wireshark-network-analysis-second-edition

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic Wireshark Certified Network Analyst Exam Objectives covered: The Purpose of TCP Analyze Normal TCP Communications The Establishment of TCP Connections When TCP-based Services are Refused The Termination of TCP Connections How TCP Tracks Packets Sequentially How TCP Recovers from Packet Loss Improve Packet Loss Recovery with Selective Acknowledgments Understand TCP Flow Control Analyze TCP Problems Dissect the TCP Packet Structure Filter on TCP Traffic Set TCP Protocol Preferences Chapter 21: Graph IO Rates and TCP Trends Wireshark Certified Network Analyst Exam Objectives covered: Use Graphs to View Trends Generate Basic IO Graphs Filter IO Graphs Generate Advanced IO Graphs Compare Traffic Trends in IO Graphs Graph Round Trip Time Graph Throughput Rates Graph TCP Sequence Numbers over Time Interpret TCP Window Size Issues Interpret Packet Loss, Duplicate ACKs and Retransmissions Chapter 22: Analyze Dynamic Host Configuration Protocol (DHCPv4/DHCPv6) Traffic Wireshark Certified Network Analyst Exam Objectives covered: The Purpose of DHCP Analyze Normal DHCP Traffic Analyze DHCP Problems Dissect the DHCP Packet Structure Filter on DHCP/DHCPv6 Traffic Display BOOTP-DHCP Statistics Chapter 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic Wireshark Certified Network Analyst Exam Objectives covered: The Purpose of HTTP Analyze Normal HTTP Communications Analyze HTTP Problems Dissect HTTP Packet Structures Filter on HTTP or HTTPS Traffic Export HTTP Objects Display HTTP Statistics Graph HTTP Traffic Flows Set HTTP Preferences Analyze HTTPS Communications Analyze SSL/TLS Handshake Analyze TLS Encrypted Alerts Decrypt HTTPS Traffic

Export SSL Keys Chapter 24: Analyze File Transfer Protocol (FTP) Traffic Wireshark Certified Network Analyst Exam Objectives covered: The Purpose of FTP Analyze Normal FTP Communications Analyze Passive Mode Connections Analyze Active Mode Connections Analyze FTP Problems Dissect the FTP Packet Structure Filter on FTP Traffic Reassemble FTP Traffic Chapter 25: Analyze Email Traffic Wireshark Certified Network Analyst Exam Objectives covered: Analyze Normal POP Communications Analyze POP Problems Dissect the POP Packet Structure Filter on POP Traffic Analyze Normal SMTP Communications Analyze SMTP Problems Dissect the SMTP Packet Structure Filter on SMTP Traffic Chapter 26: Introduction to 802.11 (WLAN) Analysis Wireshark Certified Network Analyst Exam Objectives covered: Analyze Signal Strength and Interference Capture WLAN Traffic Compare Monitor Mode vs. Promiscuous Mode Select the Wireless Interface Set Up WLAN Decryption Select to Prepend Radiotap or PPI Headers Compare Signal Strength and Signal-to-Noise Ratios Understand 802.11 Traffic Basics Analyze Normal 802.11 Communications Dissect the 802.11 Frame Structure Filter on All WLAN Traffic Analyze Frame Control Types and Subtypes Customize Wireshark for WLAN Analysis Chapter 27: Introduction to Voice over IP (VoIP) Analysis Wireshark Certified Network Analyst Exam Objectives covered: Understand VoIP Traffic Flows Session Bandwidth and RTP Port Definition Analyze VoIP Problems Examine SIP Traffic Examine RTP Traffic Play Back VoIP Conversations RTP Player Marker Definitions Create a VoIP Profile Filter on VoIP Traffic Chapter 28: Baseline “Normal” Traffic Patterns Wireshark Certified Network Analyst Exam Objectives covered:

Understand the Importance of Baselining Baseline Broadcast and Multicast Types and Rates Baseline Protocols and Applications Baseline Boot up Sequences Baseline Login/Logout Sequences Baseline Traffic during Idle Time Baseline Application Launch Sequences and Key Tasks Baseline Web Browsing Sessions Baseline Name Resolution Sessions Baseline Throughput Tests Baseline Wireless Connectivity Baseline VoIP Communications Chapter 29: Find the Top Causes of Performance Problems Wireshark Certified Network Analyst Exam Objectives covered: Troubleshoot Performance Problems Identify High Latency Times Point to Slow Processing Times Find the Location of Packet Loss Watch Signs of Misconfigurations Analyze