Episode Details

Back to Episodes
Course 6 - Network Traffic Analysis for Incident Response | Episode 2: Wireshark Features and Comprehensive Protocol Dissection

Course 6 - Network Traffic Analysis for Incident Response | Episode 2: Wireshark Features and Comprehensive Protocol Dissection

Published 6 months, 1 week ago
Description
In this lesson, you’ll learn about:
  • Transitioning from theoretical networking concepts to hands-on traffic analysis.
  • Using Wireshark to capture, dissect, filter, and understand live network traffic.
  • Identifying how common protocols appear in real packet captures, including their structure and behavior.
  • Recognizing how different protocols handle communication, reliability, and security.
Wireshark: Introduction & Core Features
  • What Wireshark Is:
    • A free, GUI-based network traffic analyzer (formerly Ethereal).
    • Supports live packet capture and loading .cap / .pcap files.
  • Key Features Covered:
    • Capture Management:
      • Start live captures with options like promiscuous mode.
      • Load and inspect previously saved capture files.
    • File Handling & Exporting:
      • Merge capture files (if timestamps align).
      • Import packets from hex dumps.
      • Export selected packets or full dissections in text, CSV, JSON, XML.
      • Export TLS session keys for decrypting certain encrypted traffic.
    • UI Navigation:
      • Color-coded packet list (e.g., green = TCP/HTTP, red = errors/retransmissions).
      • Three-pane layout: Packet list → Protocol dissection → Raw hex/ASCII.
    • Analysis Tools:
      • Display filters for precise inspection (e.g., tcp.port == 80).
      • Follow TCP/HTTP Stream to trace entire conversations.
      • Decode As to reinterpret traffic running on uncommon ports.
Protocol Dissection: What You’ll See in Wireshark 1. IP (IPv4/IPv6)
  • View IP headers, including TTL (Time To Live) as hop count.
  • Look at IPv6 structures and tunneling protocols such as:
    • 6to4
    • 6in4
  • Learn how IPv6 packets travel across IPv4 networks.
2. TCP (Transmission Control Protocol)
  • Understand reliability and session management.
  • Observe:
    • The 3-way handshake: SYN → SYN-ACK → ACK
    • Connection teardown: FIN/FIN-ACK or RST
    • Flags, sequence numbers, acknowledgments, and retransmissions.
3. UDP (User Datagram Protocol)
  • Minimal, fast, connectionless protocol.
  • No handshake, no retransmission.
  • Used in scenarios requiring speed over reliability.
4. ICMP (Internet Control Message Protocol)
  • Used for error reporting and diagnostic tools like:
    • Ping (Echo Request/Reply – Type 8/Type 0)
    • Traceroute
  • Note: While essential, ICMP must be carefully controlled on networks.
5. ARP (Address Resolution Protocol)
  • Maps IP → MAC inside local networks.
  • Stateless nature allows ARP poisoning, a common man-in-the-middle technique.
Higher-Level / Application Protocols in Wireshark 1. DNS (Domain Name System)
  • Seen mostly over UDP.
  • Analyze queries, recursion, multiple responses (A, MX, etc.).
2. HTTP (Hypertext Transfer Protocol)
  • Review request lines, headers (User-Agent, Host, URI) and response codes.
  • HTTP is common in analysis due to high traffic volume.
  • Also widely monitored because attackers often misuse it for hidden communications.
3. FTP (File Transfer Protocol)
  • A clear-text protocol:
    • Credentials and transfers visible in packet captures.
  • Highlights the need for secure alternatives (FTPS / SFTP).
4. IRC (Internet Relay Chat)
  • Simple text-based protocol.
  • Multi-user cha
Listen Now

Love PodBriefly?

If you like Podbriefly.com, please consider donating to support the ongoing development.

Support Us