Wireshark Revealed: Essential Skills for IT Professionals
Table of Contents
Wireshark Revealed: Essential Skills for IT Professionals
Credits
Preface
What this learning path covers
What you need for this learning path
Who this learning path is for
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Module 1
1. Getting Acquainted with Wireshark
Installing Wireshark
Installing Wireshark on Windows
Installing Wireshark on Mac OS X
Installing Wireshark on Linux/Unix
Performing your first packet capture
Selecting a network interface
Performing a packet capture
Wireshark user interface essentials
Filtering out the noise
Applying a display filter
Saving the packet trace
Summary
2. Networking for Packet Analysts
The OSI model – why it matters
Understanding network protocols
The seven OSI layers
Layer 1 – the physical layer
Layer 2 – the data-link layer
Layer 3 – the network layer
Internet Protocol
Address Resolution Protocol
Layer 4 – the transport layer
User Datagram Protocol
Transmission Control Protocol
Layer 5 – the session layer
Layer 6 – the presentation layer
Layer 7 – the application layer
Encapsulation
IP networks and subnets
Switching and routing packets
Ethernet frames and switches
IP addresses and routers
WAN links
Wireless networking
Summary
3. Capturing All the Right Packets
Picking the best capture point
User location
Server location
Other capture locations
Mid-network captures
Both sides of specialized network devices
Test Access Ports and switch port mirroring
Test Access Port
Switch port mirroring
Capturing packets on high traffic rate links
Capturing interfaces, filters, and options
Selecting the correct network interface
Using capture filters
Configuring capture filters
Capture options
Capturing filenames and locations
Multiple file options
Ring buffer
Stop capture options
Display options
Name resolution options
Verifying a good capture
Saving the bulk capture file
Isolating conversations of interest
Using the Conversations window
The Ethernet tab
The TCP and UDP tabs
The WLAN tab
Wireshark display filters
The Display Filter window
The display filter syntax
Typing in a display filter
Display filters from a Conversations or Endpoints window
Filter Expression Buttons
Using the Expressions window button
Right-click menus on specific packet fields
Following TCP/UDP/SSL streams
Marking and ignoring packets
Saving the filtered traffic
Summary
4. Configuring Wireshark
Working with packet timestamps
How Wireshark saves timestamps
Wireshark time display options
Adding a time column
Conversation versus displayed packet time options
Choosing the best Wireshark time display option
Using the Time Reference option
Colorization and coloring rules
Packet colorization
Wireshark preferences
Wireshark profiles
Creating a Wireshark profile
Selecting a Wireshark profile
Summary
5. Network Protocols
The OSI and DARPA reference models
Network layer protocols
Wireshark IPv4 filters
Wireshark ARP filters
Internet Group Management Protocol
Wireshark IGMP filters
Internet Control Message Protocol
ICMP pings
ICMP traceroutes
ICMP control message types
ICMP redirects
Wireshark ICMP filters
Internet Protocol Version 6
IPv6 addressing
IPv6 address types
IPv6 header fields
IPv6 transition methods
Wireshark IPv6 filters
Internet Control Message Protocol Version 6
Multicast Listener Discovery
Wireshark ICMPv6 filters
Transport layer protocols
User Datagram Protocol
Wireshark UDP filters
Transmission Control Protocol
TCP flags
TCP options
Wireshark TCP filters
Application layer protocols
Dynamic Host Configuration Protocol
Wireshark DHCP filters
Dynamic Host Configuration Protocol Version 6
Wireshark DHCPv6 filters
Domain Name Service
Wireshark DNS filters
Hypertext Transfer Protocol
HTTP Methods
Host
Request Modifiers
Wireshark HTTP filters
Additional information
Wireshark wiki
Protocols on Wikipedia
Requests for Comments
Summary
6. Troubleshooting and Performance Analysis
Troubleshooting methodology
Gathering the right information
Establishing the general nature of the problem
Half-split troubleshooting and other logic
Troubleshooting connectivity issues
Enabling network interfaces
Confirming physical connectivity
Obtaining the workstation IP configuration
Obtaining MAC addresses
Obtaining network service IP addresses
Basic network connectivity
Connecting to the application services
Troubleshooting functional issues
Performance analysis methodology
Top five reasons for poor application performance
