You need to have a good understanding of TCP/IP itself and the protocols that run on it. A very good introduction is TCP/IP Illustrated: http://www.amazon.com/exec/obidos/tg/detail/-/0201633469/qid=1032614292/sr=8-1/ref=sr_8_1/102-1097914-6536962?v=glance&s=books&n=507846

SANS offers various courses that cover this as well. The basic security certification course (GSEC) has some introductory material on TCP/IP. The firewall course has in-depth coverage of TCP; the first volume of the firewall course is really well written and practical in terms of understanding TCP/IP and how to look at packet dumps. In the SANS course, they use tcpdump or WinDump rather than Ethereal because (as they explain) tcpdump is not as glitzy as some of the more sophisticated sniffers out there, and therefore you have to actually use your brain more to pick apart and understand what is coming across the wire, thereby enhancing your learning and understanding of the protocols. The course manuals are available at the SANS GIAC website.

Good luck,
Fred

----- Original Message -----
From: "Teodorski, Chris" <[EMAIL PROTECTED]>
To: "Security-Basics (E-mail)" <[EMAIL PROTECTED]>
Sent: Friday, September 20, 2002 11:40 AM
Subject: help learning to read tcpdumps and network captures

> Can anyone point me to a good resource to learn how to read these? I have been running Ethereal.....and I'm trying to make sense of what I have in my capture.
>
> To try and learn, I used an easy one....I captured FTP traffic, since I knew it would be in clear text.......okay....so I see how that works, but now I want a better understanding.....
>
> Any suggestions?
>
> Thanks,
>
> Chris
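The "pick it apart with your brain" exercise Fred describes, as an added example that is not part of either message in this thread: a small Python dissector that walks a raw frame header by header (Ethernet, IPv4, TCP, payload), verifies both checksums, and prints the same one-line summary and `-X` style hex dump that tcpdump would. The frame it works on is constructed in the script (an FTP client at 10.0.0.5 sending `USER chris` to port 21 on 10.0.0.9), not taken from a real capture, and the addresses, ports and sequence numbers are made up. The last function shows why FTP was a good first capture to read, and what a defender would look for: the login is right there in the TCP payload.

```python
"""Hand-dissect an Ethernet/IPv4/TCP frame the way you read a tcpdump -X hex dump.

Added example for this thread. The frame is constructed below, not a real capture.
"""
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
# Flag letters in the order tcpdump prints them: FIN SYN RST PSH ACK URG ECE CWR
TCP_FLAG_LETTERS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                    (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W"))


def ip_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words. Returns 0 when a header
    that already contains its checksum verifies correctly."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, segment):
    """TCP checksum covers a pseudo-header (addresses, protocol, length) plus the segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(segment))
    return ip_checksum(pseudo + segment)


def build_sample_frame():
    """Constructed sample: FTP client 10.0.0.5:49152 sends 'USER chris' to 10.0.0.9:21."""
    src, dst = socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9")
    payload = b"USER chris\r\n"
    # data offset 5 words (20 bytes, no options), flags 0x18 = PSH|ACK, checksum 0 for now
    tcp_hdr = struct.pack("!HHIIBBHHH", 49152, 21, 1000, 2000, 5 << 4, 0x18, 8192, 0, 0)
    segment = tcp_hdr + payload
    segment = segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]
    total_len = 20 + len(segment)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, PROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]   # fill header checksum
    eth_hdr = bytes.fromhex("005056ddeeff") + bytes.fromhex("000c29aabbcc") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + segment


def dissect(frame):
    """Walk Ethernet -> IPv4 -> TCP -> payload and return the fields tcpdump prints."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("ethertype 0x%04x is not IPv4" % ethertype)
    ip = frame[ETH_HDR_LEN:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4               # IP header length in bytes; options push it past 20
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != PROTO_TCP:
        raise ValueError("IP protocol %d is not TCP" % proto)
    segment = ip[ihl:total_len]              # trust total_len, not frame length: short frames carry Ethernet padding
    sport, dport, seq, ack, off_res, flags, win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    doff = (off_res >> 4) * 4                # TCP header length in bytes; options (MSS, SACK, ...) push it past 20
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "flags": "".join(letter for bit, letter in TCP_FLAG_LETTERS if flags & bit),
        # On a capture of your own outbound traffic this is often False because of checksum
        # offload (the NIC fills it in after the capture point); tcpdump reports "bad cksum".
        "tcp_checksum_ok": tcp_checksum(src, dst, segment) == 0,
        "payload": segment[doff:],
    }


def summarize(f):
    """One-line summary in tcpdump's format (tcpdump prefixes a timestamp)."""
    return "IP %s.%d > %s.%d: Flags [%s], seq %d, ack %d, win %d, length %d" % (
        f["src"], f["sport"], f["dst"], f["dport"], f["flags"], f["seq"], f["ack"], f["win"], len(f["payload"]))


def hexdump(data):
    """Lines in the style of tcpdump -X: offset, 16 bytes as 2-byte groups, ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("0x%04x:  %-39s  %s" % (off, hexpart, asc))
    return lines


def cleartext_ftp_login(f):
    """Return the USER/PASS line if this segment carries a cleartext FTP login, else None.
    This is exactly what makes FTP readable in a capture, and what a defender hunts for."""
    if f["dport"] != 21:
        return None
    line = f["payload"].split(b"\r\n", 1)[0]
    if line[:5] in (b"USER ", b"PASS "):
        return line.decode("ascii", "replace")
    return None


if __name__ == "__main__":
    frame = build_sample_frame()
    fields = dissect(frame)
    print(summarize(fields))
    print("\n".join(hexdump(frame)))
    hit = cleartext_ftp_login(fields)
    if hit:
        print("cleartext FTP credential on the wire:", hit)
```

Reading the dump by hand goes in the same order the code does: the first 14 bytes are Ethernet (two MACs and the ethertype 0800), the next 20 are the IP header (45 at offset 14 means version 4 with a 5-word header), then the TCP header starting with the two ports, and everything after the data offset is payload. Ethereal does this decoding for you; doing it once yourself is what makes its output meaningful.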
