
Mastering Wireshark

Overview of this book

Wireshark is a popular and powerful tool used to analyze the bits and bytes flowing through a network. Wireshark deals with layers two to seven of the network protocol stack, and the analysis it produces is presented in a human-readable form. Mastering Wireshark will help you raise your knowledge to an expert level. At the start of the book, you will be taught how to install Wireshark and will be introduced to its interface so you understand all its functionalities. Moving forward, you will discover different ways to create and use capture and display filters. Halfway through the book, you'll be mastering the features of Wireshark, analyzing different layers of the network protocol stack and looking for any anomalies. As you reach the end of the book, you will be taught how to use Wireshark for network security analysis and configure it for troubleshooting purposes.
Table of Contents (16 chapters)
Mastering Wireshark
Credits
About the Author
About the Reviewer
www.PacktPub.com
Preface
Index

Index

A

  • ACK packets / WEP-open key
  • Address Resolution Protocol (ARP)
    • about / The layers in the TCP/IP model
    • poisoning / ARP poisoning, ARP poisoning
  • advantages, Wireshark
    • user friendly / Why use Wireshark?
    • robustness / Why use Wireshark?
    • platform independent / Why use Wireshark?
    • filters / Why use Wireshark?
    • cost / Why use Wireshark?
    • support / Why use Wireshark?
  • application-based issues
    • troubleshooting / Troubleshooting application-based issues
  • association request/response / WEP-open key

B

  • Base Service Set Identifier (BSSID) / Various modes in wireless communications
  • bottleneck issues
    • troubleshooting / Troubleshooting bottleneck issues
  • BPF syntax
    • identifiers / How to use capture filters
    • qualifiers / How to use capture filters
  • brute force attacks
    • malicious traffic, inspecting / Inspecting malicious traffic
    • real-world CTF challenges, solving / Solving real-world CTF challenges

C

  • capture filters
    • using / Why use capture filters
    • using, techniques / How to use capture filters
    • example / An example capture filter
    • with protocol header values / Capture filters that use protocol header values
  • capturing methodologies
    • about / Capturing methodologies
    • hub-based networks / Hub-based networks
    • switched environment / The switched environment
    • ARP poisoning / ARP poisoning
    • passing, through routers / Passing through routers
    • first capture, starting / Starting our first capture
  • Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) / Various modes in wireless communications
  • client-side latency issues / Client- and server-side latencies
  • Command Line-fu
    • about / Command Line-fu
  • comparison operators
    • </lt / Display filters
    • ==/eq / Display filters
    • <=/le / Display filters
    • !=/ne / Display filters
    • >/gt / Display filters
    • >=/ge / Display filters
  • control frame
    • about / The IEEE 802.11 packet structure
    • Request-to-send (RTS) / The IEEE 802.11 packet structure
    • Clear-to-send (CTS) / The IEEE 802.11 packet structure
    • Acknowledgement (ACK) / The IEEE 802.11 packet structure
  • Conversations
    • about / Conversations
  • cyclic redundancy check (CRC) / The IEEE 802.11 packet structure

D

  • deauthentication packet / WPA-Enterprise
  • disassociation packet / WPA-Enterprise
  • display filters
    • about / Display filters
    • retaining, for later use / Retaining filters for later use
  • distribution system (DS) / The IEEE 802.11 packet structure
  • DNS error code
    • URL / Troubleshooting application-based issues
  • DNS packet
    • dissecting / Dissecting a DNS packet
  • Domain Name Service (DNS) / How it works
  • domain name system (DNS)
    • about / Domain name system
    • packet, dissecting / Dissecting a DNS packet
    • packet, fields / Dissecting a DNS packet
    • query/response, dissecting / Dissecting DNS query/response
    • unusual DNS traffic / Unusual DNS traffic
  • Dynamic Host Configuration Protocol (DHCP) / The DHCP
  • Dynamic Host Control Protocol (DHCP) / How it works

E

  • encrypted traffic (SSL/TLS)
    • decrypting / Decrypting encrypted traffic (SSL/TLS)
  • endpoints
    • about / Endpoints
  • Expert Info dialog
    • about / Expert Infos
    • Chat section / Expert Infos
    • Note section / Expert Infos
    • warning messages / Expert Infos
    • error section / Expert Infos
    • details / Expert Infos
    • Packet Comments / Expert Infos
  • Extended passive (EPSV) mode / Passive mode
  • Extended Port (EPRT) / Active mode

F

  • fields, domain name system (DNS) packet
    • Transaction ID / Dissecting a DNS packet
    • Query/response / Dissecting a DNS packet
    • Flag bits / Dissecting a DNS packet
    • Response code / Dissecting a DNS packet
    • Questions / Dissecting a DNS packet
    • Answers / Dissecting a DNS packet
    • Authority RRs / Dissecting a DNS packet
    • Additional RRs / Dissecting a DNS packet
    • Query section / Dissecting a DNS packet
    • Answer section / Dissecting a DNS packet
    • Type / Dissecting a DNS packet
    • Additional info / Dissecting a DNS packet
  • fields, TCP header
    • window size / Understanding the TCP header and its various flags
    • checksum / Understanding the TCP header and its various flags
    • urgent pointer / Understanding the TCP header and its various flags
    • options / Understanding the TCP header and its various flags
    • data / Understanding the TCP header and its various flags
  • file transfer protocol (FTP)
    • about / File transfer protocol
    • communications, dissecting / Dissecting FTP communications
    • packets, dissecting / Dissecting FTP packets
    • unusual FTP / Unusual FTP
  • File Transfer Protocol (FTP) / The layers in the TCP/IP model
  • filters
    • display filters / Display filters
  • Find dialog
    • used, for searching for packets / Searching for packets using the Find dialog
  • flags, TCP
    • SYN (synchronize) / Understanding the TCP header and its various flags
    • ACK (acknowledgement) / Understanding the TCP header and its various flags
    • RST (reset) / Understanding the TCP header and its various flags
    • FIN (finish) / Understanding the TCP header and its various flags
    • PSH (push) / Understanding the TCP header and its various flags
    • URG (urgent) / Understanding the TCP header and its various flags
    • CWR (congestion window reduced) / Understanding the TCP header and its various flags
  • flow control mechanism / The flow control mechanism
  • flow graphs
    • about / Flow graphs
  • FTP communications
    • dissecting / Dissecting FTP communications
    • passive mode / Passive mode
    • active mode / Active mode
  • FTP packets
    • Dissecting / Dissecting FTP packets

G

  • Google
    • reference link / Dissecting DNS query/response, Unusual DNS traffic
  • graph improvements / Graph improvements

H

  • half-open scan (SYN)
    • performing / Half-open scan (SYN)
    • open state / Half-open scan (SYN)
    • closed state / Half-open scan (SYN)
    • filtered state / Half-open scan (SYN)
  • header fields, TCP
    • source port / Understanding the TCP header and its various flags
    • destination port / Understanding the TCP header and its various flags
    • sequence number / Understanding the TCP header and its various flags
    • acknowledgement number / Understanding the TCP header and its various flags
    • data offset / Understanding the TCP header and its various flags
  • header types, IEEE 802.11 packet structure
    • management frames / The IEEE 802.11 packet structure
    • control frames / The IEEE 802.11 packet structure
    • data frames / The IEEE 802.11 packet structure
  • HTTP error code
    • URL / Troubleshooting application-based issues
  • HUB / Hub-based networks
  • hub-based networks / Hub-based networks
  • hubbing out / The switched environment
  • Hyper Text Transfer Protocol (HTTP) / The layers in the TCP/IP model
    • about / Hyper Text Transfer Protocol
    • working / How it works – request/response
    • request / Request
    • response / Response
    • unusual HTTP traffic / Unusual HTTP traffic

I

  • IEEE 802.11
    • about / Understanding IEEE 802.11
    • standards / Understanding IEEE 802.11
    • wireless communications, modes / Various modes in wireless communications
    • station (STA) / Various modes in wireless communications
    • wireless access point (AP) / Various modes in wireless communications
    • basic service set (BSS) / Various modes in wireless communications
    • extended service set (ESS) / Various modes in wireless communications
    • independent basic service set (IBSS) / Various modes in wireless communications
    • distribution system (DS) / Various modes in wireless communications
    • packet structure / The IEEE 802.11 packet structure
  • information gathering
    • about / Information gathering
    • PING sweep, performing / PING sweep
    • half-open scan (SYN), performing / Half-open scan (SYN)
    • OS fingerprinting / OS fingerprinting
  • Initial Sequence Numbers (ISN) / How it works
  • Internet Protocol (TCP) / How it works
  • IO graph
    • creating / Graph improvements
  • IO graphs
    • working with / Working with IO, Flow, and TCP stream graphs
    • about / IO graphs

L

  • layers, TCP/IP model
    • about / The layers in the TCP/IP model
    • Application Layer / The layers in the TCP/IP model
    • Transport Layer / The layers in the TCP/IP model
    • Internet layer / The layers in the TCP/IP model
    • Link Layer / The layers in the TCP/IP model
  • logical operators
    • AND/&& / Display filters
    • OR/|| / Display filters
    • NOT/! / Display filters

