Network Analysis Using Wireshark -10- arp and ip analysis
3 likes704 views
The document covers a lesson on network analysis using Wireshark, focusing on ARP and IP analysis. Participants will learn to understand and resolve ARP and IP networking problems, including issues like fragmentation, duplicate IPs, and DHCP challenges. The lesson emphasizes practical applications such as analyzing connectivity issues through various tools and examples.
Network Analysis Using Wireshark -10- arp and ip analysis
- 1. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 1 Network analysis Using Wireshark Lesson 10: ARP and IP Analysis
- 2. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 2 • By the end of this lesson, the participant will be able to: ▫ Understand ARP and IP ▫ Isolate and fix basic IP/ARP networking problems Lesson Objectives
- 3. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 3 yoram@ndi-com.com For More lectures, Courses & Keynote Speaking Contact Me to:
- 4. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 4 Analysing connectivity problems with ARP Using IP traffic analysis tools Finding fragmentation problems Finding duplicate IPs Analysing DHCP problems Chapter Content
- 5. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 5 What is ARP MAC AddressesIP Addresses
- 6. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 6 How it Works? 192.168.1.1 AA-C1-23-DC-B8-C9 192.168.1.2 BB-C1-23-A1-B8-C9 192.168.1.3 CC-C1-23-F5-B8-C9 192.168.1.4 DD-C1-23-65-B8-C9 ARP Request Ping (ICMP): 192.168.1.1 192.168.1.3 ARP Reply ICMP Request/Reply
- 7. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 7 Resolving a Remote IP Address 192.168.1.1/24 AA-C1-23-DC-B8-C9 DG: 192.168.1.254/24 192.168.1.2/24 BB-C1-23-A1-B8-C9 DG: 192.168.1.254/24 192.168.1.3/24 CC-C1-23-F5-B8-C9 DG: 192.168.1.254/24 ARP Request (1) Ping: 192.168.1.1 192.168.2.3 ARP Reply (2) 192.168.2.3 CC-C1-23-F5-B8-C9 DG: 192.168.2.254/24 192.168.2.4 DD-C1-23-65-B8-C9 DG: 192.168.2.254/24 ARP Request (4) ARP Reply (5) R LAN1 LAN2 ICMP Request (3) ICMP Request (6) 192.168.1.254/24 192.168.2.254/24
- 8. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 8 ARP Example 192.168.43.1 is at: ac:f1:df:9f:0a:d8 10.0.0.5 is looking for 10.0.0.138 Ping your neighbor and check with Wireshark and the ARP cache Example 10-1
- 9. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 9 ARP Example - Request In the Ethernet header: Destination - All 1’s (Broadcast) In the ARP header: Destination - All 0’s (Unknown) Example 10-1
- 10. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 10 ARP Example - Reply In the ARP header: Requested MAC of the destination Ping your neighbor and check with Wireshark and the ARP cache Example 10-1
- 11. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 11 Gratuitous ARP Standard ARP Request Gratuitous ARP Request: Target MAC: All “F”s Sender and Target IP are the same Example 10-2
- 12. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 12 Scanning (Security issue) Scanning (Network discovery tool) ARP Sweep Can be due to: Example 10-3
- 13. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 13 ARP Poisoning / ARP Spoofing IP: 192.168.1.103IP: 192.168.1.1 Alice Bob Trudy ARP Request (Packets 5) : Who has 192.168.1.103? Tell 192.168.1.1MAC: 00:20:78:d9:0d:db ARP Replies (Packets 6,7): I am 192.168.1.103 My MAC address is 00:d0:59:12:9b:01 (Packet 6) My MAC address is 00:d0:59:aa:af:80 (Packet 7) MAC: 00:d0:59:aa:af:80 MAC: 00:d0:59:12:9b:01 Example 10-4
- 14. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 14 Analysing connectivity problems with ARP Using IP traffic analysis tools Finding fragmentation problems Finding duplicate IPs Analysing DHCP problems Chapter Content
- 15. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 15 IP Datagram Format Bit stream H Data E Ethernet (L2) H Data IP (L3) H Data TCP (L4) H Data HTTP (L-5/6/7) This is the IP header
- 16. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 16 IP Datagram Format Ver Length 32 bits Data (variable length, typically a TCP or UDP segment) 16-bit identifier Internet checksum Time to live 32 bit source IP address Head. len Type of service flgs Fragment offset Upper layer 32 bit destination IP address Options (if any) IP protocol version number Header Length (in bytes “Type” of data Total datagram length (in bytes) For fragmentation and reassembly Max. no. remaining hops (decremented at each router) Upper layer protocol to which payload is delivered E.g. timestamp, record route taken, specify list of routers to visit Packet Checksum
- 17. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 17 IP Datagram
- 18. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 18 IPv4 Preferences Checksum validation Checksum validation
- 19. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 19 IPv4 - Filters Look for a pattern in filter expression
- 20. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 20 IP Name Resolution Source name and/or address Destination name and/or address Reload Source and destination presented in their names
- 21. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 21 Analysing connectivity problems with ARP Using IP traffic analysis tools Finding fragmentation problems Finding duplicate IPs Analysing DHCP problems Chapter Content
- 22. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 22 What is Fragmentation ID =x offset =0 fragflag =0 length =4000 ID =x offset =0 MF =1 length =1500 ID =x offset =1480 MF =1 length =1500 ID =x offset =2960 MF =0 length =1040 One large datagram fragmented to several smaller ones ID=X is equal to the Whole frame Fragment 1 Fragment 2 Fragment 3 DataDataData Data Original packet 0 0 0 DF =0 DF =0 DF =0
- 23. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 23 When can Problems Accrue (Example) PC2 S2S1 SP Network Remote office with DB clients Data Center with DB servers IPSec & GRE Tunnel PC1
- 24. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 24 Captured File Fragmented packets Example 10-5
- 25. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 25 Analysing connectivity problems with ARP Using IP traffic analysis tools Finding fragmentation problems Finding duplicate IPs Analysing DHCP problems Chapter Content
- 26. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 26 Duplicate IP - Example Duplicate IP discovered Example 10-6
- 27. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 27 Analysing connectivity problems with ARP Using IP traffic analysis tools Finding fragmentation problems Finding duplicate IPs Analysing DHCP problems Chapter Content
- 28. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 28 DHCP Principles of Operation The same transaction ID for the DHCP process The DHCP process: Discover – Offer – Request - Ack
- 29. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 29 DHCP Issues Example 10-7 Example 10-8
- 30. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 30 Summary • In this lesson we learned about ▫ Isolate and fix basic IP/ARP networking problems ▫ Understand IP fragmentation and the cases it can cause network delays ▫ Discover duplicate addresses
- 31. Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com Network analysis using Wireshark V2 yoram@ndi-com.comPage 31 yoram@ndi-com.com For More lectures, Courses & Keynote Speaking Contact Me to: