Learn Wireshark: A definitive guide to expertly analyzing protocols and troubleshooting networks using Wireshark, by Lisa Bock

The document is a comprehensive guide on using Wireshark for network analysis and troubleshooting, authored by Lisa Bock. It covers various aspects of packet analysis, including installation, interface navigation, and detailed examination of network protocols. The book is designed for both beginners and experienced users looking to enhance their skills in network traffic analysis.

Learn Wireshark
Second Edition

A definitive guide to expertly analyzing protocols and
troubleshooting networks using Wireshark

Lisa Bock

BIRMINGHAM—MUMBAI
Learn Wireshark
Second Edition
Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, without the prior written permission of the publisher,
except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the
information presented. However, the information contained in this book is sold without warranty,
either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors,
will be held liable for any damages caused or alleged to have been caused directly or indirectly by
this book.
Packt Publishing has endeavored to provide trademark information about all of the companies
and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing
cannot guarantee the accuracy of this information.

Group Product Manager: Vijin Boricha
Publishing Product Manager: Prachi Sawant
Content Development Editor: Romy Dias
Technical Editor: Rajat Sharma
Copy Editor: Safis Editing
Project Coordinator: Ashwin Dinesh Kharwa
Proofreader: Safis Editing
Indexer: Sejal Dsilva
Production Designer: Roshan Kawale
Marketing Coordinator: Sanjana Gupta

First Published: August 2019
Second Edition: June 2022

Production reference: 1010722

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-80323-167-9
www.packt.com
To all dreamers, know that there isn't always a clear path to achieving your dream.
In addition to celebrating and rejoicing each milestone, there will be times of
great sorrow and despair along the way. Nonetheless, keep moving toward your
dream while being authentic, harmonious, and true to yourself. One day you'll
see a sign, and you'll say to yourself with a smile, "I have arrived."
Contributors
About the author
Lisa Bock is an experienced author with a demonstrated history of working in the
e-learning industry. She is a security ambassador with a broad range of IT skills and
knowledge, including Cisco security, CyberOps, Wireshark, biometrics, ethical hacking,
and the IoT. Lisa is an author for LinkedIn Learning and an award-winning speaker who
has presented at several national conferences. She holds an MS in computer information
systems/information assurance from UMGC. Lisa was an associate professor in the IT
department at Pennsylvania College of Technology (Williamsport, PA) from 2003 until
her retirement in 2020. She is involved with various volunteer activities, and she and her
husband, Mike, enjoy bike riding, watching movies, and traveling.

I want to thank my friends and family for their ongoing support. I am
also grateful to the entire Packt team, who work very hard to create an
exceptional product. Finally, I'd like to thank my students, who push me to
deliver the very best educational content.
About the reviewer
Nick Parlow is a Fujitsu Fellow and Distinguished Engineer, and has been an escalation
engineer for Fujitsu in the UK for nearly 20 years, specializing in messaging technologies
and networks. He has fixed stuff for central government, the Ministry of Defence, and
his local school. He has master's degrees in network engineering from Sheffield Hallam
University and software engineering from the University of Northumbria.
Nick is a Microsoft Certified Trainer and holds many other credentials, but is most proud
of being a Raspberry Pi Certified Educator and Code Club volunteer. When he's not
working, writing books, reviewing books, soldering things, or taking blurry photos of the
night sky, he likes to play with chainsaws.

I'd like to thank the author, Lisa Bock, and the team at Packt for giving me
the opportunity to do something that has been wholly enjoyable – reviewing
this great book. Most thanks, however, go to my long-suffering family and
colleagues for giving me the time and support to do so. Thank you, Chris,
Bryn, Jon, Caroline, Craig, and everybody else. You're brilliant.
Table of Contents

Preface

Part 1 Traffic Capture Overview

Chapter 1, Appreciating Traffic Analysis
Reviewing packet analysis
Exploring early packet sniffers
Evaluating devices that use packet analysis
Capturing network traffic
Recognizing who benefits from using packet analysis
Assisting developers
Helping network administrators monitor the network
Educating students on protocols
Alerting security analysts to threats
Arming hackers with information
Identifying where to use packet analysis
Analyzing traffic on a LAN
Outlining when to use packet analysis
Troubleshooting latency issues
Testing IoT devices
Monitoring for threats
Baselining the network
Getting to know Wireshark
Summary
Questions

Chapter 2, Using Wireshark
Examining the Wireshark interface
Streamlining the interface
Discovering keyboard shortcuts
Recognizing the Wireshark authors
Finding information
Understanding the phases of packet analysis
Gathering network traffic
Decoding the raw bits
Displaying the captured data
Analyzing the packet capture
Using CLI tools with Wireshark
Exploring tshark
Dissecting protocols
Summary
Questions

Chapter 3, Installing Wireshark
Discovering support for different OSes
Using Wireshark on Windows
Running Wireshark on Unix
Installing Wireshark on macOS
Deploying Wireshark on Linux
Working with Wireshark on other systems
Comparing different capture engines
Understanding libpcap
Examining WinPcap
Grasping Npcap
Performing a standard Windows installation
Beginning the installation
Choosing components
Creating shortcuts and selecting an install location
Capturing packets and completing the installation
Reviewing available resources
Viewing news and help topics
Evaluating download options
Summary
Questions
Further reading

Chapter 4, Exploring the Wireshark Interface
Opening the Wireshark welcome screen
Selecting a file
Capturing traffic
Exploring the File menu
Opening a file, closing, and saving
Exporting packets, bytes, and objects
Printing packets and closing Wireshark
Discovering the Edit menu
Copying items and finding packets
Marking or ignoring packets
Setting a time reference
Personalizing your work area
Exploring the View menu
Enhancing the interface
Formatting time and name resolution
Modifying the display
Refreshing the view
Summary
Questions

Part 2 Getting Started with Wireshark

Chapter 5, Tapping into the Data Stream
Reviewing network architectures
Comparing different types of networks
Exploring various types of media
Learning various capture methods
Providing input
Directing output
Selecting options
Tapping into the stream
Comparing conversations and endpoints
Realizing the importance of baselining
Planning the baseline
Capturing traffic
Analyzing the captured traffic
Saving the baselines
Summary
Questions

Chapter 6, Personalizing the Interface
Personalizing the layout
Altering the appearance
Changing the layout
Creating a tailored configuration profile
Customizing a profile
Crafting buttons
Adjusting columns, font, and colors
Adding, editing, and deleting columns
Refining the font and colors
Adding comments
Attaching comments to files
Entering packet comments
Viewing and saving comments
Summary
Questions

Chapter 7, Using Display and Capture Filters
Filtering network traffic
Analyzing traffic
Comparing the filters' files
Comprehending display filters
Editing display filters
Using bookmarks
Creating capture filters
Modifying capture filters
Bookmarking a filter
Understanding the expression builder
Building an expression
Discovering shortcuts and handy filters
Embracing filter shortcuts
Applying useful filters
Summary
Questions
Further reading

Chapter 8, Outlining the OSI Model
An overview of the OSI model
Developing the framework
Using the framework
Discovering the purpose of each layer, the protocols, and the PDUs
Evaluating the Application layer
Dissecting the Presentation layer
Learning about the Session layer
Appreciating the Transport layer
Explaining the Network layer
Examining the Data Link layer
Traveling over the Physical layer
Exploring the encapsulation process
Viewing the data
Identifying the segment
Characterizing the packet
Forming the frame
Demonstrating frame formation in Wireshark
Examining the network bindings
Summary
Questions

Part 3 The Internet Suite TCP/IP

Chapter 9, Decoding TCP and UDP
Reviewing the transport layer
Describing TCP
Establishing and maintaining a connection
Exploring a single TCP frame
Examining the 11-field TCP header
Exploring TCP ports
Sequencing bytes
Acknowledging data
Following the flags
Dissecting the window size
Viewing additional header values
Understanding UDP
Studying a single UDP frame
Discovering the four-field UDP header
Analyzing the UDP header fields
Summary
Questions
Further reading

Chapter 10, Managing TCP Connections
Dissecting the three-way handshake
Isolating a single stream
Identifying the handshake packets
Learning TCP options
Grasping the EOL option
Using NOP
Defining the MSS
Scaling the WS
Permitting SACK
Using timestamps
Understanding TCP protocol preferences
Modifying TCP preferences
Tearing down a connection
Summary
Questions
Further reading

Chapter 11, Analyzing IPv4 and IPv6
Reviewing the network layer
Understanding the purpose of IP
Outlining IPv4
Dissecting the IPv4 header
Modifying options for IPv4
Exploring IPv6
Navigating the IPv6 header fields
Editing protocol preferences
Reviewing IPv4 preferences
Adjusting preferences for IPv6
Discovering tunneling protocols
Summary
Questions
Further reading

