Table of Contents for
Mastering Wireshark 2

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Mastering Wireshark 2 by Andrew Crouthamel Published by Packt Publishing, 2018
  1. Mastering Wireshark 2
  2. Title Page
  3. Copyright and Credits
  4. Mastering Wireshark 2
  5. Packt Upsell
  6. Why subscribe?
  7. PacktPub.com
  8. Contributor
  9. About the author
  10. Packt is searching for authors like you
  11. Table of Contents
  12. Preface
  13. Who this book is for
  14. What this book covers
  15. To get the most out of this book
  16. Download the color images
  17. Conventions used
  18. Get in touch
  19. Reviews
  20. Installing Wireshark 2
  21. Installation and setup
  22. Installing Wireshark on Windows
  23. Installing Wireshark on macOS
  24. Installing Wireshark on Linux
  25. Summary
  26. Getting Started with Wireshark
  27. What's new in Wireshark 2?
  28. Capturing traffic
  29. How to capture traffic
  30. Saving and exporting packets
  31. Annotating and printing packets
  32. Remote capture setup
  33. Prerequisites
  34. Remote capture usage
  35. Summary
  36. Filtering Traffic
  37. Berkeley Packet Filter (BPF) syntax
  38. Capturing filters
  39. Displaying filters
  40. Following streams
  41. Advanced filtering
  42. Summary
  43. Customizing Wireshark
  44. Preferences
  45. Appearance
  46. Layout
  47. Columns
  48. Fonts and colors
  49. Capture
  50. Filter buttons
  51. Name resolution
  52. Protocols
  53. Statistics
  54. Advanced
  55. Profiles
  56. Colorizing traffic
  57. Examples of colorizing traffic
  58. Example 1
  59. Example 2
  60. Summary
  61. Statistics
  62. TCP/IP overview
  63. Time values and summaries
  64. Trace file statistics
  65. Resolved addresses
  66. Protocol hierarchy
  67. Conversations
  68. Endpoints
  69. Packet lengths
  70. I/O graph
  71. Load distribution
  72. DNS statistics
  73. Flow graph
  74. Expert system usage
  75. Summary
  76. Introductory Analysis
  77. DNS analysis
  78. An example for DNS request failure
  79. ARP analysis
  80. An example for ARP request failure
  81. IPv4 and IPv6 analysis
  82. ICMP analysis
  83. Using traceroute
  84. Summary
  85. Network Protocol Analysis
  86. UDP analysis
  87. TCP analysis I
  88. TCP analysis II
  89. Graph I/O rates and TCP trends
  90. Throughput
  91. I/O graph
  92. Summary
  93. Application Protocol Analysis I
  94. DHCP analysis
  95. HTTP analysis I
  96. HTTP analysis II
  97. FTP analysis
  98. Summary
  99. Application Protocol Analysis II
  100. Email analysis
  101. POP and SMTP
  102. 802.11 analysis
  103. VoIP analysis
  104. VoIP playback
  105. Summary
  106. Command-Line Tools
  107. Running Wireshark from a command line
  108. Running tshark
  109. Running tcpdump
  110. Running dumpcap
  111. Summary
  112. A Troubleshooting Scenario
  113. Wireshark plugins
  114. Lua programming
  115. Determining where to capture
  116. Capturing scenario traffic
  117. Diagnosing scenario traffic
  118. Summary
  119. Other Books You May Enjoy
  120. Leave a review - let other readers know what you think

TCP analysis II

In this section, we will take a look at filtering on many different TCP header fields, and what kind of issues we could see based on some of the fields that we look at.

So, what we can see in the following screenshot is a packet capture of the websites that were opened:

You can see we still have the TCP column enabled, so we can go down and find a TCP packet, and we'll see the field information again:

As with many of the other protocols that we've looked at, we can right-click on any of the fields and apply them as a filter. What we may want to do is expand the Flags, and look for anything that has the urgent bit set:

The urgent bit is not often used. The only one that we can think of is using Telnet, and what it does is it prioritizes the packets, basically. So what we can do is right-click on Urgent bit, and we'll go to Apply a Filter | Selected:

And we'll see that the filter's created, but it's based on 0. So we'll change it to 1:

Now, we will see whether there are any packets that have the urgent bits set. We see that there are none, which is good. Another thing we can do is delete the filter back to tcp.flags, and if we press Enter on that, it now filters based on every single packet that has flags enabled:

As you can see, we have a lot of packets that have flags enabled. So in this packet that capture may not be very useful. Depending on the type of traffic that you are seeing, that may be helpful to see what has flags and what doesn't. Here, it has too many packets that have flags to make that a useful filter. What we could do though is customize that and look for anything that has a reset. Usually, a reset is either at the end of a good connection, as explained, or it's indicative of a failure. What we'll do is we'll change our display filter so that it is tcp.flags.reset == 1:

You can see we have quite a few packets that have resets. We can take a look at one of these, and look at the traffic surrounding the reset to see whether that's indicative of a problem. So, let's choose one packet and right-click on it and go to Follow | TCP Stream:

Close this, and we see it looks like some sort of a certificate transfer:

We have a three-way handshake; we have a client and server hello—it looks like it was a TLS negotiation. Then there are some packets of application data. Furthermore, the system sent a FIN, ACK, so we finalized the connection. That was an implicit termination, which was then followed up with an explicit termination, the reset. So this is actually fine. The system said: "I'm done with this connection, and then we'll reset and totally terminate this connection". So that's actually fine, but you can see how that's useful to be able to pull out everything that is a reset.

What we could also do is take a look at window size, and for that we will enter tcp.window_size < 50 and press Enter:

We see that we have quite a number of packets that have a window size of less than 50. Usually, a small window size is an indication of a problem. On a reset packet, it's not necessarily a problem because we're terminating a connection anyway, but if you see window sizes that are of a small value on standard data transfer packets, that's a problem. That's some sort of buffer problem in your linear devices in the network stack on, on one of the two. Additionally, Wireshark has some analysis filters that we can use, and we'll show one that is window size related. For that we will enter tcp.analysis.zero_window. If we press Enter on that, you'll see the following screenshot:

This is actually all of the packets that have a window size of 0, which is a problem. So these are potential issues. These are acknowledgments from the system to a variety of different servers out there, with the system declaring that it has no buffer space available. It's received buffer's full and it sends a zero window response back to the servers out there, saying: "please slow down". So this is a potential issue on the system.

Another interesting one that we could do is take a look at the header length. As you know, the TCP header can fluctuate in size, let's right-click on Header Length and go to Prepare a Filter | Selected:

We didn't use Apply as Filter here; that way, it doesn't apply it right away.

In the filter tab, we will enter tcp.hdr_len > 20, and here we go:

You can see that the first header length that pops up has 32 bytes. So, here's a good example of finding packets that have Options in them.

If we scroll down, we can see that the Header Length is larger than the standard 20 because it has Options built into it somewhere. Here, you can see this packet has Selective Acknowledgments and window scaling. You could also do a similar thing by filtering on Options, so right-click on Options and go to Prepare a Filter | Selected:

We prepare a filter and enter tcp.options. So here's every packet with options that are enabled within them: