Use the packet capture tool to easily troubleshoot network faults: ARP attacks

Source: Internet
Author: User

In the past, we sometimes encountered network paralysis caused by a broadcast storm or a virus in an Internet cafe network. At that time, we usually switched off the power of every switch and started the switches again later.

However, after the switches restarted we often found that the problem was not solved, because the network was paralyzed again soon afterwards. At this point we consider that a switch or a computer in the network has

We usually solve the problem by disconnecting the network segment by segment. After a long wait, we switch the switches back on one by one and use the ping command against China Telecom's test DNS server; the test DNS in Xiamen is 202.101.103.55. We run ping 202.101.103.55 -t to check whether the connection to China Telecom's test DNS is up. The -t parameter means ping continuously; without it, the ping command stops after four requests.

Each time we power on a switch, we check whether the ping to the DNS server is still normal, until the connection is interrupted; that tells us which switch is faulty. Then we unplug all the network cables on that switch and reconnect them one by one, checking whether the connection is normal until it is interrupted again; that tells us which cable is faulty, and the cable leads us to the problem host. Virus detection and removal on that host generally solves the problem.

However, we can see that the workload is very large. If there are many switches and more than one faulty computer, it takes a long time to solve the network problem completely. Fortunately we have a tool for this: a packet capture tool, also called a network sniffer. Sniffer Pro is a well-known professional sniffing product abroad, and there are also well-known domestic network analysis tools. With such a sniffer we can listen on the network out of band, that is, capture every packet on the network and then analyze those packets, and so quickly find the cause and the location of the network fault.

When a computer in the network communicates with another computer, it sends data packets onto the network. Each packet includes:

Source address: the computer from which the data is sent.

Target address: the computer the data is sent to.

Data: the specific data being sent.

[In fact, a network packet has many more fields, but we can look at them later.]

This packet is sent to every computer in the network, which means that any computer in the network receives it. When a computer receives the packet, it checks the target address; if the target address is its own, it accepts the packet, otherwise it discards it. If we set the NIC of a computer to promiscuous mode, that computer receives all packets on the network without discarding any.

This is the principle of sniffing.

Specific analysis:

Generally, there are two network faults:

First, a large volume of junk packets is transmitted and the network becomes congested. For example, a poisoned host in the network sends a large number of broadcast packets, that is, packets whose target address is 192.168.0.255 [we assume the network segment is 192.168.0.0/24]. In this case we can look at the captured packets to see which computer sends the most packets; generally the fault source is easy to find.

Second, a computer in the network is poisoned and sends ARP spoofing packets. What is an ARP spoofing packet?

Let's take a look at the concept of ARP:

There are two types of addresses in the network. One is the IP address we all know, for example 192.168.0.1. The other is the physical address, for example 00-e0-4c-8c-25-69; this is the MAC address, a globally unique address that the manufacturer sets on the NIC when it leaves the factory. When data is actually transmitted on the network, the source and destination addresses used are not IP addresses but MAC addresses. Let's look at how data is transmitted over the network.

When a computer needs to send data to another computer, for example when 192.168.0.2 (MAC address 00-19-e0-29-7f-47) wants to send data to 192.168.0.3 (MAC address 00-11-5b-7e-08-ae), 192.168.0.2 first sends an ARP broadcast on the network. The structure of the ARP broadcast packet is:

Source address: 192.168.0.2, MAC address 00-19-e0-29-7f-47

Target address: 192.168.0.3

Packet: "Who is 192.168.0.3? Please return your MAC address"

When 192.168.0.3 receives it, it returns a packet:

Source address:

IP address: 192.168.0.3

MAC address: 00-11-5b-7e-08-ae

Packet: "My MAC address is 00-11-5b-7e-08-ae"

When 192.168.0.2 receives this packet, it records the MAC address of 192.168.0.3 in its local ARP cache.

We can view the cache with the arp -a command:

C:\> arp -a

Interface: 192.168.0.2 --- 0x2

  Internet Address      Physical Address      Type

  192.168.0.3           00-11-5b-7e-08-ae     dynamic

Here, Internet Address is the IP address, Physical Address is the MAC address, and the Type dynamic means the entry is updated dynamically.

By default, an ARP cache entry times out after two minutes; after that, a new ARP query is initiated. ARP spoofing exploits this feature.

Generally, ARP spoofing targets the gateway, that is, the node that everyone must pass through to reach the Internet. For example, in a typical network 192.168.0.1 is the gateway address; assume its MAC address is 00-90-7f-2e-47-bf.

Let's look at how 192.168.0.2 performs ARP spoofing.

First, 192.168.0.2 continuously sends packets into the network in the following format:

Source address:

IP: 192.168.0.2, MAC: 00-19-e0-29-7f-47

Target address: 192.168.0.255 [broadcast, meaning every computer on the network receives it]

Packet: "I am 192.168.0.1, and my MAC is 00-19-e0-29-7f-47"

[The real MAC address of 192.168.0.1 is 00-90-7f-2e-47-bf]

After receiving this ARP spoofing packet, every computer in the network updates its local ARP cache,

changing the MAC address recorded for 192.168.0.1 from the correct 00-90-7f-2e-47-bf to the MAC address of 192.168.0.2, 00-19-e0-29-7f-47. From then on all data meant for the gateway is sent to 192.168.0.2 instead, and the sending computer does not know that it went to the wrong place. The computer 192.168.0.2 can analyze the captured packets to obtain the data it wants, such as accounts and passwords. This is generally what the virus is ultimately after.

From the above we know that a computer performing ARP spoofing must send a large number of ARP replies rather than ARP requests. We only need to look at the captured packets: whichever host sends a large number of ARP replies is the culprit, and it can be found quickly.
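The two checks described above (the "who sends the most packets" check for the broadcast-storm fault and the "who sends the most ARP replies" check for the spoofing fault) can be scripted instead of read off a sniffer screen. The following Python program is an added example and is not part of the original article or of any sniffer product: it builds a small, constructed capture using the addresses from the text (gateway 192.168.0.1 at 00-90-7f-2e-47-bf, host 192.168.0.2 at 00-19-e0-29-7f-47, host 192.168.0.3 at 00-11-5b-7e-08-ae), parses the raw Ethernet/ARP frames, and then flags the top talker, any host sending more than a threshold of ARP replies, and any IP address that two different MAC addresses claim to own. The frames, the threshold of 10 and the helper names are all assumptions made for the example; on a real network the frame list would come from a packet capture.

```python
import struct
from collections import Counter, defaultdict

ETH_HDR_LEN = 14
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    """Bytes -> 'aa-bb-cc-dd-ee-ff' (the dash format used in the article)."""
    return "-".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split("-"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip,
              dst_mac="ff-ff-ff-ff-ff-ff"):
    """Build an Ethernet frame carrying an ARP packet (constructed test data only)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < ETH_HDR_LEN + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    body = frame[ETH_HDR_LEN:ETH_HDR_LEN + 28]
    _htype, _ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if hlen != 6 or plen != 4:
        return None
    return {
        "op": op,
        "sender_mac": mac_str(body[8:14]),
        "sender_ip": ip_str(body[14:18]),
        "target_mac": mac_str(body[18:24]),
        "target_ip": ip_str(body[24:28]),
    }


def analyze(frames, reply_threshold=10):
    """Apply both checks from the article to a list of raw frames."""
    src_counts = Counter()          # fault 1: which MAC sends the most frames
    reply_counts = Counter()        # fault 2: which MAC sends the most ARP replies
    ip_to_macs = defaultdict(set)   # which MACs claim each sender IP
    for frame in frames:
        src_counts[mac_str(frame[6:12])] += 1
        arp = parse_arp(frame)
        if arp is None:
            continue
        if arp["op"] == ARP_REPLY:
            reply_counts[arp["sender_mac"]] += 1
        ip_to_macs[arp["sender_ip"]].add(arp["sender_mac"])
    # An IP claimed by two different MACs is the signature of the cache being rewritten.
    conflicts = {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1}
    suspects = sorted(mac for mac, n in reply_counts.items() if n >= reply_threshold)
    return {
        "top_talkers": src_counts.most_common(3),
        "reply_counts": dict(reply_counts),
        "conflicts": conflicts,
        "suspects": suspects,
    }


def sample_capture():
    """Constructed capture: one normal exchange, one gateway lookup, then the spoof flood."""
    GW_IP, GW_MAC = "192.168.0.1", "00-90-7f-2e-47-bf"
    H2_IP, H2_MAC = "192.168.0.2", "00-19-e0-29-7f-47"
    H3_IP, H3_MAC = "192.168.0.3", "00-11-5b-7e-08-ae"
    frames = [
        build_arp(ARP_REQUEST, H2_MAC, H2_IP, "00-00-00-00-00-00", H3_IP),
        build_arp(ARP_REPLY, H3_MAC, H3_IP, H2_MAC, H2_IP, dst_mac=H2_MAC),
        build_arp(ARP_REQUEST, H3_MAC, H3_IP, "00-00-00-00-00-00", GW_IP),
        build_arp(ARP_REPLY, GW_MAC, GW_IP, H3_MAC, H3_IP, dst_mac=H3_MAC),
    ]
    # 192.168.0.2 repeatedly "answers" for the gateway, as the article describes
    frames += [build_arp(ARP_REPLY, H2_MAC, GW_IP, "ff-ff-ff-ff-ff-ff", "192.168.0.255")
               for _ in range(20)]
    return frames


if __name__ == "__main__":
    result = analyze(sample_capture())
    print("top talkers:", result["top_talkers"])
    print("ARP replies per MAC:", result["reply_counts"])
    print("IPs claimed by several MACs:", result["conflicts"])
    print("suspected ARP spoofers:", result["suspects"])
```

On the constructed capture the same host comes out on top in all three views: it is the top talker, it has sent 20 ARP replies against one each for the real gateway and 192.168.0.3, and 192.168.0.1 is claimed by two MAC addresses. In practice the reply count alone can also be inflated by a busy but honest gateway, so the conflict check (one IP, two MACs) is the more reliable of the two signals.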

Professional network sniffing tools greatly simplify daily network management.

In this way, we no longer need to power the switches off one by one, or unplug and reconnect the network cables one at a time.
