Network-Packet-Analysis

A network packet analysis project based on Wireshark

SCENARIO

Large numbers of packets cross a network every second. Beyond knowing how well those packets are protected, a defender needs to be able to trace them in order to recover information about an attack. Network packet analysis gives a detailed view of the traffic on a network: it lets admins pinpoint a slowdown in response times between two managed nodes, better understand network performance, and see exactly what data leaves a host and in what form. We will be using Wireshark to run the packet analysis.

TOOLS USED

Wireshark

DATASET

I captured the packets on my computer by running a manual capture on the local network. The HTTP packets are available as CSV data.

WORKFLOW

All captured packets are listed in the top pane (the packet list). Each row shows the packet number, time, source, destination, protocol, length of the packet and an Info summary of the request. The middle pane (packet details) shows the decoded protocol layers of the selected packet. The bottom pane (packet bytes) shows the same packet as raw bytes, in hexadecimal with an ASCII column alongside.

Double-clicking a packet opens it in its own window with the full dissection. Expanding the TCP layer shows the source port, destination port, sequence number and flags; the IP layer shows the addresses and the transport protocol; the layers above show the application data.

There is a display filter bar at the top of the window. Field names are case-sensitive (Ip.addr is rejected), so to show only packets to or from a particular IP address, type:

ip.addr == <ip address>

ip.addr matches the address in either the source or the destination field; use ip.src or ip.dst to restrict the filter to one direction.

Now let's see what happens to credentials submitted to a plain-HTTP (non-TLS) website. Head over to http://zero.webappsecurity.com/ (a deliberately insecure test site), go to the login page and sign in with any made-up username and password, say username = "rahul" and password = "12345". Make sure to start the capture before submitting the form. After entering the credentials, let's check whether they can be read straight out of the capture.

To show only the packets that Wireshark dissects as HTTP, type:

http


Double-clicking the packet whose Info column shows the POST request opens its details. Alternatively, show only POST requests with the filter (straight double quotes, as Wireshark expects):

http.request.method == "POST"


Opening the packet shows a great deal of information: the source and destination ports in the TCP layer, the request line and headers in the HTTP layer, and, further down under the "HTML Form URL Encoded: application/x-www-form-urlencoded" section, the login username and password in cleartext.


Hence the credentials are leaked: the site uses plain HTTP, so the form data travels unencrypted, and anyone who can capture traffic on the path (the same Wi-Fi network, a compromised router, an ISP) can read it exactly as we just did. HTTPS (TLS) is what prevents this; the same capture of a login over https:// shows only encrypted Application Data records. Capturing your own traffic on your own machine is fine, but intercepting other people's traffic without authorization is not.
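To make the whole workflow reproducible offline, here is an added example (not code from the original project) that builds a one-packet pcap containing a cleartext login POST, then dissects it the way Wireshark's panes do: frame length, IPv4 addresses, TCP ports and sequence number, the ip.addr filter, the http.request.method == "POST" filter, and finally the "HTML Form URL Encoded" fields. Everything in it is constructed: the addresses, ports, sequence number and the form field names user_login/user_password are assumptions chosen to mirror the walkthrough, not values observed from zero.webappsecurity.com.

```python
"""Write a one-packet pcap holding a cleartext HTTP login POST, then dissect it
the way Wireshark does: frame -> IPv4 -> TCP -> HTTP -> urlencoded form.

Added example, not code from the original project. All data is constructed:
addresses, ports, sequence number and the form field names are assumptions.
"""
import struct
from urllib.parse import parse_qsl

SRC_IP, DST_IP = "192.168.1.10", "203.0.113.5"   # assumed client and server
SRC_PORT, DST_PORT, SEQ = 51234, 80, 1000        # port 80: plain HTTP, no TLS
BODY = b"user_login=rahul&user_password=12345"    # assumed form field names
HTTP_POST = (b"POST /login.html HTTP/1.1\r\n"
             b"Host: zero.webappsecurity.com\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY


def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Ethernet II + IPv4 + TCP (PSH,ACK) + payload. IP and TCP checksums are
    left as 0; Wireshark does not validate them by default, so it still dissects."""
    eth = bytes(12) + b"\x08\x00"                          # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      5 << 4, 0x18, 65535, 0, 0) + payload  # data offset 5 words
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def write_pcap(path, frames):
    """Classic libpcap format: 24-byte global header, then a 16-byte record
    header (ts_sec, ts_usec, caplen, len) before every frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
        for ts, frame in enumerate(frames):
            f.write(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)


def read_pcap(path):
    with open(path, "rb") as f:
        data = f.read()
    off, frames = 24, []
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        frames.append(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return frames


def dissect(frame):
    """The fields Wireshark shows in the list/details panes, or None if the
    frame is not TCP over IPv4."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto != 6:
        return None
    tcp = ip[ihl:]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "len": len(frame),
            "payload": tcp[(tcp[12] >> 4) * 4:]}


def ip_addr_filter(pkt, addr):
    """Same semantics as the display filter ip.addr == addr: either direction."""
    return pkt is not None and addr in (pkt["src"], pkt["dst"])


def http_request(payload):
    """(method, target, headers, body) for an HTTP/1.x request, else None."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().decode().lower()] = v.strip().decode()
    return parts[0].decode(), parts[1].decode(), headers, body


def posted_form_fields(payload):
    """Equivalent of http.request.method == "POST" plus the "HTML Form URL
    Encoded" tree: list of (key, value) pairs, or None if not a form POST."""
    req = http_request(payload)
    if req is None or req[0] != "POST":
        return None
    if not req[2].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    return parse_qsl(req[3].decode(), keep_blank_values=True)


def leaked_credentials(path):
    """Write the constructed capture to `path`, read it back, and report every
    cleartext form POST as (src, dst, dport, fields)."""
    write_pcap(path, [build_frame(SRC_IP, DST_IP, SRC_PORT, DST_PORT, SEQ, HTTP_POST)])
    found = []
    for frame in read_pcap(path):
        pkt = dissect(frame)
        fields = posted_form_fields(pkt["payload"]) if pkt else None
        if fields:
            found.append((pkt["src"], pkt["dst"], pkt["dport"], fields))
    return found


if __name__ == "__main__":
    for src, dst, port, fields in leaked_credentials("login_post.pcap"):
        print(f"{src} -> {dst}:{port}  {dict(fields)}")  # open login_post.pcap in Wireshark
```

Running the script writes login_post.pcap, which can be opened in Wireshark to see the same three panes described above with the same fields; the filters http, ip.addr == 203.0.113.5 and http.request.method == "POST" all select this single packet. The same dissection would find nothing in a capture of an HTTPS login, because the POST is inside TLS records and http_request never sees a request line.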