book

Wireshark Revealed: Essential Skills for IT Professionals

Name: Wireshark Revealed: Essential Skills for IT Professionals
ISBN: 9781788833226

by James H Baxter, Yoram Orzach, Charit Mishra

December 2017

Intermediate to advanced

912 pages

20h 42m

English

Packt Publishing

Read now

Unlock full access

Wireshark Revealed: Essential Skills for IT Professionals
Table of Contents
Wireshark Revealed: Essential Skills for IT Professionals
Credits
Preface
What this learning path covers
What you need for this learning path
Who this learning path is for
Reader feedback
Customer support
Downloading the example codeErrataPiracyQuestions
1. Module 1
1. Getting Acquainted with Wireshark
Installing WiresharkInstalling Wireshark on WindowsInstalling Wireshark on Mac OS XInstalling Wireshark on Linux/Unix

Performing your first packet capture
Selecting a network interfacePerforming a packet captureWireshark user interface essentialsFiltering out the noiseApplying a display filterSaving the packet trace
Summary
2. Networking for Packet Analysts
The OSI model – why it mattersUnderstanding network protocolsThe seven OSI layersLayer 1 – the physical layerLayer 2 – the data-link layerLayer 3 – the network layerInternet ProtocolAddress Resolution ProtocolLayer 4 – the transport layerUser Datagram ProtocolTransmission Control ProtocolLayer 5 – the session layerLayer 6 – the presentation layerLayer 7 – the application layerEncapsulation
IP networks and subnets
Switching and routing packets
Ethernet frames and switchesIP addresses and routers
WAN links
Wireless networking
Summary
3. Capturing All the Right Packets
Picking the best capture pointUser locationServer locationOther capture locationsMid-network capturesBoth sides of specialized network devices
Test Access Ports and switch port mirroring
Test Access PortSwitch port mirroringCapturing packets on high traffic rate links
Capturing interfaces, filters, and options
Selecting the correct network interfaceUsing capture filtersConfiguring capture filtersCapture optionsCapturing filenames and locationsMultiple file optionsRing bufferStop capture optionsDisplay optionsName resolution options
Verifying a good capture
Saving the bulk capture file
Isolating conversations of interest
Using the Conversations window
The Ethernet tabThe TCP and UDP tabsThe WLAN tab
Wireshark display filters
The Display Filter windowThe display filter syntaxTyping in a display filterDisplay filters from a Conversations or Endpoints window
Filter Expression Buttons
Using the Expressions window buttonRight-click menus on specific packet fields
Following TCP/UDP/SSL streams
Marking and ignoring packets
Saving the filtered traffic
Summary
4. Configuring Wireshark
Working with packet timestampsHow Wireshark saves timestampsWireshark time display optionsAdding a time columnConversation versus displayed packet time optionsChoosing the best Wireshark time display optionUsing the Time Reference option
Colorization and coloring rules
Packet colorization
Wireshark preferences
Wireshark profiles
Creating a Wireshark profileSelecting a Wireshark profile
Summary
5. Network Protocols
The OSI and DARPA reference modelsNetwork layer protocolsWireshark IPv4 filtersWireshark ARP filtersInternet Group Management ProtocolWireshark IGMP filtersInternet Control Message ProtocolICMP pingsICMP traceroutesICMP control message typesICMP redirectsWireshark ICMP filtersInternet Protocol Version 6IPv6 addressingIPv6 address typesIPv6 header fieldsIPv6 transition methodsWireshark IPv6 filtersInternet Control Message Protocol Version 6Multicast Listener DiscoveryWireshark ICMPv6 filters
Transport layer protocols
User Datagram ProtocolWireshark UDP filtersTransmission Control ProtocolTCP flagsTCP optionsWireshark TCP filters
Application layer protocols
Dynamic Host Configuration ProtocolWireshark DHCP filtersDynamic Host Configuration Protocol Version 6Wireshark DHCPv6 filtersDomain Name ServiceWireshark DNS filtersHypertext Transfer ProtocolHTTP MethodsHostRequest ModifiersWireshark HTTP filtersAdditional informationWireshark wikiProtocols on WikipediaRequests for Comments
Summary
6. Troubleshooting and Performance Analysis
Troubleshooting methodologyGathering the right informationEstablishing the general nature of the problemHalf-split troubleshooting and other logic
Troubleshooting connectivity issues
