Ethereal is an open-source network protocol analyzer that can capture packets off the network in real time or read saved capture files for later analysis. It is easily the best, easiest to use, and most useful open-source tool ever ported to the Windows environment. Its user interface is as beautiful as any that you will find in an open-source tool, and its feature set mimics expensive commercial products. For many honeypot administrators, Ethereal will be all they need in a network sniffer.
Originally coded by Gerald Combs, Ethereal’s list of authors now includes several hundred contributors. It is pronounced like the word ethereal (“i-THEER-ee-ul”), the heavenly concept it was named after, but it is acceptable to call it “ether-reel,” too. Ethereal was originally a Linux/Unix program, but was ported to the Windows platform years ago. The Windows port is aggressively maintained and used by tens of thousands of people around the world. Solaris, BeOS, FreeBSD, NetBSD, AIX, HP-UX, Apple Macintosh, and S/390 versions are available as well. It has a very active development community, and technical support questions can be sent to the Ethereal mailing list. Unlike most open-source programs, Ethereal comes with a professional-looking instruction manual; the PDF version weighs in at over 400 pages. That sure beats a one-page man file.
Ethereal can read capture files from a variety of other sniffers, including tcpdump, Network General’s Sniffer, Microsoft’s Network Monitor, Novell’s LANalyzer (now languishing away), WildPackets’ EtherPeek, and Network General’s Netasyst products. It can decode more than 470 different network protocols, including every protocol I’ve ever vaguely heard about. More protocols are added all the time, and you can write your own packet dissectors to identify any traffic you like. Layer 2 protocols supported include Ethernet, PPP, Token Ring, FDDI, wireless 802.11, and ATM.
Ethereal comes in both GUI and command-line forms (the latter is useful for scripting). Captured data can be analyzed in real time without stopping the capture, and several intelligent analysis features exist. For instance, you can reassemble an HTTP session into a human-readable TCP stream and read the HTTP requests and HTML instead of the raw packet data.
Chapter 5 explained how to install Ethereal. Version 0.10.8 is the latest version of Ethereal as I write this book. You must have WinPcap installed for Ethereal to capture packets and work.
You can start Ethereal by double-clicking the main Ethereal icon or by executing ethereal.exe. Running ethereal.exe without any additional command-line parameters shows the same screen as double-clicking the icon, but you can add parameters to script its startup behavior.
When you first start Ethereal, you may be asked to select which network interface card to bind to Ethereal. Although each instance of Ethereal can be bound to only one network interface card, you can start multiple instances, each bound to a different card.
You can start the packet-capturing process using the Capture menu, and you can also set capturing options, as described in the next section. Figure 9-6 shows an example of the main Ethereal screen with packet-capture data. The screen is divided into three resizable parts.
Figure 9-6: The main Ethereal screen with packet-capture data
The top pane shows summarized packet information taken during a capture session, organized in the following columns:
No.: The logical packet number during that capture session
Time: The time of the packet relative to the start of the capture session, in seconds with microsecond resolution (every new capture session begins at 0.000000)
Source: The source IP address of the packet
Destination: The destination IP address of the packet
Protocol: The protocol used by the packet
Info: Basic information and/or data in the packet
You can click on a column heading to sort packets by that field of information.
The Protocol column shows the highest-layer protocol that Ethereal’s decoders recognized. Higher-layer protocols such as DNS, FTP, or HTTP are identified by name when recognized, even though they run on top of a lower-layer protocol like TCP or UDP. When you see plain TCP or UDP in this column, it usually means either that the packet carries no higher-layer payload (a handshake or a bare acknowledgment, for example) or that Ethereal could not recognize the higher-layer protocol. Recognition is largely port-based: if I run my web server on any port other than the standard HTTP port 80, the captured traffic is marked as TCP, as shown in Figure 9-7, not as HTTP, even though it is normal web traffic. You can add ports to a protocol’s decoder in its preferences, or right-click a packet in the conversation and choose Decode As to decode the whole stream as a particular protocol picked from a list. For a honeypot this matters: attackers deliberately run their services on nonstandard ports, so an unexplained TCP label is a reason to look closer, not to move on.
Figure 9-7: Ethereal showing HTTP traffic on a port other than 80
Each packet in the summary window can be selected to bring up the details in the lower two panes. The middle pane shows a logical view of the packet, from frame type to application protocol, broken up roughly according to the OSI layer, as shown in the example in Figure 9-8. The middle pane contains the following information:
Frame number (Frame 32 in Figure 9-8)
Frame type (Ethernet II in Figure 9-8), showing the physical MAC addresses involved
Network protocol (IP in Figure 9-8), listing the source and destination IP address
Transport protocol (TCP in Figure 9-8), listing the source and destination ports, along with TCP packet and flag settings
Figure 9-8: Ethereal’s middle pane shows packet layer information.
The bottom Ethereal pane shows the data payload information (in hexadecimal format by default) of the selected packet. In Figure 9-8, the HTTP protocol layer is selected.
The Ethereal GUI has five top menus. I’ll cover the features on each menu (except the View menu, since that’s easy to figure out) that interest most honeypot administrators.
The File menu options allow you to open, close, load, and print capture files. You can print one or all packets, or any number of selected packets. You can print packet summaries, similar to what you see in the top pane, or you can print packet details. Packet details can mimic what you see in the middle viewing pane, the hex data you see in bottom pane, or some combination thereof. You can also export packet data, some or all, to an external file.
The Edit menu lets you find or mark frames and modify preferences or filters. You can search for packets by character string, either in the fully decoded packet or in the payload data only. A common search is for the PASS command that precedes a plain-text password in many protocols, including POP, telnet, and FTP (on an encrypted session such as SSH there is nothing readable to find). When you’re looking for malicious hacker commands, you might search for the long runs of filler bytes (0x90 NOP sleds, for instance) typical of buffer overflow attempts, a virus signature, or a login account name of interest. You can mark packets and later, using the View menu, highlight selected packets with a color to denote their significance.
The Edit menu’s Preferences option lets you modify Ethereal’s information display and runtime operations. You can add, delete, or rearrange columns. I frequently add the delta time, source port, and destination port columns to my views. You can turn promiscuous mode on (the default) and off, and tell Ethereal whether to display captured packets in real time. You can also tell Ethereal to resolve MAC addresses to vendor names, port numbers to service names, and IP addresses to host names (DNS). The first two are local table lookups that merely slow Ethereal down; DNS resolution, however, makes the sniffer send its own queries onto the network, which is slower still and, on a honeypot, is a good way to tell an attacker watching for reverse lookups of his address that something is listening, so leave it off. You can also change the default capture options and enable specific decoder options for each protocol.
Updating the display in real time is convenient, but under heavy capture loads it has a big impact on performance and can cost you dropped packets. I recommend leaving real-time display off, which is the default, and letting Ethereal capture undisturbed until you stop it.
Changes made in the Edit menu’s dialogs must be applied and then saved; restart Ethereal afterward to be sure they take effect.
The Capture menu is where most administrators spend their time. You can stop and start packet capturing using this menu, modify what you capture, and select different preferences on the fly. The screen displayed by the Capture Start menu option is shown in Figure 9-9. You can set the following options:
Specify the interface to capture packets on (one per instance)
Choose a link layer type if you have multiple link layers, such as Ethernet vs. FDDI vs. Token Ring
Specify a limit to how much of each packet to capture
Define a capture filter (as described after this list)
Enable or disable promiscuous mode
Specify the capture file name
Choose whether to use a ring buffer that will overwrite data on a first-in, first-out basis when the capture buffer is full
Select to rotate capture files every x seconds
Choose to update the screen during packet capturing and whether or not the screen should scroll to display the latest captured packets
Set capture file limitations, based on number of packets captured, size of data captured, or number of seconds capturing has been enabled
Select name resolution options
Figure 9-9: Ethereal Capture Options dialog box
Most honeypot administrators should capture all traffic and narrow it down afterward, but you can build filters to pick out data of special interest. Ethereal has two kinds of filter, and they use different languages. A capture filter, set with the Filter option in the Capture Options screen, decides which packets are recorded at all; it uses the tcpdump filter syntax, because Ethereal’s capture engine is the same libpcap/WinPcap library that tcpdump uses. For example, the capture filter tcp port 80 and host 184.108.40.206 would record only HTTP traffic to and from my honeypot. A display filter, applied after capture from the Analyze menu, hides packets without discarding them and uses Ethereal’s own field syntax, for example (ip.addr eq 220.127.116.11 and ip.addr eq 10.4.4.222) and (tcp.port eq 80 and tcp.port eq 3618), which shows one conversation between two hosts on two ports. Typing a display-filter expression into the capture filter field (or vice versa) produces a syntax error. Both languages are boolean expressions built from and, or, and not, so as long as you can state your logic that way, you can select exactly the packets that meet the criteria. Filters can be saved under different names for reuse. Consult Ethereal’s documentation for the full syntax.
If you need to build complicated packet filters, investigate a commercial alternative product like Network General’s Netasyst Network Analyzer (http://www.networkgeneral.com) or WildPackets’ EtherPeek NX (http://www.wildpackets.com).
After you stop capturing, the Analyze menu has several options that make tracking malicious hackers easier. One lets you quickly collect summary information and statistics, broken down by IP address, frame type, and so on. My favorite is the conversation analysis, which shows which foreign machines talked to the honeypot and how much (what other protocol analyzers call “high talkers”). On one screen you can see who did the most talking with the honeypot and which ports and IP addresses were used, as shown in Figure 9-10.
Figure 9-10: Ethereal’s TCP Conversation screen
Ethereal’s Follow TCP Stream feature is even more useful. When you identify a packet of interest, right-click it (or use the Analyze menu) and choose Follow TCP Stream. Ethereal collects every packet of that TCP connection (the same pair of addresses and ports, in both directions), puts the payloads back in sequence order, and shows you the reassembled data of the session, with the two directions distinguishable. It certainly beats logically connecting dozens or hundreds of related packets yourself. Note that a stream is one connection: a second session between the same two hosts on a different source port is a separate stream, and an encrypted session (SSH, SSL) reassembles into unreadable ciphertext.
For example, in Figure 9-11, Ethereal captured over 100 packets surrounding a hacker probing an FTP site on my honeypot. I selected a single packet of interest and chose Follow TCP Stream, and Ethereal reassembled the payload of that one communication stream between the originating host and my honeypot and displayed the data. In this case, the stream revealed the hacker trying easy passwords and common login names, as shown in Figure 9-12.
Figure 9-11: Ethereal showing packets of a captured hacker session
Figure 9-12: Ethereal showing the TCP stream (using the Follow TCP Stream feature) for a packet
When used together, Ethereal’s features are very powerful. My honeypot often has one or more crackers or automated tools attacking at the same time, so Ethereal may have captured thousands to tens of thousands of packets. Here’s what I do:
Use the Edit menu’s Find Packet option to find packets of interest.
Apply a display filter (Analyze menu, Display Filters) to show just the packets of interest. Ten thousand packets become maybe a few hundred.
Right-click a packet and choose Follow TCP Stream. Ethereal shows me the reassembled payload of that session.
Use the File menu to export just the packets I have selected to a separate capture file. Then I replay that file through Snort, which identifies any attacks it has signatures for.
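As an added illustration (this is not code from the book or from Ethereal), the following Python script performs the four steps above, and the capture-versus-display filter distinction discussed earlier, on a constructed capture: it reads a pcap file, finds the packets whose payload contains PASS, applies an ip.addr/tcp.port style display filter, follows the TCP stream from one of the hits, and writes the selected packets to a new pcap that Snort could replay. The FTP session, the honeypot address 192.168.1.10, the attacker 10.4.4.222:3618, and the unrelated web request from 10.9.9.9 are all made up for the example; no real capture is involved.

```python
"""Added example (not the book's text or Ethereal's own code): a tiny pcap
reader/writer with Find Packet, Display Filter, Follow TCP Stream and Export,
run over a constructed FTP brute-force session.  Addresses are made up."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def write_pcap(records):
    """records: iterable of (ts_sec, ts_usec, frame_bytes) -> pcap file bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """pcap file bytes -> list of (ts_sec, ts_usec, frame_bytes)."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((sec, usec, data[off:off + incl]))
        off += incl
    return records

def parse_frame(frame):
    """Ethernet II / IPv4 / TCP -> the fields the filter and stream logic need,
    or None for anything else (ARP, UDP, ...).  Checksums are not verified."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "seq": seq, "payload": tcp[data_off:]}

def matches(pkt, ip_addr=None, tcp_port=None):
    """Display-filter semantics: ip.addr eq X is true for either endpoint and
    tcp.port eq N for either port, so 'ip.addr eq A and ip.addr eq B' is one conversation."""
    if pkt is None:
        return False
    if ip_addr is not None and ip_addr not in (pkt["src"], pkt["dst"]):
        return False
    return tcp_port is None or tcp_port in (pkt["sport"], pkt["dport"])

def follow_tcp_stream(records, index):
    """Follow TCP Stream: every packet sharing the selected packet's 4-tuple (both
    directions), and each direction's payload reassembled in sequence order with
    exact retransmissions dropped.  Returns (indexes, sender_data, receiver_data)."""
    ref = parse_frame(records[index][2])
    a, b = (ref["src"], ref["sport"]), (ref["dst"], ref["dport"])
    members, segments = [], {a: {}, b: {}}
    for i, (_, _, frame) in enumerate(records):
        p = parse_frame(frame)
        if p and {(p["src"], p["sport"]), (p["dst"], p["dport"])} == {a, b}:
            members.append(i)
            if p["payload"]:
                segments[(p["src"], p["sport"])].setdefault(p["seq"], p["payload"])
    def reassemble(segs):
        return b"".join(segs[s] for s in sorted(segs))
    return members, reassemble(segments[a]), reassemble(segments[b])

def build_frame(src, sport, dst, dport, seq, payload):
    """Constructed traffic: Ethernet II + IPv4 + TCP (PSH,ACK); MACs and checksums zeroed."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

HP, ATT, NOISE = "192.168.1.10", "10.4.4.222", "10.9.9.9"   # made-up addresses
SAMPLE_PCAP = write_pcap((1100000000 + i, 0, f) for i, f in enumerate([
    build_frame(HP, 21, ATT, 3618, 1000, b"220 FTP server ready\r\n"),
    build_frame(ATT, 3618, HP, 21, 5000, b"USER administrator\r\n"),
    build_frame(HP, 21, ATT, 3618, 1022, b"331 Password required\r\n"),
    build_frame(NOISE, 1025, HP, 80, 7000, b"GET / HTTP/1.0\r\n\r\n"),   # unrelated chatter
    build_frame(ATT, 3618, HP, 21, 5020, b"PASS password\r\n"),
    build_frame(ATT, 3618, HP, 21, 5020, b"PASS password\r\n"),          # retransmission
    build_frame(HP, 21, ATT, 3618, 1045, b"530 Login incorrect\r\n"),
]))

def analyze(pcap_bytes, needle=b"PASS", ip_addr=ATT, tcp_port=21):
    """The four manual steps, automated: find, filter, follow, export."""
    records = read_pcap(pcap_bytes)
    parsed = [parse_frame(f) for _, _, f in records]
    found = [i for i, p in enumerate(parsed) if p and needle in p["payload"]]      # Find Packet
    filtered = [i for i, p in enumerate(parsed) if matches(p, ip_addr, tcp_port)]  # Display Filter
    if not found:
        raise ValueError("no packet contains %r" % needle)
    members, client, server = follow_tcp_stream(records, found[0])                 # Follow TCP Stream
    return {"found": found, "filtered": filtered, "stream_members": members,
            "client_data": client, "server_data": server,
            "export": write_pcap(records[i] for i in members)}                     # File > Export

if __name__ == "__main__":
    r = analyze(SAMPLE_PCAP)
    print("packets with PASS:", r["found"], " whole conversation:", r["stream_members"])
    print(r["client_data"].decode(), end="")
```

The filter is applied to the parsed packets after they are read, which is exactly the display-filter side of the distinction: nothing is thrown away, so the unrelated web request is still in the capture and still available if it turns out to matter. The exported file contains only the six packets of the FTP conversation, retransmission included, in the same pcap format Snort reads with its -r option.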
You can be the expert and sift through all the packets, making judgment calls, or you can let Ethereal and Snort do the grunt work, so you only need to get involved in the custom work.
Go to the Honeynet Project Scan of the Month web site (http://www.honeynet.org/scans). There you’ll find forensic challenges based on real attacks against Honeynet Project honeypots. Often the challenge includes all the network traffic captured during the attack, usually in tcpdump format, which both Ethereal and Snort read directly.
Use the packet data to do your own honeypot forensic investigation. Do a cursory review of the traffic in Ethereal as you read the report summary. Then find a packet of interest, use Follow TCP Stream, and export the data to Snort for a cursory review. This is how real honeypot forensic investigations begin. Have fun!
The tcpdump utility isn’t included with Ethereal, but it is built on the same packet capture library (libpcap on Unix, WinPcap on Windows) that Ethereal and Snort use, so all three read and write the same capture file format. Often, honeypot administrators use tcpdump to capture malicious traffic to a file, and then import that file into Ethereal or Snort for analysis. This gives you high real-time capture performance with minimal packet loss and lets you do the back-end analysis efficiently.
You can download tcpdump from http://www.tcpdump.org. A Windows version, WinDump, can be downloaded from http://windump.polito.it. Tcpdump, working with WinPcap (or libpcap on Unix), captures network traffic to a file or displays it to the end user. As you can see in Figure 9-13, tcpdump’s or WinDump’s interface isn’t nearly as pretty as Ethereal’s, but it’s a fast and efficient way to capture large amounts of network traffic. By default it prints one-line packet summaries to the screen. To save complete packets to a file for later decoding, issue the following command (for WinDump):
windump -i <interface> -s 1500 -w <capture filename>
The -s option sets the snapshot length, that is, how many bytes of each packet are saved. This matters on a honeypot: older versions of tcpdump default to a small snaplen (68 bytes), which keeps the headers but throws away the payload you most want to read. Use 1514 to capture a full standard Ethernet frame (1500 bytes of IP data plus the 14-byte Ethernet header), or -s 0 on versions that accept it to capture whole packets regardless of size.
Figure 9-13: WinDump screen
Ethereal comes with several command-line utilities to make specific jobs easier. I’ll cover the tools helpful to honeypots here:
Tethereal.exe: This is a command-line version of Ethereal. It supports the same command-line options that Ethereal does, but without displaying the Ethereal GUI. Honeypot administrators use Ethereal to analyze packets, but many use Tethereal in scripts and batch files to do the actual data capturing (instead of WinDump). Tethereal is useful in DOS and other terminal server-like environments when displaying a GUI is not an option. Type tethereal -h to get a full list of command-line parameters.
Editcap.exe: This is a command-line utility for editing capture files. You run it against a capture file to extract just the packets you are looking for, selected by packet number or range, not by display filter expression. It can delete the specified packets from a capture file (its default behavior) or, with the -r option, keep only those packets; it can also convert capture files from one format to another and truncate packets to a given snaplen. If you want to extract packets by display filter in a script, use Tethereal instead: tethereal -r <infile> -R "<display filter>" -w <outfile>.
Mergecap.exe: This utility combines multiple capture logs into one log file. Packets from the input files are sorted according to timestamps, although this default behavior can be modified. Mergecap can be useful when you’re trying to get a comprehensive overview of malicious traffic taken from different points throughout a honeynet.
Text2pcap.exe: This utility converts an ASCII hexadecimal dump into a tcpdump-style capture file that Ethereal can read. Its input is the format produced by od -Ax -tx1: each line starts with a hex offset followed by the packet bytes, and an offset of 0 starts a new packet. Many systems, like Snort, can log captured packets as ASCII hex dumps, because it is faster than decoding or formatting the data. If the dump format differs slightly from the od style, a small script can massage it first. You can use Text2pcap in a script or batch file to take what Snort logged and automatically feed it to Ethereal for analysis.
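As an added example (not code from the book or from the Ethereal project), the following Python script shows what the Text2pcap and Mergecap steps above amount to: it parses an od-style hex dump in which an offset of 0 begins a new packet, wraps the resulting frames in a pcap file, and interleaves several captures in timestamp order the way Mergecap does by default. The ARP request and reply in the dump, the MAC addresses, and all timestamps are constructed for the example; Text2pcap itself has more options (timestamp parsing, adding dummy headers) that this does not attempt.

```python
"""Added example (not the book's or Ethereal's code): the core of text2pcap
(offset-prefixed hex dump -> pcap) and of mergecap (merge captures by time).
The ARP dump, MAC addresses and timestamps below are constructed."""
import heapq
import re
import struct

# A data line: hex offset, then one or more hex byte pairs.  Offset-only lines
# (od's trailing line), comments and Snort-style header lines do not match.
HEX_LINE = re.compile(r"^([0-9A-Fa-f]{4,})((?:\s+[0-9A-Fa-f]{2})+)")

def hexdump_to_frames(text):
    """Parse an od -Ax -tx1 style dump.  An offset of 0 starts a new packet."""
    frames, cur = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) == 0 and cur:
            frames.append(bytes(cur))      # offset wrapped to 0: previous packet done
            cur = bytearray()
        cur += bytes.fromhex(m.group(2))   # fromhex ignores the separating whitespace
    if cur:
        frames.append(bytes(cur))
    return frames

def write_pcap(records):
    """records: iterable of (ts_sec, ts_usec, frame) -> classic pcap bytes, Ethernet link type."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def text2pcap_bytes(text, first_ts=1100000000):
    """The dump carries no timestamps, so (assumption made here) give each packet a
    timestamp one second after the previous one, starting at first_ts."""
    frames = hexdump_to_frames(text)
    return write_pcap((first_ts + i, 0, f) for i, f in enumerate(frames))

def merge_captures(*captures):
    """mergecap's default: each input is already in time order; interleave all of
    them by (sec, usec) so packets seen at different honeynet sensors line up."""
    return list(heapq.merge(*captures, key=lambda r: (r[0], r[1])))

SAMPLE_DUMP = """\
# constructed: ARP request for 192.168.1.1 followed by the reply (od -Ax -tx1 -v style)
000000 ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01
000010 08 00 06 04 00 01 00 11 22 33 44 55 c0 a8 01 0a
000020 00 00 00 00 00 00 c0 a8 01 01
00002a
000000 00 11 22 33 44 55 00 aa bb cc dd ee 08 06 00 01
000010 08 00 06 04 00 02 00 aa bb cc dd ee c0 a8 01 01
000020 00 11 22 33 44 55 c0 a8 01 0a
00002a
"""

if __name__ == "__main__":
    frames = hexdump_to_frames(SAMPLE_DUMP)
    print("packets:", len(frames), "sizes:", [len(f) for f in frames])
    sensor_a = [(100, 0, frames[0]), (102, 0, frames[0])]   # two sensors, constructed times
    sensor_b = [(101, 500000, frames[1])]
    print("merged order:", [(r[0], r[1]) for r in merge_captures(sensor_a, sensor_b)])
    print("pcap bytes:", len(text2pcap_bytes(SAMPLE_DUMP)))
```

The one rule worth remembering from this is the offset-0 convention: a dump that restarts its offsets for every packet converts cleanly, while a dump with a single running offset across packets (or with a text column that looks like hex) turns into one giant frame or garbage, so check the packet count after conversion before trusting the result.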
Ethereal and its companion utilities allow complete network packet analysis, but you cannot depend on it to automatically sort malicious packets from the legitimate chatter. As described in the next section, Snort can alert you to malicious activities that require network packet analysis.