Book Image

Network Analysis using Wireshark Cookbook

By : Yoram Orzach
Book Image

Network Analysis using Wireshark Cookbook

By: Yoram Orzach

Overview of this book

Is your network slow? Are your users complaining? Disconnections? IP Telephony problems? Video freezes? Network analysis is the process of isolating these problems and fixing them, and Wireshark has long been the most popular network analyzer for achieving this goal. Based on hundreds of solved cases, Network Analysis using Wireshark Cookbook provides you with practical recipes for effective Wireshark network analysis to analyze and troubleshoot your network. "Network analysis using Wireshark Cookbook" highlights the operations of Wireshark as a network analyzer tool. This book provides you with a set of practical recipes to help you solve any problems in your network using a step-by-step approach. "Network analysis using Wireshark Cookbook" starts by discussing the capabilities of Wireshark, such as the statistical tools and the expert system, capture and display filters, and how to use them. The book then guides you through the details of the main networking protocols, that is, Ethernet, LAN switching, and TCP/IP, and then discusses the details of application protocols and their behavior over the network. Among the application protocols that are discussed in the book are standard Internet protocols like HTTP, mail protocols, FTP, and DNS, along with the behavior of databases, terminal server clients, Citrix, and other applications that are common in the IT environment. In a bottom-up troubleshooting approach, the book goes up through the layers of the OSI reference model explaining how to resolve networking problems. The book starts from Ethernet and LAN switching, through IP, and then on to TCP/UDP with a focus on TCP performance problems. It also focuses on WLAN security. Then, we go through application behavior issues including HTTP, mail, DNS, and other common protocols. The book finishes with a look at network forensics and how to search and find security problems that might harm the network.

Related Content you might be interested in

Current Title:

Small book image
Network Analysis using Wireshark Cookbook
Yoram Orzach
Dec, 2013 | 452 pages
No titles found
Table of Contents (23 chapters)
Network Analysis Using Wireshark Cookbook
Network Analysis Using Wireshark Cookbook
Credits
Credits
About the Author
About the Author
Acknowledgments
Acknowledgments
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Introducing Wireshark
Introducing Wireshark
Introduction
Locating Wireshark
Starting the capture of data
Configuring the start window
Using time values and summaries
Configuring coloring rules and navigation techniques
Saving, printing, and exporting data
Configuring the user interface in the Preferences menu
Configuring protocol preferences
2
Using Capture Filters
Using Capture Filters
Introduction
Configuring capture filters
Configuring Ethernet filters
Configuring host and network filters
Configuring TCP/UDP and port filters
Configuring compound filters
Configuring byte offset and payload matching filters
3
Using Display Filters
Using Display Filters
Introduction
Configuring display filters
Configuring Ethernet, ARP, host, and network filters
Configuring TCP/UDP filters
Configuring specific protocol filters
Configuring substring operator filters
Configuring macros
4
Using Basic Statistics Tools
Using Basic Statistics Tools
Introduction
Using the Summary tool from the Statistics menu
Using the Protocol Hierarchy tool from the Statistics menu
Using the Conversations tool from the Statistics menu
Using the Endpoints tool from the Statistics menu
Using the HTTP tool from the Statistics menu
Configuring Flow Graph for viewing TCP flows
Creating IP-based statistics
5
Using Advanced Statistics Tools
Using Advanced Statistics Tools
Introduction
Configuring IO Graphs with filters for measuring network performance issues
Throughput measurements with IO Graph
Advanced IO Graph configurations with advanced Y-Axis parameters
Getting information through TCP stream graphs – the Time-Sequence (Stevens) window
Getting information through TCP stream graphs – the Time-Sequence (tcp-trace) window
Getting information through TCP stream graphs – the Throughput Graph window
Getting information through TCP stream graphs – the Round Trip Time window
Getting information through TCP stream graphs – the Window Scaling Graph window
6
Using the Expert Infos Window
Using the Expert Infos Window
Introduction
The Expert Infos window and how to use it for network troubleshooting
Error events and understanding them
Warning events and understanding them
Notes events and understanding them
7
Ethernet, LAN Switching, and Wireless LAN
Ethernet, LAN Switching, and Wireless LAN
Introduction
Discovering broadcast and error storms
Analyzing Spanning Tree Protocols
Analyzing VLANs and VLAN tagging issues
Analyzing wireless (Wi-Fi) problems
8
ARP and IP Analysis
ARP and IP Analysis
Introduction
Analyzing connectivity problems with ARP
Using IP traffic analysis tools
Using GeoIP to look up physical locations of the IP address
Finding fragmentation problems
Analyzing routing problems
Finding duplicate IPs
Analyzing DHCP problems
9
UDP/TCP Analysis
UDP/TCP Analysis
Introduction
Configuring TCP and UDP preferences for troubleshooting
TCP connection problems
TCP retransmission – where do they come from and why
Duplicate ACKs and fast retransmissions
TCP out-of-order packet events
TCP Zero Window, Window Full, Window Change, and other Window indicators
TCP resets and why they happen
10
HTTP and DNS
HTTP and DNS
Introduction
Filtering DNS traffic
Analyzing regular DNS operations
Analysing DNS problems
Filtering HTTP traffic
Configuring HTTP preferences
Analyzing HTTP problems
Exporting HTTP objects
HTTP flow analysis and the Follow TCP Stream window
Analyzing HTTPS traffic – SSL/TLS basics
11
Analyzing Enterprise Applications' Behavior
Analyzing Enterprise Applications' Behavior
Introduction
Finding out what is running over your network
Analyzing FTP problems
Analyzing e-mail traffic and troubleshooting e-mail problems – POP, IMAP, and SMTP
Analyzing MS-TS and Citrix communications problems
Analyzing problems in the NetBIOS protocols
Analyzing database traffic and common problems
12
SIP, Multimedia, and IP Telephony
SIP, Multimedia, and IP Telephony
Introduction
Using Wireshark's features for telephony and multimedia analysis
Analyzing SIP connectivity
Analyzing RTP/RTCP connectivity
Troubleshooting scenarios for video and surveillance applications
Troubleshooting scenarios for IPTV applications
Troubleshooting scenarios for video conferencing applications
Troubleshooting RTSP
13
Troubleshooting Bandwidth and Delay Problems
Troubleshooting Bandwidth and Delay Problems
Introduction
Measuring total bandwidth on a communication link
Measuring bandwidth and throughput per user and per application over a network connection
Monitoring jitter and delay using Wireshark
Discovering delay/jitter-related application problems
14
Understanding Network Security
Understanding Network Security
Introduction
Discovering unusual traffic patterns
Discovering MAC- and ARP-based attacks
Discovering ICMP and TCP SYN/Port scans
Discovering DoS and DDoS attacks
Locating smart TCP attacks
Discovering brute-force and application attacks
Links, Tools, and Reading
Links, Tools, and Reading
Useful Wireshark links
tcpdump
Some additional tools
Network analysers
Interesting websites
Books
Index
Index

