Wireshark Essentials
By James H. Baxter
About this ebook
This book introduces the Wireshark network analyzer to IT professionals across multiple disciplines.
It starts off with the installation of Wireshark, before gradually taking you through your first packet capture, identifying and filtering out just the packets of interest, and saving them to a new file for later analysis. The subsequent chapters will build on this foundation by covering essential topics on the application of the right Wireshark features for analysis, network protocols essentials, troubleshooting, and analyzing performance issues. Finally, the book focuses on packet analysis for security tasks, command-line utilities, and tools that manage trace files.
Upon finishing this book, you will have successfully added strong Wireshark skills to your technical toolset and significantly increased your value as an IT professional.
Table of Contents
Wireshark Essentials
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Getting Acquainted with Wireshark
Installing Wireshark
Installing Wireshark on Windows
Installing Wireshark on Mac OS X
Installing Wireshark on Linux/Unix
Performing your first packet capture
Selecting a network interface
Performing a packet capture
Wireshark user interface essentials
Filtering out the noise
Applying a display filter
Saving the packet trace
Summary
2. Networking for Packet Analysts
The OSI model – why it matters
Understanding network protocols
The seven OSI layers
Layer 1 – the physical layer
Layer 2 – the data-link layer
Layer 3 – the network layer
Internet Protocol
Address Resolution Protocol
Layer 4 – the transport layer
User Datagram Protocol
Transmission Control Protocol
Layer 5 – the session layer
Layer 6 – the presentation layer
Layer 7 – the application layer
Encapsulation
IP networks and subnets
Switching and routing packets
Ethernet frames and switches
IP addresses and routers
WAN links
Wireless networking
Summary
3. Capturing All the Right Packets
Picking the best capture point
User location
Server location
Other capture locations
Mid-network captures
Both sides of specialized network devices
Test Access Ports and switch port mirroring
Test Access Port
Switch port mirroring
Capturing packets on high traffic rate links
Capturing interfaces, filters, and options
Selecting the correct network interface
Using capture filters
Configuring capture filters
Capture options
Capturing filenames and locations
Multiple file options
Ring buffer
Stop capture options
Display options
Name resolution options
Verifying a good capture
Saving the bulk capture file
Isolating conversations of interest
Using the Conversations window
The Ethernet tab
The TCP and UDP tabs
The WLAN tab
Wireshark display filters
The Display Filter window
The display filter syntax
Typing in a display filter
Display filters from a Conversations or Endpoints window
Filter Expression Buttons
Using the Expressions window button
Right-click menus on specific packet fields
Following TCP/UDP/SSL streams
Marking and ignoring packets
Saving the filtered traffic
Summary
4. Configuring Wireshark
Working with packet timestamps
How Wireshark saves timestamps
Wireshark time display options
Adding a time column
Conversation versus displayed packet time options
Choosing the best Wireshark time display option
Using the Time Reference option
Colorization and coloring rules
Packet colorization
Wireshark preferences
Wireshark profiles
Creating a Wireshark profile
Selecting a Wireshark profile
Summary
5. Network Protocols
The OSI and DARPA reference models
Network layer protocols
Wireshark IPv4 filters
Wireshark ARP filters
Internet Group Management Protocol
Wireshark IGMP filters
Internet Control Message Protocol
ICMP pings
ICMP traceroutes
ICMP control message types
ICMP redirects
Wireshark ICMP filters
Internet Protocol Version 6
IPv6 addressing
IPv6 address types
IPv6 header fields
IPv6 transition methods
Wireshark IPv6 filters
Internet Control Message Protocol Version 6
Multicast Listener Discovery
Wireshark ICMPv6 filters
Transport layer protocols
User Datagram Protocol
Wireshark UDP filters
Transmission Control Protocol
TCP flags
TCP options
Wireshark TCP filters
Application layer protocols
Dynamic Host Configuration Protocol
Wireshark DHCP filters
Dynamic Host Configuration Protocol Version 6
Wireshark DHCPv6 filters
Domain Name Service
Wireshark DNS filters
Hypertext Transfer Protocol
HTTP Methods
Host
Request Modifiers
Wireshark HTTP filters
Additional information
Wireshark wiki
Protocols on Wikipedia
Requests for Comments
Summary
6. Troubleshooting and Performance Analysis
Troubleshooting methodology
Gathering the right information
Establishing the general nature of the problem
Half-split troubleshooting and other logic
Troubleshooting connectivity issues
Enabling network interfaces
Confirming physical connectivity
Obtaining the workstation IP configuration
Obtaining MAC addresses
Obtaining network service IP addresses
Basic network connectivity
Connecting to the application services
Troubleshooting functional issues
Performance analysis methodology
Top five reasons for poor application performance
Preparing the tools and approach
Performing, verifying, and saving a good packet capture
Initial error analysis
Detecting and prioritizing delays
Server processing time events
Application turn's delay
Network path latency
Bandwidth congestion
Data transport
TCP StreamGraph
IO Graph
IO Graph – Wireshark 2.0
Summary
7. Packet Analysis for Security Tasks
Security analysis methodology
The importance of baselining
Security assessment tools
Identifying unacceptable or suspicious traffic
Scans and sweeps
ARP scans
ICMP ping sweeps
TCP port scans
UDP port scans
OS fingerprinting
Malformed packets
Phone home traffic
Password-cracking traffic
Unusual traffic
Summary
8. Command-line and Other Utilities
Wireshark command-line utilities
Capturing traffic with Dumpcap
Capturing traffic with Tshark
Editing trace files with Editcap
Merging trace files with Mergecap
Mergecap batch file
Other helpful tools
HttpWatch
SteelCentral Packet Analyzer Personal Edition
AirPcap adapters
Summary
Index
Wireshark Essentials
Copyright © 2014 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: October 2014
Production reference: 1211014
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78355-463-8
www.packtpub.com
Credits
Author
James H. Baxter
Reviewers
Sarath Lakshman
Bruno Vernay
Ms. Samia Yousif
Commissioning Editor
Pramila Balan
Acquisition Editor
Larissa Pinto
Content Development Editor
Sweny M. Sukumaran
Technical Editor
Shashank Desai
Copy Editor
Roshni Banerjee
Project Coordinator
Akash Poojary
Proofreaders
Simran Bhogal
Maria Gould
Ameesha Green
Paul Hindle
Indexers
Hemangini Bari
Rekha Nair
Graphics
Sheetal Aute
Abhinash Sahu
Production Coordinator
Nitesh Thakur
Cover Work
Nitesh Thakur
About the Author
James H. Baxter is the President and CEO of PacketIQ Inc., a company which specializes in network and application performance analysis and management, including development of advanced analysis frameworks and tools.
With over 30 years of experience in the IT industry, his diverse technical background includes electronics, RF, satellite, data/telecom, LAN/WAN and voice design, network management, speech technologies, and Java/.NET programming. For most of the last 20 years, he has been working specifically with network and application performance issues.
James is a Wireshark Certified Network Analyst (WCNA). He is a member of the IEEE, the Computer Measurement Group, and the Association for Computing Machinery, and he follows advancements in artificial intelligence.
James is also a private pilot who holds an amateur radio Extra class license. He is also a guitar player and an amateur astronomer. You can find out more about James and PacketIQ Inc. at www.packetiq.com.
About the Reviewers
Sarath Lakshman is a software engineer at Couchbase. He is a core developer for Couchbase MapReduce View Engine, and he works on storage and indexing problems at Couchbase. Before Couchbase, he worked at Zynga for over 2 years, building ZBase—a distributed storage platform that powered the entire social games infrastructure at Zynga. He was attracted to Linux in his teenage years, and he created a user-friendly Linux distribution called Slynux. He is also the author of Linux Shell Scripting Cookbook, Packt Publishing. He holds a Bachelor's degree in Computer Science from Model Engineering College, India. He is an open source software enthusiast and has contributed to various projects in the past. To find out more about Sarath, you can visit www.sarathlakshman.com.
Bruno Vernay has been working with all forms of web application design and development for the last 15 years—a bit of CSS/JavaScript and a lot of Java, SQL, Linux, and networking. He has also had the chance to work with Complex Event Processing, Rules Engines, and Geographic Information Systems. He has touched on large clusters as well as embedded devices and has been through various paradigms, from modeling via UML to Test- or Domain-Driven Development and Domain-Specific Languages. If he has time, he would like to work on Synthetic Biology and Biohacking. Now, he is focusing on IoT Security, enjoying the variety of systems and opportunities.
Ms. Samia Yousif holds Master's and Bachelor's degrees from the University of Bahrain, as well as CCNA, CCNP, and CCDA certifications from the Bahrain Training Institute and a Diploma in Quranic Culture (Mr. Tabatabai) from the Islamic Enlightenment Society. She has developed extensive knowledge and skills in various technical fields of Computer Science and IT. She has published conference papers and books, and has received the Research Award from Ahlia University and the e-Government Excellence Award (e-Education Award). She has delivered several IT workshops and attended many seminars. Samia has 10 years of teaching experience at the undergraduate level in Computer Science and IT. Furthermore, she has worked on the development of numerous systems and professional web applications using the most up-to-date web technologies. She is now Assistant Director of ICT at Ahlia University, Kingdom of Bahrain, and is planning to undertake a PhD program.
She has contributed to the book Computer Jobs & Certifications Choose & Improve Your IT Career, Dr. Mansoor Al-Aali, Lulu.com and also reviewed the book Packet Tracer Network Simulator, Jesin A, Packt Publishing. She has also written a lab manual, HTML Fundamental, for the Royal University for Women in October 2006 and AMA International University, Bahrain, in May 2006.
To find out more about her, visit her website http://samiayousif.hostoi.com.
www.PacktPub.com
Support files, eBooks, discount offers, and more
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
http://PacktLib.PacktPub.com
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Free access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.
Preface
Wireshark is perhaps the world's most popular network packet analyzer, used to troubleshoot and analyze network and application protocols across a wide variety of technologies. Wireshark is free, open source, and available for Windows, Mac OS X, Linux, and several Unix-like platforms, and it is continuously being improved and expanded by its original developer, Gerald Combs, and over 500 code contributors.
Wireshark has a rich feature set, including the ability to capture, save, and import packet files in a variety of formats. It provides an extensive filtering capability, detailed protocol information, statistics, and built-in analysis and packet coloring features to help you identify and analyze important events. This powerful analysis capability is available to anyone who is willing to invest a little time to learn Wireshark's basic features and how to interpret a relatively small set of core network and application protocols.
This book is designed to introduce Wireshark and essential packet analysis techniques not only to network engineers and administrators, but also to application developers, database designers and administrators, server administrators, and IT security professionals. It gives them the essential knowledge and practical examples needed to use Wireshark effectively, so that they can include packet-level analysis in their daily tasks.
Application developers can use Wireshark to view and understand how the routines in their code that make network calls translate into request/response packets, inspect how the application-related data fields within those packets are structured, and verify that these calls are efficient and work in the way that they are anticipated and intended.
Database designers and administrators can utilize the packet details provided by Wireshark to examine the queries and responses carried by packets and to check whether they are efficient. Are there a lot of small request/response cycles involved in a transactional query that could be replaced by fewer, more efficient requests to improve performance?
Server processing times can be a huge factor and point of contention in performance-related issues across almost all IT arenas. This book will show you how easy it is to use Wireshark to identify and measure server processing times at the packet level where there can be no disputing the evidence.
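The two preceding paragraphs ask two questions that a packet trace can answer directly: how many request/response cycles a transaction costs, and how long the server takes to answer each one. The script below is an added illustration, not code from the book or from the Wireshark project. It reads a classic libpcap (.pcap) file with nothing but the Python standard library and, for every TCP conversation to a chosen server port, pairs each request (the last client segment carrying data) with the first server segment carrying data; that interval is the server processing time, separate from network latency, and bare ACKs never close a cycle. The capture it analyses is constructed inline and everything in it is made up: hosts 10.0.0.5, 10.0.0.6 and 10.0.0.10, port 80, the HTTP text and the timestamps. On a real trace you would replace SAMPLE_PCAP with the bytes of a file saved from Wireshark or dumpcap in pcap (not pcapng) format.

```python
# Added example (not from the book): request/response cycles and server processing time
# from a classic libpcap (.pcap) file. SAMPLE_PCAP at the bottom is constructed, not real.
import struct

PCAP_MAGICS = {  # magic bytes -> (struct byte order, sub-second ticks per second)
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000), b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000), b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),
}

def parse_pcap(data):
    """Return [(timestamp_seconds, frame_bytes), ...] from a classic pcap buffer."""
    if data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian, ticks = PCAP_MAGICS[data[:4]]
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    off, records = 24, []
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        records.append((sec + frac / ticks, frame))
        off += 16 + incl_len
    return records

def decode_tcp(frame):
    """Addresses, ports and payload length of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:  # IP protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    data_off = (ip[ihl + 12] >> 4) * 4
    # Payload length comes from header arithmetic, so a frame cut short by the
    # capture snaplen still reports the true amount of data the segment carried.
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload_len": max(total_len - ihl - data_off, 0)}

def server_processing_times(records, server_port):
    """Per conversation, (request_ts, delay) for each cycle: last client data segment
    to first server data segment. Bare ACKs carry no data and never close a cycle.
    Assumes one outstanding request per connection (no HTTP pipelining)."""
    pending, results = {}, {}
    for ts, frame in records:
        pkt = decode_tcp(frame)
        if pkt is None or pkt["payload_len"] == 0:
            continue
        if pkt["dport"] == server_port:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            pending[key] = ts  # a multi-segment request keeps overwriting until the reply starts
        elif pkt["sport"] == server_port:
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if key in pending:  # only the first data segment of the reply closes the cycle
                req_ts = pending.pop(key)
                results.setdefault(key, []).append((req_ts, round(ts - req_ts, 6)))
    return results

def summarize(results):
    """Cycle count plus worst and total server delay per conversation."""
    out = {}
    for key, cycles in results.items():
        delays = [d for _, d in cycles]
        out[key] = {"cycles": len(delays), "max_delay": max(delays), "total_delay": round(sum(delays), 6)}
    return out

# ---- constructed sample capture (made-up hosts, ports, payloads and timestamps) ----
def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums stay zero since nothing above validates them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp + payload

def build_pcap(packets):
    """Little-endian, microsecond-resolution pcap from [(timestamp_seconds, frame), ...]."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

PSH_ACK, ACK = 0x18, 0x10
REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
SAMPLE_PCAP = build_pcap([
    (1.000, tcp_frame("10.0.0.5", "10.0.0.10", 40000, 80, PSH_ACK, REQ)),
    (1.010, tcp_frame("10.0.0.10", "10.0.0.5", 80, 40000, ACK)),            # bare ACK, not a reply
    (1.350, tcp_frame("10.0.0.10", "10.0.0.5", 80, 40000, PSH_ACK, RESP)),  # 350 ms server time
    (1.400, tcp_frame("10.0.0.5", "10.0.0.10", 40000, 80, PSH_ACK, REQ)),
    (1.410, tcp_frame("10.0.0.10", "10.0.0.5", 80, 40000, PSH_ACK, RESP)),  # 10 ms server time
    (2.000, tcp_frame("10.0.0.6", "10.0.0.10", 40001, 80, PSH_ACK, REQ)),
    (2.020, tcp_frame("10.0.0.10", "10.0.0.6", 80, 40001, PSH_ACK, RESP)),  # 20 ms server time
    (2.500, bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)),  # ARP, skipped
])

if __name__ == "__main__":
    for conv, s in summarize(server_processing_times(parse_pcap(SAMPLE_PCAP), 80)).items():
        print("%s:%d -> %s:%d" % conv, "cycles=%d max=%.3fs total=%.3fs" % (s["cycles"], s["max_delay"], s["total_delay"]))
```

The delta it reports is the same one you get in Wireshark by setting a time reference on the request packet and reading the time column on the first response packet that carries data; the script just does it for every cycle at once, which is how "lots of small request/response cycles" in a database or web transaction show up as a count rather than a hunch. Two limits are deliberate: pcapng (Wireshark's default save format) is rejected rather than misparsed, and protocols that keep several requests in flight on one connection (HTTP pipelining, HTTP/2, database drivers that batch) would need sequence-number tracking instead of the single pending request per conversation used here. Because only the presence of payload matters, the same measurement works unchanged on TLS-encrypted traffic.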
IT security professionals inherently utilize protocol-level parameters to configure firewalls and intrusion detection and prevention devices, but may lack the skills to confidently establish and verify these factors themselves—instead relying upon others for this critical input. The ability of a security professional to inspect packet captures to identify, characterize, and guard against malicious traffic is assumed, and a small investment of time with this book will open the door to mastering this essential skill.
Finally, network support personnel are called upon on an almost daily basis to troubleshoot strange connectivity or slow network issues. They need the visibility and evidence that packet-level analysis provides to not only defend their domain, but also to assist in identifying and resolving the real problem; that's usually the only way the heat gets permanently turned off. Good Wireshark skills are a must-have for these folks.
The focus of this book is to teach you how to become comfortable and proficient in using basic Wireshark skills within your respective domain. At first glance, looking at a screen full of packets of seemingly endless varieties and sources can be very intimidating, but it