Network Analysis Using Wireshark Cookbook
Table of Contents
Network Analysis Using Wireshark Cookbook
Credits
About the Author
Acknowledgments
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers and more
Why Subscribe?
Free Access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Piracy
Questions
1. Introducing Wireshark
Introduction
Locating Wireshark
Getting ready
How to do it...
Monitoring a server
Monitoring a router
Monitoring a firewall
How it works...
There's more...
See also
Starting the capture of data
Getting ready
How to do it...
How to choose the interface to start the capture
How to configure the interface you capture data from
How it works...
There's more...
See also
Configuring the start window
Getting ready
Main Toolbar
Display Filter Toolbar
Status Bar
How to do it...
Configuring toolbars
Configuring the main window
Name Resolution
Colorizing the packet list
Auto scrolling in live capture
Using time values and summaries
Getting ready
How to do it...
How it works...
Configuring coloring rules and navigation techniques
Getting ready
How to do it...
How it works...
See also
Saving, printing, and exporting data
Getting ready
How to do it...
Saving data in various formats
How to print data
How it works...
Configuring the user interface in the Preferences menu
Getting ready
How to do it...
Changing and adding columns
Changing the capture configuration
Configuring the name resolution
How it works...
Configuring protocol preferences
Getting ready
How to do it...
Configuring IPv4 and IPv6 preferences
Configuring TCP and UDP
How it works...
There's more...
2. Using Capture Filters
Introduction
Configuring capture filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring Ethernet filters
Getting ready
How to do it...
How it works…
There's more...
See also
Configuring host and network filters
Getting ready
How to do it...
How it works…
There's more...
See also
Configuring TCP/UDP and port filters
Getting ready
How to do it...
How it works…
There's more...
See also
Configuring compound filters
Getting ready
How to do it...
How it works…
There's more...
See also
Configuring byte offset and payload matching filters
Getting ready
How to do it...
How it works…
There's more...
See also
3. Using Display Filters
Introduction
Configuring display filters
Getting ready
How to do it...
Choosing from the filters menu
Writing the syntax directly into the display filter window
Choosing a parameter in the packet pane and defining it as a filter
How it works...
There's more...
What is the parameter we filter?
Adding a parameter column
Saving the displayed data
Configuring Ethernet, ARP, host, and network filters
Getting ready
How to do it...
Ethernet filters
ARP filters
IP and ICMP filters
Complex filters
How it works...
Ethernet broadcasts
IPv4 multicasts
IPv6 multicasts
See also
Configuring TCP/UDP filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring specific protocol filters
Getting ready
How to do it...
HTTP display filters
DNS display filters
FTP display filters
How it works...
See also
Configuring substring operator filters
Getting ready
How to do it...
How it works...
Configuring macros
Getting ready
How to do it...
How it works...
4. Using Basic Statistics Tools
Introduction
Using the Summary tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Using the Protocol Hierarchy tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Using the Conversations tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Ethernet conversations statistics
IP conversations statistics
TCP/UDP conversations statistics
Using the Endpoints tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Using the HTTP tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Configuring Flow Graph for viewing TCP flows
Getting ready
How to do it...
How it works...
There's more...
Creating IP-based statistics
Getting ready
How to do it...
How it works...
There's more...
5. Using Advanced Statistics Tools
Introduction
Configuring IO Graphs with filters for measuring network performance issues
Getting ready
How to do it...
Filter configuration
X-Axis configuration
Y-Axis configuration
How it works...
There's more...
Throughput measurements with IO Graph
Getting ready
How to do it...
Measuring throughput between end devices
Measuring application throughput
How it works...
There's more...
Graph SMS usage – finding SMS messages sent by a specific subscriber
Graphing number of accesses to the Google web page
Advanced IO Graph configurations with advanced Y-Axis parameters
Getting ready
How to do it...
How to monitor inter-frame time delta statistics
How to monitor the number of TCP retransmissions in a stream
How to monitor a number of field appearances
How it works...
