Packet Analysis with Wireshark
Table of Contents
Packet Analysis with Wireshark
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Packet Analyzers
Uses for packet analyzers
Introducing Wireshark
Wireshark features
Wireshark's dumpcap and tshark
The Wireshark packet capture process
Other packet analyzer tools
Mobile packet capture
Summary
2. Capturing Packets
Guide to capturing packets
Capturing packets with Interface Lists
Common interface names
Capturing packets with Start options
Capturing packets with Capture Options
The capture filter options
Auto-capturing a file periodically
Troubleshooting
Wireshark user interface
The Filter toolbar
Filtering techniques
Filter examples
The Packet List pane
The Packet Details pane
The Packet Bytes pane
Wireshark features
Decode-As
Protocol preferences
The IO graph
Following the TCP stream
Exporting the displayed packet
Generating the firewall ACL rules
Tcpdump and snoop
References
Summary
3. Analyzing the TCP Network
Recapping TCP
TCP header fields
TCP states
TCP connection establishment and clearing
TCP three-way handshake
Handshake message – first step [SYN]
Handshake message – second step [SYN, ACK]
Handshake message – third step [ACK]
TCP data communication
TCP close sequence
Lab exercise
TCP troubleshooting
TCP reset sequence
RST after SYN-ACK
RST after SYN
Lab exercise
TCP CLOSE_WAIT
Lab exercise
How to resolve TCP CLOSE_STATE
TCP TIME_WAIT
TCP latency issues
Cause of latency
Identifying latency
Server latency example
Wire latency
Wireshark TCP sequence analysis
TCP retransmission
Lab exercise
TCP ZeroWindow
TCP Window Update
TCP Dup-ACK
References
Summary
4. Analyzing SSL/TLS
An introduction to SSL/TLS
SSL/TLS versions
The SSL/TLS component
The SSL/TLS handshake
Types of handshake message
Client Hello
Server Hello
Server certificate
Server Key Exchange
Client certificate request
Server Hello Done
Client certificate
Client Key Exchange
Client Certificate Verify
Change Cipher Spec
Finished
Application Data
Alert Protocol
Key exchange
The Diffie-Hellman key exchange
Elliptic curve Diffie-Hellman key exchange
RSA
Decrypting SSL/TLS
Decrypting RSA traffic
Decrypting DHE/ECDHE traffic
Forward secrecy
Debugging issues
Summary
5. Analyzing Application Layer Protocols
DHCPv6
DHCPv6 Wireshark filter
Multicast addresses
The UDP port information
DHCPv6 message types
Message exchanges
The four-message exchange
The two-message exchange
DHCPv6 traffic capture
BOOTP/DHCP
BOOTP/DHCP Wireshark filter
Address assignment
Capture DHCPv4 traffic
DNS
DNS Wireshark filter
Port
Resource records
DNS traffic
HTTP
HTTP Wireshark filter
HTTP use cases
Finding the top HTTP response time
Finding packets based on HTTP methods
Finding sensitive information in a form post
Using HTTP status code
References
Summary
6. WLAN Capturing
WLAN capture setup
The monitor mode
Analyzing the Wi-Fi networks
Frames
Management frames
Data frames
Control frames
802.11 auth process
802.1X EAPOL
The 802.11 protocol stack
Wi-Fi sniffing products
Summary
7. Security Analysis
Heartbleed bug
The Heartbleed Wireshark filter
Heartbleed Wireshark analysis
The Heartbleed test
Heartbleed recommendations
The DoS attack
SYN flood
SYN flood mitigation
ICMP flood
ICMP flood mitigation
SSL flood
Scanning
Vulnerability scanning
SSL scans
ARP duplicate IP detection
DrDoS
BitTorrent
Wireshark protocol hierarchy
Summary
Index