39,59 €
This book contains practical recipes on troubleshooting a data communications network. This second version of the book focuses on Wireshark 2, which has already gained a lot of traction due to the enhanced features that it offers to users. The book expands on some of the subjects explored in the first version, including TCP performance, network security, Wireless LAN, and how to use Wireshark for cloud and virtual system monitoring. You will learn how to analyze end-to-end IPv4 and IPv6 connectivity failures for Unicast and Multicast traffic using Wireshark. It also includes Wireshark capture files so that you can practice what you’ve learned in the book. You will understand the normal operation of E-mail protocols and learn how to use Wireshark for basic analysis and troubleshooting. Using Wireshark, you will be able to resolve and troubleshoot common applications that are used in an enterprise network, like NetBIOS and SMB protocols. Finally, you will also be able to measure network parameters, check for network problems caused by them, and solve them effectively. By the end of this book, you’ll know how to analyze traffic, find patterns of various offending traffic, and secure your network from them.
Das E-Book können Sie in Legimi-Apps oder einer beliebigen App lesen, die das folgende Format unterstützen:
Seitenzahl: 535
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor:Vijin BorichaAcquisition Editor: Rahul NairContent Development Editor: Mayur PawanikarTechnical Editor: Dinesh PawarCopy Editor: Vikrant Phadkay, Safis EditingProject Coordinator: Nidhi JoshiProofreader: Safis EditingIndexer: Priyanka DhadkeGraphics: Tania DuttaProduction Coordinator: Arvindkumar Gupta
First published: December 2013 Second edition: March 2018
Production reference: 1280318
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-78646-167-4
www.packtpub.com
I would like to dedicate this book to my beloved friend, Suresh Kumar, and his late wife, Dharshana Suresh.
I would like to dedicate this book to my parents, Ramdoss and Bhavani, who have dedicated their life for my success.
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Nagendra Kumar Nainar (CCIE#20987) is a senior technical leader with RP escalation team in Cisco Systems. He is the co-inventor of more than 80 patent applications and the coauthor of six internet RFCs, various internet drafts and IEEE papers. He is a guest lecturer in North Carolina State University and a speaker in different network forums.
Yogesh Ramdoss (CCIE #16183) is a senior technical leader in the technical services organization of Cisco Systems. He is a distinguished speaker at CiscoLive, sharing knowledge and educating customers on enterprise/datacenter technologies and platforms, troubleshooting and packet capturing tools, and open network programmability. Co-inventor of patent in machine/behavior learning.
Yoram Orzach gained his bachelor's degree in science from the Technion in Haifa, Israel, and worked in Bezeq as a systems engineer in the fields of transmission and access networks. From being the technical manager at Netplus, he is now the CTO of NDI Communications. His experience is with corporate networks, service providers, and internet service provider's networks, and his client companies are Comverse, Motorola, Intel, Ceragon networks, Marvel, HP, and others. His experience is in design, implementation, troubleshooting as well as training for R&D, engineering, and IT groups.
Abayomi Adefila is a technical leader in services organization of Cisco systems. His array of accomplishments include B.Tech, M.Sc, CCNA, CCDA, CCNP, CCIP, CCDP, CCIE (R&S) along with MPLS L3 VPN, VRF, ISIS, IPv6, BGP4, MP-BGP, OSPFv2&3, RIPng, Eigrpv6, DS1, DS3, Metro-Ethernet, EEM, OER, advanced routing and switching on Cisco network gears, VPN concentrator, GRE, IPSec, Junipere, and so on. He has been awarded with MCI's outstanding performance ovation award at Verizon and Multiple CAP awards for outstanding performances at Cisco.
Jason Morris is a systems and research engineer with 18+ years of experience in system architecture, research engineering, and large data analysis.
He is a speaker and a consultant for designing large-scale architectures, best security practices on the cloud, near real-time image detection analytics with deep learning, and serverless architectures to aid in ETL. His most recent roles include solution architect, big data engineer, big data specialist, and instructor at Amazon Web Services. He is currently the chief technology officer of Next Rev Technologies.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Network Analysis Using Wireshark 2 Cookbook Second Edition
Dedication
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the authors
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Sections
Getting ready
How to do it...
How it works...
There's more...
See also
Get in touch
Reviews
Introduction to Wireshark Version 2
Wireshark Version 2 basics
Locating Wireshark
Getting ready
How to do it...
Monitoring a server
Monitoring a router
Monitoring a firewall
Test access points and hubs
How it works...
There's more...
See also
Capturing data on virtual machines
Getting ready
How to do it...
Packet capture on a VM installed on a single hardware
Packet capture on a blade server
How it works...
Standard and distributed vSwitch
See also
Starting the capture of data
Getting ready
How to do it...
Capture on multiple interfaces
How to configure the interface you capture data from
Capture data to multiple files
Configure output parameters
Manage interfaces (under the Input tab)
Capture packets on a remote machine
Start capturing data – capture data on Linux/Unix machines
Collecting from a remote communication device
How it works...
There's more...
See also
Configuring the start window
Getting ready
The main menu
The main toolbar
Display filter toolbar
Status bar
How to do it...
