Wireshark for Network Forensics: An Essential Guide for IT and Cloud Professionals

With the advent of emerging and complex technologies, traffic capture and analysis play an integral part in overall IT operations. This book outlines the rich set of advanced features and capabilities of the Wireshark tool, considered by many to be the de facto Swiss army knife for IT operational activities involving traffic analysis. This open-source tool is available as a CLI or a GUI. It is designed to capture traffic using different modes and to leverage community-developed and integrated features such as filter-based analysis and the traffic flow graph view.

You'll start by reviewing the basics of Wireshark, and then examine the details of capturing and analyzing secured application traffic such as Secure DNS, HTTPS, and IPsec. You'll then look closely at control plane and data plane capture, and study the analysis of wireless technology traffic such as 802.11, currently the most common access technology, along with Bluetooth. You'll also learn how to identify network attacks, malware, and covert communications, how to perform security incident post-mortems, and how to prevent such incidents.

The book further explains the capture and analysis of secure multimedia traffic, which constitutes around 70% of all internet traffic. Wireshark for Network Forensics provides a unique look at cloud and cloud-native architecture-based traffic capture in Kubernetes, Docker-based, AWS, and GCP environments.

What You'll Learn

  • Review Wireshark analysis and network forensics
  • Study traffic capture and its analytics from mobile devices
  • Analyze various access technology and cloud traffic
  • Write your own dissector for any new or proprietary packet formats
  • Capture secured application traffic for analysis

Who This Book Is For

IT Professionals, Cloud Architects, Infrastructure Administrators, and Network/Cloud Operators

Author(s): Nagendra Kumar Nainar, Ashish Panda
Edition: 1
Publisher: Apress
Year: 2022

Language: English
Pages: 290
City: Berkeley
Tags: Wireshark; Wireshark Decryption; Cloud Wireshark Capture; Cloudnative Wireshark Capture; Wireshark Capture Filter

