Wireshark 2 Quick Start Guide - Charit Mishra - E-Book


Description

Protect your network as you move from the basics of the Wireshark scenarios to detecting and resolving network anomalies.




Key Features



  • Learn protocol analysis, optimization and troubleshooting using Wireshark, an open source tool

  • Learn the usage of filtering and statistical tools to ease your troubleshooting job

  • Quickly perform root-cause analysis over your network in the event of a network failure or a security breach



Book Description



Wireshark is an open source protocol analyzer, commonly used by network and security professionals. It is currently developed and maintained through volunteer contributions from networking experts all over the globe. Wireshark is mainly used to analyze network traffic, troubleshoot network issues, and study protocol behaviour; it lets you see what's going on in your network at a granular level. This book takes you from the basics of the Wireshark environment to detecting and resolving network anomalies.







This book will start from the basics of setting up your Wireshark environment and will walk you through the fundamentals of networking and packet analysis. As you make your way through the chapters, you will discover different ways to analyse network traffic through creation and usage of filters and statistical features. You will look at network security packet analysis, command-line utilities, and other advanced tools that will come in handy when working with day-to-day network operations.







By the end of this book, you will have enough skill with Wireshark 2 to overcome real-world network challenges.




What you will learn



  • Learn how TCP/IP works

  • Install Wireshark and understand its GUI

  • Create and use filters to ease the analysis process

  • Understand the usual and unusual behaviour of protocols

  • Troubleshoot network anomalies quickly with the help of Wireshark

  • Use Wireshark as a diagnostic tool for network security analysis to identify the source of malware

  • Decrypt wireless traffic

  • Resolve latency and bottleneck issues in the network



Who this book is for



If you are a security professional or a network enthusiast who is interested in understanding the internal workings of networks and packets, then this book is for you. No prior knowledge of Wireshark is needed.

You can read the e-book in the Legimi apps or in any app that supports the following format:

EPUB

Page count: 130

Year of publication: 2018




Wireshark 2 Quick Start Guide

Secure your network through protocol analysis

Charit Mishra

BIRMINGHAM - MUMBAI

Wireshark 2 Quick Start Guide

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Reshma Raman
Content Development Editor: Aditi Gour
Technical Editor: Shweta Jadhav
Copy Editor: Safis Editing
Project Coordinator: Hardik Bhinde
Proofreader: Safis Editing
Indexer: Aishwarya Gangawane
Graphics: Jason Monteiro
Production Coordinator: Deepika Naik

First published: June 2018

Production reference: 1200618

Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.

ISBN 978-1-78934-278-9

www.packtpub.com

mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

PacktPub.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the author

Charit Mishra is an ICS/SCADA professional, working as a security architect for critical infrastructure across several industries, including oil and gas, mining, utilities, renewable energy, transportation, and telecom. He has been involved in leading and executing complex projects involving the extensive application of security standards, frameworks, and technologies. A postgraduate in computer science, Charit's profile boasts of leading industry certifications such as OSCP, CEH, CompTIA Security+, and CCNA R&S. Moreover, he regularly delivers professional training and knowledge sessions on critical infrastructure security internationally.

About the reviewer

Anish has a YouTube channel named Zariga Tongy, where he loves to post videos on security, hacking, and other cloud-related technology.


Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

Wireshark 2 Quick Start Guide

Packt Upsell

Why subscribe?

PacktPub.com

Contributors

About the author

About the reviewer

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Get in touch

Reviews

Installing Wireshark

Introduction to Wireshark

Why use Wireshark?

The installation process

Troubleshooting common installation errors

A brief overview of the TCP/IP model

The layers in the TCP/IP model

Summary

Introduction to Wireshark and Packet Analysis

What is Wireshark?

How Wireshark works

An introduction to packet analysis with Wireshark

How to do packet analysis

Capturing methodologies

Hub-based networks

The switched environment

ARP poisoning

Passing through routers

The Wireshark GUI

Starting our first capture

Summary

Filtering Our Way in Wireshark

Introducing filters

Capture filters

Why use capture filters

How to use capture filters

An example capture filter

Display filters

Retaining filters for later use

Searching for packets using the Find dialog

Colorize traffic

Create new Wireshark profiles

Summary

Analyzing Application Layer Protocols

Domain Name System (DNS)

Dissecting a DNS packet

Dissecting DNS query/response

File transfer protocol

Dissecting FTP communication packets

Hypertext Transfer Protocol (HTTP)

How request/response works

Request

Response

Simple Mail Transfer Protocol (SMTP)

Dissecting SMTP communication packets

Session Initiation Protocol (SIP) and Voice Over Internet Protocol (VOIP)

Reassembling packets for playback

Decrypting encrypted traffic (SSL/TLS)

Summary

Analyzing the Transport Layer Protocols TCP/UDP

The transmission control protocol

Understanding the TCP header and its various flags

How TCP communicates

How it works

How sequence numbers are generated and managed

RST (reset) packets

Unusual TCP traffic

The User Datagram Protocol

The UDP header

How it works

The DHCP

The TFTP

Unusual UDP traffic

Summary

Network Security Packet Analysis

Information gathering

PING sweep

Half-open scan (SYN)

OS fingerprinting

ARP poisoning

Analysing brute force attacks

Inspecting malicious traffic (malware)

Summary

Analyzing Traffic in Thin Air

Understanding IEEE 802.11

Various modes in wireless communications

Usual and unusual wireless traffic

WPA Enterprise

Decrypting wireless network traffic

Summary

Mastering the Advanced Features of Wireshark

The Statistics menu

Using the Statistics menu

Protocol Hierarchy

Conversations

Endpoints

Follow TCP Streams

Command line-fu

Summary

Other Books You May Enjoy

Leave a review - let other readers know what you think

Preface

Wireshark is the world's most popular free and open source protocol analyzer, and it is commonly used by networking and security professionals for troubleshooting, analysis, protocol development, and forensics. The primary objective of Wireshark is to capture network traffic and display the packet data in as detailed a way as possible. It helps professionals view the content of network traffic at a microscopic level.

