Network analysis is the process of listening in on the network traffic (wired or wireless) and deciphering the traffic. You may be using network analysis to spot the reason for lousy network performance (Chapter 29) or identify evidence of breached hosts (network forensics) (Chapter 32).
Before we go any further, there is a legal issue that must be addressed (Chapter 1) and I'll just make the assumption that a few weeks/years in prison isn't on your "Things to Do Before I Die" list. So... let's avoid a cavity search, shall we? Check with your local laws AND company policies before you capture your first packet. When in doubt, just back away from the keyboard, take a nice coffee break or call a friend to 'talk you down' from the ledge of illegal wiretapping. If you do decide to listen in on traffic, find out that your actions are illegal, get thrown in prison for an undeterminable length of time - please be sure to write. We'll miss you.
Network analysis can also be (make that 'should also be') used to understand how an application works, and what its impact will be on the network, before it is rolled out. The operative word is before. Network analysis can show you exactly what the traffic rates will be in packets per second and bytes per second. You can estimate the hit on your WAN links or your switches/routers along the path. I've seen too many lousy stinkin' applications out there so do your application analysis homework (Case Study: Chapter 8).

Network analysis also offers you the opportunity to optimize network traffic - to find the 1970s plaid pants in the back of the closet of your network traffic. It pains me to make this comment, but... do you really need that old IPX/SAP traffic cruising around your network? Are there any redirections happening because the default gateway setting isn't set properly (Chapter 18)? Are DNS queries going out to your branch office in Monkey's Eyebrow, Arizona (yes - there really is a city named Monkey's Eyebrow in Arizona)? Cleaning up the garbage on the network is like tuning up your car - it's a boring project that no one thinks about until you sputter off the side of that dirt road at 2:35am during a thunderstorm (somewhere near Monkey's Eyebrow, Arizona perhaps).
Watching that network traffic also helps spot unusual activity - such as that host that keeps ARPing up a storm on the network or those IRC communications that have crept up between the accounting department and some servers in... Enumclaw, Washington (another real city - I've even been to Enumclaw) (Chapter 32). How can you identify unusual traffic? That's where your baseline comes into play... wait! You do have a baseline, right? (Chapter 28)
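Turning the two ideas above into a check, as an added example that is not from the book: per-host packets/second and bytes/second (the application-impact numbers), and a baseline comparison that flags a host ARPing far above its own normal rate. Every host, timestamp and threshold here is constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample records, one per frame: (time_s, src_host, protocol, frame_bytes).
# Made-up values standing in for rows exported from a trace; not from any real capture.
BASELINE = [  # a quiet window that defines what "normal" looks like per host
    (0.0, "10.0.0.5", "ARP", 60), (2.0, "10.0.0.5", "TCP", 1200), (4.0, "10.0.0.5", "TCP", 900),
    (1.0, "10.0.0.9", "ARP", 60), (3.0, "10.0.0.9", "DNS", 90), (5.0, "10.0.0.9", "TCP", 1400),
]
CAPTURE = [  # a later window in which 10.0.0.9 is "ARPing up a storm"
    (0.0, "10.0.0.5", "TCP", 1200), (3.0, "10.0.0.5", "ARP", 60),
    (0.1, "10.0.0.9", "ARP", 60), (0.2, "10.0.0.9", "ARP", 60), (0.3, "10.0.0.9", "ARP", 60),
    (0.4, "10.0.0.9", "ARP", 60), (0.5, "10.0.0.9", "ARP", 60), (0.6, "10.0.0.9", "ARP", 60),
]

def window_seconds(records):
    """Span of the capture; a single-timestamp capture counts as a one-second
    window so the rate calculations never divide by zero."""
    times = [r[0] for r in records]
    return (max(times) - min(times)) or 1.0

def traffic_rates(records):
    """Per-host packets/second and bytes/second: {host: (pps, bytes_per_s)}."""
    secs = window_seconds(records)
    pkts, octets = defaultdict(int), defaultdict(int)
    for _, host, _, size in records:
        pkts[host] += 1
        octets[host] += size
    return {h: (pkts[h] / secs, octets[h] / secs) for h in pkts}

def protocol_rate(records, proto):
    """Per-host frames/second for a single protocol, e.g. ARP."""
    secs = window_seconds(records)
    count = defaultdict(int)
    for _, host, p, _ in records:
        if p == proto:
            count[host] += 1
    return {h: n / secs for h, n in count.items()}

def arp_storms(baseline, capture, factor=5.0, floor_pps=1.0):
    """Hosts whose ARP rate in `capture` is at least `floor_pps` and more than
    `factor` times their baseline ARP rate. A host missing from the baseline
    (new on the wire) has a baseline rate of 0, so anything over the floor is flagged."""
    base = protocol_rate(baseline, "ARP")
    now = protocol_rate(capture, "ARP")
    return sorted(h for h, r in now.items()
                  if r >= floor_pps and r > factor * base.get(h, 0.0))

if __name__ == "__main__":
    for host, (pps, bps) in sorted(traffic_rates(CAPTURE).items()):
        print(f"{host}: {pps:.2f} pkt/s, {bps:.0f} B/s")
    print("ARP storm suspects:", arp_storms(BASELINE, CAPTURE))
```

The absolute floor keeps a host with a near-zero baseline from being flagged for a single extra ARP; tune `factor` and `floor_pps` from your own baseline rather than from these constructed numbers.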
As you are starting out, network analysis can be your best teacher - allowing you to see the traffic that you're studying. Catch all the traffic you can as you browse websites, FTP to a server, pick up your email or run Nmap against your son's computer (Chapter 31).
Laura Chappell
Author, Wireshark Network Analysis
ISBN 978-1-893939-99-8