PRAISE FOR PRACTICAL PACKET ANALYSIS
A wealth of information. Smart, yet very readable, and honestly made me excited to read about packet analysis.
TECHREPUBLIC
I'd recommend this book to junior network analysts, software developers, and the newly minted CSE/CISSP/etc. folks that just need to roll up their sleeves and get started troubleshooting network (and security) problems.
GUNTER OLLMANN, FORMER CHIEF TECHNICAL OFFICER OF IOACTIVE
The next time I investigate a slow network, I'll turn to Practical Packet Analysis. And that's perhaps the best praise I can offer on any technical book.
MICHAEL W. LUCAS, AUTHOR OF ABSOLUTE FREEBSD AND NETWORK FLOW ANALYSIS
An essential book if you are responsible for network administration on any level.
LINUX PRO MAGAZINE
A wonderful, simple-to-use, and well-laid-out guide.
ARSGEEK.COM
If you need to get the basics of packet analysis down pat, this is a very good place to start.
STATEOFSECURITY.COM
Very informative and held up to the key word in its title, practical. It does a great job of giving readers what they need to know to do packet analysis and then jumps right in with vivid real-life examples of what to do with Wireshark.
LINUXSECURITY.COM
Are there unknown hosts chatting away with each other? Is my machine talking to strangers? You need a packet sniffer to really find the answers to these questions. Wireshark is one of the best tools to do this job, and this book is one of the best ways to learn about that tool.
FREE SOFTWARE MAGAZINE
Perfect for the beginner to intermediate.
DAEMON NEWS
PRACTICAL PACKET ANALYSIS
3RD EDITION
Using Wireshark to Solve Real-World Network Problems
Chris Sanders
San Francisco
PRACTICAL PACKET ANALYSIS, 3RD EDITION. Copyright 2017 by Chris Sanders.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
ISBN-10: 1-59327-802-0
ISBN-13: 978-1-59327-802-1
Publisher: William Pollock
Production Editor: Serena Yang
Cover Illustration: Octopod Studios
Interior Design: Octopod Studios
Developmental Editor: William Pollock and Jan Cash
Technical Reviewer: Tyler Reguly
Copyeditor: Paula L. Fleming
Compositor: Janelle Ludowise
Proofreader: James Fraleigh
Indexer: BIM Creatives, LLC.
For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900;
www.nostarch.com
The Library of Congress has catalogued the first edition as follows:
Sanders, Chris, 1986-
Practical packet analysis : using Wireshark to solve real-world network problems / Chris Sanders.
p. cm.
ISBN-13: 978-1-59327-149-7
ISBN-10: 1-59327-149-2
1. Computer network protocols. 2. Packet switching (Data transmission) I. Title.
TK5105.55.S265 2007
004.6'6--dc22
2007013453
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
Amazing grace, how sweet the sound
That saved a wretch like me.
I once was lost but now I'm found.
Was blind but now I see.
BRIEF CONTENTS
CONTENTS IN DETAIL
PACKET ANALYSIS AND NETWORK BASICS
TAPPING INTO THE WIRE
INTRODUCTION TO WIRESHARK
WORKING WITH CAPTURED PACKETS
ADVANCED WIRESHARK FEATURES
PACKET ANALYSIS ON THE COMMAND LINE
NETWORK LAYER PROTOCOLS
TRANSPORT LAYER PROTOCOLS
COMMON UPPER-LAYER PROTOCOLS
BASIC REAL-WORLD SCENARIOS
FIGHTING A SLOW NETWORK
PACKET ANALYSIS FOR SECURITY
WIRELESS PACKET ANALYSIS
A: FURTHER READING
B: NAVIGATING PACKETS
ACKNOWLEDGMENTS
I'd like to express sincere gratitude for the people who've supported me and the development of this book.
Ellen, thank you for your unconditional love and for putting up with me pecking away at the keyboard in bed for countless nights while you were trying to sleep.
Mom, even in death the example of kindness you set continues to motivate me. Dad, I learned what hard work was from you and none of this happens without that.
Jason Smith, you're like a brother to me, and I can't thank you enough for being a constant sounding board.
Regarding my coworkers past and present, I'm very fortunate to have surrounded myself with people who've made me a smarter, better person. There's no way I can name everyone, but I want to sincerely thank Dustin, Alek, Martin, Patrick, Chris, Mike, and Grady for supporting me every day and embracing what it means to be servant leaders.
Thanks to Tyler Reguly, who served as the primary technical editor. I make stupid mistakes sometimes, and you make me look less stupid. Also, thanks to David Vaughan for providing an extra set of eyes, Jeff Carrell for helping edit the IPv6 content, Brad Duncan for providing a capture file used in the security chapter, and the team at QA Café for providing a Cloudshark license that I used to organize the packet captures for the book.
Of course, I also have to extend thanks to Gerald Combs and the Wireshark development team. It's the dedication of Gerald and hundreds of other developers that makes Wireshark such a great analysis platform. If it weren't for their efforts, information technology and network security would be significantly worse off.
Finally, thanks to Bill, Serena, Anna, Jan, Amanda, Alison, and the rest of the No Starch Press staff for their diligence in editing and producing all three editions of Practical Packet Analysis.
INTRODUCTION
This third edition of Practical Packet Analysis was written and edited over the course of a year and a half, from late 2015 to early 2017, approximately 6 years after the second edition's release and 10 years since publication of the original. This book contains a significant amount of new content, with completely new capture files and scenarios and an entirely new chapter covering packet analysis from the command line with TShark and tcpdump. If you liked the first two editions, then you'll like this one. It's written in the same tone and breaks down explanations in a simple, understandable manner. If you were hesitant to try out the last two editions because they didn't include the latest information on networking or Wireshark updates, you'll want to read this one because of the expanded content on new network protocols and updated information on Wireshark 2.