Book description

It's easy enough to install Wireshark and begin capturing packets off the wire, or from the air. But how do you interpret those packets once you've captured them? And how can those packets help you to better understand what's going on under the hood of your network? Practical Packet Analysis shows how to use Wireshark to capture and then analyze packets as you take an in-depth look at real-world packet analysis and network troubleshooting, the way the pros do it.

Wireshark (derived from the Ethereal project) has become the world's most popular network sniffing application. But while Wireshark comes with documentation, there's not a whole lot of information to show you how to use it in real-world scenarios. Practical Packet Analysis shows you how to:

  • Use packet analysis to tackle common network problems, such as loss of connectivity, slow networks, malware infections, and more

  • Build customized capture and display filters

  • Tap into live network communication

  • Graph traffic patterns to visualize the data flowing across your network

  • Use advanced Wireshark features to understand confusing packets

  • Build statistics and reports to help you better explain technical network information to non-technical users

Because net-centric computing requires a deep understanding of network communication at the packet level, Practical Packet Analysis is a must-have for any network technician, administrator, or engineer troubleshooting network problems of any kind.

Table of Contents

  1. Practical Packet Analysis
    1. ACKNOWLEDGMENTS
    2. Introduction
      1. Why This Book?
      2. Concepts and Approach
      3. How to Use This Book
      4. About the Example Capture Files
    3. 1. PACKET ANALYSIS AND NETWORK BASICS
      1. What Is Packet Analysis?
      2. Evaluating a Packet Sniffer
        1. Supported Protocols
        2. User Friendliness
        3. Cost
        4. Program Support
        5. Operating System Support
      3. How Packet Sniffers Work
        1. Collection
        2. Conversion
        3. Analysis
      4. How Computers Communicate
        1. Networking Protocols
        2. The Seven-Layer OSI Model
          1. The Application Layer
          2. The Presentation Layer
          3. The Session Layer
          4. The Transport Layer
          5. The Network Layer
          6. The Data Link Layer
          7. The Physical Layer
        3. Protocol Interaction
        4. Data Encapsulation
        5. The Protocol Data Unit
        6. Network Hardware
          1. Hubs
          2. Switches
          3. Routers
        7. Traffic Classifications
          1. Broadcast Traffic
          2. Multicast Traffic
          3. Unicast Traffic
          4. Broadcast Domains
    4. 2. TAPPING INTO THE WIRE
      1. Living Promiscuously
      2. Sniffing Around Hubs
      3. Sniffing in a Switched Environment
        1. Port Mirroring
        2. Hubbing Out
        3. ARP Cache Poisoning
        4. Using Cain & Abel
      4. Sniffing in a Routed Environment
      5. Network Maps
    5. 3. INTRODUCTION TO WIRESHARK
      1. A Brief History of Wireshark
      2. The Benefits of Wireshark
        1. Supported Protocols
        2. User Friendliness
        3. Cost
        4. Program Support
        5. Operating System Support
      3. Installing Wireshark
        1. System Requirements
        2. Installing on Windows Systems
        3. Installing on Linux Systems
          1. RPM-based Systems
          2. DEB-based Systems
      4. Wireshark Fundamentals
        1. Your First Packet Capture
        2. The Main Window
          1. Packet List Pane
          2. Packet Details Pane
          3. Packet Bytes Pane
        3. The Preferences Dialog
          1. User Interface
          2. Capture
          3. Printing
          4. Name Resolution
          5. Protocols
        4. Packet Color Coding
    6. 4. WORKING WITH CAPTURED PACKETS
      1. Finding and Marking Packets
        1. Finding Packets
        2. Marking Packets
      2. Saving and Exporting Capture Files
        1. Saving Capture Files
        2. Exporting Capture Data
      3. Merging Capture Files
      4. Printing Packets
      5. Time Display Formats and References
        1. Time Display Formats
        2. Packet Time Referencing
      6. Capture and Display Filters
        1. Capture Filters
        2. Display Filters
        3. The Filter Expression Dialog (the Easy Way)
        4. The Filter Expression Syntax Structure (the Hard Way)
          1. Filtering Specific Protocols
          2. Comparison Operators
          3. Logical Operators
          4. Sample Filter Expressions
        5. Saving Filters
    7. 5. ADVANCED WIRESHARK FEATURES
      1. Name Resolution
        1. Types of Name Resolution Tools in Wireshark
          1. MAC Name Resolution
          2. Network Name Resolution
          3. Transport Name Resolution
        2. Enabling Name Resolution
        3. Potential Drawbacks to Name Resolution
      2. Protocol Dissection
      3. Following TCP Streams
      4. The Protocol Hierarchy Statistics Window
      5. Viewing Endpoints
      6. Conversations
      7. The IO Graphs Window
    8. 6. COMMON PROTOCOLS
      1. Address Resolution Protocol
      2. Dynamic Host Configuration Protocol
      3. TCP/IP and HTTP
        1. TCP/IP
        2. Establishing the Session
          1. The SYN Packet
          2. SYN/ACK, the Server Response
          3. The Final ACK Packet
        3. Beginning the Flow of Data
        4. HTTP Request and Transmission
        5. Terminating the Session
      4. Domain Name System
      5. File Transfer Protocol
        1. CWD Command
        2. SIZE Command
        3. RETR Command
      6. Telnet Protocol
      7. MSN Messenger Service
      8. Internet Control Message Protocol
      9. Final Thoughts
    9. 7. BASIC CASE SCENARIOS
      1. A Lost TCP Connection
      2. Unreachable Destinations and ICMP Codes
        1. Unreachable Destination
        2. Unreachable Port
      3. Fragmented Packets
        1. Determining Whether a Packet Is Fragmented
        2. Keeping Things in Order
      4. No Connectivity
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
      5. The Ghost in Internet Explorer
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
      6. Inbound FTP
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
      7. It's Not My Fault!
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
      8. An Evil Program
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
          1. Filtering out the Good
          2. Remote Connection Attempts
          3. Closing In on the Problem
        4. Summary
      9. Final Thoughts
    10. 8. FIGHTING A SLOW NETWORK
      1. Anatomy of a Slow Download
      2. A Slow Route
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
      3. Double Vision
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
      4. Did That Server Flash Me?
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
      5. A Torrential Downfall
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
      6. POP Goes the Email Server
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
      7. Here's Something Gnu
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
      8. Final Thoughts
    11. 9. SECURITY-BASED ANALYSIS
      1. OS Fingerprinting
      2. A Simple Port Scan
      3. The Flooded Printer
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
      4. An FTP Break-In
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
      5. Blaster Worm
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
      6. Covert Information
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
      7. A Hacker's Point of View
        1. What We Know
        2. Tapping into the Wire
        3. Analysis
        4. Summary
    12. 10. SNIFFING INTO THIN AIR
      1. Sniffing One Channel at a Time
      2. Wireless Signal Interference
      3. Wireless Card Modes
      4. Sniffing Wirelessly in Windows
        1. Configuring AirPcap
        2. Capturing Traffic with AirPcap
      5. Sniffing Wirelessly in Linux
      6. 802.11 Packet Extras
        1. 802.11 Flags
        2. The Beacon Frame
      7. Wireless-Specific Columns
      8. Wireless-Specific Filters
        1. Filtering Traffic for a Specific BSS Id
        2. Filtering Specific Wireless Packet Types
        3. Filtering Specific Data Types
      9. A Bad Connection Attempt
        1. What We Know
        2. Tapping into the Wire Air
        3. Analysis
        4. Summary
      10. Final Thoughts
    13. 11. FURTHER READING
    14. AFTERWORD
    15. About the Authors
    16. COLOPHON