CONTENTS IN DETAIL

ACKNOWLEDGMENTS

INTRODUCTION

Why This Book?

Concepts and Approach

How to Use This Book

About the Sample Capture Files

The Rural Technology Fund

Contacting Me

1
PACKET ANALYSIS AND NETWORK BASICS

Packet Analysis and Packet Sniffers

Evaluating a Packet Sniffer

How Packet Sniffers Work

How Computers Communicate

Protocols

The Seven-Layer OSI Model

Network Hardware

Traffic Classifications

Broadcast Traffic

Multicast Traffic

Unicast Traffic

Final Thoughts

2
TAPPING INTO THE WIRE

Living Promiscuously

Sniffing Around Hubs

Sniffing in a Switched Environment

Port Mirroring

Hubbing Out

Using a Tap

ARP Cache Poisoning

Sniffing in a Routed Environment

Sniffer Placement in Practice

3
INTRODUCTION TO WIRESHARK

A Brief History of Wireshark

The Benefits of Wireshark

Installing Wireshark

Installing on Windows Systems

Installing on Linux Systems

Installing on OS X Systems

Wireshark Fundamentals

Your First Packet Capture

Wireshark’s Main Window

Wireshark Preferences

Packet Color Coding

Configuration Files

Configuration Profiles

4
WORKING WITH CAPTURED PACKETS

Working with Capture Files

Saving and Exporting Capture Files

Merging Capture Files

Working with Packets

Finding Packets

Marking Packets

Printing Packets

Setting Time Display Formats and References

Time Display Formats

Packet Time Referencing

Time Shifting

Setting Capture Options

Input Tab

Output Tab

Options Tab

Using Filters

Capture Filters

Display Filters

Saving Filters

Adding Display Filters to a Toolbar

5
ADVANCED WIRESHARK FEATURES

Endpoints and Network Conversations

Viewing Endpoint Statistics

Viewing Network Conversations

Identifying Top Talkers with Endpoints and Conversations

Protocol Hierarchy Statistics

Name Resolution

Enabling Name Resolution

Potential Drawbacks to Name Resolution

Using a Custom hosts File

Manually Initiated Name Resolution

Protocol Dissection

Changing the Dissector

Viewing Dissector Source Code

Following Streams

Following SSL Streams

Packet Lengths

Graphing

Viewing IO Graphs

Round-Trip Time Graphing

Flow Graphing

Expert Information

6
PACKET ANALYSIS ON THE COMMAND LINE

Installing TShark

Installing tcpdump

Capturing and Saving Packets

Manipulating Output

Name Resolution

Applying Filters

Time Display Formats in TShark

Summary Statistics in TShark

Comparing TShark and tcpdump

7
NETWORK LAYER PROTOCOLS

Address Resolution Protocol (ARP)

ARP Packet Structure

Packet 1: ARP Request

Packet 2: ARP Response

Gratuitous ARP

Internet Protocol (IP)

Internet Protocol Version 4 (IPv4)

Internet Protocol Version 6 (IPv6)

Internet Control Message Protocol (ICMP)

ICMP Packet Structure

ICMP Types and Messages

Echo Requests and Responses

traceroute

ICMP Version 6 (ICMPv6)

8
TRANSPORT LAYER PROTOCOLS

Transmission Control Protocol (TCP)

TCP Packet Structure

TCP Ports

The TCP Three-Way Handshake

TCP Teardown

TCP Resets

User Datagram Protocol (UDP)

UDP Packet Structure

9
COMMON UPPER-LAYER PROTOCOLS

Dynamic Host Configuration Protocol (DHCP)

DHCP Packet Structure

The DHCP Initialization Process

DHCP In-Lease Renewal

DHCP Options and Message Types

DHCP Version 6 (DHCPv6)

Domain Name System (DNS)

DNS Packet Structure

A Simple DNS Query

DNS Question Types

DNS Recursion

DNS Zone Transfers

Hypertext Transfer Protocol (HTTP)

Browsing with HTTP

Posting Data with HTTP

Simple Mail Transfer Protocol (SMTP)

Sending and Receiving Email

Tracking an Email Message

Sending Attachments via SMTP

Final Thoughts

10
BASIC REAL-WORLD SCENARIOS

Missing Web Content

Tapping into the Wire

Analysis

Lessons Learned

Unresponsive Weather Service

Tapping into the Wire

Analysis

Lessons Learned

No Internet Access

Gateway Configuration Problems

Unwanted Redirection

Upstream Problems

Inconsistent Printer

Tapping into the Wire

Analysis

Lessons Learned

No Branch Office Connectivity

Tapping into the Wire

Analysis

Lessons Learned

Software Data Corruption

Tapping into the Wire

Analysis

Lessons Learned

Final Thoughts

11
FIGHTING A SLOW NETWORK

TCP Error-Recovery Features

TCP Retransmissions

TCP Duplicate Acknowledgments and Fast Retransmissions

TCP Flow Control

Adjusting the Window Size

Halting Data Flow with a Zero Window Notification

The TCP Sliding Window in Practice

Learning from TCP Error-Control and Flow-Control Packets

Locating the Source of High Latency

Normal Communications

Slow Communications: Wire Latency

Slow Communications: Client Latency

Slow Communications: Server Latency

Latency Locating Framework

Network Baselining

Site Baseline

Host Baseline

Application Baseline

Additional Notes on Baselines

Final Thoughts

12
PACKET ANALYSIS FOR SECURITY

Reconnaissance

SYN Scan

Operating System Fingerprinting

Traffic Manipulation

ARP Cache Poisoning

Session Hijacking

Malware

Operation Aurora

Remote-Access Trojan

Exploit Kit and Ransomware

Final Thoughts

13
WIRELESS PACKET ANALYSIS

Physical Considerations

Sniffing One Channel at a Time

Wireless Signal Interference

Detecting and Analyzing Signal Interference

Wireless Card Modes

Sniffing Wirelessly in Windows

Configuring AirPcap

Capturing Traffic with AirPcap

Sniffing Wirelessly in Linux

802.11 Packet Structure

Adding Wireless-Specific Columns to the Packet List Pane

Wireless-Specific Filters

Filtering Traffic for a Specific BSS ID

Filtering Specific Wireless Packet Types

Filtering a Specific Frequency

Saving a Wireless Profile

Wireless Security

Successful WEP Authentication

Failed WEP Authentication

Successful WPA Authentication

Failed WPA Authentication

Final Thoughts

A
FURTHER READING

Packet Analysis Tools

CloudShark

WireEdit

Cain & Abel

Scapy

TraceWrangler

Tcpreplay

NetworkMiner

CapTipper

ngrep

libpcap

Npcap

hping

Python

Packet Analysis Resources

Wireshark’s Home Page

Practical Packet Analysis Online Course

SANS’s Security Intrusion Detection In-Depth Course

Chris Sanders’s Blog

Brad Duncan’s Malware Traffic Analysis

IANA’s Website

W. Richard Stevens’s TCP/IP Illustrated Series

The TCP/IP Guide

B
NAVIGATING PACKETS

Packet Representation

Using Packet Diagrams

Navigating a Mystery Packet

Final Thoughts

INDEX
