O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Wireshark Essentials

Book Description

Get up and running with Wireshark to analyze network packets and protocols effectively

In Detail

This book introduces the Wireshark network analyzer to IT professionals across multiple disciplines.

It starts off with the installation of Wireshark, before gradually taking you through your first packet capture, identifying and filtering out just the packets of interest, and saving them to a new file for later analysis. The subsequent chapters will build on this foundation by covering essential topics on the application of the right Wireshark features for analysis, network protocols essentials, troubleshooting, and analyzing performance issues. Finally, the book focuses on packet analysis for security tasks, command-line utilities, and tools that manage trace files.

Upon finishing this book, you will have successfully added strong Wireshark skills to your technical toolset and significantly increased your value as an IT professional.

What You Will Learn

  • Discover how packet analysts view networks and the role of protocols at the packet level
  • Capture and isolate all the right packets to perform a thorough analysis using Wireshark's extensive capture and display filtering capabilities
  • Use the optimal timestamp displays, packet marking and coloring, and protocol-level settings for effective analysis of packets
  • Select and configure the appropriate Wireshark features and functions for the analysis task at hand
  • Troubleshoot connectivity and functionality issues in your network
  • Analyze and report the leading causes of poor application performance
  • Analyze packets to detect and identify malicious traffic and security threats
  • Leverage the Wireshark command-line utilities for high performance or scripted analysis activities

Table of Contents

  1. Wireshark Essentials
    1. Table of Contents
    2. Wireshark Essentials
    3. Credits
    4. About the Author
    5. About the Reviewers
    6. www.PacktPub.com
      1. Support files, eBooks, discount offers, and more
        1. Why subscribe?
        2. Free access for Packt account holders
    7. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Errata
        2. Piracy
        3. Questions
    8. 1. Getting Acquainted with Wireshark
      1. Installing Wireshark
        1. Installing Wireshark on Windows
        2. Installing Wireshark on Mac OS X
        3. Installing Wireshark on Linux/Unix
      2. Performing your first packet capture
        1. Selecting a network interface
        2. Performing a packet capture
        3. Wireshark user interface essentials
        4. Filtering out the noise
          1. Applying a display filter
        5. Saving the packet trace
      3. Summary
    9. 2. Networking for Packet Analysts
      1. The OSI model – why it matters
        1. Understanding network protocols
        2. The seven OSI layers
          1. Layer 1 – the physical layer
          2. Layer 2 – the data-link layer
          3. Layer 3 – the network layer
            1. Internet Protocol
            2. Address Resolution Protocol
          4. Layer 4 – the transport layer
            1. User Datagram Protocol
            2. Transmission Control Protocol
          5. Layer 5 – the session layer
          6. Layer 6 – the presentation layer
          7. Layer 7 – the application layer
            1. Encapsulation
      2. IP networks and subnets
      3. Switching and routing packets
        1. Ethernet frames and switches
        2. IP addresses and routers
      4. WAN links
      5. Wireless networking
      6. Summary
    10. 3. Capturing All the Right Packets
      1. Picking the best capture point
        1. User location
        2. Server location
        3. Other capture locations
          1. Mid-network captures
          2. Both sides of specialized network devices
      2. Test Access Ports and switch port mirroring
        1. Test Access Port
        2. Switch port mirroring
          1. Capturing packets on high traffic rate links
      3. Capturing interfaces, filters, and options
        1. Selecting the correct network interface
        2. Using capture filters
        3. Configuring capture filters
        4. Capture options
          1. Capturing filenames and locations
          2. Multiple file options
          3. Ring buffer
          4. Stop capture options
          5. Display options
          6. Name resolution options
      4. Verifying a good capture
      5. Saving the bulk capture file
      6. Isolating conversations of interest
      7. Using the Conversations window
        1. The Ethernet tab
        2. The TCP and UDP tabs
        3. The WLAN tab
      8. Wireshark display filters
        1. The Display Filter window
        2. The display filter syntax
        3. Typing in a display filter
        4. Display filters from a Conversations or Endpoints window
      9. Filter Expression Buttons
        1. Using the Expressions window button
        2. Right-click menus on specific packet fields
      10. Following TCP/UDP/SSL streams
      11. Marking and ignoring packets
      12. Saving the filtered traffic
      13. Summary
    11. 4. Configuring Wireshark
      1. Working with packet timestamps
        1. How Wireshark saves timestamps
        2. Wireshark time display options
        3. Adding a time column
          1. Conversation versus displayed packet time options
        4. Choosing the best Wireshark time display option
        5. Using the Time Reference option
      2. Colorization and coloring rules
        1. Packet colorization
      3. Wireshark preferences
      4. Wireshark profiles
        1. Creating a Wireshark profile
        2. Selecting a Wireshark profile
      5. Summary
    12. 5. Network Protocols
      1. The OSI and DARPA reference models
        1. Network layer protocols
          1. Wireshark IPv4 filters
          2. Wireshark ARP filters
        2. Internet Group Management Protocol
          1. Wireshark IGMP filters
        3. Internet Control Message Protocol
          1. ICMP pings
          2. ICMP traceroutes
          3. ICMP control message types
          4. ICMP redirects
            1. Wireshark ICMP filters
        4. Internet Protocol Version 6
          1. IPv6 addressing
          2. IPv6 address types
          3. IPv6 header fields
          4. IPv6 transition methods
            1. Wireshark IPv6 filters
        5. Internet Control Message Protocol Version 6
          1. Multicast Listener Discovery
            1. Wireshark ICMPv6 filters
      2. Transport layer protocols
        1. User Datagram Protocol
          1. Wireshark UDP filters
        2. Transmission Control Protocol
          1. TCP flags
          2. TCP options
            1. Wireshark TCP filters
      3. Application layer protocols
        1. Dynamic Host Configuration Protocol
          1. Wireshark DHCP filters
        2. Dynamic Host Configuration Protocol Version 6
          1. Wireshark DHCPv6 filters
        3. Domain Name Service
          1. Wireshark DNS filters
        4. Hypertext Transfer Protocol
          1. HTTP Methods
          2. Host
          3. Request Modifiers
            1. Wireshark HTTP filters
        5. Additional information
          1. Wireshark wiki
          2. Protocols on Wikipedia
          3. Requests for Comments
      4. Summary
    13. 6. Troubleshooting and Performance Analysis
      1. Troubleshooting methodology
        1. Gathering the right information
        2. Establishing the general nature of the problem
        3. Half-split troubleshooting and other logic
      2. Troubleshooting connectivity issues
        1. Enabling network interfaces
        2. Confirming physical connectivity
        3. Obtaining the workstation IP configuration
        4. Obtaining MAC addresses
        5. Obtaining network service IP addresses
        6. Basic network connectivity
          1. Connecting to the application services
      3. Troubleshooting functional issues
      4. Performance analysis methodology
        1. Top five reasons for poor application performance
          1. Preparing the tools and approach
          2. Performing, verifying, and saving a good packet capture
          3. Initial error analysis
          4. Detecting and prioritizing delays
          5. Server processing time events
          6. Application turn's delay
          7. Network path latency
          8. Bandwidth congestion
          9. Data transport
            1. TCP StreamGraph
            2. IO Graph
            3. IO Graph – Wireshark 2.0
      5. Summary
    14. 7. Packet Analysis for Security Tasks
      1. Security analysis methodology
        1. The importance of baselining
      2. Security assessment tools
      3. Identifying unacceptable or suspicious traffic
      4. Scans and sweeps
        1. ARP scans
        2. ICMP ping sweeps
        3. TCP port scans
        4. UDP port scans
      5. OS fingerprinting
      6. Malformed packets
      7. Phone home traffic
      8. Password-cracking traffic
      9. Unusual traffic
      10. Summary
    15. 8. Command-line and Other Utilities
      1. Wireshark command-line utilities
      2. Capturing traffic with Dumpcap
      3. Capturing traffic with Tshark
      4. Editing trace files with Editcap
      5. Merging trace files with Mergecap
        1. Mergecap batch file
      6. Other helpful tools
        1. HttpWatch
        2. SteelCentral Packet Analyzer Personal Edition
        3. AirPcap adapters
      7. Summary
    16. Index