Table of Contents. Contents iii

Transcription

1 Table of Contents Contents iii Foreword by Gerald Combs, Creator of Wireshark... xxvii Preface... xxix About This Book... xxxi Who is This Book For?... xxxi How is This Book Organized?... xxxi How Can I Find Something Fast in This Book?... xxxiii What Do Those Icons Mean?... xxxiii Trace Files Used in This Book (.pcapng Format)... xxxiii What s Online at xxxiv Which Version of Wireshark Did You Use to Write This Book?... xxxiv Which WCNA Exam Version Does This Book Cover?... xxxiv How Can I Submit Comments/Change Requests for This Book?... xxxv Wireshark Certified Network Analyst Program Overview... xxxv Why Should I Pursue the Wireshark CNA Certification?... xxxv How Do I Earn the Wireshark CNA Certified Status?... xxxv Wireshark CNA Exam Objectives... xxxvi Wireshark University and Wireshark University Training Partners... xxxvi Schedule Customized Onsite/Web-Based Training... xxxvi Chapter 1: The World of Network Analysis... 1 Define Network Analysis... 2 Follow an Analysis Example... 3 Walk-Through of a Troubleshooting Session... 6 Walk-Through of a Typical Security Scenario (aka Network Forensics)... 8 Troubleshooting Tasks for the Network Analyst... 9 Security Tasks for the Network Analyst Optimization Tasks for the Network Analyst Application Analysis Tasks for the Network Analyst Understand Security Issues Related to Network Analysis Define Policies Regarding Network Analysis Files Containing Network Traffic Should be Secured Protect Your Network against Unwanted Sniffers Be Aware of Legal Issues of Listening to Network Traffic Overcome the Needle in the Haystack Issue Review a Checklist of Analysis Tasks Understand Network Traffic Flows Switching Overview Routing Overview Proxy, Firewall and NAT/PAT Overview Other Technologies that Affect Packets Warnings about Smarter Infrastructure Devices Launch an Analysis Session... 19

2 iv Contents Case Study: Pruning the Puke Case Study: The Securely Invisible Network Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 2: Introduction to Wireshark Wireshark Creation and Maintenance Obtain the Latest Version of Wireshark Compare Wireshark Release and Development Versions Thanks to the Wireshark Developers! Calculating the Value of the Wireshark Code Report a Wireshark Bug or Submit an Enhancement Following Export Regulations Identifying Products that Leverage Wireshark s Capabilities Capture Packets on Wired or Wireless Networks Libpcap WinPcap AirPcap Open Various Trace File Types Understand How Wireshark Processes Packets Core Engine Dissectors and Plugins and Display Filters GIMP Toolkit (GTK+) Use the Start Page The Capture Area The Files Area The Online Area The Capture Help Area Identify the Nine GUI Elements Add the Wireshark Version to the Title Bar Displaying the Wireless Toolbar (Windows Only) Opening and Closing Panes Interpreting the Status Bar Navigate Wireshark s Main Menu File Menu Items Edit Menu Items View Menu Items Go Menu Items Capture Menu Items Analyze Menu Items Statistics Menu Items Telephony Menu Items Tools Menu Items Internals Menu Items Help Menu Items... 74

3 Use the Main Toolbar for Efficiency Toolbar Icon Definitions Focus Faster with the Filter Toolbar Make the Wireless Toolbar Visible Work Faster Using Right-Click Functionality Right Click Edit or Add Packet Comment Right Click Copy Right Click Apply As Column Right Click Wiki Protocol Page (Packet Details Pane) Right Click Filter Field Reference (Packet Details Pane) Right Click Resolve Name (Packet Details Pane) Right Click Protocol Preferences Sign Up for the Wireshark Mailing Lists Join ask.wireshark.org! Know Your Key Resources Get Some Trace Files Case Study: Detecting Database Death Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 3: Capture Traffic Know Where to Tap Into the Network Run Wireshark Locally Portable Wireshark Wireshark U Capture Traffic on Switched Networks Use a Simple Hub on Half-Duplex Networks Use a Test Access Port (TAP) on Full-Duplex Networks Using Analyzer Agents for Remote Capture Set up Port Spanning/Port Mirroring on a Switch Example of Span Commands Spanning VLANs Analyze Routed Networks Analyze Wireless Networks Monitor Mode Native Adapter Capture Issues Capture at Two Locations (Dual Captures) Select the Right Capture Interface Capture on Multiple Adapters Simultaneously Interface Details (Windows Only) Capture Traffic Remotely Configuration Parameters for Remote Capture with rpcapd.exe Remote Capture: Active and Passive Mode Configurations Save and Use Remote Capture Configurations Contents v

4 vi Contents Automatically Save Packets to One or More Files Create File Sets for Faster Access Use a Ring Buffer to Limit the Number of Files Saved Define an Automatic Stop Criteria Optimize Wireshark to Avoid Dropping Packets Consider a Dedicated Analyzer Laptop Capture Options for Optimization Display Options for Optimization Conserve Memory with Command-Line Capture Case Study: Dual Capture Points the Finger Case Study: Capturing Traffic at Home Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 4: Create and Apply Capture Filters The Purpose of Capture Filters Apply a Capture Filter to an Interface Build Your Own Set of Capture Filters Identifiers Qualifiers Filter by a Protocol Filter Incoming Connection Attempts Create MAC/IP Address or Host Name Capture Filters Use a My MAC Capture Filter for Application Analysis Filter Your Traffic Out of a Trace File (Exclusion Filter) Capture One Application s Traffic Only Use Operators to Combine Capture Filters Create Capture Filters to Look for Byte Values Manually Edit the Capture Filters File Sample cfilters File Share Capture Filters with Others Case Study: Kerberos UDP to TCP Issue Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 5: Define Global and Personal Preferences Find Your Configuration Folders Set Global and Personal Configurations Customize Your User Interface Settings File Open Dialog Behavior Maximum List Entries Pane Configurations Columns

5 Contents vii Define Your Capture Preferences Select a Default Interface for Faster Capture Launch Enable Promiscuous Mode to Analyze Other Hosts Traffic The Future Trace File Format is Here: pcap-ng See the Traffic in Real Time Automatically Scroll During Capture Automatically Resolve IP and MAC Names Resolve Hardware Addresses (MAC Name Resolution) Resolve IP Addresses (Network Name Resolution) Plot IP Addresses on a World Map with GeoIP Resolve Port Numbers (Transport Name Resolution) Resolve SNMP Information Configure Filter Expressions Configure Statistics Settings Define ARP, TCP, HTTP/HTTPS and Other Protocol Settings Detect Duplicate IP Addresses and ARP Storms Define How Wireshark Handles TCP Traffic Set Additional Ports for HTTP and HTTPS Dissection Enhance VoIP Analysis with RTP Settings Configure Wireshark to Decrypt SSL Traffic Configure Protocol Settings with Right-Click Case Study: Non-Standard Web Server Setup Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 6: Colorize Traffic Use Colors to Differentiate Traffic Types Disable One or More Coloring Rules Share and Manage Coloring Rules Identify Why a Packet is a Certain Color Create a Butt Ugly Coloring Rule for HTTP Errors Color Conversations to Distinguish Them Temporarily Mark Packets of Interest Alter Stream Reassembly Coloring Case Study: Colorizing SharePoint Connections During Login Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 7: Define Time Values and Interpret Summaries Use Time to Identify Network Problems Understand How Wireshark Measures Packet Time Choose the Ideal Time Display Format Deal with Timestamp Accuracy and Resolution Issues

6 viii Contents Send Trace Files Across Time Zones Identify Delays with Time Values Create Additional Time Columns Measure Packet Arrival Times with a Time Reference Identify Client, Server and Path Delays Calculate End-to-End Path Delays Locate Slow Server Responses Spot Overloaded Clients View a Summary of Traffic Rates, Packet Sizes and Overall Bytes Transferred Compare Up to Three Traffic Types in a Single Summary Window Compare Summary Information for Two or More Trace Files Case Study: Time Column Spots Delayed ACKs Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 8: Interpret Basic Trace File Statistics Launch Wireshark Statistics Identify Network Protocols and Applications Protocol Settings Can Affect Your Results Identify the Most Active Conversations List Endpoints and Map Them on the Earth Spot Suspicious Targets with GeoIP List Conversations or Endpoints for Specific Traffic Types Evaluate Packet Lengths List All IPv4/IPv6 Addresses in the Traffic List All Destinations in the Traffic List UDP and TCP Usage Analyze UDP Multicast Streams Graph the Flow of Traffic Gather Your HTTP Statistics Examine All WLAN Statistics Case Study: Application Analysis: Aptimize Website Accelerator Case Study: Finding VoIP Quality Issues Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 9: Create and Apply Display Filters Understand the Purpose of Display Filters Create Display Filters Using Auto-Complete Apply Saved Display Filters Use Expressions for Filter Assistance

