Friday, December 23, 2011

Wireshark As A Teaching Tool

Wireshark, the most popular (and free) protocol analyzer, can be a great tool to gain familiarity in analyzing packets. The main Wireshark window is separated into three frames. The top frame is a list of all the packets Wireshark captured, showing the timestamp, source IP, destination IP, protocol and information about the packet (such as the source and destination port, the type of packet, the sequence and acknowledgement numbers, and so forth) The second frame shows the protocol headers in order, with expandable fields and the last frame is the actual packet data. If you're not familiar with the headers of a packet and the header charts aren't making sense yet, you can click on each field of the headers (Ethernet, IP, TCP, ICMP or whatever) and Wireshark highlights the field in the packet data frame for you.
This makes it very easy to see where the Ethernet header begins and ends, which parts are the IP header, TCP header, and so forth.
As you step through each field, you'll begin to become familiar with the layout of each header. With time you'll start to easily find the IP header (usually beginning with 45 00, the embedded protocol field (06 for TCP, 01 for ICMP, 11 (hex) for UDP) and so forth. This will especially be helpful for fields that don't fit neatly on byte boundaries, such as the flags field in the IP header (reserved, don't fragment, and more fragments bits) and the TCP flags bits (SYN, FIN, ACK, RST, and so forth).
Try capturing different types of traffic using the capture filters and step through each field. Some traffic will have other headers that Wireshark will display for you, such as DNS traffic. Within the Domain Name  System header, you'll be able to clearly see fields like the type of query, the transaction ID number, and the type and number of answers received from the name server.
Wireshark can analyze hundreds of protocols, is laid out very intuitively, and is a great aid to learn the inner secrets of packets. 

Monday, December 19, 2011

Book Recommendation

I'm reading a new book on packet analysis that would be good for someone new to network security (or just networking). It's by Chris Sanders and it's called "Practical Packet Analysis: Using Wireshark To Solve Real-World Problems". The first chapter on "Packet Analysis and Network Basics" would be especially helpful to someone just starting out, as it's one the clearest, easiest to understand summaries of protocols and the TCP\IP stack I've read. It's also not a terribly expensive book. I picked up my copy for about $30. If you're looking for some informative reading on packet analysis over the holidays, I'd recommend this one.

Wednesday, December 14, 2011

Network Security Tool list

Fyodor, author of nmap, maintains the excellent site, which lists the top 125 network security tools as determined by online survey. The 2011 results are posted, and there are no surprises (to me, anyways) in the top ten. This is a great site to peruse and find a new tool to do an old job better, or address a new need.

Blog Archive