Book Image

Packet Analysis with Wireshark

By : ANISH NATH
Book Image

Packet Analysis with Wireshark

By: ANISH NATH

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Packet Analysis with Wireshark
ANISH NATH
Dec, 2015 | 172 pages
No titles found
Table of Contents (14 chapters)
Packet Analysis with Wireshark
Packet Analysis with Wireshark
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Packet Analyzers
Packet Analyzers
Uses for packet analyzers
Introducing Wireshark
Other packet analyzer tools
Summary
2
Capturing Packets
Capturing Packets
Guide to capturing packets
Troubleshooting
Wireshark user interface
Wireshark features
Tcpdump and snoop
References
Summary
3
Analyzing the TCP Network
Analyzing the TCP Network
Recapping TCP
TCP connection establishment and clearing
TCP data communication
TCP close sequence
Lab exercise
TCP troubleshooting
TCP latency issues
Wireshark TCP sequence analysis
References
Summary
4
Analyzing SSL/TLS
Analyzing SSL/TLS
An introduction to SSL/TLS
The SSL/TLS handshake
Key exchange
Decrypting SSL/TLS
Debugging issues
Summary
5
Analyzing Application Layer Protocols
Analyzing Application Layer Protocols
DHCPv6
BOOTP/DHCP
DNS
HTTP
References
Summary
6
WLAN Capturing
WLAN Capturing
WLAN capture setup
Analyzing the Wi-Fi networks
Wi-Fi sniffing products
Summary
7
Security Analysis
Security Analysis
Heartbleed bug
The DOS attack
Scanning
ARP duplicate IP detection
DrDoS
BitTorrent
Wireshark protocol hierarchy
Summary
Index
Index

Introducing Wireshark

Wireshark is perhaps one of the best open source packet analyzers available today. Wireshark is a powerful packet analyzer tool, with an easy-to-use, rich GUI and a command-line utility with very active community support: http://ask.wireshark.org.

Wireshark uses pcap (libpcap) to capture packets, which means it can capture packets in offline mode—to view the captured packets—and online mode (live traffic) to capture and display the traffic in the Wireshark GUI. Once open, the Wireshark GUI looks like this:

Wireshark features

We will see some of the important features that are available in Wireshark in the following figure:

Wireshark has the following cool built-in features, few of them are listed as follows:

  • Available in both UNIX and Windows

  • Ability to capture live packets from various types of interface

  • Filters packets with many criteria

  • Ability to decode larger sets of protocols

  • Can save and merge captured packets

  • Can create various statistics

  • User-friendly GUI and command-line interface

  • Active community support (http://ask.wireshark.org)

Wireshark's dumpcap and tshark

The Wireshark installation provides some command-line tools such as dumpcap and tshark. Wireshark and tshark rely on dumpcap to capture traffic; more advanced functionality is performed by tshark. Also note that dumpcap can be run as its own standalone utility. tshark is a command-line version of Wireshark and can be used in the remote terminal.

The Wireshark packet capture process

The user must be aware of where Wireshark is installed and it should be obliged with your organization policy before start capturing on the TAP (Test Access Point) or Switch Port Analyzer (SPAN) port.

Usually developers install Wireshark on their personal laptop/desktop and capture packets, which goes in-out from the box.

Certain guidelines should be followed to perform this:

  1. Make sure you're allowed to do what you're going to do; check your corporate policies before capturing a packet.

  2. The operating system must support packet capturing:

    • Linux packet socket support is enabled in the kernel by default

    • Windows requires WinPCap to be installed

  3. Choose the interface and enable the promiscuous mode on it. Promiscuous mode accepts all packets whether they are addressed to the interface or not.

  4. If using a Wi-Fi interface, enable the monitor mode for WLAN capturing.

  5. Start capturing and use Wireshark's different features like (filters/statistics/IO/save) for further analysis

Previous Section
End of Section 3
Next Section