Traffic Redirections Watch for Small Payload Sizes Look for Congestion Identify Application Faults Note Any Name Resolution Faults Chapter 30: Network Forensics Overview Wireshark Certified Network Analyst Exam Objectives covered: Compare Host vs. Network Forensics Gather Evidence Avoid Detection Handle Evidence Properly Recognize Unusual Traffic Patterns Color Unusual Traffic Patterns Chapter 31: Detect Scanning and Discovery Processes Wireshark Certified Network Analyst Exam Objectives covered: The Purpose of Discovery and Reconnaissance Processes Detect ARP Scans (aka ARP Sweeps) Detect ICMP Ping Sweeps Detect Various Types of TCP Port Scans Detect UDP Port Scans Detect IP Protocol Scans Understand Idle Scans Know Your ICMP Types and Codes Analyze Traceroute Path Discovery Detect Dynamic Router Discovery Understand Application Mapping Processes Use Wireshark for Passive OS Fingerprinting Detect Active OS Fingerprinting Identify Spoofed Addresses in Scans Chapter 32: Analyze Suspect Traffic Wireshark Certified Network Analyst Exam Objectives covered: Identify Vulnerabilities in the TCP/IP Resolution Processes

Find Maliciously Malformed Packets Identify Invalid or ‘Dark’ Destination Addresses Differentiate Between Flooding and Denial of Service Traffic Find Clear Text Passwords and Data Identify Phone Home Traffic Catch Unusual Protocols and Applications Locate Route Redirection that Uses ICMP Catch ARP Poisoning Catch IP Fragmentation and Overwriting Spot TCP Splicing Watch Other Unusual TCP Traffic Identify Password Cracking Attempts Build Filters and Coloring Rules from IDS Rules Chapter 33: Effective Use of Command-Line Tools Wireshark Certified Network Analyst Exam Objectives covered: Understand the Power of Command-Line Tools Use Wireshark.exe (Command-Line Launch) Capture Traffic with Tshark List Trace File Details with Capinfos Edit Trace Files with Editcap Merge Trace Files with Mergecap Convert Text with Text2pcap Capture Traffic with Dumpcap Understand Rawshark [1] If you are interested in working with the latest Development Release of Wireshark, visit www.wireshark.org/develop.html. [2] In this section, you will see recommendations for the Nmap Network Scanning book—get the book ordered and put that on your reading list right now! For more information on Nmap Network Scanning, visit nmap.org/book. [3] The proctored exam is available through Kryterion testing centers worldwide. In addition, the exam is offered in an online proctored format allowing you to take the exam from any location. For more information on the WCNA exam registration process, visit www.wiresharktraining.com. [4] The AirPcap adapters were originally developed by CACE Technologies. Riverbed Technology bought CACE Technology at the end of 2010. [5] Monitor Mode (also referred to as rfmon mode) and wireless network analysis are covered in Chapter 26: Introduction to 802.11 (WLAN) Analysis. [6] Imagine if you took a bad fall ice skating (computer geeks should not ice skate—that’s another story). You think you broke your arm. At the emergency room the doctors huddle around you perplexed. “It’s probably just a sprain—a pain killer and no movement for a week and you’ll be fine.” chimes in one doctor. “No. I think it’s broken—let’s re-break it and set it” Eeek… this scenario gets even uglier when you consider appendicitis. [7] In Figure 4, 5 and 6 we use a symbolic letter to represent the MAC addresses of the client and server. [8] Learn more about this in Cisco “Caveat” CSCsw70786. Ya gotta love a company that calls blatant performance bugs and faults by the name “caveats.” [9] To clear your DNS cache on a Windows host, go to a command prompt and type ipconfig /flushdns. On a Linux host, restart the nscd (name service cache) daemon. For MAC OS X 10.5.x or 10.6.x, type dscacheutil – flushcache at the terminal prompt. [10] If you’d like to get a glimpse of the Wireshark development process, watch the video at www.vimeo.com/9329501. Loris Degioanni (creator of WinPcap) used code_swarm, an organic visualization tool and the Wireshark code commits to graphically represent the entire life of Wireshark in a short 3-minute video.

[11] Gerald Combs states that the Wireshark “shark” is carcharodon photoshopia. It is most definitely based on carcharodon carcharias also known as the Great White shark. When the name change was imminent, one of the potential future names considered, and dismissed thankfully, was “EtherWeasel”. Sounds a bit like a porn project, eh? [12] All of us who solve network problems, optimize communications and spot security flaws faster and more accurately because of Wireshark owe a big THANKS to all the developers! Please thank them, report bugs and offer enhancement ideas to help the developers. [13] Gerald Combs is listed as the original author (and fearless leader). [14] Statistics listed at www.wireshark.org/download/automated/sloccount.txt as of May 16, 2012. [15] This is where the real power of Wireshark shines! Can you imagine decoding an HTTP GET request one byte at a time from a hex dump?! That is the kind of fun that screams “you have no life!” [16] Ok, ok… I’m not a great fan of the Start Page, but I understand its purpose to make someone’s first experience with Wireshark a warm and friendly one. I highly recommend you learn to use the Main Toolbar to be more efficient with Wireshark. [17] Visit www.wiresharkbook.com to see loads of other trace files. Another great resource for trace files is www.pcapr.net. This site is managed by Mu Dynamics and contains thousands of trace files. Members can edit and download trace files. [18] Ulf Lamping, Richard Sharpe and Ed Warnicke created the Wireshark User’s Guide which is remarkably comprehensive and includes examples of Wireshark usage and tips throughout. [19] The Network Media Specific Capturing page contains a matrix listing the various operating systems that Wireshark can run on and the physical interface types that libpcap/WinPcap can capture on. For example, the matrix indicates you cannot capture Bluetooth or USB traffic when running Wireshark on a Windows host, but you can capture Bluetooth and USB traffic when running Wireshark on a Linux host. [20] If you really want to impress someone, close the Packet List and Packet Details pane. Use the Accelerator Keys Ctrl+Down Arrow (next) and Ctrl+Up Arrow (back) to scroll through the packets as you mumble “hmmm… I see….” [21] Some combinations of libpcap and WinPcap with certain OS versions may not be able to detect and report dropped packets. If you experience packet drops while running Wireshark on a Windows host, consider increasing the Buffer size in the Capture Options window (Windows only). This buffer stores the packets until they are written to disk. The default value is 1 megabyte. [22] Rather than share the entire profile directory with another user, consider sharing the individual files contained in the profile’s directory. Be careful with the preferences file—some settings, such as gui.fileopen.dir (the directory to start in when opening a trace file) may not match the target host. [23] When working through network issues, I constantly switch back and forth between different trace files. Using Edit | Preferences, I set my Open Recent max. files setting to 30 so I can avoid wading through a directory of hundreds of trace files. You will learn some tricks on Wireshark customization in Chapter 5: Define Global and Personal Preferences. [24] You absolutely MUST consider time whenever you are troubleshooting network communications. Networking is a messy, dirty job. You may find that a process requests something 400 times unsuccessfully— but the entire process is over with in less than one-half of a second. It is doubtful that any user (no matter how “retentive” they are) recognizes your efforts if you cut that 400 packets to 200 and save them one-quarter of a second. Heck—they never say thank you when you save them thirty minutes! [25] You can locate your Personal Configuration directory by selecting Help | About Wireshark | Folders. [26] Not all versions of Wireshark have supported GeoIP location services which maps IP addresses to an OpenStreetMap location. For more information on GeoIP location services, see Plot IP Addresses on a World Map on page 169. [27] This amazing feature can dramatically reduce your troubleshooting time. [28] In earlier versions of Wireshark, the option of showing the Wireless Toolbar was only available when you used an AirPcap adapter and AirPcap driver. This is another reason to stay current with the latest Wireshark releases. [29] This is a different services file than the native operating system services file. This services file resides in

the Wireshark program directory and is only used by Wireshark when correlating port numbers with service names when transport name resolution is enabled. [30] Note that as of Wireshark 1.7.2 some custom columns did not refresh properly when you choose to display a saved column. For example, if you created a pkt_comments column it may not show all your comments. You may have to wait for this to be fixed. [31] Coloring rules are the “ring tones” of the analysis world. They alert you to possible problem traffic (“your ex-wife/ex-husband is calling”) or just packets of particular interest (“your attorney is calling”). Spend some time in Chapter 6: Colorize Traffic to set up your Wireshark system to be more visually effective. [32] One fun trick with coloring rules (I use it with ugly NetBIOS traffic that I don’t want to ‘see’) is to set the foreground and background of these packets to white… now you can filter on these ugly packets and select Edit | Ignore all displayed packets to avoid those gag reflexes from kicking in on ugly packets. [33] The Details option is not available on all operating systems. [34] This is one of my favorite features of Wireshark—I use it to quickly add columns for the fields I want to see in the Packet List pane. This greatly speeds up my analysis sessions. [35] I highly recommend you use Prepare a Filter when you begin working with Wireshark. This allows you to take a moment and view the filter—and consider adding to it—before applying it. [36] Pay attention to the Expert information that Wireshark provides. When troubleshooting communications, the Expert can quickly point out problems and save you lots of time in identifying the source of those problems. [37] This is a great feature for analyzing Microsoft’s SMB traffic—if you are a Microsoft shop, capture your login sequence and a file transfer sequence. Open the Statistics | Service Response Time window to identify average service response times in the trace file. [38] It seems that Wireshark’s Statistics menu is getting a bit cluttered with items that may not be commonly found on networks. Perhaps at some point the core developers will bury these under a submenu to make this Statistics menu a bit more efficient for typical use. [39] No one ever promised us that every feature in Wireshark is useful, right? Well this is an example of one statistic that could probably be thrown into the bit bucket. It doesn’t give us a breakdown of all the traffic that can run over IP (such as ICMP)—it just lists UDP, TCP and then everything else is just “None.” If you want to know what is running over IP, view the Protocol Hierarchy statistics instead. [40] Yes—VoIP analysts can be a strange and misunderstood bunch. It really messes with your mind when you are in charge of the application that is at the top of the QoS food chain! [41] This is a great way to find a particular ASCII string in a packet because by default “Case sensitive” is disabled. In the example shown in Figure 49, we are looking for the string “nessus” in either upper or lower case anywhere in the Packet Bytes pane. Another good way to locate these packets is by using a display filter that is defined for upper and lower case ASCII detection as shown in Find Key Words in Upper or Lower Case. [42] The older I get, the more valuable this feature becomes. [43] Currently, the AirPcap adapters are only available for Windows hosts. [44] This is a GREAT timesaving feature—especially if you are a horrible typist! [45] This feature is one of my favorites! There may still be times when we use Edit | Preferences | Columns | Add, but this is the preferred way to create new columns to view information quickly. [46] Check out ask.wireshark.org instead of joining this Wireshark-users mailing list. [47] This can be one of the more unpleasant aspects of network analysis—sitting close to the complaining user. Consider dazzling them with a dissertation on how the TCP sliding window and congestion avoidance mechanisms help improve throughput rates of packets. This is another great time to close the Packet List and Packet Details panes and just peruse the Packet Bytes panes while randomly shouting hex values. They’ll leave you alone right away. [48] Network analysis is not a “sit down and do it” type of process. Get a hot laptop loaded with power and memory and a comfortable pair of shoes. Don’t hesitate to move your analyzer to another location when tracking down problems on the network. [49] The down side of installing Wireshark on Client A’s computer is that they will want to keep it on their

systems. The term “ignorance is bliss” means that when the users are ignorant about Wireshark and packet analysis in general, we feel blissful. [50] This file really does contain a typo on the file name line. The correct file name is wiresharkportable.ini. [51] It’s a good idea to test this. Capture traffic on your host that is connected to a switch. If you see traffic between other devices, then your switch has a problem. It’s acting like a hub—probably a very expensive hub. [52] Be careful with devices sold as “hubs”—some “hubs” are actually switches. In addition, dual-speed hubs (hubs that can connect to 10Mbps or 100Mbps hosts) can become switches between the different media speeds. [53] A note from Ron Nutter on this tip: “If the network you are using your cheap switch on is using some of the Cisco Port Security commands, putting another switch between the computer you are trying do a packet capture on and the switch port it plugs into will result in a port that is shut down which could bring you to the attention of the network Security folks. Even if you using a true "hub" this could still cause problems because the closet switch could still see a 2nd MAC address (your Wireshark system) on the same port and shut down that port. Your only option would be to use a tap with your Wireshark system to keep from advertising your presence on the network.” Refer to Avoid Detection. [54] There was a big change to the checksum calculations when Wireshark 1.6 was released—UDP and TCP checksum calculations were disabled thereby getting rid of some of the false positives experienced in previous versions of Wireshark. IP checksum validation is still enabled, however—be aware that you may experience false positives because of this one setting (see Set Your IPv4 Protocol Preferences). [55] If you are capturing on a network to which Cisco Cable Modem Termination System (CMTS) Data Over Cable Service Interface Specification (DOCSIS) packets are being forwarded, you can change the link layer type value to DOCSIS. This setting is saved with the trace file. [56] ICMP is one of the rare filters that use the same syntax for capture filters and display filters by chance. [57] This is not a mistake, the capture filter for IPv6 traffic is simply ip6. [58] As of Wireshark 1.6, Length is now a default column in the Packet List pane. Why? I haven’t the faintest idea—apparently there are numerous folks who think this information is important enough to have as a default column. I typically right click on this column and hide it. [59] Bug 6077, Rearranging Columns in Preferences, indicates a problem with drag and drop rearranging in Preferences. A workaround is to drag and drop the columns directly in the Packet List pane after creating the column in Preferences. [60] The Apply as Column feature was not available prior to Wireshark v1.3 (Development Release) and Wireshark v1.4 (Stable Release). This feature should be used whenever you find yourself scrolling packet-bypacket through a trace file to examine individual fields. [61] As of Wireshark 1.8 your new coloring rules are placed at the top of the list by default. This is a welcome change! [62] You cannot tell the coloring difference because this book is printed in grey scale—why not open up Preferences | Colors and look for yourself? [63] Even though Wireshark shows this as the active setting, when you set Time Reference packets it alters the actual setting to Seconds Since Beginning of Capture. You always need to reset it to Seconds Since Previous Displayed Packet. [64] I grab browsing sessions to www.espn.com because that site has so many interdependencies to content providers and advertisers. You can compare the browsing sessions over six years in http-espn2007.pcapng, http-espn2010.pcapng, http-espn2011.pcapng and http-espn2012.pcapng. [65] Your version of Wireshark must support GeoIP. Check the “Compiled with” section under Help | About Wireshark—look for “with GeoIP”. [66] All field and protocol names were in lowercase until VoIP filters were added. Some VoIP-related filters use uppercase and lowercase definitions. Use the auto-complete feature to help with VoIP filters. [67] Note that Wireshark does not recognize dhcp as a display filter. DHCP is based on BOOTP and Wireshark recognizes bootp as the filter to display all DHCP traffic. [68] Filtering for tcp.analysis.retransmission also displays fast retransmissions.

[69] Although some of the online documentation states that “Wireshark needs to be built with libpcre in order to be able to use the matches operator” that is not the case anymore. Glib provides GRegex support. GRegex is a wrapper around the Perl Compatible Regular Expressions (PCRE) library by Philip Hazel. GLib supports libraries and applications written in C. Glib support is shown using Help | About Wireshark—for example “Compiled (64-bit) with GTK+ 2.22.1, with GLib 2.26.1…” [70] Be aware of the file size you are working with when capturing video streams for reassembly. For example, a 5-minute YouTube video generates a 44 MB trace file. Recent versions of Wireshark have included major improvements for dealing with larger trace files, but you still need to be aware that a larger trace file takes longer to load, longer to apply display filters, longer to reassemble data streams, etc. It is possible to fill an entire hard drive if you leave a Wireshark system capturing unattended. [71] You can learn more about World IPv6 Day at www.worldipv6day.org. [72] In this file we can also determine the type of camera used—a Canon EOS 5D. [73] Wireshark is not a password cracking tool—you need to provide the key in order to decrypt WLAN or SSL communications. [74] Several profiles are available in the Download section at www.wiresharkbook.com. [75] You must have Track Number of Bytes in Flight enabled in Preferences | Protocols | TCP in order to use this column value. [76] As of Wireshark 1.8, Fast Retransmissions and Retransmissions are both listed under the Notes section. [77] Note that in some situations Zero Window Probe packets are interpreted as Keep Alive packets because they match a keepalive packet format. [78] Note that Wireshark does not have an Expert notification for decreasing window sizes. This Window Update only pertains to increases in the sender’s window size value. It is only triggered on packets that do not have any data. If a host increases their window size while sending a data packet, Wireshark will miss that as a Window Update packet. [79] This Expert warning was added within 24 hours of a presentation I made at Sharkfest 2010—thanks developers! [80] ALWAYS watch TCP handshakes. This is when we want to see packets on both sides of a router. This type of problem is plaguing the IT industry right now. Watch your TCP SYN and SYN/ACK packets carefully. [81] Task offloading (aka checksum offloading) can throw you off here. If all packets sent from your Wireshark system are listed with invalid checksums, it