Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Learn Wireshark
  • Toc
  • feedback
Learn Wireshark

Learn Wireshark

By : Lisa Bock
4.9 (7)
close
Learn Wireshark

Learn Wireshark

4.9 (7)
By: Lisa Bock

Overview of this book

Wireshark is a popular and powerful packet analysis tool that helps network administrators investigate latency issues and potential attacks. Over the years, there have been many enhancements to Wireshark’s functionality. This book will guide you through essential features so you can capture, display, and filter data with ease. In addition to this, you’ll gain valuable tips on lesser-known configuration options, which will allow you to complete your analysis in an environment customized to suit your needs. This updated second edition of Learn Wireshark starts by outlining the benefits of traffic analysis. You’ll discover the process of installing Wireshark and become more familiar with the interface. Next, you’ll focus on the Internet Suite and then explore deep packet analysis of common protocols such as DNS, DHCP, HTTP, and ARP. The book also guides you through working with the expert system to detect network latency issues, create I/O and stream graphs, subset traffic, and save and export captures. Finally, you’ll understand how to share captures using CloudShark, a browser-based solution for analyzing packet captures. By the end of this Wireshark book, you’ll have the skills and hands-on experience you need to conduct deep packet analysis of common protocols and network troubleshooting as well as identify security issues.
Table of Contents (28 chapters)
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Part 1 Traffic Capture Overview
Part 1 Traffic Capture Overview
Free Chapter
2
Chapter 1: Appreciating Traffic Analysis
chevron up
Chapter 1: Appreciating Traffic Analysis
Reviewing packet analysis
Recognizing who benefits from using packet analysis
Identifying where to use packet analysis
Outlining when to use packet analysis
Getting to know Wireshark
Summary
Questions
3
Chapter 2: Using Wireshark
Chapter 2: Using Wireshark
Examining the Wireshark interface
Understanding the phases of packet analysis
Using CLI tools with Wireshark
Summary
Questions
4
Chapter 3: Installing Wireshark
Chapter 3: Installing Wireshark
Discovering support for different OSes
Comparing different capture engines
Performing a standard Windows installation
Reviewing available resources
Summary
Questions
Further reading
5
Chapter 4: Exploring the Wireshark Interface
Chapter 4: Exploring the Wireshark Interface
Opening the Wireshark welcome screen
Exploring the File menu
Discovering the Edit menu
Exploring the View menu
Summary
Questions
6
Part 2 Getting Started with Wireshark
Part 2 Getting Started with Wireshark
7
Chapter 5: Tapping into the Data Stream
Chapter 5: Tapping into the Data Stream
Reviewing network architectures
Learning various capture methods
Tapping into the stream
Realizing the importance of baselining
Summary
Questions
8
Chapter 6: Personalizing the Interface
Chapter 6: Personalizing the Interface
Personalizing the layout
Creating a tailored configuration profile
Adjusting columns, font, and colors
Adding comments
Summary
Questions
9
Chapter 7: Using Display and Capture Filters
Chapter 7: Using Display and Capture Filters
Filtering network traffic
Comprehending display filters
Creating capture filters
Understanding the expression builder
Discovering shortcuts and handy filters
Summary
Questions
Further reading
10
Chapter 8: Outlining the OSI Model
Chapter 8: Outlining the OSI Model
An overview of the OSI model
Discovering the purpose of each layer, the protocols, and the PDUs
Exploring the encapsulation process
Demonstrating frame formation in Wireshark
Summary
Questions
11
Part 3 The Internet Suite TCP/IP
Part 3 The Internet Suite TCP/IP
12
Chapter 9: Decoding TCP and UDP
Chapter 9: Decoding TCP and UDP
Reviewing the transport layer
Describing TCP
Examining the 11-field TCP header
Understanding UDP
Discovering the four-field UDP header
Summary
Questions
Further reading
13
Chapter 10: Managing TCP Connections
Chapter 10: Managing TCP Connections
Dissecting the three-way handshake
Learning TCP options
Understanding TCP protocol preferences
Tearing down a connection
Summary
Questions
Further reading
14
Chapter 11: Analyzing IPv4 and IPv6
Chapter 11: Analyzing IPv4 and IPv6
Reviewing the network layer
Outlining IPv4
Exploring IPv6
Editing protocol preferences
Discovering tunneling protocols
Summary
Questions
Further reading
15
Chapter 12: Discovering ICMP
Chapter 12: Discovering ICMP
Understanding the purpose of ICMP
Dissecting ICMP and ICMPv6
Sending ICMP messages
Evaluating type and code values
Configuring firewall rules
Summary
Questions
Further reading
16
Part 4 Deep Packet Analysis of Common Protocols
Part 4 Deep Packet Analysis of Common Protocols
17
Chapter 13: Diving into DNS
Chapter 13: Diving into DNS
Recognizing the purpose of DNS
Comparing types and classes of RRs
Reviewing the DNS packet
Evaluating queries and responses
Summary
Questions
Further reading
18
Chapter 14: Examining DHCP
Chapter 14: Examining DHCP
Recognizing the purpose of DHCP
Stepping through the DORA process
Dissecting a DHCP header
Following a DHCP example
Summary
Questions
Further reading
19
Chapter 15: Decoding HTTP
Chapter 15: Decoding HTTP
Describing HTTP
Keeping track of the connection
Comparing request and response messages
Following an HTTP stream
Summary
Questions
Further reading
20
Chapter 16: Understanding ARP
Chapter 16: Understanding ARP
Understanding the role and purpose of ARP
Exploring ARP headers and fields
Examining different types of ARP
Comparing ARP attacks and defense methods
Summary
Questions
Further reading
21
Part 5 Working with Packet Captures
Part 5 Working with Packet Captures
22
Chapter 17: Determining Network Latency Issues
Chapter 17: Determining Network Latency Issues
Analyzing latency issues
Understanding coloring rules
Exploring the Intelligent Scrollbar
Discovering expert information
Summary
Questions
23
Chapter 18: Subsetting, Saving, and Exporting Captures
Chapter 18: Subsetting, Saving, and Exporting Captures
Discovering ways to subset traffic
Understanding options to save a file
Recognizing ways to export components
Identifying why and how to add comments
Summary
Questions
24
Chapter 19: Discovering I/O and Stream Graphs
Chapter 19: Discovering I/O and Stream Graphs
Discovering the Statistics menu
Creating I/O graphs
Comparing TCP stream graphs
Summary
Questions
25
Chapter 20: Using CloudShark for Packet Analysis
Chapter 20: Using CloudShark for Packet Analysis
Discovering CloudShark
Outlining the various filters and graphs
Evaluating the different analysis tools
Locating sample captures
Summary
Questions
Further reading
26
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Chapter 15
Chapter 16
Chapter 17
Chapter 18
Chapter 19
Chapter 20
Why subscribe?
27
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Identifying where to use packet analysis