Enabling network interfacesConfirming physical connectivityObtaining the workstation IP configurationObtaining MAC addressesObtaining network service IP addressesBasic network connectivityConnecting to the application services
Troubleshooting functional issues
Performance analysis methodology
Top five reasons for poor application performancePreparing the tools and approachPerforming, verifying, and saving a good packet captureInitial error analysisDetecting and prioritizing delaysServer processing time eventsApplication turn's delayNetwork path latencyBandwidth congestionData transportTCP StreamGraphIO GraphIO Graph – Wireshark 2.0
Summary
7. Packet Analysis for Security Tasks
Security analysis methodologyThe importance of baselining
Security assessment tools
Identifying unacceptable or suspicious traffic
Scans and sweeps
ARP scansICMP ping sweepsTCP port scansUDP port scans
OS fingerprinting
Malformed packets
Phone home traffic
Password-cracking traffic
Unusual traffic
Summary
8. Command-line and Other Utilities
Wireshark command-line utilities
Capturing traffic with Dumpcap
Capturing traffic with Tshark
Editing trace files with Editcap
Merging trace files with Mergecap
Mergecap batch file
Other helpful tools
HttpWatchSteelCentral Packet Analyzer Personal EditionAirPcap adapters
Summary
2. Module 2
1. Introducing Wireshark
Introduction
Locating Wireshark
Getting readyHow to do it...Monitoring a serverMonitoring a routerMonitoring a firewallHow it works...There's more...See also
Starting the capture of data
Getting readyHow to do it...How to choose the interface to start the captureHow to configure the interface you capture data fromHow it works...There's more...See also
Configuring the start window
Getting readyMain ToolbarDisplay Filter ToolbarStatus BarHow to do it...Configuring toolbarsConfiguring the main windowName ResolutionColorizing the packet listAuto scrolling in live capture
Using time values and summaries
Getting readyHow to do it...How it works...
Configuring coloring rules and navigation techniques
Getting readyHow to do it...How it works...See also
Saving, printing, and exporting data
Getting readyHow to do it...Saving data in various formatsHow to print dataHow it works...
Configuring the user interface in the Preferences menu
Getting readyHow to do it...Changing and adding columnsChanging the capture configurationConfiguring the name resolutionHow it works...
Configuring protocol preferences
Getting readyHow to do it...Configuring of IPv4 and IPv6 PreferencesConfiguring TCP and UDPHow it works...There's more...
2. Using Capture Filters
Introduction
Configuring capture filters
Getting readyHow to do it...How it works...There's more...See also
Configuring Ethernet filters
Getting readyHow to do it...How it works…There's more...See also
Configuring host and network filters
Getting readyHow to do it...How it works…There's more...See also
Configuring TCP/UDP and port filters
Getting readyHow to do it...How it works…There's more...See also
Configuring compound filters
Getting readyHow to do it...How it works…There's more...See also
Configuring byte offset and payload matching filters
Getting readyHow to do it...How it works…There's more...See also
3. Using Display Filters
Introduction
Configuring display filters
Getting readyHow to do it...Choosing from the filters menuWriting the syntax directly into the display filter windowChoosing a parameter in the packet pane and defining it as a filterHow it works...There's more...What is the parameter we filter?Adding a parameter columnSaving the displayed data
Configuring Ethernet, ARP, host, and network filters
Getting readyHow to do it...Ethernet filtersARP filtersIP and ICMP filtersComplex filtersHow it works...Ethernet broadcastsIPv4 multicastsIPv6 multicastsSee also
Configuring TCP/UDP filters
Getting readyHow to do it...How it works...There's more...See also
Configuring specific protocol filters
Getting readyHow to do it...HTTP display filtersDNS display filtersFTP display filtersHow it works...See also
Configuring substring operator filters
Getting readyHow to do it...How it works...
Configuring macros
Getting readyHow to do it...How it works...
4. Using Basic Statistics Tools
Introduction
Using the Summary tool from the Statistics menu
Getting readyHow to do it...How it works...There's more...
