If multiple hosts talk through a device, it is likely a router. Switches are transparent, but
you must assume that clients go through switches to reach a router.
Once you learn what is "normal," consider building a filter to remove this normal traffic
from view. What is left after filtering out the good traffic may be one or more shiny
needles.
When you start, it's tough and a bit frustrating, but practice and persistence will make you accomplish amazing things. Don't get discouraged if things seem a bit overwhelming at the beginning; you'll improve fast and it's going to be a ton of fun!
Switches make network analysis a bit more challenging, because they only forward a frame to the port where its destination lives. Those challenges can be overcome using taps or redirection methods.
The following lists some of the analysis tasks that can be performed using
Wireshark:
Find the top talkers on the network
Identify the protocols and applications in use
Determine the average packets per second rate and bytes per second rate of an application or all network traffic on a link
List all hosts communicating
Learn the packet lengths used by a data transfer application
Recognize the most common connection problems
Spot delays between client requests due to slow processing
Locate misconfigured hosts
Detect network or host congestion that is slowing down file transfers
Identify asynchronous traffic prioritization
Graph HTTP flows to examine website referral rates
Identify unusual scanning traffic on the network
Quickly identify HTTP error responses indicating client and server problems
Quickly identify VoIP error responses indicating client, server or global errors
Build graphs to compare traffic behavior
Graph application throughput and compare to overall link traffic seen
Identify applications that do not encrypt traffic
Play back VoIP conversations to hear the effects of various network problems on
network traffic
Perform passive operating system and application use detection
Spot unusual protocols and unrecognized port number usage on the network
Examine the startup process of hosts and applications on the network
Identify average and unacceptable service response times (SRT)
Graph intervals of periodic packet generation applications or protocols
When a packet is sent to the MAC address of the router, that router examines the checksum to ensure the packet is valid. If the checksum is invalid, the packet is dropped. If the checksum is valid, the router strips off the MAC header (such as the Ethernet header) and examines the IP header to identify the "age" (in Time to Live) and destination of the packet. If the packet is too "old" (Time to Live value of 1), the router discards the packet and sends an ICMP Time to Live Exceeded message back to the sender.
If the packet is not too old, the router consults its routing tables to determine if the destination IP network is known. If the router is directly connected to the target network, it can send the packet on to the target. The router decrements the IP header Time to Live value and then creates and applies a new MAC header to the packet before forwarding it.
If the target is not on a locally connected network, the router forwards the packet to the next-hop router that
it learned about when consulting its routing tables.
Routers may contain rules that block or permit packets based on the addressing information. Many routers
provide firewall capabilities and can block/permit traffic based on other characteristics.
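The forwarding decision described above, written out as an added example (not code from the original notes): checksum check, Time to Live check with an ICMP Time Exceeded reply, a permit/deny rule list, and a longest-prefix lookup in a routing table. The routing table, the rule list and every address in it are constructed for the example; the assumption that an unroutable packet is silently dropped is mine, the notes do not say what happens in that case.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str                  # source IP address
    dst: str                  # destination IP address
    ttl: int                  # IP header Time to Live
    checksum_ok: bool = True  # outcome of the header checksum verification


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None = destination network is directly connected
    iface: str


# Constructed routing table: two connected networks, two learned routes
# (one more specific than the other) and a default route.
ROUTES = [
    Route(ipaddress.ip_network("192.168.1.0/24"), None, "eth0"),
    Route(ipaddress.ip_network("192.168.2.0/24"), None, "eth1"),
    Route(ipaddress.ip_network("10.0.0.0/8"), "192.168.2.1", "eth1"),
    Route(ipaddress.ip_network("10.20.0.0/16"), "192.168.2.2", "eth1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.1.1", "eth0"),
]

# Constructed address-based rules, first match wins: (action, source net, destination net)
ACL = [
    ("deny", ipaddress.ip_network("192.168.1.66/32"), ipaddress.ip_network("0.0.0.0/0")),
    ("permit", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0")),
]


def acl_permits(pkt, acl=ACL):
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # implicit deny when no rule matches


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific route whose network contains dst."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def forward(pkt, routes=ROUTES, acl=ACL):
    """Return the router's decision for one packet as a tuple."""
    if not pkt.checksum_ok:
        return ("drop", "invalid checksum")
    if pkt.ttl <= 1:
        # Too old to forward: discard it and tell the sender why.
        return ("icmp-time-exceeded", pkt.src)
    if not acl_permits(pkt, acl):
        return ("drop", "blocked by rule")
    route = lookup(pkt.dst, routes)
    if route is None:
        return ("drop", "no route")  # assumption: unroutable packets are dropped
    # Directly connected: the new MAC header targets the host itself;
    # otherwise it targets the next-hop router learned from the table.
    mac_target = pkt.dst if route.next_hop is None else route.next_hop
    return ("forward", mac_target, route.iface, pkt.ttl - 1)


if __name__ == "__main__":
    for p in (Packet("192.168.1.10", "10.20.3.4", 64),
              Packet("192.168.1.10", "10.20.3.4", 1),
              Packet("192.168.1.66", "10.20.3.4", 64)):
        print(p, "->", forward(p))
```

The 10.20.0.0/16 route wins over 10.0.0.0/8 for a destination inside it because the lookup keeps the longest matching prefix, which is the same behaviour you see when a capture shows a packet leaving through an interface you did not expect.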
Identifiers
The identifier is the element for which you are filtering. In a capture filter for traffic to or from port 53, "53" is
the identifier. The identifier can be a decimal or hexadecimal number or an ASCII string.
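An added example (not from the original notes) that splits a single capture-filter primitive into its parts so the identifier and the qualifiers around it are easy to see. The qualifier vocabulary and the defaults (type `host` when no type is given, direction `src or dst` when no direction is given) come from the pcap-filter grammar; the parser itself, its function name and its output keys are my own and handle one primitive at a time, not compound expressions joined with `and`/`or`.

```python
# Qualifier vocabulary of the pcap-filter grammar.
TYPE_QUALIFIERS = {"host", "net", "port", "portrange"}
PROTO_QUALIFIERS = {"ether", "ip", "ip6", "arp", "rarp", "tcp", "udp", "icmp", "sctp"}
DIR_QUALIFIERS = {"src", "dst", "src or dst", "src and dst"}
DIR_WORDS = {"src", "dst", "or", "and"}


def parse_primitive(text):
    """Split one capture-filter primitive into proto/dir/type qualifiers and its identifier."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty primitive")

    proto = tokens.pop(0) if tokens[0] in PROTO_QUALIFIERS else None

    dir_words = []
    while tokens and tokens[0] in DIR_WORDS:
        dir_words.append(tokens.pop(0))
    direction = " ".join(dir_words) or "src or dst"   # grammar default
    if direction not in DIR_QUALIFIERS:
        raise ValueError(f"bad direction qualifier {direction!r}")

    ptype = tokens.pop(0) if tokens and tokens[0] in TYPE_QUALIFIERS else "host"  # default

    if not tokens:
        raise ValueError(f"no identifier in {text!r}")
    if any(t in TYPE_QUALIFIERS | PROTO_QUALIFIERS | DIR_WORDS for t in tokens):
        raise ValueError("compound expression: this parser takes one primitive")
    identifier = " ".join(tokens)

    # The identifier may be decimal, hexadecimal or an ASCII string (name, address).
    if identifier.lower().startswith("0x"):
        kind, value = "hexadecimal", int(identifier, 16)
    elif identifier.isdigit():
        kind, value = "decimal", int(identifier)
    else:
        kind, value = "string", identifier

    return {"proto": proto, "dir": direction, "type": ptype,
            "identifier": identifier, "kind": kind, "value": value}


if __name__ == "__main__":
    for f in ("tcp dst port 53", "port 0x35", "src or dst host www.example.com", "10.1.1.1"):
        print(f"{f!r:40} -> {parse_primitive(f)}")
```

Both `port 53` and `port 0x35` resolve to the same numeric value, which is why a filter written with a hexadecimal identifier matches the same DNS traffic as the decimal form.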
Qualifiers
If a client doesn't know of a route to the host or network and does not have a gateway (router) to get
off the local network, it won't send any packets to the remote target. Some hosts will send ICMP
Router Solicitation messages to locate a router. Hopefully a local router is configured to send out
ICMP Router Advertisements so the client can discover the router.
Window Size: Every TCP segment (except those exchanged during connection establishment) includes a valid Sequence Number field, an ACK Number or Acknowledgment field, and a Window Size field (containing the window advertisement).
These sizes represent the amount of space the sender of the segment has reserved for storing incoming data the peer sends. The Window Size field in each TCP header indicates the amount of empty space, in bytes, remaining in the receive buffer.
Do not worry about FIN or RST packets with Window 0 values.
Sliding Windows
Each endpoint of a TCP connection is capable of sending and receiving data. The amount of data
sent or received on a connection is maintained by a set of window structures. For each active
connection, each TCP endpoint maintains a send window structure and a receive window structure.
Typically, this window structure is kept at both the sender and the receiver. At the sender, it keeps track of what packets can be released, what packets are awaiting ACKs, and what packets cannot yet be sent. At the receiver, it keeps track of what packets have already been received and acknowledged, what packets are expected (and how much memory has been allocated to hold them), and which packets, even if received, will not be kept because of limited memory.
Although the window structure is convenient for keeping track of data as it flows between sender and receiver, it does not provide guidance as to how large the window should be, or what happens if the receiver or network cannot handle the sender's data rate.
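The send and receive window structures described above, as an added example (not code from the original notes). The sender keeps the three regions the text names (acknowledged, sent but awaiting ACK, not yet sendable) as `snd_una`, `snd_nxt` and the peer's advertised window; the receiver advertises the free space in its buffer and refuses data that would not fit or is not the next expected byte. The `simulate` loop, the class and field names, and the sizes used are my own; the loop also shows what happens when the application reads more slowly than the sender can send, which the text only raises as an open question.

```python
class Sender:
    """Send-side window: data below snd_una is acknowledged, [snd_una, snd_nxt) awaits ACKs,
    and only snd_una + snd_wnd - snd_nxt more bytes may be released now."""

    def __init__(self, isn, data_len, peer_window):
        self.snd_una = isn          # oldest unacknowledged sequence number
        self.snd_nxt = isn          # next sequence number to send
        self.snd_wnd = peer_window  # last window advertised by the peer
        self.end = isn + data_len   # sequence number after the last byte to send

    def usable_window(self):
        return max(0, self.snd_una + self.snd_wnd - self.snd_nxt)

    def unacked(self):
        return self.snd_nxt - self.snd_una

    def send(self, mss=1000):
        """Release one segment (seq, length) if the window allows, else None."""
        n = min(mss, self.usable_window(), self.end - self.snd_nxt)
        if n <= 0:
            return None
        seg = (self.snd_nxt, n)
        self.snd_nxt += n
        return seg

    def on_ack(self, ack, window):
        if ack > self.snd_una:
            self.snd_una = ack
        self.snd_wnd = window       # every ACK carries a fresh advertisement

    def done(self):
        return self.snd_una == self.end


class Receiver:
    """Receive-side window: rcv_nxt is the next expected byte; the advertised window
    is the memory still free in the receive buffer."""

    def __init__(self, irs, buf_size):
        self.rcv_nxt = irs
        self.buf_size = buf_size
        self.buffered = 0           # bytes received but not yet read by the application

    def window(self):
        return self.buf_size - self.buffered

    def receive(self, seq, n):
        """Return (ack, window). Data that is out of order or does not fit is discarded."""
        if seq != self.rcv_nxt or n > self.window():
            return self.rcv_nxt, self.window()
        self.rcv_nxt += n
        self.buffered += n
        return self.rcv_nxt, self.window()

    def app_read(self, n):
        self.buffered -= min(n, self.buffered)


def simulate(data_len=10000, buf_size=4096, app_read=2048, mss=1000):
    """Transfer data_len bytes while the application drains app_read bytes per round."""
    sender = Sender(isn=0, data_len=data_len, peer_window=buf_size)
    receiver = Receiver(irs=0, buf_size=buf_size)
    stats = {"rounds": 0, "segments": 0, "zero_window_acks": 0}
    while not sender.done():
        stats["rounds"] += 1
        while (seg := sender.send(mss)) is not None:   # release all the window allows
            stats["segments"] += 1
            ack, win = receiver.receive(*seg)
            if win == 0:
                stats["zero_window_acks"] += 1          # buffer full: sender must stop
            sender.on_ack(ack, win)
        receiver.app_read(app_read)                     # application frees buffer space
        sender.on_ack(receiver.rcv_nxt, receiver.window())  # window update reopens sending
    return stats


if __name__ == "__main__":
    print(simulate())
```

With a 4096-byte buffer drained 2048 bytes at a time, the receiver advertises a zero window at the end of every full round; those are the Window 0 segments that stand out in a capture when the application, not the network, is the bottleneck.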
Keep Alive
TCP SYN, FIN and RST flags must be set to 0 (off) on Keep Alive packets.
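An added example (not from the original notes) that applies the Window Size and Keep Alive rules above to a constructed, single-direction slice of a TCP conversation: the raw Window Size field is scaled, Window 0 segments are reported only when SYN, FIN and RST are all off, and a segment is called a keep-alive when SYN, FIN and RST are off, it carries at most one byte, and its sequence number is one less than the next expected one. The segment fields, the frame numbers and the window scale value are all constructed; the extra keep-alive criteria (length and sequence number) are the ones Wireshark's TCP analysis uses and are not stated in the notes.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    no: int                 # frame number in the constructed capture
    flags: frozenset        # subset of {"SYN", "ACK", "FIN", "RST", "PSH"}
    seq: int                # Sequence Number field
    window: int             # raw Window Size field
    payload_len: int        # TCP payload bytes
    scale: int = 0          # window scale shift this sender negotiated


def effective_window(seg):
    """Bytes of receive buffer actually advertised (the shift never applies to SYN)."""
    if "SYN" in seg.flags:
        return seg.window
    return seg.window << seg.scale


def is_zero_window(seg):
    return effective_window(seg) == 0 and not (seg.flags & {"SYN", "FIN", "RST"})


def is_keep_alive(seg, next_expected_seq):
    return (seg.payload_len <= 1
            and seg.seq == next_expected_seq - 1
            and "ACK" in seg.flags
            and not (seg.flags & {"SYN", "FIN", "RST"}))


def analyze(segments):
    """Walk one direction of a conversation in capture order; return (frame, tag) findings."""
    findings = []
    next_expected = None
    for seg in segments:
        if next_expected is not None and is_keep_alive(seg, next_expected):
            findings.append((seg.no, "keep-alive"))
        if is_zero_window(seg):
            findings.append((seg.no, "zero window"))
        # SYN and FIN each consume one sequence number in addition to the payload.
        end = seg.seq + seg.payload_len + ("SYN" in seg.flags) + ("FIN" in seg.flags)
        if next_expected is None or end > next_expected:
            next_expected = end
    return findings


F = frozenset
# Constructed sample: handshake SYN, a data segment, a zero window, a keep-alive,
# then FIN and RST that also carry Window 0 but must not be reported.
SAMPLE = [
    Segment(1, F({"SYN"}),        seq=1000, window=65535, payload_len=0),
    Segment(2, F({"ACK", "PSH"}), seq=1001, window=502,   payload_len=100, scale=7),
    Segment(3, F({"ACK"}),        seq=1101, window=0,     payload_len=0,   scale=7),
    Segment(4, F({"ACK"}),        seq=1100, window=502,   payload_len=0,   scale=7),
    Segment(5, F({"FIN", "ACK"}), seq=1101, window=0,     payload_len=0,   scale=7),
    Segment(6, F({"RST"}),        seq=1102, window=0,     payload_len=0),
]

if __name__ == "__main__":
    for no, tag in analyze(SAMPLE):
        print(f"frame {no}: {tag}")
```

Frame 2 advertises 502 in the header but 64256 bytes once the scale factor is applied, which is why a capture that missed the handshake shows misleading window values: the shift was negotiated in frames you never saw.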
SIP
1xx: Provisional: request received, continuing to process the request.
2xx: Success: the action was successfully received, understood, and accepted.
3xx: Redirection: further action needs to be taken in order to complete the request.
4xx: Client Error: the request contains bad syntax or cannot be fulfilled at this server.
5xx: Server Error: the server failed to fulfill an apparently valid request.
6xx: Global Failure: the request cannot be fulfilled at any server.
4xx Request Failure
400: Bad Request
401: Unauthorized
402: Payment Required
403: Forbidden
404: Not Found
405: Method Not Allowed
406: Not Acceptable
407: Proxy Authentication Required
408: Request Timeout
409: Conflict
410: Gone
412: Conditional Request Failed [RFC 3903]
413: Request Entity Too Large
414: Request-URI Too Long
415: Unsupported Media Type
416: Unsupported URI Scheme
417: Unknown Resource-Priority [RFC 4412]
420: Bad Extension
421: Extension Required
422: Session Interval Too Small [RFC 4028]
423: Interval Too Brief
424: Bad Location Information [RFC 6442]
428: Use Identity Header [RFC 4474]
429: Provide Referrer Identity [RFC 3892]
430: Flow Failed [RFC 5626]
433: Anonymity Disallowed [RFC 5079]
436: Bad Identity-Info [RFC 4474]
437: Unsupported Certificate [RFC 4474]
438: Invalid Identity Header [RFC 4474]
439: First Hop Lacks Outbound Support [RFC 5626]
440: Max-Breadth Exceeded [RFC 5393]
469: Bad Info Package [RFC 6086]
470: Consent Needed [RFC 5360]
480: Temporarily Unavailable
481: Call/Transaction Does Not Exist
482: Loop Detected
483: Too Many Hops
484: Address Incomplete
485: Ambiguous
486: Busy Here
487: Request Terminated
488: Not Acceptable Here
489: Bad Event [RFC 6665]
491: Request Pending
493: Undecipherable
494: Security Agreement Required [RFC 3329]
5xx Server Failure
500: Server Internal Error
501: Not Implemented
502: Bad Gateway
503: Service Unavailable
504: Server Time-out
505: Version Not Supported
513: Message Too Large
580: Precondition Failure [RFC 3312]
6xx Global Failures
600: Busy Everywhere
603: Decline
604: Does Not Exist Anywhere
606: Not Acceptable
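An added example (not from the original notes) that turns the response classes above into the triage named earlier in the list of analysis tasks: sort SIP status lines by class, separate client, server and global failures, and note which failures are worth retrying at another server (4xx and 5xx are failures at this server; 6xx means no server can fulfil the request). The status lines are constructed, the function names are my own, and the per-code reason phrases are taken from the lines themselves rather than from a table.

```python
import re
from collections import Counter

STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.+)$")

CLASSES = {
    "1": "Provisional",
    "2": "Success",
    "3": "Redirection",
    "4": "Client Error",
    "5": "Server Error",
    "6": "Global Failure",
}


def classify(code):
    """Return the response class for a SIP status code, or None if it is not a valid code."""
    if not 100 <= code <= 699:
        return None
    return CLASSES[str(code)[0]]


def retry_elsewhere(code):
    """True when another server might still fulfil the request (4xx/5xx), False for 6xx."""
    return 400 <= code <= 599


def summarize(lines):
    """Count responses per class and collect every final failure (code >= 400)."""
    counts = Counter()
    failures = []
    for line in lines:
        m = STATUS_LINE.match(line.strip())
        if not m:
            continue  # requests and non-SIP lines are ignored
        code, reason = int(m.group(1)), m.group(2)
        cls = classify(code)
        if cls is None:
            counts["Invalid"] += 1
            continue
        counts[cls] += 1
        if code >= 400:
            failures.append((code, reason, cls, retry_elsewhere(code)))
    return counts, failures


# Constructed status lines as they would appear in a capture of one call attempt.
SAMPLE = [
    "INVITE sip:bob@example.com SIP/2.0",
    "SIP/2.0 100 Trying",
    "SIP/2.0 180 Ringing",
    "SIP/2.0 486 Busy Here",
    "SIP/2.0 200 OK",
    "SIP/2.0 503 Service Unavailable",
    "SIP/2.0 603 Decline",
    "SIP/2.0 700 Made Up",
]

if __name__ == "__main__":
    counts, failures = summarize(SAMPLE)
    print(dict(counts))
    for code, reason, cls, retry in failures:
        print(f"{code} {reason}: {cls}, retry elsewhere: {retry}")
```

The same split maps directly onto a display filter: client-side problems live in the 4xx range, server-side in 5xx, and a 6xx response tells you the call would have failed no matter which server the proxy tried.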
HTTP
1xx:
2xx:
3xx:
4xx:
5xx: