PRACTICAL PACKET ANALYSIS
USING WIRESHARK TO SOLVE REAL-WORLD NETWORK PROBLEMS
CHRIS SANDERS

DON'T JUST STARE AT CAPTURED PACKETS. ANALYZE THEM.

Download the capture files used in this book from www.nostarch.com/packet.htm

It's easy enough to install Wireshark and begin capturing packets off the wire—or from the air. But how do you interpret those packets once you've captured them? And how can those packets help you to better understand what's going on under the hood of your network?

Practical Packet Analysis shows how to use Wireshark to capture and then analyze packets as you take an in-depth look at real-world packet analysis and network troubleshooting. The way the pros do it.

Wireshark (derived from the Ethereal project) has become the world's most popular network sniffing application. But while Wireshark comes with documentation, there's not a whole lot of information to show you how to use it in real-world scenarios. Practical Packet Analysis shows you how to:

• Use packet analysis to tackle common network problems, such as loss of connectivity, slow networks, malware infections, and more
• Build customized capture and display filters
• Tap into live network communication
• Graph traffic patterns to visualize the data flowing across your network
• Use advanced Wireshark features to understand confusing packets
• Build statistics and reports to help you better explain technical network information to non-technical users

Because net-centric computing requires a deep understanding of network communication at the packet level, Practical Packet Analysis is a must-have for any network technician, administrator, or engineer troubleshooting network problems of any kind.

ABOUT THE AUTHOR

Chris Sanders is the network administrator for the Graves County Schools in Kentucky, where he manages more than 1,800 workstations, 20 servers, and a user base of nearly 5,000. His website, ChrisSanders.org, offers tutorials, guides, and technical commentary, including the very popular Packet School 101. He is also a staff writer for WindowsNetworking.com and WindowsDevCenter.com. He uses Wireshark for packet analysis almost daily.

TECHNICAL REVIEW BY GERALD COMBS, CREATOR OF WIRESHARK

THE FINEST IN GEEK ENTERTAINMENT™
$39.95 ($49.95 CDN)
www.nostarch.com
SHELVE IN: NETWORKING/SECURITY
This book uses RepKover—a durable binding that won't snap shut. "I LAY FLAT."
Printed on recycled paper

PRACTICAL PACKET ANALYSIS
Using Wireshark to Solve Real-World Network Problems
by Chris Sanders
No Starch Press, San Francisco

PRACTICAL PACKET ANALYSIS. Copyright © 2007 by Chris Sanders.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

Printed on recycled paper in the United States of America

11 10 09 08 07   1 2 3 4 5 6 7 8 9

ISBN-10: 1-59327-149-2
ISBN-13: 978-1-59327-149-7

Publisher: William Pollock
Production Editor: Christina Samuell
Cover and Interior Design: Octopod Studios
Developmental Editor: William Pollock
Technical Reviewer: Gerald Combs
Copyeditor: Megan Dunchak
Compositor: Riley Hoffman
Proofreader: Elizabeth Campbell
Indexer: Nancy Guenther

For information on book distributors or translations, please contact No Starch Press, Inc. directly:

No Starch Press, Inc.
555 De Haro Street, Suite 250, San Francisco, CA 94107
phone: 415.863.9900; fax: 415.863.9950; [email protected]; www.nostarch.com

Library of Congress Cataloging-in-Publication Data

Sanders, Chris, 1986-
Practical packet analysis : using Wireshark to solve real-world network problems / Chris Sanders.
p. cm.
ISBN-13: 978-1-59327-149-7
ISBN-10: 1-59327-149-2
1. Computer network protocols. 2. Packet switching (Data transmission) I. Title.
TK5105.55.S265 2007
004.6'6--dc22
2007013453

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an "As Is" basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

This book is dedicated to my parents, who bought the first computer I ever programmed.
BRIEF CONTENTS

Acknowledgments ........ xv
Introduction ........ xvii
Chapter 1: Packet Analysis and Network Basics ........ 1
Chapter 2: Tapping into the Wire ........ 15
Chapter 3: Introduction to Wireshark ........ 27
Chapter 4: Working with Captured Packets ........ 39
Chapter 5: Advanced Wireshark Features ........ 51
Chapter 6: Common Protocols ........ 61
Chapter 7: Basic Case Scenarios ........ 77
Chapter 8: Fighting a Slow Network ........ 99
Chapter 9: Security-based Analysis ........ 121
Chapter 10: Sniffing into Thin Air ........ 135
Chapter 11: Further Reading ........ 151
Afterword ........ 154
Index ........ 155