
[Wireshark]Practical Packet.Analysis.3rd.Edition.2017.4.pdf

Brief Contents
Contents in Detail
Acknowledgments
Introduction
Why This Book?
Concepts and Approach
How to Use This Book
About the Sample Capture Files
The Rural Technology Fund
Contacting Me
Chapter 1: Packet Analysis and Network Basics
Packet Analysis and Packet Sniffers
Evaluating a Packet Sniffer
How Packet Sniffers Work
How Computers Communicate
Protocols
The Seven-Layer OSI Model
Network Hardware
Traffic Classifications
Broadcast Traffic
Multicast Traffic
Unicast Traffic
Final Thoughts
Chapter 2: Tapping into the Wire
Living Promiscuously
Sniffing Around Hubs
Sniffing in a Switched Environment
Port Mirroring
Hubbing Out
Using a Tap
ARP Cache Poisoning
Sniffing in a Routed Environment
Sniffer Placement in Practice
Chapter 3: Introduction to Wireshark
A Brief History of Wireshark
The Benefits of Wireshark
Installing Wireshark
Installing on Windows Systems
Installing on Linux Systems
Installing on OS X Systems
Wireshark Fundamentals
Your First Packet Capture
Wireshark’s Main Window
Wireshark Preferences
Packet Color Coding
Configuration Files
Configuration Profiles
Chapter 4: Working with Captured Packets
Working with Capture Files
Saving and Exporting Capture Files
Merging Capture Files
Working with Packets
Finding Packets
Marking Packets
Printing Packets
Setting Time Display Formats and References
Time Display Formats
Packet Time Referencing
Time Shifting
Setting Capture Options
Input Tab
Output Tab
Options Tab
Using Filters
Capture Filters
Display Filters
Saving Filters
Adding Display Filters to a Toolbar
Chapter 5: Advanced Wireshark Features
Endpoints and Network Conversations
Viewing Endpoint Statistics
Viewing Network Conversations
Identifying Top Talkers with Endpoints and Conversations
Protocol Hierarchy Statistics
Name Resolution
Enabling Name Resolution
Potential Drawbacks to Name Resolution
Using a Custom hosts File
Manually Initiated Name Resolution
Protocol Dissection
Changing the Dissector
Viewing Dissector Source Code
Following Streams
Following SSL Streams
Packet Lengths
Graphing
Viewing IO Graphs
Round-Trip Time Graphing
Flow Graphing
Expert Information
Chapter 6: Packet Analysis on the Command Line
Installing TShark
Installing tcpdump
Capturing and Saving Packets
Manipulating Output
Name Resolution
Applying Filters
Time Display Formats in TShark
Summary Statistics in TShark
Comparing TShark and tcpdump
Chapter 7: Network Layer Protocols
Address Resolution Protocol (ARP)
ARP Packet Structure
Packet 1: ARP Request
Packet 2: ARP Response
Gratuitous ARP
Internet Protocol
Internet Protocol Version 4 (IPv4)
Internet Protocol version 6 (IPv6)
Internet Control Message Protocol
ICMP Packet Structure
ICMP Types and Messages
Echo Requests and Responses
traceroute
ICMP version 6 (ICMPv6)
Chapter 8: Transport Layer Protocols
Transmission Control Protocol (TCP)
TCP Packet Structure
TCP Ports
The TCP Three-Way Handshake
TCP Teardown
TCP Resets
User Datagram Protocol (UDP)
UDP Packet Structure
Chapter 9: Common Upper-Layer Protocols
Dynamic Host Configuration Protocol (DHCP)
The DHCP Packet Structure
The DHCP Initialization Process
