Wireshark has long become the market standard for network analysis, and with the growth of the Internet and TCP/IP-base d networks, it became very popular for network analysis, troubleshooting, as well as for R&D engineers to understand what is actually running over the network and what are the problems that we face.
This book is written from a practical point of view. The first part of it, from Chapter 1, Introducing Wireshark, to Chapter 6, Using the Expert Infos Window, describes the Wireshark software and how to work with it. This includes how to start it, where to locate it in the network, how to work with statistical tools, and how to use the Expert system. The second part, from Chapter 7, Ethernet, LAN Switching, and Wireless LAN, to Chapter 14, Understanding Network Security, describes how to use it for the analysis and troubleshooting of common networking protocols; among them, the TCP/IP protocol stack with emphasis on TCP performance issues, common Internet protocols such as HTTP, SMTP, POP and DNS, databases, Citrix and Microsoft Terminal Server, IP telephony, and multimedia applications.
The last chapter is about network security. It describes how to locate security breaches and other problems in your network. As the name of the book implies, this is a Cookbook. It is a list of effective, targeted recipes of how to analyze networks. Every recipe comes with a specific issue, how to use Wireshark for it, where to look and what to look for, and what is the reason for what you see. To complete the picture, every recipe provides the theoretical foundations of the subject, in order to give the reader the required theoretical background.
You will see many examples in the book, and all of them are real cases. Some of them took me minutes to solve, some hours, and some of them took many days. There is one thing common to all of them: work systematically, use the proper tools, try to get inside the head of the application writer, and like someone told me once, “Try to think like the network”. Do this, use Wireshark, and you will get results. The purpose of this book is to try and get you there. Have fun!
What this book covers
Chapter 1, Introducing Wireshark, starts with introducing Wireshark, explaining where to locate it for effective network analysis. We will learn how to configure the basic parameters, the start window, the time values, and the coloring rules; and most importantly, we will learn how to use the Preferences window.
Chapter 2, Using Capture Filters, explains how to use capture filters which are used in order to define what data will be captured. This chapter explains how to configure these filters and how to use them in order to capture only the desired data.
Chapter 3, Using Display Filters, explains how to configure display filters which are used in order to display only the desired data, after the data is captured. This chapter explains how to configure these filters and how they can assist us in network troubleshooting.
Chapter 4, Using Basic Statistics Tools, explains how to work with the basic Wireshark statistical features, starting from the simple tables that provides us with “who is talking” information, conversations and HTTP statistics, and others.
Chapter 5, Using Advanced Statistics Tools, explains how to work with the advanced Wireshark statistical features, including the IO graphs and TCP stream graphs that provides us with powerful capabilities for network and application performance analysis. Chapter 6, Using the Expert Infos Window, explains how to work with the Expert system, which is a powerful tool that pinpoints various types of events, such as TCP retransmissions, zero-window, low TTL and routing loops, out-of-order segments, and other events that might influence the behavior of our network.
Chapter 7, Ethernet, LAN Switching, and Wireless LAN, explains the Ethernet protocol and LAN switching, along with problems that might occur in this layer. It also focuses on Wireless LAN (WiFi), how to test it, and how to resolve problems in these networks.
Chapter 8, ARP and IP Analysis, explains about ARP, IP, and how to analyze IP connectivity and routing problems. This chapter also explains how to find duplicate IP addresses, DHCP problems, and other related issues.
Chapter 9, UDP/TCP Analysis, focuses on layer 4 protocols, TCP, and UDP, with emphasis on TCP performance issues. It provides recipes for allocation of TCP performance problems, such as retransmission, duplicate ACKs, sliding-window problems such as window-full and zero-window, resets, and other related issues.
Chapter 10, HTTP and DNS, focuses on DNS, HTTP, and HTTPs. In this chapter, we will see how they work and what can go wrong in these protocols.
Chapter 11, Analyzing Enterprise Applications’, Behavior, talks about other applications such as FTP, mail protocols, terminal services, and databases. We will see how they are affected by network problems and how we can solve network-related problems in these applications.
Chapter 12, SIP, Multimedia, and IP Telephony, is about voice and video over IP, including recipes for finding VoIP SIP connectivity problems, RTP/RTCP performance problems, and video problems such as picture freezing and bad picture quality.
Chapter 13, Troubleshooting Bandwidth and Delay Problems, provides recipes for finding problems caused by low-bandwidth, high-delay, and high-jitter networks. The chapter explains the behavior of TCP over high-delay, high-jitter networks, and what we can do in order to improve this behavior.
Chapter 14, Understanding Network Security, focuses on TCP/IP-based network security, and it includes recipes for finding network scanning, SYN attacks, DOS/DDOS, and other attacks that can harm the network. This chapter provides recipes for finding various attack patterns and what causes them.
Appendix, Links, Tools, and Reading, provides references to some useful links from which you can get further information about Wireshark: learning sources, additional software, and so on.