Practical Packet Analysis Using Wireshark to Solve Real-World Network Problems


Post on 29-Nov-2015


  • It's easy to capture packets with Wireshark, the world's most popular network sniffer, whether off the wire or from the air. But how do you use those packets to understand what's happening on your network?

    With an expanded discussion of network protocols and 45 completely new scenarios, this extensively revised second edition of the best-selling Practical Packet Analysis will teach you how to make sense of your PCAP data. You'll find new sections on troubleshooting slow networks and packet analysis for security to help you better understand how modern exploits and malware behave at the packet level. Add to this a thorough introduction to the TCP/IP network stack and you're on your way to packet analysis proficiency.

    Learn how to:

    - Use packet analysis to identify and resolve common network problems like loss of connectivity, DNS issues, sluggish speeds, and malware infections
    - Build customized capture and display filters
    - Monitor your network in real time and tap live network communications
    - Graph traffic patterns to visualize the data flowing across your network
    - Use advanced Wireshark features to understand confusing captures
    - Build statistics and reports to help you better explain technical network information to non-techies

    DON'T JUST STARE AT CAPTURED PACKETS. ANALYZE THEM.

    Practical Packet Analysis is a must for any network technician, administrator, or engineer. Stop guessing and start troubleshooting the problems on your network.

    ABOUT THE AUTHOR

    Chris Sanders is a computer security consultant, author, and researcher. A SANS Mentor who holds several industry certifications, including CISSP, GCIA, GCIH, and GREM, he writes regularly for WindowSecurity.com and his blog, ChrisSanders.org. Sanders uses Wireshark daily for packet analysis. He lives in Charleston, South Carolina, where he works as a government defense contractor.

    Download the capture files used in this book from http://nostarch.com/packet2.htm

    SHELVE IN: NETWORKING/SECURITY

    $49.95 ($57.95 CDN)

    www.nostarch.com

    THE FINEST IN GEEK ENTERTAINMENT

    I LIE FLAT. This book uses a lay-flat binding that won't snap shut.

    All of the author's royalties from this book will be donated to the Rural Technology Fund (http://ruraltechfund.org).

    PRACTICAL PACKET ANALYSIS
    USING WIRESHARK TO SOLVE REAL-WORLD NETWORK PROBLEMS

    CHRIS SANDERS

    2ND EDITION

  • PRAISE FOR THE FIRST EDITION OF PRACTICAL PACKET ANALYSIS

    "An essential book if you are responsible for network administration on any level." (Linux Pro Magazine)

    "A wonderful, simple to use and well laid out guide." (ArsGeek.com)

    "If you need to get the basics of packet analysis down pat, this is a very good place to start." (StateOfSecurity.com)

    "Very informative and held up to the key word in its title, 'Practical.' It does a great job of giving readers what they need to know to do packet analysis and then jumps right in with vivid real life examples of what to do with Wireshark." (LinuxSecurity.com)

    "Are there unknown hosts chatting away with each other? Is my machine talking to strangers? You need a packet sniffer to really find the answers to these questions. Wireshark is one of the best tools to do this job and this book is one of the best ways to learn about that tool." (Free Software Magazine)

    "Perfect for the beginner to intermediate." (Daemon News)

  • PRACTICAL PACKET ANALYSIS, 2ND EDITION
    Using Wireshark to Solve Real-World Network Problems

    by Chris Sanders

    No Starch Press, San Francisco

  • PRACTICAL PACKET ANALYSIS, 2ND EDITION. Copyright 2011 by Chris Sanders.

    All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

    Printed in Canada

    15 14 13 12 11    1 2 3 4 5 6 7 8 9

    ISBN-10: 1-59327-266-9
    ISBN-13: 978-1-59327-266-1

    Publisher: William Pollock
    Production Editor: Alison Law
    Cover and Interior Design: Octopod Studios
    Developmental Editor: William Pollock
    Technical Reviewer: Tyler Reguly
    Copyeditor: Marilyn Smith
    Compositor: Susan Glinert Stevens
    Proofreader: Ward Webber
    Indexer: Nancy Guenther

    For information on book distributors or translations, please contact No Starch Press, Inc. directly:

    No Starch Press, Inc.
    38 Ringold Street, San Francisco, CA 94103
    phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com

    The Library of Congress has cataloged the first edition as follows:

    Sanders, Chris, 1986-
    Practical packet analysis : using Wireshark to solve real-world network problems / Chris Sanders.
    p. cm.
    ISBN-13: 978-1-59327-149-7
    ISBN-10: 1-59327-149-2
    1. Computer network protocols. 2. Packet switching (Data transmission) I. Title.
    TK5105.55.S265 2007
    004.6'6--dc22
    2007013453

    No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

    The information in this book is distributed on an "As Is" basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

  • This book, my life, and everything I will ever do is a direct result of faith given and faith received. This book is dedicated to God, my parents, and everyone who has ever shown faith in me.

