
Practical Packet Analysis, 3rd Edition

Book Description

Wireshark is the world's most popular network sniffer that makes capturing packets easy, but it won't be much help if you don't have a solid foundation in packet analysis.

Practical Packet Analysis, 3rd Edition will show you how to make sense of your PCAP data and let you start troubleshooting the problems on your network. This third edition is updated for Wireshark 2.0.5 and IPv6, making it the definitive guide to packet analysis and a must for any network technician, administrator, or engineer. This updated version includes two new chapters that will teach you how to use the powerful command-line packet analyzers tcpdump and TShark as well as how to read and reference packet values using a packet map.

Practical Packet Analysis will introduce you to the basics of packet analysis, starting with how networks work and how packets travel along the wire. Then you'll move on to navigating packets and using Wireshark to capture and analyze packets. The book then covers common lower-layer and upper-layer protocols and provides you with real-world scenarios like Internet connectivity issues, how to capture social media traffic, and fighting a slow network.

You'll learn how to:

  • Monitor your network in real time and tap live network communications
  • Recognize common network protocols including TCP, IPv4 and IPv6, SMTP, and ARP
  • Build customized capture and display filters to quickly navigate through large numbers of packets
  • Troubleshoot and resolve common network problems like loss of connectivity, DNS issues, and sluggish speeds with packet analysis
  • Understand how modern exploits and malware behave at the packet level
  • Carve out data in a packet to retrieve the actual files sent across the network
  • Graph traffic patterns to visualize the data flowing across your network
  • Use advanced Wireshark features to understand confusing captures
  • Build statistics and reports to help you better explain technical network information to non-techies

Whether you're a budding network analyst in need of a headfirst dive into packet analysis or an experienced administrator searching for new tricks, look no further than the third edition of Practical Packet Analysis.