M

  • malicious traffic
    • inspecting / Inspecting malicious traffic
  • management frames
    • about / The IEEE 802.11 packet structure
    • beacon frame / The IEEE 802.11 packet structure
    • authentication frame / The IEEE 802.11 packet structure
    • association request frame / The IEEE 802.11 packet structure
    • association response frame / The IEEE 802.11 packet structure
    • deauthentication frame / The IEEE 802.11 packet structure
    • disassociation frame / The IEEE 802.11 packet structure
    • probe request frame / The IEEE 802.11 packet structure
    • probe response frame / The IEEE 802.11 packet structure
    • reassociation (request/response) frame / The IEEE 802.11 packet structure
  • Master Key exchange / WPA-Enterprise
  • maximum segment size (MSS) / Understanding the TCP header and its various flags
  • Message integrity check (MIC) / WPA-Personal
  • MetaGeek
    • reference link / Wireless interference and strength
  • modes, wireless communications
    • about / Various modes in wireless communications
    • infrastructure/managed mode / Various modes in wireless communications
    • Ad Hoc mode / Various modes in wireless communications
    • master mode / Various modes in wireless communications
    • monitor mode / Various modes in wireless communications
    • wireless interference / Wireless interference and strength
    • strength / Wireless interference and strength
  • Multiple-Input Multiple-Output (MIMO) / Understanding IEEE 802.11

N

  • Name Resolution
    • about / Endpoints
  • Network Interface Card (NIC) / The layers in the TCP/IP model
    • about / Endpoints
  • network latencies
    • troubleshooting / Troubleshooting slow Internet and network latencies
  • Nmap
    • reference link / Half-open scan (SYN)
  • Null Function packets / WEP-open key

O

  • Orthogonal Frequency Division Multiplexing (OFDM) / Understanding IEEE 802.11
  • OS fingerprinting
    • about / OS fingerprinting
    • active fingerprinting / OS fingerprinting
    • passive fingerprinting / OS fingerprinting

P

  • packet analysis
    • with Wireshark / An introduction to packet analysis with Wireshark
  • packet analysis, Wireshark used
    • about / An introduction to packet analysis with Wireshark
    • aspects / An introduction to packet analysis with Wireshark
    • performing / How to do packet analysis
  • packets
    • searching, Find dialog used / Searching for packets using the Find dialog
    • traffic colorization / Colorize traffic
  • packet structure, IEEE 802.11
    • about / The IEEE 802.11 packet structure
    • RTS/CTS / RTS/CTS
  • Pairwise Transient Key (PTK) / WPA-Personal
  • Password-based key derivation function (PBKDF2) / Summary
  • ping sweep attack
    • performing / PING sweep
  • Point to Point (PPP) / The layers in the TCP/IP model
  • port mirroring / The switched environment
  • Pre Shared Key (PSK) / WPA-Personal
  • processes, protocol analyzer
    • collect / How it works
    • convert / How it works
    • analyze / How it works
  • Protocol data unit (PDU) / The layers in the TCP/IP model
  • Protocol Hierarchy
    • about / Protocol Hierarchy

Q

  • QOS data packet / WEP-open key
  • qualifiers
    • type / How to use capture filters
    • direction / How to use capture filters
    • proto / How to use capture filters

R

  • Radio Frequency (RF) / Wireless interference and strength
  • Radio Frequency Monitor Mode (RFMON) / Various modes in wireless communications
  • RADIUS server / WPA-Enterprise
  • Read filter
    • about / Command Line-fu
  • real-world CTF challenges
    • solving / Solving real-world CTF challenges
  • Real-time Transport Protocol (RTP) / Session Initiation Protocol and Voice Over Internet Protocol
  • receive sequence counter (RSC) / WPA-Personal
  • recovery features
    • flow control mechanism / The flow control mechanism
    • slow Internet, troubleshooting / Troubleshooting slow Internet and network latencies
    • network latencies, troubleshooting / Troubleshooting slow Internet and network latencies
    • client-side latency issues / Client- and server-side latencies
    • server-side latency issues / Client- and server-side latencies
    • bottleneck issues, troubleshooting / Troubleshooting bottleneck issues
    • application-based issues, troubleshooting / Troubleshooting application-based issues
  • Request-to-send (RTS) frame / The IEEE 802.11 packet structure
  • routers
    • passing through / Passing through routers

