Wireshark, the most popular (and free) protocol analyzer, is a great tool for getting familiar with packet analysis. The main Wireshark window is split into three panes. The top pane lists every packet Wireshark captured, showing the timestamp, source IP, destination IP, protocol and information about the packet (such as the source and destination ports, the type of packet, the sequence and acknowledgement numbers, and so forth). The middle pane shows the protocol headers in order, with expandable fields, and the bottom pane shows the raw packet bytes. If you're not familiar with the headers of a packet and the header charts aren't making sense yet, you can click on each field of a header (Ethernet, IP, TCP, ICMP or whatever) and Wireshark highlights that field's bytes in the packet data pane for you.
This makes it very easy to see where the Ethernet header begins and ends, which parts are the IP header, TCP header, and so forth.
As you step through each field, you'll become familiar with the layout of each header. With time you'll start to spot the IP header easily (usually beginning with 45 00), the protocol field (06 for TCP, 01 for ICMP, 11 hex for UDP) and so forth. This is especially helpful for fields that don't fit neatly on byte boundaries, such as the flags field in the IP header (the reserved, don't fragment and more fragments bits) and the TCP flag bits (SYN, FIN, ACK, RST and so forth).
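To see the same field-to-bytes mapping outside Wireshark, here is an added example (not part of the original post): a small Python dissector that walks a hand-assembled Ethernet/IPv4/TCP frame, decodes the fields named above (the 45 lead byte, the protocol byte, the three IP flag bits, the TCP flag bits) and returns the byte ranges each header occupies, which is what Wireshark highlights when you click a field. The frame, MAC and IP addresses and ports are constructed sample values, not a real capture.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample frame (hand-assembled, not a real capture):
# Ethernet II header, then a 20-byte IPv4 header, then a 20-byte TCP SYN.
FRAME = bytes.fromhex(
    "aabbccddeeff" "001122334455" "0800"                  # Ethernet: dst MAC, src MAC, EtherType IPv4
    "4500" "0028" "1c46" "4000" "40" "06" "0000"           # IPv4: 45 00, total len 40, ID, flags/frag (DF set), TTL 64, proto 06, checksum
    "c0a80001" "c0a80002"                                  # IPv4: src 192.168.0.1, dst 192.168.0.2
    "d431" "0050" "00000001" "00000000" "5002" "7210" "0000" "0000"  # TCP: ports, seq, ack, offset/flags (SYN), window, checksum, urgent
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}           # the protocol values the post lists: 01, 06, 11 hex
TCP_FLAG_BITS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
                 ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080), ("NS", 0x100)]

def dissect(frame):
    """Walk Ethernet -> IPv4 -> TCP the way Wireshark's header pane does and return
    the decoded fields plus the (start, end) byte ranges each header occupies."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("EtherType is not IPv4")
    ip_start = 14
    ip = frame[ip_start:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4         # IHL is in 32-bit words, so 0x45 -> version 4, 20 bytes
    if version != 4 or ihl < 20:
        raise ValueError("malformed IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    flags_frag = struct.unpack("!H", ip[6:8])[0]           # 3 flag bits and the 13-bit fragment offset share two bytes
    fields = {
        "ip_header": (ip_start, ip_start + ihl),
        "ip_flags": {"reserved": bool(flags_frag & 0x8000),
                     "DF": bool(flags_frag & 0x4000),
                     "MF": bool(flags_frag & 0x2000)},
        "frag_offset": (flags_frag & 0x1FFF) * 8,          # offset is counted in 8-byte units
        "ttl": ip[8],
        "protocol": PROTO_NAMES.get(ip[9], str(ip[9])),
        "protocol_byte": (ip_start + 9, ip_start + 10),    # the single byte to look for in the hex pane
        "src": str(IPv4Address(ip[12:16])),
        "dst": str(IPv4Address(ip[16:20])),
    }
    if ip[9] == 6:
        tcp_start = ip_start + ihl
        tcp = frame[tcp_start:ip_start + total_len]
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
        fields["tcp_header"] = (tcp_start, tcp_start + (off_flags >> 12) * 4)  # data offset is the top 4 bits
        fields["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                         "flags": [name for name, bit in TCP_FLAG_BITS if off_flags & bit]}
    return fields
```

Call `dissect(FRAME)` and compare the returned byte ranges against the bottom pane of any SYN packet in your own capture; the IP header should sit at bytes 14 to 33 and the protocol byte at offset 23 for a plain Ethernet frame with no IP options.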
Try capturing different types of traffic using capture filters and step through each field. Some traffic will carry additional headers that Wireshark decodes for you, such as DNS. Within the Domain Name System header you'll clearly see fields like the query type, the transaction ID and the type and number of answers returned by the name server.
Wireshark can decode hundreds of protocols, is laid out very intuitively, and is a great aid for learning the inner workings of packets.