Book Image

Network Analysis using Wireshark 2 Cookbook - Second Edition

By : Nagendra Kumar Nainar, Yoram Orzach, Yogesh Ramdoss

Book Image

Network Analysis using Wireshark 2 Cookbook - Second Edition

By: Nagendra Kumar Nainar, Yoram Orzach, Yogesh Ramdoss

Overview of this book

This book contains practical recipes on troubleshooting a data communications network. This second version of the book focuses on Wireshark 2, which has already gained a lot of traction due to the enhanced features that it offers to users. The book expands on some of the subjects explored in the first version, including TCP performance, network security, Wireless LAN, and how to use Wireshark for cloud and virtual system monitoring. You will learn how to analyze end-to-end IPv4 and IPv6 connectivity failures for Unicast and Multicast traffic using Wireshark. It also includes Wireshark capture files so that you can practice what you’ve learned in the book. You will understand the normal operation of E-mail protocols and learn how to use Wireshark for basic analysis and troubleshooting. Using Wireshark, you will be able to resolve and troubleshoot common applications that are used in an enterprise network, like NetBIOS and SMB protocols. Finally, you will also be able to measure network parameters, check for network problems caused by them, and solve them effectively. By the end of this book, you’ll know how to analyze traffic, find patterns of various offending traffic, and secure your network from them.

Preface

Who this book is for

What this book covers

To get the most out of this book

Free Chapter

Introduction to Wireshark Version 2

Introduction to Wireshark Version 2

Wireshark Version 2 basics

Locating Wireshark

Capturing data on virtual machines

Starting the capture of data

Configuring the start window

Mastering Wireshark for Network Troubleshooting

Mastering Wireshark for Network Troubleshooting

Configuring the user interface, and global and protocol preferences

Importing and exporting files

Configuring coloring rules and navigation techniques

Using time values and summaries

Building profiles for troubleshooting

Using Capture Filters

Using Capture Filters

Configuring capture filters

Configuring Ethernet filters

Configuring hosts and network filters

Configuring TCP/UDP and port filters

Configuring compound filters

Configuring byte offset and payload matching filters

Using Display Filters

Using Display Filters

Configuring display filters

Configuring Ethernet, ARP, host, and network filters

Configuring TCP/UDP filters

Configuring specific protocol filters

Configuring substring operator filters

Configuring macros

Using Basic Statistics Tools

Using Basic Statistics Tools

Using the statistics – capture file properties menu

Using the statistics – resolved addresses

Using the statistics – protocol hierarchy menu

Using the statistics – conversations menu

Using the statistics – endpoints menu

Using the statistics – HTTP menu

Configuring a flow graph for viewing TCP flows

Creating IP-based statistics

Using Advanced Statistics Tools

Using Advanced Statistics Tools

Configuring I/O graphs with filters for measuring network performance issues

Throughput measurements with I/O graphs

Advanced I/O graph configurations with y axis parameters

Getting information through TCP stream graphs – time/sequence (Steven's) window

Getting information through TCP stream graphs – time/sequences (TCP-trace) window

Getting information through TCP stream graphs – throughput window

Getting information through TCP stream graphs – round-trip-time window

Getting information through TCP stream graphs – window-scaling window

Using the Expert System

Using the Expert System

The expert system window and how to use it for network troubleshooting

Error events and what we can understand from them

Warning events and what we can understand from them

Note events and what we can understand from them

Ethernet and LAN Switching

Ethernet and LAN Switching

Discovering broadcast and error storms

Analyzing spanning tree problems

Analyzing VLANs and VLAN tagging issues

Wireless LAN

Introduction to wireless networks and standards

Wireless radio issues, analysis, and troubleshooting

Capturing wireless LAN traffic

Network Layer Protocols and Operations

Network Layer Protocols and Operations

IPv4 address resolution protocol operation and troubleshooting

ICMP – protocol operation, analysis, and troubleshooting

Analyzing IPv4 unicast routing operations

Analyzing IP fragmentation failures

IPv4 multicast routing operations

IPv6 principle of operations

IPv6 extension headers

ICMPv6 – protocol operations, analysis, and troubleshooting

IPv6 auto configuration

DHCPv6-based address assignment

IPv6 neighbor discovery protocol operation and analysis

Transport Layer Protocol Analysis

Transport Layer Protocol Analysis

UDP principle of operation

UDP protocol analysis and troubleshooting

TCP principle of operation

Troubleshooting TCP connectivity problems

Troubleshooting TCP retransmission issues

TCP sliding window mechanism

TCP enhancements – selective ACK and timestamps

Troubleshooting TCP throughput

FTP, HTTP/1, and HTTP/2

FTP, HTTP/1, and HTTP/2

Analyzing FTP problems

Filtering HTTP traffic

Configuring HTTP preferences

Analyzing HTTP problems

Exporting HTTP objects

HTTP flow analysis

Analyzing HTTPS traffic – SSL/TLS basics

DNS Protocol Analysis

DNS Protocol Analysis

Analyzing DNS record types

Analyzing regular DNS operations

Analyzing DNSSEC regular operations

Troubleshooting DNS performance

Analyzing Mail Protocols

Analyzing Mail Protocols

Normal operation of mail protocols

Analyzing POP, IMAP, and SMTP problems

Filtering and analyzing different error codes

Malicious and spam email analysis

NetBIOS and SMB Protocol Analysis

NetBIOS and SMB Protocol Analysis

Understanding the NetBIOS protocol

Understanding the SMB protocol

Analyzing problems in the NetBIOS/SMB protocols

Analyzing the database traffic and common problems

Exporting SMB objects

Analyzing Enterprise Applications' Behavior

Analyzing Enterprise Applications' Behavior

Finding out what is running over your network

Analyzing Microsoft Terminal Server and Citrix communications problems

Analyzing the database traffic and common problems

Troubleshooting SIP, Multimedia, and IP Telephony

Troubleshooting SIP, Multimedia, and IP Telephony

IP telephony principle and normal operation

SIP principle of operation, messages, and error codes

Video over IP and RTSP

Wireshark features for RTP stream analysis and filtering

Wireshark feature for VoIP call replay

Troubleshooting Bandwidth and Delay Issues

Troubleshooting Bandwidth and Delay Issues

Measuring network bandwidth and application traffic

Measurement of jitter and delay using Wireshark

Analyzing network bottlenecks, issues, and troubleshooting

Security and Network Forensics

Security and Network Forensics

Discovering unusual traffic patterns

Discovering MAC-based and ARP-based attacks

Discovering ICMP and TCP SYN/port scans

Discovering DoS and DDoS attacks

Locating smart TCP attacks

Discovering brute force and application attacks

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Discovering unusual traffic patterns

In this recipe, we will learn what usual and unusual traffic patterns are and how to distinguish between them.

Getting ready

The first thing is to locate Wireshark. There are several options for this:

When you suspect an attack that comes from the internet, locate Wireshark after the firewall (1), and when you suspect that it crosses the firewall, locate it before (2).
When you suspect malicious traffic coming from a remote office, port-mirror traffic coming on the central line before (3) or after (4) the router. In this case, you can filter the suspicious traffic with IP networks to see patterns from different offices in order to isolate the problematic office.
You can also port-mirror...