Toolbars configuration
Main window configuration
Name resolution
Colorize packet list
Zoom
Mastering Wireshark for Network Troubleshooting
Introduction
Configuring the user interface, and global and protocol preferences
Getting ready
How to do it...
General appearance preferences
Layout preferences
Column preferences
Font and color preferences
Capture preferences
Filter expression preferences
Name resolution preferences
IPv4 preference configuration
TCP and UDP configuration
How it works...
There's more...
Importing and exporting files
Getting ready
How to do it...
Exporting an entire or partial file
Saving data in various formats
Printing data
How it works...
There's more...
Configuring coloring rules and navigation techniques
Getting ready
How to do it...
How it works...
See also
Using time values and summaries
Getting ready
How to do it...
How it works...
Building profiles for troubleshooting
Getting ready
How to do it...
How it works...
There's more...
See also
Using Capture Filters
Introduction
Configuring capture filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring Ethernet filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring hosts and network filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring TCP/UDP and port filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring compound filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring byte offset and payload matching filters
Getting ready
How to do it...
How it works...
There's more...
See also
Using Display Filters
Introduction
Configuring display filters
Getting ready
How to do it...
How it works...
There's more...
Configuring Ethernet, ARP, host, and network filters
Getting ready
How to do it...
How it works...
See also
Configuring TCP/UDP filters
Getting ready
TCP and UDP port number display filters
TCP header filters
How to do it...
How it works...
There's more...
See also
Configuring specific protocol filters
Getting ready
How to do it...
HTTP display filters
DNS display filters
FTP display filters
How it works...
See also
Configuring substring operator filters
Getting ready
How to do it...
How it works...
Configuring macros
Getting ready
How to do it...
How it works...
Using Basic Statistics Tools
Introduction
Using the statistics – capture file properties menu
Getting ready
How to do it...
How it works...
There's more...
Using the statistics – resolved addresses
Getting ready
How to do it...
How it works...
There's more
Using the statistics – protocol hierarchy menu
Getting ready
How to do it...
How it works...
There's more...
Using the statistics – conversations menu
Getting ready
How to do it...
How it works...
There's more...
Using the statistics – endpoints menu
Getting ready
How to do it...
How it works...
There's more...
Using the statistics – HTTP menu
Getting ready
How to do it...
How it works...
There's more...
Configuring a flow graph for viewing TCP flows
Getting ready
How to do it...
How it works...
There's more...
Creating IP-based statistics
Getting ready
How to do it...
How it works...
There's more...
Using Advanced Statistics Tools
Introduction
Configuring I/O graphs with filters for measuring network performance issues
Getting ready
How to do it...
How it works...
There's more...
Throughput measurements with I/O graphs
Getting ready
How to do it...
Measuring download/upload traffic
Measuring several streams between two end devices
Measuring application throughput
Measuring a TCP stream with TCP event analysis
How it works...
There's more...
Advanced I/O graph configurations with y axis parameters
Getting ready
How to do it...
Monitoring inter-frame time delta statistics
Monitoring the number of TCP events in a stream
Monitoring the number of field appearances
How it works...
There's more...
Getting information through TCP stream graphs – time/sequence (Steven's) window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – time/sequences (TCP-trace) window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – throughput window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – round-trip-time window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – window-scaling window
Getting ready
How to do it...
How it works...
There's more...
Using the Expert System
Introduction
The expert system window and how to use it for network troubleshooting
Getting ready
How to do it...
How it works...
There's more...
See also
Error events and what we can understand from them
Getting ready
How to do it...
How it works...
There's more...
See also
Warning events and what we can understand from them
Getting ready
How to do it...
How it works...
There's more...
See also
Note events and what we can understand from them
Getting ready
How to do it...
How it works...
There's more...
See also
Ethernet and LAN Switching
Introduction
Discovering broadcast and error storms
Getting ready
How to do it...
Spanning tree problems
A device that generates broadcasts
Fixed pattern broadcasts
How it works...
There's more...
See also
Analyzing spanning tree problems
Getting ready
How to do it...
Which STP version is running on the network?
Are there too many topology changes?
How it works...
Port states
There's more...
Analyzing VLANs and VLAN tagging issues
Getting ready
How to do it...
Monitoring traffic inside a VLAN
Viewing tagged frames going through a VLAN tagged port
How it works...
There's more...
See also
Wireless LAN
Skills learned
Introduction to wireless networks and standards
Understanding WLAN devices, protocols, and terminologies
Access point (AP)
Wireless LAN controller (WLC)
Wireless radio issues, analysis, and troubleshooting
Getting ready
How to do it...
Zero wireless connectivity
Poor or intermittent wireless connectivity
Capturing wireless LAN traffic
Capturing options
Getting ready
How to do it...
Wireless station not joining a specific SSID
Users not able to authenticate after successful association
There's more...
Network Layer Protocols and Operations
Introduction
The IPv4 principles of operations
IP addressing
IPv4 address resolution protocol operation and troubleshooting
Getting ready
How to do it...
ARP attacks and mitigations
ARP poisoning and man-in-the-middle attacks
Gratuitous ARP
ARP sweep-based DoS attacks
How it works...
