Network traffic becomes easier to understand, both for beginners and experts, if we look at the messages firsthand. We use Wireshark to watch hosts exchange packets and to examine individual packets in detail. Wireshark provides a graphical interface organized around a single window, as shown in FIGURE 11.14.

The Wireshark window contains four major sections. The topmost section provides Wireshark’s functions and controls. The remaining three sections display packets or parts thereof:

1. Packet list pane lists the captured packets in sorted order, one packet per line. We can change the sort order by clicking on the column headings.

   • Each line summarizes the packet type and content.

   • The highlighted packet from this list appears in the next three sections.

2. Packet details pane lists the headers in the highlighted packet, one per header.

   • Each line summarizes the header’s contents.

   • Each header has an “expand” symbol on the left; clicking the symbol expands the header to display its detailed contents.

3. Packet bytes pane displays the entire packet in hexadecimal and ASCII. When we select part of the packet in the details pane, that part is highlighted in the packet bytes.

Wireshark contains built-in descriptions of most protocols used on the internet, and by typical commercial equipment. When we expand a header, Wireshark uses its library of descriptions to interpret the packet’s contents. Wireshark provides the following features:

• ■   Opens a packet capture file (pcap), a file containing a collection of network packets.

• ■   Collects packets from a network interface in real time. If Wireshark collects the packets itself, it may save them in a pcap for further inspection.

• ■   Displays a list of the captured packets in order of receipt or in other sorted orders.

• ■   Displays the detailed contents of individual packet headers in a readable format.

• ■   Displays the packet contents in raw hexadecimal.

Wireshark is an open-source program available for Windows and Unix-based systems, including Apple’s MacOS. The Wireshark website distributes it either as an easy-to-install binary or in source code form. To capture packets, the user must have administrator rights. The user needs no special permission to examine a previously collected pcap.

ARP is the most common protocol that travels by itself in Ethernet packets. FIGURE 11.16 shows the Wireshark display of an ARP Request packet.

The packet list effectively summarizes the ARP packet’s contents: It identifies the host asking the question and the IP address being queried. The expanded packet shows the details, including the sender’s MAC address.

FIGURE 11.17 displays the ARP Response packet. Again, the packet list summarizes the essential contents. In practice, we rarely need to expand an ARP packet. Note how the contents displayed by Wireshark parallel those shown in Figure 11.16.

FIGURE 11.18 shows an expanded IP header displayed in Wireshark. The essential information is, of course, the host addresses. The expanded header shows the TTL (255), the checksum, and information about fragmentation.

Nmap is a well-respected open source utility for mapping computer networks. It also helps with security scanning because it often can identify the versions of network protocol software each host is running. Although we can run nmap from a graphical interface, the features we need are most easily performed with the keyboard command. We type the nmap command as follows:

nmap <options> <addresses>

• <options> may contain a list of options, each prefixed with a hyphen

• <addresses> contains a host name, an IP address, or a range of IP addresses in dotted decimal format

FIGURE 11.20 shows the output of a simple nmap command that identifies a single host to scan.

When we scan a single host, we receive a list of the open ports on that host, the services provided by those ports, and the time required to perform the search.

We can select the “service version” option “-sV” to add detail to the list of ports. Nmap will try to guess the specific type and version of protocol software being used on that port (FIGURE 11.21).

If we give nmap a range of addresses to search, it searches for live hosts and for open ports. If a host ignores its initial ping, it assumes the host is down and goes to the next one. If nmap’s ping yields a response, it scans the service ports, testing for open ones. It reports each open port. This continues until it has scanned all ports of all hosts it finds. FIGURE 11.22 shows what happened when it scanned a running laptop with Windows 7 installed.

Similar things happen when scanning other modern systems. Thus, ping is no longer very reliable for locating live hosts. If we know a host is up, we can direct nmap to scan it anyway by using the “-PN” option. In FIGURE 11.23, we combine it with the “-O” option, which tells nmap to try to identify the computer’s operating system.

Nmap is designed to search networks for active hosts and to search those hosts for visible services. Although this is useful when managing a network, it is disruptive and troublesome if done unnecessarily. At best, it generates a lot of unnecessary traffic—and we mean a lot of traffic, especially when scanning a larger network.

Even worse, it could uncover security weaknesses, which could open the network or its hosts to additional attacks.

Using nmap to scan other hosts on your ISP will almost certainly violate your ISP’s acceptable use policy. Your ISP then may terminate your internet service connection.

Using nmap at your school or place of business without permission also may get you into serious trouble. Do not scan hosts on someone else’s network without explicit, written permission. Thus, if anything goes wrong, you have evidence that your actions were legitimate.

Remember, if you are using nmap on someone else’s network, then you are doing security research on their behalf. Your scan results are sensitive data and must not be shared with or leaked to unauthorized people. Keep the information secret and under your personal control.