Traffic Analysis with Tshark How-to - Borja Merino - E-Book

Traffic Analysis with Tshark How-to E-Book

Borja Merino

Description

Malware, DoS attacks, SQLi, and data exfiltration are some of the problems that many security officers have to face every day. Having advanced knowledge in communications and protocol analysis is therefore essential to investigate and detect any of these attacks. Tshark is the ideal tool for professionals who wish to meet these needs, or students who want to delve into the world of networking.

Instant Traffic Analysis with Tshark How-to is a practical, hands-on guide for network administrators and security officers who want to take advantage of the filtering features provided by Tshark, the command-line version of Wireshark. With this guide you will learn how to get the most out of Tshark from environments lacking a GUI, ideal for example on Unix/Linux servers, offering you much flexibility to identify and display network traffic.

The book begins by explaining the basic theoretical concepts of Tshark and the process of data collection. Subsequently, you will see several alternatives to capture traffic based on the network infrastructure and the goals of the network administrator. The rest of the book will focus on explaining the most interesting parameters of the tool from a totally practical standpoint.

You will also learn how to decode protocols and how to get evidence of suspicious network traffic. You will become familiar with the many practical filters of Tshark that identify malware-infected computers and lots of network attacks such as DoS attacks, DHCP/ARP spoof, and DNS flooding. Finally, you will see some tricks to automate certain tasks with Tshark and Python scripts.

You will learn everything you need to get the most out of Tshark and overcome a wide range of network problems. In addition you will learn a variety of concepts related to networking and network attacks currently exploited.

The e-book can be read in Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Number of pages: 78

Year of publication: 2013




Table of Contents

Instant Traffic Analysis with Tshark How-to
Credits
About the Author
About the Reviewer
www.PacktPub.com
Support files, eBooks, discount offers and more
Why Subscribe?
Free Access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Instant Traffic Analysis with Tshark How-to
Capturing data with Tshark (Must know)
Getting ready
How to do it...
How it works...
Capturing traffic (Must know)
How to do it...
Bridge mode
Packet capturing
Port mirroring
Remote capture with rpcapd
ARP spoofing
How it works...
Delimiting network problems (Should know)
How to do it...
How it works...
Implementing useful filters (Should know)
How to do it...
Malicious domains
Passive DNS
Matches operator
How it works...
There's more...
Decoding protocols (Become an expert)
How to do it...
How it works...
Auditing network attacks (Become an expert)
How to do it...
ARP spoofing
DHCP spoofing
DoS attacks
How it works...
There's more...
Analyzing network forensic data (Become an expert)
Getting ready
How to do it...
There's more...
Auditing network applications (Must know)
How to do it...
There's more...
Analyzing malware traffic (Must know)
Getting ready
How to do it...
How it works...
There's more...
Automating tasks (Must know)
Getting ready
How to do it...
How it works...
There's more...

Instant Traffic Analysis with Tshark How-to

Copyright © 2013 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: April 2013

Production Reference: 1170413

Livery Place

35 Livery Street

Birmingham B3 2PB, UK

ISBN 978-1-78216-538-5

www.packtpub.com

Credits

Author

Borja Merino

Reviewer

Nelo Belda Atoche

IT Content Commissioning Editor

James Jones

Commissioning Editor

Ameya Sawant

Technical Editor

Varun Pius Rodrigues

Project Coordinator

Sneha Modi

Proofreader

Stephen Copestake

Graphics

Ronak Dhruv

Production Coordinator

Shantanu Zagade

Cover Work

Shantanu Zagade

Cover Image

Conidon Miranda

About the Author

Borja Merino is a security researcher from León, Spain. He studied Computer Science at the Pontificia University of Salamanca and he is certified in OSCP, OSWP, OSCE, CCNA Security, CCSP, Cisco Firewall, SMFE, CISSP, and NSTISSI 4011. He has published several papers about pentesting and exploiting. He is also a Metasploit community contributor and one of the authors of the blog www.securityartwork.com, where he regularly writes security articles. You can follow him on Twitter at @BorjaMerino.

I would like to dedicate this book (my first mini book) to my family, especially my parents and my brother, the most important people to me. Of course, I also dedicate it to my girlfriend and my best colleagues although some of them do not even know what a protocol analyzer is.

