Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide
Table of Contents
Foreword by Gerald Combs, Creator of Wireshark xxi
Preface xxii
About This Book xxv
Who is This Book For? xxv
How is This Book Organized? xxvi
What Do Those Icons Mean? xxvii
What’s Online at www.wiresharkbook.com? xxvii
Which Version of Wireshark Did You Use to Write This Book? xxviii
How Can I Submit Comments/Change Requests for This Book? xxviii
Wireshark Certified Network Analyst™ Program Overview xxix
Why Should I Pursue the Wireshark CNA Certification? xxix
How Do I Earn the Wireshark CNA Certified Status? xxix
Wireshark CNA Exam Objectives xxix
Wireshark University™ and Wireshark University™ Training Partners xxx
Schedule Customized Onsite/Web-Based Training xxx
Chapter 1: The World of Network Analysis 1
Define Network Analysis 2
Follow an Analysis Example 3
Troubleshooting Tasks for the Network Analyst 6
Security Tasks for the Network Analyst 6
Optimization Tasks for the Network Analyst 6
Application Analysis Tasks for the Network Analyst 7
Understand Security Issues Related to Network Analysis 7
Define Policies Regarding Network Analysis 7
Files Containing Network Traffic Should be Secured 7
Protect Your Network against Unwanted “Sniffers” 7
Be Aware of Legal Issues of Listening to Network Traffic 8
Overcome the “Needle in the Haystack Issue” 9
Review a Checklist of Analysis Tasks 10
Understand Network Traffic Flows 11
Switching Overview 11
Routing Overview 12
Proxy, Firewall and NAT/PAT Overview 13
Other Technologies that Affect Packets 14
Warnings about “Smarter” Infrastructure Devices 15
Launch an Analysis Session 15
Case Study: Pruning the “Puke” 17
Case Study: The “Securely Invisible” Network 18
Summary 19
Practice What You’ve Learned 19
Review Questions 21
Answers to Review Questions 22
Chapter 2: Introduction to Wireshark 23
What is Wireshark? 24
Obtain the Latest Version of Wireshark 24
Compare Wireshark Release and Development Versions 25
Thanks to the Wireshark Developers! 26
Calculating the Value of the Wireshark Code 26
Report a Wireshark Bug or Submit an Enhancement 26
Following Export Regulations 27
Identifying Products that Leverage Wireshark’s Capabilities 28
Capture Packets on Wired or Wireless Networks 28
Libpcap 29
WinPcap 29
AirPcap 29
Open Various Trace File Types 29
Understand How Wireshark Processes Packets 30
Core Engine 30
Dissectors and Plugins and Display Filters 30
Graphical Toolkit (GTK) 30
Using the Start Page 31
The Capture Area 31
The Files Area 32
The Online Area 32
The Capture Help Area 32
Identify the Nine GUI Elements 33
Customizing the Title Bar 34
Displaying the Wireless Toolbar 34
Opening and Closing Panes 34
Interpreting the Status Bar 35
Navigate Wireshark’s Main Menu 36
File Menu Items 36
Edit Menu Items 38
View Menu Items 42
Go Menu Items 46
Capture Menu Items 47
Analyze Menu Items 49
Statistics Menu Items 53
Telephony Menu Items 57
Tools Menu Items 60
Help Menu Items 61
Use the Main Toolbar for Efficiency 62
Toolbar Icon Definitions 62
Focus Faster with the Filter Toolbar 65
Make the Wireless Toolbar Visible 65
Work Faster Using Right-Click Functionality 66
Right Click | Copy 68
Right Click | Apply As Column 69
Right Click | Wiki Protocol Page (Packet Details Pane) 69
Right Click | Filter Field Reference (Packet Details Pane) 70
Right Click | Protocol Preferences 71
Sign Up for the Wireshark Mailing Lists 72
Know Your Resources 72
Case Study: Detecting Database Death 73
Summary 75
Practice What You’ve Learned 75
Review Questions 77
Answers to Review Questions 78
Chapter 3: Capture Traffic 79
Know Where to Tap Into the Network 80
Run Wireshark Locally 81
Portable Wireshark 81
Wireshark U3 82
Capture Traffic on Switched Networks 82
Use a Simple Hub on Half-Duplex Networks 83