ICMP – protocol operation, analysis, and troubleshooting
Getting ready
How to do it...
ICMP attacks and mitigations
ICMP flood attack
ICMP smurf attack
How it works...
Analyzing IPv4 unicast routing operations
Getting ready
How it works...
IP TTL failures and attacks
Duplicate IP addresses
Analyzing IP fragmentation failures
TCP path MTU discovery
How to do it...
Fragmentation-based attack
How it works...
IPv4 multicast routing operations
How it works...
There's more...
IPv6 principle of operations
IPv6 addressing
IPv6 extension headers
IPv6 extension headers and attacks
Getting ready
How to do it...
IPv6 fragmentation
How it works...
ICMPv6 – protocol operations, analysis, and troubleshooting
Getting ready
How to do it...
IPv6 auto configuration
Getting ready
How to do it...
How it works...
DHCPv6-based address assignment
Getting ready
How to do it...
How it works...
IPv6 neighbor discovery protocol operation and analysis
How to do it...
IPv6 duplicate address detection
How it works...
Transport Layer Protocol Analysis
Introduction
UDP principle of operation
UDP protocol analysis and troubleshooting
Getting ready
How to do it...
TCP principle of operation
Troubleshooting TCP connectivity problems
Getting ready
How to do it...
How it works...
There's more...
Troubleshooting TCP retransmission issues
Getting ready
How to do it...
Case 1 – retransmissions to many destinations
Case 2 – retransmissions on a single connection
Case 3 – retransmission patterns
Case 4 – retransmission due to a non-responsive application
Case 5 - retransmission due to delayed variations
Finding out what it is
How it works...
Regular operation of the TCP sequence/acknowledge mechanism
What are TCP retransmissions and what do they cause?
There's more...
See also
TCP sliding window mechanism
Getting ready
How to do it...
How it works...
TCP enhancements – selective ACK and timestamps
Getting ready
How to do it...
TCP selective acknowledgement option
TCP timestamp option
How it works...
TCP selective acknowledgement
TCP timestamp
There's more...
Troubleshooting TCP throughput
Getting ready
How to do it...
How it works...
FTP, HTTP/1, and HTTP/2
Introduction
Analyzing FTP problems
Getting ready
How to do it...
How it works...
There's more...
Filtering HTTP traffic
Getting ready
How to do it...
How it works...
HTTP methods
Status codes
There's more...
Configuring HTTP preferences
Getting ready
How to do it...
Custom HTTP headers fields
How it works...
There's more...
Analyzing HTTP problems
Getting ready
How to do it...
How it works...
There's more...
Exporting HTTP objects
Getting ready
How to do it...
How it works...
There's more...
HTTP flow analysis
Getting ready
How to do it...
How it works...
There's more...
Analyzing HTTPS traffic – SSL/TLS basics
Getting ready
How to do it...
How it works...
There's more...
DNS Protocol Analysis
Introduction
Analyzing DNS record types
Getting ready
How to do it...
How it works...
SOA record
A resource record
AAAA resource record
CNAME resource record
There's more...
Analyzing regular DNS operations
Getting ready
How to do it...
How it works...
DNS server assignment
DNS operation
DNS namespace
The resolving process
There's more...
Analyzing DNSSEC regular operations
Getting ready
How to do it...
How it works...
There's more...
Troubleshooting DNS performance
Getting ready
How to do it...
How it works...
There's more...
Analyzing Mail Protocols
Introduction
Normal operation of mail protocols
Getting ready
How to do it...
POP3 communications
IMAP communications
SMTP communications
How it works...
POP3
IMAP
SMTP
There's more...
SSL decryption in Wireshark
Analyzing POP, IMAP, and SMTP problems
Getting ready
How to do it...
How it works...
Filtering and analyzing different error codes
Getting ready
How to do it...
SMTP
IMAP
POP3
How it works...
There's more...
IMAP response code (RFC 5530)
POP3 response code (RFC 2449)
SMTP and SMTP error codes (RFC 3463)
Malicious and spam email analysis
Getting ready
How to do it...
How it works...
NetBIOS and SMB Protocol Analysis
Introduction
Understanding the NetBIOS protocol
Understanding the SMB protocol
How it works...
Analyzing problems in the NetBIOS/SMB protocols
Getting ready
How to do it...
General tests
Specific issues
There's more...
Example 1 – application freezing
Example 2 – broadcast storm caused by SMB
Analyzing the database traffic and common problems
Getting ready
How to do it...
How it works...
There's more...
Exporting SMB objects
Getting ready
How to do it...
How it works...
Analyzing Enterprise Applications' Behavior
Introduction
Finding out what is running over your network
Getting ready
How to do it...
There's more...
Analyzing Microsoft Terminal Server and Citrix communications problems
Getting ready
How to do it...
How it works...
There's more...
Analyzing the database traffic and common problems
Getting ready
How to do it...
How it works...
There's more...
Analyzing SNMP
Getting ready
How to do it...
Polling a managed device with a wrong SNMP version
Polling a managed device with a wrong MIB object ID (OID)
How it works...
There's more...
Troubleshooting SIP, Multimedia, and IP Telephony
Introduction
IP telephony principle and normal operation
Getting ready
How to do it...
RTP operation
RTCP operation
How it works...
RTP principles of operation
The RTCP principle of operation
SIP principle of operation, messages, and error codes
Getting ready
How to do it...
How it works...
1xx codes – provisional/informational
2xx codes – success
3xx codes – redirection
4xx codes – client error
5xx codes – server error
6xx codes – global failure
Video over IP and RTSP
Getting ready
How to do it...
How it works...
There's more...
Wireshark features for RTP stream analysis and filtering
Getting ready
How to do it...
How it works...
Wireshark feature for VoIP call replay
Getting ready
How to do it...
How it works...
There's more...
Troubleshooting Bandwidth and Delay Issues
Introduction
Measuring network bandwidth and application traffic
Getting ready
How to do it...
How it works...
There's more...
Measurement of jitter and delay using Wireshark
Getting ready
How to do it...
How it works...
There's more...
Analyzing network bottlenecks, issues, and troubleshooting
Getting ready
How to do it...
How it works...
There's more...
Security and Network Forensics
Introduction
Discovering unusual traffic patterns
Getting ready
How to do it...
How it works...
There's more...
See also
Discovering MAC-based and ARP-based attacks
Getting ready
How to do it...
How it works...
There's more...
Discovering ICMP and TCP SYN/port scans
Getting ready
How to do it...
How it works...
There's more...
See also
Discovering DoS and DDoS attacks
Getting ready
How to do it...
How it works...
There's more...
Locating smart TCP attacks
Getting ready
How to do it
How it works...
There's more...
See also
Discovering brute force and application attacks
Getting ready
How to do it...
How it works...
There's more...
Wireshark has long since become the market standard for network analysis, and with the growth of the internet and TCP/IP-based networks, it became very popular for network analysis and troubleshooting, as well as for R&D engineering, to understand what is actually running over the network and what problems we face.
This book contains practical recipes on troubleshooting a data communications network. This second edition of the book focuses on Wireshark 2, which has already gained a lot of traction due to the enhanced features that it offers. The book expands on some of the subjects explored in the first edition, including TCP performance, network security, Wireless LANs, and how to use Wireshark for cloud and virtual system monitoring. You will learn how to analyze end-to-end IPv4 and IPv6 connectivity failures for unicast and multicast traffic using Wireshark. The book also includes Wireshark capture files so that you can practice what you've learned. You will understand the normal operation of email protocols and learn how to use Wireshark for basic analysis and troubleshooting. Using Wireshark, you will be able to troubleshoot common applications that are used in an enterprise network, such as NetBIOS and SMB protocols. Finally, you will also be able to measure network parameters, check for network problems caused by them, and solve them effectively. By the end of this book, you’ll know how to analyze traffic, how to find patterns of various offending traffic, and how to secure your network from them.
As the name of the book implies, this is a cookbook. It is a list of effective, targeted recipes on how to analyze networks. Every recipe targets a specific issue, how to use Wireshark for it, where to look for it, what to look for, and how to find the cause of the issue. To complete the picture, every recipe provides the theoretical foundations of the subject, in order to give the reader the required theoretical background.
You will see many examples in the book, and all of them are real-world cases. Some of them took me minutes to solve, some hours, and some took many days. But there is one process common to all of them: work systematically, use the proper tools, try to get inside the head of the application writer, and, as someone told me once, try to think like the network. Do this, use Wireshark, and you will get results. The purpose of this book is to try and get you there. Have fun!
This book is for security professionals, network administrators, R&D, engineering and technical support, and communication managers who use Wireshark for network analysis and troubleshooting. It requires a basic understanding of networking concepts but does not require specific and detailed technical knowledge of protocols or vendor implementations.
Chapter 1,Introduction to Wireshark Version 2, covers basic tasks related to Wireshark.
Chapter 2,Mastering Wireshark for Network Troubleshooting, covers issues that improve the use of Wireshark as a network analysis tool.
Chapter 3,Using Capture Filters, talks about capture filters.
Chapter 4,Using Display Filters, shows how to work with display filters.
Chapter 5,Using Basic Statistics Tools, looks at simple tools that provide us with basic network statistics.
Chapter 6,Using Advanced Statistics Tools, covers advanced statistical tools—I/O graphs, TCP stream graphs, and, in brief, UDP multicast streams.
Chapter 7,Using the Expert System, teaches you how to use the expert system, a tool that provides deeper analysis of network phenomena, including events and problems.
Chapter 8,Ethernet and LAN Switching, focuses on how to find and resolve layer 2-based problems, with a focus on Ethernet-based issues such as broadcast/multicast events, errors, and finding their source.
Chapter 9,Wireless LAN, analyzes wireless LAN traffic and diagnoses connectivity and performance problems reported by users.
Chapter 10,Network Layer Protocols and Operations, primarily focuses on layer 3 of the OSI reference model and shows how to analyze the layer 3 protocol (IPv4/IPv6) operations. We also cover unicast and multicast traffic flow analysis.
Chapter 11,Transport Layer Protocol Analysis, primarily focuses on the transport layer of the OSI reference model, but also teaches you how to analyze various layer 4 protocol (TCP/UDP/SCTP) operations.