Preparing the tools and approach
Performing, verifying, and saving a good packet capture
Initial error analysis
Detecting and prioritizing delays
Server processing time events
Application turn's delay
Network path latency
Bandwidth congestion
Data transport
TCP StreamGraph
IO Graph
IO Graph – Wireshark 2.0
Summary
7. Packet Analysis for Security Tasks
Security analysis methodology
The importance of baselining
Security assessment tools
Identifying unacceptable or suspicious traffic
Scans and sweeps
ARP scans
ICMP ping sweeps
TCP port scans
UDP port scans
OS fingerprinting
Malformed packets
Phone home traffic
Password-cracking traffic
Unusual traffic
Summary
8. Command-line and Other Utilities
Wireshark command-line utilities
Capturing traffic with Dumpcap
Capturing traffic with Tshark
Editing trace files with Editcap
Merging trace files with Mergecap
Mergecap batch file
Other helpful tools
HttpWatch
SteelCentral Packet Analyzer Personal Edition
AirPcap adapters
Summary
2. Module 2
1. Introducing Wireshark
Introduction
Locating Wireshark
Getting ready
How to do it...
Monitoring a server
Monitoring a router
Monitoring a firewall
How it works...
There's more...
See also
Starting the capture of data
Getting ready
How to do it...
How to choose the interface to start the capture
How to configure the interface you capture data from
How it works...
There's more...
See also
Configuring the start window
Getting ready
Main Toolbar
Display Filter Toolbar
Status Bar
How to do it...
Configuring toolbars
Configuring the main window
Name Resolution
Colorizing the packet list
Auto scrolling in live capture
Using time values and summaries
Getting ready
How to do it...
How it works...
Configuring coloring rules and navigation techniques
Getting ready
How to do it...
How it works...
See also
Saving, printing, and exporting data
Getting ready
How to do it...
Saving data in various formats
How to print data
How it works...
Configuring the user interface in the Preferences menu
Getting ready
How to do it...
Changing and adding columns
Changing the capture configuration
Configuring the name resolution
How it works...
Configuring protocol preferences
Getting ready
How to do it...
Configuring of IPv4 and IPv6 Preferences
Configuring TCP and UDP
How it works...
There's more...
2. Using Capture Filters
Introduction
Configuring capture filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring Ethernet filters
Getting ready
How to do it...
How it works…
There's more...
See also
Configuring host and network filters
Getting ready
How to do it...
How it works…
There's more...
See also
Configuring TCP/UDP and port filters
Getting ready
How to do it...
How it works…
There's more...
See also
Configuring compound filters
Getting ready
How to do it...
How it works…
There's more...
See also
Configuring byte offset and payload matching filters
Getting ready
How to do it...
How it works…
There's more...
See also
3. Using Display Filters
Introduction
Configuring display filters
Getting ready
How to do it...
Choosing from the filters menu
Writing the syntax directly into the display filter window
Choosing a parameter in the packet pane and defining it as a filter
How it works...
There's more...
What is the parameter we filter?
Adding a parameter column
Saving the displayed data
Configuring Ethernet, ARP, host, and network filters
Getting ready
How to do it...
Ethernet filters
ARP filters
IP and ICMP filters
Complex filters
How it works...
Ethernet broadcasts
IPv4 multicasts
IPv6 multicasts
See also
Configuring TCP/UDP filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring specific protocol filters
Getting ready
How to do it...
HTTP display filters
DNS display filters
FTP display filters
How it works...
See also
Configuring substring operator filters
Getting ready
How to do it...
How it works...
Configuring macros
Getting ready
How to do it...
How it works...
4. Using Basic Statistics Tools
Introduction
Using the Summary tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Using the Protocol Hierarchy tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Using the Conversations tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Ethernet conversations statistics
IP conversations statistics
TCP/UDP conversations statistics
Using the Endpoints tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Using the HTTP tool from the Statistics menu
Getting ready
How to do it...
How it works...
There's more...
Configuring Flow Graph for viewing TCP flows
Getting ready
How to do it...
How it works...
There's more...
Creating IP-based statistics
Getting ready
How to do it...
How it works...
There's more...
5. Using Advanced Statistics Tools
Introduction
Configuring IO Graphs with filters for measuring network performance issues
Getting ready
How to do it...
Filter configuration
X-Axis configuration
Y-Axis configuration
How it works...
There's more...
Throughput measurements with IO Graph
Getting ready
How to do it...
Measuring throughput between end devices
Measuring application throughput
How it works...
There's more...
Graph SMS usage – finding SMS messages sent by a specific subscriber
Graphing number of accesses to the Google web page
Advanced IO Graph configurations with advanced Y-Axis parameters
Getting ready
How to do it...
How to monitor inter-frame time delta statistics
How to monitor the number of TCP retransmissions in a stream
How to monitor a number of field appearances
How it works...
There's more...
Getting information through TCP stream graphs – the Time-Sequence (Stevens) window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – the Time-Sequence (tcp-trace) window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – the Throughput Graph window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – the Round Trip Time window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – the Window Scaling Graph window
Getting ready
How to do it...
How it works...
There's more...
6. Using the Expert Infos Window
Introduction
The Expert Infos window and how to use it for network troubleshooting
Getting ready
How to do it...
How it works...
There's more...
See also
Error events and understanding them
Getting ready
How to do it...
How it works...
There's more...
See also
Warning events and understanding them
Getting ready
How to do it...
How it works...
There's more...
See also
Notes events and understanding them
Getting ready
How to do it...
How it works...
There's more...
See also
7. Ethernet, LAN Switching, and Wireless LAN
Introduction
Discovering broadcast and error storms
Getting ready
How to do it...
Spanning Tree Problems
A device that generates Broadcasts
Fixed pattern broadcasts
How it works...
There's more…
See also
Analyzing Spanning Tree Protocols
Getting ready
How to do it...
Which STP version is running on the network?
Are there too many topology changes?
How it works...
Port states
There's more…
Analyzing VLANs and VLAN tagging issues
Getting ready
How to do it...
Monitoring traffic inside a VLAN
Viewing tagged frames going through a VLAN tagged port
How it works...
There's more…
See also
Analyzing wireless (Wi-Fi) problems
Getting ready
How to do it…
How it works…
8. ARP and IP Analysis
Introduction
Analyzing connectivity problems with ARP
Getting ready
How to do it...
ARP poisoning and Man-in-the-Middle attacks
Gratuitous ARP
ARP sweeps
Requests or replies, and who is the sender
How many ARPs
How it works...
There's more...
Using IP traffic analysis tools
Getting ready
How to do it...
IP statistics tools
How it works...
There's more...
Using GeoIP to look up physical locations of the IP address
Getting ready
How to do it...
How it works...
There's more...
Finding fragmentation problems
Getting ready
How to do it...
How it works...
There's more...
Analyzing routing problems
Getting ready
How to do it...
How it works...
There's more...
Finding duplicate IPs
Getting ready
How to do it...
How it works...
There's more...
Analyzing DHCP problems
Getting ready
How to do it...
How it works...
There's more...
9. UDP/TCP Analysis
Introduction
Configuring TCP and UDP preferences for troubleshooting
Getting ready
How to do it...
UDP parameters
TCP parameters
How it works...
There's more…
TCP connection problems
Getting ready
How to do it...
How it works...
There's more…
TCP retransmission – where do they come from and why
Getting ready
How to do it...
Case 1 – retransmissions to many destinations
Case 2 – retransmissions on a single connection
Case 3 – retransmission patterns
Case 4 – retransmission due to a non-responsive application
Case 5 – retransmission due to delayed variations
Finding what it is
How it works...
Regular operation of the TCP Sequence/Acknowledge mechanism
What are TCP retransmissions and what do they cause
There's more...
See also
Duplicate ACKs and fast retransmissions
Getting ready
How to do it...
How it works...
There's more...
