Packet Analysis

tags : Networking, Network Programming, TCP&UDP, Security, Reverse Engineering

Tools §

• wireshark
• dhcpdump
• tcpdump
  • A workshop on strace & tcpdump
  • tcpdump is amazing
  • https://my.f5.com/manage/s/article/K2289
  • tcpdump isn’t stateful. It reads fragments one at a time, prints them, and forgets about them.
  • To see packet data, use -X and -XX
• tshark
  • Tshark’s live output looks a lot nicer to me and easier to understand compared to tcpdump. But if I’m just writing a pcap file it doesn’t matter.
  • Also tshark can be used to extract specific fields that you can then log or manipulate with the usual sed/awk/grep utilities to analyze in specific scenarios.
• ngrep
• tcpflow
  • Reassembles the complete contents of a TCP connection by paying attention to sequence numbers.
• nethogs
• iperf
• nprobe, ntopng

Comments §

tshark+tcpdump §

• TCP tries really hard to avoid fragmentation, by setting the DF flag and reducing the MSS when it sees a PTB error.
• Of course that sometimes fails, so if you still have TCP fragmented segments, the next best thing is to filter by source/destination address, saving to a PCAP file, then run tshark on that file with the “-2” flag which does packet reassembly.

Learning resources §

Basics §

• What is a Protocol? (Deepdive) - YouTube
• 26: Packet Capture 101 | Learn Wireshark @ SF22US - YouTube
• Wireshark Sharkfest 2014 Session B1 ArtofPacketAnalysis - YouTube
• 22: The Life of a Packet, The art of the trace file synchronization
  • netdev day 2: moving away from “as fast as possible” in networking code
• 19 - How I Learned to Stop Worrying and Love the PCAP | Learn Wireshark - YouTube
• 01 - Network Troubleshooting from Scratch | Learn Wireshark @ SF22US - YouTube
• SF18EU - 01: Back to the Basics (Hansang Bae) - YouTube

Tactical §

• SF21VEU - 04 Automate your Analysis: tshark, the Swiss army knife (André Luyer) - YouTube
• 09 - Looking For “Packets” in all the “Right” Places | Learn Wireshark - YouTube
• 06 - Wireshark in use on LTE and 5G networks | Learn Wireshark! - YouTube
• SF21VEU - 03 Chasing application performance w/ Wireshark (Matthias Kaiser) - YouTube

TLS §

• 17: Visualizing and Decrypting TLS 1.3 | Learn Wireshark @ SF22US - YouTube
• Intercepting Go TLS Connections with Wireshark

Wireshark §

• Wireshark Masterclass - YouTube 🌟
• SF18EU - 04: Back to the Trenches (Hansang Bae) - YouTube (2018)
  • 10 Back to the Packet Trenches | Learn Wireshark - YouTube (2022)
• 23 - Wireshark and WiFi: capture techniques & challenges - YouTube
• 24: 10 Tools I use that Compliment Wireshark | Learn Wireshark @ SF22US - YouTube

TCP §

• 10: Understanding TCP Throughput | Learn Wireshark @ SF22US (Kary Rogers) - YouTube (2022)
  • SF18ASIA: 18 - Understanding Throughput & TCP Windows (Kary Rogers) - YouTube (2018)
• SF21VEU - 11 How long is a packet? And does it really matter? (Dr. Stephen Donnelly)
• 19: Understanding TCP Conversation Completeness | Learn Wireshark @ SF22US - YouTube
• 20: TCP SACK Overview and Impact on Performance | Learn Wireshark @ SF22US - YouTube (2023)
  • 21 - TCP SACK overview & impact on performance | Learn Wireshark - YouTube (2022)

DNS §

• 01 Analyzing DNS from the Server Perspective using Wireshark - YouTube

UDP/QUIC §

• 07 - Intro to QUIC - The TCP Killer? | Learn Wireshark - YouTube