Table of Contents
About the Authors
About the Contributor
About the Technical Reviewer
Acknowledgments
Introduction
Chapter 1: Wireshark Primer
Introduction
Get Me Started!
macOS
Linux
Red Hat and Alike
Ubuntu and Debian Derivatives
Allowing Non-root User to Capture Packets
Windows Install
The First Capture
Understanding a Packet
Capture Filters
Display Filters
Pcap vs. Pcapng
Data Representation
Big Picture: I/O Graphs
Big Picture: TCP Stream Graphs
Time Sequence (Stevens)
Time Sequence (tcptrace)
Throughput
Round Trip Time
Window Scaling
Bigger Picture: Following a Packet Stream
Biggest Picture: Flow Graphs
CloudShark: The Floating Shark
Get Me Started!
Feature Parity with Wireshark
CloudShark API
CloudShark API Interaction with Curl
Auto Upload to CloudShark (Raspberry Pi, Linux, macOS)
Summary
Chapter 2: Packet Capture and Analysis
Sourcing Traffic for Capture
Setting Up Port Mirroring
Remote Port Mirroring
Other Mirroring Options
TAP
Hub
Capture Point Placement
OS-Native Traffic Capture Tools
UNIX, Linux, BSD, and macOS
Windows
Wireshark-Based Traffic Capture
CLI-Based Capture with Dumpcap or Tshark
GUI-Based Capture with Wireshark
Capturing Traffic from Multiple Interfaces
Stopping Capture
Capture Modes and Configurations
Promiscuous Mode
VLAN Tag Is Not Seen in Captured Frames
Monitor Mode
Remote Packet Capture with Extcap
Remote Capture with Sshdump
Requirements
Mobile Device Traffic Capture
Android Devices
Using Native Androiddump Utility
Using Third-Party Android App and Sshdump
Capture Filtering
Capture Filter Deep Dive
Understanding BPF: What Goes Behind the Capture Filters
High Volume Packet Analysis
When the Packet Characteristics Are Known
When the Packet Encapsulation Is Unknown
Advanced Filters and Deep Packet Filter
Summary
References for This Chapter
Chapter 3: Capturing Secured Application Traffic for Analysis
Evolution of Application Security
Capturing and Analyzing HTTPS
Basics of HTTPS
Capturing and Filtering HTTPS Traffic
HTTPS Traffic – Capture Filter
Analyzing HTTPS Traffic
Client Hello Message
Server Hello Message
Decrypting TLS Traffic Using Wireshark
Collecting the SSL Key
Decrypting the HTTPS Traffic
HTTPS Filters for Analysis
HTTP2 Statistics Using Wireshark
Capturing and Analyzing QUIC Traffic
Basics of QUIC
Capturing and Filtering QUIC Traffic
QUIC Traffic – Capture Filter
Analyzing QUIC Traffic
QUIC Header
QUIC Initial Message – TLS Client Hello
QUIC Initial Message – TLS Server Hello
QUIC Handshake Message – TLS Server Hello
QUIC Protected Payload
Decrypting QUIC/TLS Traffic
QUIC Filters for Analysis
Capturing and Analyzing Secure DNS
Basics of DNS
Secure DNS
Summary
References for This Chapter
Chapter 4: Capturing Wireless Traffic for Analysis
Basics of Radio Waves and Spectrum
Basics of Wireless LAN Technology
Wireless LAN Channels
Wireless LAN Topologies
Basic Service Set
Extended Service Set
Mesh Basic Service Set
Wireless LAN Encryption Protocols
Setting Up 802.11 Radio Tap
Wireless Capture Using Native Wireshark Tool
Wireless Capture Using AirPort Utility
Wireless Capture Using Diagnostic Tool
Wireless Operational Aspects – Packet Capture and Analysis
802.11 Frame Types and Format
Wireless Network Discovery
Wireless LAN Endpoint Onboarding
Probing Phase
Authentication Phase
Association Phase
802.1X Exchange Phase
Wireless LAN Data Exchange
Decrypting 802.11 Data Frame Payload
Generating the WPA-PSK Key
Wireless LAN Statistics Using Wireshark
Summary
References for This Chapter
Chapter 5: Multimedia Packet Capture and Analysis
Multimedia Applications and Protocols
Multimedia on the Web
Multimedia Streaming
Streaming Transport
Stream Encoding Format
Real-Time Multimedia
Signaling
SIP
SDP
SIP over TLS (SIPS)
H.323
Media Transport
RTP
RTCP
SRTP and SRTCP
WebRTC
How Can Wireshark Help
Multimedia File Extraction from HTTP Capture
Streaming RTP Video Captures
Real-Time Media Captures and Analysis
Decrypting Signaling (SIP over TLS)
Decrypting Secure RTP
Extract the SRTP Encryption Key from SDP
Filter SRTP-only Packets
Feed the Key and SRTP Packets to Libsrtp
Convert Text Format to pcap and Add the Missing UDP Header
Explanation of Options Used Previously
For SRTP Decode
For text2pcap
Telephony and Video Analysis
Wireshark Optimization for VoIP
QoS and Network Issues
Analyzing VoIP Streams and Graph
Call Flow and I/O Graph
RTP Stream Analysis
RTP Statistics, Packet Loss, Delay, and Jitter Analysis
Replaying RTP Payload
Summary
References for This Chapter
Chapter 6: Cloud and Cloud-Native Traffic Capture
Evolution of Virtualization and Cloud
Basics of Virtualization
Hypervisor – Definition and Types
Virtualization – Virtual Machines and Containers
Virtual Machines
Containers
Traffic Capture in AWS Environment
VPC Traffic Mirroring
Traffic Capture in GCP Environment
Traffic Capture in Docker Environment
Traffic Capture in Kubernetes Environment
Summary
References for This Chapter
Chapter 7: Bluetooth Packet Capture and Analysis
Introduction to Bluetooth
Communication Models
Radio and Data Transfer
Bluetooth Protocol Stack
Controller Operations
Radio and Baseband Processing
Link Management Protocol (LMP)
HCI
Host Layer Operation
L2CAP
Application Profile–Specific Protocols
SDP
Telephony Control
Audio/Video Control and Transport
RFCOMM
Other Adopted Protocols
Tools for Bluetooth Capture
Linux
Windows
macOS
Bluetooth Packet Filtering and Troubleshooting
Controller-to-Host Communication
Pairing and Bonding
Paired Device Discovery and Data Transfer
Summary
References for This Chapter
Chapter 8: Network Analysis and Forensics
Network Attack Classification
Packet Poisoning and Spoofing Attacks
DHCP Spoofing
DNS Spoofing and Poisoning
Prevention of Spoofing Attacks
Network Scan and Discovery Attacks
ARP and ICMP Ping Sweeps
UDP Port Scan
TCP Port Scan
OS Fingerprinting
Preventing Port Scan Attacks
Brute-Force Attacks
Preventing Brute-Force Attacks
DoS (Denial-of-Service) Attacks
Preventing DDoS Attacks
Malware Attacks
Prevention of Malware Attacks
Wireshark Tweaks for Forensics
Autoresolving Geolocation
Changing the Column Display
Frequently Used Wireshark Tricks in Forensics
Find Exact Packets One at a Time
Contains Operator
Following a TCP Stream
Wireshark Forensic Analysis Approach
Wireshark DDoS Analysis
Wireshark Malware Analysis
Summary
References for This Chapter
Chapter 9: Understanding and Implementing Wireshark Dissectors
Protocol Dissectors
Post and Chain Dissectors
Creating Your Own Wireshark Dissectors
Wireshark Generic Dissector (WSGD)
Lua Dissectors
C Dissectors
Creating Your Own Packet
Summary
References for This Chapter
Index