Network packet analysis tutorial

packet analysis reference guide and http packet analysis
HartJohnson, United States, Professional
Published Date: 02-08-2017
Chapter 4: Packet analysis
You've Been Framed

"This is the last place they'll look for my network data..."

It's time to go under the hood. Network devices send data down the cable by converting the data into a signal. But how do they do this? And what else might be hiding in the signal? Just like a doctor needs to look at blood cells to identify blood-borne diseases, a network pro needs to look at what's in the network signal to detect network intrusions, perform audits, and generally diagnose problems. And the key to all of this is packet analysis. Keep reading while we put your network signal under the microscope.

What's the secret message?

The Head First Spy Agency specializes in conducting undercover investigations on behalf of their clients. No job is too big or too small, and they've just recruited you to their cause. Here's your first assignment:

From: cloakboss@spydept.gov
To: network_ops1@spydept.gov
Subject: Mole on the network

We intercepted a rogue signal we believe is being sent by a mole on our network. It looks like it's being sent to our main rival over the Ethernet. Can you sift through all the network stuff and extract the message? If company secrets are being passed on to our rival, we're in big trouble.

(Photo caption: Here's the mole - but what message is he sending?)

So how do we extract a message from a signal? We've seen before that network signals contain network data. This data is encoded into a format that computers can use, so if we can decode the signal, we should be able to extract the hidden message. But how do we do this?

Exercise

Think of three different ways the same signal could be converted into 1's and 0's. It's okay if you don't get them right. We've done the first one for you. (The signal diagram is not reproduced here: it is a waveform of high and low horizontal bars crossed by evenly spaced vertical dotted lines, one per clock tick. Each method reads a bit where a dotted line meets the waveform.)

1. Start at 0. Where a high horizontal bar meets a vertical dotted line, we repeat the last number we got. Where a low horizontal bar meets the vertical dotted line, we flip to the opposite number.
   Result: 0 1 1 1 1 0 1 1 1 0 1 1
2. ___
3. ___

Could this signal represent something other than 1's and 0's?
Your data's encoded: solution

Think of three different ways the same signal could be converted into 1's and 0's. We've done the first one for you.

1. Start at 0. Where a high horizontal bar meets a vertical dotted line, we repeat the last number we got. Where a low horizontal bar meets the vertical dotted line, we flip to the opposite number.
   Result: 0 1 1 1 1 0 1 1 1 0 1 1
   This encoding method is known in the industry as Non-Return to Zero Inverted (NRZ-I).

2. Where a high horizontal bar meets the vertical dotted line, we get a 1. Where a low horizontal bar meets a vertical dotted line, we get a 0.
   Result: 1 0 1 1 1 0 0 1 1 0 0 1
   This encoding method is known in the industry as Non-Return to Zero (NRZ).

3. Whenever the signal changes from high to low, encode a zero. Whenever the signal changes from low to high, encode a one.
   Result: 0 0 0 1 0 0 1 1 0 0 1 1
   This is known as Manchester encoding.

(Check on method 1: it reads the same twelve sample points as method 2, so the levels are high, low, high, high, high, low, low, high, high, low, low, high. Starting at 0 and flipping on each low sample gives exactly the string above.)

Tonight's talk: Manchester Phase Encoding vs. Non-Return to Zero

Manchester Phase Encoding: Welcome, Non-Return to Zero. Is there something I can call you for short?

Non-Return to Zero: I prefer NRZ, but some folks call me NRZ-L for Non-Return to Zero Level. My name's nice and transparent. When I encode a signal, it starts at zero voltage, but it never gets to go back to zero voltage.

Manchester: So you give a positive voltage a one and a negative voltage a zero?

NRZ: I can do it that way or vice versa, depending on how I'm implemented, but I always stick to the rules of that implementation. I am a slim encoding technique. After all, I require only half the bandwidth you require.

Manchester: A little extra bandwidth is worth the price. I have built-in clocking. I make sure the data gets there, and I can spot errors. Can you do that?

NRZ: I like to keep the encoding process simple. Clocking is overrated.

Manchester: What happens when you have a whole bunch of bits in a row? Say you're trying to send a whole bunch of zeroes?

NRZ: What sort of crazy standard would allow for a bunch of bits in a row?

Manchester: Ethernet, for one. If you have a bunch of bits in a row, the signal sits there at the same voltage level for a long time. Without a clock, the sending device and the receiving device will get out of sync.

NRZ: I don't get caught up in all that high-falutin' stuff. Economy and simplicity is the name of my game.

Manchester: I use self-clocking. I give a network more bang for the buck. You'd be good for writing data to a hard drive, but you just don't cut it on a network, do you?

NRZ: Data should stay home. All that crazy travel over cables is unnecessary and fraught with problems.

Manchester: That's what I thought you might say.

Network cards handle encoding

Encoding is handled by the Network Interface Card, or NIC, inside the computer. It encodes and decodes digital signals, and is in charge of all the messaging ins and outs on the computer. Processors on the NIC do the signal conversion work. Read-Only Memory (ROM) chips on the NIC store the Media Access Control (MAC) address.
The NIC produces the voltage necessary to push the signal across the network. The MAC address is a unique identifier for the NIC, used in any data sent over a network. (Unique here means the manufacturer burned in a distinct value; the operating system can override it in software, so the MAC address seen on the wire is not proof of which machine sent a frame.) A port on the face of the card establishes an electrical connection with an RJ-45 connector on a network cable. Lights next to the port tell you that the NIC is connected to the network (1) and that the NIC is sending data on the network (2).

So how does the NIC encode the data?

The NIC starts by taking the message that needs to be sent across the network. It then turns the message into binary numbers, a series of 0's and 1's. After that, it encodes these numbers and sends the corresponding voltage signals through an attached network cable. (Figure: the message "This is a top secret message" leaving the computer as a signal on the cable.)

The Network Interface Card, or NIC, is the big boss when it comes to encoding. The NIC takes the message, encodes it, and then sends it as a signal across the network.

So if we know what the signal is, how do we find the original message?

To get the message, reverse the encoding

To find out what the message is, we need to decode the rogue network signal. Here's what we need to do.

1. Take the rogue signal. The signal is the series of voltage changes (+V, 0, -V) that's been transmitted along the cable. The message is hidden inside it.
2. Divide the signal into equal slices using a clocking mechanism. By this we mean a device that pulses regularly. The clock provides a regular heartbeat.
3. Convert the signal into a series of 0's and 1's. To do this, look at the voltage level where the clock pulse meets the signal. The voltage level at this point determines whether the value is a 0 or a 1.

So how do we decode the signal? The way in which we find the stream of 0's and 1's depends on the method used to encode the signal in the first place. So how do we know what this is?
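Here, as an added example and not code from the original chapter, are the three encodings from the exercise and the decode steps just described, in Python. It assumes the Ethernet (IEEE 802.3) Manchester convention, since the rogue signal travels over Ethernet: a low-to-high transition in the middle of the bit cell is a 1 and high-to-low is a 0. The NRZ-I function uses the common convention that a transition marks a 1 (the chapter's exercise instead flips on a low sample; both are NRZ-I variants). Voltage levels are modelled as +1 and -1, and the sample byte is constructed for the example.

```python
"""Line coding from the chapter: NRZ, NRZ-I and Manchester, plus a Manchester
decoder that works the way the decode steps describe (slice the waveform with a
clock, read the level at each sample). Voltages are +1 (high) and -1 (low)."""

HIGH, LOW = 1, -1


def nrz_encode(bits):
    """NRZ (NRZ-L): a 1 is held at the high level for the whole bit time, a 0 at low."""
    return [HIGH if b else LOW for b in bits]


def nrzi_encode(bits, start=LOW):
    """NRZ-I: a 1 toggles the level at the start of its bit cell, a 0 leaves it alone.
    (FDDI/4B5B convention; USB toggles on 0 instead, and the chapter's exercise
    toggles on a low *sample*. Pick one convention and stick to it, as NRZ says.)"""
    level, out = start, []
    for b in bits:
        if b:
            level = -level
        out.append(level)
    return out


def manchester_encode(bits):
    """IEEE 802.3 Manchester, built the way the chapter says the NIC does it:
    NRZ data XOR a clock that is high in the first half-bit and low in the second.
    Result: a 0 is high-then-low, a 1 is low-then-high (one transition per bit)."""
    out = []
    for b in bits:
        for clock in (1, 0):
            out.append(HIGH if b ^ clock else LOW)
    return out


def transitions(levels):
    """Count level changes: these are all a receiver has to recover the clock from."""
    return sum(1 for a, b in zip(levels, levels[1:]) if a != b)


def manchester_decode(levels):
    """Slice the waveform into two-sample bit cells and read the mid-cell transition.
    A cell without a transition is a code violation: noise, a bad cable, or a signal
    that is not Manchester at all. Report it rather than guessing a bit."""
    if len(levels) % 2:
        raise ValueError("odd number of samples: clock and signal are out of step")
    bits = []
    for cell, i in enumerate(range(0, len(levels), 2)):
        first, second = levels[i], levels[i + 1]
        if (first, second) == (LOW, HIGH):
            bits.append(1)
        elif (first, second) == (HIGH, LOW):
            bits.append(0)
        else:
            raise ValueError(f"no mid-bit transition in bit cell {cell}")
    return bits


def bits_from_str(s):
    """'0 1 0 0 1 0 1 0' -> [0, 1, 0, 0, 1, 0, 1, 0]"""
    return [int(ch) for ch in s.replace(" ", "")]


if __name__ == "__main__":
    data = bits_from_str("0 1 0 0 1 0 1 0")          # constructed sample byte
    encoders = (("NRZ", nrz_encode), ("NRZ-I", nrzi_encode), ("Manchester", manchester_encode))
    for name, enc in encoders:
        print(f"{name:<11}{enc(data)}")
    # The "Tonight's talk" point: sixteen zeros give NRZ and NRZ-I nothing to lock on to.
    zeros = [0] * 16
    for name, enc in encoders:
        print(f"{name:<11}transitions in 16 zeros: {transitions(enc(zeros))}")
    assert manchester_decode(manchester_encode(data)) == data
    try:
        manchester_decode([HIGH, HIGH, LOW, HIGH])    # first cell has no transition
    except ValueError as err:
        print("decoder refused corrupted cell:", err)
```

Running it shows that a run of zeros produces zero transitions under NRZ and NRZ-I but one per bit under Manchester, which is exactly why the receiver can stay in step. The decoder deliberately raises on a cell with no transition instead of returning a guessed bit; silently decoding garbage is how an analysis tool ends up reporting a message that was never sent.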
Encoding requires a standard

So what sort of encoding scheme does the rogue signal use? The signal is transmitted over Ethernet. This is a standard that engineers and manufacturers use when designing computers and network gear, and the protocol includes features such as Manchester phase encoding. So if the signal is sent using the Ethernet protocol, it uses Manchester encoding. More precisely, the Ethernet standard tells hardware how to encode the data: 10BaseT Ethernet specifies that the signal will be encoded using Manchester encoding. (Faster Ethernet variants use other line codes; see the Q&A below.)

Let's look at how this works:

1. The CPU in the computer sends data to the computer's NIC (in the figure, 0 1 0 0 1 0 1 0).
2. Inside the NIC, the NRZ encoded data is combined with a clock signal to create a Manchester encoded signal.
3. The signal is sent through the Ethernet cable.
4. The signal is received by the NIC at the other end.
5. Inside that NIC, the received Manchester encoded signal is converted back into NRZ. The NIC then lets the CPU know it has data.
6. The CPU in the receiving computer gets the data from its NIC.

You don't have to know the exact details of how encoding works. What is important for you to understand is that data in a computer is represented one way but is encoded into a signal when it is transmitted on a network.

In NRZ encoding, the binary data is represented by the high and low voltage levels; high is a 1, low is a 0. In Manchester encoding, it is the TRANSITION to a voltage that represents the data.

So what about...

Q: Why do we need to encode and decode signals?
A: If we don't encode and decode signals, they come in as raw waveforms, i.e. 1's and 0's represented by voltages. We can't do much with such waveforms. We encode and decode signals so that we have a way to carry data on the signal. Networking is all about sending messages, so encoding and decoding are crucial to networking.

Q: How many different kinds of data encoding are there?
A: Data encoding comes in many flavors: American Standard Code for Information Interchange (ASCII), Binary Coded Decimal (BCD), Differential Manchester Encoding (DME), Extended Binary Coded Decimal Interchange Code (EBCDIC), Feedback Shift Register (FSR), Manchester Phase Encoding (MPE), Non Return to Zero (NRZ), Non Return to Zero Inverted (NRZ-I), Return to Zero (RZ), and Unicode. Note that this list mixes two different layers: ASCII, BCD, EBCDIC and Unicode map characters to numbers, while NRZ, NRZ-I, RZ and the Manchester variants are line codes that map bits to voltages on the wire. Some older line codes in networking are Manchester, NRZ, and NRZ-I.

Q: As a network professional, I just need to know how to connect stuff. Why should I learn all of this math and physics?
A: Networking is all about sending messages (data) over a carrier (signals). To diagnose problems, a good mechanic needs to know all the aspects of how an engine works. Similarly, a networking professional needs to know how data is packaged to understand how to completely troubleshoot a network.

Q: Why don't we just encode data in one way and stick to that?
A: Different encoding methods have different advantages. Some encoding methods are more efficient. Some methods make errors easier to detect. Over time, better and better encoding methods come about. These methods offer different advantages and disadvantages over others.

Q: Older schemes? What is being used now in networking?
A: 4B/5B is used for Fast Ethernet (100BaseTX) and 8B/10B for Gigabit Ethernet over fiber (1000BaseX). The 4B/5B scheme puts 5 bits on the wire for each 4-bit group of data, and 8B/10B puts 10 bits on the wire for each 8-bit group. The extra bits are chosen so that every code word is guaranteed to contain transitions, which keeps the receiver's clock locked without paying Manchester's doubled bandwidth.

Q: Where do I go if I want to find out more about the Ethernet protocol?
A: The Ethernet protocol was written by the Institute of Electrical and Electronics Engineers (IEEE). You can find a whole lot more about the IEEE 802.3 Ethernet working group and its publications at the following sites:
http://grouper.ieee.org/groups/802/3/
http://standards.ieee.org/getieee802/

Q: What is error correction?
A: Any time you send data on a network, you can run into problems with that data. Different encoding methods allow for detection of those problems (Manchester, for example, guarantees a transition in every bit, so a bit cell without one is an obvious error). Correcting them takes added redundancy, such as an error-correcting code, or a retransmission after a checksum fails. Error detection and correction help maintain the integrity of your data.

So we know that the signal uses Manchester encoding because it's Ethernet. But how does that help us decode the message from the mole?

If we know how a signal's encoded, that means we can decode it. Knowing that the signal uses Manchester encoding means that we know the series of 1's and 0's that the signal represents. What we need to do next is translate this into something more meaningful. To do this, we need to understand how to translate binary numbers.

Manchester Encoding: a method used in networking which turns electric signals into data formats that a computer can read. The difference between Manchester and other binary encoding methods is that Manchester encodes data based on a change in the signal. The direction of the change in the signal determines whether the bit is a "0" or a "1." A more formal definition appears in Federal Standard 1037C, Glossary of Telecommunications Terms. You can find this document at the following URL: http://www.its.bldrdoc.gov/fs-1037/fs-1037c.htm

A quick guide to binary

The first thing you need to know about binary numbers is that they aren't based on 10 digits (0 to 9); they're based on 2 digits, 0 and 1. Here's how binary digits work. If you see a binary number like 0 or 1, this is the same as a decimal number 0 or 1. But how do we write a number like 2 in binary? Binary is a base 2 system. This means that each digit in a binary number represents an increasing power of 2.
The right-most digit in the binary number represents 2^0, the next represents 2^1, the next 2^2, and so on. In the number 11001, reading from the right, the digits sit under 2^0, 2^1, 2^2, 2^3 and 2^4.

So how do we convert a binary number to decimal?

To convert from binary, here's what you need to do:

1. Multiply each digit in the binary number by the corresponding power of 2:
   1 × 2^4   1 × 2^3   0 × 2^2   0 × 2^1   1 × 2^0
2. Add the whole lot up together:
   16 + 8 + 0 + 0 + 1 = 25

And there's your decimal number equivalent. So 11001 in binary is the same as 25 in decimal. Forget all about your other fingers, you only need two of them for binary. Each digit in the binary number represents a power of 2.

BE the Computer

Your job is to play the computer and convert the binary numbers below into decimal. We've done the first one for you.

  1 0 1 1 1 0 0 1   128 + 0 + 32 + 16 + 8 + 0 + 0 + 1 = 185
  1 0 1 0 1 0 0 1   ___
  0 1 0 1 1 0 0 0   ___
  0 0 0 1 1 1 1 0   ___
  1 1 1 1 1 1 1 0   ___

BE the Computer Solution

  1 0 1 1 1 0 0 1   128 + 0 + 32 + 16 + 8 + 0 + 0 + 1 = 185
  1 0 1 0 1 0 0 1   128 + 0 + 32 + 0 + 8 + 0 + 0 + 1 = 169
  0 1 0 1 1 0 0 0   0 + 64 + 0 + 16 + 8 + 0 + 0 + 0 = 88
  0 0 0 1 1 1 1 0   0 + 0 + 0 + 16 + 8 + 4 + 2 + 0 = 30
  1 1 1 1 1 1 1 0   128 + 64 + 32 + 16 + 8 + 4 + 2 + 0 = 254

Convert the signal

Try converting the signal below into binary and then into decimal. Use the Manchester encoding method to convert the signal. (The signal diagram is not reproduced here.)

Solution: reading the direction of the mid-bit transition in each clock slice gives

  0 1 0 1 1 0 0 1   0 + 64 + 0 + 16 + 8 + 0 + 0 + 1 = 89

"So are you telling me we can only send messages as numbers? That's a bit lame. What about text?"

We can convert the numbers into letters.
So far we've looked at how we convert the signal into binary, and from binary to decimal. What we really want to do though is convert the signal into something more meaningful, such as words. So how can we turn numbers into characters? The answer lies with ASCII...

Q: Why don't computers just use decimals like humans do?
A: Computers use binary because it's more convenient to implement with electronics. Electricity is easier to deal with when it's in two states, like on-off, high-low, positive-negative. If we had to represent ten numbers at the signal level, we'd have to represent ten states. To do so, we'd need expensive, highly sensitive electronics. We'd also have to account for errors in state and spend huge chunks of time error-correcting and troubleshooting. Binary is way easier and way cheaper to use.

Q: Where will I use binary in a day-to-day networking job?
A: The most common place you'll use binary as a network professional is in subnetting (which we cover in a later chapter). Subnetting can seem like magic if you don't understand the binary behind it. If you want to monitor packets on a network, binary can help you understand the data more completely. In the end, understanding binary makes you a better networking professional.

Q: Can you add, subtract, multiply, and divide binary numbers?
A: You can do all of the same operations we do with decimal numbers. You just need to learn some special rules to do so.

Q: Can't I just do binary on some sort of calculator?
A: On a Macintosh computer, you can use the Calculator app. When you open the app, choose "View > Programmer" and you've got a calculator that will do binary. For other operating systems, you can find and download a good programmer's calculator. You can also search the Internet for web-based binary converters.

There is another character encoding scheme. Another major character encoding scheme is Unicode. It allows for millions of characters.
Computers read numbers, humans read letters

We can convert a signal into numbers, but what can we do when we need text? We use something called the American Standard Code for Information Interchange (ASCII). Computers use this format when exchanging text, and many network protocols, HTTP and SMTP among them, still carry their commands and headers as ASCII. In computer-speak, each binary digit is called a bit, and eight bits together form a byte. It takes 1 byte to represent any character in the ASCII set.

  0 1 1 0 0 0 0 1  =  97

Each byte needs to be translated to an ASCII character. To do this, we convert each byte into its decimal equivalent, and then look up the corresponding character in an ASCII table, just like the one in Appendix ii. To get the ASCII character that corresponds to a decimal, the computer uses a table much like this one:

  Decimal   ASCII
  97        a
  98        b
  99        c

So 01100001 in binary is 97 in decimal, and the ASCII character represented by 01100001 is the letter a.

But isn't there an easier way?

The trouble with translating bytes into ASCII characters in this way is that the 0's and 1's quickly become overwhelming. It can be fiddly converting bytes into decimal numbers, and this means it's easy to make mistakes. So is there an easier way?

"Wouldn't it be dreamy if I could convert binary numbers into ASCII in some easier way than converting to decimal, and not have to juggle quite so many 1's and 0's? But I know it's just a fantasy..."

Hexadecimal to the rescue

There's a handier way of converting a byte into ASCII. Instead of looking up a decimal number in an ASCII table, we can look up its hexadecimal equivalent instead. Hexadecimal (hex) numbers use 16 digits, standing for the values 0 to 15:

  0 1 2 3 4 5 6 7 8 9 A B C D E F
  (A = 10, B = 11, C = 12, D = 13, E = 14, F = 15)

So if you see a hexadecimal digit like B, you know that it just means 11 in decimal.

Hex is a base 16 system, which means that each digit represents an increasing power of 16. The right-most digit represents 16^0, the next represents 16^1, and so on. In the number 0002A, reading from the right, the digits sit under 16^0, 16^1, 16^2, 16^3 and 16^4.

So how do we convert a hexadecimal number to decimal?

To convert a hexadecimal number to a decimal, take each digit in the hexadecimal number, multiply it by the power of 16 it represents, and then add the whole lot up together:

  0 × 16^4   0 × 16^3   0 × 16^2   2 × 16^1   A (10) × 16^0
  0 + 0 + 0 + 32 + 10 = 42

So 0002A in hex is the same as 42 in decimal. Each digit in a hexadecimal number represents a power of 16. Because 16 = 2^4, one hex digit stands for exactly four bits, so every byte is written as exactly two hex digits; that is what makes hex so handy for reading bytes.
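The binary, hex and ASCII steps above, as an added example in Python that is not code from the original chapter, done the way a packet analyst's hex dump does them: a single positional-value converter handles both base 2 and base 16, bytes are grouped from the bit stream, and the text column shows a dot for anything that is not printable ASCII. The sample bit stream is constructed for this example (it spells "abc" and a newline, not the mole's message), and all function names are my own.

```python
"""From a decoded bit stream to something a human can read: the binary,
hexadecimal and ASCII steps of the chapter, done the way a hex dump tool does."""

DIGITS = "0123456789ABCDEF"


def to_decimal(digits, base):
    """Positional conversion exactly as the chapter does it by hand: multiply each
    digit by the power of the base its position stands for, then add them all up.
    Works for '11001' in base 2 and '0002A' in base 16 alike."""
    if not 2 <= base <= 16:
        raise ValueError("base must be between 2 and 16")
    total = 0
    for position, ch in enumerate(reversed(digits.upper())):
        weight = DIGITS.find(ch)
        if weight < 0 or weight >= base:
            raise ValueError(f"{ch!r} is not a base-{base} digit")
        total += weight * base ** position
    return total


def clean_bits(bitstring):
    """Drop the spaces people put between bits and refuse anything but 0 and 1."""
    bits = "".join(bitstring.split())
    if set(bits) - {"0", "1"}:
        raise ValueError("bit stream contains something other than 0 and 1")
    return bits


def bits_to_hex(bitstring):
    """Why hex is handier than decimal: every group of four bits is exactly one hex
    digit, so a byte is read off as two digits with no arithmetic across the byte."""
    bits = clean_bits(bitstring)
    if len(bits) % 4:
        raise ValueError(f"{len(bits)} bits is not a whole number of nibbles")
    return "".join(DIGITS[to_decimal(bits[i:i + 4], 2)] for i in range(0, len(bits), 4))


def bits_to_bytes(bitstring):
    """Group the stream into 8-bit bytes. A length that is not a multiple of 8 means
    framing or clocking went wrong upstream, so it is an error, not something to pad."""
    bits = clean_bits(bitstring)
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    return bytes(to_decimal(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def byte_to_ascii(value):
    """Printable 7-bit ASCII, or '.' for anything else (control codes, bytes above
    0x7F). Never echo raw control bytes from captured traffic to a terminal."""
    return chr(value) if 0x20 <= value <= 0x7E else "."


def hexdump(data, width=8):
    """Offset, hex column, ASCII column: the layout of every packet analysis tool."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(byte_to_ascii(b) for b in chunk)
        lines.append(f"{offset:04x}  {hex_part:<{width * 3 - 1}}  |{ascii_part}|")
    return "\n".join(lines)


def decode_message(bitstring):
    """The whole chain: bits -> bytes -> ASCII text, with unprintables shown as '.'."""
    return "".join(byte_to_ascii(b) for b in bits_to_bytes(bitstring))


# Constructed sample stream for this example (it is not the mole's message):
# 'a' 'b' 'c' followed by a newline (0x0a), i.e. 97 98 99 10 in decimal.
SAMPLE_BITS = "01100001 01100010 01100011 00001010"

if __name__ == "__main__":
    print("11001 (base 2)  =", to_decimal("11001", 2))       # 25
    print("0002A (base 16) =", to_decimal("0002A", 16))      # 42
    print("hex of sample   =", bits_to_hex(SAMPLE_BITS))     # 6162630A
    print(hexdump(bits_to_bytes(SAMPLE_BITS)))
    print("message         =", decode_message(SAMPLE_BITS))  # abc.
```

The converter refuses digits that do not belong to the base and bit streams that are not a whole number of bytes rather than quietly padding them; when the input came off the wire, a length that does not fit is evidence that the framing or the clock recovery went wrong, and a tool that hides that will hand you a plausible-looking but wrong message.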