What Is a Tool Extractor?
A packet capture tool is software that intercepts and views the contents of network packets. The packet capture tool, because it can capture all IP packets in the data communication process and perform layer-by-layer unpacking analysis, has always been a troubleshooting tool commonly used in traditional fixed network data communication maintenance tanks. Many: Wire shark, SnifferPro, Snoop, Tcpdump and other packet capture software interfaces, the application platform is slightly different, the basic functions are similar. [1]
- A packet capture tool is software that intercepts and views the contents of network packets. By analyzing the captured packets, you can get useful information. There are many popular packet capture tools at present, the more famous ones are wireshark, sniffer, httpwatch, iptool, etc. These packet capture tools have different functions, but the basic principles are the same. Our computer implements data transmission on the network by uploading and downloading some data packets to and from the network. Usually these data packets are processed by the software that is sent or received. Ordinary users do not ask, these data packets are not always stored on the user's computer. Packet capture tools can help us save these packets. If these packets are transmitted in clear text or we know the encryption method, then we can analyze the contents of these packets and their uses. Currently packet capture tools are more used for network security, such as finding computers infected with viruses. Sometimes it is also used to obtain the source code of the web page, to understand the methods used by the attacker, to track the attacker's IP address, and so on. [2]
- Common customer application faults in mobile packet network maintenance are divided into two categories: mobile signaling faults, data transmission, and application layer faults.
- Common data communication analysis functions of packet capture tools are:
- 1. TCP / UDP / ICMP and other message interaction process analysis
- This is the most basic function of the packet capture tool and will not be described in detail here.
- 2.Data packet transmission delay analysis
- The packet capture tool supports recording the time point of each captured message, and also supports the time difference between any message and the previous message as the time point of recording the message capture. Based on this, analysis of messages at a specific point in time and calculation of delays in forwarding messages by nodes can be realized.
- 3. Analysis of L3-L7 layer IP data packets
- Realize the intuitive analysis of the internal information of the L3 layer IP address header, L4 layer TCP / UDP header up to layer 7.
- 4.Data transmission packet loss analysis
- By comparing the packet identification IP fields that a node enters and exits on both sides, the identification fields remain unchanged after being forwarded by the node, or use the SEQ and ACK sequence numbers of TCP communication to analyze the packet loss of the node or link. Whether the device (router, switch, SGSN, GGSN) of the message fails or a bottleneck of message forwarding occurs. [1]
- There are several common methods for obtaining packet capture files in mobile packet networks:
- 1. Conversion tools:
- The conversion tool provided by the manufacturer is used to convert the signalling file tracked by the maintenance station of the mobile packet equipment (GSN) to obtain a packet capture file. At present, mobile packet network equipment manufacturers basically provide similar tool software. The subcontracting tool provided by Huawei also supports the in-direction (Gn interface-GGSN) and out-direction (GGSN) of the signaling files tracked on a device. -> Gi interface) to extract and convert separately, this function greatly facilitates the analysis of the packet loss problem of GSN equipment.
- 2. Port mirroring:
- If the packet device manufacturer does not provide a conversion tool, you must capture the packet by using port mirroring on the datacom device accessed by the packet device. Port mirroring is to copy the data on the monitored port to the designated monitoring port, and analyze and monitor the data. When using a packet capture terminal to capture packets, you need to connect the packet capture network card of the host on which the packet capture software is installed to the monitoring port to capture I packets flowing through the monitored port. The configuration method of switch port mirroring varies with different manufacturers and different models of switches. For specific methods, refer to the instruction manual of the specific device. [1]
- In actual troubleshooting, not any fault location requires the capture tool to be analyzed. The premise of enabling packet capture analysis is to use signaling tracking to eliminate faults caused by abnormal connection of mobile packet signaling (such as abnormal MM and SM processes such as failure to attach and activate), that is, the terminal successfully activated and obtained the IP address assigned by the GGSN However, the access service fails, and further analysis of the data transmission process and IP packets is required to locate the fault. Of course, in the analysis process using the packet capture tool, it is still necessary to consider whether the specific communication process is related to the signaling connection of the mobile packet, and a comprehensive analysis can be combined to obtain the correct result. [1]
- Here I will introduce a very practical method based on the characteristics of network viruses scanning network addresses: use packet capture tools to find the source of the virus.
- Capture tool
- 1. Install the packet capture tool.
- The purpose is to use it to analyze the contents of network packets. It is not difficult to find a free or trial version of the packet capture tool. Sniffer, wireshark, WinNetCap. WinSock Expert are currently popular packet capture tools. I used a packet capture tool called SpyNet3.12. The speed is also fast. After installation, we have a packet capture host. You can set the type of packet capture through SpyNet, such as whether to capture IP packets or ARP packets. You can also set more detailed filtering parameters according to the destination address.
- 2. Configure network routing.
- Does your router have a default gateway? If so, where did they point? It is dangerous to point the default gateway to another router during a virus outbreak (unless you want to disable this router). In some corporate networks, only the route of the address segment in the network is often pointed out, and the default route is not added. Then, point the default route to the packet capture host. Fortunately, it is higher, otherwise it is easy to be killed by a virus). This allows most of the scans sent by those virus hosts to be automatically delivered to your door. Or map the network exit to the packet capture host, and all network packets accessed externally will be analyzed.
- 3. Start capturing packets.
- The packet capture host has been set up, and the data packets in the network have been sent over, so let's see what exactly is transmitted in the network. Open SpyNet and click Capture. You will see a lot of data displayed. These are the captured packets (as shown in the figure).
- The main window in the figure shows the situation of packet capture. Lists the sequence number, time, source and destination MAC address, source and destination IP address, protocol type, source and destination port number of the captured packet. It is easy to see that the host with the IP address 10.22.20.71 sent access requests to a large number of different hosts in a very short period of time, and the destination port was 445.
- 4. Find out the infected host.
- From the perspective of packet capture, the host 10.22.20.71 is questionable. First we look at the destination IP addresses. Do these addresses exist in our network? It is likely that there are no such network segments in the network. Secondly, is it possible for an access host to initiate so many access requests in such a short time under normal circumstances? Is it normal to issue tens or even hundreds of connection requests in milliseconds? Obviously there must be something wrong with this 10.32.20.71 host. Take a look at the Microsoft-DS protocol, which has a vulnerability to a denial of service attack. The connection port is 445, which further confirms our judgment. In this way, we can easily find the IP address of the infected host. The rest is to patch the host operating system to kill the virus. [3]