Packet Analysis with Wireshark

Book Description

Leverage the power of Wireshark to troubleshoot your networking issues by using effective packet analysis techniques and performing improved protocol analysis

About This Book

  • Gain hands-on experience in troubleshooting errors in TCP/IP and SSL protocols through practical use cases

  • Identify and overcome security flaws in your network to get a deeper insight into security analysis

  • This is a fast-paced book that focuses on quick and effective packet captures through practical examples and exercises

Who This Book Is For

If you are a network or system administrator who wants to effectively capture packets, a security consultant who wants to audit packet flows, or a white hat hacker who wants to view sensitive information and remediate it, this book is for you. This book requires decoding skills and a basic understanding of networking.

What You Will Learn

  • Utilize Wireshark's advanced features to analyze packet captures

  • Locate the vulnerabilities in an application server

  • Get to know more about protocols such as DHCPv6, DHCP, DNS, SNMP, and HTTP with Wireshark

  • Capture network packets with tcpdump and snoop with examples

  • Find out about security aspects such as OS-level ARP scanning

  • Set up 802.11 WLAN captures and discover more about the WAN protocol

  • Enhance your troubleshooting skills by understanding practical TCP/IP handshake and state diagrams

In Detail

Wireshark provides a very useful way to decode an RFC and examine it. The packet captures displayed in Wireshark give you an insight into the security and flaws of different protocols, which will help you perform security research and protocol debugging.

    The book starts by introducing you to various packet analyzers and helping you find out which one best suits your needs. You will learn how to use the command line and the Wireshark GUI to capture packets by employing filters. Moving on, you will acquire knowledge about TCP/IP communication and its use cases. You will then get an understanding of the SSL/TLS flow with Wireshark and tackle the associated problems with it. Next, you will perform analysis on application-related protocols. We follow this with some best practices to analyze wireless traffic. By the end of the book, you will have developed the skills needed for you to identify packets for malicious attacks, intrusions, and other malware attacks.

    Style and approach

    This is an easy-to-follow guide packed with illustrations and equipped with lab exercises to help you reproduce scenarios using a sample program and command lines.

    Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at If you purchased this book elsewhere, you can visit and register to have the code file.

    Table of Contents

    1. Packet Analysis with Wireshark
      1. Table of Contents
      2. Packet Analysis with Wireshark
      3. Credits
      4. About the Author
      5. About the Reviewers
        1. Support files, eBooks, discount offers, and more
          1. Why subscribe?
          2. Free access for Packt account holders
      7. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Errata
          3. Piracy
          4. Questions
      8. 1. Packet Analyzers
        1. Uses for packet analyzers
        2. Introducing Wireshark
          1. Wireshark features
          2. Wireshark's dumpcap and tshark
          3. The Wireshark packet capture process
        3. Other packet analyzer tools
          1. Mobile packet capture
        4. Summary
      9. 2. Capturing Packets
        1. Guide to capturing packets
          1. Capturing packets with Interface Lists
            1. Common interface names
          2. Capturing packets with Start options
          3. Capturing packets with Capture Options
            1. The capture filter options
          4. Auto-capturing a file periodically
        2. Troubleshooting
        3. Wireshark user interface
          1. The Filter toolbar
            1. Filtering techniques
            2. Filter examples
          2. The Packet List pane
          3. The Packet Details pane
          4. The Packet Bytes pane
        4. Wireshark features
          1. Decode-As
          2. Protocol preferences
          3. The IO graph
          4. Following the TCP stream
          5. Exporting the displayed packet
          6. Generating the firewall ACL rules
        5. Tcpdump and snoop
        6. References
        7. Summary
      10. 3. Analyzing the TCP Network
        1. Recapping TCP
          1. TCP header fields
          2. TCP states
        2. TCP connection establishment and clearing
          1. TCP three-way handshake
            1. Handshake message – first step [SYN]
            2. Handshake message – second step [SYN, ACK]
            3. Handshake message – third step [ACK]
        3. TCP data communication
        4. TCP close sequence
        5. Lab exercise
        6. TCP troubleshooting
          1. TCP reset sequence
            1. RST after SYN-ACK
            2. RST after SYN
            3. Lab exercise
          2. TCP CLOSE_WAIT
            1. Lab exercise
              1. How to resolve TCP CLOSE_STATE
          3. TCP TIME_WAIT
        7. TCP latency issues
          1. Cause of latency
          2. Identifying latency
          3. Server latency example
          4. Wire latency
        8. Wireshark TCP sequence analysis
          1. TCP retransmission
            1. Lab exercise
          2. TCP ZeroWindow
          3. TCP Window Update
          4. TCP Dup-ACK
        9. References
        10. Summary
      11. 4. Analyzing SSL/TLS
        1. An introduction to SSL/TLS
          1. SSL/TLS versions
          2. The SSL/TLS component
        2. The SSL/TLS handshake
          1. Types of handshake message
            1. Client Hello
            2. Server Hello
            3. Server certificate
            4. Server Key Exchange
            5. Client certificate request
            6. Server Hello Done
            7. Client certificate
            8. Client Key Exchange
            9. Client Certificate Verify
            10. Change Cipher Spec
            11. Finished
            12. Application Data
            13. Alert Protocol
        3. Key exchange
          1. The Diffie-Hellman key exchange
          2. Elliptic curve Diffie-Hellman key exchange
          3. RSA
        4. Decrypting SSL/TLS
          1. Decrypting RSA traffic
          2. Decrypting DHE/ECDHE traffic
            1. Forward secrecy
        5. Debugging issues
        6. Summary
      12. 5. Analyzing Application Layer Protocols
        1. DHCPv6
          1. DHCPv6 Wireshark filter
          2. Multicast addresses
          3. The UDP port information
          4. DHCPv6 message types
          5. Message exchanges
            1. The four-message exchange
            2. The two-message exchange
          6. DHCPv6 traffic capture
        2. BOOTP/DHCP
          1. BOOTP/DHCP Wireshark filter
          2. Address assignment
          3. Capture DHCPv4 traffic
        3. DNS
          1. DNS Wireshark filter
          2. Port
          3. Resource records
          4. DNS traffic
        4. HTTP
          1. HTTP Wireshark filter
          2. HTTP use cases
            1. Finding the top HTTP response time
            2. Finding packets based on HTTP methods
            3. Finding sensitive information in a form post
            4. Using HTTP status code
        5. References
        6. Summary
      13. 6. WLAN Capturing
        1. WLAN capture setup
          1. The monitor mode
        2. Analyzing the Wi-Fi networks
          1. Frames
            1. Management frames
            2. Data frames
            3. Control frames
          2. 802.11 auth process
          3. 802.1X EAPOL
          4. The 802.11 protocol stack
        3. Wi-Fi sniffing products
        4. Summary
      14. 7. Security Analysis
        1. Heartbleed bug
          1. The Heartbleed Wireshark filter
          2. Heartbleed Wireshark analysis
          3. The Heartbleed test
          4. Heartbleed recommendations
        2. The DOS attack
          1. SYN flood
            1. SYN flood mitigation
          2. ICMP flood
            1. ICMP flood mitigation
          3. SSL flood
        3. Scanning
          1. Vulnerability scanning
          2. SSL scans
        4. ARP duplicate IP detection
        5. DrDoS
        6. BitTorrent
        7. Wireshark protocol hierarchy
        8. Summary
      15. Index