Mastering Wireshark 2

By: Andrew Crouthamel
Overview of this book

Wireshark is a popular and powerful open source network protocol analyzer. It is mainly used to analyze the bits and bytes that flow through a network: it dissects protocols from the second (data link) layer up to the seventh (application) layer and presents the result in a form that people can read easily. Mastering Wireshark 2 helps you gain expertise in securing your network. We start with installing and setting up Wireshark 2, and then explore its interface in order to understand all of its functionality. As you progress through the chapters, you will discover different ways to create and use capture and display filters. By halfway through the book, you will have mastered Wireshark's features, analyzed the different layers of the protocol stack, and searched for anomalies. You'll learn about plugins and APIs in depth. Finally, the book focuses on packet analysis for security tasks, command-line utilities, and tools that manage trace files. By the end of the book, you'll have learned how to use Wireshark for network security analysis and how to configure it for troubleshooting.

TCP analysis I

In this section, we'll look at how TCP works, what is in the TCP header, and what the flags and options mean.

If you'd like to learn more about TCP, you can look at the RFC that's available from the IETF at

You're looking for RFC 793, the original 1981 TCP specification. It has been amended many times since (RFC 1122 and RFC 3168, which added the ECN flags, among others) and was formally obsoleted in 2022 by RFC 9293, which folds those updates into a single document; RFC 793 still describes the header layout that Wireshark dissects.

In the preceding screenshot, you can see the different sections of the IETF page, which provide some interactivity: you can click through to the RFCs that have updated the TCP specification, and if you scroll down, there is a table of contents. The RFC includes a diagram of the TCP header layout:

We have Source Port (16 bits); Destination Port (16 bits); Sequence Number (32 bits); Acknowledgment Number (32 bits); Data Offset (4 bits, the header length in 32-bit words, so a header is between 20 and 60 bytes); some Reserved bits; the control flags (URG, ACK, PSH, RST, SYN, and FIN from RFC 793, plus CWR and ECE added for ECN by RFC 3168); Window (16 bits); Checksum (16 bits); an Urgent Pointer (16 bits); and Options, a variable-length section. Padding then rounds the header up to a 32-bit boundary, followed by the actual data. Note that the Checksum is not just a header checksum: it covers the header, the data, and a pseudo-header built from the IP source and destination addresses, the protocol number, and the TCP length, so it can only be validated together with the enclosing IP header. Wireshark's TCP checksum validation is disabled by default, and if you capture on the sending host with checksum offload enabled, the NIC fills in the checksum after Wireshark has already copied the frame, so outgoing segments would show up as having bad checksums.
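The header layout above is easiest to remember once you have decoded a segment by hand. The following Python dissector is an added example, not code from the book or from the Wireshark project; the SYN segment it builds (ports, sequence number, option values) and the RFC 5737 documentation addresses are constructed for the demonstration. It unpacks the fixed 20-byte header, splits the Data Offset from the flag bits, walks the option TLVs (handling the length-less EOL and NOP kinds), and recomputes the checksum over the IPv4 pseudo-header, which is why the checksum cannot be checked from the TCP bytes alone.

```python
"""Hand-rolled TCP segment dissector (added example; not code from the book)."""
import struct
from dataclasses import dataclass

# Control bits in the low byte of the Data Offset/Reserved/Flags word.
# URG..FIN come from RFC 793; CWR and ECE were added for ECN by RFC 3168.
FLAG_BITS = [(0x080, "CWR"), (0x040, "ECE"), (0x020, "URG"), (0x010, "ACK"),
             (0x008, "PSH"), (0x004, "RST"), (0x002, "SYN"), (0x001, "FIN")]

# Option kinds labelled by name (subset); unknown kinds are shown by number.
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACK-Permitted",
                5: "SACK", 8: "Timestamps"}

# Constructed sample addresses from the RFC 5737 documentation ranges.
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([198, 51, 100, 5])


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int   # header length in 32-bit words (5..15)
    flags: list
    window: int
    checksum: int
    urgent_ptr: int
    options: list      # (kind, value bytes) in wire order
    payload: bytes


def parse_options(raw: bytes) -> list:
    """Walk the option TLVs. EOL (0) ends the list; NOP (1) has no length byte."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d is missing its length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def describe_options(options: list) -> list:
    """Render options roughly the way Wireshark's TCP option summary does."""
    out = []
    for kind, value in options:
        name = OPTION_NAMES.get(kind, "Kind%d" % kind)
        if kind in (2, 3):   # MSS and window scale carry a big-endian number
            out.append("%s=%d" % (name, int.from_bytes(value, "big")))
        else:
            out.append(name)
    return out


def parse_tcp(segment: bytes) -> TcpHeader:
    """Decode the fixed header, then options and payload according to Data Offset."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12          # top 4 bits of the 16-bit word
    hdr_len = data_offset * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("data offset %d does not fit the segment" % data_offset)
    flags = [name for bit, name in FLAG_BITS if off_flags & bit]
    return TcpHeader(src, dst, seq, ack, data_offset, flags, win, csum, urg,
                     parse_options(segment[20:hdr_len]), segment[hdr_len:])


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 793 checksum: ones'-complement sum over the IPv4 pseudo-header
    (src, dst, zero, protocol 6, TCP length) plus the whole segment, with the
    checksum field itself taken as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def verify_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    return tcp_checksum(src_ip, dst_ip, segment) == struct.unpack("!H", segment[16:18])[0]


def build_sample_syn() -> bytes:
    """Constructed SYN 54321 -> 443 with MSS, window scale and SACK-permitted options."""
    options = bytes([2, 4, 0x05, 0xB4,     # MSS = 1460
                     1,                    # NOP
                     3, 3, 7,              # WScale = 7
                     1, 1,                 # NOP, NOP (pad to a 32-bit boundary)
                     4, 2])                # SACK-Permitted
    data_offset = (20 + len(options)) // 4          # 8 words = 32 bytes
    off_flags = (data_offset << 12) | 0x002         # SYN only
    hdr = struct.pack("!HHIIHHHH", 54321, 443, 0x11223344, 0, off_flags, 65535, 0, 0)
    segment = hdr + options
    return segment[:16] + struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, segment)) + segment[18:]


if __name__ == "__main__":
    seg = build_sample_syn()
    h = parse_tcp(seg)
    print(h.src_port, "->", h.dst_port, h.flags, describe_options(h.options),
          "checksum ok" if verify_checksum(SRC_IP, DST_IP, seg) else "checksum BAD")
```

Flipping a single flag bit without recomputing the checksum makes `verify_checksum` fail, which is exactly the mismatch Wireshark reports when checksum validation is turned on for a capture taken off-host; a Data Offset smaller than 5 or larger than the captured bytes is rejected rather than trusted, the same sanity check a dissector must make before reading options.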

Go into Wireshark and select a TCP packet. We can see we have some TLS...