TCP out-of-order packet events
Getting ready
How to do it...
When will it happen?
How it works...
TCP Zero Window, Window Full, Window Change, and other Window indicators
Getting ready
How to do it...
TCP Zero Window, Zero Window Probe, and Zero Window Violation
TCP Window Update
TCP Window Full
How it works...
There's more…
TCP resets and why they happen
Getting ready
How to do it...
Cases in which reset is not a problem
Cases in which reset can indicate a problem
How it works...
10. HTTP and DNS
Introduction
Filtering DNS traffic
Getting ready
How to do it...
How it works...
There's more...
Analyzing regular DNS operations
Getting ready
How to do it...
How it works...
DNS operation
DNS namespace
The resolving process
There's more...
Analysing DNS problems
Getting ready
How to do it...
DNS cannot resolve a name
DNS slow responses
How it works...
There's more...
Filtering HTTP traffic
Getting ready
How to do it...
How it works...
HTTP methods
Status codes
There's more...
Configuring HTTP preferences
Getting ready
How to do it...
Custom HTTP headers fields
How it works...
There's more...
Analyzing HTTP problems
Getting ready
How to do it...
Informational codes
Success codes
Redirect codes
Client errors
Server errors
How it works...
There's more...
Exporting HTTP objects
Getting ready
How to do it...
How it works...
There's more...
HTTP flow analysis and the Follow TCP Stream window
Getting ready
How to do it...
How it works...
There's more...
Analyzing HTTPS traffic – SSL/TLS basics
Getting ready
How to do it...
How it works...
There's more...
11. Analyzing Enterprise Applications' Behavior
Introduction
Finding out what is running over your network
Getting ready
How to do it...
There's more...
Analyzing FTP problems
Getting ready
How to do it...
How it works...
There's more...
Analyzing e-mail traffic and troubleshooting e-mail problems – POP, IMAP, and SMTP
Getting ready
How to do it...
POP3 communications
SMTP communications
Some other methods and problems
How it works...
POP3
SMTP and SMTP error codes (RFC3463)
There's more...
Analyzing MS-TS and Citrix communications problems
Getting ready
How to do it...
How it works...
There's more…
Analyzing problems in the NetBIOS protocols
Getting ready
How to do it...
General tests
Specific issues
How it works...
There's more…
Example 1 – application freezing
Example 2 – broadcast storm caused by SMB
Analyzing database traffic and common problems
Getting ready
How to do it...
How it works...
There's more...
12. SIP, Multimedia, and IP Telephony
Introduction
Using Wireshark's features for telephony and multimedia analysis
Getting ready
How to do it...
How it works...
There's more...
Analyzing SIP connectivity
Getting ready
How to do it...
1xx codes – provisional/informational
2xx codes – success
3xx codes – redirection
4xx codes – client error
5xx codes – server error
6xx codes – global failure
How it works...
There's more...
Analyzing RTP/RTCP connectivity
Getting ready
How to do it...
How it works...
RTP principles of operation
The RTCP principle of operation
There's more...
Troubleshooting scenarios for video and surveillance applications
Getting ready
How to do it...
How it works...
There's more...
Troubleshooting scenarios for IPTV applications
Getting ready
How to do it...
How it works...
There's more...
Troubleshooting scenarios for video conferencing applications
Getting ready
How to do it...
Troubleshooting RTSP
Getting ready
How to do it...
How it works...
There's more...
13. Troubleshooting Bandwidth and Delay Problems
Introduction
Measuring total bandwidth on a communication link
Getting ready
How to do it...
How it works...
There's more...
Measuring bandwidth and throughput per user and per application over a network connection
Getting ready
How to do it...
How it works...
See also
Monitoring jitter and delay using Wireshark
Getting ready
How to do it...
How it works...
There's more...
Discovering delay/jitter-related application problems
Getting ready
How to do it...
How it works...
There's more...
14. Understanding Network Security
Introduction
Discovering unusual traffic patterns
Getting ready
How to do it...
How it works...
There's more...
See also
Discovering MAC- and ARP-based attacks
Getting ready
How to do it...
