Jump to content

Internet Protocol Analysis/Packet Analyzers

From Wikiversity

This lesson concludes the introduction to Internet protocol analysis by looking at packet analyzers in general and the open source packet analyzer Wireshark in particular. Activities include installing Wireshark and using it to capture network traffic.

Readings

[edit | edit source]
  1. Wikipedia: Packet analyzer
  2. Wikipedia: Promiscuous mode
  3. Wikipedia: Port mirroring
  4. Wikipedia: Wireshark
  5. Wikipedia: pcap

Multimedia

[edit | edit source]
  1. YouTube: Getting Started with Wireshark
  2. YouTube: Intro to using Wireshark - CCNA Network Fundamentals
  3. YouTube: Port Mirroring - CompTIA Network+ N10-005: 1.4
  4. YouTube: Using Wireshark and Cisco Port Mirroring

Activities

[edit | edit source]
  1. Install Wireshark.
  2. Review Wireshark: User's Guide.
  3. Use Wireshark to capture network traffic.
  4. Use Wireshark to filter displayed traffic.
  5. Use Wireshark to filter captured traffic.
  6. Consider situations in which a packet analyzer might be used to troubleshoot network traffic.

Lesson Summary

[edit | edit source]
  • A packet analyzer is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network.[1]
  • Packet analyzers can be software or hardware-based.[2]
  • Network interface controllers (NICs) normally drop frames that are not broadcast or multicast, and do not have the NIC as the destination MAC address.[3]
  • Promiscuous mode is a network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive.[4]
  • Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on firewall settings.[5]
  • Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.[6]
  • Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.[7]
  • Wireshark was originally named Ethereal, but was renamed in May 2006 due to trademark issues.[8]
  • Tcpdump is a command line-based packet analyzer available on most Unix-like operating systems.[9]
  • As a security precaution, it is best to separate packet capture activities from packet analysis activities. Packet capture activities must be run with special privileges, but packet analysis does not require special privileges.[10]
  • Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as libpcap (Unix/Linux) or WinPcap (Windows).[11]

Key Terms

[edit | edit source]
broadcast
Transmit a message to all recipients simultaneously.[12]
broadcast domain
A logical division of a computer network in which all nodes can reach each other by broadcast at the data link layer.[13]
collision domain
A section of a network where data packets can collide with one another when being sent on a shared medium or through repeaters, in particular, when using early versions of Ethernet.[14]
data stream
A sequence of digitally encoded coherent signals (data packets) used to transmit or receive information.[15]
encryption
The process of encoding messages (or information) in such a way that eavesdroppers cannot read it, but that authorized parties can.[16]
Ethereal
The original name of the Wireshark packet analyzer, renamed due to trademark issues.[17]
hub
A multiport repeater that links devices and works at the physical layer of the OSI model.[18]
Intrusion Detection System (IDS)
A device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.[19]
libpcap
A packet capture library used on Unix-like systems.[20]
multicast
Transmit a message to a group of destination computers simultaneously with a single transmission from the source.[21]
Network Interface Controller (NIC)
A computer hardware component that connects a computer to a computer network.[22]
packet analyzer
A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network.[23]
port mirroring
Used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.[24]
promiscuous mode
A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive.[25]
reverse engineering
The process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.[26]
router
A device that forwards data packets between computer networks and works at the network layer of the OSI model.[27]
sniffer
Another term for packet analyzer.[28]
switch
A multiport bridge that links network segments or devices and works at the data link layer of the OSI model.[29]
tcpdump
A command line-based packet analyzer available on most Unix-like operating systems.[30]
tshark[31]
Tool to Dump and analyze network traffic from Wireshark
unicast
Transmit a message to a single destination identified by a unique address.[32]
Virtual LAN (VLAN)
A concept of partitioning a physical network so that distinct broadcast domains are created.[33]
WinPcap
A packet capture library used on Windows systems.[34]
Wireshark
A free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.[35]

Review Questions

[edit | edit source]
Enable JavaScript to hide answers.

Click on a question to see the answer.

  1. A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network is known as a _____.
    A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network is known as a packet analyzer.
  2. Packet analyzers can be _____ (hardware/software/both) based.
    Packet analyzers can be software or hardware-based.
  3. Network interface cards (NICs) normally drop frames that are not _____ or _____, and do not have the NIC as the _____ MAC address..
    Network interface cards (NICs) normally drop frames that are not broadcast or multicast, and do not have the NIC as the destination MAC address.
  4. A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive is known as _____ mode.
    A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive is known as promiscuous mode.
  5. Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on _____ settings.
    Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on firewall settings.
  6. The ability for a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port is known as _____.
    The ability for a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port is known as port mirroring.
  7. An example of a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education is _____.
    An example of a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education is Wireshark.
  8. Wireshark was originally named _____, but was renamed in May 2006 due to trademark issues.
    Wireshark was originally named Ethereal, but was renamed in May 2006 due to trademark issues.
  9. A command line-based packet analyzer available on most Unix-like operating systems is _____.
    A command line-based packet analyzer available on most Unix-like operating systems is tcpdump.
  10. Packet _____ activities must be run with special privileges, but packet _____ activities do not require special privileges.
    Packet capture activities must be run with special privileges, but packet analysis activities do not require special privileges.
  11. Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as _____ or _____.
    Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as libpcap or WinPcap.

Assessments

[edit | edit source]

See also

[edit | edit source]

References

[edit | edit source]
Type classification: this is a lesson resource.
Completion status: this resource is considered to be complete.