Read: Class 01 Network Traffic Analysis with Wireshark - VascoLucas01/networking-reading-notes GitHub Wiki

Introduction

Initially, I will talk about the OSI model and its importance in understanding the Internet, with a brief description and demonstration of how encapsulation works, based on documentation that I find quite interesting and that I used to study computer networks when I was starting out.

Then, I will explain what Wireshark is, what it is used for and some of its limitations, with an example on the OSPF protocol.

Finally, for the more curious, I show another packet capture with Wireshark, this time with the well-known "message-digest authentication" enabled on OSPF, to see what Wireshark shows when the traffic is authenticated (and why that is not the same thing as encrypted).

OSI vs TCP/IP models

The Open Systems Interconnection model, known as the OSI model, proposed by the International Organization for Standardization (ISO), organizes network communication into seven layers through which computer systems, such as personal computers, servers and so forth, communicate. The main goal in defining the OSI model was to create a common reference for all systems, so that different systems and different devices could interoperate. The seven layers referred to above are:

  • Application Layer (application oriented)
  • Presentation Layer (application oriented)
  • Session Layer (application oriented)
  • Transport Layer (transport oriented)
  • Network Layer (transport oriented)
  • Data Link Layer (transport oriented)
  • Physical Layer

Application Layer : controls the input and output of data and provides the functions the application needs (the protocols the user actually sees, such as HTTP or DNS).

Presentation Layer : translates the system-dependent representation of data into a form independent of the application (character encoding, compression and, in the OSI model, encryption).

Session Layer : controls the logical connection (session) between two systems, so that, for example, an interrupted exchange can be resumed instead of started over.

Transport Layer : provides end-to-end control of the transferred data: it segments data streams and, with a protocol such as TCP, can detect and avoid congestion.

Network Layer : in circuit-switched networks connections are established here; in packet-switched networks packets are forwarded (routed) here. Data is transmitted across the whole network from the sender to the receiver, hop by hop.

Data Link Layer : enables transmission on the respective medium and detects transmission errors (typically with a CRC in the frame trailer). For this purpose, the bit stream from layer 1 is divided into blocks or frames.

Physical Layer : defines the transmission techniques used, for example electrical signals, optical signals or electromagnetic waves. Through layer 1 the transmission takes place over wired or wireless media.

When one system communicates with another, all seven layers of the OSI model are run through at least twice (once on each side), which will be shown further below with an image. Contrary to the OSI model, TCP/IP (Transmission Control Protocol/Internet Protocol) is the model the Internet is actually built on. Instead of seven layers it has four (or five, as discussed below):

  • Application Layer
  • Transport Layer
  • Internet Layer
  • Link Layer

In fact, several sources represent the TCP/IP model with one more layer, a physical layer at the bottom. The practical difference is that TCP/IP is the protocol suite hosts actually implement to connect to the Internet, while OSI is a reference model used to describe and compare protocols; real stacks rarely follow its strict layer boundaries, which is why OSI is usually called "the reference model" rather than something you run.

[image]

Encapsulation

The purpose of encapsulation is that each layer can add its own control information without the other layers having to know about it: each layer prepends its own header to the data handed down by the layer above (the data link layer also appends a trailer with the CRC). For example, the application-layer message plus the transport-layer header together constitute the transport-layer segment (with TCP; with UDP it is called a datagram). The transport layer then passes the segment to the network layer, which adds its own header, creating a network-layer packet, and so forth until the physical layer is reached.

[image]

This image shows exactly how the encapsulation process works. Whenever a system sends a packet it performs encapsulation, and when it receives one it does exactly the reverse (decapsulation), stripping and checking one header per layer. That is why the OSI vs TCP/IP models section says "all seven layers of the OSI model are run through at least twice".
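The following is an added example (not code from the original page) that builds the PDUs described above layer by layer and then undoes them on the receiving side. An application message is wrapped in a UDP datagram, then in an IPv4 packet, then in an Ethernet II frame, each layer prepending its own header; decapsulation strips them in reverse order and validates the IPv4 and UDP checksums, rejecting a corrupted frame the way a real stack would. All addresses and ports are constructed values assumed for the example.

```python
import struct

# Constructed sample addresses (assumed for the example, not taken from the page).
SRC_MAC, DST_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"
SRC_PORT, DST_PORT = 40000, 53
ETHERTYPE_IPV4, IPPROTO_UDP = 0x0800, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and UDP headers."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return ~s & 0xFFFF


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


# Sending side: each layer prepends its own header to what the layer above handed down.
def udp_datagram(message, sport, dport, sip, dip):
    length = 8 + len(message)
    # UDP checksum covers a pseudo-header taken from the IP layer plus header and payload
    pseudo = ip(sip) + ip(dip) + struct.pack("!BBH", 0, IPPROTO_UDP, length)
    csum = inet_checksum(pseudo + struct.pack("!HHHH", sport, dport, length, 0) + message)
    return struct.pack("!HHHH", sport, dport, length, csum or 0xFFFF) + message  # 0 means "none"


def ipv4_packet(segment, sip, dip, proto, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                      ttl, proto, 0, ip(sip), ip(dip))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]  # header checksum
    return hdr + segment


def ethernet_frame(packet, smac, dmac, ethertype=ETHERTYPE_IPV4):
    return mac(dmac) + mac(smac) + struct.pack("!H", ethertype) + packet


def encapsulate(message: bytes) -> dict:
    """Return every PDU on the way down: message -> datagram -> packet -> frame."""
    datagram = udp_datagram(message, SRC_PORT, DST_PORT, SRC_IP, DST_IP)
    packet = ipv4_packet(datagram, SRC_IP, DST_IP, IPPROTO_UDP)
    frame = ethernet_frame(packet, SRC_MAC, DST_MAC)
    return {"message": message, "datagram": datagram, "packet": packet, "frame": frame}


# Receiving side: strip the headers in reverse order, validating each layer.
def decapsulate(frame: bytes) -> dict:
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("link layer: not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or inet_checksum(packet[:ihl]) != 0:
        raise ValueError("network layer: bad IPv4 header")
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    if proto != IPPROTO_UDP:
        raise ValueError("network layer: not UDP")
    datagram = packet[ihl:total_len]            # drops any link-layer padding
    sport, dport, ulen, _ = struct.unpack("!HHHH", datagram[:8])
    pseudo = packet[12:20] + struct.pack("!BBH", 0, proto, ulen)
    if inet_checksum(pseudo + datagram[:ulen]) != 0:
        raise ValueError("transport layer: bad UDP checksum")
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": ".".join(map(str, packet[12:16])),
            "dst_ip": ".".join(map(str, packet[16:20])),
            "src_port": sport, "dst_port": dport, "message": datagram[8:ulen]}
```

Each returned PDU ends with the one built before it, which is the encapsulation relationship in bytes; the receiver never looks at a header that belongs to another layer, it only removes its own and hands the rest up.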

Wireshark

Understanding of network protocols is greatly deepened by seeing them in action, and many tools make that possible, such as Wireshark.

Wireshark is an open-source network protocol analyzer. It lets us examine in detail each packet sent and received by the host it runs on (or any traffic that reaches its capture interface, for example through a mirror port). It also lets us filter the capture and drill down into individual packets, zooming in on the root cause of a problem, which helps with network analysis and ultimately with security.

Wireshark does three important things:

  • Packet Capture
  • Filtering
  • Visualization

Next, I show how it works with a sequence of two images from one of my networking projects at university, a topology that runs the OSPF protocol:

Network Topology

[image]

It does not matter how complex the topology is. The aim here is to show how Wireshark works, and I capture the traffic on the link between R4 and R3.

OSPF filtering

[image]

Here it is possible to see OSPF hello packets between R4 and R3, sent to the multicast address 224.0.0.5 (AllSPFRouters). It is not important for now, but hello packets are how routers discover their neighbors and establish and maintain adjacencies with them; on an Ethernet link they are sent every 10 seconds by default, so a display filter such as "ospf" shows a steady stream of them.

Of course, this only shows one of the many things Wireshark can do, and I am sure I will come back for more in the near future. Before concluding, it is important to mention some limitations:

  • It can't help a user who has little understanding of network protocols: it shows the bits, not what they mean.
  • Under normal circumstances it can't grab traffic from the other systems on the network; on a switched network it only sees traffic to its own host plus broadcast and multicast, unless a mirror port, tap or hub is used.
  • It is not an intrusion detection system: it captures and dissects, it does not alert.
  • It can't decrypt encrypted traffic on its own; it can decrypt TLS or WPA if the keys are supplied (for example a TLS key log file or the WPA pre-shared key), but without them the payload stays opaque.

Message-Digest Authentication With Wireshark

As stated above, the following is for the curious. Using the same topology shown above, message-digest authentication was configured on routers R9 (interface g1/0), R10 (interface g1/0) and R2 (interface g3/0), and the capture was taken on interface g1/0 of R9.

[image]

Example of configuration on R9 (the key alone does not enable authentication: it also has to be turned on for the interface, as in the first line, or for the whole area with "area 0 authentication message-digest" under the OSPF process):

R9(config-if)#ip ospf authentication message-digest
R9(config-if)#ip ospf message-digest-key 10 md5 cisco

Before going further, let's discuss a little what message-digest authentication consists of. For this I cite a bit of information from the Cisco documentation (see REFERENCES).

"You can enable authentication in OSPF in order to exchange routing update information in a secure manner. OSPF authentication can either be none (or null), simple, or MD5. The authentication method "none" means that no authentication is used for OSPF and it is the default method. With simple authentication, the password goes in clear-text over the network. With MD5 authentication, the password does not pass over the network. MD5 is a message-digest algorithm specified in RFC 1321. MD5 is considered the most secure OSPF authentication mode. When you configure authentication, you must configure an entire area with the same type of authentication."

It is important to stress that this is just an example of how Wireshark displays authenticated traffic; it is extra information. Two caveats to the quote above: OSPF MD5 authentication is not encryption (the packet contents stay readable; only a keyed digest is appended), and "most secure" is relative to the other two OSPF modes in that document: RFC 5709 later added HMAC-SHA authentication for OSPFv2, and in any case the key is a shared secret, so anyone who obtains it (for example from a configuration backup) can forge routing updates.

Here I used MD5 authentication. Let's see, first, what happens when MD5 is not configured.

[image]

Both fields, "Auth Type" and "Auth Data", have the values Null and none respectively, which means no authentication is running on interface g1/0 of R9.

After analysing what happens when nothing is configured, it is time to show what happens with message-digest authentication.

[image]

Some differences can be seen, such as the value in "Auth Type" (now Cryptographic) and four more fields: "Auth Crypt Key", "Auth Crypt Data Length", "Auth Crypt Sequence Number" and "Auth Crypt Data".

This last image shows what the fourth limitation ("it can't decrypt encrypted traffic on its own") actually means here, and also what it does not mean. The hello packet itself is not encrypted: its Router ID, Area ID, network mask, intervals and neighbor list are still dissected in the clear, exactly as in the unauthenticated capture. What Wireshark cannot show is the key, because the key is never transmitted; only a 16-byte MD5 digest computed over the packet plus the key is appended ("Auth Crypt Data"), and that digest can neither be reversed to recover the key nor checked without it. The sequence number is there so that a captured packet cannot simply be replayed later. So an observer on the link can read the routing traffic but cannot forge it or verify it.
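To make both captures concrete, here is an added example (my own code, not the page's and not a Cisco or Wireshark implementation) that builds the OSPF hello packets described above, one with null authentication and one with MD5 message-digest authentication per RFC 2328 Appendix D, dissects them into the same fields Wireshark displays (Auth Type, Auth Data, Auth Crypt Key id, Data Length, Sequence Number, Auth Crypt Data), and performs the receiver-side check. It shows that the hello fields stay readable in both cases and that only a router holding the key can verify or produce the digest. Router IDs, the key id 10 and the key "cisco" mirror the configuration above; the other values are constructed for the example. Zero-padding the key to 16 bytes is the convention used by common implementations.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OSPF_TYPES = {1: "Hello", 2: "DB Description", 3: "LS Request",
              4: "LS Update", 5: "LS Acknowledge"}
AUTH_NAMES = {0: "Null", 1: "Simple password", 2: "Cryptographic"}
HDR = "!BBH4s4sHH8s"    # 24-byte OSPFv2 header: ver, type, len, rid, area, csum, autype, auth
HELLO = "!4sHBBI4s4s"   # fixed part of a Hello body: mask, hello, opts, prio, dead, DR, BDR


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; OSPF uses it only when AuType is 0 or 1."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return ~s & 0xFFFF


def hello_body(mask, hello_interval=10, dead_interval=40, priority=1,
               dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    body = struct.pack(HELLO, IPv4Address(mask).packed, hello_interval, 0x02,
                       priority, dead_interval, IPv4Address(dr).packed,
                       IPv4Address(bdr).packed)
    return body + b"".join(IPv4Address(n).packed for n in neighbors)


def ospf_packet(ptype, router_id, area_id, body, key=None, key_id=0, seq=0):
    """Wrap a body in an OSPF header: AuType 0 if key is None, else MD5 (AuType 2)."""
    length = 24 + len(body)
    rid, aid = IPv4Address(router_id).packed, IPv4Address(area_id).packed
    if key is None:
        pkt = struct.pack(HDR, 2, ptype, length, rid, aid, 0, 0, b"\x00" * 8) + body
        # the checksum covers the whole packet except the 8-byte authentication field
        csum = inet_checksum(pkt[:16] + pkt[24:])
        return pkt[:12] + struct.pack("!H", csum) + pkt[14:]
    # AuType 2: checksum stays 0; auth field = reserved, key id, digest length, sequence
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = struct.pack(HDR, 2, ptype, length, rid, aid, 0, 2, auth) + body
    # digest = MD5(packet || key zero-padded to 16 bytes), appended after the packet;
    # the key never goes on the wire, only this digest does
    digest = hashlib.md5(pkt + key.ljust(16, b"\x00")[:16]).digest()
    return pkt + digest


def parse_ospf(pkt: bytes) -> dict:
    """Dissect the header (and a Hello body) into the fields Wireshark displays."""
    ver, ptype, length, rid, aid, _csum, autype, auth = struct.unpack(HDR, pkt[:24])
    f = {"version": ver, "type": OSPF_TYPES.get(ptype, ptype), "length": length,
         "router_id": str(IPv4Address(rid)), "area_id": str(IPv4Address(aid)),
         "auth_type": AUTH_NAMES.get(autype, autype)}
    if autype == 2:
        _, key_id, data_len, seq = struct.unpack("!HBBI", auth)
        f.update(auth_crypt_key_id=key_id, auth_crypt_data_length=data_len,
                 auth_crypt_sequence_number=seq,
                 auth_crypt_data=pkt[length:length + data_len].hex())
    else:  # Null shows "none"; Simple would show the clear-text password itself
        f["auth_data"] = "none" if auth == b"\x00" * 8 else auth.rstrip(b"\x00").decode("latin-1")
    if ptype == 1:  # the Hello body is readable whatever the AuType is
        mask, hi, _opts, prio, di, dr, _bdr = struct.unpack(HELLO, pkt[24:44])
        f.update(network_mask=str(IPv4Address(mask)), hello_interval=hi,
                 dead_interval=di, router_priority=prio,
                 designated_router=str(IPv4Address(dr)),
                 neighbors=[str(IPv4Address(pkt[i:i + 4])) for i in range(44, length, 4)])
    return f


def verify_md5(pkt: bytes, key: bytes, last_seq: int = 0) -> bool:
    """Receiver-side check: reject a sequence number older than the last one seen
    (replay), then recompute the digest with the local key and compare in constant time."""
    _, _, length, _, _, _, autype, auth = struct.unpack(HDR, pkt[:24])
    if autype != 2:
        return False
    _, _, data_len, seq = struct.unpack("!HBBI", auth)
    if data_len != 16 or len(pkt) < length + 16 or seq < last_seq:
        return False
    expected = hashlib.md5(pkt[:length] + key.ljust(16, b"\x00")[:16]).digest()
    return hmac.compare_digest(expected, pkt[length:length + 16])
```

Running parse_ospf on the authenticated packet returns the same hello_interval, network_mask and neighbors as on the null-authentication packet, which is the point made above: the digest proves who sent the packet and that it was not modified, but hides nothing. Note that, unlike the packet length field, the 16-byte digest sits after the packet, which is why Wireshark lists "Auth Crypt Data" separately from the header fields.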

REFERENCES

1 - https://www.comptia.org/blog/layers-2-and-3-osi-model

2 - https://academy.hackthebox.com/module/details/34

3 - Computer Networking, "A Top-Down Approach", KUROSE ROSS, SEVENTH EDITION

4 - https://www.comptia.org/content/articles/what-is-wireshark-and-how-to-use-it

5 - https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13697-25.html

The first three references above were used to synthesize and explain, as well as I could, what the OSI and TCP/IP models consist of and to define and explain the encapsulation process.

The fourth helped me explain what Wireshark is in an accessible way.

The last one provided the extra information on OSPF authentication.