A
FURTHER READING

Although the tool you’ve primarily used in this book is Wireshark, a great many additional tools will come in handy when you’re performing packet analysis—whether for general troubleshooting, slow networks, security issues, or wireless networks. This appendix lists some useful packet analysis tools and other learning resources.

Packet Analysis Tools

Let’s take a look at a few of the tools I’ve found useful for packet analysis.

CloudShark

CloudShark (developed by QA Café) is my favorite tool for storing, indexing, and sorting packet captures. CloudShark is a commercial web application that serves as a packet capture repository. It allows you to tag packet captures for quick reference and to add comments in the captures themselves. It even provides some analysis features similar to those in Wireshark (Figure A-1).

Figure A-1: A sample capture file viewed with CloudShark

If you or your organization maintains a large library of packet captures, or you’re like me and are always losing your files, then CloudShark can help. I have CloudShark deployed in my network, and I used it to store and organize all the packet captures for this book. You can learn more about CloudShark at https://www.cloudshark.org/.

WireEdit

You may need to create specifically formatted packets to support intrusion detection system testing, penetration testing, or network software development. One option is to re-create the scenario that will generate the packets you need in a lab, but doing so can be time-consuming. Another technique is to find a similar packet and manually edit it to match your needs. My favorite tool for this task is WireEdit, a graphical tool that allows you to edit specific values in a packet. The very intuitive user interface is similar to Wireshark’s. WireEdit will even recalculate packet checksums so that your packets don’t appear invalid when opened in Wireshark. You can learn more about WireEdit at https://wireedit.com/.

Cain & Abel

Discussed in Chapter 2, Cain & Abel is one of the better Windows tools for ARP cache poisoning. Cain & Abel is actually a very robust suite of tools, and you will surely be able to find other uses for it as well. It is available from http://www.oxid.it/cain.html.

Scapy

Scapy is a very powerful Python library for crafting, sending, sniffing, and dissecting packets, either interactively in its own shell or from ordinary Python scripts. Simply put, Scapy is the most powerful and flexible packet-crafting application available. You can read more about Scapy, download it, and view sample Scapy scripts at http://www.secdev.org/projects/scapy/.

TraceWrangler

Packet captures contain a lot of information about your network. If you need to share a packet capture from your network with a vendor or colleague, you might not want them to have that information. TraceWrangler helps solve this problem by providing the ability to sanitize packet captures by anonymizing the different types of addresses present. It has a few other features, such as the ability to edit and merge capture files, but I primarily use it for sanitization. Download TraceWrangler at https://www.tracewrangler.com/.
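The two jobs just described, editing packet fields without leaving bad checksums behind (WireEdit) and replacing addresses before a capture leaves your network (TraceWrangler), can also be scripted. The following is an added example written for this appendix; it is not code from either tool. It walks a classic little-endian pcap file, maps every IPv4 source and destination address through a consistent one-to-one table into a replacement pool (10.0.0.0/8 is an arbitrary choice), and then recomputes the IP header checksum and the TCP or UDP checksum, which also changes because it covers a pseudo-header containing both addresses. The sample capture, MAC addresses, and port numbers are constructed here for the demonstration; ARP, IPv6, and non-Ethernet link types are passed through untouched, which a real sanitization pass would still have to handle.

```python
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
L4_CSUM_OFFSET = {6: 16, 17: 6}  # checksum field offset inside the TCP / UDP header

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def l4_checksum(src: bytes, dst: bytes, proto: int, segment: bytes) -> int:
    """TCP/UDP checksum over the IPv4 pseudo-header plus the segment (its checksum field zeroed)."""
    seg, off = bytearray(segment), L4_CSUM_OFFSET[proto]
    seg[off:off + 2] = b"\x00\x00"
    value = checksum(src + dst + struct.pack("!BBH", 0, proto, len(seg)) + bytes(seg))
    return 0xFFFF if proto == 17 and value == 0 else value   # UDP: a zero field means "no checksum"

class AddressMapper:
    """Consistent one-to-one mapping of real IPv4 addresses into a replacement pool."""
    def __init__(self, pool: str = "10.0.0.0/8"):   # pool is an arbitrary choice for this example
        self.pool, self.mapping = ipaddress.ip_network(pool), {}

    def map(self, addr: bytes) -> bytes:
        if addr not in self.mapping:
            index = len(self.mapping) + 1            # skip the network address itself
            if index >= self.pool.num_addresses - 1:
                raise ValueError("replacement pool exhausted")
            self.mapping[addr] = (self.pool.network_address + index).packed
        return self.mapping[addr]

def anonymize_frame(frame: bytes, mapper: AddressMapper) -> bytes:
    """Rewrite both IPv4 addresses of one Ethernet frame and fix the IP and L4 checksums."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return frame                                  # ARP, IPv6, ...: passed through untouched
    ihl = (frame[14] & 0x0F) * 4
    ip, rest = bytearray(frame[14:14 + ihl]), bytearray(frame[14 + ihl:])
    ip[12:16] = mapper.map(bytes(ip[12:16]))
    ip[16:20] = mapper.map(bytes(ip[16:20]))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip[:10]) + b"\x00\x00" + bytes(ip[12:])))
    # Segment length comes from the IP total length: short frames carry Ethernet padding after it.
    proto, seg_len = ip[9], struct.unpack("!H", ip[2:4])[0] - ihl
    off = L4_CSUM_OFFSET.get(proto)
    if off is not None and off + 2 <= seg_len <= len(rest):
        if not (proto == 17 and rest[off:off + 2] == b"\x00\x00"):   # UDP checksum disabled: keep it
            value = l4_checksum(bytes(ip[12:16]), bytes(ip[16:20]), proto, bytes(rest[:seg_len]))
            rest[off:off + 2] = struct.pack("!H", value)
    return frame[:14] + bytes(ip) + bytes(rest)

def pcap_records(data: bytes):
    """Yield (16-byte record header, frame) pairs from a little-endian classic pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        yield data[pos:pos + 16], data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def anonymize_pcap(data: bytes, mapper=None) -> bytes:
    """Return a copy of the capture with every IPv4 address replaced consistently."""
    mapper = mapper or AddressMapper()
    out = bytearray(data[:24])                        # global header kept verbatim
    for header, frame in pcap_records(data):
        out += header + anonymize_frame(frame, mapper)   # timestamps and lengths unchanged
    return bytes(out)

def checksums_valid(frame: bytes) -> bool:
    """Check the IP header checksum and, for TCP/UDP, the transport checksum of one frame."""
    ihl = (frame[14] & 0x0F) * 4
    ip, proto = frame[14:14 + ihl], frame[23]
    seg = frame[14 + ihl:14 + struct.unpack("!H", frame[16:18])[0]]
    if checksum(ip) != 0 or proto not in L4_CSUM_OFFSET:
        return checksum(ip) == 0
    off = L4_CSUM_OFFSET[proto]
    return l4_checksum(ip[12:16], ip[16:20], proto, seg) == struct.unpack("!H", seg[off:off + 2])[0]

def build_frame(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> bytes:
    """Construct a valid Ethernet/IPv4 frame; used only to make the constructed sample capture."""
    src, dst = ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed
    seg, off = bytearray(segment), L4_CSUM_OFFSET[proto]
    seg[off:off + 2] = struct.pack("!H", l4_checksum(src, dst, proto, bytes(seg)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 1, 0x4000, 64, proto, 0, src, dst))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + bytes(ip) + bytes(seg)

def sample_pcap() -> bytes:
    """Constructed two-packet capture: a TCP SYN to port 443 and a DNS A query for the root name."""
    syn = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    dns = struct.pack("!HHHH", 40001, 53, 25, 0) + bytes.fromhex("1234 0100 0001 0000 0000 0000 00 0001 0001")
    frames = [build_frame("192.0.2.10", "198.51.100.7", 6, syn),
              build_frame("192.0.2.10", "192.0.2.1", 17, dns)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out
```

Running `anonymize_pcap(open("capture.pcap", "rb").read())` and writing the result back out gives a file in which 192.0.2.10 becomes 10.0.0.1 in every packet, so the conversation structure survives while the real addresses do not, and `checksums_valid()` confirms nothing will be flagged as malformed. Two caveats a practitioner should keep in mind: the same `AddressMapper` must be used across all files you hand over together, or one host will appear under several fake addresses; and rewriting addresses alone is not full sanitization, because DNS names, HTTP Host headers, TLS SNI values, and the payloads themselves still carry identifying data.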

Tcpreplay

Whenever I have a set of packets that I need to retransmit over the wire to see how a device reacts to them, I use Tcpreplay. This tool is designed specifically to retransmit the packets contained within a packet capture file. Download it from http://tcpreplay.synfin.net/.

NetworkMiner

NetworkMiner is a tool primarily used for network forensics, but I’ve found it useful in a variety of other situations as well. Although it can be used to capture packets, its real strength is how it parses packet capture files. NetworkMiner will take a PCAP file and break it down into the operating systems detected and the sessions between hosts. It even allows you to extract transferred files directly from the capture (Figure A-2). All these features are available in the free version; the commercial version offers a few other helpful features, such as the ability to perform OS fingerprinting, compare findings against a whitelist, and increase the speed of packet capture processing. NetworkMiner is free to download from http://www.netresec.com/?page=NetworkMiner.

Figure A-2: Using NetworkMiner to examine files in a packet capture

CapTipper

One thing I hope you’ve learned in this book is that finding the answers you need often involves looking at the same data in a different way. CapTipper is a tool designed for security practitioners who analyze malicious HTTP traffic (see Figure A-3). It provides a richly featured shell environment that allows the user to interactively explore individual conversations to find redirections, file objects, and malicious content. It also provides a few handy features for interacting with the data you uncover, including the ability to extract gzipped data and submit file hashes to VirusTotal. You can download CapTipper at https://www.github.com/omriher/CapTipper/.

Figure A-3: Analyzing an HTTP-based malware delivery with CapTipper

ngrep

If you are familiar with Linux, you’ve no doubt used grep to search data. ngrep is similar and allows you to perform very specific searches of packet capture data. I mostly use ngrep when capture and display filters won’t do the job or become unwieldy. You can read more about ngrep at http://ngrep.sourceforge.net/.

libpcap

If you plan to do any advanced packet parsing or create applications that deal with packets, you’ll become very familiar with libpcap. Simply put, libpcap is a portable C library for capturing network traffic, and it also defines the classic pcap capture file format. Wireshark, tcpdump, and most other packet analysis applications rely on the libpcap library at some level. You can read more about libpcap at http://www.tcpdump.org/.

Npcap

Npcap is the Nmap Project’s packet-capture library for Windows, based on WinPcap/libpcap. It is reported to capture packets faster than WinPcap, and it adds security options such as restricting packet capture to administrators and integrating with Windows User Account Control (UAC). Npcap can be installed in place of WinPcap and used with Wireshark. You can learn more about it here: https://www.github.com/nmap/npcap/.

hping

hping is one of the more versatile tools to have in your arsenal. hping is a command line packet-crafting, -editing, and -transmission tool. It supports a variety of protocols and is very quick and intuitive to use. You can download hping from http://www.hping.org/.

Python

Python isn’t a tool but rather a scripting language that is well worth mentioning. As you become proficient in packet analysis, you’ll encounter cases in which no automated tool exists to meet your needs. In those cases, Python is the language of choice for making tools that can do interesting things with packets. You’ll also need to know a little Python to interact with the Scapy library. My favorite online resource for learning Python is the popular Learn Python the Hard Way series, which can be found here: https://www.learnpythonthehardway.org/.

Packet Analysis Resources

From Wireshark’s home page to courses and blogs, many resources for packet analysis are available. I’ll list a few of my favorites here.

Wireshark’s Home Page

The foremost resource for everything related to Wireshark is its home page, http://www.wireshark.org/. It has links to software documentation, a very helpful wiki that contains sample capture files, and sign-up information for the Wireshark mailing list. You can also browse to https://ask.wireshark.org/ to ask questions about things you’re seeing in Wireshark or specific features. This community is active and very helpful.

Practical Packet Analysis Online Course

If you like this book, you might also like the online training course that complements it. In the Practical Packet Analysis course, you’ll be able to follow along with videos as I go through all the captures in this book and several others. I also provide capture labs where you can test your skills and a discussion forum where you can learn from other students as you progress. This course launches in mid-2017. You can learn more about my training offerings at http://www.chrissanders.org/training/ and sign up for my mailing list to get notified about training opportunities here: http://www.chrissanders.org/list/.

SANS’s Security Intrusion Detection In-Depth Course

SANS SEC503: Intrusion Detection In-Depth focuses on the security aspects of packet analysis. Even if you aren’t focused on security, the first two days of the course provide a fantastic introduction to packet analysis and tcpdump. It is offered at live events several times a year at locations around the world.

You can read more about SEC503 and other SANS Institute courses at http://www.sans.org/.

Chris Sanders’s Blog

I occasionally write articles related to packet analysis and post them on my blog at http://www.chrissanders.org/. My blog also serves as a portal that links to other articles and books I have written and provides my contact information. You’ll also find links to packet captures included in this book and others.

Brad Duncan’s Malware Traffic Analysis

My favorite resource for security-related packet captures is Brad Duncan’s Malware Traffic Analysis (MTA) site. Brad posts packet captures containing real infection chains multiple times per week. These captures are complete with the associated malware binaries and a description of what is happening. If you want to gain experience dissecting malware infections and learn about current malware techniques, start by downloading some of these captures and trying to make sense of them. You can visit MTA at http://www.malware-traffic-analysis.net/ or follow Brad on Twitter at @malware_traffic to be alerted when he posts updates.

IANA’s Website

The Internet Assigned Numbers Authority (IANA), available at http://www.iana.org/, coordinates the global allocation of IP address blocks (which it delegates to the regional Internet registries; ARIN is the registry for North America) and maintains the protocol number and port number assignments. Its website offers some valuable reference tools, such as the ability to look up port numbers, view information related to top-level domain names, and browse companion sites to find and view RFCs.

W. Richard Stevens’s TCP/IP Illustrated Series

Considered the TCP/IP bible by most, W. Richard Stevens’s TCP/IP Illustrated series (Addison-Wesley, 1994–1996) is a staple on the bookshelves of most who live at the packet level. These are my favorite TCP/IP books, and I consulted these volumes quite a bit while writing this book. A second edition of Volume 1, coauthored with Kevin R. Fall, was published in 2012.

The TCP/IP Guide

The TCP/IP Guide by Charles Kozierok (No Starch Press, 2005) is another reference resource for TCP/IP protocol information. Weighing in at over 1,600 pages, it’s very detailed and contains many great diagrams for the visual learner.
