Wireshark & Ethereal Network Protocol Analyzer Toolkit
Wireshark & Ethereal Network Protocol Analyzer Toolkit provides complete information and step-by-step Instructions for analyzing protocols and network traffic on Windows, Unix or Mac OS X networks. First, readers will learn about the types of sniffers available today and see the benefits of using E...
Chapter 1. Introducing Network Analysis
SOLUTIONS IN THIS CHAPTER
What is Network Analysis and Sniffing?
Who Uses Network Analysis?
How Does it Work?
Detecting Sniffers
Protecting Against Sniffers
Network Analysis and Policy
Summary
Solutions Fast Track
Frequently Asked Questions
Introduction
“Why is the network slow?” “Why can’t I access my e-mail?” “Why can’t I get to the shared
drive?” “Why is my computer acting strange?” If you are a systems administrator, network
engineer, or security engineer you have heard these questions countless times. Thus begins the
tedious and sometimes painful journey of troubleshooting. You start by trying to replicate the
problem from your computer, but you can’t connect to the local network or the Internet either.
What should you do? Go to each of the servers and make sure they are up and functioning? Check
that your router is functioning? Check each computer for a malfunctioning network card?
Now consider this scenario. You go to your main network switch or border router and configure
one of the unused ports for port mirroring. You plug in your laptop, fire up your network analyzer,
and see thousands of Transmission Control Protocol (TCP) packets (destined for port 25) with
various Internet Protocol (IP) addresses. You investigate and learn that there is a virus on the
network that spreads through e-mail, and immediately apply access filters to block these packets
from entering or exiting your network. Thankfully, you were able to contain the problem relatively
quickly because of your knowledge and use of your network analyzer.
What Is Network Analysis and Sniffing?
Network analysis (also known as traffic analysis, protocol analysis, sniffing, packet analysis,
eavesdropping, and so on) is the process of capturing network traffic and inspecting it closely to
determine what is happening on the network. A network analyzer decodes the data packets of
common protocols and displays the network traffic in readable format. A sniffer is a program that
monitors data traveling over a network. Unauthorized sniffers are dangerous to network security
because they are difficult to detect and can be inserted almost anywhere, which makes them a
favorite weapon of hackers.
A network analyzer can be a standalone hardware device with specialized software, or software
that is installed on a desktop or laptop computer. The differences between network analyzers
depend on features such as the number of supported protocols it can decode, the user interface,
and its graphing and statistical capabilities. Other differences include inference capabilities (e.g.,
expert analysis features) and the quality of packet decodes. Although several network analyzers
decode the same protocols, some will work better than others for your environment.
NOTE
The “Sniffer™” trademark (owned by Network General) refers to the Sniffer product line. In the
computer industry, “sniffer” refers generically to a program that captures and analyzes network traffic.
Figure 1.1 shows the Wireshark Network Analyzer display windows. A typical network analyzer
displays captured traffic in three panes:
Summary. This pane displays a one-line summary of the capture. Fields include the date,
time, source address, destination address, and the name and information about the highest-
layer protocol.
Detail. This pane provides all of the details (in a tree-like structure) for each of the layers
contained inside the captured packet.
Data. This pane displays the raw captured data in both hexadecimal and text format.
Figure 1.1. Network Analyzer Display
A network analyzer is a combination of hardware and software. Although there are differences in
each product, a network analyzer is composed of five basic parts:
Hardware. Most network analyzers are software-based and work with standard operating
systems (OSes) and network interface cards (NICs). However, some hardware network
analyzers offer additional benefits such as analyzing hardware faults (e.g., cyclic
redundancy check (CRC) errors, voltage problems, cable problems, jitter, jabber,
negotiation errors, and so on). Some network analyzers only support Ethernet or wireless
adapters, while others support multiple adapters and allow users to customize their
configurations. Depending on the situation, you may also need a hub or a cable tap to
connect to the existing cable.
Capture Driver. This is the part of the network analyzer that is responsible for capturing
raw network traffic from the cable. It filters out the traffic that you want to keep and stores
the captured data in a buffer. This is the core of a network analyzer—you cannot capture
data without it.
Buffer. This component stores the captured data. Data can be stored in a buffer until it is
full, or in a rotation method (e.g., a “round robin”) where the newest data replaces the
oldest data. Buffers can be disk-based or memory-based.
Real-time Analysis. This feature analyzes the data as it comes off the cable. Some network
analyzers use it to find network performance issues, and network intrusion detection
systems (IDSes) use it to look for signs of intruder activity.
Decode. This component displays the contents (with descriptions) of the network traffic so
that it is readable. Decodes are specific to each protocol, thus network analyzers vary in
the number of decodes they currently support. However, new decodes are constantly being
added to network analyzers.
NOTE
Jitter is the term that is used to describe the random variation of signal timing (e.g.,
electromagnetic interference and crosstalk with other signals can cause jitter). Jabber is the
term that is used to describe when a device is improperly handling electrical signals, thus
affecting the rest of the network (e.g., faulty NICs can cause jabber).
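The following is an added example, not code from the book: a minimal Python decoder that walks an Ethernet/IPv4/TCP frame layer by layer (the Decode component), renders the one-line Summary-pane view and the tree-like Detail view described for Figure 1.1, and counts which hosts are sending TCP traffic to port 25, the check an analyst would run in the mail-worm scenario from the introduction. The frames are constructed inline as sample input; the MAC addresses, IP addresses and port numbers are made up.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4/TCP SYN frame (sample input, not a real capture)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + tcp + payload

def decode_frame(frame):
    """Decode layer by layer, the way the Detail pane presents a packet as a tree."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                       # not IPv4 over Ethernet: no decode available
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    detail = {"eth": {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":")},
              "ip": {"src": str(IPv4Address(frame[26:30])),
                     "dst": str(IPv4Address(frame[30:34])),
                     "proto": proto, "ttl": frame[22]}}
    if proto == 6:                        # TCP: read ports and the SYN flag
        off = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[off:off + 4])
        detail["tcp"] = {"sport": sport, "dport": dport, "syn": bool(frame[off + 13] & 0x02)}
    return detail

def summary_line(detail):
    """One-line Summary-pane view: addresses plus the highest-layer protocol decoded."""
    ip = detail["ip"]
    if "tcp" in detail:
        t = detail["tcp"]
        return (f"{ip['src']} -> {ip['dst']} TCP {t['sport']} -> {t['dport']}"
                + (" [SYN]" if t["syn"] else ""))
    return f"{ip['src']} -> {ip['dst']} IP proto {ip['proto']}"

def senders_to_port(frames, port):
    """Count frames per source host sending TCP to `port` (port 25 in the worm scenario)."""
    counts = Counter()
    for frame in frames:
        d = decode_frame(frame)
        if d and "tcp" in d and d["tcp"]["dport"] == port:
            counts[d["ip"]["src"]] += 1
    return counts

# Constructed sample capture: one host hammering port 25, one ordinary web connection.
SAMPLE = [build_frame("10.0.0.5", f"192.0.2.{i}", 40000 + i, 25) for i in range(3)]
SAMPLE.append(build_frame("10.0.0.7", "10.0.0.1", 51000, 80))
```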
Who Uses Network Analysis?
System administrators, network engineers, security engineers, system operators, and programmers
all use network analyzers, which are invaluable tools for diagnosing and troubleshooting network
problems, system configuration issues, and application difficulties. Historically, network analyzers
were dedicated hardware devices that were expensive and difficult to use. However, new advances
in technology have allowed for the development of software-based network analyzers, which make
it more convenient and affordable for administrators to effectively troubleshoot a network. It also
brings the capability of network analysis.