DHCP In-Lease Renewal
DHCP Options and Message Types
DHCPv6
Domain Name System (DNS)
The DNS Packet Structure
A Simple DNS Query
DNS Question Types
DNS Recursion
DNS Zone Transfers
Hypertext Transfer Protocol (HTTP)
Browsing with HTTP
Posting Data with HTTP
Simple Mail Transfer Protocol (SMTP)
Sending and Receiving Email
Tracking an Email Message
Sending Attachments via SMTP
Final Thoughts
Chapter 10: Basic Real-World Scenarios
Missing Web Content
Tapping into the Wire
Analysis
Lessons Learned
Unresponsive Weather Service
Tapping into the Wire
Analysis
Lessons Learned
No Internet Access
Gateway Configuration Problems
Unwanted Redirection
Upstream Problems
Inconsistent Printer
Tapping into the Wire
Analysis
Lessons Learned
No Branch Office Connectivity
Tapping into the Wire
Analysis
Lessons Learned
Software Data Corruption
Tapping into the Wire
Analysis
Lessons Learned
Final Thoughts
Chapter 11: Fighting a Slow Network
TCP Error-Recovery Features
TCP Retransmissions
TCP Duplicate Acknowledgments and Fast Retransmissions
TCP Flow Control
Adjusting the Window Size
Halting Data Flow with a Zero Window Notification
The TCP Sliding Window in Practice
Learning from TCP Error-Control and Flow-Control Packets
Locating the Source of High Latency
Normal Communications
Slow Communications: Wire Latency
Slow Communications: Client Latency
Slow Communications: Server Latency
Latency Locating Framework
Network Baselining
Site Baseline
Host Baseline
Application Baseline
Additional Notes on Baselines
Final Thoughts
Chapter 12: Packet Analysis for Security
Reconnaissance
SYN Scan
Operating System Fingerprinting
Traffic Manipulation
ARP Cache Poisoning
Session Hijacking
Malware
Operation Aurora
Remote-Access Trojan
Exploit Kit and Ransomware
Final Thoughts
Chapter 13: Wireless Packet Analysis
Physical Considerations
Sniffing One Channel at a Time
Wireless Signal Interference
Detecting and Analyzing Signal Interference
Wireless Card Modes
Sniffing Wirelessly in Windows
Configuring AirPcap
Capturing Traffic with AirPcap
Sniffing Wirelessly in Linux
802.11 Packet Structure
Adding Wireless-Specific Columns to the Packet List Pane
Wireless-Specific Filters
Filtering Traffic for a Specific BSS ID
Filtering Specific Wireless Packet Types
Filtering a Specific Frequency
Saving a Wireless Profile
Wireless Security
Successful WEP Authentication
Failed WEP Authentication
Successful WPA Authentication
Failed WPA Authentication
Final Thoughts
Appendix A: Further Reading
Packet Analysis Tools
CloudShark
WireEdit
Cain & Abel
Scapy
TraceWrangler
Tcpreplay
NetworkMiner
CapTipper
ngrep
libpcap
Npcap
hping
Python
Packet Analysis Resources
Wireshark’s Home Page
Practical Packet Analysis Online Course
SANS’s Security Intrusion Detection In-Depth Course
Chris Sanders’s Blog
Brad Duncan’s Malware Traffic Analysis
IANA’s Website
W. Richard Stevens’s TCP/IP Illustrated Series
The TCP/IP Guide
Appendix B: Navigating Packets
Packet Representation
Using Packet Diagrams
Navigating a Mystery Packet
Final Thoughts
Index
PRACTICAL PACKET ANALYSIS, 3RD EDITION
USING WIRESHARK TO SOLVE REAL-WORLD NETWORK PROBLEMS
CHRIS SANDERS

