Differences
This shows you the differences between two versions of the page.
|
ep:labs:09:contents:tasks:ex3 [2021/12/04 13:38] andrei.mirciu created |
ep:labs:09:contents:tasks:ex3 [2021/12/07 23:16] (current) andrei.mirciu [03. [30p] Network Monitoring] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ==== 03. [40p] Network Monitoring ==== | + | ==== 03. [30p] Network Monitoring ==== |
| - | == Microsoft Network Monitoring == | + | <note warning> |
| - | For this reason, we are calling upon another tool developed by Microsoft. Install it, start it using "Run as administrator", and select the network interface through which the traffic is expected to pass (cable, wifi, ...). You should get a capture such as this one: | + | For this task we will use //**Winhttp.sln**// inside the //**Task-03**// folder. |
| + | </note> | ||
| - | <spoiler> | + | We want to check the network traffic generated by the //Winhttp.exe// file (a program that downloads //putty.exe//; it is located in the //Debug// folder, after successfully running the code). By looking at its content, it can be noticed that it makes a request to www.sociouman-usamvb.ro. |
| - | {{ :ep:laboratoare:ep5_netmon.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | == Wireshark == | + | |
| - | As in the case of the CPU, inspecting the events taking place on the network involves some amount of work for the analyst. However, this being a simple case, you can just expand the view on the traffic generated by Winhttp.exe, and notice the request for //putty.exe//. If it is not clear why some requests are there or why they last so long, you can integrate the application that you wish to investigate with ProcessMonitor. This way you can insert logging elements to find out what request are made and how long they take. The part with timing the requests and traffic can be determined straight from Network Monitor by considering the times of the packets. For displaying all traffic on a http connection (it can also be https as long as you control the server, but this in not in the scope of this tutorial), you can use another tool, [[https://www.wireshark.org/download.html | Wireshark]]. Install Wireshark (**64bit!!!**) accepting the default settings. Start it and select the interface that you want to listen to. | + | |
| <spoiler> | <spoiler> | ||
| - | {{ :ep:laboratoare:ep5_wireshark-start.jpg?400 |}} | + | As in the case of the CPU, inspecting the events that take place on the network involves some amount of work for the analyst. However, since this is a simple case, we can just expand the view on the traffic generated by //Winhttp.exe//, and notice the request for //putty.exe//. If it is still not clear why some requests are there or why they last so long, we can integrate the application that we wish to investigate with Process Monitor. This way, we can insert logging elements to find out what request are made and how long they take. Furthermore, the part with timing the requests and traffic can be determined straight from Network Monitor, by considering the times of the packets. |
| - | </spoiler> | + | </spoiler> |
| - | Click the //Start// button and run Winhttp.exe. After Winhttp.exe stops, click the Stop button in Wireshark. | + | :!: Monitor the network traffic generated by //Winhttp.exe// using **Task Manager**, **Windows Performance Recorder** and **Microsoft Network Monitor**. |
| - | <spoiler> | + | :!: Using **Wireshark**, capture all the frames generated after running this program. Is it possible to extract the conversation data from the packet exchange? Justify your answer. |
| - | {{ :ep:laboratoare:ep5_wireshark-captura.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | This way you have obtained a traffic capture while winhttp.exe was running. Viewing the code for winhttp.exe, it can be noticed that it makes a request to www.sociouman-usamvb.ro. Use the ping command to get the IP address for this url. | + | <note tip> |
| - | + | - Click the //Start// button and run //Winhttp.exe//. After //Winhttp.exe// stops, click the Stop button in Wireshark. | |
| - | <spoiler> | + | - Use the ping command to get the IP address of the previously mentioned [[http://www.sociouman-usamvb.ro/ | URL]]. |
| - | {{ :ep:laboratoare:ep5_findip.jpg?400 |}} | + | - Switch back to Wireshark and add a filter for ip.addr == <ip_address> (make sure to use the IP address identified using the ping command). |
| - | </spoiler> | + | - Right click on the **GET /documents** request and choose Follow -> TCP Stream. |
| - | + | - In the bottom part of the Wireshark window, at the "//Show and save data as//" option, choose "Raw". Save the capture using the "Save as" button. | |
| - | Switching back to Wireshark, add a filter for ip.addr = 86.106.30.115 (make sure to use the IP address identified using ping command). Right click Get documents and choose Follow TCP Stream. | + | - Use Notepad++ to open the .PDF file and remove the [[https://ocw.cs.pub.ro/courses/_media/ep/laboratoare/ep5_wireshark-extractdata.jpg?cache= | headers]] (GET request and HTTP response). |
| - | + | - Save it, close Notepad++ and double-click on the newly saved .PDF file. | |
| - | <spoiler> | + | </note> |
| - | {{ :ep:laboratoare:ep5_wireshark-captura2.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | In the bottom part of the Wireshark window, at the "//Show and save data as//" option choose "Raw". Save the capture (using the "Save as" button) as "//my.pdf//". | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_wireshark-rawdata.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | Use Notepad++ to open the my.pdf file and remove the headers as shown in the screenshot below. | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_wireshark-extractdata.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | Save it, close Notepad++ and double-click on the newly saved file (my.pdf). | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_wireshark-extractdata-result.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| <hidden> | <hidden> | ||
