Practical Packet Analysis, 3rd Edition

Book description

It's easy to capture packets with Wireshark, the world's most popular network sniffer, whether off the wire or from the air. But how do you use those packets to understand what's happening on your network?

Updated to cover Wireshark 2.x, the third edition of Practical Packet Analysis will teach you to make sense of your packet captures so that you can better troubleshoot network problems. You'll find added coverage of IPv6 and SMTP, a new chapter on the powerful command line packet analyzers tcpdump and TShark, and an appendix on how to read and reference packet values using a packet map.

Practical Packet Analysis will show you how to:

  • Monitor your network in real time and tap live network communications
  • Build customized capture and display filters
  • Use packet analysis to troubleshoot and resolve common network problems, like loss of connectivity, DNS issues, and slow speeds
  • Explore modern exploits and malware at the packet level
  • Extract files sent across a network from packet captures
  • Graph traffic patterns to visualize the data flowing across your network
  • Use advanced Wireshark features to understand confusing captures
  • Build statistics and reports to help you better explain technical network information to non-techies
No matter what your level of experience is, Practical Packet Analysis will show you how to use Wireshark to make sense of any network and get things done.
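The description above lists capture and display filters and packet-level analysis of reconnaissance (the SYN scan of Chapter 12) among the book's topics. The following is an added example, not code from the book or from the Wireshark project: a minimal pcap reader in Python that dissects Ethernet/IPv4/TCP, applies a display-filter-style predicate (the equivalent of `tcp.flags.syn==1 && tcp.flags.ack==0`), and flags a source probing many ports on one host. The capture is constructed in memory with assumed addresses (10.0.0.5, 10.0.0.7, 10.0.0.10) and zeroed checksums, so it runs offline; the `min_ports` threshold is an arbitrary choice for illustration.

```python
"""Minimal pcap reader with a display-filter-style predicate and a SYN-scan check.

Added example (not from the book). The capture is constructed in memory with
assumed addresses so the script runs offline; IP/TCP checksums are left at zero.
Only Ethernet/IPv4/TCP is dissected; other frames are skipped.
"""
import struct
from collections import defaultdict

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Ethernet + IPv4 + TCP header, no payload (assumed MACs/IPs, checksums zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000, i * 1000, len(frame), len(frame)) + frame)
    return b"".join(out)


def dissect_tcp(frame, ts):
    """Return the fields Wireshark would show for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:   # protocol 6 = TCP; respect IHL for options
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return {"ts": ts, "src": ".".join(map(str, ip[12:16])),
            "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "flags": tcp[13]}


def parse_pcap(data):
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    if struct.unpack_from("<I", data, 20)[0] != 1:
        raise ValueError("not an Ethernet (DLT_EN10MB) capture")
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < incl_len:
            break                      # truncated file: stop rather than mis-dissect the tail
        pkt = dissect_tcp(frame, ts_sec + ts_usec / 1e6)
        if pkt:
            pkts.append(pkt)
    return pkts


def display_filter(pkts, predicate):
    """Analogue of a Wireshark display filter: keep only packets the predicate accepts."""
    return [p for p in pkts if predicate(p)]


def is_syn_only(p):                    # tcp.flags.syn==1 && tcp.flags.ack==0
    return (p["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN


def detect_syn_scan(pkts, min_ports=4):
    """Sources that sent bare SYNs to at least min_ports distinct ports on one host."""
    probes = defaultdict(set)
    for p in display_filter(pkts, is_syn_only):
        probes[(p["src"], p["dst"])].add(p["dport"])
    return {src: sorted(ports) for (src, _dst), ports in probes.items() if len(ports) >= min_ports}


def open_ports(pkts):
    """(host, port) pairs that answered with SYN/ACK, i.e. tcp.flags == 0x012."""
    synack = lambda p: (p["flags"] & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)
    return sorted({(p["src"], p["sport"]) for p in display_filter(pkts, synack)})


def sample_capture():
    """Constructed capture: one host probing five ports, plus one legitimate handshake."""
    scanner, client, target = "10.0.0.5", "10.0.0.7", "10.0.0.10"   # assumed addresses
    frames = []
    for port in (22, 80, 443, 445, 3389):
        frames.append(build_tcp_frame(scanner, target, 40000 + port, port, TCP_SYN))
        reply = TCP_SYN | TCP_ACK if port in (80, 443) else TCP_RST | TCP_ACK
        frames.append(build_tcp_frame(target, scanner, port, 40000 + port, reply))
    frames += [build_tcp_frame(client, target, 51000, 80, TCP_SYN),
               build_tcp_frame(target, client, 80, 51000, TCP_SYN | TCP_ACK),
               build_tcp_frame(client, target, 51000, 80, TCP_ACK)]
    return build_pcap(frames)


if __name__ == "__main__":
    pkts = parse_pcap(sample_capture())
    print(len(pkts), "TCP packets dissected")
    print("SYN-scan sources:", detect_syn_scan(pkts))
    print("ports answering SYN/ACK:", open_ports(pkts))
```

To run the same check against a real file, replace `sample_capture()` with `open("capture.pcap", "rb").read()`; the reader rejects pcapng and non-Ethernet link types rather than guessing, and a capture's `tcp.flags` predicate maps directly onto `display_filter` with a different lambda.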

Table of contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Brief Contents
  5. Contents in Detail
  6. Acknowledgments
  7. Introduction
    1. Why This Book?
    2. Concepts and Approach
    3. How to Use This Book
    4. About the Sample Capture Files
    5. The Rural Technology Fund
    6. Contacting Me
  8. Chapter 1: Packet Analysis and Network Basics
    1. Packet Analysis and Packet Sniffers
      1. Evaluating a Packet Sniffer
      2. How Packet Sniffers Work
    2. How Computers Communicate
      1. Protocols
      2. The Seven-Layer OSI Model
      3. Network Hardware
    3. Traffic Classifications
      1. Broadcast Traffic
      2. Multicast Traffic
      3. Unicast Traffic
    4. Final Thoughts
  9. Chapter 2: Tapping into the Wire
    1. Living Promiscuously
    2. Sniffing Around Hubs
    3. Sniffing in a Switched Environment
      1. Port Mirroring
      2. Hubbing Out
      3. Using a Tap
      4. ARP Cache Poisoning
    4. Sniffing in a Routed Environment
    5. Sniffer Placement in Practice
  10. Chapter 3: Introduction to Wireshark
    1. A Brief History of Wireshark
    2. The Benefits of Wireshark
    3. Installing Wireshark
      1. Installing on Windows Systems
      2. Installing on Linux Systems
      3. Installing on OS X Systems
    4. Wireshark Fundamentals
      1. Your First Packet Capture
      2. Wireshark’s Main Window
      3. Wireshark Preferences
      4. Packet Color Coding
    5. Configuration Files
    6. Configuration Profiles
  11. Chapter 4: Working with Captured Packets
    1. Working with Capture Files
      1. Saving and Exporting Capture Files
      2. Merging Capture Files
    2. Working with Packets
      1. Finding Packets
      2. Marking Packets
      3. Printing Packets
    3. Setting Time Display Formats and References
      1. Time Display Formats
      2. Packet Time Referencing
      3. Time Shifting
    4. Setting Capture Options
      1. Input Tab
      2. Output Tab
      3. Options Tab
    5. Using Filters
      1. Capture Filters
      2. Display Filters
      3. Saving Filters
      4. Adding Display Filters to a Toolbar
  12. Chapter 5: Advanced Wireshark Features
    1. Endpoints and Network Conversations
      1. Viewing Endpoint Statistics
      2. Viewing Network Conversations
      3. Identifying Top Talkers with Endpoints and Conversations
    2. Protocol Hierarchy Statistics
    3. Name Resolution
      1. Enabling Name Resolution
      2. Potential Drawbacks to Name Resolution
      3. Using a Custom hosts File
      4. Manually Initiated Name Resolution
    4. Protocol Dissection
      1. Changing the Dissector
      2. Viewing Dissector Source Code
    5. Following Streams
      1. Following SSL Streams
    6. Packet Lengths
    7. Graphing
      1. Viewing IO Graphs
      2. Round-Trip Time Graphing
      3. Flow Graphing
    8. Expert Information
  13. Chapter 6: Packet Analysis on the Command Line
    1. Installing TShark
    2. Installing tcpdump
    3. Capturing and Saving Packets
    4. Manipulating Output
    5. Name Resolution
    6. Applying Filters
    7. Time Display Formats in TShark
    8. Summary Statistics in TShark
    9. Comparing TShark and tcpdump
  14. Chapter 7: Network Layer Protocols
    1. Address Resolution Protocol (ARP)
      1. ARP Packet Structure
      2. Packet 1: ARP Request
      3. Packet 2: ARP Response
      4. Gratuitous ARP
    2. Internet Protocol (IP)
      1. Internet Protocol Version 4 (IPv4)
      2. Internet Protocol Version 6 (IPv6)
    3. Internet Control Message Protocol (ICMP)
      1. ICMP Packet Structure
      2. ICMP Types and Messages
      3. Echo Requests and Responses
      4. traceroute
      5. ICMP Version 6 (ICMPv6)
  15. Chapter 8: Transport Layer Protocols
    1. Transmission Control Protocol (TCP)
      1. TCP Packet Structure
      2. TCP Ports
      3. The TCP Three-Way Handshake
      4. TCP Teardown
      5. TCP Resets
    2. User Datagram Protocol (UDP)
      1. UDP Packet Structure
  16. Chapter 9: Common Upper-Layer Protocols
    1. Dynamic Host Configuration Protocol (DHCP)
      1. DHCP Packet Structure
      2. The DHCP Initialization Process
      3. DHCP In-Lease Renewal
      4. DHCP Options and Message Types
      5. DHCP Version 6 (DHCPv6)
    2. Domain Name System (DNS)
      1. DNS Packet Structure
      2. A Simple DNS Query
      3. DNS Question Types
      4. DNS Recursion
      5. DNS Zone Transfers
    3. Hypertext Transfer Protocol (HTTP)
      1. Browsing with HTTP
      2. Posting Data with HTTP
    4. Simple Mail Transfer Protocol (SMTP)
      1. Sending and Receiving Email
      2. Tracking an Email Message
      3. Sending Attachments via SMTP
    5. Final Thoughts
  17. Chapter 10: Basic Real-World Scenarios
    1. Missing Web Content
      1. Tapping into the Wire
      2. Analysis
      3. Lessons Learned
    2. Unresponsive Weather Service
      1. Tapping into the Wire
      2. Analysis
      3. Lessons Learned
    3. No Internet Access
      1. Gateway Configuration Problems
      2. Unwanted Redirection
      3. Upstream Problems
    4. Inconsistent Printer
      1. Tapping into the Wire
      2. Analysis
      3. Lessons Learned
    5. No Branch Office Connectivity
      1. Tapping into the Wire
      2. Analysis
      3. Lessons Learned
    6. Software Data Corruption
      1. Tapping into the Wire
      2. Analysis
      3. Lessons Learned
    7. Final Thoughts
  18. Chapter 11: Fighting a Slow Network
    1. TCP Error-Recovery Features
      1. TCP Retransmissions
      2. TCP Duplicate Acknowledgments and Fast Retransmissions
    2. TCP Flow Control
      1. Adjusting the Window Size
      2. Halting Data Flow with a Zero Window Notification
      3. The TCP Sliding Window in Practice
    3. Learning from TCP Error-Control and Flow-Control Packets
    4. Locating the Source of High Latency
      1. Normal Communications
      2. Slow Communications: Wire Latency
      3. Slow Communications: Client Latency
      4. Slow Communications: Server Latency
      5. Latency Locating Framework
    5. Network Baselining
      1. Site Baseline
      2. Host Baseline
      3. Application Baseline
      4. Additional Notes on Baselines
    6. Final Thoughts
  19. Chapter 12: Packet Analysis for Security
    1. Reconnaissance
      1. SYN Scan
      2. Operating System Fingerprinting
    2. Traffic Manipulation
      1. ARP Cache Poisoning
      2. Session Hijacking
    3. Malware
      1. Operation Aurora
      2. Remote-Access Trojan
    4. Exploit Kit and Ransomware
    5. Final Thoughts
  20. Chapter 13: Wireless Packet Analysis
    1. Physical Considerations
      1. Sniffing One Channel at a Time
      2. Wireless Signal Interference
      3. Detecting and Analyzing Signal Interference
    2. Wireless Card Modes
    3. Sniffing Wirelessly in Windows
      1. Configuring AirPcap
      2. Capturing Traffic with AirPcap
    4. Sniffing Wirelessly in Linux
    5. 802.11 Packet Structure
    6. Adding Wireless-Specific Columns to the Packet List Pane
    7. Wireless-Specific Filters
      1. Filtering Traffic for a Specific BSS ID
      2. Filtering Specific Wireless Packet Types
      3. Filtering a Specific Frequency
    8. Saving a Wireless Profile
    9. Wireless Security
      1. Successful WEP Authentication
      2. Failed WEP Authentication
      3. Successful WPA Authentication
      4. Failed WPA Authentication
    10. Final Thoughts
  21. Appendix A: Further Reading
    1. Packet Analysis Tools
      1. CloudShark
      2. WireEdit
      3. Cain & Abel
      4. Scapy
      5. TraceWrangler
      6. Tcpreplay
      7. NetworkMiner
      8. CapTipper
      9. ngrep
      10. libpcap
      11. Npcap
      12. hping
      13. Python
    2. Packet Analysis Resources
      1. Wireshark’s Home Page
      2. Practical Packet Analysis Online Course
      3. SANS’s Security Intrusion Detection In-Depth Course
      4. Chris Sanders’s Blog
      5. Brad Duncan’s Malware Traffic Analysis
      6. IANA’s Website
      7. W. Richard Stevens’s TCP/IP Illustrated Series
      8. The TCP/IP Guide
  22. Appendix B: Navigating Packets
    1. Packet Representation
    2. Using Packet Diagrams
    3. Navigating a Mystery Packet
    4. Final Thoughts
  23. Index
  24. The Electronic Frontier Foundation (EFF)
  25. DON’T JUST STARE AT CAPTURED PACKETS. ANALYZE THEM

Product information

  • Title: Practical Packet Analysis, 3rd Edition
  • Author(s): Chris Sanders
  • Release date: March 2017
  • Publisher(s): No Starch Press
  • ISBN: 9781593278021