
EXPERIMENT NO.

AIM: Study the following Network Analysis Tools and perform the experiment to understand how each of
them works:
I. NMAP
II. Wireshark

THEORY:

NMAP

Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security
auditing. Many systems and network administrators also find it useful for tasks such as network inventory,
managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets
in novel ways to determine what hosts are available on the network, what services (application name and
version) those hosts are offering, what operating systems (and OS versions) they are running, what type
of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan
large networks, but works fine against single hosts. Nmap runs on all major computer operating systems,
and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic
command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer
(Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan
results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and
Codetalker Digest. It was even featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl
With the Dragon Tattoo, and The Bourne Ultimatum.

Nmap is ...
● Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters,
firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP
& UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
● Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of
machines.
● Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD,
OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
● Easy: While Nmap offers a rich set of advanced features for power users, you can start out as
simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are
available to suit your preference. Binaries are available for those who do not wish to compile
Nmap from source.
● Free: The primary goals of the Nmap Project are to help make the Internet a little more secure and
to provide administrators/auditors/hackers with an advanced tool for exploring their networks.
Nmap is available for free download, and also comes with full source code that you may modify
and redistribute under the terms of the license.
● Well Documented: Significant effort has been put into comprehensive and up-to-date man
pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
● Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of
developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports
and questions should be sent to the nmap-dev list, but only after you read the guidelines. We
recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can
also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode
or EFNet.
● Acclaimed: Nmap has won numerous awards, including "Information Security Product of the
Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of
magazine articles, several movies, dozens of books, and one comic book series. Visit the press
page for further details.
● Popular: Thousands of people download Nmap every day, and it is included with many operating
systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten
(out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends
Nmap its vibrant development and user support communities.

WIRESHARK

Wireshark is a network packet analyzer. A network packet analyzer captures network packets and
displays the packet data in as much detail as possible.

You could think of a network packet analyzer as a measuring device used to examine what’s going on
inside a network cable, just like a voltmeter is used by an electrician to examine what’s going on inside an
electric cable (but at a higher level, of course).
In the past, such tools were either very expensive, proprietary, or both. However, with the advent of
Wireshark, all that has changed.
Wireshark is perhaps one of the best open source packet analyzers available today.
Here are some examples of what people use Wireshark for:

• Network administrators use it to troubleshoot network problems
• Network security engineers use it to examine security problems
• Developers use it to debug protocol implementations
• People use it to learn network protocol internals

Besides these examples, Wireshark can be helpful in many other situations too.
Features:
The following are some of the many features Wireshark provides:

• Available for UNIX and Windows.
• Capture live packet data from a network interface.
• Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a
number of other packet capture programs.
• Import packets from text files containing hex dumps of packet data.
• Display packets with very detailed protocol information.
• Save captured packet data.
• Export some or all packets in a number of capture file formats.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize the packet display based on filters.
• Create various statistics.
Getting Wireshark
You can download Wireshark for Windows or Mac OS X from its official website. If you’re using Linux or
another UNIX-like system, you’ll probably find Wireshark in its package repositories. For example, if
you’re using Ubuntu, you’ll find Wireshark in the Ubuntu Software Center.

Many organizations don’t allow Wireshark and similar tools on their networks. Don’t use this tool at work
unless you have permission.

Once Wireshark is installed, start it up and you'll be presented with the blank screen shown below:

To start a capture, choose Interfaces from the Capture menu. You'll see a pop-up window similar to the
one below:

If you'd like to configure advanced options -- like capturing to a file, resolving MAC addresses and DNS
names, or limiting the time or size of the capture -- click the Options button corresponding to the interface
you wish to configure.
Many of these options can help to improve the performance of Wireshark. For example, you can adjust
settings to avoid name-resolution issues, which will otherwise slow down your capture system and
generate large numbers of name queries. Time and size limits are also useful for bounding unattended
captures.
Otherwise, simply click the Start button next to the name of the interface on which you wish to capture
traffic. The Wireshark screen will immediately begin filling up with traffic seen on the network interface, as
shown below:

Each line in the top pane of the Wireshark window corresponds to a single packet seen on the network.
The default display shows the time of the packet (relative to the initiation of the capture), the source and
destination IP addresses, the protocol used and some information about the packet. You can drill down
and obtain more information by clicking on a row. This causes the bottom two window panes to fill with
information.

The middle pane contains drill-down details on the packet selected in the top pane. The "+" icons reveal
varying levels of detail about each layer of information contained within the packet.
In the example above, I've selected a DNS response packet. I've expanded the DNS response
(application layer) section of the packet to show that the original query was requesting a DNS resolution
for www.cnn.com, and this response is informing us that the available IP addresses include 64.236.91.21.
The bottom window pane shows the contents of the packet in both hexadecimal and ASCII
representations.
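What the middle and bottom panes do for that DNS response is decode a byte string layer by layer and print the same bytes as hex and ASCII. The following Python script is an added example (not code from the original experiment or from the Wireshark project) that does both for the DNS payload only: it constructs a minimal A-record response for www.cnn.com pointing at 64.236.91.21 (the two values from the example above; the transaction ID and TTL are made up), decodes the header, question and answer the way Wireshark's DNS dissector does, and renders a hex/ASCII dump like the bottom pane. Handling of DNS name compression (the 0xc0 pointer byte) is included because real responses almost always use it.

```python
import struct

A_RECORD = 1
CLASS_IN = 1


def build_dns_response(txid, qname, answer_ip, ttl=300):
    """Construct a minimal DNS response (constructed sample, not a real capture):
    header, one question, one A answer whose name is a pointer to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, rcode 0
    question = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                        for lbl in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", A_RECORD, CLASS_IN)
    answer = b"\xc0\x0c"  # compression pointer to the name at offset 12 (start of question)
    answer += struct.pack("!HHIH", A_RECORD, CLASS_IN, ttl, 4)
    answer += bytes(int(octet) for octet in answer_ip.split("."))
    return header + question + answer


def read_name(data, offset):
    """Read a DNS name at `offset`, following compression pointers.
    Returns (dotted name, offset just after the name as it appeared in the stream)."""
    labels = []
    end = None  # set on the first pointer; after a jump the stream position stops advancing
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer: 11xxxxxx xxxxxxxx
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns_response(data):
    """Decode header, questions and answers of a DNS message (A records to dotted quads)."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == A_RECORD and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def hexdump(data, width=16):
    """Render bytes as offset / hex / ASCII lines, like Wireshark's bottom pane."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x}  {hexpart:<{width * 3 - 1}}  {asciipart}")
    return "\n".join(lines)


if __name__ == "__main__":
    pkt = build_dns_response(0x1A2B, "www.cnn.com", "64.236.91.21")
    decoded = parse_dns_response(pkt)
    print("Transaction ID: 0x%04x  response=%s  rcode=%d"
          % (decoded["id"], decoded["is_response"], decoded["rcode"]))
    for name, qtype, qclass in decoded["questions"]:
        print(f"Query:  {name} type={qtype} class={qclass}")
    for name, rtype, ttl, value in decoded["answers"]:
        print(f"Answer: {name} type={rtype} ttl={ttl} -> {value}")
    print(hexdump(pkt))
```

In a live capture the same 45 bytes sit behind Ethernet, IP and UDP headers; Wireshark's "+" icons for those layers correspond to decoding the outer headers first and handing the remaining bytes to a parser like parse_dns_response. Dumping a packet this way and feeding the text back in through Wireshark's hex-dump import is a quick way to check that a hand-built decoder agrees with the dissector.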

Color is your friend when analyzing packets with Wireshark. Notice in the example above that each row is
color-coded. The darker blue rows correspond to DNS traffic, the lighter blue rows are UDP SNMP traffic,
and the green rows signify HTTP traffic.

Wireshark includes a complex color-coding scheme (which you can customize). The default settings
appear below:

CONCLUSION:
We have successfully studied and understood Network Analysis Tools.
