Wireshark Tips

Wireshark Tips

1. Filters

a. tcp.port eq 25

b. (ip.dst == xxx.xxx.xxx.xxx && ip.src == xxx.xxx.xxx.xxx) || (ip.dst == xxx.xxx.xxx.xxx && ip.src == xxx.xxx.xxx.xxx) && http

ref: http://wiki.wireshark.org/DisplayFilters

http://wiki.wireshark.org/CaptureFilters

Workflow:

1. Interface options

2. Select the right interface (INTEL) *

3. Start Capture

4. Filter using commands

*In Case WinPcap is not installed this would not work…

Wireshark Tips

1.       Filters

a.       tcp.port
eq 25

b.       (ip.dst
== xxx.xxx.xxx.xxx && ip.src == xxx.xxx.xxx.xxx) || (ip.dst ==
xxx.xxx.xxx.xxx && ip.src == xxx.xxx.xxx.xxx) && http

ref: http://wiki.wireshark.org/DisplayFilters

        http://wiki.wireshark.org/CaptureFilters

Workflow:

1.       Interface
options

2.       Select
the right interface (INTEL) *

3.       Start
Capture

4.       Filter
using commands

*In Case WinPcap is not installed this would not
work…

 

 

–>

SSH Basics

What is it?

1.       http://en.wikipedia.org/wiki/Ssh://

a.       Secure
Shell (SSH) is a cryptographic network protocol for secure data communication,
remote command-line login, remote command execution, and other secure network
services between two networked computers that connects, via a secure channel
over an insecure network, a server and a client (running SSH server and SSH
client programs, respectively).[1] The protocol specification distinguishes
between two major versions that are referred to as SSH-1 and SSH-2.

b.      The
best-known application of the protocol is for access to shell accounts on
Unix-like operating systems, but it can also be used in a similar fashion for
accounts on Windows. It was designed as a replacement for Telnet and other
insecure remote shell protocols such as the Berkeley rsh and rexec protocols,
which send information, notably passwords, in plaintext, rendering them
susceptible to interception and disclosure using packet analysis.[2] The
encryption used by SSH is intended to provide confidentiality and integrity of
data over an unsecured network, such as the Internet.

c.       SSH
uses public-key cryptography to authenticate the remote computer and allow it
to authenticate the user, if necessary

d.      SSH
is typically used to log into a remote machine and execute commands, but it
also supports tunneling, forwarding TCP ports and X11 connections; it can
transfer files using the associated SSH file transfer (SFTP) or secure copy
(SCP) protocols.

e.      The
standard TCP port 22 has been assigned for contacting SSH servers

f.       
An SSH client program is typically used for establishing connections to
an SSH daemon accepting remote connections. Both are commonly present on most
modern operating systems, including Mac OS X, most distributions of GNU/Linux,
OpenBSD, FreeBSD, NetBSD, Solaris and OpenVMS. Notably, Windows is one of the
few modern desktop/server OSs that does not include SSH by default.
Proprietary, freeware and open source versions of various levels of complexity
and completeness exist.

g.       SSH
is important in cloud computing to solve connectivity problems, avoiding the
security issues of exposing a cloud-based virtual machine directly on the
Internet. An SSH tunnel can provide a secure path over the Internet, through a
firewall to a virtual machine

2.       Windows
Clients:

a.       OpenSSH

b.      PuTTY

It’s better to use PuTTY as the experience is
better and more native.

 

Ports, sockets and connections

Ports, sockets and connections, how does it all fit together?

 

 

–>

How is TCP Connection Established ?

      TCP is always 2-way. There is no
‘send and forget’ as with UDP. The first Program would have to open a Server
Socket. This means, that it listens on port 25 for a TCP SYN (A flag, that
signals that a connection is being opened). If your second program connects on
port 25 (from port 45000), that connection is identified by 4 values, IP of
your host, Port of your host, IP of the remote host, Port of the remote host.
At this moment, where the 3-Way handshake (SYN, SYN ACK, ACK) is done

Eg.
If you connect to google on port 80, the google web server accepts your client.
Then, the server program (eg. Web Service) returns a client socket, which is
connected to your browser client socket. Then, your browser sends the “GET
/ HTTP/1.1” HTTP-Packet over the connection, which is read by the google
side. Google then takes their website and sends it to you. Now is the point
where malicious attacks can come into play. There are multiple vectors where
you could be attacked. Someone could hijack your TCP Connection, someone could
also inject malic. traffic into the google website (JavaScript)

 

 

–>

HTTP and TCP Basics

TCP

1.
TCP provides a communication service at
an intermediate level between an application program and the Internet Protocol
(IP).