Using the Protocol Hierarchy tool from the Statistics menu
Getting readyHow to do it...How it works...There's more...
Using the Conversations tool from the Statistics menu
Getting readyHow to do it...How it works...There's more...Ethernet conversations statisticsIP conversations statisticsTCP/UDP conversations statistics:
Using the Endpoints tool from the Statistics menu
Getting readyHow to do it...How it works...There's more...
Using the HTTP tool from the Statistics menu
Getting readyHow to do it...How it works...There's more...
Configuring Flow Graph for viewing TCP flows
Getting readyHow to do it...How it works...There's more...
Creating IP-based statistics
Getting readyHow to do it...How it works...There's more...
5. Using Advanced Statistics Tools
Introduction
Configuring IO Graphs with filters for measuring network performance issues
Getting readyHow to do it...Filter configurationX-Axis configurationY-Axis configurationHow it works...There's more...
Throughput measurements with IO Graph
Getting readyHow to do it...Measuring throughput between end devicesMeasuring application throughputHow it works...There's more...Graph SMS usage – finding SMS messages sent by a specific subscriberGraphing number of accesses to the Google web page
Advanced IO Graph configurations with advanced Y-Axis parameters
Getting readyHow to do it...How to monitor inter-frame time delta statisticsHow to monitor the number of TCP retransmissions in a streamHow to monitor a number of field appearancesHow it works...There's more...
Getting information through TCP stream graphs – the Time-Sequence (Stevens) window
Getting readyHow to do it...How it works...There's more...
Getting information through TCP stream graphs – the Time-Sequence (tcp-trace) window
Getting readyHow to do it...How it works...There's more...
Getting information through TCP stream graphs – the Throughput Graph window
Getting readyHow to do it...How it works...There's more...
Getting information through TCP stream graphs – the Round Trip Time window
Getting readyHow to do it...How it works...There's more...
Getting information through TCP stream graphs – the Window Scaling Graph window
Getting readyHow to do it...How it works...There's more...
6. Using the Expert Infos Window
Introduction
The Expert Infos window and how to use it for network troubleshooting
Getting readyHow to do it...How it works...There's more...See also
Error events and understanding them
Getting readyHow to do it...How it works...There's more...See also
Warning events and understanding them
Getting readyHow to do it...How it works...There's more...See also
Notes events and understanding them
Getting readyHow to do it...How it works...There's more...See also
7. Ethernet, LAN Switching, and Wireless LAN
Introduction
Discovering broadcast and error storms
Getting readyHow to do it...Spanning Tree ProblemsA device that generates BroadcastsFixed pattern broadcastsHow it works...There's more…See also
Analyzing Spanning Tree Protocols
Getting readyHow to do it...Which STP version is running on the network?Are there too many topology changes?How it works...Port statesThere's more…
Analyzing VLANs and VLAN tagging issues
Getting readyHow to do it...Monitoring traffic inside a VLANViewing tagged frames going through a VLAN tagged portHow it works...There's more…See also
Analyzing wireless (Wi-Fi) problems
Getting readyHow to do it…How it works…
8. ARP and IP Analysis
Introduction
Analyzing connectivity problems with ARP
Getting readyHow to do it...ARP poisoning and Man-in-the-Middle attacksGratuitous ARPARP sweepsRequests or replies, and who is the senderHow many ARPsHow it works...There's more...
Using IP traffic analysis tools
Getting readyHow to do it...IP statistics toolsHow it works...There's more...
Using GeoIP to look up physical locations of the IP address
Getting readyHow to do it...How it works...There's more...
Finding fragmentation problems
Getting readyHow to do it...How it works...There's more...
Analyzing routing problems
Getting readyHow to do it...How it works...There's more...
Finding duplicate IPs
Getting readyHow to do it...How it works...There's more...
Analyzing DHCP problems
Getting readyHow to do it...How it works...There's more...
9. UDP/TCP Analysis
Introduction
Configuring TCP and UDP preferences for troubleshooting
