how to find web server in wireshark
Can you filter for all packets that comprise the TLS handshake ssl.handshake. On Sept. 24, 2020, links from malspam pushing Dridex didnt return an Office document. What's the cheapest way to buy out a sibling's share of our parents house if I have no cash and want to pay less than the appraised value? wireshark windows - how to remote capture/analyze from a tshark or similar install? When in capture option I select remote interface and enter my remote ip show me error.code(10061). 2023 LifeSavvy Media. In the interfaces, choose a particular Ethernet adapter and note down its IP, and click the start button of the selected adapter. Locate and resolve the source of packet loss. Specify the name of the remote computer. It does not work with the client certificate, nor the Certificate Authority (CA) certificate. The next step in finding the web server engine is to analyze the configuration files that are being used. This is wrong, as the MS-SQL-Protocol in use does SSL/TLS inside the protocol itself not on the outer most layer, which is quite common. Why are players required to record the moves in World Championship Classical games? Applications using OpenSSL could use a GDB or a LD_PRELOAD trick to extract the secrets. isn't the name of the server in the URL http://www.sbb.ch equal to www.sbb.ch? Could a subterranean river or aquifer generate enough continuous momentum to power a waterwheel for the purpose of producing electricity? Wireshark provides a number of tools that can help you analyze the logs. However, by using the tools that Wireshark provides, you can easily identify the web server engine These names are often used interchangeably which can lead to some confusion: A configuration that uses the SSL protocol (SSLv2/SSLv3) is insecure. For more information about TSharks command line options, check out its manual page. You cannot directly filter TLS protocols while capturing. The same applies to any other connection that you are using to connect to any service, whether it be on your LAN, over the LAN, or across the WAN. Click the Capture Options link in Wireshark, then select Remote from the Interface box. Make sure the port "value" is set to 1433 and then set "Current" to SSL: Click OK and when you return to the packets you'll see they're now interpreted in more detail: Finally, if you look at the detail pane for one of the packets (I suggest using the server hello, not the client hello, in case protocol was adjusted) you'll see the TLS version quite clearly: To subscribe to this RSS feed, copy and paste this URL into your RSS reader. How do I escape a single quote in SQL Server? Click start. Figure 19 shows how to get there in our second pcap for 151.236.219[.]181. This will result in five pcap files: Open 2020-06-03-Dridex-infection-traffic.pcap in Wireshark, and use a basic web filter as described in this previous tutorial about Wireshark filters. Imported from https://wiki.wireshark.org/TLS on 2020-08-11 23:26:41 UTC, Embedding decryption secrets in a pcapng file, https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9144, https://gitlab.com/wireshark/wireshark/-/tree/master/test/captures, https://github.com/neykov/extract-tls-secrets, page 19 of Peter Wu's SSL/TLS Decryption SharkFest'18 EU presentation, https://gist.github.com/Lekensteyn/f64ba6d6d2c6229d6ec444647979ea24, https://github.com/quicwg/base-drafts/wiki/Tools#wireshark, https://en.wikipedia.org/wiki/Transport_Layer_Security, https://sharkfesteurope.wireshark.org/assets/presentations16eu/07.pdf, https://lekensteyn.nl/files/wireshark-ssl-tls-decryption-secrets-sharkfest18eu.pdf, https://lekensteyn.nl/files/wireshark-tls-debugging-sharkfest19us.pdf, Keyless SSL: The Nitty Gritty Technical Details. If the null hypothesis is never really true, is there a point to using a statistical test without a priori power analysis? This will bring up the Capture Interfaces window, as shown below in Figure 4. Analyzing a packet capture file PCAP is a matter of thinking about the problem logically, reasoning what information you are looking for, and then constructing search filters to suit your requirements. In Wireshark, go to Edit -> Preferences -> Protocols -> TLS, and change the (Pre)-Master-Secret log filename preference to the path from step 2. If I apply the filter "tcp.len>1 && tcp.port==1433 && tcp.stream eq 0", this doesn't show any packets even when I invoke a database connection between server and client. 