S

  • Secure File Transfer Protocol (SFTP) / Dissecting FTP packets
  • server-side latency issues / Client- and server-side latencies
  • Service Set Identifier (SSID) / Various modes in wireless communications
  • Session Initiation Protocol (SIP) / Session Initiation Protocol and Voice Over Internet Protocol
  • Simple Mail Transfer Protocol (SMTP) / The layers in the TCP/IP model
    • about / Simple Mail Transfer Protocol
    • usual, versus unusual SMTP traffic / Usual versus unusual SMTP traffic
    • Session Initiation Protocol (SIP) / Session Initiation Protocol and Voice Over Internet Protocol
    • Voice Over Internet Protocol (VOIP) / Session Initiation Protocol and Voice Over Internet Protocol
    • Voice Over Internet Protocol (VOIP) traffic, analyzing / Analyzing VOIP traffic
    • unusual traffic patterns / Unusual traffic patterns
    • encrypted traffic (SSL/TLS), decrypting / Decrypting encrypted traffic (SSL/TLS)
  • Simple Network Management Protocol (SNMP) / The layers in the TCP/IP model
  • slow Internet
    • troubleshooting / Troubleshooting slow Internet and network latencies
  • STA / WPA-Enterprise
  • standards, IEEE 802.11
    • about / Understanding IEEE 802.11
    • 802.11 / Understanding IEEE 802.11
    • 802.11b / Understanding IEEE 802.11
    • 802.11a / Understanding IEEE 802.11
    • 802.11g / Understanding IEEE 802.11
    • 802.11n / Understanding IEEE 802.11
  • Statistics menu
    • about / The Statistics menu
    • using / Using the Statistics menu
    • Protocol Hierarchy / Protocol Hierarchy
  • switched environment / The switched environment

T

  • TCP / The layers in the TCP/IP model
    • about / The transmission control protocol
    • header / Understanding the TCP header and its various flags
    • flags / Understanding the TCP header and its various flags
    • communicating / How TCP communicates
    • working / How it works
    • graceful termination / Graceful termination
    • RST (reset) packets / RST (reset) packets
    • relative, versus absolute numbers / Relative verses Absolute numbers
    • unusual TCP traffic / Unusual TCP traffic
    • analysis flags, checking in Wireshark / How to check for different analysis flags in Wireshark
  • TCP/IP model
    • overview / A brief overview of the TCP/IP model
    • layers / The layers in the TCP/IP model
  • TCP sliding window mechanism / The flow control mechanism
  • TCP stream graphs
    • about / TCP stream graphs
    • Round-trip time (RTT) / Round-trip time graphs
    • Throughput graphs / Throughput graphs
    • Time-Sequence graph (tcptrace) / The Time-sequence graph (tcptrace)
  • TCP streams / TCP streams
    • following / Follow TCP streams
  • Temporal Key Integrity Protocol (TKIP) / WPA-Personal
  • three-way handshake / The transmission control protocol
  • translation / Translation
  • Transmission Control Protocol (TCP) / How it works
  • Trivial File Transfer Protocol (TFTP) / The TFTP

U

  • UDP / The layers in the TCP/IP model
    • about / The User Datagram Protocol
    • header / A UDP header
    • working / How it works
    • Dynamic Host Configuration Protocol (DHCP) / The DHCP
    • Trivial File Transfer Protocol (TFTP) / The TFTP
    • unusual traffic / Unusual UDP traffic
  • UDP header
    • about / A UDP header
    • source port field / A UDP header
    • destination port field / A UDP header
    • packet length field / A UDP header
    • checksum field / A UDP header
  • Uniform Resource Locator (URL) / Request
  • unusual FTP / Unusual FTP
  • USBPcap
    • about / USBPcap
  • usual SMTP traffic
    • versus unusual SMTP traffic / Usual versus unusual SMTP traffic

V

  • VirusTotal
    • reference link / Inspecting malicious traffic
  • Voice Over Internet Protocol (VOIP)
    • about / Session Initiation Protocol and Voice Over Internet Protocol
    • traffic, analyzing / Analyzing VOIP traffic
    • packets, reassembling for playback / Reassembling packets for playback
  • VOIP traffic
    • analyzing / Analyzing VOIP traffic
    • packets, reassembling for playback / Reassembling packets for playback

W

  • WEP
    • open key / Usual and unusual WEP – open/shared key communication, WEP-open key
    • shared key / Usual and unusual WEP – open/shared key communication, The shared key
    • about / Usual and unusual WEP – open/shared key communication
    • personal / WPA-Personal
    • traffic, decrypting / Decrypting WEP and WPA traffic
  • Wi-Fi Protected Access (WPA)
    • about / WPA-Personal
    • enterprise / WPA-Enterprise
    • traffic, decrypting / Decrypting WEP and WPA traffic
  • Wireshark
    • about / Introduction to Wireshark, What is Wireshark?
    • packet analysis / An introduction to packet analysis with Wireshark
    • reference link / What is Wireshark?, Passing through routers, Summary
    • working / How it works
    • advantages / Why use Wireshark?
    • Statistics menu / The Statistics menu
    • analysis flags, checking / How to check for different analysis flags in Wireshark
  • Wireshark GUI
    • about / The Wireshark GUI
    • installation process / The installation process
  • Wireshark profiles
    • creating / Create new Wireshark profiles
  • Wireshark v2
    • translation / Translation
    • graph improvements / Graph improvements
    • TCP streams / TCP streams
    • USBPcap / USBPcap

Z

  • Zero window notification / The flow control mechanism