Edition:
Authors: N. Nainar, A. Panda
Series:
ISBN: 9781484290002, 9781484290019
Publisher:
Year of publication: 2023
Number of pages: 283
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on user request)
File size: 9 Mb
If you need the file of the book Wireshark for Network Forensics. An Essential Guide for IT and Cloud Professionals converted to PDF, EPUB, AZW3, MOBI or DJVU format, you can notify support so that the file is converted.
Note that the book Wireshark for Network Forensics. An Essential Guide for IT and Cloud Professionals is the original-language edition and is not a Persian translation. The International Library website provides original-language books and does not offer any books translated into or written in Persian.
Table of Contents

About the Authors About the Contributor About the Technical Reviewer Acknowledgments Introduction

Chapter 1: Wireshark Primer
Introduction Get Me Started! macOS Linux Red Hat and Alike Ubuntu and Debian Derivatives Allowing Non-root User to Capture Packets Windows Install The First Capture Understanding a Packet Capture Filters Display Filters Pcap vs. Pcapng Data Representation Big Picture: I/O Graphs Big Picture: TCP Stream Graphs Time Sequence (Stevens) Time Sequence (tcptrace) Throughput Round Trip Time Window Scaling Bigger Picture: Following a Packet Stream Biggest Picture: Flow Graphs CloudShark: The Floating Shark Get Me Started! Feature Parity with Wireshark CloudShark API CloudShark API Interaction with Curl Auto Upload to CloudShark (Raspberry Pi, Linux, MacOSx) Summary

Chapter 2: Packet Capture and Analysis
Sourcing Traffic for Capture Setting Up Port Mirroring Remote Port Mirroring Other Mirroring Options TAP Hub Capture Point Placement OS-Native Traffic Capture Tools UNIX, Linux, BSD, and macOS Windows Wireshark-Based Traffic Capture CLI-Based Capture with Dumpcap or Tshark GUI-Based Capture with Wireshark Capturing Traffic from Multiple Interfaces Stopping Capture Capture Modes and Configurations Promiscuous Mode Vlan Tag Is Not Seen in Captured Frames Monitor Mode Remote Packet Capture with Extcap Remote Capture with Sshdump Requirements Mobile Device Traffic Capture Android Devices Using Native Androiddump Utility Using Third-Party Android App and Sshdump Capture Filtering Capture Filter Deep Dive Understanding BPF: What Goes Behind the Capture Filters High Volume Packet Analysis When the Packet Characteristics Are Known When the Packet Encapsulations Is Unknown Advanced Filters and Deep Packet Filter Summary References for This Chapter

Chapter 3: Capturing Secured Application Traffic for Analysis
Evolution of Application Security Capturing and Analyzing HTTPS Basics of HTTPS Capturing and Filtering HTTPS Traffic HTTPS Traffic – Capture Filter Analyzing HTTPS Traffic Client Hello Message Server Hello Message Decrypting TLS Traffic Using Wireshark Collecting the SSL Key Decrypting the HTTPS Traffic HTTPS Filters for Analysis HTTP2 Statistics Using Wireshark Capturing and Analyzing QUIC Traffic Basics of QUIC Capturing and Filtering QUIC Traffic QUIC Traffic – Capture Filter Analyzing QUIC Traffic QUIC Header QUIC Initial Message – TLS Client Hello QUIC Initial Message – TLS Server Hello QUIC Handshake Message – TLS Server Hello QUIC Protected Payload Decrypting QUIC/TLS Traffic QUIC Filters for Analysis Capturing and Analyzing Secure DNS Basics of DNS Secure DNS Summary References for This Chapter

Chapter 4: Capturing Wireless Traffic for Analysis
Basics of Radio Waves and Spectrum Basics of Wireless LAN Technology Wireless LAN Channels Wireless LAN Topologies Basic Service Set Extended Service Set Mesh Basic Service Set Wireless LAN Encryption Protocols Setting Up 802.11 Radio Tap Wireless Capture Using Native Wireshark Tool Wireless Capture Using AirPort Utility Wireless Capture Using Diagnostic Tool Wireless Operational Aspects – Packet Capture and Analysis 802.11 Frame Types and Format Wireless Network Discovery Wireless LAN Endpoint Onboarding Probing Phase Authentication Phase Association Phase 802.1X Exchange Phase Wireless LAN Data Exchange Decrypting 802.11 Data Frame Payload Generating the WPA-PSK Key Wireless LAN Statistics Using Wireshark Summary References for This Chapter

Chapter 5: Multimedia Packet Capture and Analysis
Multimedia Applications and Protocols Multimedia on the Web Multimedia Streaming Streaming Transport Stream Encoding Format Real-Time Multimedia Signaling SIP SDP SIP over TLS (SIPS) H.323 Media Transport RTP RTCP SRTP and SRTCP WebRTC How Can Wireshark Help Multimedia File Extraction from HTTP Capture Streaming RTP Video Captures Real-Time Media Captures and Analysis Decrypting Signaling (SIP over TLS) Decrypting Secure RTP Extract the SRTP Encryption Key from SDP Filter SRTP-only Packets Feed the Key and SRTP Packets to Libsrtp Convert Text Format to pcap and Add the Missing UDP Header Explanation of Options Used Previously For SRTP Decode For text2pcap Telephony and Video Analysis Wireshark Optimization for VoIP QoS and Network Issues Analyzing VoIP Streams and Graph Call Flow and I/O Graph RTP Stream Analysis RTP Statistics, Packet Loss, Delay, and Jitter Analysis Replaying RTP Payload Summary References for This Chapter

Chapter 6: Cloud and Cloud-Native Traffic Capture
Evolution of Virtualization and Cloud Basics of Virtualization Hypervisor – Definition and Types Virtualization – Virtual Machines and Containers Virtual Machines Containers Traffic Capture in AWS Environment VPC Traffic Mirroring Traffic Capture in GCP Environment Traffic Capture in Docker Environment Traffic Capture in Kubernetes Environment Summary References for This Chapter

Chapter 7: Bluetooth Packet Capture and Analysis
Introduction to Bluetooth Communication Models Radio and Data Transfer Bluetooth Protocol Stack Controller Operations Radio and Baseband Processing Link Management Protocol (LMP) HCI Host Layer Operation L2CAP Application Profile–Specific Protocols SDP Telephony Control Audio/Video Control and Transport RFCOMM Other Adopted Protocols Tools for Bluetooth Capture Linux Windows macOS Bluetooth Packet Filtering and Troubleshooting Controller-to-Host Communication Pairing and Bonding Paired Device Discovery and Data Transfer Summary References for This Chapter

Chapter 8: Network Analysis and Forensics
Network Attack Classification Packet Poisoning and Spoofing Attacks DHCP Spoofing DNS Spoofing and Poisoning Prevention of Spoofing Attacks Network Scan and Discovery Attacks ARP and ICMP Ping Sweeps UDP Port Scan TCP Port Scan OS Fingerprinting Preventing Port Scan Attacks Brute-Force Attacks Preventing Brute-Force Attacks DoS (Denial-of-Service) Attacks Preventing DDoS Attacks Malware Attacks Prevention of Malware Attacks Wireshark Tweaks for Forensics Autoresolving Geolocation Changing the Column Display Frequently Used Wireshark Tricks in Forensics Find Exact Packets One at a Time Contains Operator Following a TCP Stream Wireshark Forensic Analysis Approach Wireshark DDoS Analysis Wireshark Malware Analysis Summary References for This Chapter

Chapter 9: Understanding and Implementing Wireshark Dissectors
Protocol Dissectors Post and Chain Dissectors Creating Your Own Wireshark Dissectors Wireshark Generic Dissector (WSGD) Lua Dissectors C Dissectors Creating Your Own Packet Summary References for This Chapter

Index