Wireshark 101:
Essential Skills for Network Analysis
This book is based on the most common questions posed by Wireshark users and over 20 years of experience analyzing networks and teaching analysis skills.
Check out the Table of Contents in the Preview Pages section below to view the numerous skills and labs contained in this title. Jump directly to a skill you wish to master, or follow along from start to end to gradually enhance your Wireshark network analysis capabilities.
The Wireshark 101 course is available in the All Access Pass as well.
Who is this book for?
This book is written for beginner analysts and includes 46 step-by-step labs to walk you through many of the essential skills contained herein. This book provides an ideal starting point whether you are interested in analyzing traffic to learn how an application works, you need to troubleshoot slow network performance, or determine whether a machine is infected with malware. Learning to capture and analyze communications with Wireshark will help you really understand how TCP/IP networks function.
As the most popular network analyzer tool in the world, the time you spend honing your skills with Wireshark will pay off when you read technical specs, marketing materials, security briefings, and more. This book can also be used by current analysts who need to practice the skills contained in this book. In essence, this book is for anyone who really wants to know what's happening on their network.
Book Supplements
Page Samples
Sort column contents for min/max/alpha values
Sample lab focused on importing custom profile
Detect when Wireshark can't keep up during capture
Quick Reference: Display Filter Area
Graph application bandwidth using tcp.port and udp.port
Use Tshark to export field values and statistics from trace files
Book Details
Paperback ISBN: 978-1893939752
Page Count: 408
Kindle ASIN: B06XRXLSB9
Teaching Wireshark? Learn about the Student Manual version.
Go to Info for Educators.
Purchasing Options
This book is available through Amazon and any bookstore that orders through the Ingram Book Distribution system. New titles and editions may not be available through all global amazon sites immediately.
Bulk purchases (over 50 books) can be ordered directly from Chappell University. For bulk purchases, please contact us.
Errata
LAB 10 - The chappellu.com/nothere.html page really isn't available as we've moved the site and are using HTTPS now. Try going to packet-level.com/nothere.html. We are keeping that site running under HTTP and you'll get your 404 error message for Lab 10 on that site.
PAGE 155 (Thanks to Patrick for catching this one.)
On page 155 of this second edition, I addressed the dangers of using the http filter rather than tcp.port==80. The http filter won't show you the TCP handshake, ACKs, teardown, etc. I always want to see these things.
In the book, I referred to the different number of packets that you would see in these cases:
- TCP reassembly disabled: 12 packets match the http filter
- TCP reassembly enabled: 85 packets match the http filter
The second result is now outdated because the HTTP dissector has changed. Wireshark used to show only packets that contain an HTTP request or response code; it ignored the data packets seen when an object is uploaded or downloaded, which is why only 85 packets matched the http filter. Now Wireshark recognizes that when an object upload or download spans multiple packets, those packets are still part of the HTTP communication, and it displays them with the http filter.
If you want to avoid this confusion completely, just use the tcp.port==x filter format for TCP-based applications.
PAGE 195
Step 4 and Step 5 of the book mention and depict the Filter Expressions area within the preferences file.
Wireshark now places the filter expression button settings into a file called dfilter_buttons.
If you created your profile with Wireshark v3 or later, look inside the dfilter_buttons file. If you created your profile with an earlier version of Wireshark, look inside the preferences file for the Filter Expressions area, as shown in the book.
Legal Stuff
You agree to indemnify and hold Protocol Analysis Institute and its subsidiaries, affiliates, officers, agents, employees, partners and licensors harmless from any claim or demand, including reasonable attorneys' fees, made by any third party due to or arising out of your use of the included trace files, your violation of the TOS, or your violation of any rights of another.
NO COMMERCIAL REUSE
You may not reproduce, duplicate, copy, sell, trade, resell or exploit for any commercial purposes, any of the trace files available on this site.