Book Image

Learn Wireshark, - Second Edition

By : Lisa Bock
5 (1)
Book Image

Learn Wireshark, - Second Edition

5 (1)
By: Lisa Bock

Overview of this book

Wireshark is a popular and powerful packet analysis tool that helps network administrators investigate latency issues and potential attacks. Over the years, there have been many enhancements to Wireshark’s functionality. This book will guide you through essential features so you can capture, display, and filter data with ease. In addition to this, you’ll gain valuable tips on lesser-known configuration options, which will allow you to complete your analysis in an environment customized to suit your needs. This updated second edition of Learn Wireshark starts by outlining the benefits of traffic analysis. You’ll discover the process of installing Wireshark and become more familiar with the interface. Next, you’ll focus on the Internet Suite and then explore deep packet analysis of common protocols such as DNS, DHCP, HTTP, and ARP. The book also guides you through working with the expert system to detect network latency issues, create I/O and stream graphs, subset traffic, and save and export captures. Finally, you’ll understand how to share captures using CloudShark, a browser-based solution for analyzing packet captures. By the end of this Wireshark book, you’ll have the skills and hands-on experience you need to conduct deep packet analysis of common protocols and network troubleshooting as well as identify security issues.

Related Content you might be interested in

Current Title:

Small book image
Learn Wireshark, - Second Edition
Lisa Bock
Aug, 2022 | 606 pages
Small book image
Mastering Wireshark 2
Andrew Crouthamel
May, 2018 | 326 pages
Small book image
Network Analysis using Wireshark 2 Cookbook
Yoram Orzach | Nagendra Kumar Nainar | Yogesh Ramdoss
Mar, 2018 | 626 pages
Small book image
Wireshark 2 Quick Start Guide
Charit Mishra
Jun, 2018 | 164 pages
Table of Contents (28 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Part 1 Traffic Capture Overview
Part 1 Traffic Capture Overview
Free Chapter
2
Chapter 1: Appreciating Traffic Analysis
Chapter 1: Appreciating Traffic Analysis
Reviewing packet analysis
Recognizing who benefits from using packet analysis
Identifying where to use packet analysis
Outlining when to use packet analysis
Getting to know Wireshark
Summary
Questions
3
Chapter 2: Using Wireshark
Chapter 2: Using Wireshark
Examining the Wireshark interface
Understanding the phases of packet analysis
Using CLI tools with Wireshark
Summary
Questions
4
Chapter 3: Installing Wireshark
Chapter 3: Installing Wireshark
Discovering support for different OSes
Comparing different capture engines
Performing a standard Windows installation
Reviewing available resources
Summary
Questions
Further reading
5
Chapter 4: Exploring the Wireshark Interface
Chapter 4: Exploring the Wireshark Interface
Opening the Wireshark welcome screen
Exploring the File menu
Discovering the Edit menu
Exploring the View menu
Summary
Questions
6
Part 2 Getting Started with Wireshark
Part 2 Getting Started with Wireshark
7
Chapter 5: Tapping into the Data Stream
Chapter 5: Tapping into the Data Stream
Reviewing network architectures
Learning various capture methods
Tapping into the stream
Realizing the importance of baselining
Summary
Questions
8
Chapter 6: Personalizing the Interface
Chapter 6: Personalizing the Interface
Personalizing the layout
Creating a tailored configuration profile
Adjusting columns, font, and colors
Adding comments
Summary
Questions
9
Chapter 7: Using Display and Capture Filters
Chapter 7: Using Display and Capture Filters
Filtering network traffic
Comprehending display filters
Creating capture filters
Understanding the expression builder
Discovering shortcuts and handy filters
Summary
Questions
Further reading
10
Chapter 8: Outlining the OSI Model
Chapter 8: Outlining the OSI Model
An overview of the OSI model
Discovering the purpose of each layer, the protocols, and the PDUs
Exploring the encapsulation process
Demonstrating frame formation in Wireshark
Summary
Questions
11
Part 3 The Internet Suite TCP/IP
Part 3 The Internet Suite TCP/IP
12
Chapter 9: Decoding TCP and UDP
Chapter 9: Decoding TCP and UDP
Reviewing the transport layer
Describing TCP
Examining the 11-field TCP header
Understanding UDP
Discovering the four-field UDP header
Summary
Questions
Further reading
13
Chapter 10: Managing TCP Connections
Chapter 10: Managing TCP Connections
Dissecting the three-way handshake
Learning TCP options
Understanding TCP protocol preferences
Tearing down a connection
Summary
Questions
Further reading
14
Chapter 11: Analyzing IPv4 and IPv6
Chapter 11: Analyzing IPv4 and IPv6
Reviewing the network layer
Outlining IPv4
Exploring IPv6
Editing protocol preferences
Discovering tunneling protocols
Summary
Questions
Further reading
15
Chapter 12: Discovering ICMP
Chapter 12: Discovering ICMP
Understanding the purpose of ICMP
Dissecting ICMP and ICMPv6
Sending ICMP messages
Evaluating type and code values
Configuring firewall rules
Summary
Questions
Further reading
16
Part 4 Deep Packet Analysis of Common Protocols
Part 4 Deep Packet Analysis of Common Protocols
17
Chapter 13: Diving into DNS
Chapter 13: Diving into DNS
Recognizing the purpose of DNS
Comparing types and classes of RRs
Reviewing the DNS packet
Evaluating queries and responses
Summary
Questions
Further reading
18
Chapter 14: Examining DHCP
Chapter 14: Examining DHCP
Recognizing the purpose of DHCP
Stepping through the DORA process
Dissecting a DHCP header
Following a DHCP example
Summary
Questions
Further reading
19
Chapter 15: Decoding HTTP
Chapter 15: Decoding HTTP
Describing HTTP
Keeping track of the connection
Comparing request and response messages
Following an HTTP stream
Summary
Questions
Further reading
20
Chapter 16: Understanding ARP
Chapter 16: Understanding ARP
Understanding the role and purpose of ARP
Exploring ARP headers and fields
Examining different types of ARP
Comparing ARP attacks and defense methods
Summary
Questions
Further reading
21
Part 5 Working with Packet Captures
Part 5 Working with Packet Captures
22
Chapter 17: Determining Network Latency Issues
Chapter 17: Determining Network Latency Issues
Analyzing latency issues
Understanding coloring rules
Exploring the Intelligent Scrollbar
Discovering expert information
Summary
Questions
23
Chapter 18: Subsetting, Saving, and Exporting Captures
Chapter 18: Subsetting, Saving, and Exporting Captures
Discovering ways to subset traffic
Understanding options to save a file
Recognizing ways to export components
Identifying why and how to add comments
Summary
Questions
24
Chapter 19: Discovering I/O and Stream Graphs
Chapter 19: Discovering I/O and Stream Graphs
Discovering the Statistics menu
Creating I/O graphs
Comparing TCP stream graphs
Summary
Questions
25
Chapter 20: Using CloudShark for Packet Analysis
Chapter 20: Using CloudShark for Packet Analysis
Discovering CloudShark
Outlining the various filters and graphs
Evaluating the different analysis tools
Locating sample captures
Summary
Questions
Further reading
26
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Chapter 15
Chapter 16
Chapter 17
Chapter 18
Chapter 19
Chapter 20
Why subscribe?
27
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Reviewing packet analysis

