Learn Wireshark
A definitive guide to expertly analyzing protocols and troubleshooting networks using Wireshark

Product type: Paperback
Published: Aug 2022
Publisher: Packt
ISBN-13: 9781803231679
Length: 606 pages
Edition: 2nd Edition
Author: Lisa Bock

Table of Contents

Preface
Part 1: Traffic Capture Overview
  Chapter 1: Appreciating Traffic Analysis
  Chapter 2: Using Wireshark
  Chapter 3: Installing Wireshark
  Chapter 4: Exploring the Wireshark Interface
Part 2: Getting Started with Wireshark
  Chapter 5: Tapping into the Data Stream
  Chapter 6: Personalizing the Interface
  Chapter 7: Using Display and Capture Filters
  Chapter 8: Outlining the OSI Model
Part 3: The Internet Suite TCP/IP
  Chapter 9: Decoding TCP and UDP
  Chapter 10: Managing TCP Connections
  Chapter 11: Analyzing IPv4 and IPv6
  Chapter 12: Discovering ICMP
Part 4: Deep Packet Analysis of Common Protocols
  Chapter 13: Diving into DNS
  Chapter 14: Examining DHCP
  Chapter 15: Decoding HTTP
  Chapter 16: Understanding ARP
Part 5: Working with Packet Captures
  Chapter 17: Determining Network Latency Issues
  Chapter 18: Subsetting, Saving, and Exporting Captures
  Chapter 19: Discovering I/O and Stream Graphs
  Chapter 20: Using CloudShark for Packet Analysis
Assessments
Other Books You May Enjoy

What this book covers

Chapter 1, Appreciating Traffic Analysis, describes the countless places and reasons to conduct packet analysis. In addition, we'll cover the many benefits of using Wireshark, an open source protocol analyzer that includes many rich features.

Chapter 2, Using Wireshark, starts with an overview of the beginnings of today's Wireshark. We'll examine the interface and review the phases of packet analysis. Finally, we'll cover the built-in tools, with a closer look at tshark (or terminal-based Wireshark), a lightweight alternative to Wireshark.

Chapter 3, Installing Wireshark, illustrates how Wireshark provides support for different operating systems. We'll compare the different capture engines, such as WinPcap, libpcap, and Npcap, walk through a standard Windows installation, and then review the resources available at https://www.wireshark.org/.

Chapter 4, Exploring the Wireshark Interface, provides a deeper dive into some of the common elements of Wireshark to improve your workflow. We'll investigate the welcome screen and common menu choices, such as File, Edit, and View, so that you can easily navigate the interface during an analysis.

Chapter 5, Tapping into the Data Stream, starts with a comparison of the different network architectures and then moves on to the various capture options. You'll discover the conversations and endpoints you'll see when tapping into the stream, and then learn about the importance of baselining network traffic.

Chapter 6, Personalizing the Interface, helps you to realize all the ways you can customize the many aspects of the interface. You'll learn how to personalize the layout and general appearance, create a tailored configuration profile, adjust the columns, font, and color, and create buttons.

Chapter 7, Using Display and Capture Filters, helps you to make examining a packet capture less overwhelming. We'll take a look at how to narrow your scope by filtering network traffic. We'll compare and contrast display and capture filters, discover the shortcuts used to build filters, and conclude with a review of the expression builder.

Chapter 8, Outlining the OSI Model, provides an overview of the Open Systems Interconnection (OSI) model, a seven-layer framework that outlines how the OS prepares data for transport on the network. We'll review the purpose, protocols, and Protocol Data Units (PDUs) of each layer, explore the encapsulation process, and demonstrate the frame formation in Wireshark.

Chapter 9, Decoding TCP and UDP, is a deep dive into two of the key protocols in the transport layer – the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). We'll review the purpose of the transport layer and then evaluate the header and field values of both TCP and UDP.

Chapter 10, Managing TCP Connections, begins by examining the three-way handshake. We'll discover the TCP options, get a better understanding of the TCP protocol preferences, and then conclude with an overview of the TCP teardown process.

Chapter 11, Analyzing IPv4 and IPv6, provides a breakdown of the purpose of the Internet Protocol (IP). We'll outline IPv4 and the header fields and then explore the streamlined header of IPv6. We'll summarize with a discussion of the protocol preferences and see how IPv4 and IPv6 can coexist by using tunneling protocols.

Chapter 12, Discovering ICMP, details the purpose of the Internet Control Message Protocol (ICMP). We'll dissect ICMP and ICMPv6, compare query and error messages, and discuss the ICMP type and code values. We'll cover how ICMP can be used in malicious ways and outline the importance of configuring firewall rules.

Chapter 13, Diving into DNS, outlines the significance of the Domain Name System (DNS). You'll learn how DNS works when resolving a hostname to an IP address. We'll compare the different types of records, step through a query and response, review the DNS header, and calculate the DNS response time using Wireshark.

Chapter 14, Examining DHCP, begins by explaining the need for the Dynamic Host Configuration Protocol (DHCP). We'll then outline the DORA process – Discover, Offer, Request, and Acknowledge. We'll dissect a DHCP header and review all the field values, flags, and port numbers, and then finish by stepping through a DHCP example.

Chapter 15, Decoding HTTP, highlights the Hypertext Transfer Protocol (HTTP), an application layer protocol used when browsing the web. We'll learn the details of HTTP, explore common methods of transport, and dissect the header and fields. We'll compare request and response messages and then summarize by following an HTTP stream.

Chapter 16, Understanding ARP, takes a closer look at the Address Resolution Protocol (ARP), which is a significant protocol in delivering data. We'll outline the role and purpose of ARP, explore the header and fields, describe the different types of ARP, and take a brief look at ARP attacks.

Chapter 17, Determining Network Latency Issues, outlines how even a beginner can diagnose network problems. We'll explore coloring rules and the Intelligent Scrollbar, and then conclude with an overview of the expert information, which divides the alerts into categories and guides you through a more targeted evaluation.

Chapter 18, Subsetting, Saving, and Exporting Captures, helps you to explore the many different ways in which to break down a packet capture into smaller files for analysis. We'll cover the different options when saving a file, discover ways to export components such as objects, session keys, and packet bytes, and then outline why and how to add comments.

Chapter 19, Discovering I/O and Stream Graphs, begins by covering the many ways the statistics menu can help us when analyzing a capture file. We'll create basic I/O graphs to help visualize network issues and summarize by comparing how the different TCP stream graphs provide a visual representation of the streams.

Chapter 20, Using CloudShark for Packet Analysis, covers CloudShark, an online application that is similar to Wireshark. You'll learn how to filter traffic and generate graphs. We'll then review how you can share captures with colleagues and outline where you can find sample captures so that you can continue improving your skills.
