Wireshark Passive Discovery - Protocols and Apps Again

Know Your Network Passive Discovery - Part 3 Protocols and Applications Again


In the previous part of this blog set, we opened skill-passivediscovery1.pcapng, and focused on the Endpoints window to build the following diagram using passive discovery. [You can learn how to download the file on which I will be working (and hundreds of other public trace files) by visiting https://www.chappell-university.com/traces.]

So far, we have created the following view of a network based on the trace file traffic.

Passive Discovery Diagram 2

In Part 2 of this blog set, we looked at the NetBIOS and DNS traffic shown in Wireshark’s Protocol Hierarchy window.

Now we are going to look into the Data, Transport Layer Security (TLS), and Address Resolution Protocol (ARP) traffic to see if we can gain more insight into the network devices.

Examine the Data

Wireshark doesn’t recognize the application protocol carried in this UDP traffic, so it labels the payload simply as Data. Right click on the Data line in the Protocol Hierarchy window and select Apply as Filter | Selected to focus on this traffic.

Hint: I usually keep a Stream column visible at all times. You’ll find this field in a UDP or TCP header. Right-click on the field and select Apply as Column. If you want one column to display either the UDP or TCP stream information, right click on the new column and select Edit Column. Change the Fields value to tcp.stream || udp.stream and click OK.

There are two UDP conversations listed (UDP Stream 0 and UDP Stream 5).

Right click on UDP Stream 0 and select Follow | UDP Stream.

UDP Conversations

You may not recognize this traffic, but I know this is related to my DVR system that plays news clips in my office. I see a clear reference to “dvr” in the reassembled data.

Now change the display filter that Wireshark applied to udp.stream eq 5 and press Enter. Right click on any packet and select Follow | UDP Stream.

UDP Stream 5

Hmmm… Is this interesting or not?

I think it is interesting. A quick Google query for “Kannou Archer C8 v4” brings up an image of a TP-LINK Archer C8 v1.x Wireless Dual Band Gigabit Router. That’s what we have here in my office.

Excellent. This UDP Stream 5 traffic is from 192.168.0.1 so we can put an accurate picture on our network diagram.

Examine the TLS Traffic

TLS traffic is encrypted after the handshake is completed. Before that point, we may get some valuable information for passive discovery. Client Hello packets may contain the name of the target server in the tls.handshake.extensions_server_name field.

By applying a tls.record.content_type == 22 filter, we can see any TLS Handshake packets contained in the trace file.

No TLS Handshake Packets - Darn

Dang it! There are no TLS Handshake packets in the trace file. That is something we’ll always look for when mapping networks in the future, however.

If you want to see an example of this TLS Handshake, go get tcp-spurious-retran.pcapng from our online trace file repository. Visit https://www.chappell-university.com/traces for login information to access this repository.
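To show what the tls.record.content_type == 22 filter is actually matching, here is an added example (my own code, not from this post or from Wireshark) that parses a TLS record, checks that it is a Handshake record carrying a ClientHello, and pulls the server_name out of the SNI extension, the same value Wireshark exposes as tls.handshake.extensions_server_name. The ClientHello bytes are constructed inside the script, not taken from any trace file, and the records with no handshake at all return None, which is exactly the situation in skill-passivediscovery1.pcapng.

```python
import struct

def build_client_hello(server_name, with_sni=True):
    """Construct a minimal TLS ClientHello record (sample data built here,
    not taken from a capture). with_sni=False omits the extensions block."""
    host = server_name.encode()
    sni_list = struct.pack("!BH", 0, len(host)) + host         # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = b"\x03\x03" + b"\x11" * 32                           # client_version + random
    body += b"\x00"                                             # session_id length 0
    body += struct.pack("!H", 2) + b"\x13\x01"                  # one cipher suite
    body += b"\x01\x00"                                         # compression: null only
    if with_sni:
        body += struct.pack("!H", len(sni_ext)) + sni_ext       # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the SNI host name from a TLS ClientHello record, or None when the
    record is not a Handshake (content type 22) or carries no SNI extension."""
    if len(record) < 5 or record[0] != 22:
        return None                                 # tls.record.content_type != 22
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 1:                   # only ClientHello carries SNI
        return None
    pos = 4 + 2 + 32                                # handshake header, version, random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                              # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                              # compression_methods
    if len(hs) < pos + 2:
        return None                                 # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + elen]
        pos += elen
        if etype == 0 and len(data) >= 5:           # extension 0 = server_name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
    return None

def handshake_server_names(records):
    """Passive-discovery view: the server names visible in a list of TLS records."""
    names = [extract_sni(r) for r in records]
    return [n for n in names if n is not None]

if __name__ == "__main__":
    sample = [
        b"\x17\x03\x03\x00\x05hello",                    # Application Data: encrypted, no use to us
        build_client_hello("www.example.com"),           # constructed ClientHello with SNI
        build_client_hello("ignored.invalid", with_sni=False),
    ]
    print(handshake_server_names(sample))
```

On a real capture the equivalent one-liner is tshark -r file.pcapng -Y "tls.record.content_type == 22" -T fields -e tls.handshake.extensions_server_name; the parser above just makes visible what that filter and field are keyed on.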

Examine the ARP Traffic for Local MAC Address Information

We can either right click on the Address Resolution Protocol line in the Protocol Hierarchy window and select Apply as Filter | Selected or use the filter arp to see only ARP traffic.

Frame 4 is interesting because it provides the following information:

192.168.0.101: d4:3d:7e:a6:41:fd

192.168.0.1: 0c:80:63:d1:7e:f8

ARP shows local hardware-to-network addresses

Frame 4 indicates that we are capturing on the network upon which these two IP hosts reside.

Based on its address, we can assume 192.168.0.102 is also on that network, so we can look for a packet to or from that host to get its MAC address as well.

Using the filter ip.addr==192.168.0.102, we see four multicast packets from that host.

The Ethernet header in these packets indicates that the MAC address of 192.168.0.102 is 00:23:ee:e9:10:4a.
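The two steps just described, reading sender and target addresses out of an ARP frame and then taking the Ethernet source address of any packet a local host sends, are easy to automate. The following is an added example (my own code, not from this post), which builds a handful of constructed Ethernet frames using the addresses the post reports and learns an IP-to-MAC table from them. The subnet 192.168.0.0/24 is an assumption; the check matters because a frame from an off-subnet host (the 8.8.8.8 frame in the sample) carries the router's MAC, not the sender's, and must not be recorded.

```python
import ipaddress
import struct

ETH_ARP = 0x0806
ETH_IPV4 = 0x0800
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")   # assumed local subnet

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(src_mac, dst_mac, opcode, sha, spa, tha, tpa):
    """Constructed Ethernet + ARP frame (opcode 1 = request, 2 = reply)."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac(sha) + ipaddress.ip_address(spa).packed
    arp += mac(tha) + ipaddress.ip_address(tpa).packed
    return eth + arp

def build_ipv4(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Constructed Ethernet + IPv4 (UDP, checksum left zero) frame."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_IPV4)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    return eth + header + payload

def learn_mac_addresses(frames, local_net=LOCAL_NET):
    """Build an IP -> MAC table the way the post does by hand: ARP sender and
    (for replies) target fields, then the Ethernet source of any IPv4 frame
    sent by a host that is on the local subnet."""
    table = {}
    for frame in frames:
        if len(frame) < 14:
            continue
        ethertype = struct.unpack("!H", frame[12:14])[0]
        src_mac = mac_str(frame[6:12])
        if ethertype == ETH_ARP and len(frame) >= 42:
            opcode = struct.unpack("!H", frame[20:22])[0]
            sha, spa = mac_str(frame[22:28]), str(ipaddress.ip_address(frame[28:32]))
            tha, tpa = mac_str(frame[32:38]), str(ipaddress.ip_address(frame[38:42]))
            table[spa] = sha                         # sender fields are always real
            if opcode == 2 and tha != "00:00:00:00:00:00":
                table[tpa] = tha                     # reply: target is the requester
        elif ethertype == ETH_IPV4 and len(frame) >= 34:
            src_ip = ipaddress.ip_address(frame[26:30])
            if src_ip in local_net:                  # off-subnet src MAC is the router's
                table[str(src_ip)] = src_mac
    return table

def sample_frames():
    """Constructed frames using the addresses reported in the post."""
    return [
        # Frame like the post's Frame 4: ARP reply from .101 to .1 gives both MACs
        build_arp("d4:3d:7e:a6:41:fd", "0c:80:63:d1:7e:f8", 2,
                  "d4:3d:7e:a6:41:fd", "192.168.0.101",
                  "0c:80:63:d1:7e:f8", "192.168.0.1"),
        # Multicast from .102: only the Ethernet source address is usable
        build_ipv4("00:23:ee:e9:10:4a", "01:00:5e:00:00:fb",
                   "192.168.0.102", "224.0.0.251", b"\x00" * 8),
        # Off-subnet sender arriving via the router: must not be recorded
        build_ipv4("0c:80:63:d1:7e:f8", "d4:3d:7e:a6:41:fd",
                   "8.8.8.8", "192.168.0.101", b"\x00" * 8),
    ]

if __name__ == "__main__":
    for ip, hw in sorted(learn_mac_addresses(sample_frames()).items()):
        print(f"{ip}: {hw}")
```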

Here’s what our network diagram looks like now:

Network Diagram 3

There are numerous other applications and protocols that contain details that can be used to fill out a network diagram.

  • HTTP: Look inside GET requests for the http.host field value.

  • DHCP: Way down inside these packets you should find a Host Name field.

  • NetBIOS: Look for Name announcements.

  • OUI: For local hosts only, the first three bytes of the Ethernet MAC address (the OUI) may identify the NIC manufacturer.

Whether you’ve just been handed a trace file to analyze or you need to figure out what’s on your network, being able to draw a comprehensive picture of your network based on packets is a great skill to master!

Try it out on your trace files!

Cheers!
