Network Packet Sniffer on Various Network Protocols on Live Network

Vaibhav Sharma

Jul 1, 2019

Preface

The objective of the project was “To Make a Network Packet Sniffer on Various Network Protocols working on both saved pcap file or on Live Network”.

For this we first have to understand the basics of Computer Networking and of all the protocols which we are going to decipher. The project was started only after gathering all the relevant background information. The first part of my project involves the study of Computer Networks, the OSI Model, TCP protocols and UDP protocols.

After this the main task was to understand the basics of packet capturing, on both a live network and an already saved packet file. This included finding a network device, getting information about the device, live capturing, printing packet info, determining the packet type, finding the data payload, loading a pcap file, closing the handle, sending packets and much more.

The most important part of the project was deciphering the many protocols listed later on with the help of Wireshark, printing them on the terminal and then storing each protocol’s payload data in MySQL.

For my full code please refer to https://github.com/lonesomebronco/Packet-Sniffers/blob/master/CompleteLiveSniffer.c

What is a Sniffer?

Network sniffers take snapshot copies of the data flowing over a network without redirecting or altering it. Some sniffers work only with TCP/IP packets, but the more sophisticated tools work with many other network protocols and at lower levels, including Ethernet frames.

How Packet Analyzers Are Used

There’s a wide range of applications for packet sniffers. Most packet sniffers can be used inappropriately by one person and for legitimate reasons by another.

A program that captures passwords, for example, could be used by a hacker, but the same tool might be used by a network administrator to find network statistics like available bandwidth.

Network sniffing is also used to test firewall or web filters, and to troubleshoot client/server relationships.

How Network Sniffing Works

A packet sniffer connected to any network intercepts all data flowing over that network.

On a local area network (LAN), computers typically communicate directly with other computers or devices on the network. Anything connected to that network is exposed to all of that traffic. Computers are programmed to ignore all network traffic not intended for them.

Network sniffing software opens up to all traffic by opening up the computer’s network interface card (NIC) to listen to that traffic. The software reads that data and performs analysis or data extraction on it.

Once it receives network data, the software performs the following actions on it:

  • The contents, or individual packets (sections of network data), are recorded.
  • Some software only records the header section of data packets to save space.
  • Captured network data is decoded and formatted so that the user can view the information.
  • Packet sniffers analyze errors in network communication, troubleshoot network connections, and reconstruct entire data-streams intended for other computers.
  • Some network sniffing software retrieves sensitive information like passwords, PIN numbers, and private information.

OSI Model

The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard communication protocols. The model partitions a communication system into abstraction layers. The original version of the model defined seven layers.

A layer serves the layer above it and is served by the layer below it. For example, a layer that provides error-free communications across a network provides the path needed by applications above it, while it calls the next lower layer to send and receive packets that constitute the contents of that path. Two instances at the same layer are visualized as connected by a horizontal connection in that layer.

Layer 1: Physical Layer

The physical layer is responsible for the transmission and reception of unstructured raw data between a device and a physical transmission medium. It converts the digital bits into electrical, radio, or optical signals. The components of a physical layer can be described in terms of a network topology. Bluetooth, Ethernet, and USB all have specifications for a physical layer.

Layer 2: Data Link Layer

The data link layer provides node-to-node data transfer — a link between two directly connected nodes. It detects and possibly corrects errors that may occur in the physical layer.

Layer 3: Network Layer

The network layer provides the functional and procedural means of transferring variable length data sequences (called packets) from one node to another connected in “different networks”. A network is a medium to which many nodes can be connected, on which every node has an address and which permits nodes connected to it to transfer messages to other nodes connected to it by merely providing the content of a message and the address of the destination node and letting the network find the way to deliver the message to the destination node, possibly routing it through intermediate nodes.

Message delivery at the network layer is not necessarily guaranteed to be reliable; a network layer protocol may provide reliable message delivery, but it need not do so.

Layer 4: Transport Layer

The transport layer provides the functional and procedural means of transferring variable-length data sequences from a source to a destination host, while maintaining the quality of service functions.

The transport layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control.

Layer 5: Session Layer

The session layer controls the dialogues (connections) between computers. It establishes, manages and terminates the connections between the local and remote application.

Layer 6: Presentation Layer

The presentation layer establishes context between application-layer entities, in which the application-layer entities may use different syntax and semantics if the presentation service provides a mapping between them.

Layer 7: Application Layer

The application layer is the OSI layer closest to the end user, which means both the OSI application layer and the user interact directly with the software application. This layer interacts with software applications that implement a communicating component. Such application programs fall outside the scope of the OSI model.

Simple Mail Transfer Protocol (SMTP)

Email is emerging as one of the most valuable services on the internet today. Most of the internet systems use SMTP as a method to transfer mail from one user to another. SMTP is a push protocol and is used to send the mail whereas POP (post office protocol) or IMAP (internet message access protocol) are used to retrieve those mails at the receiver’s side.

SMTP is an application layer protocol. The client that wants to send mail opens a TCP connection to the SMTP server and then sends the mail across that connection. The SMTP server is always in listening mode. As soon as it accepts a TCP connection from a client on its port (25, 587 or 465), the SMTP process takes over that connection, and once the TCP connection is successfully established the client process sends the mail immediately.

WORK:

In the TCP part of the code, whenever the source port number is 25 the code enters the SMTP part.

This code prints the Response Code, Command and Response Parameter in addition to the data already printed by the TCP header part, which are the source IP address and port number and the destination IP address and port number.

The data from this code is then entered into a table (SMTP in this case) in MySQL, from which it can be retrieved later on.

SMTPS uses port 465, and the same fields are taken out of its packets as for SMTP.

POST OFFICE PROTOCOL (POP 3)

Post Office Protocol is the primary protocol behind email communication. POP works through a supporting email software client that integrates POP for connecting to the remote email server and downloading email messages to the recipient’s computer machine. POP is an application layer protocol in the OSI model that provides end users the ability to fetch and receive email.

POP uses the TCP/IP protocol stack for network connection and works with Simple Mail Transfer Protocol (SMTP) for end-to-end email communication, where POP pulls messages and SMTP pushes them to the server. As of 2012, Post Office Protocol is in its third version known as POP 3 and is commonly used in most email client/server communication architecture.

WORK:

In the TCP part of the code, whenever the source port number or the destination port number is 110 the code enters the POP part.

This code prints the Response Description and Response Indicator/Request Command in addition to the data already printed by the TCP header part, which are the source IP address and port number and the destination IP address and port number.

The data from this code is then entered into a table (POP in this case) in MySQL, from which it can be retrieved later on.

POPS uses port 995, and the same fields are taken out of its packets as for POP.

Secure Shell version 2 (SSHv2)

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH.

SSH provides a secure channel over an unsecured network in a client–server architecture, connecting an SSH client application with an SSH server. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. The standard TCP port for SSH is 22. SSH is generally used to access Unix-like operating systems, but it can also be used on Microsoft Windows. Windows 10 uses OpenSSH as its default SSH client.

SSH was designed as a replacement for Telnet and for unsecured remote shell protocols such as the Berkeley rlogin, rsh, and rexec protocols. Those protocols send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis. The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet, although files leaked by Edward Snowden indicate that the National Security Agency can sometimes decrypt SSH, allowing them to read the contents of SSH sessions.

WORK:

In the TCP part of the code, whenever the source port number or the destination port number is 22 the code enters the SSHv2 part.

This code prints Padding Length, Packet Length, Protocol, Cookie and RSA Public Exponent [e] in addition to the data already printed by the TCP header part, which are the source IP address and port number and the destination IP address and port number.

The data from this code is then entered into a table (SSHv2 in this case) in MySQL, from which it can be retrieved later on.
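The SMTP, POP and SSH sections above all follow the same pattern: parse the Ethernet, IPv4 and TCP headers, then branch on the port numbers. The block below is an added example, not code from the author's CompleteLiveSniffer.c; it shows that pattern in C with every read bounds-checked against the captured length, and it generalises the text's per-protocol checks into one classify_tcp() function covering all the ports listed for SMTP, SMTPS, POP, POPS and SSH. The function and struct names (parse_eth_ipv4_tcp, classify_tcp, struct tcp_view) and the sample frame SAMPLE_SMTP_FRAME are my own assumptions; the frame is constructed, with its checksums left at zero.

```c
/* Added example, not the author's CompleteLiveSniffer.c: parse an
 * Ethernet/IPv4/TCP frame from a constructed buffer and route it by port the
 * way the SMTP, POP and SSH sections describe.  Every field is bounds-checked
 * against caplen (the number of bytes actually captured), never against the
 * length fields inside the packet alone. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum app_proto { APP_OTHER = 0, APP_SMTP, APP_SMTPS, APP_POP3, APP_POP3S, APP_SSH };

struct tcp_view {
    uint32_t src_ip, dst_ip;        /* host byte order */
    uint16_t src_port, dst_port;
    const uint8_t *payload;         /* points into the frame, after TCP options */
    size_t payload_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Returns 0 and fills *out for a complete IPv4/TCP frame, -1 otherwise. */
int parse_eth_ipv4_tcp(const uint8_t *frame, size_t caplen, struct tcp_view *out)
{
    if (caplen < 14 || be16(frame + 12) != 0x0800) return -1;   /* EtherType != IPv4 */
    const uint8_t *ip = frame + 14;
    size_t rem = caplen - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (ip[0] & 0x0f) * 4u;                             /* header incl. options */
    size_t total = be16(ip + 2);
    if (ihl < 20 || ihl > rem || ip[9] != 6) return -1;           /* 6 = TCP */
    if (total < ihl || total > rem) return -1;                    /* truncated capture */
    const uint8_t *tcp = ip + ihl;
    size_t tcp_len = total - ihl;
    if (tcp_len < 20) return -1;
    size_t doff = (tcp[12] >> 4) * 4u;                            /* data offset incl. options */
    if (doff < 20 || doff > tcp_len) return -1;
    out->src_ip = be32(ip + 12);  out->dst_ip = be32(ip + 16);
    out->src_port = be16(tcp);    out->dst_port = be16(tcp + 2);
    out->payload = tcp + doff;    out->payload_len = tcp_len - doff;
    return 0;
}

/* Port-based dispatch as in the WORK sections: SMTP/SMTPS key on the source
 * port, POP3/POP3S and SSH on either port. */
enum app_proto classify_tcp(uint16_t sport, uint16_t dport)
{
    if (sport == 25)  return APP_SMTP;
    if (sport == 465) return APP_SMTPS;
    if (sport == 110 || dport == 110) return APP_POP3;
    if (sport == 995 || dport == 995) return APP_POP3S;
    if (sport == 22  || dport == 22)  return APP_SSH;
    return APP_OTHER;
}

/* An SMTP reply line starts with a three-digit response code; -1 if absent. */
int smtp_response_code(const uint8_t *payload, size_t len)
{
    if (len < 3) return -1;
    for (int i = 0; i < 3; i++)
        if (payload[i] < '0' || payload[i] > '9') return -1;
    return (payload[0] - '0') * 100 + (payload[1] - '0') * 10 + (payload[2] - '0');
}

/* Constructed frame: SMTP "220" greeting from 10.0.0.2:25 to 10.0.0.1:51000.
 * IP and TCP checksums are left as zero; this parser does not verify them. */
static const uint8_t SAMPLE_SMTP_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x38, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,           /* IPv4, total 56 */
    0x0a,0x00,0x00,0x02, 0x0a,0x00,0x00,0x01,
    0x00,0x19,0xc7,0x38, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,           /* TCP 25 -> 51000 */
    0x50,0x18,0xff,0xff, 0x00,0x00,0x00,0x00,
    '2','2','0',' ','m','a','i','l',' ','r','e','a','d','y','\r','\n'
};

int main(void)
{
    struct tcp_view v;
    if (parse_eth_ipv4_tcp(SAMPLE_SMTP_FRAME, sizeof SAMPLE_SMTP_FRAME, &v) != 0) return 1;
    printf("%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u proto=%d smtp_code=%d\n",
           v.src_ip >> 24, (v.src_ip >> 16) & 255, (v.src_ip >> 8) & 255, v.src_ip & 255, v.src_port,
           v.dst_ip >> 24, (v.dst_ip >> 16) & 255, (v.dst_ip >> 8) & 255, v.dst_ip & 255, v.dst_port,
           classify_tcp(v.src_port, v.dst_port), smtp_response_code(v.payload, v.payload_len));
    return 0;
}
```

Two points the parser makes that the text leaves implicit: the IP and TCP header lengths come from the IHL and data-offset nibbles, so fixed offsets of 20 bytes break on packets with options, and the capture length is checked before any length field inside the packet is trusted. On ports 465 and 995 the TCP payload is TLS, so only the port classification applies there; the SMTP or POP fields cannot be read out of the capture.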

Internet Control Message Protocol (ICMP)

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications (with the exception of some diagnostic tools like ping and traceroute).

Many commonly used network utilities are based on ICMP messages. ICMP uses the basic support of IP as if it were a higher-level protocol, however, ICMP is actually an integral part of IP. Although ICMP messages are contained within standard IP packets, ICMP messages are usually processed as a special case, distinguished from normal IP processing. In many cases, it is necessary to inspect the contents of the ICMP message and deliver the appropriate error message to the application responsible for transmission of the IP packet that prompted the sending of the ICMP message.

WORK:

We add a switch case for ICMP as we did for TCP and UDP.

In this case we have to find the two IP addresses, the port numbers, the header checksum and the time to live of a packet by locating their positions in the packet with the help of Wireshark, since they are given by neither the TCP nor the UDP part. ICMP is a network layer protocol: there is no TCP or UDP port number associated with ICMP packets, as port numbers belong to the transport layer above.

This Code prints Checksum, Type, Identifier, Sequence Number, Data and Length of Data.

The data from this code is then entered into a table (i.e. ICMP in this case) in MYSQL, which can be retrieved later on to see the packet details.

Internet Group Management Protocol (IGMP)

The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group memberships. IGMP is an integral part of IP multicast.

IGMP can be used for one-to-many networking applications such as online streaming video and gaming, and allows more efficient use of resources when supporting these types of applications.

IGMP is used on IPv4 networks. Multicast management on IPv6 networks is handled by Multicast Listener Discovery (MLD) which is a part of ICMPv6 in contrast to IGMP’s bare IP encapsulation.

WORK:

We add a switch case for IGMP as we did for TCP, ICMP and UDP.

In this case we have to find the IP addresses and port numbers in common, as IGMP is further divided into 5 parts based on packets no. 38 and 41:

· Membership Query (0x11)

· Membership Report (0x16)

· Leave Group (0x17)

· Membership Report (0x12)

· Others

Whichever of the above types it is, we decipher the packet accordingly and get the Multicast Address, Checksum and Reserved fields.

The data from this code is then entered into the suitable table according to the IGMP type in MySQL, from which it can be retrieved later on to see the packet details.
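The ICMP and IGMP sections both describe messages carried directly in IPv4 (protocol numbers 1 and 2) that have no transport-layer port, and both print a checksum. The block below is an added example, not the author's code; it serves both sections with one shared RFC 1071 checksum routine, decodes the ICMP echo fields (type, code, checksum, identifier, sequence number, data and data length) and the IGMP fields (type mapped to the names in the list above, max response time, checksum, group address), and verifies both the IP header checksum and the message checksum before trusting the fields. The IGMP sample carries the Router Alert IP option (IHL = 6), which is why the parser must honour IHL. All names (inet_checksum, parse_ipv4, parse_icmp_echo, parse_igmp, the SAMPLE_ arrays) are my own, and the packets are constructed.

```c
/* Added example, not from the author's sniffer: decode ICMP echo (IP protocol 1)
 * and IGMP (IP protocol 2) messages that sit directly on IPv4, and verify the
 * RFC 1071 Internet checksum before trusting any field.  Inputs are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* One's-complement sum; over a message that includes its own checksum field
 * the result is 0 when the message is intact. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, data += 2) sum += be16(data);
    if (len) sum += (uint32_t)data[0] << 8;                 /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);   /* fold carries */
    return (uint16_t)~sum;
}

struct ipv4_slice { uint8_t proto; uint32_t src, dst; const uint8_t *payload; size_t len; int hdr_ok; };

/* Locate the IPv4 payload, honouring IHL (options) and the captured length. */
int parse_ipv4(const uint8_t *pkt, size_t caplen, struct ipv4_slice *s)
{
    if (caplen < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4u, total = be16(pkt + 2);
    if (ihl < 20 || total < ihl || total > caplen) return -1;
    s->proto = pkt[9];
    s->src = be32(pkt + 12);  s->dst = be32(pkt + 16);
    s->payload = pkt + ihl;   s->len = total - ihl;
    s->hdr_ok = inet_checksum(pkt, ihl) == 0;
    return 0;
}

/* Fields the ICMP section prints.  Identifier/sequence are only meaningful for
 * echo request (8) and reply (0); other types use those bytes differently. */
struct icmp_echo { uint8_t type, code; uint16_t checksum, id, seq; const uint8_t *data; size_t data_len; int checksum_ok; };

int parse_icmp_echo(const uint8_t *pkt, size_t caplen, struct icmp_echo *e)
{
    struct ipv4_slice s;
    if (parse_ipv4(pkt, caplen, &s) < 0 || s.proto != 1 || s.len < 8) return -1;
    const uint8_t *m = s.payload;
    e->type = m[0]; e->code = m[1]; e->checksum = be16(m + 2);
    e->id = be16(m + 4); e->seq = be16(m + 6);
    e->data = m + 8; e->data_len = s.len - 8;
    e->checksum_ok = inet_checksum(m, s.len) == 0;
    return 0;
}

/* IGMP type codes from the text, plus the IGMPv3 report the text folds into "Others". */
const char *igmp_type_name(uint8_t t)
{
    switch (t) {
    case 0x11: return "Membership Query";
    case 0x12: return "Membership Report (v1)";
    case 0x16: return "Membership Report (v2)";
    case 0x17: return "Leave Group";
    case 0x22: return "Membership Report (v3)";
    default:   return "Other";
    }
}

struct igmp_msg { uint8_t type, max_resp; uint16_t checksum; uint32_t group; const char *type_name; int checksum_ok; };

/* 8-byte IGMPv1/v2 layout; for type 0x22 bytes 4..7 are not a group address. */
int parse_igmp(const uint8_t *pkt, size_t caplen, struct igmp_msg *g)
{
    struct ipv4_slice s;
    if (parse_ipv4(pkt, caplen, &s) < 0 || s.proto != 2 || s.len < 8) return -1;
    const uint8_t *m = s.payload;
    g->type = m[0]; g->max_resp = m[1]; g->checksum = be16(m + 2);
    g->group = be32(m + 4); g->type_name = igmp_type_name(m[0]);
    g->checksum_ok = inet_checksum(m, s.len) == 0;
    return 0;
}

/* Constructed packets with valid IP-header and message checksums. */
static const uint8_t SAMPLE_ICMP_ECHO[] = {              /* 10.0.0.1 -> 10.0.0.2, echo request */
    0x45,0x00,0x00,0x20, 0x00,0x01,0x00,0x00, 0x40,0x01,0x66,0xda,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x08,0x00,0x21,0x04, 0x12,0x34,0x00,0x01, 'a','b','c','d'
};
static const uint8_t SAMPLE_IGMP_REPORT[] = {            /* IHL=6: Router Alert option present */
    0x46,0x00,0x00,0x20, 0x00,0x02,0x00,0x00, 0x01,0x02,0x29,0xd1,
    0x0a,0x00,0x00,0x01, 0xef,0x01,0x02,0x03, 0x94,0x04,0x00,0x00,
    0x16,0x00,0xf8,0xfa, 0xef,0x01,0x02,0x03
};

int main(void)
{
    struct icmp_echo e; struct igmp_msg g;
    if (parse_icmp_echo(SAMPLE_ICMP_ECHO, sizeof SAMPLE_ICMP_ECHO, &e) == 0)
        printf("ICMP type=%u id=0x%04x seq=%u data_len=%zu checksum_ok=%d\n",
               e.type, e.id, e.seq, e.data_len, e.checksum_ok);
    if (parse_igmp(SAMPLE_IGMP_REPORT, sizeof SAMPLE_IGMP_REPORT, &g) == 0)
        printf("IGMP %s group=0x%08x checksum_ok=%d\n", g.type_name, g.group, g.checksum_ok);
    return 0;
}
```

Recording checksum_ok alongside the decoded fields, rather than only the checksum value the text prints, lets the MySQL rows distinguish a corrupted or forged message from an intact one.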

Syslog Protocol

In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyses them. Each message is labelled with a facility code, indicating the software type generating the message, and assigned a severity level.

Computer system designers may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms use the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository. Implementations of syslog exist for many operating systems.

When operating over a network, syslog uses a client-server architecture where the server listens on a well-known or registered port for protocol requests from clients. Historically the most common transport layer protocol for network logging has been User Datagram Protocol (UDP), with the server listening on port 514. As UDP lacks congestion control mechanisms, support for Transport Layer Security is required in implementations and recommended for general use on Transmission Control Protocol (TCP) port 6514.

WORK:

Whenever the source port number or the destination port number is 6514 in TCP, or 414 in UDP, the code enters the Syslog part.

This code prints the Truncated Message in addition to the data already printed by the TCP header part, which are the source IP address and port number and the destination IP address and port number.

The data from this code is then entered into a table (Syslog in this case) in MySQL, from which it can be retrieved later on.

Server Message Block (SMB)

SMB stands for “Server Message Block.” It is a network protocol used by Windows-based computers that allows systems within the same network to share files. It allows computers connected to the same network or domain to access files from other local computers as easily as if they were on the computer’s local hard drive.

Not only does SMB allow computers to share files, but it also enables computers to share printers and even serial ports from other computers within the network. For example, a computer connected to a Windows network could print a document on a printer connected to another computer on the network, as long as both machines support the SMB protocol.

Though SMB was originally developed for Windows, it can also be used by other platforms, including Unix and Mac OS X, using a software implementation called Samba. By using Samba instructions, Mac, Windows, and Unix computers can share the same files, folders, and printers.

WORK:

In the TCP part of the code, whenever the source port number or the destination port number is 445 the code enters the SMB part.

SMB is further classified into 5 types, as listed:

· Encrypted SMB3

· Negotiate Protocol (0x72)

· Tree Connect (3)

· Session Setup (1)

· Negotiate Protocol (0)

This code prints Server Component, Credit Charge and Credit Requested, and in some SMB cases also NT_Status, Process ID, User ID, Tree ID, Reserved and Signature.

The data from this code is then entered into the suitable table according to the SMB type in MySQL, from which it can be retrieved later on to see the packet details.
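The five SMB types in the list above correspond to three different headers that can follow the 4-byte NetBIOS session header on port 445: the 32-byte SMB1 header (0xFF 'S' 'M' 'B', where command 0x72 is Negotiate Protocol), the 64-byte SMB2 header (0xFE 'S' 'M' 'B', where commands 0, 1 and 3 are Negotiate, Session Setup and Tree Connect) and the 52-byte SMB3 transform header (0xFD 'S' 'M' 'B') that wraps an encrypted message. The block below is an added example, not the author's code; it classifies a TCP-445 payload into those five kinds and pulls out the fields the text prints (Credit Charge, Credit Requested, NT_Status, Process ID, User ID, Tree ID, Signature) at the offsets given in MS-CIFS and MS-SMB2. The names parse_smb_tcp_payload, struct smb_info, enum smb_kind and the SAMPLE_ arrays are my own; the three messages are constructed header-only samples with their request bodies omitted.

```c
/* Added example, not the author's code: classify the SMB message carried in a
 * TCP-445 payload into the five kinds the text lists.  It reads the 4-byte
 * NetBIOS session header, then the SMB1 (0xFF), SMB2 (0xFE) or SMB3 transform
 * (0xFD) header at the offsets given in MS-CIFS / MS-SMB2.  Inputs are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum smb_kind { SMB_INVALID = 0, SMB3_ENCRYPTED, SMB1_NEGOTIATE, SMB2_NEGOTIATE,
                SMB2_SESSION_SETUP, SMB2_TREE_CONNECT, SMB_OTHER };

struct smb_info {
    enum smb_kind kind;
    uint16_t command, credit_charge, credit_request;   /* credits: SMB2 header only */
    uint32_t nt_status, process_id, tree_id, user_id;  /* user_id: SMB1 only */
    uint64_t session_id;
    const uint8_t *signature;                          /* 16 bytes, SMB2 only */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }
static uint64_t le64(const uint8_t *p) { return le32(p) | (uint64_t)le32(p + 4) << 32; }
static int has_magic(const uint8_t *m, uint8_t first) {
    return m[0] == first && m[1] == 'S' && m[2] == 'M' && m[3] == 'B';
}

/* Returns 0 and fills *info, or -1 if the payload is not a complete SMB message. */
int parse_smb_tcp_payload(const uint8_t *payload, size_t len, struct smb_info *info)
{
    memset(info, 0, sizeof *info);
    if (len < 4 || payload[0] != 0) return -1;
    /* NetBIOS Session Service header: zero byte + 24-bit big-endian length */
    size_t nb_len = (size_t)payload[1] << 16 | (size_t)payload[2] << 8 | payload[3];
    if (nb_len < 4 || nb_len > len - 4) return -1;     /* claims more than was captured */
    const uint8_t *m = payload + 4;

    if (has_magic(m, 0xfd)) {                          /* SMB2 TRANSFORM_HEADER, 52 bytes */
        if (nb_len < 52) return -1;
        info->kind = SMB3_ENCRYPTED;                   /* body is ciphertext: only SessionId is readable */
        info->session_id = le64(m + 44);
        return 0;
    }
    if (has_magic(m, 0xff)) {                          /* SMB1 header, 32 bytes */
        if (nb_len < 32) return -1;
        info->command = m[4];          info->nt_status = le32(m + 5);
        info->tree_id = le16(m + 24);  info->process_id = le16(m + 26);
        info->user_id = le16(m + 28);
        info->kind = (m[4] == 0x72) ? SMB1_NEGOTIATE : SMB_OTHER;
        return 0;
    }
    if (has_magic(m, 0xfe)) {                          /* SMB2 header, 64 bytes */
        if (nb_len < 64 || le16(m + 4) != 64) return -1;
        info->credit_charge = le16(m + 6);   info->nt_status = le32(m + 8);
        info->command = le16(m + 12);        info->credit_request = le16(m + 14);
        info->process_id = le32(m + 32);     info->tree_id = le32(m + 36);
        info->session_id = le64(m + 40);     info->signature = m + 48;
        switch (info->command) {
        case 0:  info->kind = SMB2_NEGOTIATE;     break;
        case 1:  info->kind = SMB2_SESSION_SETUP; break;
        case 3:  info->kind = SMB2_TREE_CONNECT;  break;
        default: info->kind = SMB_OTHER;          break;
        }
        return 0;
    }
    return -1;
}

/* Constructed header-only messages (request bodies omitted). */
static const uint8_t SAMPLE_SMB2_SESSION_SETUP[] = {
    0x00,0x00,0x00,0x40,                                            /* NetBIOS length 64 */
    0xfe,'S','M','B', 0x40,0x00, 0x01,0x00, 0x00,0x00,0x00,0x00,   /* size 64, credit charge 1, status 0 */
    0x01,0x00, 0x7f,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, /* cmd 1, credits 127, flags, next */
    0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,                        /* MessageId 2 */
    0xff,0xfe,0x00,0x00, 0x00,0x00,0x00,0x00,                       /* ProcessId 0xfeff, TreeId 0 */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,                        /* SessionId 0 (not yet assigned) */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0                                 /* Signature */
};
static const uint8_t SAMPLE_SMB1_NEGOTIATE[] = {
    0x00,0x00,0x00,0x20,                                            /* NetBIOS length 32 */
    0xff,'S','M','B', 0x72, 0x00,0x00,0x00,0x00, 0x18, 0x53,0xc8, 0x00,0x00,
    0,0,0,0,0,0,0,0, 0x00,0x00, 0x00,0x00, 0x2f,0x4b, 0x00,0x00, 0x00,0x00
};
static const uint8_t SAMPLE_SMB3_ENCRYPTED[] = {
    0x00,0x00,0x00,0x34,                                            /* NetBIOS length 52 */
    0xfd,'S','M','B', 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,              /* Signature */
    2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,                                /* Nonce */
    0x40,0x00,0x00,0x00, 0x00,0x00, 0x01,0x00,                      /* OriginalMessageSize, Reserved, Flags */
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08                         /* SessionId */
};
```

The NetBIOS length is checked against the captured length before the SMB header is touched, so a message that claims more bytes than the capture holds is rejected instead of read past the end. For Encrypted SMB3 the only plaintext field is the session identifier, which is why that row type can carry no command, status or tree information.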

Live Capturing of Packets vs Captured packets

Live capturing is done while we are using the internet: the packets being sent and received by the network are captured by our code as they pass. We have to capture the packets live and then decipher them based on their protocols. In the main function the following code is required for live capturing:

pcap_t *handle;

handle = pcap_open_live(device, snap_length, 0, 1024, error_buffer);

where snap_length is how many bytes to capture from each packet, the third argument (0) turns promiscuous mode off, 1024 is the read timeout in milliseconds and error_buffer receives the error message if the device cannot be opened.

Captured packets are packets already captured from a network, either your own or someone else’s, since a capture can be stored and sent to anyone in .pcap file format. These packets are loaded by our code and then deciphered based on their protocols. In the main function the following code is required to decipher already captured packets:

pcap_t *handle = pcap_open_offline("name_of_your_file.pcap", error_buffer);

where pcap_open_offline opens the file whose name you have written in the quotes and returns the handle.
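To show what pcap_open_offline() actually reads, and why snap_length matters to every parser downstream, here is an added example (not the author's sniffer, and not using libpcap) that walks a classic pcap file held in memory by hand: the 24-byte global header gives the snaplen and link type, and each 16-byte record header gives the captured length (incl_len) and the original length (orig_len). A record whose incl_len is smaller than orig_len was cut by snap_length, and incl_len is the only safe bound for parsing that record. The names walk_pcap, struct pcap_stats, count_full_ethernet and SAMPLE_PCAP are my own assumptions, and the file bytes are constructed.

```c
/* Added example, not the author's sniffer and not libpcap: walk a classic pcap
 * file held in memory, using the global header's snaplen and each record's
 * captured length (incl_len) so no parser reads past the bytes that exist.
 * This is the same data pcap_open_offline() hands back, read by hand; the file
 * bytes here are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct pcap_stats { uint32_t snaplen, linktype; unsigned packets, truncated; size_t bytes_captured; };

/* Per-packet callback: caplen is the only safe upper bound for parsing. */
typedef void (*pcap_packet_cb)(const uint8_t *data, size_t caplen, size_t origlen,
                               uint32_t ts_sec, uint32_t ts_usec, void *ctx);

static uint32_t rd32(const uint8_t *p, int big_endian) {
    return big_endian ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
                      : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}

/* Returns 0 on a well-formed file, -1 on bad magic, corrupt lengths or a cut-off record. */
int walk_pcap(const uint8_t *file, size_t size, struct pcap_stats *st, pcap_packet_cb cb, void *ctx)
{
    static const uint8_t MAGIC_LE[4] = {0xd4, 0xc3, 0xb2, 0xa1};   /* 0xa1b2c3d4 little-endian */
    static const uint8_t MAGIC_BE[4] = {0xa1, 0xb2, 0xc3, 0xd4};
    int be;
    memset(st, 0, sizeof *st);
    if (size < 24) return -1;                                        /* 24-byte global header */
    if (memcmp(file, MAGIC_LE, 4) == 0) be = 0;
    else if (memcmp(file, MAGIC_BE, 4) == 0) be = 1;
    else return -1;           /* pcapng and nanosecond-magic variants are not handled here */
    st->snaplen = rd32(file + 16, be);
    st->linktype = rd32(file + 20, be);
    size_t off = 24;
    while (off + 16 <= size) {                                       /* 16-byte record header */
        uint32_t ts_sec = rd32(file + off, be), ts_usec = rd32(file + off + 4, be);
        uint32_t incl = rd32(file + off + 8, be), orig = rd32(file + off + 12, be);
        off += 16;
        if (incl > st->snaplen || incl > size - off) return -1;      /* lies about its length */
        if (incl < orig) st->truncated++;                            /* snaplen cut this packet */
        st->packets++;
        st->bytes_captured += incl;
        if (cb) cb(file + off, incl, orig, ts_sec, ts_usec, ctx);
        off += incl;
    }
    return off == size ? 0 : -1;                                     /* trailing partial header */
}

/* Example callback: count records that hold at least a full 14-byte Ethernet header. */
static void count_full_ethernet(const uint8_t *d, size_t caplen, size_t orig,
                                uint32_t s, uint32_t us, void *ctx)
{
    (void)d; (void)orig; (void)s; (void)us;
    if (caplen >= 14) (*(unsigned *)ctx)++;
}

/* Constructed little-endian file: version 2.4, snaplen 20, linktype 1 (Ethernet),
 * two records dated 2019-07-01 00:00:00 UTC; the second was cut from 100 to 20 bytes. */
static const uint8_t SAMPLE_PCAP[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0, 0x14,0,0,0, 0x01,0,0,0,
    0x00,0x4d,0x19,0x5d, 0,0,0,0, 0x0a,0,0,0, 0x0a,0,0,0,        /* record 1: 10 of 10 bytes */
    1,1,1,1,1,1,1,1,1,1,
    0x00,0x4d,0x19,0x5d, 0x01,0,0,0, 0x14,0,0,0, 0x64,0,0,0,     /* record 2: 20 of 100 bytes */
    2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2
};

int main(void)
{
    struct pcap_stats st; unsigned full = 0;
    if (walk_pcap(SAMPLE_PCAP, sizeof SAMPLE_PCAP, &st, count_full_ethernet, &full) != 0) return 1;
    printf("snaplen=%u linktype=%u packets=%u truncated=%u captured=%zu full_eth=%u\n",
           st.snaplen, st.linktype, st.packets, st.truncated, st.bytes_captured, full);
    return 0;
}
```

The same rule carries over to live capture: the caplen that libpcap reports for each packet is bounded by the snap_length passed to pcap_open_live(), so a protocol decoder that trusts the length fields inside the packet instead of caplen will read beyond the captured buffer on any packet longer than snap_length.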


For the full sniffer on a live network deciphering the above protocols, visit https://github.com/lonesomebronco/Packet-Sniffers/blob/master/CompleteLiveSniffer.c
