Packet Analysis with Wireshark

Some months ago I wanted to remind myself of how the Web works. In addition to Computer Networking I went through the second edition of Practical Packet Analysis, by Chris Sanders.

Notwithstanding the general-sounding title, Practical Packet Analysis is very much about Wireshark, a GUI tool for analysing network traffic, released under the GPL version 2. On a Fedora Linux machine, running Wireshark is very easy: you just start it up and it does its magic, with no configuration required except adding yourself to the wireshark group.

There is a big advantage to working through this book together with a more academic tome such as Kurose and Ross. In theory books, each layer is presented neatly separated from the others, but Wireshark shows you the data just as it passes over the wire. This means that you see ARP requests interleaved with TCP handshakes and HTTP and DNS requests. With DHCP thrown into the mix, the number of packets exchanged to establish a simple connection in a local network can be quite overwhelming.

Then you start having fun tracking the regular increase of the TCP sequence numbers, and notice that those same numbers really are missing from UDP packets. You do not need to capture live traffic all the time, as the book is full of exercises that are based on recorded captures downloadable from the book website.
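To make the sequence-number point concrete, here is an added example (not from the book or this post) that decodes a few constructed IPv4 packets, checks that each TCP segment's sequence number equals the previous segment's sequence number plus its payload length, and reports that UDP datagrams carry no such number at all. The packets, addresses and ports are made up for the illustration.

```python
import struct

def ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Build a minimal 20-byte IPv4 header (no options, checksum left 0) plus payload."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def tcp(seq, payload, sport=40000, dport=80):
    """Minimal 20-byte TCP header: data offset 5, flags PSH|ACK, ack/checksum left 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload

def udp(payload, sport=50000, dport=53):
    """8-byte UDP header: no sequence number field exists."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed sample capture: three segments of one TCP flow (the third skips
# two bytes, as a lost or reordered segment would), then one UDP datagram.
PACKETS = [
    ipv4(6, tcp(1000, b"hello")),
    ipv4(6, tcp(1005, b"abc")),
    ipv4(6, tcp(1010, b"zz")),
    ipv4(17, udp(b"dns?")),
]

def decode(pkt):
    """Return protocol name, flow 4-tuple, sequence number (None for UDP) and payload length."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    l4 = pkt[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 6:
        seq = struct.unpack("!I", l4[4:8])[0]
        return "TCP", (src, sport, dst, dport), seq, len(l4) - (l4[12] >> 4) * 4
    if proto == 17:
        return "UDP", (src, sport, dst, dport), None, len(l4) - 8
    return str(proto), (src, 0, dst, 0), None, len(l4)

def track_sequences(packets):
    """For each packet, report (proto, seq, status); status flags gaps in a TCP flow."""
    expected, report = {}, []
    for raw in packets:
        proto, flow, seq, plen = decode(raw)
        if seq is None:
            report.append((proto, None, "no sequence number"))
            continue
        exp = expected.get(flow)
        status = "start" if exp is None else ("ok" if exp == seq else f"gap: expected {exp}")
        expected[flow] = seq + plen  # next segment should begin here
        report.append((proto, seq, status))
    return report

if __name__ == "__main__":
    for line in track_sequences(PACKETS):
        print(line)
```

The same check on a real capture is what Wireshark's "TCP Previous segment not captured" analysis flag does for you.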

The chapter on wireless networks was the only slightly disappointing part: it is only a very high-level overview of wireless network protocols. One gets the feeling that the topic is very large, since wireless networks need to contend with reliability and security issues that are more complicated than those of wired ones, but that little of it is covered.

This hiccup is more than made up for by the chapter where you are encouraged to investigate the behaviour of a trojan that downloads itself, takes screenshots of the user’s desktop and uploads them to some shady server. It’s a great exercise to be forced to think about why that particular TCP conversation looks suspicious, and you even get to use a hex editor (I used Emacs’ Hexl mode).

Practical Packet Analysis is an excellent way to refresh your knowledge of the TCP/IP stack. It is a relatively short read for a tech book, and each chapter contains hands-on activities which are fun but relatively simple, so you can have a good time reading this book.