is likely that your network interface card and driver use checksum offloading and Wireshark has captured packets before the checksums (IP, UDP or TCP) have been applied. [82] Applications and, in some cases, users can overwrite this default port value. For example, our client could use CORPFS1:89 to indicate that it will use port 89 to connect to the FTP server. [83] To view your ARP cache, type arp –a at the command-line. [84] To view your route tables, at the command prompt type route print. [85] You will see mDNS traffic if you have Apple products on your network—mDNS is used as part of Bonjour, or zero configuration networking. [86] Bot-infected hosts may receive DNS responses with a high number of Answer RRs. For more information on this evidence, refer to Name Resolution Process Vulnerabilities. [87] Wireshark colorizes the display filter area yellow because of the != operator that often does not provide the expected results. In this case, however, the operator works fine. Try it out on dns-errors-partial.pcapng. [88] You know the kind—the person who complains when the network is doing fine—the person who whines about their keyboard suddenly seeming “more sensitive” today. There are uses for these people—we use them as guinea pigs in our troubleshooting procedures. They are willing to stop work to focus on a problem—it is within their comfort zone. [89] Some texts state that ARP packets are not routed because they are broadcasts. This is incorrect. An ARP reply packet is not a broadcast, but it cannot be routed. ARP packets have no IP header and this prevents ARP packets from being routed. [90] Refer to RFC 3168, The Addition of Explicit Congestion Notification (ECN).

[91] Just as in IPv4 where a host can use 0.0.0.0 as a source address before a local address has been assigned, we can use :: on an IPv6 network before we have initialized an IPv6 address. [92] RFC 4291 explains Modified EUI (Extended Unique Identifier)-64 format used to complete the IPv6 address. [93] RFC 4941, “Privacy Extensions for Stateless Address Autoconfiguration in IPv6,” defines how an IPv6 client can create an address based on a random interface identifier. The Privacy Extensions feature may make troubleshooting a bit more difficult, but this feature offers a security enhancement by changing the interface identifier over time to make it “more difficult for eavesdroppers and other information collectors to identify when different addresses used in different transactions actually correspond to the same node.” [94] Not all automated tools can recalculate header checksums. BitTwiste, for example, can recalculate checksums for non-fragmented IPv4, ICMP, TCP, and UDP packets only. [95] Unfortunately, not enough malicious folks out there read and follow the recommendations of this April Fools’ Day RFC. If they did, life would be so much easier—true? [96] The Initial Sequence Number should be randomized to prevent Sequence Number Prediction Attacks as defined in RFC 1948, Defending against Sequence Number Attacks. As an example, Microsoft Server 2003 uses an RC4-based random number generator initialized with a 2048-bit random key upon system startup. [97] The Sequence Number field is a 4-byte field—without Relative Sequence Numbering enabled, the Sequence Number can be long and difficult to deal with. [98] This includes the original ACK and two duplicate ACKs (as noted by Wireshark’s Expert system). [99] When teaching TCP communications, I often refer to the “child in the grocery store” who whines “Mom… Mom… Mom…” This is similar to what we see when a TCP receiver doesn’t see the expected sequence number. It will whine and complain about that missing sequence number to push for a retransmission. [100] It is easy to think of this as the “phantom byte”—a byte that does not actually reside in a packet, but causes the sequence number value to increment by 1. [101] As of Wireshark 1.6.5, we don’t have an Expert warning for this condition. We do, however, have an Expert warning on four NOPs in a row (a likely indication that a device along the path has replaced a TCP option with padding). [102] IO Graphs look at all the traffic in the trace file regardless of direction whereas some other graphs (such as Round Trip Time graphs and Throughput graphs) look at traffic flowing in one way only. [103] This display filter depicts numerous TCP issues including Retransmissions, Fast Retransmissions, Previous Segment Lost, Zero Window, Full Window and Duplicate ACKs. [104] At this time you cannot define other colors on the Wireshark IO Graphs, but that would be a great addition someday. Visit wiki.wireshark.org/WishList to see ideas that have been submitted for future Wireshark enhancements. [105] What? Pink? Not only is it almost impossible to see, but it’s just plain ugly! Let’s hope we get some improvements in the color options here soon! [106] When you use tcp.analysis.retransmission as a display filter or in the Advanced IO Graphs calculation, both regular and fast retransmissions are filtered or plotted. [107] As this book is printed in black and white, we cannot accurately show the colorization of this advanced IO Graph. We have, however, included an image of this advanced IO Graph on the back cover of this book. In the example on the back cover we altered the Y axis scale and the style for Graph 2 and Graph 4. [108] The tcptrace graph provides more information than the Stevens graph, so we recommend it over the Stevens graph. In this book we focus on the tcptrace graph. [109] The DHCP server does not necessarily provide all three timers. The DHCP client can calculate the Renewal Time and Rebind Time based on the Lease Time. [110] No one ever said geeks can spell, right? In RFC 1945, “HTTP/1.0,” the term “Referer” is misspelled throughout. We have opted to stay with the misspelling—Wireshark also uses the misspelling. [111] TLS is the successor to Secure Socket Layer (SSL). In this chapter we will refer to the protocols based on Wireshark’s usage. Wireshark uses TLS in the Protocol column, but refers to the port setting as SSL/TLS and enables you to set a decryption key in the SSL protocol setting.