Getting readyHow to do it...UDP parametersTCP parametersHow it works...There's more…
TCP connection problems
Getting readyHow to do it...How it works...There's more…
TCP retransmission – where do they come from and why
Getting readyHow to do it...Case 1 – retransmissions to many destinationsCase 2 – retransmissions on a single connectionCase 3 – retransmission patternsCase 4 – retransmission due to a non-responsive applicationCase 5 – retransmission due to delayed variationsFinding what it isHow it works...Regular operation of the TCP Sequence/Acknowledge mechanismWhat are TCP retransmissions and what do they causeThere's more...See also
Duplicate ACKs and fast retransmissions
Getting readyHow to do it...How it works...There's more...
TCP out-of-order packet events
Getting readyHow to do it...When will it happen?How it works...
TCP Zero Window, Window Full, Window Change, and other Window indicators
Getting readyHow to do it...TCP Zero Window, Zero Window Probe, and Zero Window ViolationTCP Window UpdateTCP Window FullHow it works...There's more…
TCP resets and why they happen
Getting readyHow to do it...Cases in which reset is not a problemCases in which reset can indicate a problemHow it works...
10. HTTP and DNS
Introduction
Filtering DNS traffic
Getting readyHow to do it...How it works...There's more...
Analyzing regular DNS operations
Getting readyHow to do it...How it works...DNS operationDNS namespaceThe resolving processThere's more...
Analysing DNS problems
Getting readyHow to do it...DNS cannot resolve a nameDNS slow responsesHow it works...There's more...
Filtering HTTP traffic
Getting readyHow to do it...How it works...HTTP methodsStatus codesThere's more...
Configuring HTTP preferences
Getting readyHow to do it...Custom HTTP headers fieldsHow it works...There's more...
Analyzing HTTP problems
Getting readyHow to do it...Informational codesSuccess codesRedirect codesClient errorsServer errorsHow it works...There's more...
Exporting HTTP objects
Getting readyHow to do it...How it works...There's more...
HTTP flow analysis and the Follow TCP Stream window
Getting readyHow to do it...How it works...There's more...
Analyzing HTTPS traffic – SSL/TLS basics
Getting readyHow to do it...How it works...There's more...
11. Analyzing Enterprise Applications' Behavior
Introduction
Finding out what is running over your network
Getting readyHow to do it...There's more...
Analyzing FTP problems
Getting readyHow to do it...How it works...There's more...
Analyzing e-mail traffic and troubleshooting e-mail problems – POP, IMAP, and SMTP
Getting readyHow to do it...POP3 communicationsSMTP communicationsSome other methods and problemsHow it works...POP3SMTP and SMTP error codes (RFC3463)There's more...
Analyzing MS-TS and Citrix communications problems
Getting readyHow to do it...How it works...There's more…
Analyzing problems in the NetBIOS protocols
Getting readyHow to do it...General testsSpecific issuesHow it works...There's more…Example 1 – application freezingExample 2 – broadcast storm caused by SMB
Analyzing database traffic and common problems
Getting readyHow to do it...How it works...There's more...
12. SIP, Multimedia, and IP Telephony
Introduction
Using Wireshark's features for telephony and multimedia analysis
Getting readyHow to do it...How it works...There's more...
Analyzing SIP connectivity
Getting readyHow to do it...1xx codes – provisional/informational2xx codes – success3xx codes – redirection4xx codes – client error5xx codes – server error6xx codes – global failureHow it works...There's more...
Analyzing RTP/RTCP connectivity
Getting readyHow to do it...How it works...RTP principles of operationThe RTCP principle of operationThere's more...
Troubleshooting scenarios for video and surveillance applications
Getting readyHow to do it...How it works...There's more...
Troubleshooting scenarios for IPTV applications
Getting readyHow to do it...How it works...There's more...
Troubleshooting scenarios for video conferencing applications
Getting readyHow to do it...
Troubleshooting RTSP
Getting readyHow to do it...How it works...There's more...
13. Troubleshooting Bandwidth and Delay Problems
Introduction
Measuring total bandwidth on a communication link
Getting readyHow to do it...How it works...There's more...
Measuring bandwidth and throughput per user and per application over a network connection
