318 Chapter 7 • Introducing Wireshark: Network Protocol Analyzer
|7.||Introducing Wireshark: Network Protocol Analyzer • Chapter 7||319|
The last step of network troubleshooting is verifying that the problem has been resolved. Make sure that the fix for this problem did not create any new problems or that the problem you solved is not indicative of a deeper underlying problem. Part of this step of the process includes documenting the steps taken to resolve the problem, which will assist in future troubleshooting efforts. If you have not solved the problem, you must repeat the process from the beginning.The flowchart in Figure 7.8 depicts the network troubleshooting process:
Verify that the
Introducing Wireshark: Network Protocol Analyzer • Chapter 7 321
06:07:08:09:0a:0b to 00:01:02:03:04:05 192.168.1.2 is at 06:07:08:09:0a:0b
Knowing that ARP traffic is a necessary precursor to normal network traffic, Ethereal can be used to check for the presence of this traffic on the network.There are several conditions of ARP that indicate specific problems. If there is no ARP traffic from the system on the network, either you are not capturing the traffic correctly or there are driver or OS issues preventing network communi-cation. If the system is issuing ARP requests but there is no response from the host, it may not be on the network. Make sure that the system is on the correct LAN; it is no longer as easy as plugging into the correct network jack. If the system is receiving ARP requests and sending IP traffic out on the network, but not receiving a response that you have verified with your sniffer, there may be a firewall or driver issue with the system.
If your Wireshark capture shows that the client is sending a SYN packet, but no response is received from the server, the server is not processing the packet. It could be that a firewall between the two hosts is blocking the packet or that the server itself has a firewall running on it
Scenario 2: SYN immediate response RST
Scenario 3: SYN SYN+ACK ACK
Detecting Internet Relay Chat Activity
Besides the policy implications of chat rooms, IRC is frequented by hackers and used as a command and control mechanism. IRC normally uses TCP port 6667. If you set Wireshark to detect traffic with destination port 6667, you will see IRC traffic that looks like the following:
NOTICE AUTH :*** Looking up your hostname...
Local client to IRC server
NOTICE AUTH :*** Found your hostname