[112] When analyzing standard HTTP communications, we recommend you disable the “Allow subdissector to reassemble TCP streams” to see the HTTP requests and responses in the Packet List Info column. [113] You can get information about MetaGeek spectrum analysis products at www.metageek.net. Visit www.metageek.net/wiresharkbook for something special. [114] This will provide you with the actual 802.11 header, but no information obtained by the local capturing interface. It is the least desirable option to use. [115] Since Riverbed purchased CACE Technologies at the end of 2010, I expect this document to be moved to the Riverbed website, www.riverbed.com, at some point. [116] The only exception to this is the "Null" Data frame which carries no data at all and does not cross onto the wired network as they are typically used to carry information to other WLAN stations. [117] This is considered a very unusual condition, but the 802.11 specifications acknowledge that “the transmission of any beacon may be delayed due to a medium busy condition.” Such a long delay, however, would indicate a major problem that could indicate RF interference or a malfunctioning AP. [118] This is the maximum frame size before encryption. In reality, however, you will likely see smaller packets due to the fact that your data traffic has to bridge to an Ethernet network and, in the case of TCP, an MSS value is defined during the handshake. [119] Hmmm…. This is an interesting display filter. Why would you ever use this? Prior to Wireshark 1.8 you would either be capturing WLAN traffic or some other type of traffic, but most likely you wouldn’t have a mix of both traffic types. Since Wireshark 1.8 and later supports capturing on multiple interfaces (see page 125), you can capture on both wired and wireless interfaces simultaneously making this filter quite useful. [120] When the Retry bit is set, it indicates that the frame is an 802.11 retransmission. This is a MAC-layer retransmission—additional retransmissions may occur at the transport layer (as in the case of TCP retransmissions, for example) or at the application layer. To spot retransmissions more easily, consider setting a coloring rule to highlight 802.11 packets that have this bit set (wlan.fc.retry==1). [121] If this coloring rule is moved above the channel coloring rules you will not be able to detect which channel you are experiencing retries on without opening the packets. You can either combine the channel and retry coloring rules (for example you could create a coloring rule with an orange background and green foreground for radiotap.channel.freq==2412 && wlan.fc.retry==1) or you could add a frequency/channel column to the Packet List pane. [122] At one of the Chappell Summit events, we brought along 6 microwave ovens, loads of uncooked popcorn bags and a 50 foot long VGA cable. We popped the corn and used a Wi-Spy adapter and Chanalyzer to evaluate the RF activity as I moved further and further away from the microwaves. It was a great demonstration of how varied microwave interference can be—some of the devices are just plain evil! Mark’s case study is additional proof of that. [123] Wireshark cannot decrypt and play back secure VoIP traffic. [124] This calculation is based on a VoIP call traversing an Ethernet network and takes into account the Ethernet header overhead (18 bytes), the 20 byte IP header and 8 byte UDP header. [125] This is a quick way to save an RTP stream while still working in the trace. Mark the stream from this window and later select File | Export Specified Packets and choose Marked packets. [126] You can view this code in anonsvn.wireshark.org/viewvc/. Select the desired trunk directory and click on the gtk directory to locate the rtp_player.c file. [127] Note that almost all Wireshark display filters use lowercase characters for the field names. A few of the SIP fields, however, use some uppercase characters. [128] This great display filter tip was submitted by Martin Mathieson, one of the core Wireshark developers, that he uses as “the first sign of a crash or that I’d managed to overload a server :).” Nice tip, Martin! [129] Since many network interface cards and adapters are in promiscuous mode by default, this scan may have a high rate of false positives making it unreliable as an analyzer detection method. [130] Capture your own traffic when you run discovery or testing tools. Save the trace files as baselines of how these applications look on the network so you recognize their patterns when a third-party uses these tools against you.

