Jay Beale’s Open Source Security Series: Wireshark & Ethereal Network Protocol Analyzer Toolkit

Book Description

Wireshark & Ethereal Network Protocol Analyzer Toolkit provides the reader with a completely integrated book and companion Web site for analyzing network traffic with Ethereal (now Wireshark), the world's most popular network protocol analyzer on Windows, Unix, and Apple OS X. The book covers everything from the fundamentals of protocol analysis, to analyzing real-world malicious code, to programming advanced protocol dissectors. The companion Web site offers dozens of working tools and scripts created for this book. The book provides complete information and step-by-step instructions for analyzing protocols and network traffic on Windows, Unix, or Mac OS X networks.

First, readers learn about the types of sniffers available today and the benefits of using Ethereal. Readers then learn to install Ethereal in multiple environments, including Windows, Unix, and Mac OS X, as well as how to build Ethereal from source, and are guided through Ethereal's graphical user interface. The following sections teach readers to use Ethereal's command-line options and to use Tethereal (TShark) to capture live packets from the wire or to read saved capture files. This section also details how to import and export files between Ethereal and WinDump, Snort, Snoop, Microsoft Network Monitor, and EtherPeek. The book then teaches the reader to master advanced tasks such as creating subtrees, displaying bitfields in a graphical view, and tracking request and reply packet pairs, and offers exclusive coverage of MATE, Ethereal's brand-new configurable upper-level analysis engine. The final section teaches readers to enable Ethereal to read new data sources, program their own protocol dissectors, and create and customize Ethereal reports.

Table of Contents