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Brief Contents
  5. Contents in Detail
  6. Acknowledgments
  7. Introduction
    1. Why This Book?
    2. Concepts and Approach
    3. How to Use This Book
    4. About the Sample Capture Files
    5. The Rural Technology Fund
    6. Contacting Me
  8. Chapter 1: Packet Analysis and Network Basics
    1. Packet Analysis and Packet Sniffers
      1. Evaluating a Packet Sniffer
      2. How Packet Sniffers Work
    2. How Computers Communicate
      1. Protocols
      2. The Seven-Layer OSI Model
      3. Network Hardware
    3. Traffic Classifications
      1. Broadcast Traffic
      2. Multicast Traffic
      3. Unicast Traffic
    4. Final Thoughts
  9. Chapter 2: Tapping into the Wire
    1. Living Promiscuously
    2. Sniffing Around Hubs
    3. Sniffing in a Switched Environment
      1. Port Mirroring
      2. Hubbing Out
      3. Using a Tap
      4. ARP Cache Poisoning
    4. Sniffing in a Routed Environment
    5. Sniffer Placement in Practice
  10. Chapter 3: Introduction to Wireshark
    1. A Brief History of Wireshark
    2. The Benefits of Wireshark
    3. Installing Wireshark
      1. Installing on Windows Systems
      2. Installing on Linux Systems
      3. Installing on OS X Systems
    4. Wireshark Fundamentals
      1. Your First Packet Capture
      2. Wireshark’s Main Window
      3. Wireshark Preferences
      4. Packet Color Coding
    5. Configuration Files
    6. Configuration Profiles
  11. Chapter 4: Working with Captured Packets
    1. Working with Capture Files
      1. Saving and Exporting Capture Files
      2. Merging Capture Files
    2. Working with Packets
      1. Finding Packets
      2. Marking Packets
      3. Printing Packets
    3. Setting Time Display Formats and References
      1. Time Display Formats
      2. Packet Time Referencing
      3. Time Shifting
    4. Setting Capture Options
      1. Input Tab
      2. Output Tab
      3. Options Tab
    5. Using Filters
      1. Capture Filters
      2. Display Filters
      3. Saving Filters
      4. Adding Display Filters to a Toolbar
  12. Chapter 5: Advanced Wireshark Features
    1. Endpoints and Network Conversations
      1. Viewing Endpoint Statistics
      2. Viewing Network Conversations
      3. Identifying Top Talkers with Endpoints and Conversations
    2. Protocol Hierarchy Statistics
    3. Name Resolution
      1. Enabling Name Resolution
      2. Potential Drawbacks to Name Resolution
      3. Using a Custom hosts File
      4. Manually Initiated Name Resolution
    4. Protocol Dissection
      1. Changing the Dissector
      2. Viewing Dissector Source Code
    5. Following Streams
      1. Following SSL Streams
    6. Packet Lengths
    7. Graphing
      1. Viewing IO Graphs
      2. Round-Trip Time Graphing
      3. Flow Graphing
    8. Expert Information
  13. Chapter 6: Packet Analysis on the Command Line
    1. Installing TShark
    2. Installing tcpdump
    3. Capturing and Saving Packets
    4. Manipulating Output
    5. Name Resolution
    6. Applying Filters
    7. Time Display Formats in TShark
    8. Summary Statistics in TShark
    9. Comparing TShark and tcpdump
  14. Chapter 7: Network Layer Protocols
    1. Address Resolution Protocol (ARP)
      1. ARP Packet Structure
      2. Packet 1: ARP Request
      3. Packet 2: ARP Response
      4. Gratuitous ARP
    2. Internet Protocol (IP)
      1. Internet Protocol Version 4 (IPv4)
      2. Internet Protocol Version 6 (IPv6)
    3. Internet Control Message Protocol (ICMP)
      1. ICMP Packet Structure
      2. ICMP Types and Messages
      3. Echo Requests and Responses
      4. traceroute
      5. ICMP Version 6 (ICMPv6)
  15. Chapter 8: Transport Layer Protocols
    1. Transmission Control Protocol (TCP)
      1. TCP Packet Structure
      2. TCP Ports
      3. The TCP Three-Way Handshake
      4. TCP Teardown
      5. TCP Resets
    2. User Datagram Protocol (UDP)
      1. UDP Packet Structure
  16. Chapter 9: Common Upper-Layer Protocols
    1. Dynamic Host Configuration Protocol (DHCP)
      1. DHCP Packet Structure
      2. The DHCP Initialization Process
      3. DHCP In-Lease Renewal
      4. DHCP Options and Message Types
      5. DHCP Version 6 (DHCPv6)
    2. Domain Name System (DNS)
      1. DNS Packet Structure
      2. A Simple DNS Query
      3. DNS Question Types
      4. DNS Recursion
      5. DNS Zone Transfers
    3. Hypertext Transfer Protocol (HTTP)
      1. Browsing with HTTP
      2. Posting Data with HTTP
    4. Simple Mail Transfer Protocol (SMTP)
      1. Sending and Receiving Email
      2. Tracking an Email Message
      3. Sending Attachments via SMTP
    5. Final Thoughts
  17. Chapter 10: Basic Real-World Scenarios
    1. Missing Web Content
      1. Tapping into the Wire
      2. Analysis
      3. Lessons Learned
    2. Unresponsive Weather Service
      1. Tapping into the Wire
      2. Analysis
      3. Lessons Learned
    3. No Internet Access
      1. Gateway Configuration Problems
      2. Unwanted Redirection
      3. Upstream Problems
    4. Inconsistent Printer
      1. Tapping into the Wire
      2. Analysis
      3. Lessons Learned
    5. No Branch Office Connectivity
      1. Tapping into the Wire
      2. Analysis
      3. Lessons Learned
    6. Software Data Corruption
      1. Tapping into the Wire
      2. Analysis
      3. Lessons Learned
    7. Final Thoughts
  18. Chapter 11: Fighting a Slow Network
    1. TCP Error-Recovery Features
      1. TCP Retransmissions
      2. TCP Duplicate Acknowledgments and Fast Retransmissions
    2. TCP Flow Control
      1. Adjusting the Window Size
      2. Halting Data Flow with a Zero Window Notification
      3. The TCP Sliding Window in Practice
    3. Learning from TCP Error-Control and Flow-Control Packets
    4. Locating the Source of High Latency
      1. Normal Communications
      2. Slow Communications: Wire Latency
      3. Slow Communications: Client Latency
      4. Slow Communications: Server Latency
      5. Latency Locating Framework
    5. Network Baselining
      1. Site Baseline
      2. Host Baseline
      3. Application Baseline
      4. Additional Notes on Baselines
    6. Final Thoughts
  19. Chapter 12: Packet Analysis for Security
    1. Reconnaissance
      1. SYN Scan
      2. Operating System Fingerprinting
    2. Traffic Manipulation
      1. ARP Cache Poisoning
      2. Session Hijacking
    3. Malware
      1. Operation Aurora
      2. Remote-Access Trojan
    4. Exploit Kit and Ransomware
    5. Final Thoughts
  20. Chapter 13: Wireless Packet Analysis
    1. Physical Considerations
      1. Sniffing One Channel at a Time
      2. Wireless Signal Interference
      3. Detecting and Analyzing Signal Interference
    2. Wireless Card Modes
    3. Sniffing Wirelessly in Windows
      1. Configuring AirPcap
      2. Capturing Traffic with AirPcap
    4. Sniffing Wirelessly in Linux
    5. 802.11 Packet Structure
    6. Adding Wireless-Specific Columns to the Packet List Pane
    7. Wireless-Specific Filters
      1. Filtering Traffic for a Specific BSS ID
      2. Filtering Specific Wireless Packet Types
      3. Filtering a Specific Frequency
    8. Saving a Wireless Profile
    9. Wireless Security
      1. Successful WEP Authentication
      2. Failed WEP Authentication
      3. Successful WPA Authentication
      4. Failed WPA Authentication
    10. Final Thoughts
  21. Appendix A: Further Reading
    1. Packet Analysis Tools
      1. CloudShark
      2. WireEdit
      3. Cain & Abel
      4. Scapy
      5. TraceWrangler
      6. Tcpreplay
      7. NetworkMiner
      8. CapTipper
      9. ngrep
      10. libpcap
      11. Npcap
      12. hping
      13. Python
    2. Packet Analysis Resources
      1. Wireshark’s Home Page
      2. Practical Packet Analysis Online Course
      3. SANS’s Security Intrusion Detection In-Depth Course
      4. Chris Sanders’s Blog
      5. Brad Duncan’s Malware Traffic Analysis
      6. IANA’s Website
      7. W. Richard Stevens’s TCP/IP Illustrated Series
      8. The TCP/IP Guide
  22. Appendix B: Navigating Packets
    1. Packet Representation
    2. Using Packet Diagrams
    3. Navigating a Mystery Packet
    4. Final Thoughts
  23. Index
  24. The Electronic Frontier Foundation (EFF)
  25. DON’T JUST STARE AT CAPTURED PACKETS. ANALYZE THEM