CONTENTS IN DETAIL ACKNOWLEDGMENTS INTRODUCTION 1 PACKET ANALYSIS AND NETWORK BASICS 1 2 TAPPING INTO THE WIRE 17 3 INTRODUCTION TO WIRESHARK 35

Transcription

1 CONTENTS IN DETAIL ACKNOWLEDGMENTS xv INTRODUCTION xvii Why This Book?...xvii Concepts and Approach...xviii How to Use This Book... xix About the Sample Capture Files... xx The Rural Technology Fund... xx Contacting Me... xx 1 PACKET ANALYSIS AND NETWORK BASICS 1 Packet Analysis and Packet Sniffers... 2 Evaluating a Packet Sniffer... 2 How Packet Sniffers Work... 3 How Computers Communicate... 4 Protocols... 4 The Seven-Layer OSI Model... 5 Data Encapsulation... 8 Network Hardware Traffic Classifications Broadcast Traffic Multicast Traffic Unicast Traffic Final Thoughts TAPPING INTO THE WIRE 17 Living Promiscuously Sniffing Around Hubs Sniffing in a Switched Environment Port Mirroring Hubbing Out Using a Tap ARP Cache Poisoning Sniffing in a Routed Environment Sniffer Placement in Practice INTRODUCTION TO WIRESHARK 35 A Brief History of Wireshark The Benefits of Wireshark... 36

2 Installing Wireshark Installing on Microsoft Windows Systems Installing on Linux Systems Installing on Mac OS X Systems Wireshark Fundamentals Your First Packet Capture Wireshark s Main Window Wireshark Preferences Packet Color Coding WORKING WITH CAPTURED PACKETS 47 Working with Capture Files Saving and Exporting Capture Files Merging Capture Files Working with Packets Finding Packets Marking Packets Printing Packets Setting Time Display Formats and References Time Display Formats Packet Time Referencing Setting Capture Options Capture Settings Capture File(s) Settings Stop Capture Settings Display Options Name Resolution Settings Using Filters Capture Filters Display Filters Saving Filters ADVANCED WIRESHARK FEATURES 67 Network Endpoints and Conversations Viewing Endpoints Viewing Network Conversations Troubleshooting with the Endpoints and Conversations Windows Protocol Hierarchy Statistics Name Resolution Enabling Name Resolution Potential Drawbacks to Name Resolution Protocol Dissection Changing the Dissector Viewing Dissector Source Code Following TCP Streams Packet Lengths x Contents in Detail

3 Graphing Viewing IO Graphs Round-Trip Time Graphing Flow Graphing Expert Information COMMON LOWER-LAYER PROTOCOLS 85 Address Resolution Protocol The ARP Header Packet 1: ARP Request Packet 2: ARP Response Gratuitous ARP Internet Protocol IP Addresses The IPv4 Header Time to Live IP Fragmentation Transmission Control Protocol The TCP Header TCP Ports The TCP Three-Way Handshake TCP Teardown TCP Resets User Datagram Protocol The UDP Header Internet Control Message Protocol The ICMP Header ICMP Types and Messages Echo Requests and Responses Traceroute COMMON UPPER-LAYER PROTOCOLS 113 Dynamic Host Configuration Protocol The DHCP Packet Structure The DHCP Renewal Process DHCP In-Lease Renewal DHCP Options and Message Types Domain Name System The DNS Packet Structure A Simple DNS Query DNS Question Types DNS Recursion DNS Zone Transfers Hypertext Transfer Protocol Browsing with HTTP Posting Data with HTTP Final Thoughts Contents in Detail xi

4 8 BASIC REAL-WORLD SCENARIOS 133 Social Networking at the Packet Level Capturing Twitter Traffic Capturing Facebook Traffic Comparing Twitter vs. Facebook Methods Capturing ESPN.com Traffic Using the Conversations Window Using the Protocol Hierarchy Statistics Window Viewing DNS Traffic Viewing HTTP Requests Real-World Problems No Internet Access: Configuration Problems No Internet Access: Unwanted Redirection No Internet Access: Upstream Problems Inconsistent Printer Stranded in a Branch Office Ticked-Off Developer Final Thoughts FIGHTING A SLOW NETWORK 165 TCP Error-Recovery Features TCP Retransmissions TCP Duplicate Acknowledgments and Fast Retransmissions TCP Flow Control Adjusting the Window Size Halting Data Flow with a Zero Window Notification The TCP Sliding Window in Practice Learning from TCP Error-Control and Flow-Control Packets Locating the Source of High Latency Normal Communications Slow Communications Wire Latency Slow Communications Client Latency Slow Communications Server Latency Latency Locating Framework Network Baselining Site Baseline Host Baseline Application Baseline Additional Notes on Baselines Final Thoughts PACKET ANALYSIS FOR SECURITY 189 Reconnaissance SYN Scan Operating System Fingerprinting xii Contents in Detail

5 Exploitation Operation Aurora ARP Cache Poisoning Remote-Access Trojan Final Thoughts WIRELESS PACKET ANALYSIS 215 Physical Considerations Sniffing One Channel at a Time Wireless Signal Interference Detecting and Analyzing Signal Interference Wireless Card Modes Sniffing Wirelessly in Windows Configuring AirPcap Capturing Traffic with AirPcap Sniffing Wirelessly in Linux Packet Structure Adding Wireless-Specific Columns to the Packet List Pane Wireless-Specific Filters Filtering Traffic for a Specific BSS ID Filtering Specific Wireless Packet Types Filtering a Specific Frequency Wireless Security Successful WEP Authentication Failed WEP Authentication Successful WPA Authentication Failed WPA Authentication Final Thoughts APPENDIX FURTHER READING 235 Packet Analysis Tools tcpdump and Windump Cain & Abel Scapy Netdude Colasoft Packet Builder CloudShark pcapr NetworkMiner Tcpreplay ngrep libpcap hping Domain Dossier Perl and Python Contents in Detail xiii

6 Packet Analysis Resources Wireshark Home Page SANS Security Intrusion Detection In-Depth Course Chris Sanders Blog Packetstan Blog Wireshark University IANA TCP/IP Illustrated (Addison-Wesley) The TCP/IP Guide (No Starch Press) INDEX 241 xiv Contents in Detail