Use a Test Access Port (TAP) on Full-Duplex Networks 84
Using Analyzer Agents for Remote Capture 87
Set up Port Spanning/Port Mirroring on a Switch 87
Example of Span Commands 88
Spanning VLANs 88
Analyze Routed Networks 89
Analyze Wireless Networks 90
Monitor Mode 91
Native Adapter Capture Issues 92
Capture at Two Locations Simultaneously (Dual Captures) 92
Select the Right Capture Interface 93
Interface Details 94
Capture Traffic Remotely 94
Configuration Parameters for rpcapd 96
Remote Capture: Active and Passive Mode Configurations 97
Save and Use Remote Capture Configurations 98
Automatically Save Packets to One or More Files 98
Create File Sets for Faster Access 98
Use a Ring Buffer to Limit the Number of Files Saved 99
Define an Automatic Stop Criteria 99
Optimize Wireshark to Avoid Dropping Packets 100
Capture Options for Optimization 100
Display Options for Optimization 100
Conserve Memory with Command-Line Capture 100
Case Study: Dual Capture Points the Finger 102
Case Study: Capturing Traffic at Home 104
Summary 105
Practice What You’ve Learned 105
Review Questions 107
Answers to Review Questions 108
Chapter 4: Create and Apply Capture Filters 109
The Purpose of Capture Filters 110
Build Your Own Set of Capture Filters 111
Identifiers 112
Qualifiers 112
Filter by a Protocol 114
Create MAC/IP Address or Host Name Capture Filters 114
Use a “My MAC” Capture Filter for Application Analysis 116
Filter Your Traffic Out of a Trace File (Exclusion Filter) 116
Capture One Application’s Traffic Only 117
Use Operators to Combine Capture Filters 118
Create Capture Filters to Look for Byte Values 118
Edit the Capture Filters File 119
Sample cfilters File 120
Share Capture Filters with Others 121
Case Study: Kerberos UDP to TCP Issue 122
Summary 124
Practice What You’ve Learned 124
Review Questions 125
Answers to Review Questions 126
Chapter 5: Define Global and Personal Preferences 127
Find Your Configuration Folders 128
Set Global and Personal Configurations 128
Customize Your User Interface Settings 131
“File Open” Dialog Behavior 131
Maximum List Entries 131
Pane Configurations 132
Columns 132
Define Your Capture Preferences 134
Select a Default Interface for Faster Capture Launch 135
Enable Promiscuous Mode to Analyze Other Hosts’ Traffic 135
The Future Trace File Format is Here: pcap-ng 135
See the Traffic in Real Time 136
Automatically Scroll During Capture 136
Automatically Resolve IP and MAC Names 136
Resolve Hardware Addresses (MAC Name Resolution) 137
Resolve IP Addresses (Network Name Resolution) 138
Resolve Port Numbers (Transport Name Resolution) 139
Resolve SNMP Information 139
Plot IP Addresses on a World Map 140
Configure Statistics Settings 140
Define ARP, TCP, HTTP/HTTPS and Other Protocol Settings 141
Detect Duplicate IP Addresses and ARP Storms 141
Define How Wireshark Handles TCP Traffic 142
Set Additional Ports for HTTP and HTTPS Dissection 143
Enhance VoIP Analysis with RTP Settings 143
Configure Wireshark to Decrypt SSL Traffic 143
Configure Protocol Settings with Right-Click 143
Case Study: Non-Standard Web Server Setup 145
Summary 147
Practice What You’ve Learned 147
Review Questions 149
Answers to Review Questions 150
Chapter 6: Colorize Traffic 151
Use Colors to Separate Traffic Types 152
Share and Manage Coloring Rules 153
Identify Why a Packet is a Certain Color 153
Color Conversations to Distinguish Them 154
Temporarily Mark Packets of Interest 155
Alter Stream Reassembly Coloring 156
Case Study: Colorizing SharePoint Connections During Login 158
Summary 159
Practice What You’ve Learned 159
Review Questions 163
Answers to Review Questions 164
Chapter 7: Define Time Values and Interpret Summaries 165
Use Time to Identify Network Problems 166
Understand How Wireshark Measures Packet Time 166
Choose the Ideal Time Display Format 166
Deal with Timestamp Accuracy and Resolution Issues 169
Send Trace Files Across Time Zones 170
Identify Delays with Time Values 171
Create Additional Time Columns 172
Measure Packet Arrival Times with a Time Reference 172
Identify Client, Server and Path Delays 173
Calculate End-to-End Path Delays 174
Locate Slow Server Responses 174
Spot Overloaded Clients 175
View a Summary of Traffic Rates, Packet Sizes and Overall Bytes Transferred 175
Compare Up to Three Traffic Types in a Single Summary Window 175
Compare Summary Information for Two or More Trace Files 176
Case Study: Time Column Spots Delayed ACKs 179
Summary 181
Practice What You’ve Learned 181
Review Questions 183
Answers to Review Questions 184
Chapter 8: Interpret Basic Trace File Statistics 185
Launch Wireshark Statistics Windows 186
Identify Network Protocols and Applications 186
Identify the Most Active Conversations 188
List Endpoints and Map Them on the Earth 190
List Conversations or Endpoints for Specific Traffic Types 191
Evaluate Packet Lengths 192
List All IPv4/IPv6 Addresses in the Traffic 194
List All Destinations in the Traffic 195
List UDP and TCP Usage 196
Analyze UDP Multicast Streams 196
Graph the Flow of Traffic 197
Gather Your HTTP Statistics 198
Examine All WLAN Statistics 199
Case Study: Application Analysis: Aptimize Website Accelerator™ 201
Case Study: Finding VoIP Quality Issues 206
Summary 208
Practice What You’ve Learned 208
Review Questions 209
Answers to Review Questions 210
Chapter 9: Create and Apply Display Filters 211
Understand the Purpose of Display Filters 212
Create Display Filters Using Auto-Complete 214
Apply Saved Display Filters 215
Use Expressions for Filter Assistance 216
Make Display Filters Quickly Using Right-Click Filtering 217
Apply as Filter 218
Prepare a Filter 218
Copy | As Filter 218
Filter on Conversations and Endpoints 218
Understand Display Filter Syntax 219
Combine Display Filters with Comparison Operators 220
Alter Display Filter Meaning with Parentheses 222
Filter on Specific Bytes in a Packet 222
Let Wireshark Catch Display Filter Mistakes 223
Use Display Filter Macros for Complex Filtering 223
Avoid Common Display Filter Mistakes 225
Manually Edit the dfilters File 225
Case Study: Using Filters and Graphs to Solve Database Issues 228
Case Study: The Chatty Browser 229
Case Study: Catching Viruses and Worms 230
Summary 231
Practice What You’ve Learned 231
Review Questions 233
Answers to Review Questions 234
Chapter 10: Follow Streams and Reassemble Data 235
Reassemble Traffic 236
Follow and Reassemble UDP Conversations 236
Follow and Reassemble TCP Conversations 238
Identify Common File Types 241
Reassemble an FTP File Transfer 241
Follow and Reassemble SSL Conversations 242
Case Study: Unknown Hosts Identified 245
Summary 246
Practice What You’ve Learned 246
Review Questions 247
Answers to Review Questions 248
Chapter 11: Customize Wireshark Profiles 249
Customize Wireshark with Profiles 250
Create a New Profile 251
Sharing Profiles 252
Create a Corporate Profile 253
Create a WLAN Profile 253
Create a VoIP Profile 254
Create a Security Profile 255
Case Study: Customizing Wireshark for the Customer 256
Summary 256
Practice What You’ve Learned 257
Review Questions 259
Answers to Review Questions 260
Chapter 12: Save, Export and Print Packets 261
Save Filtered, Marked and Ranges of Packets 262
Export Packet Content for Use in Other Programs 264
Save Conversations, Endpoints, IO Graphs and Flow Graph Information 267
Export Packet Bytes 269
Case Study: Saving Subsets of Traffic to Isolate Problems 270
Summary 272
Practice What You’ve Learned 272
Review Questions 273
Answers to Review Questions 274
Chapter 13: Use Wireshark’s Expert System 275
Let Wireshark’s Expert Information Guide You 276
Launch Expert Info Quickly 276
Colorize Expert Info Elements 278
Filter on TCP Expert Information Elements 279
Understand TCP Expert Information 280
What Triggers TCP Retransmissions? 281
What Triggers Previous Segment Lost? 281
What Triggers ACKed Lost Packet? 281
What Triggers Keep Alive? 281
What Triggers Duplicate ACK? 282
What Triggers Zero Window? 282
What Triggers Zero Window Probe? 282
What Triggers Zero Window Probe ACK? 282
What Triggers Keep Alive ACK? 282
What Triggers Out-of-Order? 282
What Triggers Fast Retransmission? 283
What Triggers Window Update? 283
What Triggers Window is Full? 283
Case Study: Expert Info Catches Remote Access Headaches 284
Summary 288
Practice What You’ve Learned 288
Review Questions 289
Answers to Review Questions 290
Chapter 14: TCP/IP Analysis Overview 291
TCP/IP Functionality Overview 292
When Everything Goes Right 293
The Multi-Step Resolution Process 293
Step 1: Port Number Resolution 295
Step 2: Network Name Resolution (Optional) 295
Step 3: Route Resolution—When the Target is Local 295
Step 4: Local MAC Address Resolution 296
Step 5: Route Resolution—When the Target is Remote 296
Step 6: Local MAC Address Resolution for a Gateway 296
Build the Packet 297
Case Study: Absolving the Network from Blame 299
Summary 300
Practice What You’ve Learned 300
Review Questions 301
Answers to Review Questions 302
Chapter 15: Analyze Domain Name System (DNS) Traffic 303
The Purpose of DNS 304
Analyze Normal DNS Queries/Responses 305
Analyze DNS Problems 306
Dissect the DNS Packet Structure 308
Transaction ID 309
Flags 309
Question Count 310
Answer Resource Record (RR) Count 310
Authority RRs Count 310
Additional RRs Count 310
Questions 310
Answer RRs 311
RR Time to Live 311
Authority RRs 311
Additional RRs 311
Filter on DNS/MDNS Traffic 311
Case Study: DNS Killed Web Browsing Performance 313
Summary 316
Practice What You’ve Learned 316
Review Questions 317
Answers to Review Questions 318
Chapter 16: Analyze Address Resolution Protocol (ARP) Traffic 319
The Purpose of ARP 320
Analyze Normal ARP Requests/Responses 320
Analyze Gratuitous ARPs 321
Analyze ARP Problems 322
Dissect the ARP Packet Structure 325
Hardware Type 325
Protocol Type 325
Length of Hardware Address 325
Length of Protocol Address 325
Opcode 325
Sender’s Hardware Address 326
Sender’s Protocol Address 326
Target Hardware Address 326
Target Protocol Address 326
Filter on ARP Traffic 326
Case Study: Death by ARP 327
Summary 328
Practice What You’ve Learned 328
Review Questions 329
Answers to Review Questions 330
Chapter 17: Analyze Internet Protocol (IPv4/IPv6) Traffic 331
The Purpose of IP 332
Analyze Normal IPv4 Traffic 332
Analyze IPv4 Problems 333
Dissect the IPv4 Packet Structure 334
Version Field 335
Header Length Field 335
Differentiated Services Field and Explicit Congestion Notification 335
Total Length Field 336
Identification Field 336
Flags Field 336
Fragment Offset Field 337
Time to Live Field 337
Protocol Field 338
Header Checksum Field 338
Source Address Field 338
Destination Address Field 338
Options Field 339
Broadcast/Multicast Traffic 339
Sanitize Your IP Addresses in Trace Files 339
Set Your IPv4 Protocol Preferences 341
Reassemble Fragmented IP Datagrams 341
Enable GeoIP Lookups 341
Interpret the Reserved Flag as a Security Flag (RFC 3514) 341
Troubleshoot Encrypted Communications 341
Filter on IPv4 Traffic 343
Case Study: Everyone Blamed the Router 344
Case Study: It’s Not the Network’s Problem! 345
Summary 346
Practice What You’ve Learned 346
Review Questions 347
Answers to Review Questions 348
Chapter 18: Analyze Internet Control Message Protocol (ICMPv4/ICMPv6) Traffic 349
The Purpose of ICMP 350
Analyze Normal ICMP Traffic 350
Analyze ICMP Problems 351
Dissect the ICMP Packet Structure 353
Type 353
Code 355
Checksum 357
Filter on ICMP Traffic 357
Case Study: The Dead-End Router 358
Summary 359
Practice What You’ve Learned 359
Review Questions 360
Answers to Review Questions 361
Chapter 19: Analyze User Datagram Protocol (UDP) Traffic 363
The Purpose of UDP 364
Analyze Normal UDP Traffic 364
Analyze UDP Problems 365
Dissect the UDP Packet Structure 366
Source Port Field 367
Destination Port Field 367
Length Field 367
Checksum Field 367
Filter on UDP Traffic 368
Case Study: Troubleshooting Time Synchronization 369
Summary 370
Practice What You’ve Learned 370
Review Questions 371
Answers to Review Questions 372
Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic 373
The Purpose of TCP 374
Analyze Normal TCP Communications 374
The Establishment of TCP Connections 374
When TCP-based Services are Refused 375
The Termination of TCP Connections 376
How TCP Tracks Packets Sequentially 376
How TCP Recovers from Packet Loss 379
Improve Packet Loss Recovery with Selective Acknowledgments 380
Understand TCP Flow Control 381
Understand Nagling and Delayed ACKs 383
Analyze TCP Problems 384
Dissect the TCP Packet Structure 387
Source Port Field 387
Destination Port Field 387
Sequence Number Field 388
Acknowledgment Number Field 388
Data Offset Field 388
Flags Field 388
Window Field 390
Checksum Field 390
Urgent Pointer Field (Optional) 390
TCP Options Area (Optional) 390
Filter on TCP Traffic 391
Set TCP Protocol Preferences 391
Validate the TCP Checksum if Possible 391
Allow Subdissector to Reassemble TCP Streams 391
Analyze TCP Sequence Numbers 394
Relative Sequence Numbers and Window Scaling 394
Track Number of Bytes in Flight 395
Calculate Conversation Timestamps 395
Case Study: Connections Require Four Attempts 396
Summary 397
Practice What You’ve Learned 397
Review Questions 399
Answers to Review Questions 400
Chapter 21: Graph IO Rates and TCP Trends 401
Use Graphs to View Trends 402
Generate Basic IO Graphs 402
Filter IO Graphs 403
Coloring 404
Styles and Layers 405
X and Y Axis 405
Generate Advanced IO Graphs 406
SUM(*) Calc 407
MIN(*), AVG(*) and MAX(*) Calc Values 408
COUNT(*) Calc 409
LOAD(*) Calc 410
Compare Traffic Trends in IO Graphs 411
Graph Round Trip Time 412
Graph Throughput Rates 414
Graph TCP Sequence Numbers over Time 415
Interpret TCP Window Size Issues 416
Interpret Packet Loss, Duplicate ACKs and Retransmissions 417
Case Study: Watching Performance Levels “Drop” 419
Case Study: Graphing RTT to the Corporate Office 420
Case Study: Testing QoS Policies 423
Summary 424
Practice What You’ve Learned 424
Review Questions 425
Answers to Review Questions 426
Chapter 22: Analyze Dynamic Host Configuration Protocol (DHCPv4/DHCPv6) Traffic 427
The Purpose of DHCP 428
Analyze Normal DHCP Traffic 428
Analyze DHCP Problems 432
Dissect the DHCP Packet Structure 433
Message Type 433
Hardware Type 433
Hardware Length 433
Hops 434
Transaction ID 434
Seconds Elapsed 434
BOOTP Flags 434
Client IP Address 434
Your (Client) IP Address 434
Next Server IP Address 434
Relay Agent IP Address 434
Client MAC Address 434
Server Host Name 434
Boot File Name 434
Magic Cookie 434
Option 435
Filter on DHCP Traffic 435
Display BOOTP-DHCP Statistics 436
Case Study: Declining Clients 437
Summary 439
Practice What You’ve Learned 449
Review Questions 441
Answers to Review Questions 442
Chapter 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic 443
The Purpose of HTTP 444
Analyze Normal HTTP Communications 444
Analyze HTTP Problems 447
Dissect HTTP Packet Structures 450
HTTP Methods 451
Host 451
Request Modifiers 451
Filter on HTTP or HTTPS Traffic 452
Export HTTP Objects 453
Rebuild a Web Page Using Copy 454
Display HTTP Statistics 455
HTTP Load Distribution 455
HTTP Packet Counter 456
HTTP Requests 457
Graph HTTP Traffic Flows 458
Choose Packets 459
Choose Flow Type 459
Choose Node Address Type 459
Set HTTP Preferences 460
Analyze HTTPS Communications 461
The HTTPS Handshake 462
Decrypt HTTPS Traffic 466
Case Study: HTTP Proxy Problems 470
Summary 472
Practice What You’ve Learned 472
Review Questions 474
Answers to Review Questions 475
Chapter 24: Analyze File Transfer Protocol (FTP) Traffic 477
The Purpose of FTP 478
Analyze Normal FTP Communications 478
Analyze Passive Mode Connections 481
Analyze Active Mode Connections 483
Analyze FTP Problems 484
Dissect the FTP Packet Structure 485
Filter on FTP Traffic 486
Reassemble FTP Traffic 487
Case Study: Secret FTP Communications 488
Summary 490
Practice What You’ve Learned 490
Review Questions 491
Answers to Review Questions 492
Chapter 25: Analyze Email Traffic 493
The Purpose of POP 494
Analyze Normal POP Communications 494
Analyze POP Problems 495
Dissect the POP Packet Structure 497
Filter on POP Traffic 499
The Purpose of SMTP 499
Analyze Normal SMTP Communications 500
Analyze SMTP Problems 501
Dissect the SMTP Packet Structure 502
Filter on SMTP Traffic 504
Case Study: SMTP Problem—Scan2Email Job 505
Summary 506
Practice What You’ve Learned 506
Review Questions 507
Answers to Review Questions 508
Chapter 26: Introduction to 802.11 (WLAN) Analysis 509
Analyze WLAN Traffic 510
Analyze Signal Strength and Interference 511
Capture WLAN Traffic 513
Compare Monitor Mode vs. Promiscuous Mode 513
Select the Wireless Interface 515
Set Up WLAN Decryption 516
Select to Prepend Radiotap or PPI Headers 518
Compare Signal Strength and Signal-to-Noise Ratios 521
Understand 802.11 Traffic Basics 522
Data Frames 523
Management Frames 523
Control Frames 524
Analyze Normal 802.11 Communications 525
Dissect the 802.11 Frame Structure 526
Filter on All WLAN Traffic 526
Analyze Frame Control Types and Subtypes 527
Customize Wireshark for WLAN Analysis 533
Case Study: Cruddy Barcode Communications 534
Summary 536
Practice What You’ve Learned 536
Review Questions 538
Answers to Review Questions 539
Chapter 27: Introduction to Voice over IP (VoIP) Analysis 541
Understand VoIP Traffic Flows 542
Session Bandwidth and RTP Port Definition 544
Analyze VoIP Problems 546
Packet Loss 546
Jitter 548
Examine SIP Traffic 548
SIP Commands 549
SIP Response Codes 550
Examine RTP Traffic 553
Play Back VoIP Conversations 555
Create a VoIP Profile 556
Filter on VoIP Traffic 556
Case Study: Lost VoIP Tones 557
Summary 559
Practice What You’ve Learned 559
Review Questions 560
Answers to Review Questions 561
Chapter 28: Baseline “Normal” Traffic Patterns 563
Understand the Importance of Baselining 564
Baseline Broadcast and Multicast Types and Rates 565
Baseline Protocols and Applications 565
Baseline Boot up Sequences 566
Baseline Login/Logout Sequences 567
Baseline Traffic during Idle Times 567
Baseline Application Launch Sequences and Key Tasks 567
Baseline Web Browsing Sessions 568
Baseline Name Resolution Sessions 568
Baseline Throughput Tests 568
Baseline Wireless Connectivity 569
Baseline VoIP Communications 569
Case Study: Login Log Jam 570
Case Study: Solving SAN Disconnects 571
Summary 572
Practice What You’ve Learned 572
Review Questions 573
Answers to Review Questions 574
Chapter 29: Find the Top Causes of Performance Problems 575
Troubleshoot Performance Problems 576
Identify High Latency Times 576
Filter on Arrival Times 578
Filter on the Delta Times 578
Filter on the Time since Reference or First Packet 578
Point to Slow Processing Times 579
Find the Location of Packet Loss 579
Watch Signs of Misconfigurations 580
Analyze Traffic Redirections 581
Watch for Small Payload Sizes 582
Look for Congestion 583
Identify Application Faults 583
Note Any Name Resolution Faults 584
An Important Note about Analyzing Performance Problems 585
Case Study: One-Way Problems 586
Case Study: The Perfect Storm of Network Problems 587
Summary 591
Practice What You’ve Learned 591
Review Questions 593
Answers to Review Questions 594
Chapter 30: Network Forensics Overview 595
Compare Host vs. Network Forensics 596
Gather Evidence 596
Avoid Detection 596
Handle Evidence Properly 599
Recognize Unusual Traffic Patterns 599
Color Unusual Traffic Patterns 600
Check Out Complementary Forensic Tools 601
Case Study: SSL/TLS Vulnerability Studied 602
Summary 604
Practice What You’ve Learned 604
Review Questions 605
Answers to Review Questions 606
Chapter 31: Detect Scanning and Discovery Processes 607
The Purpose of Discovery and Reconnaissance Processes 608
Detect ARP Scans (aka ARP Sweeps) 608
Detect ICMP Ping Sweeps 609
Detect Various Types of TCP Port Scans 610
TCP Half-Open Scan (aka “Stealth Scan”) 611
TCP Full Connect Scan 612
Null Scans 613
Xmas Scan 614
FIN Scan 615
ACK Scan 615
Detect UDP Port Scans 616
Detect IP Protocol Scans 617
Understand Idle Scans 618
Know Your ICMP Types and Codes 621
Try These Nmap Scan Commands 622
Analyze Traceroute Path Discovery 623
Detect Dynamic Router Discovery 625
Understand Application Mapping Processes 625
Use Wireshark for Passive OS Fingerprinting 627
Detect Active OS Fingerprinting 630
Identify Spoofed Addresses in Scans 633
Case Study: Learning the Conficker Lesson 635
Summary 637
Practice What You’ve Learned 637
Review Questions 638
Answers to Review Questions 639
Chapter 32: Analyze Suspect Traffic 641
What is “Suspect” Traffic? 642
Identify Vulnerabilities in the TCP/IP Resolution Processes 642
Port Resolution Vulnerabilities 643
Name Resolution Process Vulnerabilities 645
MAC Address Resolution Vulnerabilities 646
Route Resolution Vulnerabilities 646
Identify Unacceptable Traffic 646
Find Maliciously Malformed Packets 647
Identify Invalid or ‘Dark’ Destination Addresses 649
Differentiating Between Flooding and Denial of Service Traffic 650
Finding Clear Text Passwords and Data 652
Identifying Phone Home Traffic 653
Catching Unusual Protocols and Applications 654
Locating Route Redirection that Uses ICMP 656
Catching ARP Poisoning 657
Catching IP Fragmentation and Overwriting 659
Spotting TCP Splicing 660
Watching Other Unusual TCP Traffic 661
Identifying Password Cracking Attempts 662
Know Where to Look: Signature Locations 663
Header Signatures 664
Sequence Signatures 664
Payload Signatures 664
Case Study: The Flooding Host 665
Case Study: Catching Keylogging Traffic 666
Case Study: Passively Finding Malware 667
Summary 668
Practice What You’ve Learned 668
Review Questions 670
Answers to Review Questions 671
Chapter 33: Effective Use of Command-Line Tools 673
Understand the Power of Command-Line Tools 674
Use Wireshark.exe (Command-Line Launch) 675
Wireshark Syntax 675
Customize Wireshark’s Launch 677
Capture Traffic with Tshark 680
Tshark Syntax 680
View Tshark Statistics 683
Tshark Examples 686
List Trace File Details with Capinfos 687
Capinfos Syntax 687
Capinfos Examples 688
Edit Trace Files with Editcap 690
Editcap Syntax 690
Editcap Examples 692
Merge Trace Files with Mergecap 693
Mergecap Syntax 694
Mergecap Examples 694
Convert Text with Text2pcap 695
Text2pcap Syntax 696
Text2pcap Examples 697
Capture Traffic with Dumpcap 698
Dumpcap Syntax 698
Dumpcap Examples 699
Understand Rawshark 700
Rawshark Syntax 700
Case Study: Getting GETS and a Suspect 702
Summary 703
Practice What You’ve Learned 703
Review Questions 705
Answers to Review Questions 706
Appendix A: Resources on the Book Website 707
Chanalyzer Pro/Wi-Spy Recordings (.wsr Files) 708
MaxMind GeoIP Database Files (.dat Files) 709
PhoneFactor SSL/TLS Vulnerabilities Documents/Trace Files 710
Wireshark Customized Profiles 710
Practice Trace Files 711