7 Make Display Filters Quickly Using Right-Click Filtering Apply as Filter Prepare a Filter Copy As Filter Filter on Conversations and Endpoints Filter on the Protocol Hierarchy Window Understand Display Filter Syntax Combine Display Filters with Comparison Operators Alter Display Filter Meaning with Parentheses Filter on the Existence of a Field Filter on Specific Bytes in a Packet Find Key Words in Upper or Lower Case More Interesting Regex Filters Let Wireshark Catch Display Filter Mistakes Use Display Filter Macros for Complex Filtering Avoid Common Display Filter Mistakes Manually Edit the dfilters File Case Study: Using Filters and Graphs to Solve Database Issues Case Study: The Chatty Browser Case Study: Catching Viruses and Worms Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 10: Follow Streams and Reassemble Data The Basics of Traffic Reassembly Follow and Reassemble UDP Conversations Follow and Reassemble TCP Conversations Identify Common File Types Reassemble an FTP File Transfer Follow and Reassemble SSL Conversations Reassemble an SMB Transfer Case Study: Unknown Hosts Identified Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 11: Customize Wireshark Profiles Customize Wireshark with Profiles Create a New Profile Share Profiles Create a Troubleshooting Profile Create a Corporate Profile Create a WLAN Profile Create a VoIP Profile Create a Security Profile Contents ix

8 x Contents Case Study: Customizing Wireshark for the Customer Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 12: Annotate, Save, Export and Print Packets Annotate a Packet or an Entire Trace File Save Filtered, Marked and Ranges of Packets Export Packet Content for Use in Other Programs Export SSL Keys Save Conversations, Endpoints, IO Graphs and Flow Graph Information Export Packet Bytes Case Study: Saving Subsets of Traffic to Isolate Problems Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 13: Use Wireshark s Expert System Let Wireshark s Expert Information Guide You Launch Expert Info Quickly Colorize Expert Info Elements Filter on TCP Expert Information Elements Understand TCP Expert Information What Triggers TCP Retransmissions? What Triggers Previous Segment Lost? What Triggers ACKed Lost Packet? What Triggers Keep Alive? What Triggers Duplicate ACK? What Triggers Zero Window? What Triggers Zero Window Probe? What Triggers Zero Window Probe ACK? What Triggers Keep Alive ACK? What Triggers Out-of-Order? What Triggers Fast Retransmission? What Triggers Window Update? What Triggers Window is Full? What Triggers TCP Ports Reused? What Triggers 4 NOP in a Row? Case Study: Expert Info Catches Remote Access Headaches Summary Practice What You ve Learned Review Questions Answers to Review Questions

9 Chapter 14: TCP/IP Analysis Overview TCP/IP Functionality Overview When Everything Goes Right Follow the Multi-Step Resolution Process Step 1: Port Number Resolution Step 2: Network Name Resolution (Optional) Step 3: Route Resolution When the Target is Local Step 4: Local MAC Address Resolution Step 5: Route Resolution When the Target is Remote Step 6: Local MAC Address Resolution for a Gateway Build the Packet Case Study: Absolving the Network from Blame Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 15: Analyze Domain Name System (DNS) Traffic The Purpose of DNS Analyze Normal DNS Queries/Responses Analyze DNS Problems Dissect the DNS Packet Structure Transaction ID Flags Question Count Answer Resource Record (RR) Count Authority RRs Count Additional RRs Count Queries Answer RRs Authority RRs Additional RRs Resource Record Time to Live (TTL) Value Filter on DNS/MDNS Traffic Case Study: DNS Killed Web Browsing Performance Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 16: Analyze Address Resolution Protocol (ARP) Traffic Identify the Purpose of ARP Analyze Normal ARP Requests/Responses Analyze Gratuitous ARPs Analyze ARP Problems Contents xi

10 xii Contents Dissect the ARP Packet Structure Hardware Type Protocol Type Length of Hardware Address Length of Protocol Address Opcode Sender s Hardware Address Sender s Protocol Address Target Hardware Address Target Protocol Address Filter on ARP Traffic Case Study: Death by ARP Case Study: The Tale of the Missing ARP Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 17: Analyze Internet Protocol (IPv4/IPv6) Traffic Identify the Purpose of IP Analyze Normal IPv4 Traffic Analyze IPv4 Problems Dissect the IPv4 Packet Structure Version Field Header Length Field Differentiated Services Field and Explicit Congestion Notification Total Length Field Identification Field Flags Field Fragment Offset Field Time to Live Field Protocol Field Header Checksum Field IPv4 Source Address Field IPv4 Destination Address Field Options Field IPv4 Broadcast/Multicast Traffic An Introduction to IPv6 Traffic Dissect the IPv6 Packet Structure Version Field Traffic Class Fields (DiffServ, ECT and ECN-CE) Flow Label Field Payload Length Field Next Header Field Hop Limit Field Source IPv6 Address Field Destination IPv6 Address Field

11 Contents xiii Basic IPv6 Addressing Auto Configuration Mode (no DHCP Server) (M=0 and O=0) DHCPv6 Stateful Mode (M=1) DHCPv6 Stateless Mode (M=0 and O=1) to4 Tunneling (IPv6 Tunneled Inside IPv4) Teredo Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) Sanitize Your IP Addresses in Trace Files Set Your IPv4 Protocol Preferences Reassemble Fragmented IP Datagrams Enable GeoIP Lookups Interpret the Reserved Flag as a Security Flag (RFC 3514) <g> Troubleshoot Encrypted Communications Filter on IPv4 Traffic Filter on IPv6 Traffic Case Study: Everyone Blamed the Router Case Study: It s Not the Network s Problem! Case Study: IPv6 Addressing Mayhem Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 18: Analyze Internet Control Message Protocol (ICMPv4/ICMPV6) Traffic The Purpose of ICMP Analyze Normal ICMP Traffic Analyze ICMP Problems Dissect the ICMP Packet Structure Type Code Checksum Basic ICMPv6 Functionality Filter on ICMP and ICMPv6 Traffic Case Study: The Dead-End Router Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 19: Analyze User Datagram Protocol (UDP) Traffic The Purpose of UDP Analyze Normal UDP Traffic Analyze UDP Problems

12 xiv Contents Dissect the UDP Packet Structure Source Port Field Destination Port Field Length Field Checksum Field Filter on UDP Traffic Case Study: Troubleshooting Time Synchronization Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic The Purpose of TCP Analyze Normal TCP Communications The Establishment of TCP Connections When TCP-based Services are Refused The Termination of TCP Connections How TCP Tracks Packets Sequentially How TCP Recovers from Packet Loss Improve Packet Loss Recovery with Selective Acknowledgments Understand TCP Flow Control Understand Nagling and Delayed ACKs Analyze TCP Problems Dissect the TCP Packet Structure Source Port Field Destination Port Field Stream Index [Wireshark Field] Sequence Number Field Next Expected Sequence Number [Wireshark Field] Acknowledgment Number Field Data Offset Field Flags Field Window Field Checksum Field Urgent Pointer Field TCP Options Area (Optional) Filter on TCP Traffic Set TCP Protocol Preferences Validate the TCP Checksum if Possible Allow Subdissector to Reassemble TCP Streams Analyze TCP Sequence Numbers Relative Sequence Numbers Window Scaling is Calculated Automatically Track Number of Bytes in Flight Try Heuristic Sub-Dissectors First Ignore TCP Timestamps in Summary Calculate Conversation Timestamps

