Practical Packet Analysis

1. Packet Analysis Unveils Network Truths

All network problems stem from the packet level, where even the prettiest looking applications can reveal their horrible implementations, and seemingly trustworthy protocols can prove malicious.

Beyond the Surface. Packet analysis, or "sniffing," is the art of capturing and interpreting live network data to understand what's really happening. It's like a network detective's toolkit, allowing you to bypass misleading interfaces and get to the raw truth of data flow. This technique is invaluable for understanding network characteristics, identifying bandwidth hogs, detecting malicious activity, and finding bloated applications.

Essential for Troubleshooting. Whether you're a network technician, administrator, or security analyst, packet analysis empowers you to solve problems by examining the fundamental units of network communication. It allows you to identify connectivity issues, DNS problems, slow speeds, and malware infections. By understanding the language of packets, you can diagnose and resolve issues that would otherwise remain hidden.

Choosing the Right Tool. Selecting a packet sniffer involves considering supported protocols, user-friendliness, cost, program support, and operating system compatibility. While commercial options offer fancy reporting, free tools like Wireshark provide robust analysis capabilities and are supported by active communities. The key is to choose a tool that fits your expertise and the specific needs of your network environment.

2. Strategic Sniffer Placement is Key

The challenge with sniffer placement is that a large variety of networking hardware is used to connect devices.

Tapping into the Wire. Effective packet analysis hinges on strategically positioning your packet sniffer to capture the relevant data. This process, known as "tapping the network," requires understanding how different networking devices—hubs, switches, and routers—handle traffic. Simply plugging into a random port won't cut it.

Navigating Switched Networks. In switched environments, where traffic is directed only to intended recipients, you need techniques like port mirroring (copying traffic from one port to another), hubbing out (segmenting the target device with a hub), using a network tap (a hardware device for intercepting traffic), or ARP cache poisoning (redirecting traffic by manipulating ARP tables). Each method has its pros and cons, depending on your access, the switch's capabilities, and the need for stealth.

Routed Environments. In routed environments, where data traverses multiple networks, sniffer placement becomes even more critical. You may need to analyze traffic on both sides of a router to get the full picture. Network maps are invaluable for visualizing the network and determining optimal sniffer placement.

3. Wireshark: Your Indispensable Analysis Tool

It’s the dedication of Gerald and the hundreds of other developers that makes Wireshark such a great analysis platform.

A Packet Analysis Powerhouse. Wireshark is a free, open-source packet analyzer that has become the industry standard. Its benefits include support for a vast range of protocols (over 850), a user-friendly GUI, and a vibrant community providing support and updates. Wireshark runs on all major operating systems, making it a versatile tool for any network professional.

Key Features. Wireshark's main window is divided into three panes: the Packet List (showing captured packets), the Packet Details (displaying hierarchical information about a selected packet), and the Packet Bytes (showing the raw, unprocessed data). Customization options, such as color coding and time display formats, enhance usability.

Getting Started. To capture packets, select Capture > Interfaces, choose the desired interface, and click Start. Wireshark will begin capturing data, which you can then analyze using its various features. Understanding the main window and customizing preferences are essential first steps in mastering Wireshark.

4. Filters: Precision Tools for Packet Selection

Simply stated, a filter is an expression that defines criteria for the inclusion or exclusion of packets.

Two Types of Filters. Filters are essential for focusing on specific traffic within a capture. Capture filters, applied during the capture process, use Berkeley Packet Filter (BPF) syntax to select only the packets you need, improving performance. Display filters, applied to existing captures, allow you to hide unwanted packets or show desired packets based on specified expressions.

BPF Syntax. Capture filters use BPF syntax, which involves combining qualifiers (type, direction, protocol) with identifiers (names or numbers) to create expressions. Logical operators (AND, OR, NOT) can combine primitives for more complex filtering. Examples include:

• host 172.16.16.149 (captures traffic associated with a specific host)
• port 8080 (captures traffic on port 8080)
• icmp[0] == 3 (captures ICMP destination unreachable messages)

Display Filter Syntax. Display filters use a different syntax, offering more flexibility for analyzing captured data. Comparison operators (==, !=, >, <, >=, <=) and logical operators (and, or, xor, not) can be combined to create powerful expressions. Examples include:

• ip.addr==192.168.0.1 (displays packets with a specific IP address)
• frame.len <= 128 (displays packets less than 128 bytes)
• tcp.flags.syn==1 (displays TCP packets with the SYN flag set)

5. Advanced Features for Deep Dive Analysis

This chapter introduces Wireshark.

Endpoints and Conversations. The Endpoints window (Statistics > Endpoints) displays statistics for each network endpoint, including addresses, packets, and bytes transmitted/received. The Conversations window (Statistics > Conversations) shows communication between endpoints, divided by protocol. These windows are crucial for identifying top talkers and troubleshooting network issues.

Protocol Hierarchy Statistics. The Protocol Hierarchy Statistics window (Statistics > Protocol Hierarchy) provides a breakdown of protocol distribution in a capture file, allowing you to benchmark network activity and identify anomalies. This is a great way to get a snapshot of the type of activity occurring on a network.

Name Resolution. Name resolution converts alphanumeric addresses into more recognizable names, making capture files more readable. Wireshark supports MAC, network, and transport name resolution. However, name resolution can fail, generate additional traffic, and require processing overhead.

