Packet Capture
-
Hey is anyone able to take a look through some captures with me?
Thanks
-
Going to need more info.
What are the captures of? What are you looking for in them?
Steve
-
@stephenw10 would just be great to go over some, also for education so I can learn how to really deep dive into packet analysis, like reading payloads etc.
Can't actually find any solid videos online
-
Use Wireshark to examine the captures. Go through them, comparing what you see with what you know or can look up. Until you have a specific issue, it's hard to tell you what to do.
BTW, there are some Wireshark videos on YouTube.
-
@jknott Yeah, I'm just looking to try to identify things like what is NATted traffic vs what is not NATted traffic. What is traffic that is actually traffic, like having a heavy or no payload etc.
I can't find any videos that go over this sort of depth. Only things like source and destination addresses etc.
Thanks
-
I don't think you'll learn that from packet captures. You have to understand what you're looking at. For example, other than address & port, there's no difference with NAT. What do you mean by "heavy" payload? If large transfer, then you're looking at how many packets, etc. What you're looking at with packet captures is largely just the contents. You can check addresses and port numbers, see what the contents are, etc., but that requires understanding what the various things are, which means you need an understanding of things like IP, TCP, UDP, etc. When you use Wireshark, you can expand the frames to understand what they are.
For example, here I told Wireshark to filter on ICMP6:
I then expanded one frame to show its contents:
By going through this, I can see what the frame contains, what it's doing and more. However, I still need an understanding of what I'm looking at. On one occasion, I had a problem with IPv6. By examining the DHCPv6 packets, I was able to identify the problem as coming from my ISP and was even able to identify, by host name, the failing piece of equipment at my ISP. However, I would not have been able to do that without a good background on TCP/IP networking.
To actually capture packets, you can use Wireshark or Packet Capture, which is included with pfSense. I have used both many, many times. Those videos may show you how to capture frames on your network, but you still have to understand what you're looking at, to make use of it. For example, you were asking about NAT. There is nothing in a frame that says NAT is involved. By comparing packets from either side of NAT you will see the addresses and port numbers have changed, but nothing else different that's relevant.
-
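The point made in the last reply, that NAT leaves no marker in a frame and only shows up when you compare the same datagram captured on the LAN side and the WAN side, can be checked with a few lines of code instead of eyeballing two Wireshark windows. The following is an added example, not code from the thread or from pfSense. It builds two constructed IPv4/UDP datagrams inline (addresses, ports and the DNS-style payload are made up for the example; the WAN-side copy models the usual source-NAT rewrite of source address and port plus the one-hop TTL decrement), parses them into Wireshark-style field names such as ip.src and udp.srcport, and reports which fields differ. It also verifies the IPv4 and UDP checksums, which is a useful habit when reading captures: a checksum that no longer matches tells you the bytes were changed after the checksum was computed.

```python
import struct
import ipaddress

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data; returns 0 for data whose stored checksum is valid."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src, dst, sport, dport, payload, ttl=64, ident=0x1234) -> bytes:
    """Assemble an IPv4 header + UDP header + payload with correct checksums."""
    src_b, dst_b = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    udp_len = 8 + len(payload)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, UDP_PROTO, udp_len)   # UDP pseudo-header
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    udp_csum = ones_complement_sum(pseudo + udp_hdr + payload) or 0xFFFF  # 0 is reserved for "none"
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, udp_csum)
    fmt = "!BBHHHBBH4s4s"
    ip_hdr = struct.pack(fmt, 0x45, 0, 20 + udp_len, ident, 0, ttl, UDP_PROTO, 0, src_b, dst_b)
    ip_csum = ones_complement_sum(ip_hdr)
    ip_hdr = struct.pack(fmt, 0x45, 0, 20 + udp_len, ident, 0, ttl, UDP_PROTO, ip_csum, src_b, dst_b)
    return ip_hdr + udp_hdr + payload


def parse_ipv4_udp(pkt: bytes) -> dict:
    """Decode the fields a Wireshark 'expand frame' view would show, keyed by Wireshark field names."""
    vihl, _tos, total_len, ident, _ff, ttl, proto, ip_csum, src_b, dst_b = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if proto != UDP_PROTO:
        raise ValueError("example only decodes UDP, got protocol %d" % proto)
    ihl = (vihl & 0x0F) * 4
    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {
        "ip.src": str(ipaddress.IPv4Address(src_b)), "ip.dst": str(ipaddress.IPv4Address(dst_b)),
        "ip.id": ident, "ip.ttl": ttl, "ip.proto": proto, "ip.checksum": ip_csum, "ip.len": total_len,
        "udp.srcport": sport, "udp.dstport": dport, "udp.length": udp_len, "udp.checksum": udp_csum,
        "udp.payload": pkt[ihl + 8:ihl + udp_len],
    }


def checksums_valid(pkt: bytes):
    """Return (ipv4_header_ok, udp_ok) by re-summing each covered region including its stored checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_ok = ones_complement_sum(pkt[:ihl]) == 0
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, UDP_PROTO, udp_len)      # src + dst from the IP header
    udp_ok = ones_complement_sum(pseudo + pkt[ihl:ihl + udp_len]) == 0
    return ip_ok, udp_ok


def changed_fields(a: dict, b: dict) -> list:
    """Every decoded field whose value differs between the two captures."""
    return sorted(k for k in a if a[k] != b.get(k))


def nat_relevant_changes(a: dict, b: dict) -> list:
    """Differences left after discarding what any routed hop changes: TTL and the checksums that cover it."""
    return [k for k in changed_fields(a, b) if k != "ip.ttl" and not k.endswith(".checksum")]


# Constructed sample: a DNS-style query for example.com, captured on the LAN side and then on the WAN side
# after the firewall applied source NAT (new source address and port) and decremented the TTL.
QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x07example\x03com\x00\x00\x01\x00\x01")
LAN_FRAME = build_ipv4_udp("192.168.1.50", "203.0.113.10", 51515, 53, QUERY, ttl=64)
WAN_FRAME = build_ipv4_udp("198.51.100.7", "203.0.113.10", 61000, 53, QUERY, ttl=63)

if __name__ == "__main__":
    lan, wan = parse_ipv4_udp(LAN_FRAME), parse_ipv4_udp(WAN_FRAME)
    print("all differing fields:", changed_fields(lan, wan))
    print("NAT-relevant differences:", nat_relevant_changes(lan, wan))
    print("payload identical:", lan["udp.payload"] == wan["udp.payload"])
    print("LAN checksums valid:", checksums_valid(LAN_FRAME), "WAN:", checksums_valid(WAN_FRAME))
```

Run as a script it lists ip.checksum, ip.src, ip.ttl, udp.checksum and udp.srcport as the differing fields, and only ip.src and udp.srcport once the per-hop noise is removed; the payload bytes are identical on both sides, which is exactly why a single capture cannot tell you NAT happened. The checksum check is there because the UDP checksum covers the pseudo-header and payload: it is recomputed by the NAT device, and a mismatch in a capture means the bytes were altered after that recomputation (or the capture was taken before a NIC with checksum offload filled it in, a common source of false alarms in Wireshark).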