//---------------------------------------------------------//
//----------    wireshark meetup presentation    ----------//
//----------    Jan. 2, 2011 - Bob Carnaghi      ----------//
//----------     http://linux.meetup.com/85      ----------//
//---------------------------------------------------------//

http://www.wireshark.org/

//----------//
practical packet analysis by Chris Sanders
    free pdf download of v1 (http://doc.hackbbs.org/Docs_HackAngel/Ebooks by Authors/Chris Sanders - Practical Packet Analysis.pdf)
    v2 released June 2011
    


//----------//
http://en.wikipedia.org/wiki/Wireshark
For example, an alternative is to run `tcpdump`, or the `dumpcap` utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze the packets by running Wireshark with restricted privileges. To make near real time analysis, each captured file may be merged by `mergecap` into growing file processed by Wireshark.

//----------//
nice three-part intro how-to (Mike Lively wireshark site:youtube.com)
    http://www.youtube.com/watch?v=NHLTa29iovU
    http://www.youtube.com/watch?v=7ezGTP99xSw
    http://www.youtube.com/watch?v=2R1DRnu5CxQ

//----------//
www.wiresharku.com (the bit girl)
    http://www.youtube.com/watch?v=fTmlnQE917k
    http://www.youtube.com/watch?v=pRyq5Fk5rL0

//----------//
three-part series, indian guy, pretty good
    http://www.youtube.com/watch?v=pk4OfsxxB4g
    http://www.youtube.com/watch?v=nQyWWWDl_5c
    http://www.youtube.com/watch?v=zwXqzZIHBDQ

notes from this guy:
<video #1: intro>
options (per interface)
    multiple files
    uncheck enable network name resolution

capture traffic on a particular port
    capture filter (interface options)

<video #2: analyze capture>
    three sections of interface
    color scheme of packets
    summary of capture file: statistics/summary
        byte section (data transferred during capture)
        prepare a (display) filter: predefined or custom (built up)
            statistics/summary, captured & displayed count different
        rt click on specific packet {apply as filter | prepare filter | etc.}
            can save filtered packets
        custom columns 
            in data section of window, rt. click on specific info, "apply as column", sort on the new column
        information composite
            analyze/expert info composite
            check out the tabs for errors, warnings, notes, chats, details

<video #3>
    enabled protocols: dissectors
    analyze/enabled protocols (disabling prevents higher protocols from being shown)
    analyze http traffic
        statistics/http/load distribution (etc.)
            packet counter (very important!)
    click on specific packet, rt click, follow tcp stream
        check out options in the window
    destinations
        statistics/ip destination
        check out options in window
    protocol hierarchy
        statistics/protocol hierarchy
        check out the options in the window

    when reporting:
        note filters used
        keep separate copies of the original capture and those  analyzed
        use screenshots, etc.
        write detailed analysis of issue, how identified, etc. as proof of the issue
        consider generating md5 hash of the original file



//----------//
netfort technology (find out what's happening on the network, "languardian")
    http://www.youtube.com/watch?v=8Lfh2k4favc

//----------//
http://en.wikipedia.org/wiki/Port_mirroring
Port Mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. This is commonly used for network appliances that require monitoring of network traffic, such as an intrusion-detection system. Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN); some other vendors have other names for it, such as Roving Analysis Port (RAP) on 3Com switches.
Network Engineers or Administrators use port mirroring to analyze and debug data or diagnose errors on a network. It helps the administrator keep a close eye on network performance and will alert him when problems occur. It can be used to mirror either inbound or outbound traffic on single or multiple interfaces.

//----------//
http://en.wikipedia.org/wiki/Spanning_Tree_Protocol
The Spanning Tree Protocol (STP) is a network protocol that ensures a loop-free topology for any bridged Ethernet local area network. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. Spanning tree also allows a network design to include spare (redundant) links to provide automatic backup paths if an active link fails, without the danger of bridge loops, or the need for manual enabling/disabling of these backup links



//----------//
filters (filter tutorial: http://openmaniak.com/wireshark_filters.php)
    dhcp filter: (ip.addr eq 0.0.0.0 or ip.addr eq 255.255.255.255) and (udp.port eq 67 and udp.port eq 68)
        (ip.addr eq 0.0.0.0 or ip.addr eq 255.255.255.255) and (udp.port eq 67 and udp.port eq 68) and eth.addr == c4:46:19:5f:c4:7f

//----------//
osi layers:
    physical
    data link
    network
    transport
    session
    presentation
    application