Packet analysis examines packets to understand the characteristics and structure of the traffic flow, either during a live capture or by using a previously captured file. The analyst can complete packet analysis by either studying one packet at a time or as a complete capture.

When monitoring the network for analysis, we capture traffic using specialized software such as Wireshark or tshark. Once the data is captured and we save the file, the software stores the data in a file that is commonly called a packet capture or PCAP file.

Packet analysis benefits many groups, including the following:

  • Network administrators: Use packet analysis to gain information about current network conditions.
  • Security analysts: Use packet analysis to determine whether there is anything unusual or suspicious about the traffic when carrying out a forensic investigation.
  • Students: Use packet analysis as a learning tool to better understand the workings of different protocols.
  • Hackers: Use packet analysis to sniff network traffic while conducting footprinting and reconnaissance in order to gain valuable information about the network.

We use packet analysis in many places, including on a LAN, on a host, or in the real world. Additionally, we use packet analysis when troubleshooting latency issues, testing Internet of Things (IoT) devices, and as a tool when baselining the network.

Today, packet analysis using Wireshark is a valuable skill. However, analyzing packets has been around in the networking world for many years. As early as the 1990s, various tools enabled analysts to carry out packet analysis on the network to troubleshoot errors and to monitor server behavior. In the next section, we'll examine some of the early tools used to monitor network activity.

