Practical Packet Analysis, 2nd Edition

Book Description

This significantly revised and expanded second edition of Practical Packet Analysis shows you how to use Wireshark to capture raw network traffic, filter and analyze packets, and diagnose common network problems.

Table of Contents

  1. Practical Packet Analysis
    1. Praise for the First Edition of Practical Packet Analysis
    2. Acknowledgments
    3. Introduction
      1. Why This Book?
      2. Concepts and Approach
      3. How to Use This Book
      4. About the Sample Capture Files
      5. The Rural Technology Fund
      6. Contacting Me
    4. 1. Packet Analysis and Network Basics
      1. Packet Analysis and Packet Sniffers
        1. Evaluating a Packet Sniffer
        2. How Packet Sniffers Work
      2. How Computers Communicate
        1. Protocols
        2. The Seven-Layer OSI Model
        3. Data Encapsulation
        4. Network Hardware
          1. Hubs
          2. Switches
          3. Routers
      3. Traffic Classifications
        1. Broadcast Traffic
        2. Multicast Traffic
        3. Unicast Traffic
      4. Final Thoughts
    5. 2. Tapping into the Wire
      1. Living Promiscuously
      2. Sniffing Around Hubs
      3. Sniffing in a Switched Environment
        1. Port Mirroring
        2. Hubbing Out
        3. Using a Tap
          1. Aggregated Taps
          2. Nonaggregated Taps
          3. Choosing a Network Tap
        4. ARP Cache Poisoning
          1. The ARP Process
          2. How ARP Cache Poisoning Works
          3. Using Cain & Abel
          4. A Word of Caution on ARP Cache Poisoning
      4. Sniffing in a Routed Environment
      5. Sniffer Placement in Practice
    6. 3. Introduction to Wireshark
      1. A Brief History of Wireshark
      2. The Benefits of Wireshark
      3. Installing Wireshark
        1. Installing on Microsoft Windows Systems
        2. Installing on Linux Systems
          1. RPM-based Systems
          2. DEB-based Systems
          3. Compiling from Source
        3. Installing on Mac OS X Systems
      4. Wireshark Fundamentals
        1. Your First Packet Capture
        2. Wireshark’s Main Window
        3. Wireshark Preferences
        4. Packet Color Coding
    7. 4. Working with Captured Packets
      1. Working with Capture Files
        1. Saving and Exporting Capture Files
        2. Merging Capture Files
      2. Working with Packets
        1. Finding Packets
        2. Marking Packets
        3. Printing Packets
      3. Setting Time Display Formats and References
        1. Time Display Formats
        2. Packet Time Referencing
      4. Setting Capture Options
        1. Capture Settings
        2. Capture File(s) Settings
        3. Stop Capture Settings
        4. Display Options
        5. Name Resolution Settings
      5. Using Filters
        1. Capture Filters
          1. Capture/BPF Syntax
          2. Hostname and Addressing Filters
          3. Port and Protocol Filters
          4. Protocol Filters
          5. Protocol Field Filters
          6. Sample Capture Filter Expressions
        2. Display Filters
          1. The Filter Expression Dialog (the Easy Way)
          2. The Filter Expression Syntax Structure (the Hard Way)
          3. Sample Display Filter Expressions
        3. Saving Filters
    8. 5. Advanced Wireshark Features
      1. Network Endpoints and Conversations
        1. Viewing Endpoints
        2. Viewing Network Conversations
        3. Troubleshooting with the Endpoints and Conversations Windows
      2. Protocol Hierarchy Statistics
      3. Name Resolution
        1. Enabling Name Resolution
        2. Potential Drawbacks to Name Resolution
      4. Protocol Dissection
        1. Changing the Dissector
        2. Viewing Dissector Source Code
      5. Following TCP Streams
      6. Packet Lengths
      7. Graphing
        1. Viewing IO Graphs
        2. Round-Trip Time Graphing
        3. Flow Graphing
      8. Expert Information
    9. 6. Common Lower-Layer Protocols
      1. Address Resolution Protocol
        1. The ARP Header
        2. Packet 1: ARP Request
        3. Packet 2: ARP Response
        4. Gratuitous ARP
      2. Internet Protocol
        1. IP Addresses
        2. The IPv4 Header
        3. Time to Live
        4. IP Fragmentation
      3. Transmission Control Protocol
        1. The TCP Header
        2. TCP Ports
        3. The TCP Three-Way Handshake
        4. TCP Teardown
        5. TCP Resets
      4. User Datagram Protocol
        1. The UDP Header
      5. Internet Control Message Protocol
        1. The ICMP Header
        2. ICMP Types and Messages
        3. Echo Requests and Responses
        4. Traceroute
    10. 7. Common Upper-Layer Protocols
      1. Dynamic Host Configuration Protocol
        1. The DHCP Packet Structure
        2. The DHCP Renewal Process
          1. The Discover Packet
          2. The Offer Packet
          3. The Request Packet
          4. The Acknowledgment Packet
        3. DHCP In-Lease Renewal
        4. DHCP Options and Message Types
      2. Domain Name System
        1. The DNS Packet Structure
        2. A Simple DNS Query
        3. DNS Question Types
        4. DNS Recursion
        5. DNS Zone Transfers
      3. Hypertext Transfer Protocol
        1. Browsing with HTTP
        2. Posting Data with HTTP
      4. Final Thoughts
    11. 8. Basic Real-World Scenarios
      1. Social Networking at the Packet Level
        1. Capturing Twitter Traffic
          1. The Twitter Login Process
          2. Sending Data with a Tweet
          3. Twitter Direct Messaging
        2. Capturing Facebook Traffic
          1. The Facebook Login Process
          2. Private Messaging with Facebook
        3. Comparing Twitter vs. Facebook Methods
      2. Capturing ESPN.com Traffic
        1. Using the Conversations Window
        2. Using the Protocol Hierarchy Statistics Window
        3. Viewing DNS Traffic
        4. Viewing HTTP Requests
      3. Real-World Problems
        1. No Internet Access: Configuration Problems
          1. Tapping into the Wire
          2. Analysis
          3. Lessons Learned
        2. No Internet Access: Unwanted Redirection
          1. Tapping into the Wire
          2. Analysis
          3. Lessons Learned
        3. No Internet Access: Upstream Problems
          1. Tapping into the Wire
          2. Analysis
          3. Lessons Learned
        4. Inconsistent Printer
          1. Tapping into the Wire
          2. Analysis
          3. Lessons Learned
        5. Stranded in a Branch Office
          1. Tapping into the Wire
          2. Analysis
          3. Lessons Learned
        6. Ticked-Off Developer
          1. Tapping into the Wire
          2. Analysis
          3. Lessons Learned
      4. Final Thoughts
    12. 9. Fighting a Slow Network
      1. TCP Error-Recovery Features
        1. TCP Retransmissions
        2. TCP Duplicate Acknowledgments and Fast Retransmissions
      2. TCP Flow Control
        1. Adjusting the Window Size
        2. Halting Data Flow with a Zero Window Notification
        3. The TCP Sliding Window in Practice
      3. Learning from TCP Error-Control and Flow-Control Packets
      4. Locating the Source of High Latency
        1. Normal Communications
        2. Slow Communications—Wire Latency
        3. Slow Communications—Client Latency
        4. Slow Communications—Server Latency
        5. Latency Locating Framework
      5. Network Baselining
        1. Site Baseline
        2. Host Baseline
        3. Application Baseline
        4. Additional Notes on Baselines
      6. Final Thoughts
    13. 10. Packet Analysis for Security
      1. Reconnaissance
        1. SYN Scan
          1. Using Filters with SYN Scans
          2. Identifying Open and Closed Ports
        2. Operating System Fingerprinting
          1. Passive Fingerprinting
          2. Active Fingerprinting
      2. Exploitation
        1. Operation Aurora
        2. ARP Cache Poisoning
        3. Remote-Access Trojan
      3. Final Thoughts
    14. 11. Wireless Packet Analysis
      1. Physical Considerations
        1. Sniffing One Channel at a Time
        2. Wireless Signal Interference
        3. Detecting and Analyzing Signal Interference
      2. Wireless Card Modes
      3. Sniffing Wirelessly in Windows
        1. Configuring AirPcap
        2. Capturing Traffic with AirPcap
      4. Sniffing Wirelessly in Linux
      5. 802.11 Packet Structure
      6. Adding Wireless-Specific Columns to the Packet List Pane
      7. Wireless-Specific Filters
        1. Filtering Traffic for a Specific BSS ID
        2. Filtering Specific Wireless Packet Types
        3. Filtering a Specific Frequency
      8. Wireless Security
        1. Successful WEP Authentication
        2. Failed WEP Authentication
        3. Successful WPA Authentication
        4. Failed WPA Authentication
      9. Final Thoughts
    15. A. Further Reading
      1. Packet Analysis Tools
        1. tcpdump and Windump
        2. Cain & Abel
        3. Scapy
        4. Netdude
        5. Colasoft Packet Builder
        6. CloudShark
        7. pcapr
        8. NetworkMiner
        9. Tcpreplay
        10. ngrep
        11. libpcap
        12. hping
        13. Domain Dossier
        14. Perl and Python
      2. Packet Analysis Resources
        1. Wireshark Home Page
        2. SANS Security Intrusion Detection In-Depth Course
        3. Chris Sanders Blog
        4. Packetstan Blog
        5. Wireshark University
        6. IANA
        7. TCP/IP Illustrated (Addison-Wesley)
        8. The TCP/IP Guide (No Starch Press)
    16. Index
    17. About the Author
    18. Colophon
    19. B. Updates