Practical Packet Analysis

Packet Analysis and Network Basics

Packet Analysis and Packet Sniffers

Packet analysis, often referred to as packet sniffing or protocol analysis, describes the process of capturing and interpreting live data as it flows across a network in order to better understand what is happening on that network. Packet analysis is typically performed by a packet sniffer, a tool used to capture raw network data going across the wire.

How Packet Sniffers Work

  • Collection
    • First, the packet sniffer collects raw binary data from the wire. Typically this is done by switching the selected network interface into promiscuous mode. In this mode, the network card can listen to all traffic on a network segment, not only the traffic that is addressed to it.
  • Conversion
    • Next, the captured binary data is converted into a readable form. This is as far as most advanced command line packet sniffers can go. At this point, the network data can be interpreted only on a very basic level, leaving the majority of the analysis to the end user.
  • Analysis
    • Finally, the packet sniffer conducts an analysis of the captured and converted data. The sniffer verifies the protocol of the captured network data based on the information extracted and begins its analysis of that protocol’s specific features.
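The conversion and analysis steps above, carried out on a single frame. This is an added example, not code from the book: the frame bytes are constructed (documentation addresses, zeroed checksums), and dissect and mac are hypothetical helper names.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x10, "ACK"))

# Constructed sample: Ethernet II / IPv4 / TCP SYN, checksums left at zero.
SAMPLE_FRAME = bytes.fromhex(
    "020000000002" "020000000001" "0800"   # dst MAC, src MAC, EtherType
    "45000028" "00010000" "40060000"       # IPv4: length 40, TTL 64, protocol 6
    "c000020a" "c0000250"                  # 192.0.2.10 -> 192.0.2.80
    "c3500050" "00000001" "00000000"       # TCP 50000 -> 80, seq, ack
    "5002ffff" "00000000"                  # data offset 5, SYN, window
)

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def dissect(frame):
    """Decode layer by layer; each header names the protocol that follows it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"l2": {"dst": mac(dst), "src": mac(src),
                  "type": ETHERTYPES.get(ethertype, hex(ethertype))}}
    if ethertype != 0x0800:
        return out                          # only IPv4 is analysed further here
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or malformed IPv4 header")
    ihl = (ip[0] & 0x0F) * 4                # header length varies with options
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header length")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    out["l3"] = {"src": ".".join(map(str, ip[12:16])),
                 "dst": ".".join(map(str, ip[16:20])),
                 "ttl": ip[8], "proto": IP_PROTOCOLS.get(proto, str(proto))}
    seg = ip[ihl:total_len]                 # drop any Ethernet padding
    if proto in (6, 17) and len(seg) >= 4:
        out["l4"] = dict(zip(("sport", "dport"), struct.unpack("!HH", seg[:4])))
        if proto == 6 and len(seg) >= 14:
            out["l4"]["flags"] = [n for bit, n in TCP_FLAGS if seg[13] & bit]
    return out

if __name__ == "__main__":
    for layer, fields in dissect(SAMPLE_FRAME).items():
        print(layer, fields)
```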

The Seven-Layer OSI Model

Please Do Not Throw Sausage Pizza Away

Application layer (layer 7)

The topmost layer of the OSI model provides a means for users to access network resources. This is the only layer typically seen by end users, as it provides the interface that is the base for all of their network activities.

Presentation layer (layer 6)

This layer transforms the data it receives into a format that can be read by the application layer. The data encoding and decoding done here depends on the application layer protocol that is sending or receiving the data. The presentation layer also handles several forms of encryption and decryption used to secure data.

Session layer (layer 5)

This layer manages the dialogue, or session, between two computers. It establishes, manages, and terminates this connection among all communicating devices. The session layer is also responsible for establishing whether a connection is duplex (two-way) or half-duplex (one-way) and for gracefully closing a connection between hosts rather than dropping it abruptly.

Transport layer (layer 4)

The primary purpose of the transport layer is to provide reliable data transport services to lower layers. Through flow control, segmentation/desegmentation, and error control, the transport layer makes sure data gets from point to point error-free. Because ensuring reliable data transportation can be extremely cumbersome, the OSI model devotes an entire layer to it. The transport layer utilizes both connection-oriented and connectionless protocols. Certain firewalls and proxy servers operate at this layer.

Network layer (layer 3)

This layer, one of the most complex of the OSI layers, is responsible for routing data between physical networks. It sees to the logical addressing of network hosts (for example, through an IP address). It also handles splitting data streams into smaller fragments and, in some cases, error detection. Routers operate at this layer.

Data link layer (layer 2)

This layer provides a means of transporting data across a physical network. Its primary purpose is to provide an addressing scheme that can be used to identify physical devices (for example, MAC addresses). Bridges and switches are physical devices that operate at the data link layer.

Physical layer (layer 1)

The layer at the bottom of the OSI model is the physical medium through which network data is transferred. This layer defines the physical and electrical nature of all hardware used, including voltages, hubs, network adapters, repeaters, and cabling specifications. The physical layer establishes and terminates connections, provides a means of sharing communication resources, and converts signals from digital to analog and vice versa.

Typical Protocols Used at Each Layer of the OSI Model

Application (layer 7)
Presentation (layer 6)
Session (layer 5)
Transport (layer 4)
Network (layer 3)
Data link (layer 2)
Ethernet, Token Ring, FDDI, AppleTalk
Physical (layer 1)
wired, wireless

Data Flow Through the OSI Model

A graphical representation of encapsulation of data between client and server

Network Hardware


Because hubs can generate a lot of unnecessary network traffic and are capable of operating only in half-duplex mode (they cannot send and receive data at the same time), you won't typically see them used in most modern or high-density networks; switches are used instead (discussed in the next section).
A hub is no more than a repeating device that operates on the physical layer of the OSI model. It takes packets sent from one port and transmits (repeats) them to every other port on the device, and it's up to the receiving device to accept or reject each packet based on the destination MAC address.
The best alternatives to hubs in production and high-density networks are switches, which are full-duplex devices that can send and receive data synchronously.


Like a hub, a switch is designed to repeat packets. However, unlike a hub, rather than broadcasting data to every port, a switch sends data to only the computer for which the data is intended. Switches store the layer 2 address of every connected device in a CAM table, which acts as a kind of traffic cop. When a packet is transmitted, the switch reads the layer 2 header information in the packet and, using the CAM table as reference, determines to which port(s) to send the packet. Switches send packets only to specific ports, thus greatly reducing network traffic.


A router is an advanced network device with a much higher level of functionality than a switch or a hub. Routers operate at layer 3 of the OSI model, where they are responsible for forwarding packets between two or more networks. The process used by routers to direct the flow of traffic among networks is called routing. Several types of routing protocols dictate how different types of packets are routed to other networks. Routers commonly use layer 3 addresses (such as IP addresses) to uniquely identify devices on a network.

Traffic Classification

Broadcast Traffic

A broadcast packet is a packet that's sent to all ports on a network segment, regardless of whether a given port is a hub or switch.
There are layer 2 and layer 3 forms of broadcast traffic. On layer 2, the MAC address ff:ff:ff:ff:ff:ff is the reserved broadcast address, and any traffic sent to this address is broadcast to the entire network segment. Layer 3 also has a specific broadcast address, but it varies based on the network address range in use. The highest possible IP address in an IP network range is reserved for use as the broadcast address. For example, if your computer has an address of and a subnet mask, then is the broadcast address.
The extent to which broadcast packets can travel is called the broadcast domain, which is the network segment where any computer can directly transmit to another computer without going through a router. In larger networks with multiple hubs or switches connected via different media, broadcast packets transmitted from one switch reach all the ports on all the other switches on the network, as the packets are repeated from switch to switch. Figure 1-11 shows an example of two broadcast domains on a small network. Because each broadcast domain extends until it reaches the router, broadcast packets circulate only within this specified broadcast domain.

Multicast Traffic

Multicast is a means of transmitting a packet from a single source to multiple destinations simultaneously.
The goal of multicasting is to use as little bandwidth as possible. The optimization of this traffic lies in that a stream of data is replicated fewer times along its path to its destination. The exact handling of multicast traffic is highly dependent on its implementation in individual protocols.
The primary method of implementing multicast traffic is via an addressing scheme that joins the packet recipients to a multicast group. This is how IP multicast works. This addressing scheme ensures that the packets cannot be transmitted to computers to which the packets are not destined. In fact, IP devotes an entire range of addresses to multicast. If you see an IP address in the to range, it is most likely handling multicast traffic because these ranges are reserved for that purpose.

Unicast Traffic

A unicast packet is transmitted from one computer directly to another.
The details of how unicast functions are dependent on the protocol using it. For example, consider a device that wishes to communicate with a web server. This is a one-to-one connection, so this communication process would begin with the client device transmitting a packet to only the web server.
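An added example (not from the book) that classifies a destination as broadcast, multicast or unicast at layer 2 and at layer 3. The sample addresses and the function names are constructed for illustration; the last two samples show the same IP address being an ordinary host address under one subnet mask and the broadcast address under another.

```python
import ipaddress

def classify_l2(dst_mac):
    """Classify a destination MAC address such as 'ff:ff:ff:ff:ff:ff'."""
    raw = bytes.fromhex(dst_mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {dst_mac!r}")
    if raw == b"\xff" * 6:
        return "broadcast"
    # The low bit of the first octet (I/G bit) marks a group (multicast) address.
    return "multicast" if raw[0] & 0x01 else "unicast"

def classify_l3(dst_ip, interface):
    """Classify a destination IPv4 address as seen from `interface` (addr/prefix)."""
    dst = ipaddress.IPv4Address(dst_ip)
    net = ipaddress.IPv4Interface(interface).network
    if dst == ipaddress.IPv4Address("255.255.255.255"):
        return "broadcast"                  # limited broadcast, never routed
    # Highest address of the local range; /31 and /32 have no broadcast address.
    if net.prefixlen < 31 and dst == net.broadcast_address:
        return "broadcast"
    if dst.is_multicast:                    # 224.0.0.0/4
        return "multicast"
    return "unicast"

# Constructed samples: (destination MAC, destination IP, local interface)
SAMPLES = [
    ("ff:ff:ff:ff:ff:ff", "192.0.2.255", "192.0.2.10/24"),
    ("01:00:5e:00:00:fb", "224.0.0.251", "192.0.2.10/24"),
    ("02:00:00:00:00:50", "192.0.2.127", "192.0.2.10/24"),
    ("ff:ff:ff:ff:ff:ff", "192.0.2.127", "192.0.2.10/25"),
]

def classify_all(samples=SAMPLES):
    return [(classify_l2(m), classify_l3(ip, iface)) for m, ip, iface in samples]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, classify_all()):
        print(sample, "->", result)
```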

ARP Cache Poisoning

The ARP Process

All devices on a network communicate with each other on layer 3 using IP addresses. Because switches operate on layer 2 of the OSI model, they are cognizant of only layer 2 MAC addresses, so devices must be able to include this information in packets they construct. When a MAC address is not known, it must be obtained using the known layer 3 IP addresses so traffic can be forwarded to the appropriate device. This translation process is done through the layer 2 protocol ARP.
The ARP process, for computers connected to Ethernet networks, begins when one computer wishes to communicate with another. The transmitting computer first checks its ARP cache to see whether it already has the MAC address associated with the IP address of the destination computer. If it does not, it sends an ARP request to the data link layer broadcast address ff:ff:ff:ff:ff:ff. This broadcast packet is received by every computer on that particular Ethernet segment. The packet basically asks, "Which machine owns the IP address? Tell me your MAC."
Devices without the destination computer's IP address simply discard this ARP request. The destination machine replies to the packet with its MAC address via an ARP reply. At this point, the original transmitting computer now has the data link layer addressing information it needs to communicate with the remote computer, and it stores that information in its ARP cache for fast retrieval.

How ARP Cache Poisoning Works

ARP cache poisoning, sometimes called ARP spoofing, is an advanced form of tapping into the wire on a switched network. It works by sending ARP messages to an Ethernet switch or router with fake MAC (layer 2) addresses in order to intercept the traffic of another computer.
ARP cache poisoning lets you intercept the traffic of your target computer.
This technique is commonly used by attackers to send falsely addressed packets to client systems in order to intercept certain traffic or cause denial-of-service (DoS) attacks on a target. However, it can also be a legitimate way to capture the packets of a target machine on a switched network.
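From the defender's side, poisoning is visible in the ARP traffic itself. The following added example (not from the book) watches ARP frames for replies that answer no request and for an IP address whose MAC changes; the three frames are constructed, and ArpMonitor and scan are hypothetical names.

```python
import struct

ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype ptype hlen plen oper sha spa tha tpa
# Constructed capture (hex): request, genuine reply, then a forged reply for 192.0.2.1.
SAMPLE = [bytes.fromhex(h) for h in (
    "ffffffffffff" "02000000000a" "0806" "0001080006040001"
    "02000000000a" "c000020a" "000000000000" "c0000201",
    "02000000000a" "020000000001" "0806" "0001080006040002"
    "020000000001" "c0000201" "02000000000a" "c000020a",
    "02000000000a" "020000000066" "0806" "0001080006040002"
    "020000000066" "c0000201" "02000000000a" "c000020a",
)]

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)
def ip(raw):
    return ".".join(str(b) for b in raw)

class ArpMonitor:
    """Passive detector: remembers IP-to-MAC bindings and outstanding requests."""
    def __init__(self):
        self.bindings = {}    # sender IP -> first MAC seen for it
        self.pending = set()  # (requester IP, requested IP) awaiting a reply

    def observe(self, frame):
        alerts = []
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            return alerts                       # not a complete ARP frame
        htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP.unpack(frame[14:42])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return alerts                       # only Ethernet/IPv4 ARP is handled
        if frame[6:12] != sha:
            alerts.append(f"{ip(spa)}: Ethernet source {mac(frame[6:12])} != ARP sender {mac(sha)}")
        if oper == 1:
            self.pending.add((spa, tpa))
        elif oper == 2 and (tpa, spa) in self.pending:
            self.pending.discard((tpa, spa))
        elif oper == 2:
            alerts.append(f"{ip(spa)}: unsolicited reply from {mac(sha)}")
        known = self.bindings.setdefault(spa, sha)
        if known != sha:   # may also be DHCP reuse or failover, so treat as a lead
            alerts.append(f"{ip(spa)}: was {mac(known)}, now claimed by {mac(sha)}")
        return alerts

def scan(frames):
    monitor = ArpMonitor()
    return [(i, a) for i, f in enumerate(frames) for a in monitor.observe(f)]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```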

Wireshark Capture Filters

Capture filters are applied during the packet-capturing process to limit the packets delivered to the analyst from the start. One primary reason for using a capture filter is performance. If you know that you do not need to analyze a particular form of traffic, you can simply filter it out with a capture filter and save the processing power that would typically be used in capturing those packets. In Wireshark, go to "Capture -> Options" where you can choose an interface and specify the capture filter:
Wireshark capture filter

Capture/BPF Syntax

Hostname and Addressing Filters

Port Filters

Protocol Filters

Protocol Field Filters

Sample Capture Filter Expressions

Wireshark Display Filters

Advanced Wireshark Features


Practical Packet Analysis, 3rd Edition