    "I tell you the truth, if you have faith as small as a mustard seed, you can say to this mountain, 'Move from here to there' and it will move. Nothing will be impossible for you."

    Matthew 17:20

  • BRIEF CONTENTS

    Acknowledgments .... xv
    Introduction .... xvii
    Chapter 1: Packet Analysis and Network Basics .... 1
    Chapter 2: Tapping into the Wire .... 17
    Chapter 3: Introduction to Wireshark .... 35
    Chapter 4: Working with Captured Packets .... 47
    Chapter 5: Advanced Wireshark Features .... 67
    Chapter 6: Common Lower-Layer Protocols .... 85
    Chapter 7: Common Upper-Layer Protocols .... 113
    Chapter 8: Basic Real-World Scenarios .... 133
    Chapter 9: Fighting a Slow Network .... 165
    Chapter 10: Packet Analysis for Security .... 189
    Chapter 11: Wireless Packet Analysis .... 215
    Appendix: Further Reading .... 235
    Index .... 241

  • CONTENTS IN DETAIL

    ACKNOWLEDGMENTS .... xv

    INTRODUCTION .... xvii
    Why This Book? .... xvii
    Concepts and Approach .... xviii
    How to Use This Book .... xix
    About the Sample Capture Files .... xx
    The Rural Technology Fund .... xx
    Contacting Me .... xx

    1 PACKET ANALYSIS AND NETWORK BASICS .... 1
    Packet Analysis and Packet Sniffers .... 2
        Evaluating a Packet Sniffer .... 2
        How Packet Sniffers Work .... 3
    How Computers Communicate .... 4
        Protocols .... 4
        The Seven-Layer OSI Model .... 5
        Data Encapsulation .... 8
        Network Hardware .... 10
    Traffic Classifications .... 14
        Broadcast Traffic .... 14
        Multicast Traffic .... 15
        Unicast Traffic .... 15
    Final Thoughts .... 16

    2 TAPPING INTO THE WIRE .... 17
    Living Promiscuously .... 18
    Sniffing Around Hubs .... 19
    Sniffing in a Switched Environment .... 20
        Port Mirroring .... 21
        Hubbing Out .... 22
        Using a Tap .... 24
        ARP Cache Poisoning .... 26
    Sniffing in a Routed Environment .... 30
    Sniffer Placement in Practice .... 31

    3 INTRODUCTION TO WIRESHARK .... 35
    A Brief History of Wireshark .... 35
    The Benefits of Wireshark .... 36
    Installing Wireshark .... 37
        Installing on Microsoft Windows Systems .... 37
        Installing on Linux Systems .... 39
        Installing on Mac OS X Systems .... 40
    Wireshark Fundamentals .... 41
        Your First Packet Capture .... 41
        Wireshark's Main Window .... 42
        Wireshark Preferences .... 43
        Packet Color Coding .... 45

    4 WORKING WITH CAPTURED PACKETS .... 47
    Working with Capture Files .... 47
        Saving and Exporting Capture Files .... 48
        Merging Capture Files .... 49
    Working with Packets .... 49
        Finding Packets .... 50
        Marking Packets .... 51
        Printing Packets .... 51
    Setting Time Display Formats and References .... 52
        Time Display Formats .... 52
        Packet Time Referencing .... 52
    Setting Capture Options .... 53
        Capture Settings .... 53
        Capture File(s) Settings .... 54
        Stop Capture Settings .... 55
        Display Options .... 56
        Name Resolution Settings .... 56
    Using Filters .... 56
        Capture Filters .... 56
        Display Filters .... 62
        Saving Filters ....

    5 ADVANCED WIRESHARK FEATURES .... 67
    Network En...
        Vie...
        Vie...
        Tro...
    Protocol Hie...
    Name Reso...
        En...
        Po...
    Protocol Dis...
        Ch...
        Vie...
    Following TC...
    Packet Leng...