Finally, I would like to give special thanks to the Technical Reviewer Nelo and my friend Alfon who, without hesitation, offered to help me with the review of the book. Thank you guys!

About the Reviewer

Nelo Belda Atoche is a Security Analyst in S2 Grupo. He received a Technical Engineering degree in Telecommunication from the Universitat Politècnica de València and a Master’s degree in Information Systems and Technology Management and Administration from the Universitat Oberta de Catalunya. Since his early student years, he has been focused on Computer Security.

He currently works as an Incident Handler (GIAC Certified on Incident Handler, GCIH) in a Computer Security Incident Response Team, at the Spanish company S2 Grupo. He performs tasks of network and computer analysis and forensics, incident response, and IDS/IPS management, among others. He also has collaborated on various technical reports, about critical infrastructure protection, as well as in the blog SecurityArtWork.

www.PacktPub.com

Support files, eBooks, discount offers and more

You might want to visit www.PacktPub.com for support files and downloads related to your book.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

http://PacktLib.PacktPub.com

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read, and search across Packt's entire library of books.

Why Subscribe?

Fully searchable across every book published by Packt
Copy and paste, print and bookmark content
On-demand and accessible via web browsers

Free Access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.

Preface

One of the main tasks of any network administrator or security officer is traffic analysis. Skill in the use of protocol analysis tools is essential to locate and limit network problems, resolve security incidents, check the correct operation of routing protocols, test applications that use sockets, and so on. Tshark, the command-line version of Wireshark, is the ideal tool for professionals who wish to meet those needs, or for students who want to delve into the world of networking and understand in more depth the operation of TCP/IP network protocols. With Tshark, you can take advantage of all the filtering features provided by Wireshark from environments lacking a GUI, ideal for example on Unix/Linux servers, offering you great flexibility to identify and display network traffic. This book develops the full potential of this tool from a completely practical standpoint, using real examples that represent the everyday work of many professionals dedicated to the world of security and communications.

What this book covers

Capturing data with Tshark (Must know) explains basic theoretical concepts about Tshark and the process of data collection. It also explains how to configure Tshark to capture traffic with the appropriate permissions without exposing the system to possible vulnerabilities.

Capturing traffic (Must know) explains some of the options for data collection. Each of the alternatives depends on the network infrastructure and the objectives of the analyst.

Delimiting network problems (Should know) offers practical examples to help us define and identify specific network traffic, in order to quickly identify the source of many networking problems.

Implementing useful filters (Should know) presents useful examples that respond to many needs for both the network administrator and the security officer.

Decoding protocols (Become an expert) explains how to force Tshark to use a particular dissector. We also discuss how to decrypt SSL traffic.

Auditing network attacks (Become an expert) shows examples of filters to identify common network attacks: ARP-spoof, DoS attacks, DHCP/DNS spoof, and so on. Identifying such incidents quickly helps you take the necessary countermeasures to mitigate such attacks.

Analyzing network forensic data (Become an expert) explains how to obtain evidence from suspicious network traffic. We will look at tunneling techniques to attempt to circumvent security mechanisms (ICMP exfiltration, UDP tunnels, and so on) in addition to other post-exploitation attacks.

Auditing network applications (Must know) provides examples to help audit and understand the behavior of applications that make use of sockets.

Analyzing malware traffic (Must know) provides examples of filters that will help identify computers infected with malware. Likewise, we'll see how, with the help of Tshark, we can generate signatures that block connections to C&C servers.

Automating tasks (Must know) explains some tricks to automate certain tasks with Tshark and Python scripts.

What you need for this book

You will need a Windows or Linux machine, either physical or virtual. All that is required is to install Wireshark, available from its official website (http://www.wireshark.org/). The package contains a suite of tools including Tshark. For Windows, the installer will guide you to download WinPcap (the libpcap version for Windows). The Wireshark distribution also includes various command-line tools for working with capture files. Some of these tools (Editcap, Mergecap, Text2pcap, Capinfos, and so on) will be used at some points in the How-to. To carry out the examples shown in the book, the latest version of Tshark (1.8.4) was compiled on an Ubuntu 12.04 machine.

Who this book is for

The book is intended for network administrators and security officers who have to deal daily with a variety of network problems and security incidents. The book will also be a good support for Cisco students wishing to implement and understand in greater depth many theoretical concepts related to traffic data and communications.