2.
That is, when an application program
desires to send a large chunk of data across the Internet using IP, instead of
breaking the data into IP-sized pieces and issuing a series of IP requests, the
software can issue a single request to TCP and let TCP handle the IP details.

3.
Due to network congestion, traffic load
balancing, or other unpredictable network behavior, IP packets can be lost,
duplicated, or delivered out of order. TCP detects these problems, requests
retransmission of lost data, rearranges out-of-order data, and even helps
minimize network congestion to reduce the occurrence of the other problems.
Once the TCP receiver has reassembled the sequence of octets originally
transmitted, it passes them to the receiving application. Thus, TCP abstracts
the application’s communication from the underlying networking details.

4.
TCP is optimized for accurate delivery
rather than timely delivery, and therefore, TCP sometimes incurs relatively
long delays (on the order of seconds) while waiting for out-of-order messages
or retransmissions of lost messages. It is not particularly suitable for
real-time applications such as Voice over IP. For such applications, protocols
like the Real-time Transport Protocol (RTP) running over the User Datagram
Protocol (UDP) are usually recommended instead

 

HTTP

1.
Hypertext is structured text that uses
logical links (hyperlinks) between nodes containing text. HTTP is the protocol
to exchange or transfer hypertext.

2.
HTTP functions as a request-response
protocol in the client-server computing model.

3.
HTTP is an application layer protocol
designed within the framework of the Internet Protocol Suite. Its definition
presumes an underlying and reliable transport layer protocol,[2] and
Transmission Control Protocol (TCP) is commonly used. However HTTP can use
unreliable protocols such as the User Datagram Protocol (UDP), for example in
Simple Service Discovery Protocol (SSDP).

4.
HTTP resources are identified and located
on the network by Uniform Resource Identifiers (URIs)—or, more specifically,
Uniform Resource Locators (URLs)—using the http or https URI schemes. URIs and
hyperlinks in Hypertext Markup Language (HTML) documents form webs of
inter-linked hypertext documents.

5.
HTTP/1.1 is a revision of the original
HTTP (HTTP/1.0). In HTTP/1.0 a separate connection to the same server is made
for every resource request. HTTP/1.1 can reuse a connection multiple times to
download images, scripts, stylesheets et cetera after the page has been
delivered. HTTP/1.1 communications therefore experience less latency as the
establishment of TCP connections presents considerable overhead.

6.
An HTTP session is a sequence of network
request-response transactions. An HTTP client initiates a request by
establishing a Transmission Control Protocol (TCP) connection to a particular
port on a server (typically port 80; see List of TCP and UDP port numbers). An
HTTP server listening on that port waits for a client’s request message. Upon
receiving the request, the server sends back a status line, such as
“HTTP/1.1 200 OK”, and a message of its own. The body of this message
is typically the requested resource, although an error message or other
information may also be returned

7.
Persistent connections [edit]

8.
HTTP persistent connection

a.
In HTTP/0.9 and 1.0, the connection is
closed after a single request/response pair. In HTTP/1.1 a keep-alive-mechanism
was introduced, where a connection could be reused for more than one request.
Such persistent connections reduce request latencyperceptibly, because the
client does not need to re-negotiate the TCP 3-Way-Handshake connection after
the first request has been sent. Another positive side effect is that in
general the connection becomes faster with time due to TCP’s
slow-start-mechanism.

b.
Version 1.1 of the protocol also made
bandwidth optimization improvements to HTTP/1.0. For example, HTTP/1.1
introduced chunked transfer encoding to allow content on persistent connections
to be streamed rather than buffered. HTTP pipelining further reduces lag time,
allowing clients to send multiple requests before waiting for each response.
Another improvement to the protocol was byte serving, where a server transmits
just the portion of a resource explicitly requested by a client.