13 Contents xv Case Study: Connections Require Four Attempts Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 21: Graph IO Rates and TCP Trends Use Graphs to View Trends Generate Basic IO Graphs Filter IO Graphs Coloring Styles and Layers X and Y Axis Smoothing Print Your IO Graph Generate Advanced IO Graphs SUM(*) Calc MIN(*), AVG(*) and MAX(*) Calc Values COUNT(*) Calc LOAD(*) Calc Compare Traffic Trends in IO Graphs Graph Round Trip Time Graph Throughput Rates Graph TCP Sequence Numbers over Time Interpret TCP Window Size Issues Interpret Packet Loss, Duplicate ACKs and Retransmissions Case Study: Watching Performance Levels Drop Case Study: Graphing RTT to the Corporate Office Case Study: Testing QoS Policies Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 22: Analyze Dynamic Host Configuration Protocol (DHCPv4/DHCPv6) Traffic The Purpose of DHCP Analyze Normal DHCP Traffic Analyze DHCP Problems Dissect the DHCP Packet Structure Message Type Hardware Type Hardware Length Hops Transaction ID Seconds Elapsed BOOTP Flags Client IP Address Your (Client) IP Address

14 xvi Contents Next Server IP Address Relay Agent IP Address Client MAC Address Server Host Name Boot File Name Magic Cookie Option An Introduction to DHCPv Display BOOTP-DHCP Statistics Filter on DHCP/DHCPv6 Traffic Case Study: Declining Clients Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic The Purpose of HTTP Analyze Normal HTTP Communications Analyze HTTP Problems Dissect HTTP Packet Structures HTTP Methods Host Request Modifiers Filter on HTTP or HTTPS Traffic Export HTTP Objects Display HTTP Statistics HTTP Load Distribution HTTP Packet Counter HTTP Requests Graph HTTP Traffic Flows Choose Packets Choose Flow Type Choose Node Address Type Set HTTP Preferences Analyze HTTPS Communications Analyze SSL/TLS Handshake Analyze TLS Encrypted Alerts Decrypt HTTPS Traffic Export SSL Keys Case Study: HTTP Proxy Problems Summary Practice What You ve Learned Review Questions Answers to Review Questions

15 Contents xvii Chapter 24: Analyze File Transfer Protocol (FTP) Traffic The Purpose of FTP Analyze Normal FTP Communications Analyze Passive Mode Connections Analyze Active Mode Connections Analyze FTP Problems Dissect the FTP Packet Structure Filter on FTP Traffic Reassemble FTP Traffic Case Study: Secret FTP Communications Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 25: Analyze Traffic The Purpose of POP Analyze Normal POP Communications Analyze POP Problems Dissect the POP Packet Structure Filter on POP Traffic The Purpose of SMTP Analyze Normal SMTP Communications Analyze SMTP Problems Dissect the SMTP Packet Structure Filter on SMTP Traffic Case Study: SMTP Problem Scan2 Job Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 26: Introduction to (WLAN) Analysis Analyze WLAN Traffic Analyze Signal Strength and Interference Capture WLAN Traffic Compare Monitor Mode vs. Promiscuous Mode Select the Wireless Interface Set Up WLAN Decryption Select to Prepend Radiotap or PPI Headers Compare Signal Strength and Signal-to-Noise Ratios Understand Traffic Basics Data Frames Management Frames Control Frames Analyze Normal Communications Dissect the Frame Structure

16 xviii Contents Filter on All WLAN Traffic Analyze Frame Control Types and Subtypes Customize Wireshark for WLAN Analysis Case Study: Cruddy Barcode Communications Case Study: Cooking the WLAN Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 27: Introduction to Voice over IP (VoIP) Analysis Understand VoIP Traffic Flows Session Bandwidth and RTP Port Definition Analyze VoIP Problems Packet Loss Jitter Examine SIP Traffic SIP Commands SIP Response Codes Examine RTP Traffic Play Back VoIP Conversations RTP Player Marker Definitions Create a VoIP Profile Filter on VoIP Traffic Case Study: Lost VoIP Tones Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 28: Baseline Normal Traffic Patterns Understand the Importance of Baselining Baseline Broadcast and Multicast Types and Rates Baseline Protocols and Applications Baseline Boot up Sequences Baseline Login/Logout Sequences Baseline Traffic during Idle Times Baseline Application Launch Sequences and Key Tasks Baseline Web Browsing Sessions Baseline Name Resolution Sessions Baseline Throughput Tests Baseline Wireless Connectivity Baseline VoIP Communications Case Study: Login Log Jam Case Study: Solving SAN Disconnects Summary Practice What You ve Learned Review Questions Answers to Review Questions