6. Lower-Layer Protocols: The Foundation of Communication

In order to understand the functionality of IPv4, you need to know how traffic flows between networks.

ARP: Resolving Physical Addresses. The Address Resolution Protocol (ARP) translates IP addresses to MAC addresses, enabling communication on a local network segment. ARP requests are broadcast to find the MAC address associated with a specific IP, while ARP responses provide the mapping. Gratuitous ARP packets update ARP caches when IP addresses change.

IP: Routing Data Between Networks. The Internet Protocol (IP) is responsible for routing data between networks. IPv4 addresses are 32-bit addresses written in dotted-quad notation. IP packets include a Time to Live (TTL) field to prevent routing loops and a header checksum for error detection.

TCP: Reliable Data Delivery. The Transmission Control Protocol (TCP) provides reliable, connection-oriented data transport. TCP uses a three-way handshake (SYN, SYN/ACK, ACK) to establish connections and a four-way teardown (FIN/ACK, ACK, FIN/ACK, ACK) to gracefully end them. TCP also employs sequence numbers, acknowledgment numbers, and a sliding window mechanism for flow control and error recovery.

7. Upper-Layer Protocols: Application-Level Insights

The beauty of working with an open source application is that if you are confused as to why something is occurring, you can look at the source code and find out the exact reason.

DHCP: Automatic IP Configuration. The Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses and other network parameters to clients. The DORA process (Discover, Offer, Request, Acknowledgment) is used to obtain an IP address. DHCP options provide additional configuration information, such as DNS server addresses and default gateway.

DNS: Translating Names to Addresses. The Domain Name System (DNS) translates domain names (e.g., www.google.com) to IP addresses. DNS queries are sent to DNS servers, which respond with the requested information. DNS recursion allows servers to query other servers on behalf of clients. Zone transfers replicate DNS data between servers.

HTTP: Delivering Web Content. The Hypertext Transfer Protocol (HTTP) is used to deliver web content. HTTP uses request methods (e.g., GET, POST) to interact with web servers. HTTP response codes indicate the status of requests. Following TCP streams in Wireshark allows you to view HTTP conversations in a readable format.

8. Basic Real-World Scenarios: Troubleshooting in Action

There is no better way to determine the placement of your packet sniffer than to be able to visualize a network.

Social Networking at the Packet Level. Analyzing traffic from Twitter and Facebook reveals different approaches to authentication and messaging. Twitter uses HTTPS for login but sends direct messages in plaintext. Facebook also uses HTTPS for login and AJAX for messaging.

Capturing ESPN.com Traffic. Analyzing traffic from ESPN.com demonstrates how a single web page can involve multiple connections and protocols. The Conversations and Protocol Hierarchy Statistics windows provide insights into the traffic distribution.

Real-World Problems. Common network problems include no Internet access due to configuration problems, unwanted redirection due to hosts file entries, and upstream problems with remote servers. Packet analysis can help pinpoint the source of these issues.

9. Combating Network Sluggishness: TCP's Role

TCP’s error-recovery features are our best tools for locating, diagnosing, and eventually repairing high latency on a network.

TCP Error Recovery. TCP's error-recovery features are essential for diagnosing network latency. TCP uses retransmissions to recover from packet loss, with the retransmission timer (RTO) determining when to resend packets. Duplicate ACKs signal out-of-order packets, triggering fast retransmissions.

TCP Flow Control. TCP implements a sliding-window mechanism to prevent packet loss. The receive window, advertised by the data recipient, controls the flow of data. Adjusting the window size and using zero window notifications help manage congestion.

Locating Latency Sources. High latency can stem from wire latency (network devices), client latency (client processing), or server latency (server processing). Analyzing the TCP handshake and initial data packets can help pinpoint the source.

10. Packet Analysis Fortifies Network Security

This book is dedicated to God, my parents, and everyone who has ever shown faith in me.

Reconnaissance. Attackers often begin by scanning for open ports and running services. TCP SYN scans are a common technique for identifying open ports. Operating system fingerprinting, both passive and active, helps attackers determine the target's operating system.

Exploitation. Exploitation involves leveraging vulnerabilities to gain access to a system. Operation Aurora exploited an Internet Explorer vulnerability to gain remote control of targeted machines. ARP cache poisoning can redirect traffic for man-in-the-middle attacks.

Remote Access Trojans. Remote Access Trojans (RATs) allow attackers to remotely administer compromised machines. Analyzing traffic from RATs can reveal command structures and data exfiltration techniques.

11. Wireless Networks: A Unique Analysis Landscape

This book was made possible through the direct and indirect contributions of a great number of people.

Physical Considerations. Wireless packet analysis differs from wired analysis due to the shared wireless spectrum. You can only sniff one channel at a time, and wireless signal interference can affect data integrity. Spectrum analyzers, like MetaGeek's Wi-Spy, can help detect interference.

Wireless Card Modes. Wireless NICs operate in different modes: managed, ad hoc, master, and monitor. Monitor mode is essential for capturing wireless packets. Tools like AirPcap overcome Windows limitations on wireless packet capture.

802.11 Packet Structure. Wireless packets include an 802.11 header with information about the packet and transmission medium. Wireless-specific filters, such as wlan.bssid and radiotap.channel.freq, help isolate traffic. Wireless security protocols, like WEP and WPA, encrypt data transmitted over the air.

Last updated: April 6, 2025