Chapter 12,FTP, HTTP/1, and HTTP/2, discusses these protocols, how they work, and how to use Wireshark to find common errors and problems in the network.
Chapter 13, DNS Protocol Analysis, covers the basic principles of the DNS protocol, the functionality, commonly faced issues, and the use of Wireshark to analyze and troubleshoot the protocol.
Chapter 14,Analyzing Mail Protocols, looks at the normal operation of email protocols and how to use Wireshark for basic analysis and troubleshooting.
Chapter 15,NetBIOS and SMB Protocol Analysis, teaches you how to use Wireshark to resolve and troubleshoot common applications that are used in an enterprise network, such as NetBIOS and SMB protocols.
Chapter 16,Analyzing Enterprise Applications' Behavior, explains how to use Wireshark to resolve and troubleshoot common applications that are used in an enterprise network.
Chapter 17,Troubleshooting SIP, Multimedia, and IP Telephony, discusses different protocols and how to analyze audio and video streams using Wireshark.
Chapter 18,Troubleshooting Bandwidth and Delay Issues, teaches you how to measure these network parameters, check for network problems caused by them, and solve these when possible.
Chapter 19,Security and Network Forensics, starts by differentiating between normal and unusual network traffic. Then, the chapter introduces the various types of attacks, where they come from, and how to isolate and solve them.
You will need to install the Wireshark software. It can be downloaded from www.wireshark.org.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/NetworkAnalysisUsingWireshark2CookbookSecondEdition_ColorImages.pdf.
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Add the string tcp.window_sizeto view the TCP window size."
A block of code is set as follows:
tcp[Offset:Bytes] //Orudp[Offset:Bytes]
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "When you go to the configuration menu and choose Networking."
In this book, you will find several headings that appear frequently (Getting ready, How to do it..., How it works..., There's more..., and See also).
To give clear instructions on how to complete a recipe, use these sections as follows:
This section tells you what to expect in the recipe and describes how to set up any software or any preliminary settings required for the recipe.
This section contains the steps required to follow the recipe.
This section usually consists of a detailed explanation of what happened in the previous section.
This section consists of additional information about the recipe in order to make you more knowledgeable about the recipe.
This section provides helpful links to other useful information for the recipe.
Feedback from our readers is always welcome.
General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packtpub.com.
In this chapter, you will learn about:
Wireshark version 2 basics
Locating Wireshark
Capturing data on virtual machines and on the cloud
Starting the capture of data
Configuring the start window
Saving, printing, and exporting data
In this chapter, we will cover the basic tasks related to Wireshark. In the Preface of this book, we talked a little bit about network troubleshooting, and we saw various tools that can help us in the process. After we reached the conclusion that we need to use the Wireshark protocol analyzer, it's time to locate it for testing in the network, configure it with basic configurations, and adapt it to be friendly.
While setting Wireshark for basic data capture is considered to be very simple and intuitive, there are many options that we can use in special cases; for example, when we capture data continuously over a connection and we want to split the capture file into small files, when we want to see names of devices participating in the connection and not only IP addresses, and so on. In this chapter, we will learn how to configure Wireshark for these special cases.
After this short introduction to Wireshark version 2, we present in this chapter several recipes to describe how to locate and start to work with the software.
The first recipe in this chapter is Locating Wireshark; it describes how and where to locate Wireshark for capturing data. Will it be on a server? On a switch port? Before a firewall? After it? On which side of the router should we connect it, the LAN side or on the WAN side? What should we expect to receive in each one of them? The first recipe describes this issue, along with recommendations on how to do it.
The next recipe is about an issue that has become very important in the last few years, and that is the recipe Capturing data on virtual machines that describes practical aspects of how to install and configure Wireshark in order to monitor virtual machines that have been used by the majority of servers in the last several years.
Another issue that has come up in recent years is how to monitor virtual machines that are stored in the cloud. In the Capture data on the cloud recipe,we have several issues to discuss, among them how to decrypt the data that in most of the cases is encrypted between you and the cloud, how to use analysis tools available on the cloud and also which tools are available from major cloud vendors like Amazon AWS, Microsoft Azure, and others.
The next recipe in this chapter is Starting the Capture of data, which is actually how to start working with the software, and configuring, printing and exporting data. We talk about file manipulations, that is, how to save the captured data whether we want to save the whole of it, part of it, or only filtered data. We export that data into various formats, merge files (for example, when you want to merge captured files on two different router interfaces), and so on.
The first step after understanding the problem and deciding to use Wireshark is the decision on where to locate it. For this purpose, we need to have a precise network illustration (at least the part of the network that is relevant to our test) and locate Wireshark.
The principle is basically to locate the device that you want to monitor, connect your laptop to the same switch that it is connected to, and configure a port mirror or in Cisco it is called a port monitor or Switched Port Analyzer (SPAN to the monitored device. This operation enables you to see all traffic coming in and out of the monitored device. This is the simplest case.
You can monitor a LAN port, WAN port, server or router port, or any other device connected to the network.