There's more...
Getting information through TCP stream graphs – the Time-Sequence (Stevens) window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – the Time-Sequence (tcp-trace) window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – the Throughput Graph window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – the Round Trip Time window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – the Window Scaling Graph window
Getting ready
How to do it...
How it works...
There's more...
6. Using the Expert Infos Window
Introduction
The Expert Infos window and how to use it for network troubleshooting
Getting ready
How to do it...
How it works...
There's more...
See also
Error events and understanding them
Getting ready
How to do it...
How it works...
There's more...
See also
Warning events and understanding them
Getting ready
How to do it...
How it works...
There's more...
See also
Notes events and understanding them
Getting ready
How to do it...
How it works...
There's more...
See also
7. Ethernet, LAN Switching, and Wireless LAN
Introduction
Discovering broadcast and error storms
Getting ready
How to do it...
Spanning Tree Problems
A device that generates Broadcasts
Fixed pattern broadcasts
How it works...
There's more…
See also
Analyzing Spanning Tree Protocols
Getting ready
How to do it...
Which STP version is running on the network?
Are there too many topology changes?
How it works...
Port states
There's more…
Analyzing VLANs and VLAN tagging issues
Getting ready
How to do it...
Monitoring traffic inside a VLAN
Viewing tagged frames going through a VLAN tagged port
How it works...
There's more…
See also
Analyzing wireless (Wi-Fi) problems
Getting ready
How to do it…
How it works…
8. ARP and IP Analysis
Introduction
Analyzing connectivity problems with ARP
Getting ready
How to do it...
ARP poisoning and Man-in-the-Middle attacks
Gratuitous ARP
ARP sweeps
Requests or replies, and who is the sender
How many ARPs
How it works...
There's more...
Using IP traffic analysis tools
Getting ready
How to do it...
IP statistics tools
How it works...
There's more...
Using GeoIP to look up physical locations of the IP address
Getting ready
How to do it...
How it works...
There's more...
Finding fragmentation problems
Getting ready
How to do it...
How it works...
There's more...
Analyzing routing problems
Getting ready
How to do it...
How it works...
There's more...
Finding duplicate IPs
Getting ready
How to do it...
How it works...
There's more...
Analyzing DHCP problems
Getting ready
How to do it...
How it works...
There's more...
9. UDP/TCP Analysis
Introduction
Configuring TCP and UDP preferences for troubleshooting
Getting ready
How to do it...
UDP parameters
TCP parameters
How it works...
There's more…
TCP connection problems
Getting ready
How to do it...
How it works...
There's more…
TCP retransmission – where do they come from and why
Getting ready
How to do it...
Case 1 – retransmissions to many destinations
Case 2 – retransmissions on a single connection
Case 3 – retransmission patterns
Case 4 – retransmission due to a non-responsive application
Case 5 – retransmission due to delayed variations
Finding what it is
How it works...
Regular operation of the TCP Sequence/Acknowledge mechanism
What are TCP retransmissions and what do they cause
There's more...
See also
Duplicate ACKs and fast retransmissions
Getting ready
How to do it...
How it works...
There's more...
TCP out-of-order packet events
Getting ready
How to do it...
When will it happen?
How it works...
TCP Zero Window, Window Full, Window Change, and other Window indicators
Getting ready
How to do it...
TCP Zero Window, Zero Window Probe, and Zero Window Violation
TCP Window Update
TCP Window Full
How it works...
There's more…
TCP resets and why they happen
Getting ready
How to do it...
Cases in which reset is not a problem
Cases in which reset can indicate a problem
How it works...
10. HTTP and DNS
Introduction
Filtering DNS traffic
Getting ready
How to do it...
How it works...
There's more...
Analyzing regular DNS operations
Getting ready
How to do it...
How it works...
DNS operation
DNS namespace
The resolving process
There's more...
Analyzing DNS problems
Getting ready
How to do it...
DNS cannot resolve a name
DNS slow responses
How it works...