17 Contents xix Chapter 29: Find the Top Causes of Performance Problems Troubleshoot Performance Problems Identify High Latency Times Filter on Arrival Times Filter on the Delta Times Filter on the Time since Reference or First Packet Filter on TCP Conversation Times Point to Slow Processing Times Practice Working with Time Issues Find the Location of Packet Loss Watch Signs of Misconfigurations Analyze Traffic Redirections Watch for Small Payload Sizes Look for Congestion Identify Application Faults Note Any Name Resolution Faults An Important Note about Analyzing Performance Problems Case Study: One-Way Problems Case Study: The Perfect Storm of Network Problems Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 30: Network Forensics Overview Compare Host vs. Network Forensics Gather Evidence Avoid Detection Handle Evidence Properly Recognize Unusual Traffic Patterns Color Unusual Traffic Patterns Check Out Complementary Forensic Tools Case Study: SSL/TLS Vulnerability Studied Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 31: Detect Scanning and Discovery Processes The Purpose of Discovery and Reconnaissance Processes Detect ARP Scans (aka ARP Sweeps) Detect ICMP Ping Sweeps Detect Various Types of TCP Port Scans TCP Half-Open Scan (aka Stealth Scan ) TCP Full Connect Scan Null Scans Xmas Scan

18 xx Contents FIN Scan ACK Scan Detect UDP Port Scans Detect IP Protocol Scans Understand Idle Scans Know Your ICMP Types and Codes Try These Nmap Scan Commands Analyze Traceroute Path Discovery Detect Dynamic Router Discovery Understand Application Mapping Processes Use Wireshark for Passive OS Fingerprinting Detect Active OS Fingerprinting Identify Attack Tools Identify Spoofed Addresses in Scans Case Study: Learning the Conficker Lesson Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 32: Analyze Suspect Traffic What is Suspect Traffic? Identify Vulnerabilities in the TCP/IP Resolution Processes Port Resolution Vulnerabilities Name Resolution Process Vulnerabilities MAC Address Resolution Vulnerabilities Route Resolution Vulnerabilities Identify Unacceptable Traffic Find Maliciously Malformed Packets Identify Invalid or Dark Destination Addresses Differentiate Between Flooding and Denial of Service Traffic Find Clear Text Passwords and Data Identify Phone Home Traffic Catch Unusual Protocols and Applications Locate Route Redirection that Uses ICMP Catch ARP Poisoning Catch IP Fragmentation and Overwriting Spot TCP Splicing Watch Other Unusual TCP Traffic Identify Password Cracking Attempts Build Filters and Coloring Rules from IDS Rules Header Signatures Sequence Signatures Payload Signatures Sample Wireshark Filters from IDS/IPS Rules

19 Contents xxi Case Study: The Flooding Host Case Study: Catching Keylogging Traffic Case Study: Passively Finding Malware Summary Practice What You ve Learned Review Questions Answers to Review Questions Chapter 33: Effective Use of Command-Line Tools Understand the Power of Command-Line Tools Use Wireshark.exe (Command-Line Launch) Wireshark Syntax Customize Wireshark s Launch Capture Traffic with Tshark Tshark Syntax View Tshark Statistics Gather Host Name with Tshark Examine Service Response Times (SRT) with Tshark Tshark Examples Dealing with Bug List Trace File Details with Capinfos Capinfos Syntax Capinfos Examples Edit Trace Files with Editcap Editcap Syntax Editcap Examples Merge Trace Files with Mergecap Mergecap Syntax Mergecap Examples Convert Text with Text2pcap Text2pcap Syntax Text2pcap Examples Capture Traffic with Dumpcap Dumpcap Syntax Dumpcap Examples Understand Rawshark Rawshark Syntax Case Study: Getting GETS and a Suspect Summary Practice What You ve Learned Review Questions Answers to Review Questions

20 xxii Contents Appendix A: Resources on the Book Website Video Starters Chanalyzer Pro/Wi-Spy Recordings (.wsx Files) MaxMind GeoIP Database Files (.dat Files) PhoneFactor SSL/TLS Vulnerabilities Documents/Trace Files Wireshark Customized Profiles Practice Trace Files Index