This book is written from the standpoint of using Wireshark and learning how network protocols function, and it provides a practical approach to conducting protocol analysis, troubleshooting network anomalies, and examining security issues. I have tried to depict common scenarios that you may come across in day-to-day operations through practical demonstration wherever possible, to help you understand the concepts better. By reading this book, you will learn how to install Wireshark, work with Wireshark GUI elements, and learn some advanced features behind the scenes, such as the filtering options, the Statistics menu, and decrypting wireless and encrypted traffic. You can be the superhero of your team who helps resolve connectivity issues, network administration tasks, and computer forensics, because Packets Are Life. If your routine job requires dealing with computer networks and security, then this book will give you a strong head start. Happy sniffing!

Who this book is for

This book is for students and professionals who have basic experience and knowledge of networking and who want to get up to speed with Wireshark in no time. This book will take you from the installation to the usage of commonly used tools and tricks. The book will get you comfortable with the GUI elements of Wireshark and explain the fundamentals of the science behind protocol analysis.

What this book covers

Chapter 1, Installing Wireshark, will provide you with an introduction to the basics of the TCP/IP model and a step-by-step walk-through of the installation of Wireshark on your favorite operating system.

Chapter 2, Introduction to Wireshark and Packet Analysis, will help you understand the basics and science behind packet analysis, as Wireshark comes in handy and proves to be a Swiss Army knife for professionals dealing with networks, security, and digital forensics. In this chapter, you will also learn the trick of placing the sniffer in a strategic location to get the most out of your network.

Chapter 3, Filtering Our Way in Wireshark, will help you identify and apply the Wireshark filters, namely the capturing and displaying filters. Filtering provides a powerful way to capture or see the traffic you desire; it's an effective way to remove the noise from the stream of packets we desire to analyze.

Chapter 4, Analyzing Application Layer Protocols, will help you understand the approach and methodology for analyzing application layer protocols such as HTTP, SMTP, FTP, and DNS through Wireshark. As we know, application layer protocols typically interface between a client and a server. It is critical to understand the structure and behavior of application layer protocol packets in order to identify anomalies efficiently.

Chapter 5, Analyzing the Transport Layer Protocols TCP/UDP, will help you understand the underlying network technology that enables the movement of network packets across routing infrastructures, through the analysis of transport layer protocols such as TCP and UDP. TCP and UDP are the basis of networking protocols, and it is important to understand their structure and behavior.

Chapter 6, Network Security Packet Analysis, will guide you through using Wireshark to analyze security issues, such as analyzing malware traffic and footprinting attempts in your network.

Chapter 7, Analyzing Traffic in Thin Air, will help you understand the methodology and approach involved in performing wireless packet analysis. This chapter shows you how to analyze wireless traffic and pinpoint any problems that may follow. We will also learn the cool trick of decrypting wireless traffic using Wireshark.

Chapter 8, Mastering the Advanced Features of Wireshark, will provide you with insight into the advanced options and elements available in Wireshark, such as the Statistics menu, and will also provide a brief, summarized approach to working with command-line packet sniffing applications, such as TShark.

To get the most out of this book

A basic understanding of networking protocols and the OSI and TCP/IP models

A computer system with a basic internet connection to follow the depicted scenarios

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/Wireshark2QuickStartGuide_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system."

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select System info from the Administration panel."

Warnings or important notes appear like this.
Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.

Installing Wireshark

This chapter provides you with an introduction to the basics of the TCP/IP model and a step-by-step walkthrough of how to install Wireshark on your favorite operating system. You will be introduced to the following topics:

What is Wireshark?

A brief overview of the TCP/IP model

Installing and running Wireshark on different platforms

Troubleshooting common installation errors

Introduction to Wireshark

Wireshark is an advanced network and protocol analyzer; it lets you visualize a network's activity in graphical form and assists professionals in debugging network-level issues. Wireshark enhances the ability of network and security professionals by providing detailed insight into network traffic. However, Wireshark is also used by malicious users to sniff network traffic in order to obtain sensitive data in the form of plain text.

Why use Wireshark?

Many people, including myself, are obsessed with the simplicity of the packet-capturing features that Wireshark provides us with. Let's quickly go through a few of the reasons why most professionals prefer Wireshark to other packet sniffers:

  • User friendly: The interface of Wireshark is easy to use and understand; tools and features are very well organized and presented.

  • Robustness: Wireshark is capable of handling enormous volumes of network traffic with ease.

  • Platform independent: Wireshark is available for different flavors of operating system, whether Windows, Linux, or macOS.

  • Filters: There are two kinds of filtering options available in Wireshark:

    • You choose what to capture (capture filters)

    • You choose what to display after you've captured (display filters)

  • Cost: Wireshark is a free and open source packet analyzer that is developed and maintained by a dedicated community of professionals. Wireshark also offers a few paid professional applications. For more details, refer to Wireshark's official website, https://www.wireshark.org/.

  • Support: Wireshark is being continuously developed by a group of contributors scattered around the globe. We can sign up to Wireshark's mailing list, or we can get help from the online documentation, which can be accessed through the GUI itself. Various other online forums are also available for you to get the most effective help; search for Paid Wireshark Support on Google to learn more about the available support.