Packet Analysis Using Wireshark
Wireshark is an open-source security tool used for analysing network traffic and individual packets to determine what activity is taking place.
In this article I will be analysing three patterns: ping sweeps, SYN scans and ARP storms.
Ping Sweep
An Internet Control Message Protocol (ICMP) sweep, often known as a ping sweep, is a diagnostic method used in IT to determine which Internet Protocol (IP) address ranges are being used by active hosts. It is typically used to locate active computers on a network and is occasionally used by a system administrator to identify network problems.
Bad actors who are trying to get into a network also use ping sweeps to determine which computers are online and where to focus their attacks.
A ping sweep can also lead to a DoS attack, known as an ICMP flood attack, ping of death or smurf attack. This occurs when the host receiving those packets gets too many ping messages; eventually the network jams, locking legitimate users out of the host.
A ping sweep can be detected in Wireshark using display filters such as icmp.type==8 or icmp.type==0 for an ICMP ping sweep, tcp.dstport==7 for TCP and udp.dstport==7 for UDP.
SYN-scan
SYN scanning involves establishing a half-open connection with the intended target, i.e. the three-way handshake is never completed. Attackers can use it to determine open ports quickly, and it can also be used to cause harm to a computer or server.
There are two possible scenarios with a SYN scan:
Firstly, if the response from the computer or server is SYN-ACK, that indicates an open port. The client then sends an RST packet, which makes the server believe that the client never requested a connection. This can be detected with the tcp.flags==0x012 filter.
The second situation is when a server indicates that a port is closed and secured by sending an RST packet from that port. In this case the attacker sends an enormous number of SYN packets, which the server accepts, but no communication or connection is formed between the client and the server. This can be detected with the tcp.flags==0x004 filter.
ARP Storm
An ARP storm is an attack that causes a DoS or DDoS condition. It is a network problem that an attacker causes within a local network by generating broadcast messages for IP addresses in that network's range, or for IP addresses not present in that range. This can be detected with the arp.packet-storm-detected filter.
To protect against all these attacks, an organisation needs to implement proper firewall rules to block unwanted traffic.
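As an added illustration that is not part of the article, the following Python script implements the three detections described above (the ping sweep, the two SYN-scan scenarios and the ARP storm) over a simplified packet record whose fields mirror the Wireshark ones named in the text (icmp.type, tcp.flags, ARP opcode). The capture it runs on is constructed inline, and the thresholds, window sizes and host addresses are assumptions chosen for the example. It goes slightly beyond the article's filters: the tcp.flags checks are bit tests, so an RST that also carries the ACK bit is recognised, and a handshake finished with a plain ACK is treated as a genuine connection rather than a probe.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:                            # minimal packet record mirroring Wireshark fields
    ts: float                         # capture time in seconds
    src: str                          # source IP (ARP: sender IP)
    dst: str                          # destination IP (ARP: target IP being asked about)
    proto: str                        # "icmp", "tcp" or "arp"
    icmp_type: Optional[int] = None   # icmp.type: 8 = echo request, 0 = echo reply
    tcp_flags: Optional[int] = None   # tcp.flags as the numeric value Wireshark shows
    sport: Optional[int] = None
    dport: Optional[int] = None
    arp_op: Optional[int] = None      # arp.opcode: 1 = request, 2 = reply

FIN, SYN, RST, ACK = 0x001, 0x002, 0x004, 0x010

def _peak_in_window(events, window, measure):
    # events: list of (ts, item); returns the largest measure() over any sliding window of `window` s
    events.sort(key=lambda e: e[0])
    best, i = 0, 0
    for j in range(len(events)):
        while events[j][0] - events[i][0] > window:
            i += 1
        best = max(best, measure(events[i:j + 1]))
    return best

def detect_ping_sweep(pkts, min_targets=5, window=2.0):
    """Sources sending echo requests (icmp.type==8) to >= min_targets distinct hosts within `window` s."""
    by_src = defaultdict(list)
    for p in pkts:
        if p.proto == "icmp" and p.icmp_type == 8:
            by_src[p.src].append((p.ts, p.dst))
    peaks = {s: _peak_in_window(ev, window, lambda w: len({d for _, d in w})) for s, ev in by_src.items()}
    return {s: n for s, n in peaks.items() if n >= min_targets}

def detect_syn_scan(pkts, min_ports=5):
    """Follow each handshake. SYN-ACK answered by RST = open port probed; SYN answered by RST = closed
    port probed; a plain ACK completes a genuine connection. Report sources probing >= min_ports ports."""
    state = {}                                   # (client, server, port) -> handshake stage
    probes = defaultdict(lambda: {"open": set(), "closed": set()})
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.proto != "tcp":
            continue
        f, fwd, rev = p.tcp_flags, (p.src, p.dst, p.dport), (p.dst, p.src, p.sport)
        if f & (SYN | ACK) == SYN:                                        # client SYN (tcp.flags==0x002)
            state[fwd] = "syn"
        elif f & (SYN | ACK) == SYN | ACK and state.get(rev) == "syn":    # server SYN-ACK (0x012)
            state[rev] = "synack"
        elif f & RST and state.get(fwd) == "synack":                      # client RST after SYN-ACK: open port
            probes[p.src]["open"].add(p.dport); state[fwd] = "done"
        elif f & RST and state.get(rev) == "syn":                         # server RST/RST-ACK to a SYN: closed port
            probes[p.dst]["closed"].add(p.sport); state[rev] = "done"
        elif f & (FIN | SYN | RST | ACK) == ACK and state.get(fwd) == "synack":
            state[fwd] = "established"                                    # third step done: not a scan
    return {s: {"open": sorted(v["open"]), "closed": sorted(v["closed"])}
            for s, v in probes.items() if len(v["open"]) + len(v["closed"]) >= min_ports}

def detect_arp_storm(pkts, min_requests=20, window=1.0):
    """Senders broadcasting >= min_requests ARP requests (arp.opcode==1) within `window` s."""
    by_sender = defaultdict(list)
    for p in pkts:
        if p.proto == "arp" and p.arp_op == 1:
            by_sender[p.src].append((p.ts, p.dst))
    peaks = {s: _peak_in_window(ev, window, len) for s, ev in by_sender.items()}
    return {s: n for s, n in peaks.items() if n >= min_requests}

def build_sample_capture():
    """Constructed capture (not a real trace): noisy host 10.0.0.99 plus benign traffic from 10.0.0.7."""
    pk = [Pkt(0.1 * i, "10.0.0.99", f"10.0.0.{i}", "icmp", icmp_type=8) for i in range(1, 9)]  # sweep
    pk += [Pkt(0.15, "10.0.0.1", "10.0.0.99", "icmp", icmp_type=0),          # one host answers
           Pkt(3.0, "10.0.0.7", "10.0.0.1", "icmp", icmp_type=8)]            # an ordinary single ping
    t, sp = 10.0, 40000
    for port in (22, 80, 443):                                                # open ports: SYN, SYN-ACK, RST
        pk += [Pkt(t, "10.0.0.99", "10.0.0.5", "tcp", tcp_flags=SYN, sport=sp, dport=port),
               Pkt(t + .001, "10.0.0.5", "10.0.0.99", "tcp", tcp_flags=SYN | ACK, sport=port, dport=sp),
               Pkt(t + .002, "10.0.0.99", "10.0.0.5", "tcp", tcp_flags=RST, sport=sp, dport=port)]
        t, sp = t + .01, sp + 1
    for port in (21, 23, 25, 8080):                                           # closed ports: SYN, RST-ACK
        pk += [Pkt(t, "10.0.0.99", "10.0.0.5", "tcp", tcp_flags=SYN, sport=sp, dport=port),
               Pkt(t + .001, "10.0.0.5", "10.0.0.99", "tcp", tcp_flags=RST | ACK, sport=port, dport=sp)]
        t, sp = t + .01, sp + 1
    pk += [Pkt(11.0, "10.0.0.7", "10.0.0.5", "tcp", tcp_flags=SYN, sport=50000, dport=80),   # real connection
           Pkt(11.001, "10.0.0.5", "10.0.0.7", "tcp", tcp_flags=SYN | ACK, sport=80, dport=50000),
           Pkt(11.002, "10.0.0.7", "10.0.0.5", "tcp", tcp_flags=ACK, sport=50000, dport=80)]
    pk += [Pkt(20.0 + 0.01 * i, "10.0.0.99", f"10.0.0.{100 + i}", "arp", arp_op=1) for i in range(30)]  # storm
    pk += [Pkt(21.0, "10.0.0.7", "10.0.0.5", "arp", arp_op=1), Pkt(21.001, "10.0.0.5", "10.0.0.7", "arp", arp_op=2)]
    return pk

def analyse(pkts):
    return {"ping_sweep": detect_ping_sweep(pkts), "syn_scan": detect_syn_scan(pkts), "arp_storm": detect_arp_storm(pkts)}

if __name__ == "__main__":
    for name, hits in analyse(build_sample_capture()).items():
        print(name, hits or "nothing flagged")
```

Running the script flags 10.0.0.99 under all three headings and leaves the benign host 10.0.0.7 alone, because its single ping, its completed handshake and its answered ARP request never cross a threshold. In practice the same functions would be fed packets exported from a capture rather than the constructed list, and the thresholds tuned to what is normal on the network being watched.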
Professor Tope, thanks for always sharing your knowledge with us.
Thanks for sharing
Big ups Mr Tope.
Thanks for sharing, this has been very helpful