Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems
Chris Sanders
Language: English
Pages: 280
ISBN: 1593272669
Format: PDF / Kindle (mobi) / ePub
It's easy to capture packets with Wireshark, the world's most popular network sniffer, whether off the wire or from the air. But how do you use those packets to understand what's happening on your network?
With an expanded discussion of network protocols and 45 completely new scenarios, this extensively revised second edition of the best-selling Practical Packet Analysis will teach you how to make sense of your PCAP data. You'll find new sections on troubleshooting slow networks and packet analysis for security to help you better understand how modern exploits and malware behave at the packet level. Add to this a thorough introduction to the TCP/IP network stack and you're on your way to packet analysis proficiency.
Learn how to:
- Use packet analysis to identify and resolve common network problems like loss of connectivity, DNS issues, sluggish speeds, and malware infections
- Build customized capture and display filters
- Monitor your network in real-time and tap live network communications
- Graph traffic patterns to visualize the data flowing across your network
- Use advanced Wireshark features to understand confusing captures
- Build statistics and reports to help you better explain technical network information to non-techies
Practical Packet Analysis is a must for any network technician, administrator, or engineer. Stop guessing and start troubleshooting the problems on your network.
hub, test it to make sure it really is a hub—if it is, it's a keeper! The best way to determine whether or not the device you are using is a true hub is to hook a pair of computers up to it and see if one can sniff the other's traffic. If so, you have a true hub in your possession. ARP Cache Poisoning Recall from Chapter 1 that the two main types of packet addressing are at Layers 2 and 3 of the OSI model. These Layer 2 addresses, or MAC addresses, are used in conjunction with whichever
or not you want to install WinPcap, make sure the box next to the words Install WinPcap is checked, and click Install (Figure 3-2). The installation process should begin. Figure 3-2. Selecting the option to install the WinPcap driver About halfway through the Wireshark installation, the WinPcap installation should start. When it does, click Next in the introductory window. Then read the licensing agreement and click I Agree if you do. WinPcap should install on your computer. Once it has
that is the case, the first thing you probably noticed when you opened Wireshark were the different colors of the packets in the Packet List pane (Figure 3-7). It may seem like these colors are randomly assigned to each individual packet, but this is not the case. * * * Note Whenever I refer to traffic, you can assume I am referring to all of the packets displayed in the Packet List pane. More specifically, when I refer to it in the context of DNS traffic, I am talking about all of the
that all packets are duplicated for all communications from Jeff's computer. * * * Figure 8-14. You aren't seeing double—every packet is repeated! There are two common causes for duplicate packets in a capture file: inconsistencies in routing and improperly configured port mirroring. Before we get down to the nitty gritty and try to determine the cause here, let's make sure the packets we are looking at are true duplicates of one another. One way to determine whether two packets are
interpret those responses to make an educated guess at the operating system the target computer is using. Knowing the operating system of a computer you wish to exploit allows you to quickly find exploits specific to that operating system. When you open osfingerprinting.pcap, you'll see several different types of ICMP traffic, as shown in Figure 9-1. Some of this traffic, like Echo (ping) request and Echo (ping) reply, are common and should not be cause for alarm. However, traffic like