Norton is telling me. We have detected a large amount of suspicious outbound traffic on your system. What Wireshark filters can I use to find this traffic. How can I tell what port this suspicious outbound traffic is using?
With Wireshark, you can get an idea of the type of traffic leaving your system by first filtering on its IP address, e.g., "ip.src eq 192.168.1.100" ... where 192.168.1.100 represents your system's IP address and then viewing:
Statistics -> Protocol Hierarchy, which will give you a high-level breakdown on the type of traffic present as well as various statistics like bytes, packets, etc.
Statistics -> Conversations -> IPv4, which will tell you the amount of packets, bytes etc per IPv4 "conversation" (you may need to check the box that indicates "Limit to display filter" in order to isolate only the outbound packets from your system) You can right-click on a conversation and "apply as filter -> selected -> ..." to isolate a particular IP conversation for further analysis, and you can also look at the IPv6, TCP or UDP conversations as well by selecting those tabs instead of the IPv4 tab. The data is also sortable by whichever column you're interested in, simply click on the column heading to sort by that column. The TCP or UDP tab will indicate the respective port(s) that the traffic is communicating over.
Statistics -> Endpoints -> ... is similar to Statistics -> Conversations, but lists each endpoint separately. If you "Limit to display filter", then you will see each endpoint your system is communicated with listed on a separate row.
Analyze -> Expert Information may also provide you with some additional information about the traffic you've captured, and you can "Limit to Display Filter" there as well.
Well, this should hopefully get you started.
Related
I have multiple readers on a single system which bind to a single address (IP:port ex. 239.0.0.1:1234). Another computer on group sends a UDP multicast packet to this group and readers should receive it. I used GLib 2.0 networking stack, g_socket_bind with allow_reuse set to true.
When there is a single reader (single socket binded to that address) or up to three readers everything is ok and readers will receive packets correctly. But when the number of readers increases to four or above, the packet loss occurs and linearly increases with number of readers on system.
If socket is a UDP socket, then allow_reuse determines whether or not other UDP sockets can be bound to the same address at the same time. In particular, you can have several UDP sockets bound to the same address, and they will all receive all of the multicast and broadcast packets sent to that address.
As stated in GIO Reference Manual, when allow_reuse set true, all readers should read all of data but it doesn't happen as the stated above.
Anybody knows what the problem is? Is there a kernel related problem?
All your sockets need to join the multicast group. If you're just relying on the bind to effect that, you are into undefined behaviour.
I want to sort captured traffic on #packet sent through ports. How can I filter this in wireshark?
Edit 1:
I have captured traffic, I want to find most port sending packet from specific Address.
Go to the Statistics menu.
Click Conversations.
Click either the UDP or TCP tab as appropriate.
Click the Packets A->B column twice to sort by the number of packets in descending order.
The first five rows of the Port A column will now show the five source ports with the most packets (and Address A the associated IP with each port).
This is using Wireshark 1.12.8.
I'm using a real machine (hp procurve) for my project, I need to send message of other protocol format, OSPF for instance, instead of flows, from controller side to OpenFlow switch through socket(by specifying ip address and port of the OF switch).
But everytime I try to do this, I get "Connection refused" error message, I guess that it might be that the port on OpenFlow switch I'm sending the message to is not listening, so I think I might need to use the same port for the sending which OpenFlow switch uses to talk to the controller, like the port 51067 in the log info :
Switch:192.168.1.11:51067 is connected to the Controller
My question is, how do I retrieve the port information on the controller side, since it is changing every time I restart it? I couldn't find this information.
Or am I going the wrong direction that I need to go another way around instead of sending the message using socket?
Thanks a lot in advance, any suggestions will be appreciated.
jonesir
I think you are misunderstanding the nature of networking ports, protocol numbers, and protocols such as OSPF. Let me clear those up:
Port numbers: Usually, there is exactly one application listening on a single port: The operating system/networking stack checks each packet of certain types (e.g. TCP or UDP) for the port number and then passes the packet to the application that registered itself for that specific port. If the application cannot handle the received packet then usually it will just ignore it or log an error.
Aside: It is possible for two applications to communicate on the same port only if you put some sort of multiplexing application before both (usually a reverse proxy, possibly a TCPMUX application). This multiplexing application would take incoming packets, determine what type of packet it is and then pass it to the correct application.
Protocol numbers: The protocol number is a field inside an IP packet that tells the networking stack what type of data is contained inside. For example, TCP is protocol 6, ICMP is 1, and OSPF is 89.
OF switches: Now, logically an OF switch consists of two components: 1) the switching fabric (which includes the physical ports and OF flow tables), and 2) a separate physical port to for out-of-band control, with several applications running behind it. One of these applications is the OpenFlow application, which in your case happens to listen on port 51067. But in real switches, other applications might also be running on different ports, e.g. a web interface running on port 80 for maintenance etc.