In the example presented in this diagram, the Wireshark software is installed on the laptop on the left and a server S2 that we want to monitor:
In the simplest case, we configure the port mirror in the direction as in the diagram; that will monitor all traffic coming in and out of server S2. Of course, we can also install Wireshark directly on the server itself, and by doing so we will be able to watch the traffic directly on the server.
Some LAN switch vendors also enable other features, such as:
Monitoring a whole VLAN
: We can monitor a server's VLAN, telephony VLAN, and so on. In this case, you will see all traffic on a specific VLAN.
Monitoring several ports to a single analyzer
: We can monitor traffic on servers
S1
and
S2
together.
Filtering
: Filtering consists of configuring whether to monitor incoming traffic, outgoing traffic, or bo
th.
To start working with Wireshark, go to the Wireshark website and download the latest version of the tool.
An updated version of Wireshark can be found on the website http://www.wireshark.org/; choose Download. This brings you the Download Wireshark page. Download the latest Wireshark Version 2.X.X stable release that is available at https://www.wireshark.org/#download.
Each Wireshark Windows package comes with the latest stable release of WinPcap, which is required for live packet capture. The WinPcap driver is a Windows version of the UNIX libpcap library for traffic capture.
During the installation, you will get the package's installation window, presented in the following screenshot:
Usually in these setup windows, we simply check all and install. In this case, we have some interesting things:
Wireshark
: This is the Wireshark version 2 software.
TSark
: A command-line protocol analyzer.
Wireshark 1
: The good old Wireshark version 1. When you check this, the legacy Wireshark version 1 will be also installed. Personally, I prefer to install it for the next several versions, so if something doesn't work with Wireshark version 2 or you don't know how to work with it, you always have the good old version available.
Plugins & Extensions
:
Dissector Plugins
: Plugins with some extended dissections
Tree Statistics Plugins
: Extended statistics
Mate: Meta-Analysis and Tracing Engine
: User-configurable extension(s) of the display filter engine
SNMP MIBs
: For a more detailed SNMP dissection
Tools
:
Editcap
: Reads a capture file and writes some or all of the packets into another capture file
Text2Pcap
: Reads in an ASCII hex dump and writes the data into a pcap capture file
Reordercap
: Reords a capture file by timestamp
Mergecap
: Combines multiple saved capture files into a single output file
Capinfos
: Provides information on capture files
Rawshark
: Raw packet filter
Let's take a look at the typical network architecture, the network devices, how they work, how to configure them when required, and where to locate Wireshark:
Let's have a look at the simple and common network architecture in the preceding diagram.
This is one of the most common requirements that we have. It can be done by configuring the port monitor to the server (numbered 1 in the preceding diagram) or installing Wireshark on the server itself.
In order to monitor a router, we can use the following:
Case 1: Monitoring the switch port that the router is connected to:
In this case, numbered
2
in the previous drawing, we connect our laptop to the switch that the router is connected to
On the switch, configure the port mirror from the port that the router is connected to, to the port that the laptop is connected to
Case 2: Router with a switch module
In this case, numbered
5
and
6
in the previous diagram, we have a switch module on the router (for example,
Cisco EtherSwitch®
or
HWIC
modules), we can use it the same way as a standard switch (numbered
5
for the LAN port and 6 for the WAN port, in the previous diagram)
In this case, you will be able to monitor only those ports that are connected to the switch module
Case 3: Router without switch module
In this case you can connect a switch between the router port and the
Service Provider
(
SP
) network, and configure the port monitor on this switch, as in the following diagram:
In this case, configure the port monitor from the port the router is connected to, to the port your laptop is connected to.
Case 4: Router with embedded packet capture
In routers from recent years, you will have also an option for integrated packet capture in the router itself. This is the case, for example, in Cisco IOS Release 12.4(20)T or later, Cisco IOS-XE Release 15.2(4)S-3.7.0 or later, and also from SRX/J-Series routers from Juniper, Stealhead from Riverbed, and many other brands.
When monitoring a router, don't forget this: it might happen that not all packets coming in to a router will be forwarded out! Some packets can be lost, dropped on the router buffers, or routed back on the same port that they came in from, and there are, of course, broadcasts that are not forwarded by the router.
When monitoring a firewall, it is, of course, different whether you monitor the internal port (numbered 1 in the following diagram) or the external port (numbered 2 in the following diagram):
On the internal port, you will see all the internal addresses and all traffic initiated by the users working in the internal network, while on the external port, you will see the external addresses that we go out with (translated by NAT from the internal addresses), and you will not see requests from the internal network that were blocked by the firewall. If someone is attacking the firewall from the internet, you will see it (hopefully) only on the external port.
Two additional devices that you can use are TAPs and Hubs:
Test Access Point (TAPs): Instead of connecting a switch to the link you wish to monitor, you can connect a device called a TAP, a simple three-port device that, in this case, will play the same role as the switch. The advantage of a TAP over a switch is the simplicity and price. TAPs also forward errors that can be monitored on Wireshark, unlike a LAN switch that drops them. Switches, on the other hand, are much more expensive, take a few minutes to configure, but provide you with additional monitoring capabilities, for example, SNMP. When you troubleshoot a network, it is better to have an available managed LAN switch, even a simple one, for this purpose.