9.
HTTP session state

a.
HTTP is a stateless protocol. A stateless
protocol does not require the HTTP server to retain information or status about
each user for the duration of multiple requests. However, some web applications
implement states or server side sessions using one or more of the following
methods:


i.
Hidden variables within web forms.


ii.
HTTP cookies.


iii.
Query string parameters, for example,
/index.php?session_id=some_unique_session_code.

10.     HTTP Pipelining

a.
HTTP pipelining is a technique in which
multiple HTTP requests are sent on a single TCP connection without waiting for
the corresponding responses.

b.
The limitation of HTTP 1.1 still applies:
the server must send its responses in the same order that the requests were
received — so the entire connection remains first-in-first-out [1] and HOL
blocking can occur. The asynchronous operation of the upcoming HTTP 2.0 or SPDY
could be a solution for this.

c.
The Microsoft .NET Framework 3.5 supports
HTTP pipelining in the module System.Net.HttpWebRequest.[

d.
Out of all the major browsers, only Opera
has a fully working implementation that is enabled by default. All other
browsers HTTP pipelining is disabled or not implemented

11.     HTTP 2.0

a.
HTTP 2.0 is the next planned version of
the HTTP network protocol used by the World Wide Web.

b.
HTTP 2.0 would be the first new version
of the HTTP protocol since HTTP 1.1 was described by RFC 2616 in 1999.

c.
Goals for HTTP 2.0 include asynchronous
connection multiplexing, header compression, and request-response pipelining,
while maintaining full backwards compatibility with the transaction semantics
of HTTP 1.1.

12.     SPDY

a.
SPDY (pronounced speedy)[1] is an open
networking protocol developed primarily at Google for transporting web content

b.
SPDY achieves reduced latency through
compression, multiplexing, and prioritization.

c.
SPDY does not replace HTTP; it modifies
the way HTTP requests and responses are sent over the wire.[1] This means that
all existing server-side applications can be used without modification if a
SPDY-compatible translation layer is put in place. When sent over SPDY, HTTP
requests are processed, tokenized, simplified and compressed. For example, each
SPDY endpoint keeps track of which headers have been sent in the past requests
and can avoid resending the headers that have not changed; those that must be
sent are sent compressed.

Conclusion

1.
TCP is a communications protocol which
operates the transport layer and allows the packets of information to make it
around the internet from the host to the receiving computer.

HTTP
is an access protocol that can use the internet to access the web or web pages.
It is a method that the browser software uses to access a particular file or
web page on the internet. Alternate to it is FTP.

2.
HTTP is a layer built ontop of the TCP
layer to somewhat standardize data transmission. So naturally using TCP sockets
will be less heavy than using HTTP. If performance is the only thing you care
about then plain TCP is the best solution for you.

You may want to
consider HTTP because of its ease of use and simplicity which ultimately
reduces development time. If you are doing something that might be directly
consumed by a browser (through an AJAX call) then you should use HTTP. For a
browser to directly consume TCP connections without HTTP you would have to use
Flash or Silverlight and this normally happens for rich content such as video
and/or audio.

3.
In general performance oriented system
like those in the military or financial sectors will probably use plain TCP
connections. Where as general web focused companies will opt to use HTTP and
use IIS or Apache to host their services.

 

As
TCP guarantees the correct delivery of segments (TCP packets), that’s a feature
that HTTP doesn’t need to worry about. However, for some protocols like H.323
and SIP for VoIP, the use of UDP is critical and not simply a “design
decision” since UDP works faster that TCP because UDP reduces overhead due
to its simplicity.

Http
is stateless, and thus doesn’t keep ports open

Further
Reading:

1.
http://blog.patrickmeenan.com/2009/09/tcp-and-http-fighting-each-other-to.html

2.
http://www.w3schools.com/tcpip/tcpip_protocols.asp

3.
http://publib.boulder.ibm.com/infocenter/cicsts/v3r1/index.jsp?topic=%2Fcom.ibm.cics.ts31.doc%2Fdfhtl%2Ftopics%2Fdfhtl_conintro.htm

4.
http://www.differencebetween.net/technology/internet/difference-between-tcp-and-http/

 

 

 

–>