When asked for advice on how to be a proficient protocol analyst, I give 2 pieces of advice:
- Practice looking for patterns. In most cases, you are looking for patterns, or a break in the pattern. Don’t worry about memorizing the RFCs or learning about every protocol. It is easier to focus on whatever protocol you are working on at that time.
- Learn the display filters for whatever protocol analyzer you use. The correct display filter will make the patterns jump out at you.
I caution analysts about going capture filter crazy. Unless you know exactly what you are capturing, I typically try to leave the capture filter as ‘open’ as possible. My concern when troubleshooting is that due to the very nature of the unknowns when troubleshooting, you may inadvertently filter out valuable packets.
A great example is that you may decide to use a capture filter for a web server IP address when capturing from the client. In this scenario you would miss any packets from the router or other devices along the way if they send the client an ICMP error packet, or if the client communicates with other servers.
In this example, I show you that the ip.addr display filter can be used for a subnet. You are probably familiar with this filter when filtering on a single device. What do you do if you need to filter on more than one host? The typical approach is to combine the ip.addr filter with an or. For example, ip.addr == 192.168.1.1 or ip.addr == 192.168.1.2 is one way to filter on two hosts.
Now let’s take this a step further. What would you do if you wanted to filter on all addresses on a server farm or client subnet? I’ll make this a touch more realistic and add that you don’t know all the IP addresses on the other subnet. This is where the subnet/mask option comes in.
You can simply use that format with the ip.addr == or ip.addr eq display filter. If I wanted to display the IP addresses from 192.168.1.1 to 192.168.1.254, my filter would be ip.addr == 192.168.1.0/24 or ip.addr eq 192.168.1.0/24. The mask does not need to match your local subnet mask since it is only used to define the range. If you wanted to display all the packets from 192.168.1.1 – 192.168.1.14, your display filter would be ip.addr == 192.168.1.0/28.
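The following Python sketch is an added example, not part of the original post: it works out which single subnet/mask block covers an address range, builds the matching ip.addr display filter, and counts how many addresses outside the range the block also matches. The function names and the sample packets are constructed for illustration; the matcher models ip.addr matching on either the source or the destination address.

```python
import ipaddress

def covering_network(first, last):
    """Return the smallest single CIDR block that contains first..last."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError("first address must not be above last")
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in net:
        net = net.supernet()  # widen the mask by one bit
    return net

def display_filter(net):
    """Build the subnet/mask display filter string for a network."""
    return f"ip.addr == {net}"

def extra_addresses(net, first, last):
    """Count addresses the block matches outside the requested range."""
    wanted = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    return net.num_addresses - wanted

def ip_addr_matches(net, src, dst):
    """ip.addr matches when the source OR the destination is in the block."""
    return ipaddress.ip_address(src) in net or ipaddress.ip_address(dst) in net

# Constructed sample packets: (source, destination, note)
PACKETS = [
    ("192.168.1.10", "10.0.0.5", "client to web server"),
    ("192.168.1.1", "192.168.1.10", "router ICMP error to client"),
    ("10.0.0.5", "172.16.0.9", "unrelated traffic"),
]

def shown(net):
    """Notes of the sample packets the display filter would show."""
    return [note for src, dst, note in PACKETS if ip_addr_matches(net, src, dst)]

if __name__ == "__main__":
    for first, last in [("192.168.1.1", "192.168.1.14"),
                        ("192.168.1.10", "192.168.1.20")]:
        net = covering_network(first, last)
        print(f"{first} - {last}: {display_filter(net)} "
              f"(also matches {extra_addresses(net, first, last)} other addresses)")
    print(shown(covering_network("192.168.1.1", "192.168.1.14")))
```

A range that does not line up with a mask boundary, such as 192.168.1.10 to 192.168.1.20, needs a wider block than the range itself, so the filter shows more hosts than the ones you listed.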