OSPF: If you now wanted to talk to the application serving the web interface, you'd send a TCP packet with destination port 80 from your controller to the switch. Similarly, if you'd like to install a new flow, you'd send an TCP packet with port 51067 in your case. OSPF is quite different, as it directly uses IP packets and does not use port numbers. To process an OSPF packet, an application needs to use a raw socket to process the incoming IP packets that have protocol number 89, and skip all others. See also the raw manpage here. This will already be built into your OF switch.
Thus, if you want to send an OSPF packet to the OF switch (and your OF switch supports OSPF on the separate physical port!), you'd just send an OSPF IP packet to the switch's IP address (192.168.1.11), no port needed!
Note that the separate physical port might not support all of the features of the other ports on the OF switch, as they are not intended for the same uses.
I need a solution for NAT traversal to transmit RDP data across the internet. I came across the following tool and it's really amazing - pwnat.
I have tried it with the two different machines behind different router, but i am unable to make it work as explained in the above link. So is pwnat still working and if yes what could I have done wrong? It would be very helpful for me.
Note: I am using a Windows machine for testing and downloaded the Windows version from the following link:
http://www.sumitgupta.net/pwnat-windows-complied-version/
No.
I assume you know how it worked:
the server sent ICMP echo request packets to the fixed address(for example, 1.2.3.4) where no echo replies wouldn't be returned from, the client, pretending to be a hop on the Internet, sent an ICMP Time Exceeded packet to the server, expected the NAT in the front of the server to forward the ICMP time exceeded message to the server.
The picture above is from the homepage of pwnat, it's on the premise that client is not behind NAT and the original payload in time exceeded message is typically not checked by NAT implementations. If both client and server are behind NAT like this,
=========================================================================================
| CLIENT | <---> | NAT-C | <---> { internet } <---> | NAT-S | <---> | SERVER |
=========================================================================================
It rarely works nowadays mainly for 2 reasons below:
When the server sends ICMP echo request packets to the fixed address, according to RFC 3022, the identifier field in ICMP echo request header will be uniquely mapped to a query identifier of the registered IP address by NAT-S so that it can route future ICMP Echo Replies with the same query ID to the sender, so ICMP header in ICMP Query packets must be modified to replace the query ID and ICMP header checksum. RFC 3022 ICMP error packet modifications section:
In a NAPT setup, if the IP message embedded within ICMP happens to be
a TCP, UDP or ICMP Query packet, you will also need to modify the
appropriate TU port number within the TCP/UDP header or the Query
Identifier field in the ICMP Query header.
But the client doesn't know the external query ID(the code in pwnat use 0 as the identifier of original request), it sends an ICMP Time Exceeded packet to the server, even if the packet can reach NAT-S in front of the server, NAT-S can't find the active mapping for the embedded packet, most of NAT implementations will drop it.
Moreover, according to rfc 5508, when the NAT-C receives the ICMP Error packet from the Private Realm, NAT-C uses the packet embedded within the ICMP Error message (i.e., the IP packet from the client to the server) to look up the NAT Session to which the embedded packet belongs. If NAT-C does not have an active mapping for the embedded packet, the NAT-C SHOULD silently drop the ICMP Error packet. It means the ICMP Time Exceeded packet from the client wouldn't arrive at NAT-S.
So pwnat only works with basic NAT devices(rfc 1631 describes) which do simple address translation, won't work with any NAPT device which has robust NAPT implementation. And This paper does mention this problem.
I am willing to build a prototype of network appliance.
This appliance is suppose to transparently manipulate Ethernet packets. It suppose to have two network interface cards having one card connected to the outside leg (i.e. eth0) and the other to the inside leg (i.e. eth1).
In a typical network layout as in the attached image, it will be placed between the router and the LAN's switch.
My plans are to write a software that hooks at the kernel driver level and do whatever I need to do to incoming and outgoing packets.
For instance, an "outgoing" packet (at eth1) would be manipulated and passed over to the other NIC (eth0) which then should be transported over to the next hope
My questions are:
Is this doable?
Those NIC's will have no IP address, is that should be a problem?
Thanks in advance for your answers.
(And no, there is no such device yet in the market, so please, "why reinvent the wheel" style of answers are irrelevant)
typical network diagram http://img163.imageshack.us/img163/1249/stackpost.png
I'd suggest libipq, which seems to do just what you want:
Netfilter provides a mechanism for passing packets out of the stack for queueing to userspace, then receiving these packets back into the kernel with a verdict specifying what to do with the packets (such as ACCEPT or DROP). These packets may also be modified in userspace prior to reinjection back into the kernel.
Apparently, it can be done.
I am actually trying to build a prototype of it using scapy
as long as the NICs are set to promiscous mode, they catch packets on the network without the need of an IP address set on them. I know it can be done as there are a lot of companies that produce the same type of equipment (I.E: Juniper Networks, Cisco, F5, Fortinet ect.)