The most common task in network forensics is analyzing network traffic. Such analysis is usually done with a packet analyzer: a tool that captures network traffic, decodes the raw bytes, and interprets each packet according to the protocols layered inside it (for example Ethernet, then IPv4, then TCP, then HTTP). In this section we first look at "pcap files," files containing captured network traffic, and then look at some of the most commonly used packet analyzers, starting with Wireshark and tcpdump.
"pcap" (packet capture) names both the libpcap library that most capture tools use to pull frames off an interface and the file format in which captured traffic is stored for later analysis (usually with the ".pcap" extension; newer Wireshark versions write the richer ".pcapng" format by default). A pcap file is simply a small file header followed by one record per captured packet, each record carrying a timestamp, the number of bytes captured, the packet's original length, and the raw bytes. A packet analyzer reads these records and decodes the raw bytes, determining the values of the various header fields based on the specific protocols contained within each packet. Two practical caveats: the captured length can be smaller than the original length if the capture was taken with a snapshot length (snaplen) shorter than the packet, and a capture interrupted mid-write often ends in a truncated record, so a robust parser checks both.
More information on pcap can be found at: http://en.wikipedia.org/wiki/Pcap
Wireshark is the most widely used and easiest to learn packet analyzer. It, along with extensive documentation, videos, and other resources, can be found at http://www.wireshark.org/. The best way to learn Wireshark is simply to use it, so I encourage you to download it, install it, and start capturing traffic. A few small notes are in order. First, when you install Wireshark make sure you also install the packet capture driver, or else you won't be able to capture any traffic: on Windows this was WinPcap at the time of writing and is Npcap in current Wireshark installers; on Linux and macOS the libpcap library is used instead, and capturing as a non-root user additionally requires that the dumpcap helper be granted capture privileges (on Debian-based systems, via "dpkg-reconfigure wireshark-common" and membership in the wireshark group). Second, if you plan on capturing traffic other than your own computer's, make sure you have permission to do so.
The purpose of this lab is to provide a quick hands-on introduction to what can be done with Wireshark. Wireshark has an enormous number of features and we won't cover most of them. The point of this lab is to introduce you to Wireshark so that you can explore it further on your own.
If you have multiple capture interfaces and are unsure which one you should be using, click on the Capture pull-down menu and then select "Interfaces" (in Wireshark 2.x and later the same information is shown on the welcome screen and under Capture > Options). This window shows how many packets are passing through each interface, with a small traffic graph next to each one in newer versions. Browse to a website and see which interface shows a large number of packets going over it. That is the correct interface for this initial lab.
If you aren't sure how to start a capture, there are a few ways. The easiest is to press the "Start a new live capture" button (labelled "Start capturing packets" in newer versions, with a shark-fin icon) on the main toolbar of the Wireshark window, or to double-click the interface in the interface list.
Further information on this module can be found at the following links.