
1st International Conference of Recent Trends in Information and Communication Technologies

Detecting Threats in Network Security by Analyzing Network Packets using Wireshark

Abdulalem Ali *, Arafat Al-Dhaqm, Shukor Abd Razak

Faculty of Computing, University Technology of Malaysia

Abstract

Nowadays it is very important to maintain a high level of security to ensure safe and trusted communication of information between various organizations. Computer networks have kept growing in size, complexity and, above all, in the number of their users, and they are in permanent evolution. Hence, packet sniffers are useful for analyzing network traffic over wired or wireless networks. In this paper, the network protocol analyzer Wireshark has been used to capture data from the Center of Information and Communication Technology (CICT) network traffic at Universiti Teknologi Malaysia. These data serve as a sample to be tested with Wireshark. The data packets obtained are of two kinds: malware and non-malware. The aim of this paper is to analyze these data in order to help the network administrator monitor any abnormal behaviour in the network and log it. The information was gathered from CICT and the data were analyzed using a matching algorithm. The results have high implications for the analysis of networks and significantly increase the capability of network security to detect any threats that violate system security.

Keywords: Matching Algorithm; Network Security; Wireshark.

1. Introduction
Packet sniffing is a technique for monitoring every packet that crosses the network. A packet sniffer is the best open source software available for monitoring network traffic. The security threat presented by sniffers is their ability to capture all incoming and outgoing traffic, including clear-text passwords and usernames or other sensitive material. A sniffer is a program running on a network-attached device that passively receives all data link layer frames passing through the device's network adapter. It is also known as a network or protocol analyzer or Ethernet sniffer. The packet sniffer captures the data that is addressed to other machines, saving it for later analysis. It can be used legitimately by a network or system administrator to monitor and troubleshoot network traffic, either in a local area network or on a host system [1]. In this paper, the network protocol analyzer Wireshark has been used to capture data from CICT network traffic. These data serve as a sample to be tested with Wireshark. The data packets obtained are of two kinds: malware and non-malware.

*Corresponding author: almaldolah2012@gmail.com

IRICT 2014 Proceeding


12th -14th September, 2014, Universiti Teknologi Malaysia, Johor, Malaysia
Abdulalem Ali et. al. /IRICT (2014) 508-515 509

The aim of this study is to analyze these data in order to help the network administrator monitor any abnormal behaviour in the network and log it. The information was gathered from CICT and the data were analyzed using open source tools. The rest of this paper is structured as follows. Section 2 presents tools for traffic analysis. Section 3 explains the principle of a network sniffer. Section 4 describes the implementation of a network sniffer. Section 5 presents the methodology and Section 6 the results. Finally, the conclusion is presented in Section 7.

2. Tools For Traffic Analysis

Wireshark

Previously known as Ethereal, Wireshark, as it is currently known, is a packet analyzer employed in analyzing and troubleshooting networks. The change of name was made in May 2006 because of a trademark issue. Wireshark captures packets by means of pcap. It is cross-platform, capable of running on various Unix-like operating systems as well as Windows and Solaris. In Wireshark, not only the traffic destined for the address assigned to the particular interface can be seen; all traffic on the segment is visible [2]. This is possible because the user can put the interface into promiscuous mode.

Figure 1: Wireshark tool.


Wireshark makes it possible for the user to capture packets moving across the whole network on a given interface at a time. The capture tool is one of the basic tools. The user is able to carry out packet capture using the capture menu, which has a number of options to choose from depending on the desired analysis. It is also possible for the analyst to set filters so that unwanted traffic is avoided during the capture [3]. Wireshark, however, has a limitation in that it does not possess intrusion detection capability. The user gets no warning when an intruder tampers with something on the network, and Wireshark does not exercise control over the network. Space consumption is quite high: its 18MB installation file takes up to 81MB and 449MB respectively on Windows and Linux [4]. However, the Wireshark GUI is quite user friendly.

Soft Perfect Network Protocol Analyzer (SPNPA)

This is an advanced, professional analyzer. It analyzes data passing through a dial-up connection or the Ethernet card and presents it in comprehensible form. It is a practical tool for network personnel or any user requiring a broad picture of their network traffic. SPNPA results are very easy to understand, and it also allows defragmentation of network packets and their reassembly into streams.

CAPSA

This is an indispensable tool for network administrators. It is freeware, designed for personal use or small business, and useful for network monitoring, diagnosis and troubleshooting. Packet capturing is real-time, forensics is reliable, monitoring is on a 24/7 basis, protocol analysis is advanced and packet decoding is in-depth.

3. Principle of Network Sniffer


A network sniffer uses the local media; the data transmitted can be detected by any computer system. A data frame is received by each computer's Ethernet network adapter, which accepts either a data frame that matches its own hardware address or a broadcast frame. For these two data frame types the Ethernet network adapter passes the data to upper-layer processing, whereas it discards the other types of frames. In promiscuous mode, the adapter can accept the data transmitted in the whole segment and transfer all of it to the OS for further treatment. Data transmitted within the shared network can thus be detected by a network sniffer, as shown in Figure 2 [5].

Figure 2: Implementation of Network Sniffer

4. Implementation Of Network Sniffer

For network data collection, the network detector is set up in the physical segment and linked to the export routers of the network. In this way, detection of all packets in the network is possible. NIC0 and NIC1 are the two adapters with which the network detector host is configured. While the former serves as the communication interface, the latter is set to promiscuous mode and linked to the router at the same hub, as shown in Figure 3.

Figure 3: Model of the Network Sniffing.

Packet Sniffer

A packet sniffer 'sniffs' information passing through a system and stores/presents the content of the fields in this message. It is the tool for monitoring communication between protocol entities. It is a passive tool, only observing communication without being responsible for initiating it; the packets it receives are also not directly addressed to it, it only receives copies. The typical packet sniffer set-up is shown in Figure 4. The protocols (IP) and applications are on the right. The sniffer is represented by the rectangular broken line. It is a mere addition to the regular computer software. It is made up of the packet capture library and the packet analyzer. The packet capture library receives a copy of the information (link-layer frame) transmitted over the computer; information from higher-layer protocols, e.g. DNS, HTTP, etc., is encapsulated in link-layer frames transmitted through the physical media.

Figure 4: Packet Sniffer Structure


The packet analyzer is the other component of the sniffer. It is responsible for displaying the contents of all fields in a protocol communication. To be able to do this, it must have an understanding of the structure of protocol communication. For example, suppose we intend to display the component fields of communication on the HTTP protocol. The packet analyzer can identify the IP datagram format by comprehending the Ethernet frame format. It is also able to extract the TCP segment within the datagram. It also comprehends the HTTP protocol and is able to identify the content of the first bytes of an HTTP message.
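As an added illustration of the layered decoding just described (this is example code, not code from the paper or from Wireshark), the following Python dissects a constructed Ethernet/IPv4/TCP frame and recognises the HTTP start line from the first bytes of the TCP payload; the MAC addresses, IP addresses, ports and request line are constructed sample values.

```python
import struct

def build_frame(payload: bytes) -> bytes:
    """Constructed sample Ethernet/IPv4/TCP frame carrying `payload` (not a real capture)."""
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, proto=6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # Ethernet header: dst MAC, src MAC, EtherType 0x0800 (IPv4)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp

def dissect(frame: bytes) -> dict:
    """Walk the frame layer by layer: Ethernet -> IPv4 -> TCP -> first bytes of HTTP."""
    info = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != 0x0800:            # only IPv4 is decoded here
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                   # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.update(proto=ip[9],
                src=".".join(map(str, ip[12:16])),
                dst=".".join(map(str, ip[16:20])))
    if info["proto"] != 6:                     # not TCP: stop at the IP layer
        return info
    tcp = ip[ihl:total_len]
    info["sport"], info["dport"] = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]         # TCP data offset is in 32-bit words
    info["payload"] = payload
    # Application layer: recognise HTTP from the first bytes of the segment payload
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"HTTP"):
        info["http_start_line"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return info

if __name__ == "__main__":
    frame = build_frame(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
    print(dissect(frame))
```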

5. Methodology

Data are sent by computers through the network in the form of packets. These packets are groups of data directed to a certain designated system. In reality, most data sent through the network need to be predefined before being sent to the destination, and all the data go directly to a particular computer. There are many examples of packet sniffing software available on the internet for free that can be run on different platforms, including Windows and Linux. In our experiment, the Wireshark network analyzer is the one used to sniff network traffic in the CICT department. This traffic data will be examined and compared with one pattern or signature in order to find any abnormal pattern in the data. Two kinds of data have been obtained, one malware and the other non-malware. We are going to test these data using one software tool to analyze them.

A. Sniffing Process
Here we briefly describe the sniffing process and our analysis implemented with the Wireshark software. The following steps describe the sniffing process, based on [6]:
- The packet sniffer collects raw binary data from the wire. Typically, this is done by switching the selected network interface into promiscuous mode.
- The captured binary data is converted into a readable form.
- The captured and converted data is analyzed. The packet sniffer takes the captured network data, verifies its protocol based on the information extracted, and begins its analysis of these protocols for specific features.

6. Results
The data packets were obtained from the CICT department. These data packets had already been captured from the network by Wireshark. The data can be classified into two types, malware and non-malware. The data packets were compared with a signature using one software tool implemented via a matching algorithm, which gives us the analysis parameters. This software can be used to compare the payload data for the selected protocol with a particular pattern, as shown in Figure 5. In our experiment, we used the TCP payload string and compared it with a small-sized pattern. In each trial we compared around five packets with a specific pattern or signature.

Figure 5: Packet Comparison Software Implemented by Matching Algorithm



In Figure 5 above, there are two input fields. The first one is the load pattern input, where the specific signature pattern is typed in; the second is the load string input, into which one or more packets are inserted to compare with the pattern. After we have inserted the two inputs, we press the quick search algorithm button to get the following parameters from the software.
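The comparison tool reports two parameters per trial, the number of comparisons and the total search time. The Python below is an added example, not the authors' tool, that produces the same two parameters for a batch of TCP payloads matched against one signature; it assumes the "quick search" button refers to Sunday's Quick Search algorithm, and the payloads and the signature are constructed sample values.

```python
import time

def quick_search(text: bytes, pattern: bytes):
    """Sunday's Quick Search: returns (match offsets, number of byte comparisons made)."""
    n, m = len(text), len(pattern)
    if m == 0 or m > n:
        return [], 0
    # Shift table: after a window fails, jump by the distance of the byte just past
    # the window from its rightmost position in the pattern (m + 1 if absent).
    shift = {c: m - i for i, c in enumerate(pattern)}
    matches, comparisons, pos = [], 0, 0
    while pos <= n - m:
        j = 0
        while j < m:
            comparisons += 1
            if text[pos + j] != pattern[j]:
                break
            j += 1
        if j == m:
            matches.append(pos)
        if pos + m >= n:            # no byte past the window: nothing left to shift on
            break
        pos += shift.get(text[pos + m], m + 1)
    return matches, comparisons

def compare_payloads(payloads, signature: bytes):
    """One trial as in the paper: a batch of TCP payloads against a single signature.
    Returns (total comparisons, indices of payloads containing the signature, elapsed seconds)."""
    start = time.perf_counter()
    total, hits = 0, []
    for idx, payload in enumerate(payloads):
        found, count = quick_search(payload, signature)
        total += count
        if found:
            hits.append(idx)
    return total, hits, time.perf_counter() - start

# Constructed sample payloads: ordinary HTTP traffic plus one carrying a test marker.
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>",
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\nTEST-MARKER-0001 payload",
    b"GET /style.css HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"HTTP/1.1 404 Not Found\r\n\r\n",
]
SIGNATURE = b"TEST-MARKER-0001"   # constructed signature, not a real malware pattern

if __name__ == "__main__":
    total, hits, elapsed = compare_payloads(SAMPLE_PAYLOADS, SIGNATURE)
    print(f"comparisons={total} hits={hits} total_search_time={elapsed:.6f}s")
```

The comparison count depends only on the data and the signature, whereas the elapsed time varies between runs, which is why the paper's tables report the two separately.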

First Testing using Malware Data Packets:

We have two types of data packets obtained from the CICT organization, so our experiment is implemented in two stages. The first test deals with malware packets. Table 1 shows the malware package comparisons.

Table 1. Number of Comparison Packets using Matching Algorithm

No. Comparison   Total Search Time   No. Comparison   Total Search Time
537              0.047               608              0.034
606              0.047               343              0.0411
236              0.031               265              0.011

In the above table, the data packets were tested three times. In the first comparison, we used five TCP packets to compare with the signature (specific pattern). We observed that the number of comparisons is 537 and the time consumed is 0.047. In the second comparison, we used six data packets, and we observed that the number of comparisons increased while the time stayed stable. In the third comparison, we decreased the data packets to four; therefore we found that the number of comparisons decreased as well and the total search time also decreased.

[Chart: "Malware Testing Packet"; x-axis groups: No. Comparison and Total Search Time; Series1 to Series3 plot the three trials of Table 1 (comparisons 537/606/236 and 608/343/265, search times 0.047/0.047/0.031 and 0.034/0.0411/0.011).]

Figure 6: Malware Testing Payload using Matching Algorithm

We have observed from Figure 6 that the graph always starts from the total search time. The first line, the red line, indicates that the maximum number of comparisons reaches more than 1000, and the second line, the blue line, reaches less than 600. The minimum number of comparisons is represented by the green line, which indicates the lowest number, 236.

Second Testing using Non-Malware Data Packets:

The second test in our experiments used non-malware data packets for comparison with the specific pattern. Table 2 shows the non-malware package comparisons using the matching algorithm.

Table 2. Non-Malware packages Comparisons using Match Algorithm

No. Comparison   Total Search Time   No. Comparison   Total Search Time
343              0.031               963              0.0359
780              0.047               1046             0.0391
870              0.063               1160             0.0453

In the first comparison, we used five data packets; in the second comparison we used six packets at one time; and in the third comparison we used four packets, in order to compare with the specific pattern.

[Chart: "Non-Malware Testing Packet"; Series1 to Series3 plot the three trials of Table 2 (comparisons 343/780/870 and 963/1046/1160, search times 0.031/0.047/0.063 and 0.0359/0.0391/0.0453).]

Figure 7: Non-Malware Packages Testing using Matching Algorithm

Figure 7 shows three lines. The green line indicates the maximum number of comparisons, and the time consumed was about 0.0453. It is followed by the red line, which represents the second highest number after the green line, with a total search time of around 0.0391. The third line is the blue line, which indicates the lowest number of comparisons and the lowest time consumed. We observed that the highest point was 1160 and the lowest point was 343.

7. Conclusion
One of the significant methods in network security nowadays is to use a network traffic analyzer in order to reveal any abnormal behaviour in the data transferred over the network. Network analyzer tools can be used to monitor and troubleshoot the network. Network administrators not only use these tools to fix any violation in the network system but also to avoid network failure and detect security vulnerabilities. A network sniffer is one of the passive attacks that can sniff the traffic and analyze it. Unlike network sniffing, a sniffer detector is a tool that can discover any sniffing attack on the network and prevent it. Sniffing network traffic is an illegitimate process unless it is used for security purposes. Two types of data analysis have been tested, for malware and non-malware packets. Comparisons between packets have been made using different techniques depending on what the administrator wants. The results showed that when we used small-sized patterns to compare within a group of more than five packets, it gave us more satisfying results and made network analysis more efficient.

References
[1] Ansari, S., Rajeev, S.G., Chandrasekhar, H.S., "Packet Sniffing: A Brief Introduction", IEEE Potentials, Vol. 21, No. 5, pp. 17-19, Jan. 2003.
[2] Dabir, A., Matrawy, A., "Bottleneck Analysis of Traffic Monitoring Using Wireshark", 4th International Conference on Innovations in Information Technology (IEEE Innovations '07), 18-20 Nov. 2007, pp. 158-162 (2007).
[3] Dulal, C., et al., "Ethereal vs. tcpdump: A comparative study on packet sniffing tools for educational purpose", Journal of Computing Sciences in Colleges, Vol. 20, No. 4, pp. 169-176 (2005).
[4] All about Wireshark [Online]. Available: http://www.wireshark.org/.
[5] Lida, Z., Jiguang, L., "The Analysis of Technology in Detection and Undetection with Network Sniffer", Journal of Zhongnan University for Nationalities, No. 9, 2003 (in Chinese).
[6] BoYu, "Based on the network sniffer implement network monitoring", International Conference on Computer Application and System Modeling (ICCASM 2010), Vol. 7, pp. V7-1 to V7-3, IEEE (2010).
