Co-worker Jamie Dixon turned me onto this book: Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems.
If you work in Information Technology in any capacity:
- Duh-veloper, like me
- Systems manager
- Network manager
- Etc, etc…
You could benefit from this book. It starts from square-one and expects that you are generally familiar with TCP/IP and networking – but not hardcore.
It then breaks down the steps to capturing network traffic, and then analyzing it. It’s not nearly as simple as it used to be. Nowadays with switches and routers, it can actually be quite tricky to capture network traffic between two computers! Luckily, they cover several techniques for this. Then, once you capture a bunch of network traffic – how do you make sense of it all? Well, the book tells you!
What is this?
When you use a computer on a network, the data you send across that network has structure. This book delves into using free software to capture those network packets and using that information to discover problems, slow response, and other things which could lead to trouble. You don’t need to be a programmer – this uses all free, open source tools on a Windows, Mac, or Linux machine which will act as your network “sniffer”.
It covers some topics for Mac and Linux, but this book is primarily based around Wireshark on Windows.
Here’s a list of the main themes covered:
- Strategies for physically capturing network traffic
- Port mirroring – with a managed switch, have all traffic from the target get mirrored to your sniffer.
- Hubbing out – plug the target machine and your sniffer into the hub, and then plug that into the network.
- Using a tap – using a physical device to share network traffic to your sniffer.
- ARP cache poisoning – report that YOU are the source and destination MAC address so all traffic gets routed through your sniffer.
- Direct install – install sniffing software on the target system.
- Actually capturing network traffic
- Setting up Wireshark (on Windows, Mac, and Linux)
- How to actually use Wireshark – a walk through the features and windows.
- Working with captures (saving, exporting, merging, etc).
- Understanding capture filters, display filters, and triggers.
- Understanding “conversations” and endpoints in Wireshark.
- Working with name resolution.
- Advanced Wireshark topics
- Dissecting protocols (actually picking apart what was sent/received).
- Re-assembling (follow) TCP streams – reconstituting a stream of data.
- Walkthrough of graphing and charting capabilities of Wireshark.
- Understanding the lower-level protocols
- Address Resolution Protocol (ARP)
- Internet Protocol (IP)
- Transmission Control Protocol (TCP) – reliable, stateful connections.
- User Datagram Protocol (UDP) – unreliable, fast, stateless transmissions.
- Internet Control Message Protocol (ICMP) – also known as the protocol for “ping”
- Understanding the upper-level protocols
- Dynamic Host Configuration Protocol (DHCP) – getting a TCP/IP address when your computer boots.
- Domain Name System (DNS) – resolving a friendly name (e.g. http://www.google.com) to a TCP/IP address.
- Hypertext Transfer Protocol (HTTP) – what web pages and web services use.
- Real-world Examples
- Capturing Twitter and Facebook traffic.
- Viewing HTTP and DNS traffic.
- Troubleshooting no internet access for a user.
- Troubleshooting an inconsistent printer.
- Troubleshooting intranet DNS problems in a remote branch office.
- Troubleshooting corrupt data being sent from an in-house developed application.
- A whole chapter on troubleshooting a “slow network”.
- Establishing a network baseline – so you can compare best-case, to a perceived network slow down.
- Packet analysis for security (ethical hacking)
- SYN scans – a “quiet” way to detect which ports are open on your target.
- Port scans – a louder way to detect which ports are open on your target.
- Operating system “fingerprinting” – figuring which operating system your target is running.
- Analysis of the “aurora” exploit.
- More on ARP cache poisoning.
- Analysis of Remote Access Trojans (RATs)
- Wireless Packet Analysis
- Analysis of the differences for wireless networks.
- Walkthrough of the AirPcap device – for wireless network sniffing.
- How 802.11 wireless packets differ from regular wired Ethernet.
- Wireless-specific filters in Wireshark.
- How wireless authentication works (WEP and WPA)
The book then wraps up with TONS of resources for other programs you can try, along with lots of additional reading. As you can see, this is a really great overview of some pretty useful topics. If you are not familiar with these – the walkthroughs are pretty straight-forward and include lots of screenshots.
I was already familiar with some of this, but I learned a LOT! This filled in a lot of cracks in my knowledge about networking, and about protocol analyzers. In short, I definitely recommend this book!
Ethics and Legal Stuff:
Please do not take this lightly.
WARNING: You should NEVER attempt any of these practices on a network you don’t own.
If you have visions of being a “hacker” and capturing public network traffic, and/or try to break into a network – understand that there are significant provisions in many laws to jail you or indefinitely detain you without a trial, including (but not limited to):
- USA PATRIOT Act (sections 209, 217, and 220 – at least)
- Computer Fraud and Abuse Act (the law)
- Electronic Communications Privacy Act (ECPA) [18 U.S.C. Sections 2510-2521, 2701-2710]
- Economic Espionage Act (EEA) (the law)
- Wire Fraud Act (overview of how this can apply)
- Identity Theft and Assumption Deterrence Act (ITADA) [18 U.S.C. Section 1028(a)(7)]
Also consider that most states have state-specific laws too with which you can be charged – and the Department of Justice also has a long list of ways in which they can prosecute you too. You can easily be labeled a domestic terrorist and subject to indefinite detention with no trial and no charges. This is no longer the days of Kevin Mitnick where the law “didn’t know” what to do with phreakers.
Nowadays, they do – and those caught go to Gitmo to send a message. Or, if you’re lucky, you’ll just go to jail for 25 years.
So please – only use these techniques on a network you OWN (like, at home) or one where you are responsible (like, at work – where you are a network administrator with permission to do these things). Otherwise, you credibly put yourself at serious risk of being jailed for the rest of your adult life. Be warned!
Lastly, even if you are a network administrator, you may still want to look into a Certified Ethical Hacker (CEH) certification for example, because if you accidentally bring down your company network, you may not be arrested – but you could end up getting fired. So be careful out there.
“With great power comes great responsibility.” –Uncle Ben (from Spiderman)