Developing even a simple understanding of BPF will help you focus what you are
looking at down to data that is relevant. When we start looking at packet captures,
you will see how complex a job it can be to do packet analysis because there are just
so many frames that contain a lot of detail to look over.
Wireshark
When you have your packet capture file, you will probably want to do some analysis.
One of the best tools for that is Wireshark. Of course, Wireshark can also capture
packets itself and generate pcap files if you want to store the capture for later analysis
or for analysis by someone else. The major advantage to Wireshark, though, is providing
a way to really dig deep into the contents of the packet. Rather than spending
time walking through what Wireshark looks like or how we can use Wireshark for
capturing packets, let’s jump into breaking apart a packet using Wireshark.
Figure 2-4 shows the IP and TCP headers from an HTTP packet.
Figure 2-4. Header fields in Wireshark
You can see from just this image that Wireshark provides far more details than we
were getting from tcpdump. This is one area where GUIs have a significant advantage.
There is just more room here and a better way to present the amount of data in each
of these headers. Each field in the header is presented on its own line so it’s clear what
is happening. You’ll also see here that some of the fields can be broken out even more.
The flags field, for example, can be broken open to see the details. This is because the
flags field is really a series of bits, so if you want, you can open that field by clicking
the arrow (or triangle) and you will be able to see the value of each of the bits. Of
course, you can also see what is set just by looking at the summary line Wireshark
presents, because it has done the work for us. For this frame, the Don't Fragment bit
is set.
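To make concrete what Wireshark is doing when it breaks the IP and TCP headers into one line per field and then opens the flags field into individual bits, here is an added example (not code from the book) that dissects a constructed IPv4/TCP/HTTP packet the same way. The packet bytes, ports and addresses are made up for the example; the field layouts follow the IPv4 and TCP header formats, and the IP header checksum is verified the way a dissector would flag a bad one.

```python
import struct
from typing import Any, Dict

# Bit names for the 3-bit IP flags field (bits 15..13 of the flags/fragment-offset word)
IP_FLAG_NAMES = ["Reserved", "Don't Fragment", "More Fragments"]
# TCP flag bits, low bit first (FIN is bit 0, CWR is bit 7)
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def ip_checksum(header: bytes) -> int:
    """Standard Internet checksum: one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_packet() -> bytes:
    """Constructed sample: IPv4 header (DF set) + TCP header (PSH,ACK) + HTTP request."""
    payload = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          52000, 80,     # source port, destination port (assumed)
                          1000, 2000,    # sequence, acknowledgement numbers
                          5 << 4,        # data offset = 5 words; reserved bits zero
                          0x18,          # flags: PSH + ACK
                          65535, 0, 0)   # window, checksum (not computed here), urgent ptr
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_no_cksum = struct.pack("!BBHHHBBH4s4s",
                              0x45, 0, total_len,   # version 4, IHL 5, TOS, total length
                              0x1234,               # identification (constructed)
                              0x4000,               # flags = 010 (DF), fragment offset 0
                              64, 6, 0,             # TTL, protocol TCP, checksum placeholder
                              bytes([192, 168, 1, 10]), bytes([93, 184, 216, 34]))
    cksum = ip_checksum(ip_no_cksum)
    ip_hdr = ip_no_cksum[:10] + struct.pack("!H", cksum) + ip_no_cksum[12:]
    return ip_hdr + tcp_hdr + payload


def dissect(packet: bytes) -> Dict[str, Any]:
    """Split a raw IPv4/TCP packet into per-field values, with flag words expanded bit by bit."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip_flags = flags_frag >> 13            # top three bits: Reserved, DF, MF
    ip = {
        "version": ver_ihl >> 4,
        "header_length": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        # Reserved is bit 2, DF bit 1, MF bit 0 of the 3-bit field
        "flags": {name: bool(ip_flags & (1 << (2 - i)))
                  for i, name in enumerate(IP_FLAG_NAMES)},
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        # A header whose checksum is valid sums to zero when re-checksummed
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }
    tcp_bytes = packet[ihl:]
    (sport, dport, seq, ack, off_res, flags, window, tcksum,
     urg) = struct.unpack("!HHIIBBHHH", tcp_bytes[:20])
    doff = (off_res >> 4) * 4
    tcp = {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_length": doff,
        "flags": {name: bool(flags & (1 << i)) for i, name in enumerate(TCP_FLAG_NAMES)},
        "window": window,
    }
    return {"ip": ip, "tcp": tcp, "payload": tcp_bytes[doff:]}


def set_flags(flags: Dict[str, bool]) -> list:
    """Names of the bits that are set, i.e. what Wireshark shows on the summary line."""
    return [name for name, on in flags.items() if on]


if __name__ == "__main__":
    d = dissect(build_sample_packet())
    for layer in ("ip", "tcp"):
        for field, value in d[layer].items():
            print("%s.%s: %r" % (layer, field, value))
    print("IP flags set:", set_flags(d["ip"]["flags"]))
    print("TCP flags set:", set_flags(d["tcp"]["flags"]))
    print("payload:", d["payload"][:40])
```

Run as a script it prints one line per header field, mirroring the tree in the figure; the flags dictionaries are the expanded bit view you get by clicking the triangle, and the `set_flags` lists are what the collapsed summary line tells you (for this packet, the Don't Fragment bit in IP and PSH,ACK in TCP). The `checksum_ok` field is the kind of check a dissector adds that a hex dump alone never gives you.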
Another advantage to using a tool like Wireshark is that we can more easily get to the
contents of the packet. By finding a frame that we are interested in because it’s part of
a conversation that we think has some value, we just need to select Follow TCP
Stream. What we will get, in addition to only the frames that are part of that conver‐