This pod is the follow-up to both “Introduction to Network Analysis” and “Advanced Network Analysis,” released by podbooks.com.
I had to write this book after teaching some advanced filtering in a number of hands-on courses - - it is so addictive! Just get ready - you can build filters that will drill down to the most important and interesting packets crossing your network.
This book focuses on the packet filtering techniques that I have used over the years to identify misbehaving applications, identify misconfigured devices, locate the source of excessive ‘network snooping’ and test network firewalls. This book will take you through packet formats and offsets, address filters, protocol filters and the really hot pattern filters. You don’t need to be a rocket scientist to identify the unusual traffic on your network -- you just need this book!
Analyzers Used in this Book
Over the years, I have used numerous analyzer products -- from the early DOS-based analyzers that required manual decoding of the up-to-date protocols to the most recent graphical analyzers that illustrate the network traffic in methods too numerous to mention.
I’ve used good analyzers.
I’ve used bad analyzers.
I’ve used really lousy analyzers.
I hope you select an analyzer that can do all of the tasks shown in this book. The analyzers that I used during the writing of this book are Network Associates’ Sniffer and WildPackets EtherPeek. Both analyzers offer a wide range of features and are relatively easy to operate.
Who Should Read This Book
This book is designed to support anyone who wants to work in networking with a focus on troubleshooting, otimization and security.
Chapter 1, “Packet Filtering and Offsets,” explains the basis for packet filtering. This chapter is absolutely required reading as you start out. It contains details on the two basic requirements for good packet filtering: packet offsets and values. This chapter includes the offset values for Ethernet II frame structures, IPv4 headers, TCP headers, and UDP headers. This chapter also includes my ‘Must Have’ filter list!
Chapter 2, “Address Filtering” covers packet filtering techniques based on source and destination hardware and network -layer address. In this chapter, you learn when to apply each type of address filter and why you’d use the ‘exclude’ feature offered by most analyzers.
Chapter 3, “Protocol Filtering,” introduces the Protocol ID Field (PID) found in any decent header structure. You’ll learn what protocol filters are included with the analyzers used in this book and what you should do when your analyzer doesn’t have the protocol filter you want pre-built.
Chapter 4, “Pattern Filtering” is the meat of this book. This is the section that I hope you will spend most of your time reading and working with. Pattern filters enable you to catch packets based on a single bit value, a string of bits, an entire byte or more -- you only need to know the values of interest. In this chapter, you’ll learn how to build filters to capture all sorts of interesting network traffic patterns. The chapter test will take a bit of time, so settle yourself down in a comfortable chair and have a beer!
Appendix A, “Answers to Chapter Tests” provides the clear, concise answers to all the end-of-chapter tests in this book.
Appendix B, “Hex-Decimal-Binary Conversion Chart” is used in Chapter 4 and as a later reference when you are moving between various numbering styles. Consider getting Hex Workshop (www.bpsoft.com) and using their Base Converter tool -- it’s great!
Appendix C, “Importing and Exporting Sniffer Filters,” gives step-by-step instructions on how to move filters around from one Sniffer to another.
Appendix D, “Importing and Exporting EtherPeek Filters” gives the step-by-step instructions for making quality margaritas. Just kidding - I wonder if anyone really reads these intros.... This appendix obviously gives the instructions for moving EtherPeek filters around from one system to another.