DON’T JUST STARE AT CAPTURED PACKETS. ANALYZE THEM.

Download the capture files used in this book from nostarch.com/packetanalysis3/

It’s easy to capture packets with Wireshark, the world’s most popular network sniffer, whether off the wire or from the air. But how do you use those packets to understand what’s happening on your network? Updated to cover Wireshark 2.x, the third edition of Practical Packet Analysis will teach you to make sense of your packet captures so that you can better troubleshoot network problems. You’ll find added coverage of IPv6 and SMTP, a new chapter on the powerful command line packet analyzers tcpdump and TShark, and an appendix on how to read and reference packet values using a packet map.

Practical Packet Analysis will show you how to:
• Monitor your network in real time and tap live network communications
• Build customized capture and display filters
• Use packet analysis to troubleshoot and resolve common network problems, like loss of connectivity, DNS issues, and slow speeds
• Explore modern exploits and malware at the packet level
• Extract files sent across a network from packet captures
• Graph traffic patterns to visualize the data flowing across your network
• Use advanced Wireshark features to understand confusing captures
• Build statistics and reports to help you better explain technical network information to non-techies

No matter what your level of experience is, Practical Packet Analysis will show you how to use Wireshark to make sense of any network and get things done.

ABOUT THE AUTHOR
Chris Sanders is a computer security consultant, researcher, and educator. He is the author of Applied Network Security Monitoring and blogs regularly at ChrisSanders.org. Chris uses packet analysis daily to catch bad guys and find evil. The author’s royalties from this book will be donated to the Rural Technology Fund (http://ruraltechfund.org/).

COVERS WIRESHARK 2.X
THE FINEST IN GEEK ENTERTAINMENT™
www.nostarch.com
“I LIE FLAT.” This book uses a durable binding that won’t snap shut.
$49.95 ($57.95 CDN)
SHELVE IN: NETWORKING/SECURITY
Praise for Practical Packet Analysis

“A wealth of information. Smart, yet very readable, and honestly made me excited to read about packet analysis.”
—TechRepublic

“I’d recommend this book to junior network analysts, software developers, and the newly minted CSE/CISSP/etc.—folks that just need to roll up their sleeves and get started troubleshooting network (and security) problems.”
—Gunter Ollmann, former Chief Technical Officer of IOActive

“The next time I investigate a slow network, I’ll turn to Practical Packet Analysis. And that’s perhaps the best praise I can offer on any technical book.”
—Michael W. Lucas, author of Absolute FreeBSD and Network Flow Analysis

“An essential book if you are responsible for network administration on any level.”
—Linux Pro Magazine

“A wonderful, simple-to-use, and well-laid-out guide.”
—ArsGeek.com

“If you need to get the basics of packet analysis down pat, this is a very good place to start.”
—StateOfSecurity.com

“Very informative and held up to the key word in its title, practical. It does a great job of giving readers what they need to know to do packet analysis and then jumps right in with vivid real-life examples of what to do with Wireshark.”
—LinuxSecurity.com

“Are there unknown hosts chatting away with each other? Is my machine talking to strangers? You need a packet sniffer to really find the answers to these questions. Wireshark is one of the best tools to do this job, and this book is one of the best ways to learn about that tool.”
—Free Software Magazine

“Perfect for the beginner to intermediate.”
—Daemon News
Practical Packet Analysis, 3rd Edition
Using Wireshark to Solve Real-World Network Problems
by Chris Sanders
San Francisco
Practical Packet Analysis, 3rd Edition. Copyright © 2017 by Chris Sanders.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

21 20 19 18 17   1 2 3 4 5 6 7 8 9

ISBN-10: 1-59327-802-0
ISBN-13: 978-1-59327-802-1

Publisher: William Pollock
Production Editor: Serena Yang
Cover Illustration: Octopod Studios
Interior Design: Octopod Studios
Developmental Editor: William Pollock and Jan Cash
Technical Reviewer: Tyler Reguly
Copyeditor: Paula L. Fleming
Compositor: Janelle Ludowise
Proofreader: James Fraleigh
Indexer: BIM Creatives, LLC.

For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900; info@nostarch.com
www.nostarch.com

The Library of Congress has catalogued the first edition as follows:
Sanders, Chris, 1986-
Practical packet analysis : using Wireshark to solve real-world network problems / Chris Sanders.
p. cm.
ISBN-13: 978-1-59327-149-7
ISBN-10: 1-59327-149-2
1. Computer network protocols. 2. Packet switching (Data transmission) I. Title.
TK5105.55.S265 2007
004.6'6--dc22
2007013453

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
“Amazing grace, how sweet the sound That saved a wretch like me. I once was lost but now I’m found. Was blind but now I see.”