Hubs: You can simply connect a hub in parallel to the link you want to monitor, and since a hub is a half-duplex device, every packet sent between the router and the SP device will be watched on your Wireshark. The biggest con of this method is that the hub itself slows the traffic, and therefore it influences the test. In many cases, you also want to monitor 1 Gbps ports, and since there is no hub available for this, you will have to reduce the speed to 100 Mbps that again will influence the traffic. Therefore, hubs are not commonly used for this purpose.
For understanding how the port monitor works, it is first important to understand the way that a LAN switch works. A LAN switch forwards packets in the following way:
The LAN switch continuously learns the MAC addresses of the devices connected to it
Now, if a packet is sent to a destination MAC, it will be forwarded only to the physical port that the switch has learned that this MAC address is coming from
If a broadcast is sent, it will be forwarded to all ports of the switch
If a multicast is sent, and CGMP or IGMP is disabled, it will be forwarded to all ports of the switch (CGMP and IGMP are protocols that enable multicast packets to be forwarded only to devices on a specific multicast group)
If a packet is sent to a MAC address that the switch has not learned (which is a very rare case), it will be forwarded to all ports of the switch
In the following diagram, you see an example for how a layer 2-based network operates. Every device connected to the network sends periodic broadcasts. It can be ARP requests, NetBIOS advertisements, and others. The moment a broadcast is sent, it is forwarded through the entire layer 2 network (dashed arrows in the drawing). In the example, all switches learn the MAC address M1 on the port they have received it from.
Now, when PC2 wants to send a frame to PC1, it sends the frame to the switch that it is connected to, SW5. SW5 has learned the MAC address M1 on the fifth port to the left, and that is where the frame is forwarded. In the same way, every switch forwards the frame to the port it has learned it from, and finally it is forwarded to PC1.
Therefore, when you configure a port monitor to a specific port, you will see all traffic coming in and out of it. If you connect your laptop to the network, without configuring anything, you will see only traffic coming in and out of your laptop, along with broadcasts and multicasts from the network.
There are some tricky scenarios when capturing data that you should be aware of.
Monitoring a VLAN—when monitoring a VLAN, you should be aware of several important issues. The first issue is that even when you monitor a VLAN, the packet must physically be transferred through the switch you are connected to in order to see it. If, for example, you monitor VLAN-10 that is configured across the network, and you are connected to your floor switch, you will not see traffic that goes from other switches to the servers on the central switch. This is because in building networks, the users are usually connected to floor switches, in single or multiple locations in the floor, that are connected to the building central switch (or two redundant switches). For monitoring all traffic on a VLAN, you have to connect to a switch on which all traffic of the VLAN goes through, and this is usually the central switch:
In the preceding diagram, if you connect Wireshark to Switch SW2, and configure a monitor to VLAN30, you will see all packets coming in and out of P2, P4, and P5, inside or outside the switch. You will not see packets transferred between devices on SW3, SW1, or packets between SW1 and SW3.
Another issue when monitoring a VLAN is that you might see duplicate packets. This is because when you monitor a VLAN and packets are going in and out of the VLAN, you will see the same packet when it is coming in and going out of the VLAN.
You can see the reason in the following illustration. When, for example, S4 sends a packet to S2 and you configure the port mirror to VLAN30, you will see the packet once sent from S4 to the switch and entering the VLAN30, and then when leaving VLAN30 to S2:
For information on how to configure the port mirror, refer to the vendor's instructions. It can be called port monitor, port mirror, or SPAN from Cisco.
There are also advanced features such as remote monitoring, when you monitor a port that is not directly connected to your switch, advanced filtering (such as filtering specific MAC addresses), and so on. There are also advanced switches that have capture and analysis capabilities on the switch itself. It is also possible to monitor virtual ports (for example, a LAG or EtherChannel groups). For all cases, and other cases described in this recipe, refer to the vendor's specifications.
For vendor information you can look, for example, at these links:
Cisco IOS SPAN (for catalyst switches):
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html
Cisco IOS Embedded Packet Capture feature:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-embedded-packet-capture/datasheet_c78-502727.html
Check point Packet Sniffer feature:
https://www.checkpoint.com/smb/help/utm1/8.2/2002.htm
Fortinet FortiOS packet sniffer:
http://kb.fortinet.com/kb/viewContent.do?externalId=11186
In the last few years, a significant amount of servers are moving to virtual environments—that is a large amount of servers on a single hardware device.
First, to put some order in the terms. There are two major terms to remember in the virtual world:
A virtual machine is an emulation of a computer system that is installed on single or multiple hardware platforms. A virtual machine is mostly used in the context of virtual servers. The major platforms used for server virtualization are
VMware ESX
,
Microsoft Hyper-V
, or
Citrix XenServer.
A Blade server is a cage that holds inside server cards and LAN switches to connect them to the world.
In this section, we will look at each one of these components and see how to monitor each one of them.
Let's see how to do it.
A single hardware with virtual machines is illustrated in the following diagram:
As you see in the preceding diagram, we have the applications that run on the operating systems (guest OS in the drawing). Several guest OSs are running on the virtualization software that runs on the hardware platform.
