31 October 2020

Wireshark Workbook

By admin@labtinker.net

With winter evenings drawing in (in the Northern hemisphere), another lockdown on the cards (everywhere but New Zealand and China), Netflix running out and the liver needing a rest, why not augment your familiarity with every networker’s tool of choice, Wireshark? This is a tool I’m sure everyone who’s worked in IT has used at some time in their career to a greater or lesser extent. I myself have dabbled and always had the feeling that I was scratching the surface. It was with this in mind that I bought this book:

Figure 1 – Labtastic packeteering.

The book is divided into sixteen labs. You download the associated capture files and then attempt to answer the questions the author asks you. Some are easy, some are head-scratchers, and some you think you’ve answered correctly but you won’t have. Detailed explanations are given for each answer, with extra information and tips often thrown in. You can probably do a lab in 30-40 minutes, though it’ll take longer if you want to do justice to the answers. The point is it can be dipped into and out of quite easily… (I bought it about three or four months ago and am still working through it.)

Two things I learnt amongst many:

First thing: you can download objects like jpg files from a capture. I did not know this. Never been to that menu… know it now.

Second thing: the TCP Wireshark preference ‘Allow subdissector to reassemble TCP streams’ is something you want to be familiar with, as it alters how your trace is presented and the order in which certain packets appear in it.

For example, if your trace contains a file downloaded over HTTP, then with this option ticked the HTTP 200 response to the download request will appear in the trace at the point where the file download has completed, allowing you to measure how long the download took. With this option unticked, you will see the HTTP response at its ‘true’ time in the trace, i.e. on the segment that carried the status line.
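To make both of those lessons concrete, here is a small model of what the preference changes, written for this post and not taken from the book: three constructed TCP segments carry one HTTP 200 response (the middle one, by sequence number, is captured last), and the two helpers report on which frame the 200 would be shown, how long after the request that is, and how many bytes of the downloaded object are recoverable. The segment list, timestamps and helper names are all assumptions of this example.

```python
# Added example (not from the book or the post): a small model of what the
# TCP preference 'Allow subdissector to reassemble TCP streams' changes about
# where an HTTP 200 response appears in a trace. The segment list is
# constructed; the helper names are assumptions of this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Segment:
    frame: int      # frame number as the packet list would show it
    time: float     # capture timestamp in seconds
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


HEADER = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: image/jpeg\r\n"
          b"Content-Length: 2000\r\n\r\n")
BODY = b"\xff\xd8" + b"J" * 1998          # 2000 fake JPEG bytes (constructed)

# Constructed trace: frame 1 is the GET; the response body arrives in three
# segments, and the middle one (by sequence) is captured last, in frame 6.
REQUEST_TIME = 0.000
RESPONSE_SEGMENTS: List[Segment] = [
    Segment(2, 0.010, 1, HEADER + BODY[:700]),
    Segment(5, 0.080, 1 + len(HEADER) + 1400, BODY[1400:]),
    Segment(6, 0.095, 1 + len(HEADER) + 700, BODY[700:1400]),
]


def parse_content_length(header: bytes) -> int:
    """Return Content-Length from a raw header block, 0 if absent."""
    for line in header.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


def reassemble(segments: List[Segment]) -> Tuple[Optional[bytes], Optional[Segment]]:
    """Preference ON: stitch segments in sequence order and return the body
    plus the frame in which the message became complete (the latest-captured
    frame among those needed). Returns (None, None) if a segment is missing."""
    ordered = sorted(segments, key=lambda s: s.seq)
    stream, consumed = b"", []
    expected = ordered[0].seq
    for seg in ordered:
        if seg.seq != expected:
            return None, None          # gap in the stream: cannot finish the PDU
        stream += seg.payload
        expected += len(seg.payload)
        consumed.append(seg)
        end = stream.find(b"\r\n\r\n")
        if end == -1:
            continue                   # header not yet complete
        header_len = end + 4
        body_len = parse_content_length(stream[:header_len])
        if len(stream) >= header_len + body_len:
            body = stream[header_len:header_len + body_len]
            return body, max(consumed, key=lambda s: s.frame)
    return None, None


def first_status_line_frame(segments: List[Segment]) -> Optional[Segment]:
    """Preference OFF: every segment is dissected on its own, so the 200 is
    shown on whichever frame carries the status line."""
    for seg in sorted(segments, key=lambda s: s.frame):
        if seg.payload.startswith(b"HTTP/1."):
            return seg
    return None


def response_timing(reassemble_streams: bool) -> Optional[Dict[str, float]]:
    """Where the 200 lands and how long after the request, under each setting."""
    if reassemble_streams:
        body, seg = reassemble(RESPONSE_SEGMENTS)
    else:
        body, seg = None, first_status_line_frame(RESPONSE_SEGMENTS)
    if seg is None:
        return None
    return {"frame": seg.frame,
            "elapsed_s": round(seg.time - REQUEST_TIME, 3),
            "object_bytes": len(body) if body else 0}


if __name__ == "__main__":
    for setting in (True, False):
        print("reassemble TCP streams =", setting, "->", response_timing(setting))
```

With the preference on, the 200 is attributed to frame 6 (0.095 s after the request, the end of the download) and the full 2000-byte body is available; with it off, the 200 sits on frame 2 at 0.010 s and the later segments are just TCP data. That reassembled body is also what File > Export Objects > HTTP writes to disk, which is why the first lesson depends on the second. In tshark the same preference is toggled with `-o tcp.desegment_tcp_streams:TRUE` (or `FALSE`).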

Imagine casually asking someone poring over a trace, “Are you allowing the subdissector to reassemble TCP streams?” If they answer and give their reasons, then just nod sagely; they’ve probably read the book. If not, take off your glasses (I’m playing to stereotypes here) and polish them while casually explaining the importance of this option. Then put your glasses back on to watch that gleam of admiration and wonder grow in their eyes.

The book’s physical format is a little unwieldy (close to A4 – a UK reference, but think big) and it is a bit pricey.