Tcpdeepdive 11739304912698

The document outlines a training session on TCP/IP using Wireshark, targeting NetOps and SecOps professionals. It covers core skills in packet capturing, TCP basics including the handshake and retransmissions, and techniques for threat hunting. The session includes practical labs to reinforce learning about Wireshark setup, display filters, and TCP functionalities.

Uploaded by kevinkevin7179

TCP/IP Deep Dive with Wireshark
For NetOps and SecOps
Links and Things - Chris
• Wireshark Analyst/Instructor
• Training Partner – Wireshark University
• Speaker at DEF CON / Sharkfest
• YouTube Channel – youtube.com/chrisgreer
[email protected]
What will we learn?
• Segment 1: Core Skills
  • Capturing Packets, Where, How, When?
  • Basic Display Filters
  • Configuring a Profile
• Segment 2: TCP Basics
  • The Handshake
  • Sequence/Ack Numbers
  • Retransmissions
• Segment 3: TCP – A little deeper
  • MSS vs MTU
  • Options – Zero Windows
  • Measuring App Performance
• Segment 4: Hunting for Threats
  • Analyzing Scan Activity
  • Filtering for Reconnaissance
  • Malware Analysis
Welcome Protocol Analysts!
What is Wireshark?

The most popular protocol analyzer in the world

Wireshark
• Written by Mr. Gerald Combs as a weekend project in the 90’s
• Now – over one million downloads per month
• Supported by a group of volunteer developers from all over the world
Capture It Well – Where?
Where can we capture?

IDS/IPS
Capture it Well – Direct Capture on Endpoints

Any Pros/Cons?
Capture it Well – SPAN/Mirror Port

Any Pros/Cons?
Capture it Well – Tap/Inline Device

Any Pros/Cons?
Capture it Well – Multi-Point Captures

Any Pros/Cons?
Enough Talking
Lab 1 – IntrotoWireshark.pcapng
Enough Talking - Wireshark Setup
Use Lab 1 – IntrotoWireshark.pcapng

Learn profiles, columns, buttons, coloring rules, and filter buttons.

Ethernet Frame

Layout: D | S | Type | Data | FCS

• Destination Address – 6 byte MAC address
• Source Address – 6 byte MAC address
• Ethertype Field – 2 byte field, identifies the next protocol
• Data – the data portion of the packet, 46 to 1500 bytes depending on contents
• Frame Check Sequence (FCS) – 4 byte checksum field
IP Header

Layout: D | S | Type | Version/Length | Diffsrv | Length | ID | Flags | TTL | Protocol | Checksum | Src | Dest | Data | CRC

• IP Version and Header Length – 1 byte field
• Diff Serv – 1 byte field
• Total Length – 2 byte field
• Identification Field – 2 byte field
• Fragmentation Flags – 2 byte field
• Time to Live – 1 byte field
• Protocol Identification – 1 byte field
• Header Checksum – 2 byte field
• Source IP Address – 4 byte field
• Destination IP Address – 4 byte field
Enough Talking - Wireshark Setup
IP Demo – Use IntrotoWireshark.pcapng
Display Filters
Time to learn how to focus on the right packets.
Know The Fundamentals – Display Filters

Filter Type            Display Filter
IPv4 Address           ip.addr==10.0.0.1
IPv4 Source            ip.src==10.0.0.1
IPv4 Range (Subnet)    ip.addr==10.0.0.0/24
TCP Port               tcp.port==80
TCP SYNs               tcp.flags.syn==1
Wireshark Will Help You
Operators in Filters

==   eq
!    not
||   or
&&   and
>    gt
<    lt

Example: ip.addr eq 192.168.1.1 && tcp

Special Filters
• contains (exact string): frame contains "google"
• matches (regex): http.host matches "\\.(org|com|net)"
• in {range}: tcp.port in {80,443,8000..8004}
Just right-click, it’s easier
Demo right-clicking
Enough Talking
Lab 2 – DisplayFilters.pcapng
Transmission Control Protocol
Know The Fundamentals – TCP

Transmission Control Protocol

OSI layers, shown for both the sending and the receiving host:
• APPLICATION
• PRESENTATION
• SESSION
• TRANSPORT
• NETWORK
• DATA LINK
• PHYSICAL
Know The Fundamentals – TCP

Layout: D | S | Type | IP | Src | Dest | Seq | Ack | Header Length | Flags | Win Size | Checksum | Data | CRC

• IP Header – 20 Bytes
• Source TCP Port
• Dest TCP Port
• Sequence Number
• Ack Number
• TCP Header Length
• Flags
• RX Window Size
• TCP Checksum
TCP Handshake

TCP SYN

SYN / ACK

ACK
Handshake Walkthrough
Use Lab 1 – IntrotoWireshark.pcapng
Now Your Turn
Lab 3 – TCP Handshake.pcapng
Closing Connections – Polite Shutdown

TCP FIN

ACK

TCP FIN

ACK
Closing Connections – Abrupt Shutdown

DATA

ACK

DATA

TCP Reset
TCP Resets
• Resets can be caused by:
  • User clicking Stop on their web browser.
  • The destination device receiving out of sequence TCP frames over a period of time.
  • The destination host is not listening to the destination port.
  • Normal operation depending on the OS.
Now Your Turn
Lab 3.1 – ClosingConnections.pcapng
Sequence and ACK Numbers

Exchange between two hosts, A and B:
• A → B: DATA – 100 Bytes (Seq: 0, Ack: 0)
• B → A: ACK – No Data (Seq: 0, Ack: 100)
• A → B: DATA – 100 Bytes (Seq: 100, Ack: 0)
• B → A: DATA – 500 Bytes (Seq: 0, Ack: 200)
• A → B: ACK – No Data (Seq: 200, Ack: 500)
Demo
Lab 3.2-TCP_Seq_ACK.pcapng
Time Based Retransmissions
• Packet 1
• Packet 2
• Ack packet 1
• (retransmission timer expires)
• Packet 2 (retransmitted)
• Ack packet 2

Fast Retransmissions
• Dup ACK (SACK)
• Dup ACK (SACK)
• Dup ACK (SACK)
• Fast Retransmission (sent before the retransmission timer expires)
Enough Talking
Lab 4 – TCPRetransmissions.pcapng
Enough Talking
Lab 5 – SelectiveACKs.pcapng
TCP Receive Window
• The TCP Window is like a receive buffer.
• When the window drops to 0, no more data can be sent to the receiver.

Zero Windows
• Data – 1460 Bytes
• Data – 1460 Bytes
• ACK – Win 2,920
• Data – 1460 Bytes
• Data – 1460 Bytes
• ACK – Win 0
What Causes a TCP Zero Window?

• Stuck process
• Too many tabs open on browser
• Internal application issue
• Faster ingress than application can handle
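The seq/ack arithmetic, the dup-ACK / fast-retransmission distinction and the zero-window condition from the slides above, as an added example that is not part of the course material: a small checker over a constructed segment list (captured at sender A, relative sequence numbers as Wireshark shows them). The dup-ACK and retransmission rules approximate Wireshark's expert-info heuristics and are this example's assumptions, not Wireshark's code.

```python
from collections import defaultdict

# Constructed sample stream captured at sender A, relative seq numbers.
# Fields: (direction, seq, ack, payload_len, flags, window)
SEGMENTS = [
    ("A>B", 0, 0, 100, "PA", 65535),     # A sends 100 bytes
    ("B>A", 0, 100, 0, "A", 65535),      # B acks them
    ("A>B", 100, 0, 100, "PA", 65535),   # A sends 100 more
    ("B>A", 0, 200, 500, "PA", 65535),   # B sends 500 bytes, acks 200
    ("A>B", 200, 500, 0, "A", 65535),    # A acks B's data
    ("A>B", 200, 500, 100, "PA", 65535), # this segment is lost in transit
    ("A>B", 300, 500, 100, "PA", 65535),
    ("B>A", 500, 200, 0, "A", 65535),    # B still wants 200: dup ACK #1
    ("A>B", 400, 500, 100, "PA", 65535),
    ("B>A", 500, 200, 0, "A", 65535),    # dup ACK #2
    ("A>B", 500, 500, 100, "PA", 65535),
    ("B>A", 500, 200, 0, "A", 65535),    # dup ACK #3 triggers fast retransmit
    ("A>B", 200, 500, 100, "PA", 65535), # retransmission of the lost bytes
    ("B>A", 500, 600, 0, "A", 0),        # B's receive buffer is full
]


def analyze(segments):
    """Return (index, note) findings for dup ACKs, retransmissions, zero windows."""
    next_seq = defaultdict(int)  # per direction: highest seq + len seen so far
    last_ack = {}                # per direction: (ack, window) of previous segment
    dup_acks = defaultdict(int)  # per direction: consecutive dup ACK count
    findings = []
    for i, (d, seq, ack, length, flags, win) in enumerate(segments):
        rev = d[::-1]            # the opposite direction, e.g. "A>B" -> "B>A"
        if win == 0 and "R" not in flags:
            findings.append((i, "zero window"))
        # Dup ACK: no payload, no SYN/FIN, same ack and window as the last one.
        if length == 0 and not {"S", "F"} & set(flags) and last_ack.get(d) == (ack, win):
            dup_acks[d] += 1
            findings.append((i, f"dup ACK #{dup_acks[d]} for {ack}"))
        elif last_ack.get(d, (None, None))[0] != ack:
            dup_acks[d] = 0      # a new ack number ends the dup ACK run
        last_ack[d] = (ack, win)
        # Retransmission: payload lies entirely below what this side already sent.
        if length and seq + length <= next_seq[d]:
            kind = "fast" if dup_acks[rev] >= 3 else "timer-based"
            findings.append((i, f"{kind} retransmission of seq {seq}"))
        else:
            next_seq[d] = max(next_seq[d], seq + length)
    return findings
```

Calling analyze(SEGMENTS) lists the three dup ACKs, the fast retransmission of seq 200 and the final zero window; a repeated segment with no dup ACKs from the peer is reported as timer-based instead.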
Enough Talking
Lab 6 – TCP Window Problems.pcapng
Enough Talking
Lab 7 – SYNScan.pcapng
Enough Talking
Lab 8 – OSFingerprint.pcapng
TCP Deep Dive with Wireshark