To conduct an effective packet analysis, the first step is to get a good capture. There are many places in which to conduct packet analysis, including on a LAN, on a host, or in the real world. Let's start with using packet analysis on a LAN.

Analyzing traffic on a LAN

Today's networks are complex. An enterprise network provides connectivity, data applications, and services to the clients on the network, as shown in the following diagram:

Figure 1.7 – A LAN

Figure 1.7 – A LAN

Most LANs are heterogeneous, with various operating systems such as Windows, Linux, and macOS, along with a mixture of devices such as softphones, tablets, laptops, and mobile devices. Depending on the business requirements, the network might include wide area network connectivity along with telephony.

To effectively use packet analysis, placement is the key. Not all traffic is created equally. Depending on placement, you might only capture a portion of the total network traffic. If the packet sniffer is on a host or end device, then it will be able to see the traffic on the segment's collision domain. If the sniffer is mirroring all traffic on a backbone, then it will be able to see all the traffic.

In certain instances, you might need to perform packet analysis on an individual host, such as a PC, to only monitor traffic destined to that host. In other cases, you might need to gather traffic on a switch to see the traffic as it passes through the switch ports.

Sniffing network traffic

Packet analysis can be done on an individual host, within a switch, or in line with the traffic. The difference is as follows:

  • If the protocol analyzer is installed on a client device attached to a switch, then the view of network traffic is limited. While sniffing traffic on a single switch port, you will only see broadcasts, multicasts, and your own unicast traffic.
  • To see all the traffic on a switch, the network administrator can use port monitoring or Switched Port Analyzer (SPAN). In some cases, you may be able to monitor within the switch, as Wireshark is built into the Cisco Nexus 7000 series and many other devices.
  • Another option is to use a full-duplex tap in line with traffic. The tap makes a copy or mirror of the traffic, which is pulled into the device for analysis. If this option is used, then you might require a special adapter.

In addition to using packet analysis on a LAN or a host, packet analysis can be used in the real world to monitor traffic for threats.

Using packet analysis in the real world

Packet analysis is used in the real world in many forms. One example is the Department of Homeland Security (DHS) EINSTEIN system, which has an active role in federal government cybersecurity. The United States government is constantly at risk of many types of attacks, including DoS attacks, malware, unauthorized access, and active scanning and probing.

The EINSTEIN system actively monitors the traffic for threats. Its two main functions are as follows:

  • To observe and report possible cyber threats
  • To detect and block attacks from compromising federal agencies

The EINSTEIN system provides the situational awareness that is necessary to take a proactive approach against an active attack. The intelligence gathered helps agencies to defend against ongoing threats. 

As illustrated, packet analysis is effective in many locations. The following section provides guidance on what circumstances packet analysis will reap the most benefits under.

End of Section 4
Next Section
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete