Wireshark & Ethereal Network Protocol Analyzer Toolkit, Jay Beale's Open Source Security Series

Chapter 7: Real World Packet Captures

Introduction

Now that you have learned how Wireshark works and how to use it, you are armed and ready to read real network packet captures. In this chapter we discuss real-world packet captures and traffic that you could be seeing on your network. You will learn how to read the captures, what to look for, and how to identify various types of network traffic. The Honeynet Project at http://project.honeynet.org provided some of the packet capture data in this chapter, which we have included on the accompanying CD-ROM in the /captures directory. The Honeynet Project Web site includes a great challenge called Scan of the Month that will exercise your capture analysis abilities.

Scanning

Network scanning is used to identify available network resources. Also known as discovery or enumeration, network scanning can be used to discover available hosts, ports, or resources on the network. Once a vulnerable resource is detected, it can be exploited, and the device can be compromised. Sometimes an actual intruder is behind the scanning, and sometimes it is the result of worm activity. In this section we focus on active intruder scanning; worm activity is covered in a later section. Security professionals also use network scanning to assist in securing and auditing the network. In this section we use Scan1.log, which contains several different types of scans and was provided by the Honeynet Research Alliance as part of the Honeynet Project's Scan of the Month challenge. ...
