Understanding Networks Wk 5-7: Packet Sniffing

STEP 1: Packet Sniffing With Wireshark (~5 Hours)

I used Wireshark to capture and analyze the traffic on my home network. I left it running while I worked on other projects that required me to look up a bunch of sites for help (youtube, stack overflow, random blogs, unity’s documentation site). This step was done so I could get an overview of what a typical working session looks like on my home network. After this, I exported the data (which was way too large – a total of around 1 million data points, 300 MB) as a CSV. Then I used excel to do a little data analysis.

snippet of excel sheet with summary

a.) With Excel, I grouped all the protocols then got all the unique values.
There are 22 unique protocols.

ARP: address resolution protocol; “is a procedure for mapping a dynamic Internet Protocol address (IP address) to a permanent physical machine address in a local area network (LAN)”
Browser
DB-LSP: Dropbox LanSync Protocol,
DB-lSP-DISC: Dropbox LAN Sync Discovery
DNS: Domain Name System; “the phonebook of the Internet; DNS translates domain names to IP addresses so browsers can load Internet resources.”
EAPOL: “Extensible Authentication Protocol (EAP) over LAN (EAPoL) is a network port authentication protocol “
H1: “is a bi-directional communications protocol used for communications among field devices and to the control system”
HTTP: HyperText Transfer Protocol
HTTP/XML
ICMP: “(Internet Control Message Protocol) is an error-reporting protocol network devices like routers use to generate error messages to the source IP address when network problems prevent delivery of IP packets.”
ICMPv6: v6 of ICMP
IGMPv3: “Internet Group Management Protocol (IGMP) is the protocol used by IPv4 devices to report their IP multicast group memberships to neighboring multicast devices. “
MDNS: “multicast DNS protocol resolves hostnames to IP addresses within small networks that do not include a local name server.”
NBNS: “stands for NetBIO Name Service, which is a protocol for name resolution.”
NTP: ” is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. “
OCSP: “Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate”
SSDP: “(SSDP) is a network protocol based on the Internet protocol suite for advertisement and discovery of network services and presence information.”
SSLv2: “is an obsolete version of SSL that has been deprecated since 2011 due to having security flaws.”
TCP: Transmission Control Protocol (explained elsewhere in blog)
TLSv1.2: TLSv1.2 is the newest SSL protocol version
TLSv1.3: rewrite of TLSv1.2.
UDP: User Datagram Protocol (explained elsewhere in blog)

—

b.) Then I filtered and organized the destinations (outbound).
There are 981 unique destinations.

The top 3 destinations are:

emilys-MacBook-Pro-1798.local
iMac.fios-router.home
cs10.wpc.v0cdn.net (Verizon Business/ ISP: Edgecast Networks)

—

c.) I did the same for the source (incoming).
There are 970 unique sources.

The top 3 sources are:

emilys-MacBook-Pro-1798.local
cs10.wpc.v0cdn.net (Verizon Business/ ISP: Edgecast Networks)
e5042.dsci.akamaiedge.net (akamai is a content-provider/CDN)

—

d.) HTTP traffic:

Screen Shot 2019-10-21 at 3.18.26 PM

Observations from HTTP Packets:
- Total HTTP Packets: 18457
- Of the 18457, Response Packets: 779 (4.22%); Request Packets: 17512 (94.88%)
- Of the 779 Response Packets: 3 Client Errors, 115 Redirection, 661 Success
- I’m noticing the info HTTP/1.1 200 comes up a lot. Found out that “200 OK” means that everything went well and I was able to connect to the server.

Definitions (for personal understanding)
- HTTP found at Layer 7 of OSI model (Application)
- When I upload data to a web server, I am creating a POST packet. This requires 3 way handshake: from client to server then back again.
- Burst: the maximum number of packets sent per interval of time.
- Burst start: the time when the maximum number of packets sent occurred.
- GET: Used when the client is requesting a resource on the Web server.
- HEAD: Used when the client is requesting some information about a resource but not requesting the resource.
- POST: Used when the client is sending information or data to the server—for example, filling out an online form (i.e. Sends a large amount of complex data to the Web Server).
- PUT: Used when the client is sending a replacement document or uploading a new document to the Web server under the request URL.

STEP 2: Specific Activities Captured on Wireshark

After capturing hours of data (Step I), I then ran a couple of experiments to see what would show up if I performed specific internet activities such as going to streaming services, uploading files, downloading files.

a.) What would I find if I uploaded a video onto vimeo?

I noticed that when uploading to Vimeo (I know this because the source says: “emilys-MBP….”) the protocol is usually UDP. This makes sense because the video is a large data file so would benefit from the faster speed of UDP. However, how is it possible to ensure that my video data gets transferred reliably, since that is one of the main drawbacks of UDP? I’ve usually had good success with uploading to Vimeo and don’t have any issues with not getting my data sent. Is there a way they ensure it is transferred properly? Read on the below site that: “Although it (UDP) still has certain drawbacks that prevent it from being used in all applications, there have been great advancements in improving its stability and reliability.” Perhaps UDP file transfers are improving and that is why I rarely experience Vimeo issues?(*Reference for UDP/TCP: https://www.keycdn.com/support/udp-file-transfer)

Screenshot of source: my network | destination: vimeo

When vimeo is sending to my network, the transfer is using TCP or TLSv1.2. This does make sense since vimeo isn’t sending me a large file back.
- TLSv1.2: TLS stands for Transport Layer Security. It is a way to transfer information securely. (*Reference: https://www.appointmentplus.com/blog/top-8-things-know-about-tls-1-2/)
- The TLSv1.2 version was required for any site by PCI (payment card industry) on June 30, 2018. Apparently, PCI requires sites to upgrade to newer version our sites risk putting user’s data at risk. Wow, who knew?!

Screenshot of source: vimeo | destination: my network

—

b.) What would I find it I downloaded something from the browser?

Then I wanted to see what packets would appear if I downloaded a file from the internet. So, I went to a course github page and downloaded that repo. I chose not to use SSH. I wonder if this would’ve made a difference?

results from downloading a file from github

Most of the Protocol is with TCP. And in the info section it is often says [TCP Keep Alive]. The sources that come up consistently on github’s side are “github.map.fastly.net” and “api.github.com”
- Fastly is a CDN (Content Delivery Network) so there is no need to worry.
- When looking into Api.github.com, I found this helpful page: https://developer.github.com/v3/. According to their site, all API access is over HTTPS. All data is sent and received as JSON. The page also mentions: “By default, all requests to https://api.github.com receive the v3 version of the REST API.” This leads me to my next question…
What is REST API?
- REST is acronym for REpresentational State Transfer.
- “It means when a RESTful API is called, the server will transfer to the client a representation of the state of the requested resource.”
- The representation is often in JSON, but is sometimes in XML or HTTP
- A REST API is a set of functions which developers can perform requests and receive responses via HTTP protocol such as GET and POST.
- * Reference: https://medium.com/extend/what-is-rest-a-simple-explanation-for-beginners-part-1-introduction-b4a072f8740f

—

c.) What would happen if I visited sites of other countries?

I was also curious what would happen if I tried to visit a website from another country like Taiwan or Iran. I first checked this taiwanese design site: https://www.oniondesign.com.tw.

Screenshot 2019-10-21 21.33.01.png

“http://k6kv-bfrm.accessdomain.com” comes up alot. This checks out to be the ip address of the onion site.

For Iran, I checked this site: http://footballitarin.com. This is what immediately came up in Wireshark.

what came up immediately when I went to this Iranian site

“eu-u.openx.net” came up a lot when I clicked. Discovered that us-U.Openx.Net is a high-risk domain. It acts as a browser hijacker infection. It can invade your system when you visit a risky web site, install unsafe freeware or open spam email attachments. That’s not good.
“ds.dotomi.com” came up many times as well and wanted to check it out. According to this site: https://malwaretips.com/blogs/remove-cj-dotomi-com/, if your browser is constantly redirected to this Cj.dotomi.com site, then it is possible that you have an adware program installed on your computer. It’s a malicious program that once installed in your program, your browser may get many unwanted ads or pop ups. Beware!

—

d.) What’s with all these different types of TCPs? Observation from these step: what is TCP Dup ACK? What does TCP Out-of-Order, TCP Keep Alive, and TCP Retransmission mean? It seems to always be colored in black when it is related to TCP, but not just a normal TCP, there is always a message in the “info” section. She helps break it down: https://www.youtube.com/watch?v=tjZ2IgiG2PU

TCP will judge the need for retransmission based on the RTO or the retransmission timeout. If the packet never receives a packet in a given time frame, it is retransmitted. If it is constantly showing TCP retransmission that means that there was no acknowledgement received.
TCP Duplicate Acknowledgements means that they received order packets out of order. All TCP connections start with a initial sequence number (ISN) and each packet after that will go up by the size of its data payload. Ex: If my computer has an ISN of 1000, I send a data with 200 bytes, then my acknowledgment should be 1200. Next ISN should be 1200.
TCP Keep Alive: two main purposes for keepalive is to check for dead peers and to prevent disconnection due to network inactivity.
- Reference: http://tldp.org/HOWTO/TCP-Keepalive-HOWTO/overview.html

Example of the TCP Dup ACK

Super basic questions just to help me understand Wireshark, packet sniffing, and this assignment:

What is Wireshark? What exactly is it doing?
- Series of data are considered frames, which are considered packets
- Wireshark can detect and decode the packets for analysis.
- Data is converted into packets when it passes through your network interfaces. Wireshark hunts for those packets in the TCP/IP layer during transmission and keep what it finds.

Other resources stumbled upon as I researching:

https://lifehacker.com/how-to-tap-your-network-and-see-everything-that-happens-1649292940
for reading wireshark: https://www.youtube.com/watch?v=akhB55S86kE
https://www.c-sharpcorner.com/forums/what-is-difference-between-get-post-put-and-delete
she explains things nicely for someone who doesn’t know much about networks (I fall in this category): https://www.youtube.com/watch?v=RYCH7-PfJpY
https://www.keycdn.com/support/udp-file-transfer

Like this:

Related