How it works...
There's more...
Discovering ICMP and TCP SYN/Port scans
Getting ready
How to do it...
How it works...
There's more...
See also
Discovering DoS and DDoS attacks
Getting ready
How to do it...
How it works...
There's more...
Locating smart TCP attacks
Getting ready
How to do it...
How it works...
There's more...
See also
Discovering brute-force and application attacks
Getting ready
How to do it...
How it works...
There's more...
A. Links, Tools, and Reading
Useful Wireshark links
tcpdump
Some additional tools
SNMP tools
SNMP platforms
The NetFlow, JFlow, and SFlow analyzers
HTTP debuggers
Syslog
Other stuff
Network analysers
Interesting websites
Books
3. Module 3
1. Welcome to the World of Packet Analysis with Wireshark
Introduction to Wireshark
A brief overview of the TCP/IP model
The layers in the TCP/IP model
An introduction to packet analysis with Wireshark
How to do packet analysis
What is Wireshark?
How it works
Capturing methodologies
Hub-based networks
The switched environment
ARP poisoning
Passing through routers
Why use Wireshark?
The Wireshark GUI
The installation process
Starting our first capture
Summary
Practice questions
2. Filtering Our Way in Wireshark
An introduction to filters
Capture filters
Why use capture filters
How to use capture filters
An example capture filter
Capture filters that use protocol header values
Display filters
Retaining filters for later use
Searching for packets using the Find dialog
Colorize traffic
Create new Wireshark profiles
Summary
Practice questions
3. Mastering the Advanced Features of Wireshark
The Statistics menu
Using the Statistics menu
Protocol Hierarchy
Conversations
Endpoints
Working with IO, Flow, and TCP stream graphs
IO graphs
Flow graphs
TCP stream graphs
Round-trip time graphs
Throughput graphs
The Time-sequence graph (tcptrace)
Follow TCP streams
Expert Infos
Command Line-fu
Summary
Exercise
4. Inspecting Application Layer Protocols
Domain name system
Dissecting a DNS packet
Dissecting DNS query/response
Unusual DNS traffic
File transfer protocol
Dissecting FTP communications
Passive mode
Active mode
Dissecting FTP packets
Unusual FTP
Hyper Text Transfer Protocol
How it works – request/response
Request
Response
Unusual HTTP traffic
Simple Mail Transfer Protocol
Usual versus unusual SMTP traffic
Session Initiation Protocol and Voice Over Internet Protocol
Analyzing VOIP traffic
Reassembling packets for playback
Unusual traffic patterns
Decrypting encrypted traffic (SSL/TLS)
Summary
Practice questions
5. Analyzing Transport Layer Protocols
The transmission control protocol
Understanding the TCP header and its various flags
How TCP communicates
How it works
Graceful termination
RST (reset) packets
Relative versus Absolute numbers
Unusual TCP traffic
How to check for different analysis flags in Wireshark
The User Datagram Protocol
A UDP header
How it works
The DHCP
The TFTP
Unusual UDP traffic
Summary
Practice questions
6. Analyzing Traffic in Thin Air
Understanding IEEE 802.11
Various modes in wireless communications
Wireless interference and strength
The IEEE 802.11 packet structure
RTS/CTS
Usual and unusual WEP – open/shared key communication
WEP-open key
The shared key
WPA-Personal
WPA-Enterprise
Decrypting WEP and WPA traffic
Summary
Practice questions
7. Network Security Analysis
Information gathering
PING sweep
Half-open scan (SYN)
OS fingerprinting
ARP poisoning
Analyzing brute force attacks
Inspecting malicious traffic
Solving real-world CTF challenges
Summary
Practice questions
8. Troubleshooting
Recovery features
The flow control mechanism
Troubleshooting slow Internet and network latencies
Client- and server-side latencies
Troubleshooting bottleneck issues
Troubleshooting application-based issues
Summary
Practice questions
9. Introduction to Wireshark v2
The intelligent scroll bar
Translation
Graph improvements
TCP streams
USBPcap
Summary
Practice questions
Bibliography
Index