Getting readyHow to do it...How it works...See also
Monitoring jitter and delay using Wireshark
Getting readyHow to do it...How it works...There's more...
Discovering delay/jitter-related application problems
Getting readyHow to do it...How it works...There's more...
14. Understanding Network Security
Introduction
Discovering unusual traffic patterns
Getting readyHow to do it...How it works...There's more...See also
Discovering MAC- and ARP-based attacks
Getting readyHow to do it...How it works...There's more...
Discovering ICMP and TCP SYN/Port scans
Getting readyHow to do it...How it works...There's more...See also
Discovering DoS and DDoS attacks
Getting readyHow to do it...How it works...There's more...
Locating smart TCP attacks
Getting readyHow to do it...How it works...There's more...See also
Discovering brute-force and application attacks
Getting readyHow to do it...How it works...There's more...
A. Links, Tools, and Reading
Useful Wireshark links
tcpdump
Some additional tools
SNMP toolsSNMP platformsThe NetFlow, JFlow, and SFlow analyzersHTTP debuggersSyslogOther stuff
Network analysers
Interesting websites
Books
3. Module 3
1. Welcome to the World of Packet Analysis with Wireshark
Introduction to Wireshark
A brief overview of the TCP/IP model
The layers in the TCP/IP model
An introduction to packet analysis with Wireshark
How to do packet analysisWhat is Wireshark?How it works
Capturing methodologies
Hub-based networksThe switched environmentARP poisoningPassing through routersWhy use Wireshark?The Wireshark GUIThe installation processStarting our first capture
Summary
Practice questions
2. Filtering Our Way in Wireshark
An introduction to filters
Capture filters
Why use capture filtersHow to use capture filtersAn example capture filterCapture filters that use protocol header values
Display filters
Retaining filters for later use
Searching for packets using the Find dialog
Colorize traffic
Create new Wireshark profiles
Summary
Practice questions
3. Mastering the Advanced Features of Wireshark
The Statistics menuUsing the Statistics menuProtocol Hierarchy
Conversations
Endpoints
Working with IO, Flow, and TCP stream graphs
IO graphs
Flow graphs
TCP stream graphs
Round-trip time graphsThroughput graphsThe Time-sequence graph (tcptrace)
Follow TCP streams
Expert Infos
Command Line-fu
Summary
Exercise
4. Inspecting Application Layer Protocols
Domain name systemDissecting a DNS packetDissecting DNS query/responseUnusual DNS traffic
File transfer protocol
Dissecting FTP communicationsPassive modeActive modeDissecting FTP packetsUnusual FTP
Hyper Text Transfer Protocol
How it works – request/responseRequestResponseUnusual HTTP traffic
Simple Mail Transfer Protocol
Usual versus unusual SMTP trafficSession Initiation Protocol and Voice Over Internet ProtocolAnalyzing VOIP trafficReassembling packets for playbackUnusual traffic patternsDecrypting encrypted traffic (SSL/TLS)
Summary
Practice questions
5. Analyzing Transport Layer Protocols
The transmission control protocolUnderstanding the TCP header and its various flagsHow TCP communicatesHow it worksGraceful terminationRST (reset) packetsRelative verses Absolute numbersUnusual TCP trafficHow to check for different analysis flags in Wireshark
The User Datagram Protocol
A UDP headerHow it worksThe DHCPThe TFTPUnusual UDP traffic
Summary
Practice questions
6. Analyzing Traffic in Thin Air
Understanding IEEE 802.11Various modes in wireless communicationsWireless interference and strengthThe IEEE 802.11 packet structureRTS/CTS
Usual and unusual WEP – open/shared key communication
WEP-open keyThe shared keyWPA-PersonalWPA-Enterprise
Decrypting WEP and WPA traffic
Summary
Practice questions
7. Network Security Analysis
Information gatheringPING sweepHalf-open scan (SYN)OS fingerprinting
ARP poisoning
Analyzing brute force attacks
Inspecting malicious trafficSolving real-world CTF challenges
Summary
Practice questions
8. Troubleshooting
Recovery featuresThe flow control mechanismTroubleshooting slow Internet and network latenciesClient- and server-side latenciesTroubleshooting bottleneck issuesTroubleshooting application-based issues
Summary
Practice questions
9. Introduction to Wireshark v2
The intelligent scroll bar
Translation
Graph improvements
TCP streams
USBPcap
Summary
Practice questions
Bibliography
Index