//----------//
lots of http tools, especially w/wireshark
www.httprecipes.com

//-------------------------------------------------------//
//---------- intro video ----------//
http://wiresharkdownloads.riverbed.com/video/wireshark/introduction-to-wireshark/
    www.wireshark.org/docs


//-------------------------------------------------------//
//---------- installation ----------//

--> yum search wireshark
Loaded plugins: langpacks, presto, refresh-packagekit
Adding en_US to language list
============================ Matched: wireshark ============================
wireshark-devel.i686 : Development headers and libraries for wireshark
wireshark-devel.x86_64 : Development headers and libraries for wireshark
wireshark-gnome.x86_64 : Gnome desktop integration for wireshark and
                       : wireshark-usermode
wireshark.i686 : Network traffic analyzer
wireshark.x86_64 : Network traffic analyzer
pcapdiff.noarch : Compares packet captures, detects forged, dropped or
                : mangled packets
samba4-pidl.x86_64 : Perl IDL compiler
ulogd-pcap.x86_64 : PCAP output plugin for ulogd
06:45:08

//--------------------//
--> yum -y install wireshark wireshark-gnome


//--------------------//
--> rpm -qi wireshark
Name        : wireshark                    Relocations: (not relocatable)
Version     : 1.4.10                            Vendor: Fedora Project
Release     : 1.fc14                        Build Date: Wed 02 Nov 2011 03:08:13 AM CDT
Install Date: Thu 29 Dec 2011 05:43:50 AM CST      Build Host: x86-14.phx2.fedoraproject.org
Group       : Applications/Internet         Source RPM: wireshark-1.4.10-1.fc14.src.rpm
Size        : 58841237                         License: GPL+
Signature   : RSA/SHA256, Wed 02 Nov 2011 08:03:57 AM CDT, Key ID 421caddb97a1071f
Packager    : Fedora Project
URL         : http://www.wireshark.org/
Summary     : Network traffic analyzer
Description :
Wireshark is a network traffic analyzer for Unix-ish operating systems.

This package lays base for libpcap, a packet capture and filtering
library, contains command-line utilities, contains plugins and
documentation for wireshark. A graphical user interface is packaged
separately to GTK+ package.


//--------------------//
--> rpm -qi wireshark-gnome
Name        : wireshark-gnome              Relocations: (not relocatable)
Version     : 1.4.10                            Vendor: Fedora Project
Release     : 1.fc14                        Build Date: Wed 02 Nov 2011 03:08:13 AM CDT
Install Date: Thu 29 Dec 2011 06:45:32 AM CST      Build Host: x86-14.phx2.fedoraproject.org
Group       : Applications/Internet         Source RPM: wireshark-1.4.10-1.fc14.src.rpm
Size        : 2282742                          License: GPL+
Signature   : RSA/SHA256, Wed 02 Nov 2011 08:00:46 AM CDT, Key ID 421caddb97a1071f
Packager    : Fedora Project
URL         : http://www.wireshark.org/
Summary     : Gnome desktop integration for wireshark and wireshark-usermode
Description :
Contains wireshark for Gnome 2 and desktop integration file


//-------------------------------------------------------//
//---------- tips & tricks ----------//
Edit -> Find
    interface is obvious, fill in the blanks
    CTRL + N - go to next packet in result set
    CTRL + B - go to previous packet in result set

general:
    CTRL + M - mark a packet
    CTRL + SHIFT + N - move to next marked packet
    CTRL + SHIFT + B - move to previous marked packet
    note more mark options under the edit menu

File - Save as
    Note the numerous options available: Displayed, Marked, etc.

View -> Time Display Format
    note that the timestamp that is applied to the packet is assigned by the OS which hosted the capture
    Edit -> Set Time Reference (make the current packet the base time reference)

Filters
    Capture & Display Filters
    Capture Filter - Capture -> Options
    Display Filter - Filter text box above the Packet List pane, or use the Expression Filter Dialog Box (on toolbar)





//-------------------------------------------------------//
//---------- packet captures ----------//

ping-traceroute.pcap
    shows dns, icmp, & traceroute traffic

sync1.pcap
    shows dns query & response
    shows icmp (ping) traffic
    shows nfs traffic (via rsync)

dhcp-failure.pcap
    shows several dhcp requests, shows laptop w/no response-ack

dhcp-failure2.pcap
    fewer packets, transaction a little clearer

svc_success.pcap
    http transaction
    dhcp transaction

//---------------------------------------------------------//
//---------- additional (examples from book) ----------//
Ch. 6 - DHCP
Fragmented Packets
Anatomy of a Slow Download
Slow Route
Sniffing Wirelessly in Linux