
Needle in the Haystack

If multiple hosts talk through a device, it is likely a router. Switches are transparent, but you must assume that clients go through switches to reach a router.
Once you learn what is "normal," consider building a filter to remove this normal traffic from view. What is left after filtering out the good traffic may be one or more shiny needles.
When you start, it's tough and a bit frustrating, but practice and persistence will make you accomplish amazing things. Don't get discouraged if things seem a bit overwhelming at the beginning; you'll improve fast and it's going to be a ton of fun!
Switches make network analysis a bit more challenging. Those challenges can be overcome using taps or redirection methods.
The following lists some of the analysis tasks that can be performed using Wireshark:
Find the top talkers on the network
Identify the protocols and applications in use
Determine the average packets per second rate and bytes per second rate of an application or all network traffic on a link
List all hosts communicating
Learn the packet lengths used by a data transfer application
Recognize the most common connection problems
Spot delays between client requests due to slow processing
Locate misconfigured hosts
Detect network or host congestion that is slowing down file transfers
Identify asynchronous traffic prioritization
Graph HTTP flows to examine website referrals rates
Identify unusual scanning traffic on the network
Quickly identify HTTP error responses indicating client and server problems
Quickly identify VoIP error responses indicating client, server or global errors
Build graphs to compare traffic behavior
Graph application throughput and compare to overall link traffic seen
Identify applications that do not encrypt traffic
Play back VoIP conversations to hear the effects of various network problems on
network traffic
Perform passive operating system and application use detection
Spot unusual protocols and unrecognized port number usage on the network
Examine the startup process of hosts and applications on the network
Identify average and unacceptable service response times (SRT)
Graph intervals of periodic packet generation applications or protocols

When a packet is sent to the MAC address of the router, that router examines the checksum to ensure the packet is valid. If the checksum is invalid, the packet is dropped. If the checksum is valid, the router strips off the MAC header (such as the Ethernet header) and examines the IP header to identify the "age" (in Time to Live) and destination of the packet. If the packet is too "old" (Time to Live value of 1), the router discards the packet and sends an ICMP Time to Live Exceeded message back to the sender.

If the packet is not too old, the router consults its routing tables to determine if the destination IP network is known. If the router is directly connected to the target network, it can send the packet on to the target. The router decrements the IP header Time to Live value and then creates and applies a new MAC header to the packet before forwarding it.

If the target is not on a locally connected network, the router forwards the packet to the next-hop router that it learned about when consulting its routing tables.

Routers may contain rules that block or permit packets based on the addressing information. Many routers provide firewall capabilities and can block/permit traffic based on other characteristics.
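The forwarding decision above, written out as an added Python example (not from the original notes): checksum check, TTL check with an ICMP Time Exceeded reply, longest-prefix route lookup and TTL decrement. The routing table, addresses and the toy checksum are constructed for illustration.

```python
# Added example (not from the original notes): the per-hop decision described
# above, as a function. The routing table, addresses and the toy checksum are
# constructed for illustration; a real router verifies the IP header checksum
# and, after decrementing TTL, rewrites that checksum before forwarding.
import ipaddress

# (prefix, next hop or None when directly connected, outgoing interface)
ROUTING_TABLE = [
    (ipaddress.ip_network("10.1.0.0/16"), None, "eth0"),
    (ipaddress.ip_network("10.2.0.0/16"), "10.1.0.254", "eth0"),
    (ipaddress.ip_network("198.51.100.0/24"), "192.0.2.1", "eth1"),
]


def toy_checksum(ttl, dst):
    """Stand-in for the IP header checksum over the fields this model carries."""
    return (ttl + int(ipaddress.ip_address(dst))) & 0xFFFF


def make_packet(src, dst, ttl):
    """Constructed packet with a checksum that matches its header fields."""
    return {"src": src, "dst": dst, "ttl": ttl, "checksum": toy_checksum(ttl, dst)}


def forward(packet):
    """Return ('drop', reason), ('icmp_time_exceeded', sender) or
    ('forward', next_hop, iface, new_ttl) for one packet reaching the router."""
    if packet["checksum"] != toy_checksum(packet["ttl"], packet["dst"]):
        return ("drop", "bad checksum")
    if packet["ttl"] <= 1:                       # too "old": tell the sender
        return ("icmp_time_exceeded", packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    candidates = [e for e in ROUTING_TABLE if dst in e[0]]
    if not candidates:
        return ("drop", "no route")
    # Longest prefix wins when several table entries cover the destination.
    prefix, next_hop, iface = max(candidates, key=lambda e: e[0].prefixlen)
    new_ttl = packet["ttl"] - 1
    packet["checksum"] = toy_checksum(new_ttl, packet["dst"])  # header changed
    packet["ttl"] = new_ttl
    # Directly connected network: deliver to the destination itself.
    return ("forward", next_hop or packet["dst"], iface, new_ttl)
```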

Automatically Save Packets to One or More Files

When you need to capture a large amount of traffic, consider capturing to a file set and possibly using a ring buffer. File sets are opened and manipulated with File | File Set.

Capture filters consist of identifiers and qualifiers.

Identifiers

The identifier is the element for which you are filtering. In a capture filter for traffic to or from port 53, "53" is
the identifier. The identifier can be a decimal or hexadecimal number or an ASCII string.

Qualifiers

There are three qualifiers used in capture filters:

Type
Dir
Proto
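As an added example (not from the original notes, and not Wireshark's own filter compiler), the following Python parses one capture-filter primitive into these three qualifiers and its identifier, using the pcap-filter vocabulary and defaults, and then builds a dumpcap command that applies the filter together with a ring-buffer file set. The function names, sample filters and file-set sizes are assumptions for illustration.

```python
# Added example (not from the original notes): parse one pcap capture-filter
# primitive into its proto/dir/type qualifiers and identifier, then build a
# dumpcap command that applies it with a ring buffer. Qualifier vocabularies
# and defaults (type=host, dir="src or dst", proto=all) follow pcap-filter.
TYPE_Q = {"host", "net", "port", "portrange"}
PROTO_Q = {"ether", "ip", "ip6", "arp", "rarp", "tcp", "udp", "icmp", "sctp"}
DIR_Q3 = {"src or dst", "src and dst"}           # three-word directions
DIR_Q1 = {"src", "dst"}                          # one-word directions


def parse_primitive(expr):
    """Return {'proto','dir','type','id'} for e.g. 'tcp dst port 53'."""
    words = expr.strip().split()
    if not words:
        raise ValueError("empty capture filter")
    out = {"proto": "all", "dir": "src or dst", "type": "host", "id": None}
    i = 0
    if words[i] in PROTO_Q:                      # proto qualifier comes first
        out["proto"] = words[i]
        i += 1
        if i == len(words):                      # bare 'tcp' etc.: no identifier
            out["dir"] = out["type"] = None
            return out
    three = " ".join(words[i:i + 3])
    if three in DIR_Q3:                          # then the direction
        out["dir"], i = three, i + 3
    elif words[i] in DIR_Q1:
        out["dir"], i = words[i], i + 1
    if i < len(words) and words[i] in TYPE_Q:    # then the type
        out["type"], i = words[i], i + 1
    if i != len(words) - 1:                      # exactly one identifier remains
        raise ValueError("expected a single identifier in %r" % expr)
    out["id"] = words[i]                         # decimal, hex (0x..) or ASCII string
    return out


def dumpcap_ring_buffer_cmd(iface, expr, outfile, filesize_kb, files):
    """argv for dumpcap with a validated capture filter and a ring buffer of
    `files` files of `filesize_kb` kB each (dumpcap's -b filesize:/files: syntax)."""
    parse_primitive(expr)                        # raises on a malformed primitive
    return ["dumpcap", "-i", iface, "-f", expr, "-w", outfile,
            "-b", "filesize:%d" % filesize_kb, "-b", "files:%d" % files]
```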

If a client doesn't know of a route to the host or network and does not have a gateway (router) to get
off the local network, it won't send any packets to the remote target. Some hosts will send ICMP
Router Solicitation messages to locate a router. Hopefully a local router is configured to send out
ICMP Router Advertisements so the client can discover the router.

Window Size

Every TCP segment (except those exchanged during connection establishment) includes a valid Sequence Number field, an ACK Number or Acknowledgment field, and a Window Size field (containing the window advertisement). These sizes represent the amount of space the sender of the segment has reserved for storing incoming data the peer sends. The Window Size field in each TCP header indicates the amount of empty space, in bytes, remaining in the receive buffer.
Do not worry about FIN or RST packets with Window 0 values.
Sliding Windows

Each endpoint of a TCP connection is capable of sending and receiving data. The amount of data sent or received on a connection is maintained by a set of window structures. For each active connection, each TCP endpoint maintains a send window structure and a receive window structure.

Typically, this window structure is kept at both the sender and the receiver. At the sender, it keeps track of what packets can be released, what packets are awaiting ACKs, and what packets cannot yet be sent. At the receiver, it keeps track of what packets have already been received and acknowledged, what packets are expected (and how much memory has been allocated to hold them), and which packets, even if received, will not be kept because of limited memory. Although the window structure is convenient for keeping track of data as it flows between sender and receiver, it does not provide guidance as to how large the window should be, or what happens if the receiver or network cannot handle the sender's data rate.

Zero Windows and Persist Timer

If an acknowledgment (containing a window update) is lost, we could end up with both sides waiting for the other: the receiver waiting to receive data (because it provided the sender with a nonzero window and expects to see incoming data) and the sender waiting to receive the window update allowing it to send. To prevent this form of deadlock from occurring, the sender uses a persist timer to query the receiver periodically, to find out if the window size has increased. The persist timer triggers the transmission of window probes. Window probes are segments that force the receiver to provide an ACK, which also necessarily contains a Window Size field.
The maximum window advertisement is 65,535 bytes unless the Window Scale TCP option is used. In that case, the maximum window advertisement can be much larger (about 1GB).

ECN: Explicit congestion Window

The sender's actual (usable) window W is then written as the minimum of the receiver's advertised window awnd and the congestion window:
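An added example (not from the original notes) modelling the send-side behaviour described in the Sliding Windows, Zero Windows and usable-window passages above: W as the minimum of awnd and the congestion window, a zero-window stall, the persist timer and the window probes it triggers. The Sender class, the tick granularity and all byte counts are constructed for illustration, not a real stack's parameters.

```python
# Added example (not from the original notes): a model of the send side
# described above. Usable window W = min(awnd, cwnd) less data in flight; a
# zero window arms a persist timer whose expiry sends a window probe, and the
# probe's ACK (which carries a window update) ends the stall. Constructed values.
class Sender:
    def __init__(self, cwnd):
        self.cwnd = cwnd            # congestion window, bytes
        self.awnd = 0               # receiver's advertised window, bytes
        self.snd_una = 0            # oldest unacknowledged sequence number
        self.snd_nxt = 0            # next sequence number to send
        self.persist_timer = None   # ticks until next window probe; None = off
        self.probes_sent = 0

    def usable_window(self):        # W less what is already in flight
        return max(0, min(self.awnd, self.cwnd) - (self.snd_nxt - self.snd_una))

    def send(self, nbytes):         # returns bytes actually sent
        n = min(nbytes, self.usable_window())
        self.snd_nxt += n
        if n == 0 and self.awnd == 0 and self.persist_timer is None:
            self.persist_timer = 1  # stalled on a zero window: arm persist timer
        return n

    def on_ack(self, ack, window):  # every ACK carries a window advertisement
        self.snd_una = max(self.snd_una, ack)
        self.awnd = window
        if window > 0:
            self.persist_timer = None  # window opened: stop probing

    def tick(self):                 # one timer tick; True when a probe is sent
        if self.persist_timer is None:
            return False
        self.persist_timer -= 1
        if self.persist_timer > 0:
            return False
        self.probes_sent += 1
        self.persist_timer = min(2 ** self.probes_sent, 60)  # back off, capped
        return True


def zero_window_scenario():
    s = Sender(cwnd=5000)
    s.on_ack(0, 2000)            # receiver advertises a 2000-byte window
    first = s.send(3000)         # only 2000 fit: W = min(2000, 5000)
    s.on_ack(2000, 0)            # data ACKed, but the receive buffer is now full
    stalled = s.send(1000)       # zero window: nothing sent, persist timer armed
    probed = s.tick()            # timer expires -> window probe transmitted
    s.on_ack(2000, 4000)         # the probe's ACK carries the window update
    resumed = s.send(1000)       # stall over
    return first, stalled, probed, resumed, s.probes_sent, s.persist_timer
```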

Keep Alive
TCP SYN, FIN and RST flags must be set to 0 (off) on Keep Alive packets.

SIP
1xx: Provisional. Request received, continuing to process the request.
2xx: Success. The action was successfully received, understood, and accepted.
3xx: Redirection. Further action needs to be taken in order to complete the request.
4xx: Client Error. The request contains bad syntax or cannot be fulfilled at this server.
5xx: Server Error. The server failed to fulfill an apparently valid request.
6xx: Global Failure. The request cannot be fulfilled at any server.
4xx Request Failure
400: Bad Request
401: Unauthorized
402: Payment Required
403: Forbidden
404: Not Found
405: Method Not Allowed
406: Not Acceptable
407: Proxy Authentication Required
408: Request Timeout
409: Conflict
410: Gone
412: Conditional Request Failed [RFC 3903]
413: Request Entity Too Large
414: Request-URI Too Long
415: Unsupported Media Type
416: Unsupported URI Scheme
417: Unknown Resource-Priority [RFC4412]
420: Bad Extension
421: Extension Required
422: Session Interval Too Small [RFC4028]
423: Interval Too Brief
424: Bad Location Information [RFC 6442]
428: Use Identity Header [RFC 4474]
429: Provide Referrer Identity [RFC 3892]
430: Flow Failed [RFC 5626]
433: Anonymity Disallowed [RFC 5079]
436: Bad Identity-Info [RFC 4474]
437: Unsupported Certificate [RFC 4474]
438: Invalid Identity Header [RFC 4474]
439: First Hop Lacks Outbound Support [RFC 5626]
440: Max-Breadth Exceeded [RFC 5393]
469: Bad Info Package [RFC 6086]
470: Consent Needed [RFC 5360]
480: Temporarily Unavailable
481: Call/Transaction Does Not Exist
482: Loop Detected
483: Too Many Hops
484: Address Incomplete
485: Ambiguous
486: Busy Here
487: Request Terminated
488: Not Acceptable Here
489: Bad Event [RFC 6665]
491: Request Pending
493: Undecipherable
494: Security Agreement Required [RFC 3329]
5xx Server Failure
500: Server Internal Error
501: Not Implemented
502: Bad Gateway
503: Service Unavailable
504: Server Time-out
505: Version Not Supported
513: Message Too Large
580: Precondition Failure [RFC 3312]
6xx Global Failures
600: Busy Everywhere
603: Decline
604: Does Not Exist Anywhere
606: Not Acceptable

HTTP
1xx: Informational. Request received, continuing process.
2xx: Success. The action was successfully received, understood, and accepted.
3xx: Redirection. Further action must be taken in order to complete the request.
4xx: Client Error. The request contains bad syntax or cannot be fulfilled.
5xx: Server Error. The server failed to fulfill an apparently valid request.
