Wireshark network analysis second edition pdf free download

Watch for delays between server ACKs and responses.

In essence, Wireshark marks the first packet's arrival as 0. The Time column value for each packet after the first one is based on how much later it arrived during the capture process. This setting will be retained with the profile in which you are working. After changing this setting, click the Time column twice to sort from high to low to look for large delays in the trace file.

In Figure 40, we opened http-openofficeb. This trace file was taken at the client and this is a perfect indication of path latency. You might as well walk there! For example, consider what this column would display if you had five different conversations intertwined in the trace file.

The Time column is now measuring the delta time between each of the packets with no regard to the fact that there are five different intertwined conversations. We would want to see delays inside the separate conversations.

In Lab 7, you created your Wireshark profile based on the Default profile, so you should already have this setting in place. Now we will look at how we can create a column based on that preference setting so we can obtain separate delta time values for each conversation. You now have a new column in the Packet List pane. Enable Calculate conversation timestamps and add a new column to spot delays inside individual TCP conversations.

To rename a column, right-click the column heading and select Edit Column Details. Type the new column name in the Title field and click OK to save the new name. Right-click on a column heading and choose Edit Column Details to change the column name.

In Figure 43, we opened http-pcaprnet. We sorted on the Time column from high to low to see the difference in time values between the Time column and TCP Delta column. SYN packets show up as high latency in this trace file, but these are false positives. In our browsing session to pcapr. Just like the loading of an. Don't focus on the following packet types.

It's not unusual to have delays preceding these packets. You may begin capturing and then ask a user to connect to a web server. Browsers send these packets when you click on another tab or when there has been no recent activity to a site or when the browsing session is configured to automatically close after a page has loaded. Users do not notice these delays. GET requests can be generated when a user clicks on a link to request the next page.

Other times, some GET requests may be launched by background processes that have no priority whatsoever such as in the. DNS queries may be sent at various times during a web browsing session, such as when a page that has numerous hyperlinks loads at the client. Although encrypted, the alert is likely a TLS Close request.

In Figure 44, we are still working in http-pcaprnet. Previously, we sorted based on the Time column.

Now, when we sort the TCP Delta column from high to low we notice the 18 second delay before the three background graphics are requested. That common delay is typical of a background process. The OK responses in frame 20 and [20], however, are a very real concern. This is high server latency. In this trace file, there are delays of 1. We don't expect such large delays before the server sends the required web page element.
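The contrast between the Time column and the TCP Delta column described above, as an added example that is not code from the book or from Wireshark. It computes frame.time_delta (seconds since the previous packet, whatever conversation it belongs to) and tcp.time_delta (seconds since the previous packet of the same TCP stream) over a constructed trace of three intertwined HTTP conversations; the addresses, ports and timings are made up, and the conversation key is a simple direction-agnostic (address, port) pair rather than Wireshark's internal stream index.

```python
# Added example (not from the book or from Wireshark): frame.time_delta versus
# tcp.time_delta on a constructed packet list with intertwined conversations.
from collections import namedtuple

Packet = namedtuple("Packet", "frame time src sport dst dport flags info")

# Constructed sample trace: one client, three HTTP conversations to the same
# web server, times in seconds since frame 1. All values are made up.
SAMPLE = [
    Packet(1, 0.000, "10.0.0.5", 50001, "203.0.113.10", 80, "SYN", "SYN"),
    Packet(2, 0.085, "203.0.113.10", 80, "10.0.0.5", 50001, "SYN,ACK", "SYN/ACK"),
    Packet(3, 0.086, "10.0.0.5", 50001, "203.0.113.10", 80, "ACK", "GET /index.html"),
    Packet(4, 0.090, "10.0.0.5", 50002, "203.0.113.10", 80, "SYN", "SYN"),
    Packet(5, 0.175, "203.0.113.10", 80, "10.0.0.5", 50002, "SYN,ACK", "SYN/ACK"),
    Packet(6, 0.176, "10.0.0.5", 50002, "203.0.113.10", 80, "ACK", "GET /logo.png"),
    # slow server responses: over a second after each GET
    Packet(7, 1.300, "203.0.113.10", 80, "10.0.0.5", 50001, "ACK", "HTTP/1.1 200 OK"),
    Packet(8, 1.320, "203.0.113.10", 80, "10.0.0.5", 50002, "ACK", "HTTP/1.1 200 OK"),
    # background process opens a new connection after an 18 s idle gap
    Packet(9, 19.400, "10.0.0.5", 50003, "203.0.113.10", 80, "SYN", "SYN"),
    Packet(10, 19.480, "203.0.113.10", 80, "10.0.0.5", 50003, "SYN,ACK", "SYN/ACK"),
    Packet(11, 19.481, "10.0.0.5", 50003, "203.0.113.10", 80, "ACK", "GET /bg.gif"),
    Packet(12, 19.500, "203.0.113.10", 80, "10.0.0.5", 50003, "ACK", "HTTP/1.1 200 OK"),
    # the first conversation is closed much later; teardown delays are expected
    Packet(13, 25.000, "10.0.0.5", 50001, "203.0.113.10", 80, "FIN,ACK", "FIN"),
]


def conversation_key(p):
    """Direction-agnostic identifier for a TCP conversation (stand-in for tcp.stream)."""
    return frozenset([(p.src, p.sport), (p.dst, p.dport)])


def frame_deltas(packets):
    """frame.time_delta: seconds since the previous packet in the trace, any conversation."""
    deltas, prev = {}, None
    for p in sorted(packets, key=lambda p: p.frame):
        deltas[p.frame] = 0.0 if prev is None else round(p.time - prev.time, 6)
        prev = p
    return deltas


def tcp_deltas(packets):
    """tcp.time_delta: seconds since the previous packet of the SAME conversation
    (0 for the first packet of a stream, so a SYN never shows a delay here)."""
    deltas, last_seen = {}, {}
    for p in sorted(packets, key=lambda p: p.frame):
        key = conversation_key(p)
        deltas[p.frame] = 0.0 if key not in last_seen else round(p.time - last_seen[key], 6)
        last_seen[key] = p.time
    return deltas


def largest_frame_delta(packets):
    """What sorting the plain Time column high to low would put on top."""
    d = frame_deltas(packets)
    frame = max(d, key=d.get)
    return frame, d[frame]


def top_tcp_delays(packets, n=3):
    """Sort the TCP Delta column high to low, skipping FIN/RST packets whose
    delays are expected and are not worth chasing."""
    d = tcp_deltas(packets)
    by_frame = {p.frame: p for p in packets}
    out = []
    for frame, delta in sorted(d.items(), key=lambda kv: -kv[1]):
        flags = by_frame[frame].flags
        if "FIN" in flags or "RST" in flags:
            continue
        out.append((frame, delta, by_frame[frame].info))
        if len(out) == n:
            break
    return out


if __name__ == "__main__":
    print("Time column top delay (false positive, the SYN after an idle gap):", largest_frame_delta(SAMPLE))
    print("TCP Delta column top delays (real server latency):", top_tcp_delays(SAMPLE, 2))
```

Sorting on frame_deltas puts the background SYN of frame 9 on top (about 18 seconds of idle time), while tcp_deltas gives that SYN a value of 0 because it starts a new stream; the two slow HTTP responses in frames 7 and 8 are what the TCP Delta ranking surfaces.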

The server is either overloaded, it doesn't hold the information locally, or perhaps the requested element is located in a database that needs to be queried before responding. In this situation, the latter is the case. When you load the pcapr. You may have some of these columns set already if you followed along with the previous section.

Step 1: Open http-slow. Step 2: Right-click the Length column heading and select Hide Column. This provides more room for your new column.

Click on your Time column heading twice to sort from high to low. Scroll to the top of the list. We can see some very high delays in this trace file. Now let's see what happens when we add and work with a column that depicts TCP conversation timestamps. Step 4: Click on the No. Number column heading to return the trace file to its default sort order.

Scroll up or click the Go To the First Packet button on the main toolbar to go to frame 1. You now have a new column in the Packet List pane, as shown below. Step 6: Right-click on the new column and select Edit Column Details. Click twice on your new TCP Delta column heading to sort from high to low.

Since there are multiple TCP conversations intertwined in this trace file, this TCP Delta column gives an accurate display of latency times in the trace file. In the image below, we scrolled to the right to view more of the Info column, so our Time column is no longer in view. Do you see anything in common with the top delays in the traffic? Step 8: Lab Clean-up. Click once on the No. Number column heading to sort from low to high. This is the original sorting order of trace files.

If you want to view this column again later, you can right-click on any column heading and select Display Columns TCP Delta.

Look at the TCP delta times in your web browsing sessions, network logins, or email traffic. Get a feel for the round trip latency times from your client to numerous hosts. Chapter 1 Challenge Open challenge What response code does the server send in frame 17? What is the largest TCP delta value seen in this trace file? How many SYN packets arrived after at least a 1 second delay? Think of how people talk to each other, how they act when they want something, how they show gratitude when they get it.

Look for those types of themes in the packets and network traffic will become easier to understand and communication nuances will be easier to remember.

The time investment is worth it. When you understand packets, you understand everything in networking.

1. Interface List—Select one or more interfaces (multi-adapter capture)
2. Capture Filter—Displays applied capture filter (double-click to change, remove or add a capture filter)
3. Capture File(s)—Save to multiple files, set a ring buffer, and set an auto-stop condition based on number of files
5. Display Options—Set auto-scroll and view packets while capturing
6. Stop Capture—Set an auto-stop condition based on number of packets, quantity of data captured, or elapsed time

Identify the Best Capture Location to Troubleshoot Slow Browsing or File Downloads. The first step in analyzing network performance problems is to capture traffic in the right spot. Place Wireshark in the wrong spot and you may be spending too much time dealing with unrelated traffic or following a "false positive" for hours.

The Ideal Starting Point Begin by capturing traffic at or near the host that is experiencing a performance problem, as depicted in Figure This allows you to see traffic from that host's perspective.

You can detect the round trip latency times, packet loss, error responses, and other problems that the host is experiencing. If a user complains about slow email downloads, you want to see the performance problems from their perspective. If you capture somewhere in the middle of the network, your packet capture tool may be upstream from the point where performance issues are injected into the communications. You can see the concerns from this host's perspective when you start capturing as close to this host as possible.

Move if Necessary After getting a general idea of what is happening from the complaining host's perspective, you may have to move your packet capture tool to another location to get a different perspective. For example, if packet loss seems to be the cause of poor performance, you'll want to move Wireshark or set up a second Wireshark system on the other side of the switches or routers to determine where the packets are being dumped.

Most packet loss occurs at interconnecting devices, so that's where you would focus. Start capturing at the client system to get that client's perspective. Watch for high round trip times to a target, indications of packet loss, problems with buffer sizes (zero window condition), as discussed in Receive Buffer Congestion Indications, and suspicious or unnecessary background traffic.

Many times you won't have to go any further than the client's perspective. Knowing your options will help ensure you use the most efficient method to capture traffic. You have three options for capturing close to the complaining host. Options 1 through 3 are displayed in Figure. You have three basic options for capturing traffic on an Ethernet network. Option 1: Capture directly on the complaining host. This may be a great option if you are allowed to install packet capture software on that host.

You don't have to install Wireshark. Consider using a simple packet capture utility such as tcpdump. Option 2: Span the host's switch port. If the switch above the user supports port spanning and you have rights to configure that switch, consider setting up that switch to copy all traffic to or from the user's switch port down to your Wireshark port.

One concern to note, however, is that switches will not forward link-layer error packets so you may not see all the traffic related to poor performance. By default, taps forward all network traffic, including link-layer errors.

Although taps can be expensive, they can be a life-saver if you want to listen to all traffic to or from a host. Prepare and practice your capture process well in advance. You don't want to run around looking for the switch port spanning configuration information while people are screaming about network problems.

Capture Traffic on Your Wireless Network Wireshark can help you understand how wireless networks WLANs work and also help you find the cause of lousy performance on your home or work network.

You have a few options for capturing on the WLAN side. Select Capture Interfaces to determine if your wireless adapter is listed and if it sees traffic through Wireshark.

If you do see some packets with your native adapter, select that adapter and click Start. If your adapter can see WLAN beacons as well as data packets and you see However, if the adapter does not add metadata, such as the signal strength at the time of capture, you are missing out on some important data required for analysis[22].

AirPcap adapters can capture In addition, these adapters run in monitor mode (also referred to as RF monitor or RFMON mode), which enables the adapter to capture all traffic without having to associate with a specific Access Point. This means the AirPcap adapter can capture traffic on any These headers contain some great information, such as the frequency on which the frame arrived, the signal strength and noise level at the moment and location of capture, and more.

Figure 47 depicts a trace file wlan—ipadstartstop. The Packet Details pane displays the additional information contained in the RadioTap header. For more information on AirPcap adapters, visit www. The AirPcap adapter enables you to see control, management, and data frames. In addition, the adapter prepends a Radiotap or PPI header with Try capturing on your native adapter to determine its capabilities.

You need to see true AirPcap adapters are a worthwhile investment if you are going to be analyzing wireless network traffic. Identify Active Interfaces If Wireshark can't see an interface, you can't capture traffic. If you have more than one interface, you need to determine which one to use.

Mastering the interface options is required to be successful as an analyst. Determine Which Adapter Sees Traffic Select Capture Interfaces or click the Interfaces button on the main toolbar to quickly determine which interface is seeing traffic and to which network each interface is connected. Click on the IPv6 address to see an adapter's IPv4 address, if one exists. Wireshark is now displaying the IPv4 address for that adapter.

We can easily tell which interface is able to capture traffic. Click on the address to toggle between the IPv4 and IPv6 addresses assigned to that interface. This is useful if you want to capture on the wired and wireless network simultaneously. For example, if you are trying to troubleshoot a WLAN client on the network, you can capture on the client's WLAN adapter and the wired network simultaneously, as shown in Figure. You can simultaneously capture a client's traffic as it travels through the wireless and wired networks.

This information is provided by the interface and may include details about the interface configuration and capabilities, as well as transmit and receive statistics.

Deal with TONS of Traffic. Inside a busy enterprise, the traffic can overload Wireshark[23], leaving you with a corrupt trace file that makes your analysis thoroughly inaccurate.

Learn to deal with high rates of traffic to ensure you can track down problems on any size network. In Chapter 8 we will look at command-line capture techniques using Tshark and dumpcap. If a user is complaining about slow web browsing, begin capturing traffic and then ask the user to browse to some web sites. Keep capturing until your user has demonstrated the slow browsing problem. You will have captured traffic that will help you determine if the performance problem is linked to the client, server, or path.

When you capture close to the client, you should see much less traffic than if you'd tapped into the middle of the enterprise. It is likely that Wireshark can keep up with traffic rates to and from the client.

If you are dealing with a security issue (perhaps you think a host contains malware), you may want to capture all traffic to or from this host for quite a while.

During this capture process, don't let a user access the keyboard of this machine. You don't want to capture user behavior. You can get severe back pains from sleeping on the office floor or quickly fill up a hard drive if you don't set this up as an unattended capture process.

This is the Best Reason to Use Capture Filters Dealing with too much data is one of the best reasons to use capture filters.

By reducing the number of packets Wireshark must capture, you reduce the load on Wireshark while reducing the amount of traffic you must wade through.

Keep in mind, however, that an overly restrictive capture filter may cause you to miss key packets. Look at capturing to file sets as a safe option. Capture to a File Set Wireshark can capture traffic to file sets. Select Capture Options and check the box next to the interface on which you want to capture traffic.

Enter the path and file name for the file set in the Capture File(s) section, as shown in Figure. Check Use multiple files and define the criteria to create the next file. In our example, Wireshark will create a set of MB-sized files in. We didn't set a stop criterion, so we'll need to manually stop the capture process at some point. We set up Wireshark to capture to a set of MB-sized files.

In the example shown in Figure 50, since we suspect malware is running on a host, we will let Wireshark capture the traffic to and from this host for the next 12 hours to see if there is a phone home process running in the background.

You may need to capture for longer or shorter times, depending on what you see in the trace file(s). After opening the first file from this set, use File File Set List Files to see all the files in your file set. Click on the radio button in front of each file to quickly move from one file to another. Wireshark suddenly became a cumbersome tool to use on these files. Cascade Pilot handles large trace files, offers graphing and reporting capabilities missing in Wireshark, and integrates tightly so you can export specific packets for closer inspection.

One of Cascade Pilot's most welcome features is the ability to handle larger trace files. For example, in a recent test, it took 1 minute and 52 seconds to open a 1. Each time we added a display filter, column, or coloring rule, Wireshark had to reload the file. Wireshark essentially became unusable. In Cascade Pilot, we loaded the IP conversations view of the same file shown in Figure 51 in less than 3 seconds.

The IP Conversations view of our 1. Try to keep your file size below MB. Larger file sizes will cause Wireshark to become sluggish when you add columns, apply filters, or build graphs. Wireshark is not very good at handling huge trace files. If you must capture and work with very large trace files (over MB), look into Cascade Pilot as an analyzer solution. Lab Capture to File Sets. In this lab you will get a chance to practice capturing to file sets using an auto-stop condition.

Step 1: Click on the Capture Options button on the main toolbar. Step 2: Click on the checkbox in front of the adapter you are currently using to connect to the Internet. Step 3: In the Capture File(s) area, click the Browse button to navigate to and select the directory in which you want to save your trace files. Enter captureset. Click OK. Step 4: Toggle back to the Capture Options window. Your directory and file name should appear in the File section.

Select Use multiple Files and define the next file every 1 MB and next file every 10 seconds. Whichever condition is met first causes the creation of the next file. Enter 4 in the Stop capture after area, as shown below. Step 5: Click Start. Step 6: Open your browser and visit www. Browse around the web site for at least 40 seconds. Toggle back to Wireshark and look in the File area of the Status Bar. Wireshark displays all four files of your file set. Click the radio button in front of the various files to move quickly from one file to another.

Note that Wireshark retains many of your capture options. You will need to check the capture option settings when you prepare for the next capture process.

When you are dealing with a lot of traffic, consider saving to file sets. Wireshark will load the files faster if they are under MB. You will find yourself using file sets more often as you need to capture larger amounts of traffic. Using a few key Wireshark functions you can be ready to catch these annoyingly elusive events.

If you have a sporadic problem, one that seems to appear on and off through a network, you will need to be a bit more creative with your capture process.

In this case, you should capture traffic continuously until the problem occurs again. Use File Sets and the Ring Buffer In this situation, set up Wireshark to capture traffic to file sets, but use the ring buffer option. In Figure 52, we defined a new file name roamingprob. We are going to examine the last MB of traffic leading up to the problem point in time.

Let Wireshark run continuously. The file set feature won't fill up the hard drive and you will have the last MB leading up to the problem. Stop When Complaints Arise When the user complains about performance, stop the capture process manually and look at the most recent file to see what happened. Wireshark will keep numbering the files so you know how many MB files have been created and deleted if older than the last five files.

Practice this skill by configuring Wireshark to capture to file sets with a ring buffer as you are going about your daily work. As Wireshark runs in the background, you are ready to capture the traffic leading up to any type of problem that arises. For example, if you suddenly notice a web site loads slower than usual, you can toggle to Wireshark and stop the capture to see what recently happened.
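The file set and ring buffer behaviour described in the two sections above (next file on a size or time limit, whichever is hit first; an optional auto-stop after N files; a ring buffer that keeps only the last N files while the file numbering keeps climbing), as an added model that is not Wireshark's or dumpcap's own code. It assumes a simplified file naming scheme (real Wireshark file names also embed a timestamp) and only checks the rotation limits when a packet arrives, whereas the real capture engine also switches files on a timer when the link is idle. The sizes and times fed to it are constructed.

```python
# Added example (not Wireshark's code): a model of "Use multiple files" with an
# auto-stop file count and a ring buffer, as configured in the Capture Options dialog.
from dataclasses import dataclass, field


@dataclass
class CaptureFile:
    number: int                 # running file index; never reused, even after deletion
    opened_at: float            # capture time (seconds) when this file was started
    size: int = 0               # bytes written so far
    packets: list = field(default_factory=list)


class FileSetWriter:
    def __init__(self, base, max_bytes=None, max_seconds=None,
                 ring_files=None, stop_after_files=None):
        self.base = base                      # file name prefix typed into the File box
        self.max_bytes = max_bytes            # "next file every N MB" (here in bytes)
        self.max_seconds = max_seconds        # "next file every N seconds"
        self.ring_files = ring_files          # "Ring buffer with N files", None = keep all
        self.stop_after_files = stop_after_files  # "Stop capture after N files", None = manual stop
        self.files = {}                       # number -> CaptureFile still on disk
        self.deleted = []                     # numbers removed by the ring buffer
        self.next_number = 1
        self.current = None
        self.running = True

    def filename(self, number):
        # Constructed naming scheme (assumption); Wireshark also appends a timestamp.
        return f"{self.base}_{number:05d}.pcapng"

    def _open(self, t):
        f = CaptureFile(self.next_number, t)
        self.files[f.number] = f
        self.next_number += 1
        self.current = f
        # Ring buffer: once more than N files exist, the oldest one is deleted.
        if self.ring_files and len(self.files) > self.ring_files:
            oldest = min(self.files)
            del self.files[oldest]
            self.deleted.append(oldest)

    def _close(self):
        closed, self.current = self.current, None
        # Auto-stop condition based on the number of files written.
        if self.stop_after_files and closed.number >= self.stop_after_files:
            self.running = False

    def write(self, t, nbytes):
        """Record one packet of nbytes captured at time t (seconds).
        Returns False once the auto-stop has fired (the packet is then discarded)."""
        if not self.running:
            return False
        if self.current is None:
            self._open(t)
        self.current.size += nbytes
        self.current.packets.append(t)
        size_hit = self.max_bytes is not None and self.current.size >= self.max_bytes
        time_hit = self.max_seconds is not None and t - self.current.opened_at >= self.max_seconds
        if size_hit or time_hit:          # whichever limit is reached first rotates the file
            self._close()
        return self.running

    def kept(self):
        """File numbers still on disk, oldest first."""
        return sorted(self.files)

    def newest_filename(self):
        """The file to open first when a user complains: the most recent one."""
        return self.filename(max(self.files)) if self.files else None


if __name__ == "__main__":
    # Ring buffer of three 1000-byte / 10-second files, manual stop (the sporadic-problem setup).
    w = FileSetWriter("roamingprob", max_bytes=1000, max_seconds=10, ring_files=3)
    for t in (0, 1, 2, 3, 4, 5, 6, 17, 18):     # constructed packet arrival times
        w.write(t, 400)
    print("on disk:", [w.filename(n) for n in w.kept()], "deleted:", w.deleted)
    print("look at", w.newest_filename(), "first")
```

In the constructed run, files 1 and 2 fill up on size, file 3 rotates on the 10-second limit during the idle gap, and opening file 4 pushes file 1 out of the three-file ring, so the directory holds files 2 through 4 while the counter already stands at 5. The same rotation is what dumpcap's `-b filesize:`, `-b duration:` and `-b files:` options provide from the command line.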

Lab Use a Ring Buffer to Conserve Drive Space In this lab exercise, we will set up a ring buffer to ensure we see the most recent traffic. We will create a problem and manually stop the capture to analyze the issue. Enter stopatproblem Select Use multiple files and define the next file every 10 MB and next file every 30 seconds. Select the Ring Buffer option and enter 3 to define the maximum number of files to keep.

Uncheck the Stop capture after setting, as shown below. Spend at least 30 seconds browsing around the site. Step 7: Now browse to www. This should generate an error because the file does not exist. Step 8: Quickly toggle back to Wireshark and click the Stop Capture button. Step 9: Look in the File area of the Status Bar. You can see how many file numbers have been assigned to this point. When you look at the directory to which you saved files, you only see three files because your ring buffer was set up to save only the last three files.

Step Click the Go To Last Packet button and scroll backwards through the trace file from the end towards the start to locate the error message from the server, as shown below. In Lab 19, you will use a display filter to quickly locate error responses. Step Lab Clean-up. Note that Wireshark retains many of your capture options.

Using a ring buffer and manual stop process allows you to detect what happened up to and at the time performance went awry. Reduce the Amount of Traffic You have to Work With Rather than prepare for a week of sifting through packets, consider reducing the work load significantly by capturing at the proper location and filtering during the capture process.

If you must capture traffic inside the enterprise or on a server that is very busy, you may find that Wireshark cannot keep up with the traffic rate. Wireshark pulls the traffic from dumpcap. If dumpcap cannot keep up with the traffic during a capture process (most likely because Wireshark is not pulling the traffic from dumpcap fast enough), the phrase "Dropped: x" will appear on Wireshark's Status Bar in the center column.

You cannot work with a faulty trace file. Your assumptions and analysis would be as incomplete as the data from which you worked. Such a trace file is unusable. This is a perfect time to apply capture filters. By applying capture filters at this point, you have a better chance of avoiding dropped packets. Capture filters reduce the load on the Capture Engine. Detect when a Spanned Switch Can't Keep Up Packet drops can also occur when you are spanning ports on a very busy switch.

Consider what would happen if you spanned a physical switch port that connects to a very busy network. You connect to the network on a 1 Gb link which is actually 2 Gb because of full-duplex operations. If this network is very busy and you span several switch ports down your lowly 1 Gb downlink, that switch is likely going to drop some packets.

This situation is called oversubscription. In this case, Wireshark won't note Dropped: x in the Status Bar. Wireshark doesn't indicate that it has dropped any packets, because it hasn't—the switch didn't forward the packets to Wireshark. This switch span capture configuration is not going to work. You'll need to change where and how you capture traffic. A full-duplex tap is a great solution in this case, as shown in Figure. Intelligent taps can even offer some capture filtering capability at the tap.

Place the tap between the server and the switch. You also might consider capturing to file sets with a maximum file size of MB. Learn to customize Wireshark for faster and more accurate analysis of your network traffic.

Build graphs to identify and expose issues such as packet loss, receiver congestion, slow server response, network queuing and more. Refer to www.