565), Improving the copy in the close modal and post notices - 2023 edition, New blog post from our CEO Prashanth: Community is the future of AI. Introduction to SIEM (security information and event management), Best practices for endpoint security: 5 trends you cant afford to ignore, Exploiting built-in network protocols for DDoS attacks, Open source IDS: Snort or Suricata? This tutorial reviewed how to identify Dridex activity from a pcap with Dridex network traffic. Connect and share knowledge within a single location that is structured and easy to search. Thank you. In this dialog, use the Add new keyfile button to select a file. What should I do? This C2 traffic communicates directly with an IP address, so there are no domain names associated with it. WebThis file can subsequently be configured in Wireshark (#Using the (Pre)-Master Secret). So Joe A going to Joe B never comes near your PC, so you can't see it. Click on the Start button to The certificate issuer data is key to identifying a Dridex infection, since these patterns appear unique to Dridex. In this video, we learn how to use the http.time filter in Wireshark to quickly identify slow application response time from web servers. You will be prompted for a password if necessary. Such automatically generated content does not reflect the views or opinions of Alibaba Cloud. Join 425,000 subscribers and get a daily digest of news, geek trivia, and our feature articles. Once you have, run the tshark -i # command, replacing # with the number of the interface you want to capture on. Wireshark is a very useful tool for information security professionals and is thought of by many as the de facto standard in network packet and protocol analysis. Is it possible to catch packets going through a router on the router itself this way, or is that something impossible? How did you figure out that TLS 1.1 is 0x0302 and TLS 1.2 is 0x0303? Learn and experience the power of Alibaba Cloud. By using Wireshark, we will see what data we can find on the network relating to any network communications. How can I decode SQL Server traffic with wireshark? Unexpected uint64 behaviour 0xFFFF'FFFF'FFFF'FFFF - 1 = 0? The master secret enables TLS decryption in Wireshark and can be supplied via the Key Log File. I think that the answer is what you started with - it will tell you TLS is there, but won't parse the details as it would with a native TLS session. Use the following filter in Wireshark to look at the certificate issuer data for HTTPS traffic over these two IP addresses: tls.handshake.type eq 11 and (ip.addr eq 185.86.148.68 or ip.addr eq 212.95.153.36). This malware first appeared in 2014 and has been active ever since. Scroll down near the end before the last HTTP GET request for favicon.ico. Since 2011, Chris has written over 2,000 articles that have been read more than one billion times---and that's just here at How-To Geek. Stack Exchange network consists of 181 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. Not uncommon for low end routers. [updated 2021], NSA report: Indicators of compromise on personal networks, Securing the home office: Printer security risks (and mitigations), Cost of non-compliance: 8 largest data breach fines and penalties, How to find weak passwords in your organizations Active Directory, Monitoring business communication tools like Slack for data infiltration risks, Networking fundamentals (for network security professionals), How your home network can be hacked and how to prevent it. The following TCP protocol preferences are also required to enable TLS decryption: Starting with Wireshark 3.0, a new RSA Keys dialog can be found at Edit -> Preferences -> RSA Keys. For this, I have used the CentOS machine acting as an HTTP web server It can help with an investigation into a fault and is a brilliant starting point: the PCAP results that you get on your network can tell you a lot about what is happening around you, especially if you have reasons to be suspicious about any strange activity. http If youve captured a number of different packets, but you want to see only the http-based traffic, you can apply this display filter, and Wireshark will show you only those packets. http.response.code == 404 If youre having trouble loading certain web pages, this filter might be useful. Our example will show you how to reveal a plain-text password being transmitted over your network via Telnet, which will be intercepted by Wireshark. Start wireshark from the command line. See the part that says User Access Verification Password:? Copy the n-largest files from a certain directory to the current one. Initial infection activity also includes the malicious file loading an installer for Dridex. You should revisit your server configuration. Dridex is the name for a family of information-stealing malware that has also been described as a banking Trojan. Not wireshark, but for me the Microsoft Message Analyzer worked great for that. In this article, we will discuss how to use Wireshark to find the web server engine. The -i option specifies the interface, while the -k option tells Wireshark to start capturing immediately. What is SSH Agent Forwarding and How Do You Use It? Basically this is very similar to wireshark with the exception that some specific MS protocols have better parser and visualisation support than wireshark itself and obviously it would only run under windows ;-). Click Start after selecting the interface to start the remote capture. Check it out here - http://bit.ly/wiresharkintro--------------- Trace