Packet sniffing

Updated: Oct 27, 2019


A packet sniffer is a tool we can use to identify problems in the network and to monitor the network.

We learned that data travels through a network in packets. The packets are reassembled into the original data once they have all arrived at their destination.


Usually, our computer will look only at packets that are addressed to it, but when a packet sniffer is running it can look at everything that comes through the interface. Packet sniffers can monitor network usage, detect abnormalities and identify bottlenecks. By doing so, a packet sniffer can find the exact node that failed and allow a fast response to such faults. In certain cases packet sniffers can prevent hacking attacks, because they can work as a monitoring tool.


A packet sniffer located at one of the servers of your ISP would potentially be able to monitor all of your online activities, such as:

  1. Which Web sites you visit

  2. What you look at on the site

  3. Whom you send e-mail to

  4. What's in the e-mail you send

  5. What you download from a site

  6. What streaming events you use, such as audio, video and Internet telephony


For example, many employers can determine how much time their workers are spending online or the type of content they consume. When it comes to hackers, whoever is analyzing the captured data can view information and details such as passwords and authentication tokens, at least when these are sent without encryption.


In this assignment, I will be using Wireshark.

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. (according to Wikipedia)



Steps for this Assignment:


1. The first thing was to close all my web browsers and start fresh.


2. Opened Wireshark and recorded a 5-minute session in which I used my Chrome browser with three different websites: my NYU Gmail account, my bank account and Facebook.


3. Opened Wireshark and recorded a 5-minute session in which I used my Explorer browser with the same three websites: my NYU Gmail account, my bank account and Facebook.


The Results:

Saved my Wireshark capture to a CSV file in order to analyse it more easily using Excel.


Chrome browser number of packets: 29,576

Explorer browser number of packets: 49,310


Protocols that I came across:


ARP (7) - Address resolution protocol

It is a protocol used by the Internet Protocol (IP), specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol.


DNS (325) - Domain Name System

It is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.
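The DNS queries in a capture are what reveal item 1 of the list above (which websites you visit): the name being resolved travels in clear text, so a sniffer anywhere on the path can read it. The following decoder is an added example, not code from the original assignment; the query and response bytes are constructed for the example, and the transaction id, name and address in them are made up.

```python
import struct

QTYPES = {1: "A", 28: "AAAA", 5: "CNAME"}


def encode_name(name):
    """Encode 'mail.google.com' as DNS labels: length byte + label, ending in 0x00."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def read_name(msg, pos):
    """Read a DNS name at pos, following compression pointers (RFC 1035 section 4.1.4).
    Returns (name, position just after the name in the original byte stream)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                 # two-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if not jumped:
                end = pos + 2                     # the caller resumes after the pointer
            jumped, pos, hops = True, pointer, hops + 1
            if hops > 50:                         # malformed message: pointer loop
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if jumped else pos)


def parse_dns(msg):
    """Decode the header, question and answer sections of one DNS message (UDP payload)."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    questions = []
    for _ in range(qdcount):
        name, pos = read_name(msg, pos)
        qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append((name, QTYPES.get(qtype, str(qtype))))
    answers = []
    for _ in range(ancount):
        name, pos = read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:             # A record: dotted IPv4 address
            value = ".".join(str(b) for b in rdata)
        elif rtype == 5:                          # CNAME: another (possibly compressed) name
            value, _ = read_name(msg, pos - rdlen)
        else:
            value = rdata.hex()
        answers.append((name, QTYPES.get(rtype, str(rtype)), ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


# Constructed sample messages (not from the capture described in the post).
QUERY = (struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0)
         + encode_name("mail.google.com") + struct.pack("!HH", 1, 1))
RESPONSE = (struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)
            + encode_name("mail.google.com") + struct.pack("!HH", 1, 1)
            + b"\xC0\x0C"                          # pointer back to the name at offset 12
            + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([172, 217, 3, 101]))

if __name__ == "__main__":
    print(parse_dns(QUERY))
    print(parse_dns(RESPONSE))
```

Because the question name is readable without any key, this is why a sniffer at the ISP knows which sites you visit even when the site itself uses HTTPS; encrypting the lookup itself (DNS over TLS or DNS over HTTPS) is the usual mitigation.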


HTTP (4) - HyperText Transfer Protocol.

HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.


MDNS (27) - multicast DNS (mDNS)

It is a protocol that resolves hostnames to IP addresses within small networks that do not include a local name server.


OCSP (4) - Online Certificate Status Protocol

It is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.


TCP (34,651) - Transmission Control Protocol

It is a standard that defines how to establish and maintain a network conversation via which application programs can exchange data. TCP works with the Internet Protocol (IP), which defines how computers send packets of data to each other.


TLS - Transport Layer Security

TLS and SSL are both network protocols that allow data to be transferred privately and securely between a web server and a web browser.


I had over 15,000 packets using TLS in different versions, so I started to read more about this protocol. In order to have a successful website you have to take your online security method into consideration. In the past, getting a certificate for a website wasn't an easy thing to do because of the cost and the implementation effort. In 2014 the Electronic Frontier Foundation, Mozilla, Cisco and Akamai announced Let's Encrypt, an open certificate authority. After this, a few more new companies started offering basic encryption at no added cost to hosting customers. Today we live in a reality where there are free certificates, lower-cost industrial-grade certificates, and much better certificate management tools.


  1. TLS is the modern encryption standard; SSL (Secure Sockets Layer) is basically an older version of it.

  2. TLS consists of two parts. (A) The handshake, which negotiates the encryption algorithm, the authentication, and the key exchange. The handshake happens only once, to create a secure connection between the source and the destination. (B) The record layer, which receives the data, encrypts it, and breaks it into pieces of a size that can be sent.

  3. TLS establishes an encrypted, bidirectional network tunnel through which arbitrary data can travel between two hosts.

  4. According to HostingAdvice, in 1999 TLS replaced the older SSL protocol as the encryption almost everyone uses. This change was made mostly to avoid legal issues with Netscape, the company that created SSL, so that the protocol could be developed as an open standard, free for all.

  5. The main customers of these methods will be eCommerce and healthcare-related sites.

  6. There are pros and cons to using SSL/TLS. Pros: it prevents man-in-the-middle attacks and prevents eavesdropping on the communication with the server. Cons: it adds latency to the website traffic and adds complexity to server management.

There are a few versions available out there, and this is why I saw different versions in my sniffing:


TLSv1 (3) - Transport Layer Security

Several versions of the protocol find widespread use in applications such as web browsing, email, instant messaging, and voice over IP.

TLSv1.2 (4,613) - Transport Layer Security

It introduces new SSL/TLS cipher suites that use the SHA-256 hash algorithm instead of the SHA-1 function, which adds significant strength to data integrity (according to the IBM Knowledge Center).

TLSv1.3 (9,378) - Transport Layer Security

The final version of TLS 1.3 was published in August 2018, making encrypted connections more secure and faster.
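Points 2 and 3 of the list above describe the record layer and the handshake, and the version counts show that the sniffer can tell TLSv1, TLSv1.2 and TLSv1.3 apart even though it cannot read the encrypted payload. The parser below is an added example, not code from the original assignment: it decodes the 5-byte record header, then the ClientHello inside a handshake record, and reports the hostname from the server_name (SNI) extension and the versions the client offers. The ClientHello bytes it works on are constructed by the build_client_hello helper (hostnames and random bytes are made up), not taken from the capture. TLS 1.3 is the interesting case: the version field on the wire still says 1.2 for compatibility, and 1.3 is only advertised in the supported_versions extension, which is what a sniffer has to look at.

```python
import struct

# Constants from the TLS specifications (RFC 5246 for 1.2, RFC 8446 for 1.3).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}
VERSION_NAMES = {0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
EXT_SERVER_NAME = 0          # SNI: the hostname the client wants, sent in the clear
EXT_SUPPORTED_VERSIONS = 43  # TLS 1.3 is advertised here, not in the version field


def build_record(content_type, version, payload):
    """Wrap a payload in the record-layer header: type (1), version (2), length (2)."""
    return struct.pack("!BHH", content_type, version, len(payload)) + payload


def build_client_hello(server_name, versions):
    """Build a minimal ClientHello inside one handshake record. Constructed test input,
    not a captured packet; real hellos carry many more cipher suites and extensions."""
    host = server_name.encode()
    name_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host   # type 0 = host_name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    if versions:                                   # omit the extension for a pre-1.3 client
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        ext += struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(vlist) + 1, len(vlist)) + vlist
    hello = (struct.pack("!H", 0x0303)              # legacy_version: always "1.2" on the wire
             + b"\x11" * 32                         # client random (dummy bytes)
             + b"\x00"                              # empty session id
             + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                          # one compression method: null
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # type 1 = ClientHello
    return build_record(22, 0x0301, handshake)      # first record usually carries version 1.0


def parse_client_hello(h):
    """Walk the ClientHello body and pull out the SNI hostname and the offered versions."""
    legacy = struct.unpack("!H", h[:2])[0]
    pos = 2 + 32                                            # skip client random
    pos += 1 + h[pos]                                       # session id
    pos += 2 + struct.unpack("!H", h[pos:pos + 2])[0]       # cipher suites
    pos += 1 + h[pos]                                       # compression methods
    ext_len = struct.unpack("!H", h[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    offered, server_name = [legacy], None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", h[pos:pos + 4])
        edata = h[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", edata[3:5])[0]
            server_name = edata[5:5 + name_len].decode()
        elif etype == EXT_SUPPORTED_VERSIONS:
            count = edata[0] // 2
            offered = list(struct.unpack("!%dH" % count, edata[1:1 + count * 2]))
    return {"server_name": server_name,
            "offered_versions": [VERSION_NAMES.get(v, hex(v)) for v in offered],
            "highest_version": VERSION_NAMES.get(max(offered), hex(max(offered)))}


def parse_record(data):
    """Decode the record-layer header; for a handshake record carrying a ClientHello,
    also decode the fields a sniffer uses to label the version and the host."""
    ctype, rec_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    info = {"content_type": CONTENT_TYPES.get(ctype, "unknown"),
            "record_version": VERSION_NAMES.get(rec_version, hex(rec_version))}
    if ctype == 22:                                         # handshake
        hs_type = body[0]
        hs_len = int.from_bytes(body[1:4], "big")
        info["handshake_type"] = HANDSHAKE_TYPES.get(hs_type, "other")
        if hs_type == 1:
            info.update(parse_client_hello(body[4:4 + hs_len]))
    return info


if __name__ == "__main__":
    print(parse_record(build_client_hello("mail.google.com", [0x0304, 0x0303])))
    print(parse_record(build_client_hello("example.bank", [])))
    # After the handshake only the header of an application_data record is readable.
    print(parse_record(build_record(23, 0x0303, b"\xaa\xbb\xcc")))
```

Wireshark's final label for a flow comes from the version the server selects in its ServerHello, but the same extension walk applies there. The SNI field is the second thing to notice: it is sent before any key exists, so a sniffer sees the hostname of a TLS connection even though everything after the handshake is encrypted.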


Summary of my Sniffing


Number of packets sent to my computer - 34,791

Number of packets sent from my computer - 17,571
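The packet totals, the per-protocol counts, the sent/received split above and the per-host source and destination tallies that follow are all things that can be computed from the CSV export without Excel. The script below is an added example, not part of the original assignment: it reads the column layout Wireshark uses for File > Export Packet Dissections > As CSV (No., Time, Source, Destination, Protocol, Length, Info) and tallies the same figures. The sample rows are constructed for the example, and MY_ADDRESS is an assumed address for the sniffing machine.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Wireshark CSV export. The rows are made up for
# illustration and are not from the capture described in the post.
SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.1.10","192.168.1.1","DNS","74","Standard query 0x1a2b A mail.google.com"
"2","0.012000","192.168.1.1","192.168.1.10","DNS","90","Standard query response 0x1a2b A mail.google.com A 172.217.3.101"
"3","0.020000","192.168.1.10","172.217.3.101","TCP","66","50123 > 443 [SYN] Seq=0"
"4","0.040000","172.217.3.101","192.168.1.10","TCP","66","443 > 50123 [SYN, ACK] Seq=0 Ack=1"
"5","0.041000","192.168.1.10","172.217.3.101","TLSv1.3","583","Client Hello"
"6","0.060000","172.217.3.101","192.168.1.10","TLSv1.3","1514","Server Hello, Change Cipher Spec"
"7","0.061000","172.217.3.101","192.168.1.10","TLSv1.3","1514","Application Data"
"8","0.070000","192.168.1.10","23.45.67.89","TLSv1.2","571","Client Hello"
"9","0.090000","23.45.67.89","192.168.1.10","TLSv1.2","1514","Server Hello"
"10","0.100000","192.168.1.10","192.168.1.1","ARP","42","Who has 192.168.1.1? Tell 192.168.1.10"
"""

MY_ADDRESS = "192.168.1.10"   # assumed address of the machine running the sniffer


def load_packets(text):
    """Parse Wireshark's CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def protocol_counts(packets):
    """Packets per protocol label, the figures in the 'Protocols that I came across' list."""
    return Counter(p["Protocol"] for p in packets)


def bytes_per_protocol(packets):
    """Total frame bytes per protocol, which is often more telling than packet counts."""
    totals = Counter()
    for p in packets:
        totals[p["Protocol"]] += int(p["Length"])
    return totals


def direction_split(packets, me=MY_ADDRESS):
    """Return (packets sent to me, packets sent from me)."""
    inbound = sum(1 for p in packets if p["Destination"] == me)
    outbound = sum(1 for p in packets if p["Source"] == me)
    return inbound, outbound


def top_talkers(packets, column, me=MY_ADDRESS, n=5):
    """Most frequent remote addresses in 'Source' or 'Destination', skipping our own
    address so the list shows the other side of each conversation."""
    return Counter(p[column] for p in packets if p[column] != me).most_common(n)


if __name__ == "__main__":
    pkts = load_packets(SAMPLE_CSV)
    print("total packets:", len(pkts))
    for proto, count in sorted(protocol_counts(pkts).items()):
        print(f"  {proto}: {count} packets, {bytes_per_protocol(pkts)[proto]} bytes")
    inbound, outbound = direction_split(pkts)
    print("sent to me:", inbound, "sent from me:", outbound)
    print("top sources:", top_talkers(pkts, "Source"))
    print("top destinations:", top_talkers(pkts, "Destination"))
```

Wireshark's export gives IP addresses rather than hostnames unless name resolution is switched on, so a hostname list like the one below comes either from enabling View > Name Resolution before exporting or from joining the addresses against the DNS answers in the same capture.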


Sources:

I got 4,880 packets from Level 3 Parent, LLC:

Sni.star.http2.cdn.it.best-tv.com.c.footprint.net


E12476.b.akamaiedge.net - 3061

Apparently Akamai provides content delivery to a huge portion of the websites out there; they are the single largest content provider, streaming data for just about everyone: Microsoft, Amazon, Google, Netflix, many news sites, and even porn.

While searching online I found people writing that after blocking Akamaiedge, random things started to stop working or updating.


F2.taboola.map.fastly.net - 2,981

Fastly is a content delivery network (CDN). In Fastly's own words: "We serve as an Internet intermediary and offer the Fastly CDN Service to make transmission of your content to your end users more efficient."


Youtube-ui.l.google.com - 1,656

YouTube, without even opening YouTube.


World-gen.g.aaplimg.com - 41

Information from the Internet suggests that this is an Apple server that is contacted for updates, most likely by the App Store app.


Ssl.gstatic.com - 796

is classified as a browser hijacker, which isn't a virus.

Viruses are considered High priority for removal, while browser hijacker is usually low-to-medium.


Pagead-googlehosted.l.google.com - 786

Pagead46.l.doubleclick.net - 592

Google in the United States


Mrb.upapi.net - 430

Partnerad.l.doubleclick.net - 356

Scontent.xx.fbcdn.net - 147

13.client-channel.google.com - 112

Events.browsiprod.com - 108

Cdn.firstimpression.io - 88

Ec2-34-194-201-2.compute-1.amazonaws.com - 76

Us-east-sync.bidswitch.net - 41

Perf-optimized-by.rubiconproject.net.akadns.net - 32

Ss-prod-an1-notif-22.aws.adobess.com - 26

Prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud - 24

Pixel-origin.mathtag.com - 22

Idsync.rlcdn.com - 18

Bigsea-america-prod-elb-windtrap-1501557327.us-east-1.elb.amazo - 15

Ml314.com - 15

Idaas-production.us-east-1.elasticbeanstalk.com - 13

Ads.revjet.com - 12

Bttrack.com - 12 > https://bidtellect.com/

Csm.va.us.criteo.net - 10

72.21.91.29 - 8 > Verizon Business


Destinations:

E12476.b.akamaiedge.net - 2234

Again Akamai, the content delivery provider described under Sources above.


Safebrowsing.googleapis.com - 1862

The Google Chrome, Apple Safari and Mozilla Firefox web browsers use the lists from the Google Safe Browsing service for checking pages against potential threats.


Googlemail.l.google.com - 1243

Gmail - which I opened in order to check my email


A676.w23.akamai.net - 1154

Again, another Akamai service


Youtube-ui.l.google.com - 849

Pagead-googlehosted.l.google.com - 531

Ssl.gstatic.com - 451

Accounts.google.com - 332

Dns2-ha.noc.nyu.edu - 162

Ecdn.firstimpression.io - 157

E673.dsce9.akamaiedge.net - 86

Js.nagich.co.il - 48

World-gen.g.aaplimg.com - 47

Api-nyc.smoot.apple.com - 42

Us-west-2.queue.amazonaws.com - 26

Ss-prod-an1-notif-22.aws.adobess.com - 22

Dfh8hwrwbxm35.cloudfront.net - 22

Bttrack.com - 18

Aorta.clickagy.com - 18

www.promisejs.org - 17

Hosting02.sitebytes.nl - 2

Box1165.bluehost.com - 1

