LESSON 7 ATTACK ANALYSIS part III

Source: Internet  Editor: 程序博客网  Time: 2024/05/22 06:18

7.2.2 Decoding Network Traffic
Now that you can see the network data that's moving through your computer, you have to
figure out how to decode it.
In Ethereal, the first step, before you even end the capture session, is to look at the summary
capture screen that the program displays while it is performing the capture. For our web
browsing session, most of the packets should have been TCP packets (although if you
stopped to watch a streaming video, your UDP packet count will be higher).
However, if you're capturing a simple web browsing session, and you see a large number of
ARP or ICMP packets, that could indicate a problem.


7.2.2 Decoding Network Traffic (translator's version)

Now that you can see the network data flowing through your computer, you need to figure out how that data is encoded.

In Ethereal, before you close the capture window, the first step is to look at the total number of captured packets shown on the capture window. In our web browser session, most of the packets are TCP packets (even if you did not watch a video, the number of UDP packets will also go up). But if you are capturing a simple web browser session and see a large number of ARP or ICMP packets, that indicates a problem.

After you've ended the capture session, you're going to see output similar to this:

After you end the capture session, you will see output similar to the following: (This "capture session" has always troubled me; I don't know how best to translate it, and my translation is really a mess.)


In this example, these twelve packets illustrate the web browser's activity as it connects with
its specified start page. The most easily decoded information is in the Source and Destination
columns. IP address 257.10.3.250 is the local computer; the other IP addresses have been
resolved to names by Ethereal. Since the web browser used was the Mozilla Firefox browser,
and since its start page was the default Mozilla Firefox page, it is not surprising to see
addresses from the mozilla.org domain. The requests sent to name.server.com were probably
generated by Ethereal when it sent DNS queries to resolve the IP addresses into names. (Note:
these accesses by the Ethereal program were caused by the options you set in the Display
Options and Name Resolution boxes. They were set to on in this example in order to produce
a more readable output. If you toggle these options to off, then you won't have this extra
data.)
Looking at source and destination information can help you spot unauthorized activity. For
example, an unfamiliar domain name that is repeatedly accessed might indicate that you
have a spyware program installed.


In this example, these 12 packets show what the web browser does when it connects to its specified home page. The easiest information to decode is in the Source and Destination columns. The IP address 257.10.3.250 is the local computer; Ethereal looked up the domain names of the other IP addresses. Because the browser used was Firefox and the home page was the default Firefox home page, Firefox domain names appear among these 12 addresses. The connections to name.server.com were probably produced because Ethereal connected to that site to perform domain-name lookups, which is why that record appears. (Note: these Ethereal operations are controlled by what you set in the Display Options window and the Name Resolution window; in this example they were set this way to make the output more credible. If you turn these features off, you will not get these extra records.)

Looking at the source and destination information can reveal unauthorized activity. For example, if an unfamiliar domain name shows up repeatedly here, it suggests a spyware program may have been installed on your computer.


The next column is the Protocol column, which tells you what protocol the packets used.
Again, to know when something is wrong here, you're going to have to know what to expect.
In our web browsing session, we expect TCP and HTTP, and we understand why the DNS
packets are there, but, for example, a large number of ICMP packets could mean that your
machine is being pinged or traced.
The last column, Info, provides more detailed information about the packets. Packets 2, 3 and
4 show the TCP three-way handshake of SYN, SYN/ACK, ACK, which indicates that a
connection has been made. Packet 5 shows an HTTP GET command followed in packet 7 by
a 304 Not Modified response.
If you want more information about the packets, the bottom two panes in the Ethereal screen
show detailed explanations. The middle pane shows the details of the packet header. The
bottom pane shows a hex and ASCII dump of the data in the packet.


The next column is the Protocol column, which tells you which protocol the packets used. You need to know what the data should look like so that you notice when something goes wrong. During a web browser visit, we expect the packet protocols to be mostly TCP and HTTP, and we understand why that is, but when a large number of ICMP packets show up, it indicates your computer is being traced.

The last column, Info, provides more detailed information about the packets. Packets 2, 3 and 4 show the TCP three-way handshake, SYN, SYN/ACK, ACK, which indicates a connection was made. Packet 5 shows an HTTP download command, and packet 7 then shows a 304 Not Modified response.

If you want more information about these packets, the two long panes at the bottom of the Ethereal window show detailed explanations. The middle pane gives the details of the packet header. The bottom pane shows the hexadecimal and ASCII representation of the data in the packet.
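The checks the lesson walks through by eye (the protocol mix of a browsing session, unfamiliar destinations in the Source/Destination columns, the SYN, SYN/ACK, ACK handshake and the GET / 304 pair in the Info column) can be automated over a packet-list summary. The script below is an added example written for this page, not code from the Hacker Highschool lesson or from Ethereal. It parses a constructed twelve-packet summary in the shape of Ethereal's capture screen (No., Source, Destination, Protocol, Info); the hostnames other than the lesson's own mozilla.org, name.server.com and 257.10.3.250 are made up, and the flag syntax `[SYN, ACK]` is the one Ethereal prints for TCP segments.

```python
# Added example (not from the lesson): analyse a packet-list summary the way
# section 7.2.2 describes, over a constructed sample capture.
from collections import Counter

# Constructed sample modelled on the lesson's twelve-packet browsing session.
# 257.10.3.250 is the lesson's (deliberately invalid) local address;
# tracker.example-unknown.net is a made-up "unfamiliar" destination.
SAMPLE_CAPTURE = """\
1 257.10.3.250 name.server.com DNS Standard query A www.mozilla.org
2 257.10.3.250 www.mozilla.org TCP 1045 > 80 [SYN]
3 www.mozilla.org 257.10.3.250 TCP 80 > 1045 [SYN, ACK]
4 257.10.3.250 www.mozilla.org TCP 1045 > 80 [ACK]
5 257.10.3.250 www.mozilla.org HTTP GET /start/ HTTP/1.1
6 www.mozilla.org 257.10.3.250 TCP 80 > 1045 [ACK]
7 www.mozilla.org 257.10.3.250 HTTP HTTP/1.1 304 Not Modified
8 257.10.3.250 name.server.com DNS Standard query PTR (name resolution by Ethereal)
9 name.server.com 257.10.3.250 DNS Standard query response
10 257.10.3.250 tracker.example-unknown.net TCP 1046 > 80 [SYN]
11 257.10.3.250 www.mozilla.org TCP 1045 > 80 [FIN, ACK]
12 www.mozilla.org 257.10.3.250 TCP 80 > 1045 [FIN, ACK]
"""

# Constructed sample of the "being pinged" case the lesson mentions.
PING_SAMPLE = """\
1 10.0.0.9 257.10.3.250 ICMP Echo (ping) request
2 257.10.3.250 10.0.0.9 ICMP Echo (ping) reply
3 10.0.0.9 257.10.3.250 ICMP Echo (ping) request
"""

EXPECTED_WEB_PROTOCOLS = {"TCP", "HTTP", "DNS"}  # what a plain browsing session produces


def parse_capture(text):
    """Split each summary line into No., Source, Destination, Protocol and Info."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        no, src, dst, proto, info = line.split(maxsplit=4)
        packets.append({"no": int(no), "src": src, "dst": dst, "proto": proto, "info": info})
    return packets


def protocol_counts(packets):
    return Counter(p["proto"] for p in packets)


def unexpected_protocols(packets, expected=EXPECTED_WEB_PROTOCOLS):
    """Protocols (e.g. ICMP, ARP) that a browsing session should not show, with counts."""
    return {proto: n for proto, n in protocol_counts(packets).items() if proto not in expected}


def unfamiliar_hosts(packets, local, known_suffixes):
    """Hosts in Source/Destination that are neither the local machine nor a known domain."""
    hosts = set()
    for p in packets:
        for host in (p["src"], p["dst"]):
            if host != local and not any(host == s or host.endswith("." + s) for s in known_suffixes):
                hosts.add(host)
    return hosts


def tcp_flags(info):
    """Return the bracketed flag set of a TCP Info string, e.g. {'SYN', 'ACK'}."""
    if "[" not in info or "]" not in info:
        return set()
    return {f.strip() for f in info[info.index("[") + 1:info.index("]")].split(",")}


def find_handshakes(packets):
    """(SYN, SYN/ACK, ACK) packet numbers for every completed three-way handshake."""
    pending = {}  # (client, server) -> [syn_no, synack_no or None]
    completed = []
    for p in packets:
        if p["proto"] != "TCP":
            continue
        flags, key, rev = tcp_flags(p["info"]), (p["src"], p["dst"]), (p["dst"], p["src"])
        if flags == {"SYN"}:
            pending[key] = [p["no"], None]
        elif flags == {"SYN", "ACK"} and rev in pending and pending[rev][1] is None:
            pending[rev][1] = p["no"]
        elif flags == {"ACK"} and key in pending and pending[key][1] is not None:
            syn, synack = pending.pop(key)
            completed.append((syn, synack, p["no"]))
    return completed


def http_exchanges(packets):
    """Pair each HTTP request with the next response flowing back from the server."""
    exchanges, open_requests = [], []
    for p in packets:
        if p["proto"] != "HTTP":
            continue
        words = p["info"].split()
        if words[0].startswith("HTTP/"):  # response line, e.g. "HTTP/1.1 304 Not Modified"
            for i, (no, client, server, method) in enumerate(open_requests):
                if p["src"] == server and p["dst"] == client:
                    exchanges.append((no, p["no"], method, int(words[1])))
                    del open_requests[i]
                    break
        else:
            open_requests.append((p["no"], p["src"], p["dst"], words[0]))
    return exchanges


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print("protocols:", dict(protocol_counts(pkts)))
    print("unfamiliar hosts:", unfamiliar_hosts(pkts, "257.10.3.250", ["mozilla.org", "name.server.com"]))
    print("handshakes:", find_handshakes(pkts))
    print("http:", http_exchanges(pkts))
    print("unexpected in ping sample:", unexpected_protocols(parse_capture(PING_SAMPLE)))
```

On the sample this reports 7 TCP, 2 HTTP and 3 DNS packets, flags tracker.example-unknown.net as the one host outside the known domains, finds the single completed handshake in packets 2, 3 and 4, pairs the GET in packet 5 with the 304 in packet 7, and reports three ICMP packets for the ping sample. The half-open SYN in packet 10 never completes, so it is not reported as a connection, which is exactly the kind of thing worth a second look in a real capture.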