File Analysis Services -----------------------Got packet problems that you need help digging into?https://www.packetpioneer.com/contact Can you still use Commanders Strike if the only attack available to forego is an attack against an ally? Subject data verifies the identity of the website. https://lekensteyn.nl/files/wireshark-tls-debugging-sharkfest19us.pdf SharkFest'19 US presentation by Peter Wu describing TLS decryption and use of embedded decryption secrets (https://youtu.be/Ha4SLHceF6w). Once on the GitHub page, click on each of the ZIP archive entries, and download them as shown in Figures 10 and 11. Use Ctrl-C when you want to stop the capture. Why are players required to record the moves in World Championship Classical games? This will allow you to see the protocols that are being used and the order in which they are being used. Select the TCP port you are using You can check and find the proper one via $ ip link. If the null hypothesis is never really true, is there a point to using a statistical test without a priori power analysis? Whats the Difference Between a DOS and DDoS Attack? However, values for the country name and city or locality often match. Tags: Dridex, pcap, Wireshark, Wireshark Tutorial, This post is also available in: In the above example, Vu is the 2-letter country code for Vanuatu, and Port Vila is the capital city of Vanuatu. Figure 12 shows the first example opened in Wireshark using our basic web filter. Some applications (such as email) use a single port for both unencrypted and encrypted sessions. These patterns differ from many other malware families, but they are somewhat similar to certificate issuer data from HTTPS C2 Qakbot network traffic. Learn how to utilize Wireshark as a first-response task to quickly and efficiently discover the source of poor performance. Nonetheless wireshark as mentioned above would be sufficient to validate encryption and applied certificates on the wire itself. Data from this digital certificate is used to establish an HTTPS connection. You need to decode the TDS stream and it is not obvious (to me at least) how to do this in wireshark. Do it only on your very private machine and clear you history after then via $ history -c. Thanks for contributing an answer to Server Fault! This will allow you to see the logs that are being generated. By analyzing the network traffic, you can get an idea of what type of web server engine is being used. The two available methods are: Key log file using per-session secrets (#Usingthe (Pre)-Master Secret). Wireshark provides a number of tools that can help you analyze the protocols. Familiarity with Wireshark is necessary to understand this tutorial, which focuses on Wireshark version 3.x. BTW: try to improve your acceptance rate. How do the interferometers on the drag-free satellite LISA receive power without altering their geodesic trajectory? @infmo if the router can run tcpdump directly then yes it should be possible. The protocol version is SSLv3, (D)TLS 1.0-1.2. RSA keys list: opens a dialog to configure RSA private keys for decryption. Alternatively, select a TLS packet in the packet list, right-click on the TLS layer in the packet details view and open the Protocol preferences menu. By clicking Accept all cookies, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy. To get to the traffic requires a connection to a router or good switch or hub somewhere in the middle of their connection. Wireshark provides a number of tools that can help you analyze the network traffic. Very nice command! https://gitlab.com/wireshark/wireshark/-/tree/master/test/captures - The test suite contains various TLS traces. You can use the Follow TCP Stream tool to view the headers that are being sent and received. Open the Protocols tree and select TLS. ]44: Open 2020-10-07-Dridex-infection-traffic.pcap in Wireshark and use a basic web filter, as shown in Figure 23. The next step in finding the web server engine is to analyze the headers that are being sent and received. I just use this filter in Wireshark to find TLS 1.0 traffic: (Ignore this answer, which I'm leaving for historical data, and read my other answer, which explains what's actually going on), Update after an example packet was added to the question -. Our Telnet example was very basic as it did not require any conversions or decryption, but again, the same principles would apply. The Once you have identified the web server engine, you can then use the appropriate tools to further analyze the traffic and gain more insight into the network. The IP alone doesn't tell anything, because there might be multiple sites on the same host. Wireshark is cool - but in this case MNM is 'better'. After applying the filter, select the first frame, go to the frame details section and work your way to a list of lines that start with the term RDNSequence item as done in our first four examples. ]uk are in the same TCP stream. Using Wireshark, I am trying to determine the version of SSL/TLS that You can enable this setting by opening the preferences window from Edit -> Preferences, clicking the Name Resolution panel and clicking the Enable Network Name Resolution check box. Example: Some other protocols are derived from TLS. Malware authors often use random, default or fake values in these fields for self-signed certificates. Dridex infection traffic consists of two parts: Initial infection activity occurs when a victim downloads a malicious file from an email link. You can't find the ssl handshake in Wireshark using the ssl filter as the TDS protocol uses SSL/TLS internally using SChannel(Windows internal implementation of SSL/TLS). We recommend you review this pcap in a non-Windows environment like BSD, Linux or macOS if at all possible. Work-from-home network traffic spikes: Are your employees vulnerable? The certificate issuer data follows the same pattern as our first two examples. QUIC is an in-development protocol that uses TLS for its encryption, Wireshark's status can be tracked at https://github.com/quicwg/base-drafts/wiki/Tools#wireshark. ]3: Certificate issuer data for Dridex HTTPS C2 traffic on 188.250.8[. Chris has written for The New York Timesand Reader's Digest, been interviewed as a technology expert on TV stations like Miami's NBC 6, and had his work covered by news outlets like the BBC. How does DTLS use a CBC cipher if the application data is not reliable over UDP? Episode about a group who book passage on a space ship controlled by an AI, who turns out to be a human who can't leave his ship? ]25: Certificate issuer data for Dridex HTTPS C2 traffic on 85.211.162[. Varonis debuts Check the issuer data for both IP addresses, and you should find the data listed below. Whilst this may theoretically answer the question. You can use the Protocol Hierarchy tool to view the protocols that are being used. To subscribe to this RSS feed, copy and paste this URL into your RSS reader. To ensure that unnecessary keys are not leaked, you can use the inject-tls-secrets.py script from https://gist.github.com/Lekensteyn/f64ba6d6d2c6229d6ec444647979ea24 to filter the key log file and add the required secrets to a capture file. Set environment variable SSLKEYLOGFILE to the absolute path of a writable file. Can corresponding author withdraw a paper after it has accepted without permission/acceptance of first author. Finding the web server engine in Wireshark can be a daunting task. really cool the scripting stuff for each protocol step but well. You can use a file descriptor to connect to and receive the packets by ssh and pipe it to wireshark locally: wireshark -i <(ssh root@firewall tcpdump -s 0 -U -n -w - -i eth0 not port 22). Note the RDNSequence items for HTTPS traffic to 185.86.148[. You can use the Follow TCP Stream tool to view the configuration files that are being used. Wireshark will automatically start collecting packets. Launch a new web browser then navigate to the website youd like to examine the status codes of. To see the HTTP packets only, enter HTTP in the Filter text field towards the top-left. Then, under the main menu, click on the start icon (the first icon) to start capturing packets. Where does the version of Hamapil that is different from the Gemara come from? This feature is only available on Windows at the moment Wiresharks official documentation recommends that Linux users use an SSH tunnel. Allow subdissector to reassemble TCP streams. Connect and share knowledge within a single location that is structured and easy to search. The handshake must include the ClientKeyExchange handshake message. I have a more or less interesting problem which could be solved this way. You can also use the Follow UDP Stream tool to view the data that is being sent and received. By analyzing the configuration files, you can get an idea of what type of web server engine is being used. Furthermore, HTTPS C2 traffic for malware does not involve a web browser, so the encrypted traffic works without any errors or warnings. You will find the end of a long string of ASCII characters that is converted to a blob and sent to the victim as Ref_Sep24-2020.zip, as shown in Figure 17. (Adding a new answer which should be definitive, leaving the old around as it's useful debug for how we got here. A quick Google search indicates truepenesonga[. This includes Python. Create a file start-fx.cmd with: For Linux, you open a terminal then start the browser with: For macos, you open a terminal then start the browser with: Change the SSLKEYLOGFILE path as needed, and replace firefox with chrome for Google Chrome. You must have access to port 2002 on the remote system to connect, so you may need to open this port in a firewall. id-at-organizationName=Whensean Imegdtc SICAV, id-at-commonName=arashrinwearc.Ourontizes.ly, id-at-stateOrProvinceName=Anourd Thiolaved Thersile5 Fteda8, id-at-organizationName=Wemadd Hixchac GmBH, id-at-commonName=heardbellith.Icanwepeh.nagoya, id-at-stateOrProvinceName=Listth Thearere8 berponedt