Wireshark Fundamentals
A Network Engineer's Handbook to Analyzing Network Traffic

Vinit Jain

Wireshark Fundamentals: A Network Engineer's Handbook to Analyzing Network Traffic
Vinit Jain
San Jose, CA, USA

ISBN-13 (pbk): 978-1-4842-8001-0
ISBN-13 (electronic): 978-1-4842-8002-7
https://doi.org/10.1007/978-1-4842-8002-7

Copyright 2022 by Vinit Jain

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image, we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Aditee Mirashi
Development Editor: Laura Berendson
Coordinating Editor: Aditee Mirashi
Cover designed by eStudioCalamar
Cover image designed by Freepik (www.freepik.com)

Distributed to the book trade worldwide by Springer Science+Business Media New York, 1 New York Plaza, Suite 4600, New York, NY 10004-1562, USA. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail orders-ny@springer-sbm.com, or visit www.springeronline.com. Apress Media, LLC is a California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.

For information on translations, please e-mail booktranslations@springernature.com; for reprint, paperback, or audio rights, please e-mail bookpermissions@springernature.com.

Apress titles may be purchased in bulk for academic, corporate, or promotional use. eBook versions and licenses are also available for most titles. For more information, reference our Print and eBook Bulk Sales web page at http://www.apress.com/bulk-sales.

Any source code or other supplementary material referenced by the author in this book is available to readers on GitHub via the book's product page, located at www.apress.com/978-1-4842-8001-0. For more detailed information, please visit http://www.apress.com/source-code.

Printed on acid-free paper

Dedication

I would like to dedicate this book to my late brother Lalit Jain (Dada Bhai), who was and will always be an inspiration in my life. You always treated me as your son and gave me so much love my whole life. Dada Bhai, I will always miss our conversations, your jokes and smile even during the tough moments, your love, and the bonding we shared. I didn't even get a chance to hug you and bid you a goodbye. It will always be the biggest regret of my life that I wasn't there when you needed me the most. I wish I was there to save you. With you gone it feels like I have lost the roof above my head for the rest of my life. I know I have lost a gem of a brother in this life but hopefully we will meet again in the life beyond this one. I just want to let you know that I will always love you and will keep doing my best to reach the heights that you wanted me to. May your soul rest in peace.

Table of Contents

About the Author ix
About the Technical Reviewers xi
Acknowledgments xiii
Introduction xv

Chapter 1: Introduction to Wireshark 1
    Introduction to Network Traffic Analysis 1
    Network Sniffing 6
    Overview of Wireshark 16
    Installing Wireshark 17
    Installing Wireshark on Windows 17
    Installing Wireshark on Mac 19
    Setting Up Port Mirroring 22
    SPAN on Cisco IOS/IOS-XE 23
    SPAN on Cisco Nexus Switches 25
    Enabling Port Mirroring on Arista EOS 30
    Enabling Port Mirroring on JunOS 31
    Summary 33
    References in This Chapter 33

Chapter 2: Getting Familiar with Wireshark 35
    Overview of Wireshark Tool 35
    Wireshark Preferences 36
    Performing Packet Capture Using Wireshark 41
    Dissectors 43
    Configuration Profiles 45
    Filtering with Wireshark 47
    Working with Wireshark Capture Files 60
    PCAP vs PCAPng 60
    Splitting Packet Captures into Multiple Files 65
    Merging Multiple Capture Files 66
    Analyzing Packets in Wireshark 68
    OSI Model 69
    Analyzing Packets 71
    Summary 78

Chapter 3: Analyzing Layer 2 and Layer 3 Traffic 79
    Layer 2 Frames 79
    Ethernet Frames 81
    Layer 3 Packets 86
    Address Resolution Protocol 86
    IPv4 Packets 90
    IPv6 Packets 111
    Analyzing QoS Markings 127
    Summary 133
    Reference in This Chapter 134

Chapter 4: Analyzing Layer 4 Traffic 135
    Understanding the TCP/IP Model 135
    Problem of Ownership 140
    Transmission Control Protocol 141
    TCP Flags 146
    TCP Three-Way Handshake 148
    Port Scanning 157
    Investigating Packet Loss 159
    Troubleshooting with Wireshark Graphs 164
    TCP Expert 182
    User Datagram Protocol 187
    Summary 193
    References in This Chapter 194

Chapter 5: Analyzing Control Plane Traffic 195
    Analyzing Routing Protocol Traffic 195
    OSPF 196
    EIGRP 210
    BGP 218
    PIM 226
    Analyzing Overlay Traffic 235
    GRE 236
    IPSec 237
    VXLAN 244
    Summary 249

Index 251

About the Author

Vinit Jain is a Senior Technical Leader for Network Engineering at Cisco, focusing on architecting network infrastructure for edge computing solutions. Prior to that, he worked as a Network Development Engineer at Amazon as part of Amazon's backbone network operations team and as a technical leader at the Cisco Technical Assistance Center, providing escalation support in enterprise, service provider, and data center technologies. Vinit is a speaker at various networking forums, including Cisco Live events, NANOG, and CHINOG. He has coauthored several Cisco Press books and video courses with Cisco Press. Vinit holds a bachelor of arts degree in mathematics from Delhi University and also holds a master of science in information technology. Apart from CCIE, he also holds multiple certifications in programming, database, and system administration and is also a Certified Ethical Hacker.

About the Technical Reviewers

Carsten Thomsen is primarily a back-end developer, but he works with smaller front-end bits as well.