[131] The High Technology Crime Investigation Association (HTCIA) is a global membership group open to security professionals and law enforcement agents. Visit www.htcia.org for numerous forensic resources. [132] In the most recent security tools survey conducted by Fyodor, Wireshark ranked #1 in security tools. For details, see SecTools.org. [133] Nmap: Network Scanning, written by Gordon “Fyodor” Lyon (the creator of Nmap), is the most comprehensive guide to using Nmap—a must read for any IT professional (ISBN: 978-0-9799587-1-7). Find out more about this great book at nmap.org/book. [134] Most people assume TCP scans are only used to discover active services. In fact, however, TCP scans may be used to simply discover active targets as well. [135] This really differentiates Wireshark from specialized port scanning detectors or intrusion detection tools, such as Snort or Suricata, which are designed to detect such scans. [136] Null scans, FIN scans and Xmas scans do not work against Microsoft hosts because they do not precisely follow RFC 793, Transmission Control Protocol. This RFC specifies how hosts should respond to “half-open connections and other anomalies.” [137] Window scanning examines the TCP window size field in a RST response from a target. Some hosts respond with a window size field value of zero if the port is closed and a non-zero window size field value if the port is open. The windows scan technique does not work on all devices as TCP/IP stacks get updated to provide more consistent responses whether the port is open or closed. [138] The Packet List pane view is split into two pieces for clarity. Two additional columns were set up in Preferences—the Source MAC column lists the unresolved source MAC addresses and the Dest MAC column lists the unresolved destination MAC addresses. [139] Note that Wireshark’s tcp.segment.overlap.conflict display filter can detect TCP segments that have overlapping offsets, but contain different data. Consider creating a “butt ugly” coloring rule to call your attention to this and other malicious packets. [140] Some TCP implementations have been observed sending data with the second packet of the TCP handshake—the SYN/ACK packet. This behavior is not explicitly prohibited by TCP specifications, but it is unusual. [141] Emerging Threats (formerly Bleeding Snort and Bleeding Threats) is an open source project providing free access to Suricata and Snort rules. This rule is contained in rules.emergingthreats.net/open-nogpl/snort2.9.0/emerging-all.rules. [142] Suricata is an open source IDS and IPS engine funded in part by the U.S. Navy Space and Naval Warfare Systems Command and Department of Homeland Security Directorate of Science and Technology. Obtain a copy of Suricata from www.openinfosecfoundation.org/index.php/downloads. [143] How will you know what is “suspect” if you don’t know what is “normal?” I hate to beat a dead server, but… you really do need to create those baselines mentioned in Chapter 28. [144] You can use hyphens or colons to separate the bytes of the MAC address. [145] Wireshark bug 2234 prevents us from using read filters (aka display filters) when writing to a file. There has been a lot of discussion on this issue dealing with requiring escalated privileges and security concerns. To get in to the mud pit with the developers, visit bugs.wireshark.org and search for “2234.” Refer to Dealing with Bug 2234 on page 837. [146] See the note about bug 2234 on the –R parameter on the previous page. [147] See bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234 for the conversation discussing this bug. [148] For an example of when you might want to use the –S parameter to time-shift trace files, refer to Compare Traffic Trends in IO Graphs. [149] Go a bit further with this trace file. Is this really just a boring old spam message? What are the names of the .pif files being sent? Do some research and you’ll see they are related to a worm. Your virus detection tool may not like this file at all because it contains the signatures that match a worm.