Instant Traffic Analysis with Tshark How-to

By: Borja Merino

Overview of this book

Malware, DoS attacks, SQLi, and data exfiltration are some of the problems that many security officers have to face every day. Having advanced knowledge in communications and protocol analysis is therefore essential to investigate and detect any of these attacks. Tshark is the ideal tool for professionals who wish to meet these needs, or students who want to delve into the world of networking.

Instant Traffic Analysis with Tshark How-to is a practical, hands-on guide for network administrators and security officers who want to take advantage of the filtering features provided by Tshark, the command-line version of Wireshark. With this guide you will learn how to get the most out of Tshark from environments lacking a GUI, ideal for example in Unix/Linux servers, offering you much flexibility to identify and display network traffic.

The book begins by explaining the basic theoretical concepts of Tshark and the process of data collection. Subsequently, you will see several alternatives to capture traffic based on network infrastructure and the goals of the network administrator. The rest of the book will focus on explaining the most interesting parameters of the tool from a totally practical standpoint.

You will also learn how to decode protocols and how to get evidence of suspicious network traffic. You will become familiar with the many practical filters of Tshark that identify malware-infected computers and many network attacks such as DoS attacks, DHCP/ARP spoof, and DNS flooding. Finally, you will see some tricks to automate certain tasks with Tshark and Python scripts.

You will learn everything you need to get the most out of Tshark and overcome a wide range of network problems. In addition you will learn a variety of concepts related to networking and network attacks currently exploited.

Preface

One of the main tasks of any network administrator or security officer is traffic analysis. Skill in the use of protocol analysis tools is essential to locate and limit network problems, resolve security incidents, check the correct operation of routing protocols, test applications using sockets, and so on. Tshark, the command-line version of Wireshark, is the ideal tool for professionals who wish to meet those needs or students who want to delve into the world of networking and understand in more depth the operation of TCP/IP network protocols. With Tshark, you can take advantage of all the filtering features provided by Wireshark from environments lacking a GUI, ideal for example in Unix/Linux servers, offering you great flexibility to identify and display network traffic. This book develops the full potential of this tool from a completely practical standpoint, using real examples that represent the everyday life of many professionals dedicated to the world of security and communications.

What this book covers

Capturing data with Tshark (Must know) explains basic theoretical concepts about Tshark and the process of data collection. It also explains how to configure Tshark to capture traffic with the appropriate permissions without exposing the system to possible vulnerabilities.

Capturing traffic (Must know) explains some of the options for data collection. Each of the alternatives depends on the network infrastructure and the objectives of the analyst.

Delimiting network problems (Should know) offers practical examples to help us define and identify specific network traffic, in order to quickly locate the source of many networking problems.

Implementing useful filters (Should know) presents useful examples that respond to many needs for both the network administrator and the security officer.

Decoding protocols (Become an expert) explains how to force Tshark to use a particular dissector. We also discuss how to decrypt SSL traffic.

Auditing network attacks (Become an expert) shows examples of filters to identify common network attacks: ARP-spoof, DoS attacks, DHCP/DNS spoof, and so on. Identifying such incidents quickly helps you take the necessary countermeasures to mitigate such attacks.

Analyzing network forensic data (Become an expert) explains how to obtain evidence from suspicious network traffic. We will look at tunneling techniques to attempt to circumvent security mechanisms (ICMP exfiltration, UDP tunnels, and so on) in addition to other post-exploitation attacks.

Auditing network applications (Must know) provides examples to help audit and understand the behavior of applications that make use of sockets.

Analyzing malware traffic (Must know) provides examples of filters that will help identify computers infected with malware. Likewise, we'll see how, with the help of Tshark, we can generate signatures that block connections to C&C servers.

Automating tasks (Must know) explains some tricks to automate certain tasks with Tshark and Python scripts.

What you need for this book

You will need a Windows or Linux machine, either physical or virtual. All that is required is to install Wireshark, available from its official website (http://www.wireshark.org/). The package contains a suite of tools including Tshark. For Windows, the installer will guide you to download WinPcap (the libpcap version for Windows). The Wireshark distribution also includes various command-line tools for working with capture files. Some of these tools (Editcap, Mergecap, Text2pcap, Capinfos, and so on) will be used at some points in the How-to. To carry out the examples shown in the book, the latest version of Tshark (1.8.4) has been compiled on an Ubuntu 12.04 machine.

Who this book is for

The book is intended for network administrators and security officers who have to deal daily with a variety of network problems and security incidents. Also, the book will be a good support for Cisco students wishing to implement and understand in greater depth many theoretical concepts related to traffic data and communications.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text are shown as follows: "We can include other contexts through the use of the include directive."

Any command-line input or output is written as follows:

root@Mordor:~# groupadd tshark
root@Mordor:~# usermod -a -G tshark bmerino
root@Mordor:~# chgrp tshark /usr/bin/dumpcap

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes, for example, appear in the text like this: "Since each of the packets sent to the server contains random values, we will look for the last Command not found server reply".

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to , and mention the book title via the subject of your message.

If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or e-mail .

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at if you are having a problem with any aspect of the book, and we will do our best to address it.