Internet Protocol Analysis/Packet Analyzers

This lesson concludes the introduction to Internet protocol analysis by looking at packet analyzers in general and the open source packet analyzer Wireshark in particular. Activities include installing Wireshark and using it to capture network traffic.

Readings

 * 1) Packet analyzer
 * 2) Promiscuous mode
 * 3) Port mirroring
 * 4) Wireshark
 * 5) pcap

Multimedia

 * 1) YouTube: Getting Started with Wireshark
 * 2) YouTube: Intro to using Wireshark - CCNA Network Fundamentals
 * 3) YouTube: Port Mirroring - CompTIA Network+ N10-005: 1.4
 * 4) YouTube: Using Wireshark and Cisco Port Mirroring

Activities

 * 1) Install Wireshark.
 * 2) Review Wireshark: User's Guide.
 * 3) Use Wireshark to capture network traffic.
 * 4) Use Wireshark to filter displayed traffic.
 * 5) Use Wireshark to filter captured traffic.
 * 6) Consider situations in which a packet analyzer might be used to troubleshoot network traffic.

Lesson Summary

 * A packet analyzer is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network.
 * Packet analyzers can be software or hardware-based.
 * Network interface controllers (NICs) normally drop frames whose destination MAC address is not the NIC's own address, a broadcast address, or a multicast address.
 * Promiscuous mode is a network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive.
 * Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on firewall settings.
 * Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.
 * Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.
 * Wireshark was originally named Ethereal, but was renamed in May 2006 due to trademark issues.
 * Tcpdump is a command line-based packet analyzer available on most Unix-like operating systems.
 * As a security precaution, it is best to separate packet capture activities from packet analysis activities. Packet capture activities must be run with special privileges, but packet analysis does not require special privileges.
 * Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as libpcap (Unix/Linux) or WinPcap (Windows).
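The following is an added example written for this lesson; it is not Wireshark, tshark or libpcap code. It ties together the capture-and-filter activities above and the summary points on NIC frame filtering, privilege separation and the pcap format: a small Python script that reads a classic libpcap file offline, models which frames a NIC would pass up to the CPU in normal versus promiscuous mode, and applies a display-filter-style predicate to the decoded fields. The capture, MAC addresses and IP addresses are all constructed inline (no real traffic), and the reader validates every record length because a capture file handed to the analysis step is untrusted input.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_pcap(frames, snaplen=65535):
    """Serialise raw Ethernet frames as a little-endian pcap file (sample construction only)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    records = []
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        records.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return header + b"".join(records)


def read_pcap(data):
    """Yield (timestamp, frame) from a classic pcap file, checking every length field."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:   # same magic, written by a big-endian host
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic 0x{magic:08x})")
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        # Never trust incl_len: a corrupt or hostile file can claim more bytes than exist.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError(f"record at offset {off - 16} exceeds snaplen or file size")
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Decode the Ethernet II header and, for IPv4 payloads, the protocol number."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    ip_proto = None
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20 and payload[0] >> 4 == 4:
        ip_proto = payload[9]   # IPv4 header byte 9 is the protocol field (6=TCP, 17=UDP)
    return {"dst_raw": dst, "dst": mac_str(dst), "src": mac_str(src),
            "ethertype": ethertype, "ip_proto": ip_proto}


def nic_would_accept(dst_raw, own_mac, promiscuous=False):
    """Model of the NIC hardware filter: in normal mode only frames addressed to the NIC,
    to broadcast, or to a multicast group (I/G bit of the first octet set) are passed up."""
    if promiscuous:
        return True
    if dst_raw == own_mac or dst_raw == BROADCAST_MAC:
        return True
    return bool(dst_raw[0] & 0x01)


def analyze(pcap_bytes, own_mac, promiscuous=False, display_filter=lambda d: True):
    """Decoded records the modelled NIC would have captured, after the display filter."""
    results = []
    for ts, frame in read_pcap(pcap_bytes):
        d = decode_frame(frame)
        d["timestamp"] = ts
        if nic_would_accept(d["dst_raw"], own_mac, promiscuous) and display_filter(d):
            results.append(d)
    return results


# --- constructed sample traffic (hypothetical addresses, not a real capture) ---
OWN_MAC = bytes.fromhex("aabbccddee01")
OTHER_MAC = bytes.fromhex("aabbccddee02")
GATEWAY_MAC = bytes.fromhex("001122334455")
MDNS_MAC = bytes.fromhex("01005e0000fb")   # IPv4 multicast group MAC for 224.0.0.251


def ipv4_packet(proto, src_ip, dst_ip):
    # Minimal 20-byte IPv4 header; checksum left at zero since nothing here verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, bytes(src_ip), bytes(dst_ip))


def ethernet(dst, src, ethertype, payload):
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


SAMPLE_PCAP = build_pcap([
    ethernet(BROADCAST_MAC, GATEWAY_MAC, ETHERTYPE_ARP, b"\x00" * 28),                     # ARP, broadcast
    ethernet(OWN_MAC, GATEWAY_MAC, ETHERTYPE_IPV4, ipv4_packet(6, [10, 0, 0, 1], [10, 0, 0, 20])),     # TCP to us
    ethernet(OTHER_MAC, GATEWAY_MAC, ETHERTYPE_IPV4, ipv4_packet(17, [10, 0, 0, 1], [10, 0, 0, 21])),  # UDP to neighbour
    ethernet(MDNS_MAC, OTHER_MAC, ETHERTYPE_IPV4, ipv4_packet(17, [10, 0, 0, 21], [224, 0, 0, 251])),  # UDP multicast
])

# Equivalent of the Wireshark display filter "ip.proto == 17"
udp_only = lambda d: d["ethertype"] == ETHERTYPE_IPV4 and d["ip_proto"] == 17

if __name__ == "__main__":
    for mode in (False, True):
        seen = analyze(SAMPLE_PCAP, OWN_MAC, promiscuous=mode)
        print(f"promiscuous={mode}: {len(seen)} frames captured")
        for d in seen:
            print(f"  {d['src']} -> {d['dst']} type=0x{d['ethertype']:04x} ip_proto={d['ip_proto']}")
    print("UDP frames in promiscuous mode:", len(analyze(SAMPLE_PCAP, OWN_MAC, True, udp_only)))
```

Run as a script it prints three frames for the normal-mode NIC (the neighbour's unicast UDP is dropped by the hardware filter) and four in promiscuous mode. The same `read_pcap` would accept a file written with `tcpdump -w`, which needs capture privileges, while this analysis step runs as an ordinary user, which is exactly the separation the summary recommends.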

Key Terms

 * broadcast
 * Transmit a message to all recipients simultaneously.


 * broadcast domain
 * A logical division of a computer network in which all nodes can reach each other by broadcast at the data link layer.


 * collision domain
 * A section of a network where data packets can collide with one another when being sent on a shared medium or through repeaters, in particular, when using early versions of Ethernet.


 * data stream
 * A sequence of digitally encoded coherent signals (data packets) used to transmit or receive information.


 * encryption
 * The process of encoding messages (or information) in such a way that eavesdroppers cannot read it, but that authorized parties can.


 * Ethereal
 * The original name of the Wireshark packet analyzer, renamed due to trademark issues.


 * hub
 * A multiport repeater that links devices and works at the physical layer of the OSI model.


 * Intrusion Detection System (IDS)
 * A device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.


 * libpcap
 * A packet capture library used on Unix-like systems.


 * multicast
 * Transmit a message to a group of destination computers simultaneously with a single transmission from the source.


 * Network Interface Controller (NIC)
 * A computer hardware component that connects a computer to a computer network.


 * packet analyzer
 * A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network.


 * port mirroring
 * Used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.


 * promiscuous mode
 * A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive.


 * reverse engineering
 * The process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.


 * router
 * A device that forwards data packets between computer networks and works at the network layer of the OSI model.


 * sniffer
 * Another term for packet analyzer.


 * switch
 * A multiport bridge that links network segments or devices and works at the data link layer of the OSI model.


 * tcpdump
 * A command line-based packet analyzer available on most Unix-like operating systems.


 * tshark
 * The command-line tool from the Wireshark project that dumps and analyzes network traffic.


 * unicast
 * Transmit a message to a single destination identified by a unique address.


 * Virtual LAN (VLAN)
 * A concept of partitioning a physical network so that distinct broadcast domains are created.


 * WinPcap
 * A packet capture library used on Windows systems.


 * Wireshark
 * A free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.

Assessments

 * /Lesson Flashcards/
 * /Terms Flashcards/
 * /Quiz/