  1. Copyright
  2. Visit us at: www.syngress.com
  3. Acknowledgments
  4. About the CD
  5. Lead Author
  6. Technical Editor and Contributing Author
  7. Contributing Authors
  8. Series Editor
  9. 1. Introducing Network Analysis
    1. Introduction
    2. What Is Network Analysis and Sniffing?
    3. Who Uses Network Analysis?
      1. How Are Intruders Using Sniffers?
      2. What Does Sniffed Data Look Like?
      3. Common Network Analyzers
    4. How Does It Work?
      1. Explaining Ethernet
      2. Understanding the Open Systems Interconnection Model
        1. Layer 1: Physical
        2. Layer 2: Data Link
          1. The MAC Sublayer
          2. The LLC Sublayer
        3. Layer 3: Network
        4. Layer 4: Transport
        5. Layer 5: Session
        6. Layer 6: Presentation
        7. Layer 7: Application
      3. CSMA/CD
      4. The Major Protocols: IP, TCP, UDP, and ICMP
        1. IP
        2. Internet Control Message Protocol
        3. TCP
          1. The TCP Handshake
          2. TCP Sequence
        4. UDP
      5. Hardware: Cable Taps, Hubs, and Switches
      6. Port Mirroring
      7. Defeating Switches
    5. Detecting Sniffers
    6. Sniffing Wireless
      1. Hardware Requirements
      2. Software
    7. Protocol Dissection
      1. DNS
      2. NTP
      3. HTTP
      4. SMTP
    8. Protecting Against Sniffers
    9. Network Analysis and Policy
    10. Summary
    11. Solutions Fast Track
      1. What is Network Analysis and Sniffing?
      2. Who Uses Network Analysis?
      3. How Does it Work?
      4. Detecting Sniffers
      5. Protocol Dissection
      6. Protecting Against Sniffers
      7. Network Analysis and Policy
    12. Frequently Asked Questions
  10. 2. Introducing Wireshark: Network Protocol Analyzer
    1. Introduction
    2. What is Wireshark?
      1. History of Wireshark
      2. Compatibility
      3. Supported Protocols
      4. Wireshark’s User Interface
      5. Filters
      6. Great Resources
    3. Supporting Programs
      1. Tshark
      2. Editcap
      3. Mergecap
      4. Text2pcap
    4. Using Wireshark in Your Network Architecture
    5. Using Wireshark for Network Troubleshooting
    6. Using Wireshark for System Administration
      1. Checking for Network Connectivity
      2. Checking for Application Network Availability
        1. Scenario 1: SYN no SYN+ACK
        2. Scenario 2: SYN immediate response RST
        3. Scenario 3: SYN SYN+ACK ACK Connection Closed
    7. Using Wireshark for Security Administration
      1. Detecting Internet Relay Chat Activity
      2. Wireshark As a Network Intrusion Detection System
      3. Wireshark as a Detector for Proprietary Information Transmission
    8. Securing Ethereal
    9. Optimizing Wireshark
      1. Network Link Speed
      2. Minimizing Wireshark Extras
      3. CPU
      4. Memory
    10. Advanced Sniffing Techniques
      1. Dsniff
      2. Ettercap
      3. MITM Attacks
      4. Cracking
      5. Switch Tricks
        1. ARP Spoofing
        2. MAC Flooding
      6. Routing Games
    11. Securing Your Network from Sniffers
      1. Using Encryption
        1. SSH
        2. SSL
        3. Pretty Good Privacy and Secure/Multipurpose Internet Mail Extensions
      2. Switching
    12. Employing Detection Techniques
      1. Local Detection
      2. Network Detection
        1. DNS Lookups
        2. Latency
        3. Driver Bugs
        4. NetMon
    13. Summary
    14. Solutions Fast Track
      1. What is Wireshark?
      2. Supporting Programs
      3. Using Wireshark in Your Network Architecture
      4. System and Security Troubleshooting
      5. Securing and Optimizing Wireshark
      6. Advanced Sniffing Techniques
      7. Securing Your Network from Sniffers
      8. Employing Detection Techniques
    15. Frequently Asked Questions
  11. 3. Getting and Installing Wireshark
    1. Introduction
    2. Getting Wireshark
      1. Platforms and System Requirements
    3. Packet Capture Drivers
      1. Installing libpcap
        1. Installing libpcap Using the RPMs
        2. Installing libpcap from the Source Files
      2. Installing WinPcap
    4. Installing Wireshark on Windows
    5. Installing Wireshark on Linux
      1. Installing Wireshark from the RPMs
    6. Installing Wireshark on Mac OS X
      1. Installing Wireshark on Mac OS X from Source
      2. Installing Wireshark on Mac OS X Using DarwinPorts
      3. Installing Wireshark on Mac OS X Using Fink
    7. Installing Wireshark from Source
      1. Enabling and Disabling Features via configure
    8. Summary
    9. Solutions Fast Track
      1. Getting Wireshark
      2. Packet Capture Drivers
      3. Installing Wireshark on Windows
      4. Installing Wireshark on Linux
      5. Installing Wireshark on Mac OS X
      6. Installing Wireshark from Source
    10. Frequently Asked Questions
  12. 4. Using Wireshark
    1. Introduction
    2. Getting Started with Wireshark
    3. Exploring the Main Window
      1. Summary Window
      2. Protocol Tree Window
      3. Data View Window
    4. Other Window Components
      1. Filter Bar
      2. Information Field
      3. Display Information Field
    5. Exploring the Menus
      1. File
        1. Open
        2. Save As
        3. Print
      2. Edit
        1. Find Packet
        2. Set Time Reference (toggle)
        3. Preferences
      3. View
        1. Time Display Information
        2. Auto Scroll in Live Capture
        3. Apply Color Filters
        4. Show Packet in New Window
      4. Go
        1. Go To Packet
      5. Capture
        1. Capture Interfaces
        2. Capture Options
          1. Ring Buffer Captures
        3. Edit Capture Filter List
      6. Analyze
        1. Edit Display Filter List
        2. “Apply as Filter” and “Prepare a Filter” Submenus
        3. Enabled Protocols
        4. Decode As
        5. Decode As: Show
        6. Follow TCP Stream and Follow SSL Stream
        7. Expert Info and Expert Info Composite
      7. Statistics
        1. Summary
        2. Protocol Hierarchy
        3. TCP Stream Graph Submenu
          1. RTT Graph
          2. Throughput Graph
          3. Time-sequence Graph (Stevens)
          4. Time-Sequence Graph (tcptrace)
          5. Throughput Graph
          6. Graph Control
      8. Help
        1. Contents
        2. Supported Protocols
        3. Manual Pages Submenu
        4. Wireshark Online Submenu
        5. About Wireshark
      9. Pop-up Menus
        1. Summary Window Pop-up Menu
        2. Protocol Tree Window Pop-up Menu
        3. Data View Window Pop-up Menu
    6. Using Command-line Options
      1. Capture and File Options
      2. Filter Options
      3. Other Options
    7. Summary
    8. Solutions Fast Track
      1. Getting started with Wireshark
      2. Exploring the Main Windows
      3. Other Window Components
      4. Exploring the Menus
      5. Using Command-line Options
    9. Frequently Asked Questions
  13. 5. Filters
    1. Introduction
    2. Writing Capture Filters
      1. tcpdump Syntax Explained
        1. Host Names and Addresses
        2. Hardware Addresses
        3. Ports
        4. Logical Operations
        5. Protocols
        6. Protocol Fields
        7. Bitwise Operators
        8. Packet Size
      2. Examples
        1. Using Capture Filters
    3. Writing Display Filters
      1. Writing Expressions
        1. Integers
        2. Booleans
        3. Floating Point Numbers
        4. Strings
          1. Regular Expressions
        5. Byte Sequences
        6. Addresses
        7. Time Fields
        8. Other Field Types
        9. Ranges
        10. Logical Operators
        11. Functions
        12. Multiple Occurrences of Fields
        13. Hidden Fields
    4. Summary
    5. Solutions Fast Track
      1. Writing Capture Filters
      2. Writing Display Filters
    6. Frequently Asked Questions
  14. 6. Wireless Sniffing with Wireshark
    1. Introduction
    2. Challenges of Sniffing Wireless
      1. Selecting a Static Channel
      2. Using Channel Hopping
      3. Range in Wireless Networks
      4. Interference and Collisions
    3. Recommendations for Sniffing Wireless
    4. Understanding Wireless Card Modes
    5. Getting Support for Monitor Mode - Linux
      1. Linux Wireless Extensions Compatible Drivers
      2. MADWIFI 0.9.1 Driver Configuration
    6. Capturing Wireless Traffic - Linux
      1. Starting a Packet Capture - Linux
    7. Getting Support for Monitor Mode - Windows
      1. Introducing AirPcap
      2. Specifying the Capture Channel
    8. Capturing Wireless Traffic - Windows
    9. Analyzing Wireless Traffic
      1. Navigating the Packet Details Window
        1. Frame Statistics
        2. IEEE 802.11 Header
      2. Leveraging Display Filters
        1. Traffic for a Specific Basic Service Set
          1. Identify the Station MAC Address
          2. Filter for Station MAC
          3. Filter on BSSID
        2. Traffic for a Specific Extended Service Set
          1. Filter on SSID
          2. Exclude Each BSSID
          3. Invert Filter
        3. Data Traffic Only
        4. Unencrypted Data Traffic Only
        5. Identifying Hidden SSIDs
        6. Examining EAP Exchanges
          1. Identifying the EAP type
          2. Evaluating Username Disclosure
          3. Identifying EAP Authentication Failures
          4. Identifying Key Negotiation Properties
        7. Identifying Wireless Encryption Mechanisms
          1. Identifying WEP
          2. Identifying TKIP and CCMP
          3. Identifying IPSec/VPN
      3. Leveraging Colorized Packet Displays
        1. Marking From DS and To DS
        2. Marking Interfering Traffic
        3. Marking Retries
      4. Adding Informative Columns
      5. Decrypting Traffic
    10. Real-world Wireless Traffic Captures
      1. Identifying a Station’s Channel
        1. Introduction
        2. Systems Affected
        3. Breakdown and Analysis
      2. Wireless Connection Failures
        1. Introduction
        2. Systems Affected
        3. Breakdown and Analysis
          1. Capture 1
          2. Capture 2
          3. Capture 3
      3. Wireless Network Probing
        1. Introduction
        2. Systems Affected
        3. Breakdown and Analysis
      4. EAP Authentication Account Sharing
        1. Introduction
        2. Systems Affected
        3. Breakdown and Analysis
      5. IEEE 802.11 DoS Attacks
        1. Introduction
        2. Systems Affected
        3. Breakdown and Analysis
      6. IEEE 802.11 Spoofing Attacks
        1. Introduction
        2. Systems Affected
        3. Breakdown and Analysis
      7. Malformed Traffic Analysis
        1. Introduction
        2. Systems Affected
        3. Breakdown and Analysis
          1. Capture 1
    11. Summary
    12. Solutions Fast Track
      1. Techniques for Effective Wireless Sniffing
      2. Understanding Wireless Card Operating Modes
      3. Configuring Linux for Wireless Sniffing
      4. Configuring Windows for Wireless Sniffing
      5. Using Wireless Protocol Dissectors
      6. Useful Wireless Display Filters
      7. Leveraging Wireshark Wireless Analysis Features
    13. Frequently Asked Questions
  15. 7. Real World Packet Captures
    1. Introduction
    2. Scanning
      1. TCP Connect Scan
      2. SYN Scan
      3. XMAS Scan
      4. Null Scan
    3. Remote Access Trojans
      1. SubSeven Legend
      2. NetBus
      3. RST.b
    4. Dissecting Worms
      1. SQL Slammer Worm
      2. Code Red Worm
        1. Code Red Details
        2. Code Red Capture Overview
        3. Detailed CodeRed_Stage1 Capture Analysis
        4. Detailed CodeRed_Stage2 Capture Analysis
        5. References
      3. Ramen Worm
    5. Active Response
    6. Summary
    7. Solutions Fast Track
      1. Scanning
      2. Remote Access Trojans
      3. Dissecting Worms
      4. Active Response
    8. Frequently Asked Questions
  16. 8. Developing Wireshark
    1. Introduction
    2. Prerequisites for Developing Wireshark
      1. Skills
      2. Tools/Libraries
    3. Other Developer Resources
      1. The Wireshark Wiki
        1. The Wireshark Wish List
        2. The Wireshark Mailing List
        3. Wireshark Design
      2. .svn
      3. aclocal-fallback and autom4te.cache
      4. ASN1 Directory
      5. Debian Directory
      6. Diameter Directory
      7. doc Directory
      8. DocBook
      9. dtds Definition
      10. epan Directory
      11. gtk Directory
      12. gtk2.tmp Directory
      13. Help Directory
      14. IDL Directory
      15. Image Directory
      16. Packaging Directory
      17. Plug-ins
      18. Radius Directory
      19. Test Directory
      20. Tools Directory
      21. Wiretap Directory
    4. Developing a Dissector
      1. Step 1 Copy the Template
      2. Step 2 Define the Includes
      3. Step 3 Create the Function to Register
      4. Step 4 Instruct Wireshark
      5. Step 5 Create the Dissector
      6. Step 6 Pass Payloads
    5. Running a Dissector
      1. The Dissection Process
    6. Advanced Topics
      1. Dissector Considerations
        1. Creating Subtrees
        2. Bitfields
        3. Unicode Strings
        4. Conversations
        5. Packet Retransmissions
        6. Passing Data Between Dissectors
        7. Saving Preference Settings
        8. Packet Fragmentation
        9. Value Strings
        10. The Expert TAP
        11. Debugging Your Dissector
      2. The Wireshark GUI
        1. The Item Factory
        2. Using GTK
      3. TAPs
      4. Plug-ins
    7. Summary
    8. Solutions Fast Track
      1. Prerequisites for Developing Wireshark
      2. Wireshark Design
      3. Developing a Dissector
      4. Advanced Topics
    9. Frequently Asked Questions
  17. 9. Other Programs Packaged with Wireshark
    1. Introduction
    2. TShark
      1. TShark Statistics
        1. Protocol Hierarchy Statistics
        2. Protocol Statistics by Interval
        3. Conversation Statistics
        4. Packet Length Distribution
        5. Destinations Tree
        6. Packet Summary Columns
        7. SIP Statistics
        8. H.225 Counters
        9. H.225 Service Response Time
        10. Media Gateway Control Protocol Round Trip Delay
        11. SMB Round Trip Data
        12. SMB Security Identifier Name Snooping
        13. BOOTP Statistics
        14. HTTP Statistics
        15. HTTP Tree Statistics
        16. HTTP Request Statistics
    3. editcap
    4. mergecap
    5. text2pcap
    6. capinfos
    7. dumpcap
    8. Summary
    9. Solutions Fast Track
      1. TShark
      2. editcap
      3. mergecap
      4. text2pcap
      5. Capinfos
      6. dumpcap
    10. Frequently Asked Questions