How to identify the users in the network

30 pts.
Tags:
Network design
Network security
Network Topology
Routers
Switches
Wireshark
I am working on my Masters Project in which I am supposed to design a Network Monitoring tool which will identify the users in the network based on their network behavior. I have a network setup with 4 systems connected to a Switch --> Router --> Internet. I connected another system to the same switch which will capture all the packets across the switch in promiscuous mode. Using Wireshark I captured the packets of all the 4 users in the network with 4 different IPs. What are all the possible ways in which I can identify which user is using which system ??

Answer Wiki

Thanks. We'll let you know when a new response is added.

Hm,

interesting project. I am not the best resource here, but I will give it a go. Really tackling this problem will require you to exploit the data gathered from multiple layers of the networking stack, not just one layer.

1) Consider Deep Packet Inspection – you can look into each individual packet and examine the content, and using that you might be able to tell a fair bit about the users. However, AFAIK this is not a cheap method. However, as you are logging all packets, and don’t have to do this in real time, you may be able to find a cheaper solution

2) The obvious stuff – usage patterns, common destination IP’s

The issue here is that you really only have access to the Layer 2 data – MAC data, in this case. I think there might be a way to query stations on a network and get some data about them (not sure what, perhaps protocols they support, or NIC card info, or encryption available) so this might be of some use, if you already know a bit about your users.

I am not sure what you are given in this problem, so you may want to clarify that a bit. If you know nothing at the beginning, and have to identify users, that is a much harder problem than if you are given a list of users, and some info about the computer of each user.

3) If you want a humorous solution, you could simply disable the MAC’s one by one and see who storms out of their office ;)

Also, one thing of interest to me is this – “I connected another system to the same switch which will capture all the packets across the switch in promiscuous mode.” Sounds like you are using a hub, not a switch. A hub emulates a typical LAN, meaning that all packets get sent to all stations and anyone in promiscuous mode can pick them up. However, a switch creates a virtual circuit between any two stations communicating, so no one can eavesdrop(it’s actually for performance reasons, but it also prevents eavesdropping).
So unless your sniffer is sitting between the switch and the router, or you are using a hub, then you cannot capture everyone’s packets. Note that if your sniffer is sitting between the hub and the router, then you cannot see communication between two stations on the network, as that only goes as far as the switch, and never to the router (as it has no need).

It seems like you really need to find some software that will help you dismantle the MAC frames. Also, you will probably want to see if there is any software to break SSL encryption, so you can possibly capture usernames/passwords being sent to the internet.

Sorry for such a long answer, HTHs!

crabpot

Discuss This Question: 3  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Robert Stewart
    Quick question does Wireshark give both destintation ip and originating source ip of the machine making the request?? I believe this to be the case. if so you could first make a list or table of IP's already assigned to the pc's or clients. In this case I would probably try to assign the pc's, clients, workstations, static IP's. Is it possible for you to assign static ips to the workstations. If so you could print the list of static ip's for the workstations then compare the ip's from there to the traffic you are seeing in Wireshark. Of course you will have to know which static ip goes with which machine or user. Another tool which could be helpful determining which user is assigned to an ip would be angry ip, it will give you ip and computer name. I hope this helps you out, you seem to have the hard part done.
    1,810 pointsBadges:
    report
  • CRagsdale32
    Users (Hosts) can be recongnized by 1. their MAC address, and 2. Their IP. the first is simple to recognize and in an small office environment where IP address are more than likely statically set, Both 1 and 2 will be easy to track with any monitoring tool either custom designed as I understand what you have written, or as one you have found on the market. In an Enterprise environment, IP addresses will typically be DHCP for the majority of Hosts/Users, with Printers, routers and other network equipment being statically set. MAC address monitoring is still viable here, but tracing IP addreses and packets/frames moving around the network by IP address is a bit more involved and more difficult. Just something to think about.
    755 pointsBadges:
    report
  • Robert Stewart
    I agree Ragsdale32, static will be the easy way to do this IMHO. With only 4 workstations, and static ip's, I think he already has the hard work done.
    1,810 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following