Network Analysis Using Wireshark Cookbook

Book Description

This book is a practical ally in troubleshooting your network with Wireshark, the world's most widely used network protocol analyzer. More than 100 recipes focus on real-life situations and help you resolve the problems you encounter on your own network.

  • Place Wireshark in your network and configure it for effective network analysis

  • Configure capture and display filters to get the required data

  • Use Wireshark’s powerful statistical tools to analyze your network and its expert system to pinpoint network problems

In Detail

Is your network slow? Are your users complaining? Disconnections? IP telephony problems? Video freezes? Network analysis is the process of isolating such problems and fixing them, and Wireshark has long been the most popular network analyzer for the job. Based on hundreds of solved cases, Network Analysis Using Wireshark Cookbook provides practical recipes for analyzing and troubleshooting your network with Wireshark.

The book explains how Wireshark operates as a network analyzer and gives you a set of step-by-step recipes for solving problems on your network.

It starts by covering the capabilities of Wireshark, such as its statistical tools and expert system, capture and display filters, and how to use them. It then guides you through the main networking protocols (Ethernet, LAN switching, and TCP/IP) before turning to application protocols and their behavior over the network. Among the application protocols discussed are standard Internet protocols such as HTTP, mail protocols, FTP, and DNS, along with the behavior of databases, terminal server clients, Citrix, and other applications common in IT environments.

Following a bottom-up troubleshooting approach, the book works up through the layers of the OSI reference model, explaining how to resolve networking problems at each one. It starts with Ethernet and LAN switching, moves on to IP, and then to TCP/UDP with a focus on TCP performance problems; wireless LAN (Wi-Fi) problems are also covered. It then addresses application behavior issues in HTTP, mail, DNS, and other common protocols. The book finishes with a look at network forensics: how to search a capture for security problems such as scans, ARP-based attacks, DoS attacks, and brute-force attempts that might harm the network.
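As a worked illustration of that last point, here is an added example that is not code from the book: a small Python script that dissects a classic libpcap file down to the TCP flags, applies the equivalent of the Wireshark display filter "tcp.flags.syn == 1 && tcp.flags.ack == 0" (which the capture-filter syntax expresses as "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"), and reports any source that sends bare SYNs to many distinct ports on one host, the classic port-scan pattern covered in the security chapter. The capture it reads is constructed inline; the addresses, ports, and the ten-port threshold are assumptions chosen for the example.

```python
import struct
from collections import defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Build one Ethernet/IPv4/TCP frame. Checksums are left at zero; the
    dissector below does not validate them, as Wireshark also does not by default."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in the classic libpcap format (magic 0xA1B2C3D4, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def dissect_frame(frame):
    """Return Wireshark-style field names for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ver_ihl, _tos, _tl, _id, _fo, _ttl, proto, _cs, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", frame, 14)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(frame) < 14 + ihl + 20:
        return None
    sport, dport, _seq, _ack, _off, flags = struct.unpack_from("!HHIIBB", frame, 14 + ihl)
    return {
        "ip.src": ".".join(map(str, src)),
        "ip.dst": ".".join(map(str, dst)),
        "tcp.srcport": sport,
        "tcp.dstport": dport,
        "tcp.flags.syn": bool(flags & TCP_SYN),
        "tcp.flags.ack": bool(flags & TCP_ACK),
    }


def parse_pcap(data):
    """Walk the pcap records and dissect each frame into a field dictionary."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian, microsecond-resolution pcap is handled here")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = dissect_frame(data[off:off + incl_len])
        off += incl_len
        if pkt is not None:
            pkt["frame.time"] = ts_sec + ts_usec / 1e6
            packets.append(pkt)
    return packets


def syn_only(pkt):
    """Equivalent of the display filter  tcp.flags.syn == 1 && tcp.flags.ack == 0
    (capture-filter form: tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn)."""
    return pkt["tcp.flags.syn"] and not pkt["tcp.flags.ack"]


def find_syn_scanners(packets, min_ports=10):
    """One source sending bare SYNs to many distinct ports on one host is the
    classic SYN port-scan signature. min_ports is an assumed threshold."""
    ports = defaultdict(set)
    for pkt in packets:
        if syn_only(pkt):
            ports[(pkt["ip.src"], pkt["ip.dst"])].add(pkt["tcp.dstport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


# Constructed sample capture (not a real trace): one legitimate three-way handshake
# from 10.0.0.5, then 10.0.0.66 probing ports 20-40 on the same server with bare SYNs.
SAMPLE_PCAP = build_pcap(
    [build_frame("10.0.0.5", "192.168.1.10", 51000, 80, TCP_SYN),
     build_frame("192.168.1.10", "10.0.0.5", 80, 51000, TCP_SYN | TCP_ACK),
     build_frame("10.0.0.5", "192.168.1.10", 51000, 80, TCP_ACK)]
    + [build_frame("10.0.0.66", "192.168.1.10", 40000 + i, port, TCP_SYN)
       for i, port in enumerate(range(20, 41))]
)

if __name__ == "__main__":
    for (src, dst), ports in find_syn_scanners(parse_pcap(SAMPLE_PCAP)).items():
        print(f"{src} -> {dst}: {len(ports)} ports probed, e.g. {ports[:5]}")
```

The legitimate client shows up under the same filter (its first SYN is also a bare SYN), which is why the detection keys on the number of distinct destination ports per source/destination pair rather than on the flag alone; in a real capture you would also want to confirm that the probed ports answered with RST or SYN/ACK and that no handshake completed.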

Table of Contents

    1. Network Analysis Using Wireshark Cookbook
      1. Table of Contents
      2. Network Analysis Using Wireshark Cookbook
      3. Credits
      4. About the Author
      5. Acknowledgments
      6. About the Reviewers
      7. www.PacktPub.com
        1. Support files, eBooks, discount offers and more
          1. Why Subscribe?
          2. Free Access for Packt account holders
      8. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Piracy
          2. Questions
      9. 1. Introducing Wireshark
        1. Introduction
        2. Locating Wireshark
          1. Getting ready
          2. How to do it...
            1. Monitoring a server
            2. Monitoring a router
            3. Monitoring a firewall
          3. How it works...
          4. There's more...
          5. See also
        3. Starting the capture of data
          1. Getting ready
          2. How to do it...
            1. How to choose the interface to start the capture
            2. How to configure the interface you capture data from
          3. How it works...
          4. There's more...
          5. See also
        4. Configuring the start window
          1. Getting ready
            1. Main Toolbar
            2. Display Filter Toolbar
            3. Status Bar
          2. How to do it...
            1. Configuring toolbars
            2. Configuring the main window
            3. Name Resolution
            4. Colorizing the packet list
            5. Auto scrolling in live capture
        5. Using time values and summaries
          1. Getting ready
          2. How to do it...
          3. How it works...
        6. Configuring coloring rules and navigation techniques
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. See also
        7. Saving, printing, and exporting data
          1. Getting ready
          2. How to do it...
            1. Saving data in various formats
            2. How to print data
          3. How it works...
        8. Configuring the user interface in the Preferences menu
          1. Getting ready
          2. How to do it...
            1. Changing and adding columns
            2. Changing the capture configuration
            3. Configuring the name resolution
          3. How it works...
        9. Configuring protocol preferences
          1. Getting ready
          2. How to do it...
            1. Configuring of IPv4 and IPv6 Preferences
            2. Configuring TCP and UDP
          3. How it works...
          4. There's more...
      10. 2. Using Capture Filters
        1. Introduction
        2. Configuring capture filters
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        3. Configuring Ethernet filters
          1. Getting ready
          2. How to do it...
          3. How it works…
          4. There's more...
          5. See also
        4. Configuring host and network filters
          1. Getting ready
          2. How to do it...
          3. How it works…
          4. There's more...
          5. See also
        5. Configuring TCP/UDP and port filters
          1. Getting ready
          2. How to do it...
          3. How it works…
          4. There's more...
          5. See also
        6. Configuring compound filters
          1. Getting ready
          2. How to do it...
          3. How it works…
          4. There's more...
          5. See also
        7. Configuring byte offset and payload matching filters
          1. Getting ready
          2. How to do it...
          3. How it works…
          4. There's more...
          5. See also
      11. 3. Using Display Filters
        1. Introduction
        2. Configuring display filters
          1. Getting ready
          2. How to do it...
            1. Choosing from the filters menu
            2. Writing the syntax directly into the display filter window
            3. Choosing a parameter in the packet pane and defining it as a filter
          3. How it works...
          4. There's more...
            1. What is the parameter we filter?
            2. Adding a parameter column
            3. Saving the displayed data
        3. Configuring Ethernet, ARP, host, and network filters
          1. Getting ready
          2. How to do it...
            1. Ethernet filters
            2. ARP filters
            3. IP and ICMP filters
            4. Complex filters
          3. How it works...
            1. Ethernet broadcasts
            2. IPv4 multicasts
            3. IPv6 multicasts
          4. See also
        4. Configuring TCP/UDP filters
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        5. Configuring specific protocol filters
          1. Getting ready
          2. How to do it...
            1. HTTP display filters
            2. DNS display filters
            3. FTP display filters
          3. How it works...
          4. See also
        6. Configuring substring operator filters
          1. Getting ready
          2. How to do it...
          3. How it works...
        7. Configuring macros
          1. Getting ready
          2. How to do it...
          3. How it works...
      12. 4. Using Basic Statistics Tools
        1. Introduction
        2. Using the Summary tool from the Statistics menu
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        3. Using the Protocol Hierarchy tool from the Statistics menu
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        4. Using the Conversations tool from the Statistics menu
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Ethernet conversations statistics
            2. IP conversations statistics
            3. TCP/UDP conversations statistics
        5. Using the Endpoints tool from the Statistics menu
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        6. Using the HTTP tool from the Statistics menu
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        7. Configuring Flow Graph for viewing TCP flows
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        8. Creating IP-based statistics
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
      13. 5. Using Advanced Statistics Tools
        1. Introduction
        2. Configuring IO Graphs with filters for measuring network performance issues
          1. Getting ready
          2. How to do it...
            1. Filter configuration
            2. X-Axis configuration
            3. Y-Axis configuration
          3. How it works...
          4. There's more...
        3. Throughput measurements with IO Graph
          1. Getting ready
          2. How to do it...
            1. Measuring throughput between end devices
            2. Measuring application throughput
          3. How it works...
          4. There's more...
            1. Graph SMS usage – finding SMS messages sent by a specific subscriber
            2. Graphing number of accesses to the Google web page
        4. Advanced IO Graph configurations with advanced Y-Axis parameters
          1. Getting ready
          2. How to do it...
            1. How to monitor inter-frame time delta statistics
            2. How to monitor the number of TCP retransmissions in a stream
            3. How to monitor a number of field appearances
          3. How it works...
          4. There's more...
        5. Getting information through TCP stream graphs – the Time-Sequence (Stevens) window
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        6. Getting information through TCP stream graphs – the Time-Sequence (tcp-trace) window
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        7. Getting information through TCP stream graphs – the Throughput Graph window
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        8. Getting information through TCP stream graphs – the Round Trip Time window
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        9. Getting information through TCP stream graphs – the Window Scaling Graph window
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
      14. 6. Using the Expert Infos Window
        1. Introduction
        2. The Expert Infos window and how to use it for network troubleshooting
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        3. Error events and understanding them
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        4. Warning events and understanding them
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        5. Notes events and understanding them
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
      15. 7. Ethernet, LAN Switching, and Wireless LAN
        1. Introduction
        2. Discovering broadcast and error storms
          1. Getting ready
          2. How to do it...
            1. Spanning Tree Problems
            2. A device that generates Broadcasts
            3. Fixed pattern broadcasts
          3. How it works...
          4. There's more…
          5. See also
        3. Analyzing Spanning Tree Protocols
          1. Getting ready
          2. How to do it...
            1. Which STP version is running on the network?
            2. Are there too many topology changes?
          3. How it works...
            1. Port states
          4. There's more…
        4. Analyzing VLANs and VLAN tagging issues
          1. Getting ready
          2. How to do it...
            1. Monitoring traffic inside a VLAN
            2. Viewing tagged frames going through a VLAN tagged port
          3. How it works...
          4. There's more…
          5. See also
        5. Analyzing wireless (Wi-Fi) problems
          1. Getting ready
          2. How to do it…
          3. How it works…
      16. 8. ARP and IP Analysis
        1. Introduction
        2. Analyzing connectivity problems with ARP
          1. Getting ready
          2. How to do it...
            1. ARP poisoning and Man-in-the-Middle attacks
            2. Gratuitous ARP
            3. ARP sweeps
            4. Requests or replies, and who is the sender
            5. How many ARPs
          3. How it works...
          4. There's more...
        3. Using IP traffic analysis tools
          1. Getting ready
          2. How to do it...
            1. IP statistics tools
          3. How it works...
          4. There's more...
        4. Using GeoIP to look up physical locations of the IP address
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        5. Finding fragmentation problems
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        6. Analyzing routing problems
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        7. Finding duplicate IPs
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        8. Analyzing DHCP problems
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
      17. 9. UDP/TCP Analysis
        1. Introduction
        2. Configuring TCP and UDP preferences for troubleshooting
          1. Getting ready
          2. How to do it...
            1. UDP parameters
            2. TCP parameters
          3. How it works...
          4. There's more…
        3. TCP connection problems
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more…
        4. TCP retransmission – where do they come from and why
          1. Getting ready
          2. How to do it...
            1. Case 1 – retransmissions to many destinations
            2. Case 2 – retransmissions on a single connection
            3. Case 3 – retransmission patterns
            4. Case 4 – retransmission due to a non-responsive application
            5. Case 5 – retransmission due to delayed variations
            6. Finding what it is
          3. How it works...
            1. Regular operation of the TCP Sequence/Acknowledge mechanism
            2. What are TCP retransmissions and what do they cause
          4. There's more...
          5. See also
        5. Duplicate ACKs and fast retransmissions
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        6. TCP out-of-order packet events
          1. Getting ready
          2. How to do it...
            1. When will it happen?
          3. How it works...
        7. TCP Zero Window, Window Full, Window Change, and other Window indicators
          1. Getting ready
          2. How to do it...
            1. TCP Zero Window, Zero Window Probe, and Zero Window Violation
            2. TCP Window Update
            3. TCP Window Full
          3. How it works...
          4. There's more…
        8. TCP resets and why they happen
          1. Getting ready
          2. How to do it...
            1. Cases in which reset is not a problem
            2. Cases in which reset can indicate a problem
          3. How it works...
      18. 10. HTTP and DNS
        1. Introduction
        2. Filtering DNS traffic
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        3. Analyzing regular DNS operations
          1. Getting ready
          2. How to do it...
          3. How it works...
            1. DNS operation
            2. DNS namespace
            3. The resolving process
          4. There's more...
        4. Analysing DNS problems
          1. Getting ready
          2. How to do it...
            1. DNS cannot resolve a name
            2. DNS slow responses
          3. How it works...
          4. There's more...
        5. Filtering HTTP traffic
          1. Getting ready
          2. How to do it...
          3. How it works...
            1. HTTP methods
            2. Status codes
          4. There's more...
        6. Configuring HTTP preferences
          1. Getting ready
          2. How to do it...
            1. Custom HTTP headers fields
          3. How it works...
          4. There's more...
        7. Analyzing HTTP problems
          1. Getting ready
          2. How to do it...
            1. Informational codes
            2. Success codes
            3. Redirect codes
            4. Client errors
            5. Server errors
          3. How it works...
          4. There's more...
        8. Exporting HTTP objects
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        9. HTTP flow analysis and the Follow TCP Stream window
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        10. Analyzing HTTPS traffic – SSL/TLS basics
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
      19. 11. Analyzing Enterprise Applications' Behavior
        1. Introduction
        2. Finding out what is running over your network
          1. Getting ready
          2. How to do it...
          3. There's more...
        3. Analyzing FTP problems
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        4. Analyzing e-mail traffic and troubleshooting e-mail problems – POP, IMAP, and SMTP
          1. Getting ready
          2. How to do it...
            1. POP3 communications
            2. SMTP communications
            3. Some other methods and problems
          3. How it works...
            1. POP3
            2. SMTP and SMTP error codes (RFC3463)
          4. There's more...
        5. Analyzing MS-TS and Citrix communications problems
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more…
        6. Analyzing problems in the NetBIOS protocols
          1. Getting ready
          2. How to do it...
            1. General tests
            2. Specific issues
          3. How it works...
          4. There's more…
            1. Example 1 – application freezing
            2. Example 2 – broadcast storm caused by SMB
        7. Analyzing database traffic and common problems
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
      20. 12. SIP, Multimedia, and IP Telephony
        1. Introduction
        2. Using Wireshark's features for telephony and multimedia analysis
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        3. Analyzing SIP connectivity
          1. Getting ready
          2. How to do it...
            1. 1xx codes – provisional/informational
            2. 2xx codes – success
            3. 3xx codes – redirection
            4. 4xx codes – client error
            5. 5xx codes – server error
            6. 6xx codes – global failure
          3. How it works...
          4. There's more...
        4. Analyzing RTP/RTCP connectivity
          1. Getting ready
          2. How to do it...
          3. How it works...
            1. RTP principles of operation
            2. The RTCP principle of operation
          4. There's more...
        5. Troubleshooting scenarios for video and surveillance applications
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        6. Troubleshooting scenarios for IPTV applications
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        7. Troubleshooting scenarios for video conferencing applications
          1. Getting ready
          2. How to do it...
        8. Troubleshooting RTSP
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
      21. 13. Troubleshooting Bandwidth and Delay Problems
        1. Introduction
        2. Measuring total bandwidth on a communication link
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        3. Measuring bandwidth and throughput per user and per application over a network connection
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. See also
        4. Monitoring jitter and delay using Wireshark
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        5. Discovering delay/jitter-related application problems
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
      22. 14. Understanding Network Security
        1. Introduction
        2. Discovering unusual traffic patterns
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        3. Discovering MAC- and ARP-based attacks
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        4. Discovering ICMP and TCP SYN/Port scans
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        5. Discovering DoS and DDoS attacks
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        6. Locating smart TCP attacks
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        7. Discovering brute-force and application attacks
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
      23. A. Links, Tools, and Reading
        1. Useful Wireshark links
        2. tcpdump
        3. Some additional tools
          1. SNMP tools
          2. SNMP platforms
          3. The NetFlow, JFlow, and SFlow analyzers
          4. HTTP debuggers
          5. Syslog
          6. Other stuff
        4. Network analysers
        5. Interesting websites
        6. Books
      24. Index