Exploring early packet sniffers 

Packet analysis has been around in some form for over 20 years, as a diagnostic tool, to observe data and other information traveling across the network. Packet analysis is also referred to as sniffing. The term refers to early packet sniffers, which sniffed or captured traffic as it traveled across the network. In the 1990s, Novell, a software company, developed the Novell LANalyzer, which had a graphical UI and dashboard to examine network traffic. Concurrently, Microsoft introduced its Network Monitor.

Over the last 20 years, there have been many other packet analyzers and tools to sniff traffic, including the following:

Table 1.1 – Packet analyzers and tools

Table 1.1 – Packet analyzers and tools

Most packet analyzers work in a similar manner. They capture data and then decode the raw bits in the field values according to the appropriate Request for Comment (RFC) or other specifications. Once done, the data is presented in a meaningful fashion.

Packet analysis tools range in appearance and functionality, as follows:

  • They provide simple text-based analysis, such as terminal-based Wireshark (tshark).
  • They deliver a rich graphical UI with advanced artificial intelligence (AI)-based expert systems that guide the analyst through a more targeted evaluation.

In the next section, we'll take a look at the various devices that use packet analysis today.

Evaluating devices that use packet analysis

Packet analysis and traffic sniffing are used by many devices on the network, including routers, switches, and firewall appliances. As data flows across the network, the devices gather and interpret the packet's raw bits and examine the field values in each packet to decide on what action should be taken.

Devices examine network traffic in the following manner:

  • A router captures the traffic and examines the IP header to determine where to send the traffic, as part of the routing process.
  • An IDS examines the traffic and alerts the network administrator if there is any unusual or suspicious behavior.
  • A firewall monitors all traffic and will drop any packets that are not in line with the Access Control List (ACL).

For example, when data passes through a firewall, the device examines the traffic and determines whether to allow or deny the packets according to the ACL.

Using an ACL

When using a firewall, an ACL governs the type of traffic that is allowed on the network. For example, an ACL has the following entries:

  • Allow outbound SYN packets. The destination port is 80.
  • Allow inbound SYN-ACK packets. The source port is 80.

To decide whether to allow or deny a packet, the firewall must check each header as it passes through the device. It will determine variables such as IP addresses, Transmission Control Protocol (TCP) flags, and port numbers that are in use. If the packet does not meet the ACL entry, the firewall will drop the packet. As shown in the following diagram, an inbound SYN packet with a destination port of 80 is blocked because it does not match the rule:

Figure 1.1 – A firewall with an ACL

Figure 1.1 – A firewall with an ACL

It's important to note that a packet sniffer examines traffic but doesn't modify the contents in any way. It simply gathers the traffic for analysis as it travels across the network.

As you can see, packet sniffing and analysis have been influential for many years as elements of managing networks. However, the first step of analysis is to capture traffic, which we will explore next.

Capturing network traffic

On today's networks, a Network Interface Card (NIC) will only monitor traffic that is addressed to that host. However, we can put the card into a state called promiscuous mode, which will allow the adapter to gather all the traffic that is on the network. Therefore, to capture and monitor all network traffic, the NIC must be in promiscuous mode.

On a Windows machine, you can check to see whether the interface card is in promiscuous mode by running the following command in PowerShell:

Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.
PS C:\Users\Admin> Get-NetAdapter | Format-List -Property PromiscuousMode
PromiscuousMode : False

We use packet analysis to understand the characteristics of the traffic flow. Although you can conduct packet analysis during a live capture, it's common to capture traffic and save it for further analysis. Common steps to capture packets for analysis include the following:

  1. Install Wireshark and the appropriate packet capture engine. 
  2. Launch Wireshark and select the capture options.
  3. Start the capture and run until you capture 2,000–3,000 packets.
  4. Stop the capture and save the trace file in the appropriate format.
  5. Analyze the capture by studying one packet at a time, or as a complete capture.

In some cases, you might need to send a packet capture to the corporate or security analyst for further analysis.

Wireshark allows us to capture, display, and filter data live from a single or multiple network interface(s). In addition, you can examine pre-captured packets, search with granular details, and follow the data stream. As a result, packet analysis is advantageous as it helps you to understand the nature of the network. The following section outlines the many different individuals who can benefit from using Wireshark for packet analysis.

Previous Section
End of Section 2
Next Section