Source: "Computer and Information Technology"
Application of Etherpeek NX in Network Maintenance
Tang Jianlong (Computer Department, Sandhou Institute of Technology)
Abstract: This article analyzes the working principle of EtherPeek NX and uses its packet capture and analysis functions to examine the packets sent by NETROBOCOP (Network Law Enforcement Officer), in order to understand the basic principles of the LAN and of NETROBOCOP and so keep the network safer and running smoothly.
Keywords: EtherPeek NX, NETROBOCOP, ARP spoofing
I. Introduction
With the development of computer network technology, and especially the widespread use of the Internet, networks are now used in every walk of life. The network has brought great benefits to people's daily work and life, but its structure is becoming more complicated, its scale is growing, and it contains a variety of unsafe factors. In this situation, network managers must use a variety of network analysis tools to manage and maintain the network. Among these, network monitors play an irreplaceable role in helping administrators monitor the data transmitted on the network and troubleshoot network failures, and they have been well received by network administrators.
II. EtherPeek NX
Network monitors are what we usually call network sniffers: tools that use a computer's network interface to intercept packets addressed to other computers. There are many sniffer tools, and WildPackets' EtherPeek NX is one of the more complete in function. EtherPeek NX V2.0 and RMONGrabber were rated best products by CMP Media's Network Magazine in 2003.
EtherPeek NX evaluates and analyzes all seven layers of the OSI architecture. It analyzes the state of each packet and monitors the network in real time, including problems at each network node and in the network architecture. It identifies problems automatically and can provide explanations and solutions, tracks more than 36 network conditions, and provides latency and throughput analysis. It can also display all the nodes on the network graphically, so that managers can understand the current state of the network.
III. How the local area network works
Today's local area networks are mainly IEEE 802.3 Ethernet, and Ethernet and TCP/IP are almost inseparable. TCP/IP is a protocol suite consisting mainly of TCP (Transmission Control Protocol) and IP (Internet Protocol), but it also includes many other protocols. The figure below lists the common protocols of TCP/IP and compares them with the OSI reference model.
Application layer: SMTP, DNS, HTTP, FTP, Telnet
Transport layer: TCP, UDP
Network layer: IP, ICMP, ARP, RARP
Data link layer: IEEE 802 Ethernet, SLIP/PPP, PDN, etc.
Physical layer: NIC, cable, twisted pair, etc.
Figure 1 Network architecture of TCP/IP
From the figure we can see that the first layer, the physical layer, and the second layer, the data link layer, are the foundation of TCP/IP. TCP/IP itself is not much concerned with these low layers, because the network device driver in the data link layer isolates the upper-layer protocols from the actual physical interface. The network device driver is located in the media access control (MAC) sub-layer of the data link layer.
TCP/IP uses 32-bit IP addresses, while Ethernet uses 48-bit hardware addresses, the MAC addresses of the NICs. The ARP and RARP protocols translate between the two.
Each connected computer keeps an ARP cache table, which stores the correspondence between the IP addresses and the MAC addresses of the computers it knows. When a computer wants to connect to another computer, it first looks up the other party's IP address in its local ARP cache table to find the matching MAC address, and then transmits the data with that MAC address as the destination. If the cache holds no record for the other party, the computer first broadcasts an ARP request, which every host on the network receives. When the other party's computer receives the request, it sends back an ARP response containing its own MAC address; on receiving the response, the requesting computer updates its local ARP cache and then uses this MAC address (the address of the other party's NIC) to send the data. This locally cached ARP table is therefore the basis of local network traffic, and it is updated dynamically.
Ethernet uses a broadcast mechanism: every workstation connected to the network can see the data delivered on the network. Normally, a network interface should respond only to two kinds of data frames:
1. Data frames whose destination matches its own hardware address.
2. Broadcast data frames addressed to all machines.
Data transmission and reception are handled by the NIC. When a frame arrives, the firmware on the card reads the destination MAC address of the frame and, according to the reception mode set by the NIC driver on the computer, decides whether to accept it. If the frame is accepted, the card generates an interrupt to notify the CPU; if it is not, the frame is discarded and the computer never knows it arrived. The CPU receives the interrupt, the operating system runs the card's interrupt handler, and the driver receives the data and hands it to the protocol stack for the operating system to process. A NIC generally has four reception modes:
Broadcast mode: the NIC can receive the broadcast frames on the network.
Multicast mode: a NIC set to this mode can receive multicast frames.
Direct mode: in this mode only the NIC whose address matches the destination receives the frame.
Promiscuous (mixed) mode: a NIC in this mode receives every frame that passes through it, regardless of the destination address.
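As an added illustration (not code from the paper, and not how any NIC or driver is actually implemented), the following Python models the receive filter that the four modes describe: the card looks only at the destination MAC address of each frame and at the modes it has been configured with. The sample frames and the multicast address are constructed; the unicast addresses are computer A's from the table in the next section and computer B's as it appears in the captures there. It goes slightly beyond the text by treating the modes as a set that can be combined, which is how "direct plus broadcast" (the two frame kinds a normal card answers) is expressed.

```python
BROADCAST_MAC = bytes.fromhex("ffffffffffff")


def frame_accepted(frame, own_mac, modes):
    """Model of the NIC receive filter: does a card with hardware address
    own_mac, configured with the given set of reception modes, pass this
    frame up to the driver?  modes is a subset of
    {'direct', 'broadcast', 'multicast', 'promiscuous'}."""
    dst = frame[:6]                          # destination MAC is the first 6 bytes
    if "promiscuous" in modes:               # the mode EtherPeek NX selects: take everything
        return True
    if "direct" in modes and dst == own_mac:
        return True
    if "broadcast" in modes and dst == BROADCAST_MAC:
        return True
    # Multicast addresses have the group bit (least significant bit of the
    # first octet) set; the all-ones broadcast address is handled above.
    if "multicast" in modes and dst[0] & 0x01 and dst != BROADCAST_MAC:
        return True
    return False


def frames_seen(frames, own_mac, modes):
    """Indices of the frames a card in these modes would receive."""
    return [i for i, f in enumerate(frames) if frame_accepted(f, own_mac, modes)]


# Constructed sample frames on the paper's LAN. Only the 14-byte Ethernet
# header matters to the filter, so the payloads are zero placeholders.
A_MAC = bytes.fromhex("00E04C3C0F14")       # computer A
B_MAC = bytes.fromhex("00E04C3BF046")       # computer B, as seen in the captures
MCAST = bytes.fromhex("01005E000001")       # all-hosts IPv4 multicast group (constructed)


def eth(dst, src, ethertype):
    return dst + src + ethertype.to_bytes(2, "big") + b"\x00" * 46


SAMPLE_FRAMES = [
    eth(A_MAC, B_MAC, 0x0800),            # 0: unicast B -> A
    eth(B_MAC, A_MAC, 0x0800),            # 1: unicast A -> B
    eth(BROADCAST_MAC, A_MAC, 0x0806),    # 2: ARP request, broadcast
    eth(MCAST, B_MAC, 0x0800),            # 3: multicast
]
NORMAL = {"direct", "broadcast"}           # what a NIC normally responds to
```

With `NORMAL`, computer A's card sees only frames 0 and 2; in promiscuous mode it sees all four, including the unicast frame from A to B that it would otherwise never be handed. That difference is the whole basis of sniffing described in the text.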
EtherPeek NX puts the NIC into promiscuous mode, so that the NIC receives every frame it can see; this is the basic working principle of EtherPeek NX. Knowing how it works, we can use it to intercept and analyze the packets on the network and to control the network.
IV. EtherPeek NX interception and analysis of NETROBOCOP packets
Because EtherPeek NX can receive all the data in the LAN and analyze it, we can use it to analyze and investigate the network, find illegal data on the network, and control it effectively. The following uses EtherPeek NX to analyze NETROBOCOP as an example.
NETROBOCOP is software for managing a network segment. It can obtain the table of IP addresses and their corresponding MAC addresses, reflect the connection status of network users, define the IP address used by each machine (including the IP addresses assigned to computers and network devices) and its permitted online time, block unregistered computers from connecting to the network, and record the online time of every machine connected to the network. Once it is used illegally, however, it throws the network into chaos. The makers of NETROBOCOP have not published its working principle, but that principle can also be discovered with EtherPeek NX.
The following uses the three computers in the local area network, namely:
Computer A IP address 192.168.11.1 MAC address 00-E0-4C-3C-0F-14
Computer B IP address 192.168.11.2 MAC address 00-E0-4C-02-88-24
Computer C IP address 192.168.11.3 MAC address 00-E0-4C-3C-05-20
The NETROBOCOP software and the EtherPeek NX software are both installed on computer C.
When NETROBOCOP is not running and the network is working normally, the ARP cache tables of A and B are as follows:
Computer A:
C:\Windows\Desktop>ARP -A
Interface: 192.168.11.1 on interface 0x1000002
  Internet Address      Physical Address      Type
  192.168.11.2          00-E0-4C-3B-F0-46     Dynamic
  192.168.11.3          00-E0-4C-3C-05-20     Dynamic
Computer B:
C:\Windows\Desktop>ARP -A
Interface: 192.168.11.2 on interface 0x1000002
  Internet Address      Physical Address      Type
  192.168.11.1          00-E0-4C-3C-0F-14     Dynamic
  192.168.11.3          00-E0-4C-3C-05-20     Dynamic
After NETROBOCOP is run, it lists all the computers connected in the network segment by IP address, showing for each computer its IP address, MAC address, computer name, online time and network card model. While no user is being restricted, the data captured with EtherPeek NX's Capture feature shows that NETROBOCOP sends ARP request data to every IP address in a certain network segment, querying each one's MAC address. Each computer returns an ARP response after receiving this ARP request, reporting its own MAC address to the sender. The analysis of one such normal ARP response (the response sent by computer B to computer C) is shown below:
Flags: 0x00
Status: 0x00
Packet Length: 64 / packet length
Timestamp: 11:04:07.168000 09/25/2003
Ethernet Header
Destination: 00:E0:4C:3C:05:20 / destination MAC address
Source: 00:E0:4C:3B:F0:46 / source MAC address
Protocol Type: 0x0806 IP ARP / protocol type
ARP - Address Resolution Protocol
Hardware: 1 Ethernet (10MB)
Protocol: 0x0800 IP
Hardware Address Length: 6
Protocol Address Length: 4
Operation: 2 ARP Response / ARP response
Sender Hardware Address: 00:E0:4C:3B:F0:46 / sender MAC address
Sender Internet Address: 192.168.11.2 / sender IP address
Target Hardware Address: 00:E0:4C:3C:05:20 / receiver MAC address
Target Internet Address: 192.168.11.3 / receiver IP address
Extra Bytes
Number of bytes:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 / fill data
FCS - Frame Check Sequence
FCS (Calculated): 0xDEC47B2A / checksum
At this time the network is full of ARP request and ARP response data, which takes up a lot of network bandwidth and reduces the throughput and utilization of the network. This can be seen whether you analyze the data with Capture or use EtherPeek NX's protocol-type analysis or traffic analysis.
Next, the restriction function of NETROBOCOP is enabled to see how it restricts the network access of users. On computer C, computer B is restricted and prohibited from connecting to other hosts. Checking the ARP cache tables of computer A and computer B at this point shows that the MAC addresses recorded for computer A and computer B in each other's ARP cache tables have changed (the changed entries appear in the listings below).
Computer A:
C:\Windows\Desktop>ARP -A
Interface: 192.168.11.1 on interface 0x1000002
  Internet Address      Physical Address      Type
  192.168.11.2          00-E0-4C-02-88-24     Dynamic
  192.168.11.3          00-E0-4C-3C-05-20     Dynamic
Computer B:
C:\Windows\Desktop>ARP -A
Interface: 192.168.11.2 on interface 0x1000002
  Internet Address      Physical Address      Type
  192.168.11.1          00-E0-4C-05-77-76     Dynamic
  192.168.11.3          00-E0-4C-3C-05-20     Dynamic
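An added check, not part of the paper: a small Python script that parses the Windows `arp -a` listings of the kind shown above and reports which entries changed between two snapshots, or which disagree with a known inventory of addresses. The two listings embedded in it are reconstructed from the paper's tables for computer B before and after the restriction; the inventory is assumed to be what the administrator recorded for computers A and C.

```python
import re

# One cache row of Windows 'arp -a' output: IP address, dash-separated MAC, type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)",
    re.MULTILINE)


def parse_arp_a(text):
    """Return {ip: MAC} from the text of 'arp -a'; MACs normalised to upper case."""
    return {ip: mac.upper() for ip, mac, _ in ARP_ROW.findall(text)}


def changed_entries(before, after):
    """IPs whose MAC differs between two cache snapshots, as ip -> (old, new).
    An entry that appeared or vanished shows None on the missing side."""
    return {ip: (before.get(ip), after.get(ip))
            for ip in sorted(set(before) | set(after))
            if before.get(ip) != after.get(ip)}


def audit_cache(text, inventory):
    """Cache rows that contradict a known IP -> MAC inventory: ip -> (expected, cached)."""
    cache = parse_arp_a(text)
    return {ip: (mac.upper(), cache[ip])
            for ip, mac in inventory.items() if ip in cache and cache[ip] != mac.upper()}


# Constructed from the paper's two listings for computer B, taken before and
# after NETROBOCOP restricts B.
B_BEFORE = """\
Interface: 192.168.11.2 on interface 0x1000002
  Internet Address      Physical Address      Type
  192.168.11.1          00-E0-4C-3C-0F-14     Dynamic
  192.168.11.3          00-E0-4C-3C-05-20     Dynamic
"""
B_AFTER = """\
Interface: 192.168.11.2 on interface 0x1000002
  Internet Address      Physical Address      Type
  192.168.11.1          00-E0-4C-05-77-76     Dynamic
  192.168.11.3          00-E0-4C-3C-05-20     Dynamic
"""
# Assumed administrator inventory for A and C, from the paper's address table.
INVENTORY = {"192.168.11.1": "00-E0-4C-3C-0F-14", "192.168.11.3": "00-E0-4C-3C-05-20"}
```

On a real host the text would come from running `arp -a` and saving its output; `audit_cache` then flags the entry for 192.168.11.1 exactly as the listing above does by eye. An entry confirmed against the inventory can be pinned on Windows with `arp -s <ip> <mac>`, which creates a static entry that later ARP responses do not overwrite.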
In fact, this is ARP spoofing. Now, when computer B has data to send to IP address 192.168.11.1, looking up the ARP cache table yields a different MAC address. When the frame reaches computer A, the NIC compares the destination MAC address and discards the frame, so computer A does not receive the data sent by computer B; that is, computer B cannot connect to computer A. Computer C, however, which controls computer B, does not modify its own MAC address and can still communicate with computer B.
The process of this ARP spoofing can be observed with EtherPeek NX: it is also ARP response data. The ARP protocol does not accept ARP responses only after it has sent an ARP request. Whenever a computer receives an ARP response, it updates its local ARP cache table, storing the IP address and MAC address carried in the response.
The ARP response used for the spoofing is in fact sent by computer C to computer B using computer A's IP address together with a random, forged MAC address. Its packet is as follows:
Flags: 0x00
Status: 0x00
Packet Length: 64
Timestamp: 11:04:08.318000 09/25/2003
Ethernet Header
Destination: 00:E0:4C:3B:F0:46
Source: 00:E0:4C:05:77:76 / forged MAC address
Protocol Type: 0x0806 IP ARP
ARP - Address Resolution Protocol
Hardware: 1 Ethernet (10MB)
Protocol: 0x0800 IP
Hardware Address Length: 6
Protocol Address Length: 4
Operation: 2 ARP Response
Sender Hardware Address: 00:E0:4C:05:77:76 / forged MAC address
Sender Internet Address: 192.168.11.1 / forged, computer A's IP address
Target Hardware Address: 00:E0:4C:3B:F0:46
Target Internet Address: 192.168.11.2
Extra Bytes
Number of bytes:
20 20 20 20 20 20 20 20 20 20 20 20 20
20 20
FCS - Frame Check Sequence
FCS (Calculated): 0xC3277168
The ARP cache table is updated dynamically. If only one such ARP response is sent, the entry is removed from the ARP cache table after a period of time; on the next connection the ARP request and ARP response are performed again and the correct MAC address is restored. To prevent the ARP cache from being corrected, NETROBOCOP keeps sending this ARP response to computer B continuously. At the same time it keeps sending ARP responses with spoofed addresses to computer A, which completely blocks communication between computer A and computer B.
What happens if the sender's IP address is the same as the receiver's? That is the IP address conflict warning we often see, and NetRobocop uses this to generate IP address conflicts. The IP-conflict ARP response sent by computer C to computer A is as follows:
Flags: 0x00
Status: 0x01
Packet Length: 64
Timestamp: 11:06:29.841000 09/25/2003
Ethernet Header
Destination: 00:E0:4C:3C:0F:14
Source: 00:E0:4C:78:84:6B / forged MAC address
Protocol Type: 0x0806 IP ARP
ARP - Address Resolution Protocol
Hardware: 1 Ethernet (10MB)
Protocol: 0x0800 IP
Hardware Address Length: 6
Protocol Address Length: 4
Operation: 2 ARP Response
Sender Hardware Address: 00:E0:4C:78:84:6B / forged MAC address
Sender Internet Address: 192.168.11.1 / forged, the same IP address as the receiver
Target Hardware Address: 00:E0:4C:3C:0F:14
Target Internet Address: 192.168.11.1
Extra Bytes
Number of bytes:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
FCS - Frame Check Sequence
FCS (Calculated): 0xFE9194DA
Thus, after receiving this IP-conflict ARP response, the network card detects that the sender and the receiver use the same IP address and generates an IP address conflict interrupt; on receiving the interrupt, the CPU pops up a warning window. Because this IP-conflict ARP response is sent continuously, computer A keeps receiving the IP conflict warning.
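The ARP exchange described in section III, the normal and spoofed responses dumped above, and the IP-conflict response all share one frame layout, so the following added Python example (not the paper's code and not part of EtherPeek NX or NETROBOCOP) decodes that layout and applies the checks a defender would run over such a capture: a sender that queries many hosts in a row, a response that answers no outstanding request, a response whose sender and target IP address coincide, and a response that contradicts a known IP-to-MAC inventory. The replayed frames are constructed from the addresses in the paper's dumps; the scan threshold is an assumed tuning value, and seeding the monitor with the inventory of A and C is an assumed deployment choice.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "FF:FF:FF:FF:FF:FF"


def _mac(s):  # '00-E0-4C-3C-0F-14' or '00:E0:4C:3C:0F:14' -> 6 raw bytes
    return bytes(int(x, 16) for x in s.replace("-", ":").split(":"))

def _ip(s):
    return bytes(int(x) for x in s.split("."))

def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """60-byte Ethernet II + ARP frame (no FCS), zero-padded like the captures."""
    hdr = struct.pack("!6s6sH", _mac(eth_dst), _mac(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac(sha), _ip(spa), _mac(tha), _ip(tpa))
    return hdr + arp + b"\x00" * (60 - len(hdr) - len(arp))

def parse_arp_frame(frame):
    """Decode the 'Ethernet header' and 'ARP' fields of an EtherPeek dump; None if not ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    fmt_mac = lambda b: ":".join(f"{x:02X}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"eth_dst": fmt_mac(dst), "eth_src": fmt_mac(src), "op": op,
            "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa), "padding": frame[42:]}


class ArpMonitor:
    """Stateful checks over a stream of captured frames."""
    def __init__(self, known=None, scan_threshold=16):
        self.bindings = dict(known or {})   # IP -> MAC, seeded from the inventory
        self.pending = set()                # (requester IP, target IP) awaiting a reply
        self.requested = defaultdict(set)   # requester IP -> distinct targets asked
        self.scan_threshold = scan_threshold

    def observe(self, frame):
        arp = parse_arp_frame(frame)
        if arp is None:
            return []
        alerts = []
        if arp["op"] == ARP_REQUEST:
            self.pending.add((arp["spa"], arp["tpa"]))
            targets = self.requested[arp["spa"]]
            targets.add(arp["tpa"])
            if len(targets) == self.scan_threshold:   # report each scanner once
                alerts.append(f"arp-scan: {arp['spa']} has queried {len(targets)} hosts")
        elif arp["op"] == ARP_REPLY:
            if arp["spa"] == arp["tpa"]:
                alerts.append(f"ip-conflict reply: {arp['spa']} claimed by {arp['sha']}")
            # A genuine reply answers a request in which the target asked about the
            # sender; any other reply is unsolicited, yet the receiver caches it anyway.
            if (arp["tpa"], arp["spa"]) in self.pending:
                self.pending.discard((arp["tpa"], arp["spa"]))
            else:
                alerts.append(f"unsolicited reply: {arp['spa']} is-at {arp['sha']} to {arp['tpa']}")
            known = self.bindings.get(arp["spa"])
            if known is None:
                self.bindings[arp["spa"]] = arp["sha"]   # first sighting; inventory never overwritten
            elif known != arp["sha"]:
                alerts.append(f"binding change: {arp['spa']} was {known}, now {arp['sha']}")
        return alerts


# Constructed replay of the paper's scenario; the addresses are those in its packet dumps.
A_IP, A_MAC = "192.168.11.1", "00:E0:4C:3C:0F:14"
B_IP, B_MAC = "192.168.11.2", "00:E0:4C:3B:F0:46"
C_IP, C_MAC = "192.168.11.3", "00:E0:4C:3C:05:20"

def run_scenario():
    mon = ArpMonitor(known={A_IP: A_MAC, C_IP: C_MAC})
    alerts = []
    # 1. NETROBOCOP on C asks every address in the segment for its MAC.
    for host in range(1, 21):
        alerts += mon.observe(build_arp_frame(BROADCAST, C_MAC, ARP_REQUEST, C_MAC, C_IP,
                                              "00:00:00:00:00:00", f"192.168.11.{host}"))
    # 2. B answers C normally (the first dump in the text): no alert.
    alerts += mon.observe(build_arp_frame(C_MAC, B_MAC, ARP_REPLY, B_MAC, B_IP, C_MAC, C_IP))
    # 3. Spoofed reply to B carrying A's IP with a forged MAC (second dump).
    alerts += mon.observe(build_arp_frame(B_MAC, "00:E0:4C:05:77:76", ARP_REPLY,
                                          "00:E0:4C:05:77:76", A_IP, B_MAC, B_IP))
    # 4. IP-conflict reply to A: sender and target IP are both A's (third dump).
    alerts += mon.observe(build_arp_frame(A_MAC, "00:E0:4C:78:84:6B", ARP_REPLY,
                                          "00:E0:4C:78:84:6B", A_IP, A_MAC, A_IP))
    return alerts
```

`run_scenario()` returns six alerts: one for the segment-wide scan, two for the spoofed response to B (unsolicited, and contradicting A's known address) and three for the conflict response to A. In a real deployment the frames would be read from the capture rather than built with `build_arp_frame`. Note that the binding check alone cannot distinguish a spoof from a legitimately replaced network card, which is why seeding the monitor from an inventory, rather than trusting the first response seen, is the assumed deployment choice here.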
V. Countering NetRobocop with EtherPeek NX
By intercepting and analyzing NETROBOCOP's data, the basic principle of this network software is understood. Once this software is used illegally, some users may be restricted illegally and find it hard to get rid of its control: because it uses a low-level function of the network to achieve control, there is no ready-made tool or software to block the restriction, and the user cannot use the network normally unless the restriction is lifted. So is there no way to deal with this restriction? Of course there is. In fact, we can use NETROBOCOP's own ARP spoofing principle to counter it, get rid of its control and keep the network in its normal state. Of course, in this case the network will be filled with these ARP packets, which take up a large amount of network traffic and affect normal network use. The method works as follows: once you are restricted by NetRobocop you cannot communicate with other computers, but the computer controlling you can still communicate with you, and this clue is used to find the controlling computer. With the Capture function of EtherPeek NX its IP address and MAC address can be found, and then the send-data feature of EtherPeek NX can be used to send ARP responses with spoofed addresses so that it is disconnected from the other computers, freeing you from its control.
VI. Conclusion
Network tools such as EtherPeek NX and NetRobocop can be used by network managers to enhance security and keep the network unobstructed, and they can also be used by malicious users for illegal network activities. As long as we can analyze the principles of these network tools, we can use them to better maintain the security and smooth operation of the network.