
Title:
Practical Packet Analysis : Using Wireshark to Solve Real-World Network Problems.
Author:
Sanders, Chris.
ISBN:
9781593273989
Edition:
2nd ed.
Physical Description:
1 online resource (284 pages)
Contents:
Acknowledgments -- Introduction -- Why This Book? -- Concepts and Approach -- How to Use This Book -- About the Sample Capture Files -- The Rural Technology Fund -- Contacting Me
1: Packet Analysis and Network Basics -- Packet Analysis and Packet Sniffers -- Evaluating a Packet Sniffer -- How Packet Sniffers Work -- How Computers Communicate -- Protocols -- The Seven-Layer OSI Model -- Data Encapsulation -- Network Hardware -- Traffic Classifications -- Broadcast Traffic -- Multicast Traffic -- Unicast Traffic -- Final Thoughts
2: Tapping into the Wire -- Living Promiscuously -- Sniffing Around Hubs -- Sniffing in a Switched Environment -- Port Mirroring -- Hubbing Out -- Using a Tap -- ARP Cache Poisoning -- Sniffing in a Routed Environment -- Sniffer Placement in Practice
3: Introduction to Wireshark -- A Brief History of Wireshark -- The Benefits of Wireshark -- Installing Wireshark -- Installing on Microsoft Windows Systems -- Installing on Linux Systems -- Installing on Mac OS X Systems -- Wireshark Fundamentals -- Your First Packet Capture -- Wireshark's Main Window -- Wireshark Preferences -- Packet Color Coding
4: Working with Captured Packets -- Working with Capture Files -- Saving and Exporting Capture Files -- Merging Capture Files -- Working with Packets -- Finding Packets -- Marking Packets -- Printing Packets -- Setting Time Display Formats and References -- Time Display Formats -- Packet Time Referencing -- Setting Capture Options -- Capture Settings -- Capture File(s) Settings -- Stop Capture Settings -- Display Options -- Name Resolution Settings -- Using Filters -- Capture Filters -- Display Filters -- Saving Filters
5: Advanced Wireshark Features -- Network Endpoints and Conversations -- Viewing Endpoints -- Viewing Network Conversations -- Troubleshooting with the Endpoints and Conversations Windows -- Protocol Hierarchy Statistics -- Name Resolution -- Enabling Name Resolution -- Potential Drawbacks to Name Resolution -- Protocol Dissection -- Changing the Dissector -- Viewing Dissector Source Code -- Following TCP Streams -- Packet Lengths -- Graphing -- Viewing IO Graphs -- Round-Trip Time Graphing -- Flow Graphing -- Expert Information
6: Common Lower-Layer Protocols -- Address Resolution Protocol -- The ARP Header -- Packet 1: ARP Request -- Packet 2: ARP Response -- Gratuitous ARP -- Internet Protocol -- IP Addresses -- The IPv4 Header -- Time to Live -- IP Fragmentation -- Transmission Control Protocol -- The TCP Header -- TCP Ports -- The TCP Three-Way Handshake -- TCP Teardown -- TCP Resets -- User Datagram Protocol -- The UDP Header -- Internet Control Message Protocol -- The ICMP Header -- ICMP Types and Messages -- Echo Requests and Responses -- Traceroute
7: Common Upper-Layer Protocols -- Dynamic Host Configuration Protocol -- The DHCP Packet Structure -- The DHCP Renewal Process -- DHCP In-Lease Renewal -- DHCP Options and Message Types -- Domain Name System -- The DNS Packet Structure -- A Simple DNS Query -- DNS Question Types -- DNS Recursion -- DNS Zone Transfers -- Hypertext Transfer Protocol -- Browsing with HTTP -- Posting Data with HTTP -- Final Thoughts
8: Basic Real-World Scenarios -- Social Networking at the Packet Level -- Capturing Twitter Traffic -- Capturing Facebook Traffic -- Comparing Twitter vs. Facebook Methods -- Capturing ESPN.com Traffic -- Using the Conversations Window -- Using the Protocol Hierarchy Statistics Window -- Viewing DNS Traffic -- Viewing HTTP Requests -- Real-World Problems -- No Internet Access: Configuration Problems -- No Internet Access: Unwanted Redirection -- No Internet Access: Upstream Problems -- Inconsistent Printer -- Stranded in a Branch Office -- Ticked-Off Developer -- Final Thoughts
9: Fighting a Slow Network -- TCP Error-Recovery Features -- TCP Retransmissions -- TCP Duplicate Acknowledgments and Fast Retransmissions -- TCP Flow Control -- Adjusting the Window Size -- Halting Data Flow with a Zero Window Notification -- The TCP Sliding Window in Practice -- Learning from TCP Error-Control and Flow-Control Packets -- Locating the Source of High Latency -- Normal Communications -- Slow Communications: Wire Latency -- Slow Communications: Client Latency -- Slow Communications: Server Latency -- Latency Locating Framework -- Network Baselining -- Site Baseline -- Host Baseline -- Application Baseline -- Additional Notes on Baselines -- Final Thoughts
10: Packet Analysis for Security -- Reconnaissance -- SYN Scan -- Operating System Fingerprinting -- Exploitation -- Operation Aurora -- ARP Cache Poisoning -- Remote-Access Trojan -- Final Thoughts
11: Wireless Packet Analysis -- Physical Considerations -- Sniffing One Channel at a Time -- Wireless Signal Interference -- Detecting and Analyzing Signal Interference -- Wireless Card Modes -- Sniffing Wirelessly in Windows -- Configuring AirPcap -- Capturing Traffic with AirPcap -- Sniffing Wirelessly in Linux -- 802.11 Packet Structure -- Adding Wireless-Specific Columns to the Packet List Pane -- Wireless-Specific Filters -- Filtering Traffic for a Specific BSS ID -- Filtering Specific Wireless Packet Types -- Filtering a Specific Frequency -- Wireless Security -- Successful WEP Authentication -- Failed WEP Authentication -- Successful WPA Authentication -- Failed WPA Authentication -- Final Thoughts
Further Reading -- Packet Analysis Tools -- tcpdump and WinDump -- Cain & Abel -- Scapy -- Netdude -- Colasoft Packet Builder -- CloudShark -- pcapr -- NetworkMiner -- Tcpreplay -- ngrep -- libpcap -- hping -- Domain Dossier -- Perl and Python -- Packet Analysis Resources -- Wireshark Home Page -- SANS Security Intrusion Detection In-Depth Course -- Chris Sanders Blog -- Packetstan Blog -- Wireshark University -- IANA -- TCP/IP Illustrated (Addison-Wesley) -- The TCP/IP Guide (No Starch Press).
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.