Packet Capture an Art or Skill?

Computadora Member Posts: 69
I guess what I'm trying to say is: is packet capture something very few people can do, and when I say do, I mean do well and really know their stuff, or is it a skill somebody can pick up and be somewhat good at? And what books do you guys recommend reading to learn packet capture? I was considering the Wireshark Certified Analyst book. I'm not talking about just learning the commands to use for tcpdump or which button to click in Wireshark; I'm talking about understanding raw packets, like ASCII and hex and that sort of stuff.

Comments

  • dynamik Banned Posts: 12,312
    Paul posted a few of the books we're working with here: GCIA Preparation Musings | InfoSiege

    The Wireshark book is a great one to start with. There are several others that really delve into the protocols, and there are always the RFCs.

    This is something that really comes with practice. Check out as many sample captures as you can. Capture and analyze your own traffic too. Start with basic protocols like ARP and work your way up. Here are some sites that host sample captures (I'm hoping to start creating some in the next month or two): SampleCaptures - The Wireshark Wiki

    https://www.openpacket.org/

    Packet Captures - Packet Life

    The hex to ASCII conversion isn't a big deal; it's just basic substitution: ASCII Codes - Table of ascii characters and symbols. Aside from that, you're just going to have to learn the structure of the different frames, packets, and segments, i.e., what fields are in the header, what the offsets are, what values can be present, and what the values mean. It seems like a lot, but it becomes manageable over time. I haven't really focused my studies on it, but I've picked up a ton by just capturing random traffic and reviewing it over the last couple of years.

    It becomes more of an art when you have to think critically and connect the dots. Everything mentioned previously is essentially just memorization. You can memorize every detail of the RFCs and simultaneously be completely dumbfounded when presented with GBs of information to sort through. You'll definitely become good with practice, but you need to be able to think critically to be great.
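    The "fields, offsets and values" part of the reply above is easier to see in code than in prose. The following is an added example, not something posted in this thread or taken from Wireshark: it walks a hand-built Ethernet II / IPv4 / TCP frame by fixed offsets with `struct`, validates the IPv4 header checksum per RFC 791, decodes the TCP flag bits, and prints the bytes the way Wireshark's bytes pane does (offset, hex, ASCII). The frame, addresses and ports are constructed for the example, and the TCP checksum is left at zero and not validated, since that needs the pseudo-header.

```python
import struct

# Constructed sample frame (built by hand for this example, not captured from a
# real network): Ethernet II + IPv4 + TCP carrying a tiny HTTP request.
ETH_HDR = bytes.fromhex("001122334455" "66778899aabb" "0800")
IP_HDR = bytes.fromhex("4500003a" "12344000" "40065cd3" "c0a8010a" "0a000005")
TCP_HDR = bytes.fromhex("c0000050" "00000001" "00000001" "5018ffff" "00000000")
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"
SAMPLE_FRAME = ETH_HDR + IP_HDR + TCP_HDR + PAYLOAD

# TCP flag bits, low byte of the 16-bit offset/flags word (RFC 793 order).
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes like Wireshark's bytes pane: offset, hex, then ASCII ('.' if unprintable)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        asc_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:04x}  {hex_part:<{width * 3 - 1}}  |{asc_part}|")
    return "\n".join(lines)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words.
    With the checksum field zeroed this returns the value to store; run over a
    header that already carries a correct checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet II -> IPv4 -> TCP by fixed offsets and return the decoded fields."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth": {"dst": ":".join(f"{b:02x}" for b in dst),
                   "src": ":".join(f"{b:02x}" for b in src),
                   "type": ethertype}}
    if ethertype != 0x0800:                 # only IPv4 is decoded in this example
        return out

    ip = frame[14:]
    vihl, tos, total_len, ident, flags_frag, ttl, proto, csum, s, d = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4                 # header length in bytes (20 if no options)
    out["ip"] = {
        "version": vihl >> 4, "ihl": ihl, "tos": tos, "total_len": total_len,
        "id": ident,
        "flags": {"DF": bool(flags_frag & 0x4000), "MF": bool(flags_frag & 0x2000)},
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto, "checksum": csum,
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "src": ".".join(map(str, s)), "dst": ".".join(map(str, d)),
    }
    if proto != 6:                          # 6 = TCP; other protocols are left undecoded
        return out

    tcp = ip[ihl:total_len]                 # trust total_len, not the frame length (padding)
    sport, dport, seq, ack, off_res, flags, win, tcsum, urg = \
        struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4           # high nibble = header length in 32-bit words
    out["tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": data_off,
        "flags": [name for name, bit in TCP_FLAG_BITS if flags & bit],
        "window": win, "checksum": tcsum, "urgent": urg,
    }
    out["payload"] = tcp[data_off:]
    return out


if __name__ == "__main__":
    decoded = parse_frame(SAMPLE_FRAME)
    for layer in ("eth", "ip", "tcp"):
        print(layer, decoded[layer])
    print(decoded["payload"])
    print(hexdump(SAMPLE_FRAME))
```

    A useful exercise with a parser like this is to change one byte of the sample (say the TTL at offset 22) and watch `checksum_ok` flip to False; that is exactly the kind of field-level reasoning Wireshark's "Header checksum" expert info is doing for you.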
  • Computadora Member Posts: 69
    Thanks for the reply. I'll work hard at it and try my best to at least be able to detect normal packets vs suspicious packets vs malicious packets.
  • L0gicB0mb508 Member Posts: 538
    +1 what dynamik said
    I bring nothing useful to the table...