There's more...
Filtering HTTP traffic
Getting ready
How to do it...
How it works...
HTTP methods
Status codes
There's more...
Configuring HTTP preferences
Getting ready
How to do it...
Custom HTTP headers fields
How it works...
There's more...
Analyzing HTTP problems
Getting ready
How to do it...
Informational codes
Success codes
Redirect codes
Client errors
Server errors
How it works...
There's more...
Exporting HTTP objects
Getting ready
How to do it...
How it works...
There's more...
HTTP flow analysis and the Follow TCP Stream window
Getting ready
How to do it...
How it works...
There's more...
Analyzing HTTPS traffic – SSL/TLS basics
Getting ready
How to do it...
How it works...
There's more...
11. Analyzing Enterprise Applications' Behavior
Introduction
Finding out what is running over your network
Getting ready
How to do it...
There's more...
Analyzing FTP problems
Getting ready
How to do it...
How it works...
There's more...
Analyzing e-mail traffic and troubleshooting e-mail problems – POP, IMAP, and SMTP
Getting ready
How to do it...
POP3 communications
SMTP communications
Some other methods and problems
How it works...
POP3
SMTP and SMTP error codes (RFC3463)
There's more...
Analyzing MS-TS and Citrix communications problems
Getting ready
How to do it...
How it works...
There's more…
Analyzing problems in the NetBIOS protocols
Getting ready
How to do it...
General tests
Specific issues
How it works...
There's more…
Example 1 – application freezing
Example 2 – broadcast storm caused by SMB
Analyzing database traffic and common problems
Getting ready
How to do it...
How it works...
There's more...
12. SIP, Multimedia, and IP Telephony
Introduction
Using Wireshark's features for telephony and multimedia analysis
Getting ready
How to do it...
How it works...
There's more...
Analyzing SIP connectivity
Getting ready
How to do it...
1xx codes – provisional/informational
2xx codes – success
3xx codes – redirection
4xx codes – client error
5xx codes – server error
6xx codes – global failure
How it works...
There's more...
Analyzing RTP/RTCP connectivity
Getting ready
How to do it...
How it works...
RTP principles of operation
The RTCP principle of operation
There's more...
Troubleshooting scenarios for video and surveillance applications
Getting ready
How to do it...
How it works...
There's more...
Troubleshooting scenarios for IPTV applications
Getting ready
How to do it...
How it works...
There's more...
Troubleshooting scenarios for video conferencing applications
Getting ready
How to do it...
Troubleshooting RTSP
Getting ready
How to do it...
How it works...
There's more...
13. Troubleshooting Bandwidth and Delay Problems
Introduction
Measuring total bandwidth on a communication link
Getting ready
How to do it...
How it works...
There's more...
Measuring bandwidth and throughput per user and per application over a network connection
Getting ready
How to do it...
How it works...
See also
Monitoring jitter and delay using Wireshark
Getting ready
How to do it...
How it works...
There's more...
Discovering delay/jitter-related application problems
Getting ready
How to do it...
How it works...
There's more...
14. Understanding Network Security
Introduction
Discovering unusual traffic patterns
Getting ready
How to do it...
How it works...
There's more...
See also
Discovering MAC- and ARP-based attacks
Getting ready
How to do it...
How it works...
There's more...
Discovering ICMP and TCP SYN/Port scans
Getting ready
How to do it...
How it works...
There's more...
See also
Discovering DoS and DDoS attacks
Getting ready
How to do it...
How it works...
There's more...
Locating smart TCP attacks
Getting ready
How to do it...
How it works...
There's more...
See also
Discovering brute-force and application attacks
Getting ready
How to do it...
How it works...
There's more...
A. Links, Tools, and Reading
Useful Wireshark links
tcpdump
Some additional tools
SNMP tools
SNMP platforms
The NetFlow, JFlow, and SFlow analyzers
HTTP debuggers
Syslog
Other stuff
Network analyzers
Interesting websites
Books
Index