Network trace analysis tricks III - How can I comment on packets in a network trace
After you get familiar with using protocol analysis tools like Network Monitor or Wireshark, you’ll get to the most important stage in network trace analysis: How can I comment on packets sent or received in a network trace? Was it normal to see that packet being sent or received? What packet should I have seen after this one under normal circumstances? The list of such questions grows very quickly…
As you can imagine, you have to know the mechanics of each protocol that you’re dealing with in a network trace. There are so many network protocols that it is unlikely you can be familiar with all of them. But at least you should be able to comment on the general network protocols and the application layer protocols that you deal with most often.
The following are the most important general network protocols (most of them run at lower layers) that you need to be familiar with:
- Ethernet
- ARP
- IPv4 / IPv6
- ICMPv4 / ICMPv6
- TCP
- UDP
- DNS
- NBNS
- DHCP
The following general application layer protocols are the ones that you’ll come across very often in network traces:
- HTTP
- FTP
- SSL / TLS
- NetBT
- SMB (v2/v3)
- DFS
- DCERPC
- LDAP
- Kerberos
- SIP
- RTP / RTCP
- PPTP
- L2TP / IPSec
- TDS
- RDP
There are also many Microsoft specific application layer protocols that typically run over DCERPC and provide remote services (like Eventlog remoting, printing, DCOM, WMI, DHCP management protocol, DNS management protocol, certificate services management protocol, AD management protocols, Exchange protocols, and so on) that you might see in network traces.
As mentioned above, there’re so many of them :) As a Microsoft support engineer, I come across most of them when analyzing network traces, but one could hardly master all such protocols. You become more familiar with some of them over time based on the problems you deal with. But I should definitely state that it’s a must to know about the general network protocols (especially ARP/IP/TCP/ICMP/UDP).
There’re so many references on the internet, so you shouldn’t have any problems finding information on a given protocol (unless it’s a proprietary protocol). Another way of getting familiar with such protocols is to fiddle with them as much as possible. For example, when I want to learn what is going on behind the scenes when I take a specific action in an application or service, I collect a network trace and try to decode the activity taking place on the wire. That also helps you understand how a certain application makes its way through the network, even if you don’t know much about that application.
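To make the "was this packet expected, and what should follow it?" exercise concrete for TCP (one of the must-know protocols named above), here is an added example that is not part of the original post. It walks a list of packet summaries (the sort of rows you would read off the Network Monitor or Wireshark packet list), tracks each conversation through the three-way handshake, and writes the comment an analyst would put on each packet: what it is, whether it was expected in the current state, and what should normally come next. The `Packet` class, the `TcpCommentator` state machine and the `SAMPLE` trace are all constructed for this example; the addresses and sequence numbers are made up.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal summary of one TCP segment, as read from an analyzer's packet list (constructed)."""
    frame: int
    src: str                 # "ip:port"
    dst: str                 # "ip:port"
    flags: FrozenSet[str]    # e.g. {"SYN"}, {"SYN", "ACK"}, {"RST", "ACK"}
    seq: int
    ack: int = 0


def conversation_key(p: Packet) -> Tuple[str, str]:
    """Both directions of a flow map to the same key."""
    return tuple(sorted((p.src, p.dst)))


class TcpCommentator:
    """Tracks each conversation through the handshake and comments on every packet."""

    def __init__(self) -> None:
        self._conv: Dict[Tuple[str, str], dict] = {}

    def comment(self, p: Packet) -> str:
        f = p.flags
        c = self._conv.setdefault(conversation_key(p), {"state": "CLOSED"})
        st = c["state"]

        if "RST" in f:
            c["state"] = "CLOSED"
            if st == "SYN_SENT" and p.src == c.get("server"):
                return "RST in reply to SYN: nothing is listening on that port (or a firewall rejects it); expect the client to give up or retry"
            return "RST: connection aborted; no further packets expected on this conversation"

        if "SYN" in f and "ACK" not in f:
            if st == "CLOSED":
                c.update(state="SYN_SENT", client=p.src, server=p.dst, client_isn=p.seq)
                return f"SYN from client: expect SYN/ACK from {p.dst} with ack {p.seq + 1}"
            if st == "SYN_SENT" and p.src == c["client"]:
                return "Repeated SYN: retransmission, the first SYN got no answer (packet drop or slow server)"
            return f"UNEXPECTED SYN in state {st}"

        if "SYN" in f and "ACK" in f:
            if st != "SYN_SENT":
                return f"UNEXPECTED SYN/ACK in state {st}: no SYN was seen in this trace (capture started mid-handshake?)"
            if p.ack != c["client_isn"] + 1:
                return f"UNEXPECTED ack number {p.ack}, should be {c['client_isn'] + 1}"
            c.update(state="SYN_RECEIVED", server_isn=p.seq)
            return f"SYN/ACK from server: expected; expect ACK from {c['client']} with ack {p.seq + 1}"

        if "FIN" in f:
            if st == "ESTABLISHED":
                c["state"] = "FIN_WAIT"
                return "FIN: sender is done; expect an ACK and then a FIN from the other side"
            if st == "FIN_WAIT":
                c["state"] = "CLOSING"
                return "FIN from the other side: expect the final ACK"
            return f"UNEXPECTED FIN in state {st}"

        if "ACK" in f:
            if st == "SYN_RECEIVED" and p.src == c["client"]:
                if p.ack != c["server_isn"] + 1:
                    return f"UNEXPECTED ack number {p.ack}, should be {c['server_isn'] + 1}"
                c["state"] = "ESTABLISHED"
                return "ACK completes the handshake: expect application data next"
            if st == "ESTABLISHED":
                return "Data/ACK on an established connection: normal"
            if st in ("FIN_WAIT", "CLOSING"):
                return "ACK of FIN: normal"
            return f"UNEXPECTED ACK in state {st}"

        return "Unclassified segment"


def annotate(packets: List[Packet]) -> List[str]:
    """Return one comment line per packet, in trace order."""
    tc = TcpCommentator()
    return [f"#{p.frame} {p.src} -> {p.dst}: {tc.comment(p)}" for p in packets]


# Constructed sample trace: a clean handshake to port 445, a refused connection
# to port 80, and a SYN/ACK whose SYN is missing from the capture.
SAMPLE = [
    Packet(1, "10.0.0.5:51000", "10.0.0.9:445", frozenset({"SYN"}), seq=1000),
    Packet(2, "10.0.0.9:445", "10.0.0.5:51000", frozenset({"SYN", "ACK"}), seq=5000, ack=1001),
    Packet(3, "10.0.0.5:51000", "10.0.0.9:445", frozenset({"ACK"}), seq=1001, ack=5001),
    Packet(4, "10.0.0.5:51001", "10.0.0.9:80", frozenset({"SYN"}), seq=2000),
    Packet(5, "10.0.0.9:80", "10.0.0.5:51001", frozenset({"RST", "ACK"}), seq=0, ack=2001),
    Packet(6, "10.0.0.9:8080", "10.0.0.5:51002", frozenset({"SYN", "ACK"}), seq=7000, ack=3001),
]

if __name__ == "__main__":
    for line in annotate(SAMPLE):
        print(line)
```

Running it prints one comment per frame; frames 1 to 3 read as a normal handshake, frame 5 is flagged as a refused connection, and frame 6 is flagged as a SYN/ACK with no SYN in the trace, which usually means the capture started late rather than that anything is wrong on the wire. The same pattern (a per-conversation state machine plus a comment per transition) extends to any of the protocols listed in this post once you know their normal exchanges.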
Having said that, let me share some links for more detailed information on protocols:
=> You can find detailed information on Microsoft protocols at the following link:
https://msdn.microsoft.com/en-us/library/cc216513(v=prot.10).aspx Windows Communication Protocols (MCPP)
=> Other standard protocols:
- You might want to check the RFCs for the other standard protocols. A few examples:
https://www.faqs.org/rfcs/rfc826.html An Ethernet Address Resolution Protocol
https://www.faqs.org/rfcs/rfc791.html Internet Protocol (IPv4)
https://www.faqs.org/rfcs/rfc2460.html Internet Protocol, Version 6 (IPv6) Specification
https://www.faqs.org/rfcs/rfc793.html Transmission Control Protocol
https://www.faqs.org/rfcs/rfc2616.html Hypertext Transfer Protocol -- HTTP/1.1
https://www.faqs.org/rfcs/rfc959.html File Transfer Protocol
https://www.faqs.org/rfcs/rfc1541.html Dynamic Host Configuration Protocol
https://www.faqs.org/rfcs/rfc1034.html DOMAIN NAMES - CONCEPTS AND FACILITIES
https://www.faqs.org/rfcs/rfc2251.html Lightweight Directory Access Protocol (v3)
https://www.faqs.org/rfcs/rfc1510.html The Kerberos Network Authentication Service (V5)
…
Hope this helps
Thanks,
Murat