Configuring the start window

In this recipe we will see some basic configurations for the start window. We will talk about configuring the main window, file formats, and viewing options.

Getting ready

Start Wireshark, and you will get the start window. There are several parameters you can change here in order to adapt the capture window to meet your requirements:

  • Toolbars configuration

  • Main window configuration

  • Time format configuration

  • Name resolution

  • Colorize packet list

  • Auto scroll in live capture

  • Zoom

  • Columns configuration

  • Coloring rules

First, let's have a look at the toolbars that are used by the software:

For operations with the other toolbars as follows, which are covered in the coming subsections in this recipe:

  • Main Toolbar

  • Display Filter Toolbar

  • Status Bar

Main Toolbar

In the main toolbar you have the icons shown in the following screenshot:

The five leftmost symbols are for capture operations, then you have symbols for file operations, zoom and "go to packet" operations, colorize and auto-scroll, zoom and resize, filters, preferences, and help.

Display Filter Toolbar

In the filter toolbar, you have the following fields:

Status Bar

In the status bar on the lower side of the Wireshark window, you can see the data shown in the following screenshot:

In the preceding screenshot you can see the following:

  • Errors in the expert system

  • The option to add a comment to the file

  • The name of the captured file (during capture, it will show you a temporary name assigned by the software)

  • Total number of captured packets, displayed packets (those which are actually displayed on the screen), and marked packets (those that you have marked).

How to do it...

In this part we will go step by step and configure the main menu.

Configuring toolbars

Usually for regular packet capture, you don't have to change anything. This is different when you want to capture wireless data over the network (not only from your laptop); you will have to enable the wireless toolbar, and this will be done by clicking on it under the view menu, as shown in the following screenshot:

Configuring the main window

To configure the main menu for capturing, you can configure Wireshark to show the following windows:

In most of the cases you will not need to change anything here. In some cases, you can cancel the packet bytes when you don't need to see them, and you will get more "space" for the packet list and details.

Name Resolution

Name Resolution is the translation of layer 2 (MAC addresses), layer 3 (IP addresses), and layer 4 (Port numbers) into meaningful information.

In the preceding screenshot, we see the MAC address 60:d8:19:c7:8e:73 (from Hon Hai Precision Ind., used by Lenovo), the website (that is, Packtpub.com), and the HTTP port number (that is 80).

Colorizing the packet list

Usually you start a capture in order to establish a baseline profile of what normal traffic looks like on your network. During the capture, you look at the captured data and you might find a TCP connection, IP or Ethernet connectivity that are suspects, and you want to see them in another color.

To do so, right-click on the packet that belongs to the conversation you want to color, choose Ethernet, IP, or TCP/UDP (the appearance of TCP or UDP will depend on the packet), and choose the color for the conversation.

In the example you see that we want to color a Transport Layer Security (TLS) conversation.

For canceling the coloring rule:

  1. Go to the View menu.

  2. In the lower part of the menu, choose Reset Coloring 1-10 or simply click on Ctrl + Space bar.

Auto scrolling in live capture

To configure Wireshark to auto-scroll the packets as it captures them, do the following:

  1. Go to the View menu.

  2. Mark the Auto Scroll in Live Capture item.

  3. Zoom

For zooming in and out:

  1. Go to the View menu.

  2. Click on Zoom In or press Ctrl + + to zoom in.

  3. Click on Zoom Out or press Ctrl + - to zoom out.

Previous Section
End of Section 5
Next Section