Page 104 - Hacker Highschool eBook
LESSON 7 – ATTACK ANALYSIS
Note: If Ethereal reports no network activity at all, you may have the wrong network interface
chosen. Go to the Interface drop-down list in the Capture Options screen and choose a
different network interface.
7.2.2 Decoding Network Traffic
Now that you can see the network data that's moving through your computer, you have to
figure out how to decode it.
In Ethereal, the first step, before you even end the capture session, is to look at the summary
capture screen that the program displays while it is performing the capture. For our web
browsing session, most of the packets should have been TCP packets (although if you
stopped to watch a streaming video, your UDP packet count will be higher). However, if
you're capturing a simple web browsing session and you see a large number of ARP or
ICMP packets, that could indicate a problem.
After you've ended the capture session, you're going to see output similar to this:
No. Time Source Destination Protocol Info
1 0.000000 257.10.3.250 rodan.mozilla.org TCP 1656 > 8080 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
2 0.045195 257.10.3.250 rheet.mozilla.org TCP 1657 > http [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
3 0.335194 rheet.mozilla.org 257.10.3.250 TCP http > 1657 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
4 0.335255 257.10.3.250 rheet.mozilla.org TCP 1657 > http [ACK] Seq=1 Ack=1 Win=17520 Len=0
5 0.338234 257.10.3.250 rheet.mozilla.org HTTP GET /products/firefox/start/ HTTP/1.1
6 0.441049 rheet.mozilla.org 257.10.3.250 TCP http > 1657 [ACK] Seq=1 Ack=580 Win=6948 Len=0
7 0.441816 rheet.mozilla.org 257.10.3.250 HTTP HTTP/1.1 304 Not Modified
8 0.559132 257.10.3.250 rheet.mozilla.org TCP 1657 > http [ACK] Seq=580 Ack=209 Win=17312 Len=0
10
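To put the two checks above into practice (the protocol mix from the summary screen, and picking the three-way handshake and HTTP exchange out of the decoded rows), here is an added Python example that is not part of the Hacker Highschool lesson. It parses summary lines in the same column layout as the listing above; the sample rows are constructed copies of that listing, and the 30% ARP/ICMP threshold is an assumed value, not one the lesson gives.

```python
import re
from collections import Counter
# Constructed sample in the summary layout above; 257.x is the book's placeholder address.
SAMPLE = """\
No. Time Source Destination Protocol Info
1 0.000000 257.10.3.250 rodan.mozilla.org TCP 1656 > 8080 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
2 0.045195 257.10.3.250 rheet.mozilla.org TCP 1657 > http [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
3 0.335194 rheet.mozilla.org 257.10.3.250 TCP http > 1657 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
4 0.335255 257.10.3.250 rheet.mozilla.org TCP 1657 > http [ACK] Seq=1 Ack=1 Win=17520 Len=0
5 0.338234 257.10.3.250 rheet.mozilla.org HTTP GET /products/firefox/start/ HTTP/1.1
6 0.441049 rheet.mozilla.org 257.10.3.250 TCP http > 1657 [ACK] Seq=1 Ack=580 Win=6948 Len=0
7 0.441816 rheet.mozilla.org 257.10.3.250 HTTP HTTP/1.1 304 Not Modified
8 0.559132 257.10.3.250 rheet.mozilla.org TCP 1657 > http [ACK] Seq=580 Ack=209 Win=17312 Len=0
"""

ROW = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the "No. Time ..." header row does not match and is skipped
            rows.append({"no": int(m[1]), "time": float(m[2]), "src": m[3],
                         "dst": m[4], "proto": m[5], "info": m[6]})
    return rows

def protocol_mix(rows):
    return Counter(r["proto"] for r in rows)

def suspicious_mix(rows, threshold=0.3):
    """The lesson's red flag: ARP/ICMP making up a large share of a plain browsing capture."""
    mix = protocol_mix(rows)
    return (mix["ARP"] + mix["ICMP"]) / max(len(rows), 1) > threshold

def handshakes(rows):
    """Split TCP SYNs into completed three-way handshakes and half-open (unanswered) ones."""
    complete, half_open = [], []
    for i, r in enumerate(rows):
        if r["proto"] != "TCP" or "[SYN]" not in r["info"]:
            continue
        client_port, server_port = r["info"].split("[")[0].strip().split(" > ")
        reply = f"{server_port} > {client_port} [SYN, ACK]"
        synack = next((x for x in rows[i + 1:] if x["src"] == r["dst"]
                       and x["dst"] == r["src"] and x["info"].startswith(reply)), None)
        final = f"{client_port} > {server_port} [ACK]"
        ack = synack and next((x for x in rows if x["no"] > synack["no"]
                               and x["src"] == r["src"] and x["info"].startswith(final)), None)
        (complete if ack else half_open).append((r["src"], client_port, r["dst"], server_port))
    return complete, half_open
```

On the sample, packet 1's SYN to rodan.mozilla.org never gets a SYN/ACK within the capture and is reported as half-open, while the rheet.mozilla.org connection completes in packets 2 to 4 before the GET in packet 5.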