As mentioned earlier in this chapter, in order to capture packets we have two possibilities: to install Wireshark on the device that we want to monitor, or to configure port mirror to the LAN switch to which the Network Interface Card (NIC) is connected.
For this reason, in the case of a virtual platform on a single hardware, we have the following possibilities:
Install Wireshark on the specific server that you want to monitor, and start capturing packets on the server itself.
Connect your laptop to the switch
8
, and configure a port mirror to the server. In the preceding diagram, it would be to connect a laptop to a free port on the switch, with a port mirror to ports
1
and
2
.
The problem
that can
happen
here is that you monitor.
The first case is obvious, but some problems can happen in the second one:
As illustrated in the preceding diagram, there are usually two ports or more that are connected between the server and the LAN switch. This
topology
is called
Link Aggregation
(
LAG
), teaming, or if you are using Cisco switches, EtherChannel. When
monitoring
a server, check
whether
it is configured with
load sharing
or
port redundancy
(also referred to as
Failover
). If it is configured with port redundancy, it is simple: check what the active port is and configure the port mirror to it. If it is configured with load sharing, you have to configure one of the following:
Port
mirror
to LAG interface: that is, port mirror
to
the virtual interface that holds the two or more
physical
interfaces. Usually, it
is
termed by the switch vendor as
Port-Group
or
Port-Channel
interface.
The server NICs are configured in the port redundancy: the port mirror from one port to two physical ports (in the diagram to ports 1 and 2 of the switch).
Configure two port mirrors from two interface cards on your PC to the two interfaces on the LAN switch at the same time. A diagram of the three cases is presented here:
There is another problem that might happen. When monitoring heavy traffic on ports configured with load sharing, in
Option A
you will have a mirror of two NICs sending data to a single one, for example, two ports of 1 Gbps to a single port of 1 Gbps. Then of course, in case of traffic that exceeds the speed of the laptop, not all packets will be captured and some of them will be lost. For this reason, when you use this method, make sure that the laptop has a faster NIC than the monitored ports or use
Option C
(capture with two interfaces).
In the case of using a BLADE Center, we have the following hardware topology:
As illustrated, we have a BLADE Center that contains the following components:
Blade servers
: These are hardware cards, usually located at the front side of the blade.
Servers
: The virtual servers installed on the hardware servers, also called
VMs
.
Internal LAN switch
: Internal LAN switches that are installed at the front or back of the blade center. These switches usually have 12-16 internal or virtual ports (
Int
in the diagram) and 4-8 external or physical ports (
Ext
in the diagram).
External switch
: Installed in the communication rack, and it's not a part of the
BLADE Center
.
Monitoring a blade center is more difficult because we don't have direct access to all of the traffic that goes through it. There are several options for doing so:
Internal monitoring on the blade center:
For traffic on a specific server, install Wireshark on the virtual server. In this case you just have to make sure from which virtual ports traffic is sent and received. You will see this in the VM configuration, and also choose one interface a the time on the Wireshark and see to which one the traffic goes.
A second option is to install Wireshark on a different VM and configure the port mirror in the blade center switch, between the server you wish to monitor and the VM with the Wireshark installed on it.
From servers to blade center switch (
1
) in the previous diagram:
For traffic that goes from the servers to the switch, configure, port mirror from the virtual ports the server is connected to, to the physical port where you connect the laptop. Most vendors support this option, and it can be configured.
For external monitoring, traffic from the internal blade center switch to the external switches:
Use a standard port mirror on the internal or external switches
As described before, there are several types of virtual platforms. I will explain the way one operates on VMware, which is one of the popular ones.
On every virtual platform, you configure hosts that are provided with the CPU and memory resources that virtual machines use and give virtual machines access to these resources.
In the next screenshot, you see a virtualization server with address 192.168.1.110, configured with four virtual machines: Account1, Account2, Term1, and Term2. These are the virtual servers, in this case, two servers for accounting and two terminal servers:
When you go to the configuration menu and choose Networking, as illustrated in the next screenshot, you see the vSwitch. On the left, you see the internal ports connected to the servers, and on the right, you see the external port.
In this example, we see the virtual servers Account1, Account2, Term1 and Term2; on the right, we see the physical port vmnic0.
The VMware platform vSphere offers two kinds of virtual switches, standard and distributed:
The
standard vSwitch
is what every vSphere installation has, no matter what license it is running on
Distributed
vSwitches
are only available for those who have an
Enterprise Plus
license
Port mirror is enabled in distributed vSwitch; how to configure it? You can find that out in the Working With Port Mirroring section on the VMware vSphere 6.0 documentation center: http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.networking.doc/GUID-CFFD9157-FC17-440D-BDB4-E16FD447A1BA.html.
For specific vendor's mirroring configuration:
For Alteon (now Radware) blade switches:
http://www.bladenetwork.net/userfiles/file/PDFs/IBM_GbE_L2-3_Applicat_Guide.pdf
For Cisco blade switches (called SPAN):
http://www.cisco.com/c/dam/en/us/td/docs/switches/blades/igesm/software/release/12-1_14_ay/configuration/guide/25K8411B.pdf
, Page 340,
SPAN and RSPAN Concepts and Terminology