 shows the Kismet interface running in a Linux character terminal.
Figure 6.1 Kismet interface running under the Linux system character terminal
There are also some other commonly used network sniffers for Ethernet. For example, the Sniffer Pro network protocol analyzer runs on a variety of platforms, analyzes network health in real time, and has rich graphical features; and Analyzer is a free network sniffer that runs under Windows. In addition, although some commercial network sniffers require a fee, their functionality goes without saying; the best-known representative is the EtherPeek suite.
Putting a network analyzer to work for us
Now that you know how to connect a network analyzer to your network, it is time to start using it to perform network management and security management tasks. A network analyzer is mainly used to help with three kinds of work: system management, solving network problems, and security management. The following describes the specific content of each of these three aspects in detail.
First, using the network analyzer for system management
When a host on the network has connectivity-related problems and the general network command tools (such as the ping command) cannot determine whether the fault is in the system or on the network server, a network analyzer can be used to examine how a network protocol (such as TCP) is behaving, in order to determine where the problem lies.
A TCP connection is used as an example below to illustrate how network protocol analysis can help with system management.
In general, a successful TCP connection requires a three-way handshake, and we can identify the problem by using a network analyzer to look at the flags in the three handshake segments of the TCP connection. There are three different cases:
1. A SYN flag is seen, but no SYN+ACK.
When the network analyzer captures only the client's SYN packet and no packet with the SYN+ACK flags comes back from the server, the server cannot process the packet, possibly because it is blocked by a firewall-type device.
2. After the SYN, the server immediately responds with RST.
This means that the corresponding service on the target server does not have the correct port open. The problem can be solved by re-binding the service on the server.
3. SYN, SYN+ACK, ACK, and then the connection is immediately closed.
If TCP shuts down immediately after the connection is established, it may be because the destination server refuses the client connecting with the source IP address in the packet. Check the access control lists in the firewall and other security software on the server, and add the client's IP address to the trust list.
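As an added example (not code from the article), the three cases above turned into a small classifier that reads tcpdump-style "Flags [...]" output lines; the capture lines it is run on are constructed, and the assumption that the first segment's sender is the client is this example's own.

```python
"""Classify a TCP connection attempt from tcpdump-style output lines into the
three handshake cases described above. Added example, not code from the
article; the capture lines below are constructed, not real traffic."""
import re

# tcpdump prints e.g. "IP 192.168.1.10.51000 > 10.0.0.9.80: Flags [S.], ... length 0"
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\].*length (\d+)")
FLAG_CHARS = {"S": "SYN", ".": "ACK", "R": "RST", "F": "FIN", "P": "PSH"}

def parse_capture(text):
    """Return (direction, flag set, payload length) per segment; the source of
    the first segment is treated as the client."""
    segments, client = [], None
    for line in text.strip().splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags, length = m.groups()
        client = client or (src, sport)
        direction = "client" if (src, sport) == client else "server"
        segments.append((direction, {FLAG_CHARS[c] for c in flags if c in FLAG_CHARS}, int(length)))
    return segments

def diagnose(text):
    """Map the captured handshake to one of the three cases in the text."""
    seq = parse_capture(text)
    if not seq or seq[0][:2] != ("client", {"SYN"}):
        return "no client SYN at the start of the capture: check capture point and filter"
    # Ignore retransmitted SYNs: the first segment that is not a client SYN is the reply.
    rest = [s for s in seq if s[:2] != ("client", {"SYN"})]
    if not rest:
        return "case 1: SYN without SYN+ACK, the server did not answer (possibly a firewall in the path)"
    direction, flags, _ = rest[0]
    if direction == "server" and "RST" in flags:
        return "case 2: SYN answered by RST, no service listening on the destination port"
    if direction == "server" and flags == {"SYN", "ACK"}:
        if len(rest) < 2 or rest[1][0] != "client" or "ACK" not in rest[1][1]:
            return "SYN+ACK seen but no client ACK: check the client side of the path"
        for _, flags, length in rest[1:]:
            if length > 0:
                return "handshake completed and data flowed: not a connection-setup problem"
            if flags & {"FIN", "RST"}:
                return "case 3: closed right after the handshake, check the server's access control lists"
        return "handshake completed; no further segments in the capture"
    return "unexpected reply to SYN: " + "+".join(sorted(flags))

# Constructed captures, one per case (addresses and sequence numbers are made up).
C = "IP 192.168.1.10.51000 > 10.0.0.9.80: Flags [{f}], seq 1000, win 64240, length {n}"
S = "IP 10.0.0.9.80 > 192.168.1.10.51000: Flags [{f}], seq 2000, ack 1001, win 65535, length {n}"
CAPTURES = {
    "syn_only": "\n".join([C.format(f="S", n=0), C.format(f="S", n=0)]),
    "rst": "\n".join([C.format(f="S", n=0), S.format(f="R.", n=0)]),
    "closed": "\n".join([C.format(f="S", n=0), S.format(f="S.", n=0), C.format(f=".", n=0), S.format(f="F.", n=0)]),
    "ok": "\n".join([C.format(f="S", n=0), S.format(f="S.", n=0), C.format(f=".", n=0), C.format(f="P.", n=77)]),
}

if __name__ == "__main__":
    for name, capture in CAPTURES.items():
        print(f"{name:9} {diagnose(capture)}")
```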
Second, using the network analyzer to solve network problems
One of the basic functions of network management is resolving the various faults in the network so that it can run normally. The key to solving a network failure is to locate the fault as soon as possible and then determine its cause. One way to speed up the resolution of network failures is to place network analyzers at every critical point in the network. The analyzers can then be used to understand the current transmission speed of the network, whether network sessions are normal, which equipment has failed, the cause of the failure, and so on.
Also, in order to solve network problems quickly and correctly, it is good practice to develop a troubleshooting strategy in advance. This minimizes the human error that occurs while handling a failure. A good procedure for dealing with network failures should generally include the following steps:
discovering the problem - understanding the problem - classifying the problem - isolating the problem - verifying and testing the cause of the problem - fixing the problem - verifying that the problem is really resolved.
Third, using the network analyzer for security management
A network analyzer is a very good network protocol analysis tool. It not only reveals the shortcomings of some network applications in the way they transfer data, for example FTP and Telnet transfer data in plaintext, so that a network analyzer can easily capture the important information in those packets (such as user names and passwords); it can also be used to check the security of the other network protocols that must be used on the network.
At the same time, a network analyzer can be used to locate the source of a worm spreading through the system, the source of a denial-of-service attack, and so on.
Therefore, using a network analyzer to analyze network traffic helps us find network security weaknesses and strengthen our security policies.
Six major free network sniffers: Wireshark, tcpdump, Dsniff, Ettercap, NetStumbler