book

Practical Packet Analysis, 2nd Edition

Name: Practical Packet Analysis, 2nd Edition
Author: Chris Sanders
ISBN: 9781593272661

by Chris Sanders

June 2011

Intermediate to advanced

280 pages

7h 56m

English

No Starch Press

Read now

Unlock full access

Practical Packet Analysis
Praise for the First Edition of Practical Packet Analysis
Acknowledgments
Introduction
Why This Book?
Concepts and Approach
How to Use This Book
About the Sample Capture Files
The Rural Technology Fund
Contacting Me
1. Packet Analysis and Network Basics
Packet Analysis and Packet SniffersEvaluating a Packet SnifferHow Packet Sniffers Work

How Computers Communicate
ProtocolsThe Seven-Layer OSI ModelData EncapsulationNetwork HardwareHubsSwitchesRouters
Traffic Classifications
Broadcast TrafficMulticast TrafficUnicast Traffic
Final Thoughts
2. Tapping into the Wire
Living Promiscuously
Sniffing Around Hubs
Sniffing in a Switched Environment
Port MirroringHubbing OutUsing a TapAggregated TapsNonaggregated TapsChoosing a Network TapARP Cache PoisoningThe ARP ProcessHow ARP Cache Poisoning WorksUsing Cain & AbelA Word of Caution on ARP Cache Poisoning
Sniffing in a Routed Environment
Sniffer Placement in Practice
3. Introduction to Wireshark
A Brief History of Wireshark
The Benefits of Wireshark
Installing Wireshark
Installing on Microsoft Windows SystemsInstalling on Linux SystemsRPM-based SystemsDEB-based SystemsCompiling from SourceInstalling on Mac OS X Systems
Wireshark Fundamentals
Your First Packet CaptureWireshark’s Main WindowWireshark PreferencesPacket Color Coding
4. Working with Captured Packets
Working with Capture FilesSaving and Exporting Capture FilesMerging Capture Files
Working with Packets
Finding PacketsMarking PacketsPrinting Packets
Setting Time Display Formats and References
Time Display FormatsPacket Time Referencing
Setting Capture Options
Capture SettingsCapture File(s) SettingsStop Capture SettingsDisplay OptionsName Resolution Settings
Using Filters
Capture FiltersCapture/BPF SyntaxHostname and Addressing FiltersPort and Protocol FiltersProtocol FiltersProtocol Field FiltersSample Capture Filter ExpressionsDisplay FiltersThe Filter Expression Dialog (the Easy Way)The Filter Expression Syntax Structure (the Hard Way)Sample Display Filter ExpressionsSaving Filters
5. Advanced Wireshark Features
Network Endpoints and ConversationsViewing EndpointsViewing Network ConversationsTroubleshooting with the Endpoints and Conversations Windows
Protocol Hierarchy Statistics
Name Resolution
Enabling Name ResolutionPotential Drawbacks to Name Resolution
Protocol Dissection
Changing the DissectorViewing Dissector Source Code
Following TCP Streams
Packet Lengths
Graphing
Viewing IO GraphsRound-Trip Time GraphingFlow Graphing
Expert Information
6. Common Lower-Layer Protocols
Address Resolution ProtocolThe ARP HeaderPacket 1: ARP RequestPacket 2: ARP ResponseGratuitous ARP
Internet Protocol
IP AddressesThe IPv4 HeaderTime to LiveIP Fragmentation
Transmission Control Protocol
The TCP HeaderTCP PortsThe TCP Three-Way HandshakeTCP TeardownTCP Resets
User Datagram Protocol
The UDP Header
Internet Control Message Protocol
The ICMP HeaderICMP Types and MessagesEcho Requests and ResponsesTraceroute
7. Common Upper-Layer Protocols
Dynamic Host Configuration ProtocolThe DHCP Packet StructureThe DHCP Renewal ProcessThe Discover PacketThe Offer PacketThe Request PacketThe Acknowledgment PacketDHCP In-Lease RenewalDHCP Options and Message Types
Domain Name System
The DNS Packet StructureA Simple DNS QueryDNS Question TypesDNS RecursionDNS Zone Transfers
Hypertext Transfer Protocol
Browsing with HTTPPosting Data with HTTP
Final Thoughts
8. Basic Real-World Scenarios