Overview

Master Wireshark and discover how to analyze network packets and protocols effectively, along with engaging recipes to troubleshoot network problems

About This Book

Gain valuable insights into the network and application protocols, and the key fields in each protocol
Use Wireshark's powerful statistical tools to analyze your network and leverage its expert system to pinpoint network problems
Master Wireshark and train it as your network sniffer

Who This Book Is For

This book is aimed at IT professionals who want to develop or enhance their packet analysis skills. A basic familiarity with common network and application services terms and technologies is assumed.

What You Will Learn

Discover how packet analysts view networks and the role of protocols at the packet level
Capture and isolate all the right packets to perform a thorough analysis using Wireshark's extensive capture and display filtering capabilities
Decrypt encrypted wireless traffic
Use Wireshark as a diagnostic tool and also for network security analysis to keep track of malware
Find and resolve problems due to bandwidth, throughput, and packet loss
Identify and locate faults in communication applications including HTTP, FTP, mail, and various other applications ? Microsoft OS problems, databases, voice, and video over IP
Identify and locate faults in detecting security failures and security breaches in the network

In Detail

This Learning Path starts off installing Wireshark, before gradually taking you through your first packet capture, identifying and filtering out just the packets of interest, and saving them to a new file for later analysis. You will then discover different ways to create and use capture and display filters. By halfway through the book, you'll be mastering Wireshark features, analyzing different layers of the network protocol, and looking for any anomalies.We then start Ethernet and LAN switching, through IP, and then move on to TCP/UDP with a focus on TCP performance problems. It also focuses on WLAN security. Then, we go through application behavior issues including HTTP, mail, DNS, and other common protocols. This book finishes with a look at network forensics and how to locate security problems that might harm the network.This course provides you with highly practical content explaining Metasploit from the following books:

Wireshark Essentials
Network Analysis Using Wireshark Cookbook
Mastering Wireshark

Style and approach

This step-by-step guide follows a practical approach, starting from the basic to the advanced aspects. Through a series of real-world examples, this learning path will focus on making it easy for you to become an expert at using Wireshark.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Wireshark & Ethereal Network Protocol Analyzer Toolkit

Publisher Resources

ISBN: 9781788833226Purchase Link Other Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Wireshark Revealed: Essential Skills for IT Professionals

by James H Baxter, Yoram Orzach, Charit Mishra

Overview

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Wireshark & Ethereal Network Protocol Analyzer Toolkit

How Being a Design-Driven Company Will Get You From Good to Great

Zabbix 4 Network Monitoring - Third Edition

The Three Traps That Stymie Reinvention

Publisher Resources