tithsalet, id-at-commonName=Atid7brere.Speso_misetr.stada, id-at-stateOrProvinceName=Cepli thade0 ithentha temsorer, id-at-commonName=Onshthonese.vyrda-npeces.post. This can be done by using a network sniffer such as Wireshark. For example, if you see a lot of HTTP requests and responses, then it is likely that the web server engine is Apache. The first step in finding a web server in a Wireshark capture pcap is to identify the Finding the IP Address of the Web Server. If youre using Linux or another UNIX-like system, youll probably find Wireshark in its 2 - From the menu, go to Edit > Preferences. It returned a ZIP archive for the infection chain shown in Figure 7. Browse other questions tagged, Start here for a quick overview of the site, Detailed answers to any questions you might have, Discuss the workings and policies of this site. Thats the plain text from the login prompt in our earlier step that we saw in Telnet. So by itself Wireshark will not parse it as TLS: In order to change this, right-click on one of the packets and select "Decode As". Thanks for contributing an answer to Stack Overflow! All three HTTP GET requests to adv.epostoday[. So, the best I can tell you is this. WebOpen Wireshark Click on " Capture > Interfaces ". Warning: Some of the pcaps used for this tutorial contain Windows-based malware. Create a copy of Wiresharks shortcut, right-click it, go into its Properties window and change the command line arguments. TShark acts like Wireshark, printing the traffic it captures to the terminal. In order to detect the operating system of a web server using Wireshark, you will need to capture the network traffic from the web server. What is endpoint protection and security? Not generally used. *, and the 0x0X indicates the TLS version - 0x01 for TLS 1.0, 0x02 for TLS 1.1, and 0x03 for TLS 1.2. Lets investigate further. This is a pretty good example of what you can find when passwords are being transmitted in plain text, which is why Telnet is no longer as popular as it used to be. The very first step for us is to open Wireshark and tell it which interface to start monitoring. Does the order of validations and MAC with clear text matter? If you have no root access via ssh on your host being sniffed to, like on a raspberrypi, and for good reason you don't want to enable it or you simply can't do it, for whatever reason, there is a slightly different approach of @ctaglia (alternative to answer to that from @Dan). (CVE-2021-3449), Image of minimal degree representation of quasisimple group unique up to conjugacy. Enter the address of the remote system and 2002 as the port . You may see fewer filter options, depending on yourfirewallproduct. Certificate information can be viewed from HTTPS traffic in Wireshark. Using Wireshark, I am trying to determine the version of SSL/TLS that is being used with the encryption of data between a client workstation and another workstation on the same LAN running SQL Server. The only advantage of the RSA private key is that it needs to be configured only once in Wireshark to enable decryption, subject to the above limitations. Graeme is an IT professional with a special interest in computer forensics and computer security. By analyzing the protocols, you can get an idea of what type of web server engine is being used. Fortunately, Wireshark provides a number of tools that can help you identify the web server engine that is being used. How is TDS authentication data protected? Chris Hoffman is Editor-in-Chief of How-To Geek. Verify that the location from step 2 is created. Soft, Hard, and Mixed Resets Explained, Steam's Desktop Client Just Got a Big Update, The Kubuntu Focus Ir14 Has Lots of Storage, This ASUS Tiny PC is Great for Your Office, Windows 10 Won't Get Any More Major Updates, Razer's New Headset Has a High-Quality Mic, NZXT Capsule Mini and Mini Boom Arm Review, Audeze Filter Bluetooth Speakerphone Review, Reebok Floatride Energy 5 Review: Daily running shoes big on stability, Kizik Roamer Review: My New Go-To Sneakers, LEGO Star Wars UCS X-Wing Starfighter (75355) Review: You'll Want This Starship, Mophie Powerstation Pro AC Review: An AC Outlet Powerhouse, 5 Killer Tricks to Get the Most Out of Wireshark, How to Identify Network Abuse with Wireshark, WordTsar Is Reviving the 80s WordStar Writing Experience, Intel CPUs Might Give up the i After 14 Years, Windows 11 Has More Widgets Improvements on the Way. WebLearn to use wireshark to find the IP address of a website. Open a website, for example https://www.wireshark.org/. The initial malicious file can be a Microsoft Office document with a malicious macro, or it could be a Windows executable (EXE) disguised as some sort of document. The dsb suffix stands for Decryption Secrets Block (DSB) and is part of the pcapng specification. I can capture the packets using wireshark, but I can't decode the stream into anything intelligible. The RSA private key only works in a limited number of cases. Select Scenario (I chose Local Network Interfaces) Enter a session filter expression like *address == 10.1.2.129 to filter only traffic to your sql server. Use infected as the password to extract pcaps from these ZIP archives. Exactly which display filter should I apply? If your switch isn't inteligent enough you can also put a small hub inbetween the switch/host-to-capture connection. The protocol version is SSLv3, (D)TLS 1.0-1.2. Now, I've seen varying reports as to whether Wireshark can properly parse TDS packets with encoded TLS. What do hollow blue circles with a dot mean on the World Map? The only exception is HTTPS traffic to truepenesonga[. In order to analyze TCP, you first need to launch Wireshark and follow the steps given below: From the menu bar, select capture -> options -> interfaces. When prompted for credentials, specify your user name in either user@domain.com or AzureAD\user@domain.com format. and another workstation on the same LAN running SQL Server. For a walkthrough for Apache HTTP Server using this libsslkeylog.so library, see. You can use the File -> Open option in Wireshark to open the capture file later. By clicking Post Your Answer, you agree to our terms of service, privacy policy and cookie policy. Information Security Stack Exchange is a question and answer site for information security professionals. 69. Checking through the domains, there is one non-Microsoft domain using HTTPS traffic that might be tied to the initial infection activity: Once again, the focus will be on post-infection Dridex C2 traffic. On connecting to the server, I am getting a series of packets with Info "Ignored Unknown Record". Figure 4: The Capture Interfaces dialog in Wireshark. ;). PolarProxy from Netresec is a transparent SSL/TLS proxy created for incident responders and malware researchers that is primarily designed to intercept and decrypt TLS encrypted traffic from malware. Locate the Remote Packet Capture Protocol service in the list and start it. This item in the WireShark bug database suggests that maybe this isn't possible in SQL Server 2005 or newer. Well focus on the following two sections: Issuer data reveals the CA that issued the digital certificate. id-at-commonName=Ateei7thapom.statonrc.loan, id-at-stateOrProvinceName=Sshopedts Inccofrew, id-at-commonName=avothelyop.thedai9neasysb.author, id-at-organizationName=Icccodiso Icloneedb Oyj, our previous Wireshark tutorial about customizing the column display, HTTPS C2 traffic from recent IcedID malware infections. When you enable this option, youll see domain names instead of IP addresses whenever possible. Since Wireshark 3.0, the TLS dissector has been renamed from SSL to TLS. This command will give you the numbers of your network interfaces. You connect a physical link from your listening host to that port/hub and then you can see all the traffic crossing the device. It is used most commonly in web browsers, but can be used with any protocol that uses TCP as the transport layer. O.K. Look for replies from the DNS server with your client IP as the destination. rev2023.5.1.43405. But the question is, how did they prove that it was encrypted? See also SampleCaptures#SSL_with_decryption_keys. The first step in finding the web server engine is to analyze the packets that are being sent and received. Weve already covered basic usage of Wireshark, so be sure to read our original article for an introduction to this powerful network analysis tool. The PKCS#12 key is a binary file, but the PEM format is a text file which looks like this: The deprecated RSA keys list dialog may be removed at some point. Most of them allow to access its developer mode pressing the F12 key. This is where Wiresharks remote capture feature comes in. And a comment therein states that Microsoft Message Analyzer is the newer equivalent of that tool. Select a particular one or more moons orbitting around a double planet system. X.509 certificates for authentication are sometimes also called SSL Certificates. These scripts can be exported by using the export HTTP objects function, as shown in Figure 18. Self-signed certificates are locally generated and not issued by any certificate authority. Getting Started with Wireshark (Intro Course) - http://bit.ly/wiresharkprotocolsFoundational TCP with Wireshark - http://bit.ly/wiresharktcpMastering TCP with Wireshark - http://bit.ly/mastertcpTroubleshooting Slow Networks with Wireshark - http://bit.ly/wiresharktshootVisualizing Network Traffic with Wireshark - http://bit.ly/wiresharkgraphs- Essential TCP/IP Book for AnalystsTCP/IP Illustrated, Volume 1: The Protocols (2nd Edition) https://amzn.to/32l6Czg------------------------ Books for Wireshark Beginners ------------------https://amzn.to/3jeu349 - Practical Packet Analysis (Chris Sanders)https://amzn.to/3gnhtgZ - Wireshark 101: Essential Skills (Laura Chappell)https://amzn.to/2CVavSR - Learn Wireshark (Lisa Bock)-------------------LIVE WIRESHARK TRAINING ------------------------Open enrollment Wireshark Course - Network Analysis Fundamentals - Two Days Remote via Zoom.