Social Networking at the Packet LevelCapturing Twitter TrafficThe Twitter Login ProcessSending Data with a TweetTwitter Direct MessagingCapturing Facebook TrafficThe Facebook Login ProcessPrivate Messaging with FacebookComparing Twitter vs. Facebook Methods
Capturing ESPN.com Traffic
Using the Conversations WindowUsing the Protocol Hierarchy Statistics WindowViewing DNS TrafficViewing HTTP Requests
Real-World Problems
No Internet Access: Configuration ProblemsTapping into the WireAnalysisLessons LearnedNo Internet Access: Unwanted RedirectionTapping into the WireAnalysisLessons LearnedNo Internet Access: Upstream ProblemsTapping into the WireAnalysisLessons LearnedInconsistent PrinterTapping into the WireAnalysisLessons LearnedStranded in a Branch OfficeTapping into the WireAnalysisLessons LearnedTicked-Off DeveloperTapping into the WireAnalysisLessons Learned
Final Thoughts
9. Fighting a Slow Network
TCP Error-Recovery FeaturesTCP RetransmissionsTCP Duplicate Acknowledgments and Fast Retransmissions
TCP Flow Control
Adjusting the Window SizeHalting Data Flow with a Zero Window NotificationThe TCP Sliding Window in Practice
Learning from TCP Error-Control and Flow-Control Packets
Locating the Source of High Latency
Normal CommunicationsSlow Communications—Wire LatencySlow Communications—Client LatencySlow Communications—Server LatencyLatency Locating Framework
Network Baselining
Site BaselineHost BaselineApplication BaselineAdditional Notes on Baselines
Final Thoughts
10. Packet Analysis for Security
ReconnaissanceSYN ScanUsing Filters with SYN ScansIdentifying Open and Closed PortsOperating System FingerprintingPassive FingerprintingActive Fingerprinting
Exploitation
Operation AuroraARP Cache PoisoningRemote-Access Trojan
Final Thoughts
11. Wireless Packet Analysis
Physical ConsiderationsSniffing One Channel at a TimeWireless Signal InterferenceDetecting and Analyzing Signal Interference
Wireless Card Modes
Sniffing Wirelessly in Windows
Configuring AirPcapCapturing Traffic with AirPcap
Sniffing Wirelessly in Linux
802.11 Packet Structure
Adding Wireless-Specific Columns to the Packet List Pane
Wireless-Specific Filters
Filtering Traffic for a Specific BSS IDFiltering Specific Wireless Packet TypesFiltering a Specific Frequency
Wireless Security
Successful WEP AuthenticationFailed WEP AuthenticationSuccessful WPA AuthenticationFailed WPA Authentication
Final Thoughts
A. Further Reading
Packet Analysis Toolstcpdump and WindumpCain & AbelScapyNetdudeColasoft Packet BuilderCloudSharkpcaprNetworkMinerTcpreplayngreplibpcaphpingDomain DossierPerl and Python
Packet Analysis Resources
Wireshark Home PageSANS Security Intrusion Detection In-Depth CourseChris Sanders BlogPacketstan BlogWireshark UniversityIANATCP/IP Illustrated (Addison-Wesley)The TCP/IP Guide (No Starch Press)
Index
About the Author
Colophon
B. Updates

Content preview from Practical Packet Analysis, 2nd Edition

Protocol Dissection

A protocol dissector allows Wireshark to break down a protocol into various sections so that it can be analyzed. For example, the ICMP protocol dissector allows Wireshark to take the raw data off the wire and format it as an ICMP packet.

You can think of a dissector as the translator between the raw data flowing across the wire and the Wireshark program. In order for a protocol to be supported by Wireshark, it must have a dissector built into it (or you can write your own in C or Python).

Wireshark uses several dissectors in unison to interpret each packet. It determines which dissectors to use by using its programmed logic and making a well-educated guess.

Changing the Dissector

wrongdissector.pcap

Unfortunately, Wireshark does ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781593272661Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Practical Packet Analysis, 2nd Edition

by Chris Sanders

Protocol Dissection

Changing the Dissector

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.