Book Image

Learn Wireshark, - Second Edition

By : Lisa Bock

5 (1)

Book Image

Learn Wireshark, - Second Edition

5 (1)

By: Lisa Bock

Overview of this book

Wireshark is a popular and powerful packet analysis tool that helps network administrators investigate latency issues and potential attacks. Over the years, there have been many enhancements to Wireshark’s functionality. This book will guide you through essential features so you can capture, display, and filter data with ease. In addition to this, you’ll gain valuable tips on lesser-known configuration options, which will allow you to complete your analysis in an environment customized to suit your needs. This updated second edition of Learn Wireshark starts by outlining the benefits of traffic analysis. You’ll discover the process of installing Wireshark and become more familiar with the interface. Next, you’ll focus on the Internet Suite and then explore deep packet analysis of common protocols such as DNS, DHCP, HTTP, and ARP. The book also guides you through working with the expert system to detect network latency issues, create I/O and stream graphs, subset traffic, and save and export captures. Finally, you’ll understand how to share captures using CloudShark, a browser-based solution for analyzing packet captures. By the end of this Wireshark book, you’ll have the skills and hands-on experience you need to conduct deep packet analysis of common protocols and network troubleshooting as well as identify security issues.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Share Your Thoughts

Part 1 Traffic Capture Overview

Part 1 Traffic Capture Overview

Free Chapter

Chapter 1: Appreciating Traffic Analysis

Chapter 1: Appreciating Traffic Analysis

Reviewing packet analysis

Recognizing who benefits from using packet analysis

Identifying where to use packet analysis

Outlining when to use packet analysis

Getting to know Wireshark

Chapter 2: Using Wireshark

Chapter 2: Using Wireshark

Examining the Wireshark interface

Understanding the phases of packet analysis

Using CLI tools with Wireshark

Chapter 3: Installing Wireshark

Chapter 3: Installing Wireshark

Discovering support for different OSes

Comparing different capture engines

Performing a standard Windows installation

Reviewing available resources

Further reading

Chapter 4: Exploring the Wireshark Interface

Chapter 4: Exploring the Wireshark Interface

Opening the Wireshark welcome screen

Exploring the File menu

Discovering the Edit menu

Exploring the View menu

Part 2 Getting Started with Wireshark

Part 2 Getting Started with Wireshark

Chapter 5: Tapping into the Data Stream

Chapter 5: Tapping into the Data Stream

Reviewing network architectures

Learning various capture methods

Tapping into the stream

Realizing the importance of baselining

Chapter 6: Personalizing the Interface

Chapter 6: Personalizing the Interface

Personalizing the layout

Creating a tailored configuration profile

Adjusting columns, font, and colors

Adding comments

Chapter 7: Using Display and Capture Filters

Chapter 7: Using Display and Capture Filters

Filtering network traffic

Comprehending display filters

Creating capture filters

Understanding the expression builder

Discovering shortcuts and handy filters

Further reading

Chapter 8: Outlining the OSI Model

Chapter 8: Outlining the OSI Model

An overview of the OSI model

Discovering the purpose of each layer, the protocols, and the PDUs

Exploring the encapsulation process

Demonstrating frame formation in Wireshark

Part 3 The Internet Suite TCP/IP

Part 3 The Internet Suite TCP/IP

Chapter 9: Decoding TCP and UDP

Chapter 9: Decoding TCP and UDP

Reviewing the transport layer

Examining the 11-field TCP header

Understanding UDP

Discovering the four-field UDP header

Further reading

Chapter 10: Managing TCP Connections

Chapter 10: Managing TCP Connections

Dissecting the three-way handshake

Learning TCP options

Understanding TCP protocol preferences

Tearing down a connection

Further reading

Chapter 11: Analyzing IPv4 and IPv6

Chapter 11: Analyzing IPv4 and IPv6

Reviewing the network layer

Editing protocol preferences

Discovering tunneling protocols

Further reading

Chapter 12: Discovering ICMP

Chapter 12: Discovering ICMP

Understanding the purpose of ICMP

Dissecting ICMP and ICMPv6

Sending ICMP messages

Evaluating type and code values

Configuring firewall rules

Further reading

Part 4 Deep Packet Analysis of Common Protocols

Part 4 Deep Packet Analysis of Common Protocols

Chapter 13: Diving into DNS

Chapter 13: Diving into DNS

Recognizing the purpose of DNS

Comparing types and classes of RRs

Reviewing the DNS packet

Evaluating queries and responses

Further reading

Chapter 14: Examining DHCP

Chapter 14: Examining DHCP

Recognizing the purpose of DHCP

Stepping through the DORA process

Dissecting a DHCP header

Following a DHCP example

Further reading

Chapter 15: Decoding HTTP

Chapter 15: Decoding HTTP

Describing HTTP

Keeping track of the connection

Comparing request and response messages

Following an HTTP stream

Further reading

Chapter 16: Understanding ARP

Chapter 16: Understanding ARP

Understanding the role and purpose of ARP

Exploring ARP headers and fields

Examining different types of ARP

Comparing ARP attacks and defense methods

Further reading

Part 5 Working with Packet Captures

Part 5 Working with Packet Captures

Chapter 17: Determining Network Latency Issues

Chapter 17: Determining Network Latency Issues

Analyzing latency issues

Understanding coloring rules

Exploring the Intelligent Scrollbar

Discovering expert information

Chapter 18: Subsetting, Saving, and Exporting Captures

Chapter 18: Subsetting, Saving, and Exporting Captures

Discovering ways to subset traffic

Understanding options to save a file

Recognizing ways to export components

Identifying why and how to add comments

Chapter 19: Discovering I/O and Stream Graphs

Chapter 19: Discovering I/O and Stream Graphs

Discovering the Statistics menu

Creating I/O graphs

Comparing TCP stream graphs

Chapter 20: Using CloudShark for Packet Analysis

Chapter 20: Using CloudShark for Packet Analysis

Discovering CloudShark

Outlining the various filters and graphs

Evaluating the different analysis tools

Locating sample captures

Further reading

Assessments

Other Books You May Enjoy

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Customer Reviews

5 (1)

5 star

100%

4 star

0

3 star

0

2 star

0

1 star

0

Understanding the expression builder

In addition to building simple display filters, Wireshark has the ability to create an expression that zeroes in on specific field values. To build an expression, go to Analyze and then select Display Filter Expression, as shown here:

Figure 7.18– The Display Filter Expression menu choice

Click the link to launch the expression builder. On the left-hand side, you will see a list of all of Wireshark's supported protocols, as shown in the following screenshot:

Figure 7.19 – Display Filter Expression

Wireshark is capable of dissecting hundreds of protocols with more added all the time, so the list will be long.

To further refine the filter, you can select from the four variables listed on the right-hand side:

Relation: This is a list of comparison operators to compare a field value against another value using logical operators:
- is present: Indicates the selected field...