Chapter 12, Discovering ICMP
Understanding the purpose of ICMP
Understanding the ICMP header
Investigating the data payload
Dissecting ICMP and ICMPv6
Reviewing ICMP
Outlining ICMPv6
Sending ICMP messages
Reporting errors on the network
Issuing query messages
Providing information using ICMPv6
Evaluating type and code values
Reviewing ICMP type and code values
Defining ICMPv6 type and code values
Configuring firewall rules
Acting maliciously
Allowing only necessary types
Summary
Questions
Further reading

Part 4 Deep Packet Analysis of Common Protocols

Chapter 13, Diving into DNS
Recognizing the purpose of DNS
Mapping an IP address
Types of DNS servers
Transporting DNS
Comparing types and classes of RRs
Breaking down DNS types
Examining the RR structure
Reviewing the DNS packet
Examining the header
Dissecting the packet structure
Outlining the query section
Evaluating queries and responses
Caching a response
Calculating response times
Testing using nslookup
Securing DNS
Summary
Questions
Further reading

Chapter 14, Examining DHCP
Recognizing the purpose of DHCP
Configuring the client's IP address
Using a DHCP relay agent
Working with IPv6 addresses
Addressing security issues
Stepping through the DORA process
Moving through DHCP states
Obtaining an IP address
Leasing an IP address
Dissecting a DHCP header
Examining DHCP field values
Understanding DHCP messages
Comparing DHCP options
Following a DHCP example
Releasing an IP address
Broadcasting a discover packet
Delivering an offer
Requesting an IP address
Acknowledging the offer
Summary
Questions
Further reading

Chapter 15, Decoding HTTP
Describing HTTP
Dissecting a web page
Understanding HTTP versions
Recognizing HTTP methods
Keeping track of the connection
Evaluating connection types
Maintaining state with cookies
Comparing request and response messages
Viewing an HTTP request
Responding to the client
Following an HTTP stream
Beginning the conversation
Requesting data
Responding to the client
Ending the conversation
Summary
Questions
Further reading

Chapter 16, Understanding ARP
Understanding the role and purpose of ARP
Resolving MAC addresses
Investigating an ARP cache
Replacing ARP with NDP in IPv6
Exploring ARP headers and fields
Identifying a standard ARP request/reply
Breaking down the ARP header fields
Examining different types of ARP
Reversing ARP
Evaluating InARP
Issuing a gratuitous ARP
Working on behalf of ARP
Comparing ARP attacks and defense methods
Comparing ARP attacks and tools
Defending against ARP attacks
Summary
Questions
Further reading

Part 5 Working with Packet Captures

Chapter 17, Determining Network Latency Issues
Analyzing latency issues
Grasping latency, throughput, and packet loss
Learning the importance of time values
Understanding coloring rules
Exploring the Intelligent Scrollbar
Common transmission errors
Discovering expert information
Viewing the column headers
Assessing the severity
Organizing the information
Summary
Questions

Chapter 18, Subsetting, Saving, and Exporting Captures
Discovering ways to subset traffic
Dissecting by an IP address
Narrowing down by conversations
Minimizing by port number
Breaking down by protocol
Subsetting by stream
Understanding options to save a file
Using Save as
Recognizing ways to export components
Selecting specified packets
Exporting various objects
Identifying why and how to add comments
Providing file and packet comments
Saving and viewing comments
Summary
Questions

Chapter 19, Discovering I/O and Stream Graphs
Discovering the Statistics menu
Viewing general information
Assessing protocol effectiveness
Graphing capture issues
Creating I/O graphs
Examining errors
Graphing duplicate ACKs
Modifying the settings
Exploring other options
Comparing TCP stream graphs
Using time sequence graphs
Determining throughput
Assessing Round Trip Time
Evaluating window scaling
Summary
Questions

Chapter 20, Using CloudShark for Packet Analysis
Discovering CloudShark
Modifying the preferences
Uploading captures
Working with capture files
Outlining the various filters and graphs
Displaying data using filters
Viewing data using graphs
Evaluating the different analysis tools
Following the stream and viewing conversations
Viewing packet lengths and VoIP activity
Exploring HTTP analysis and wireless traffic
Monitoring possible threats
Locating sample captures
Examining captures
Finding more captures
Summary
Questions
Further reading

Assessments
Index
Other Books You May Enjoy
Preface
In the early 2000s, a coworker introduced me to Ethereal, the precursor to Wireshark.
I remember looking at the screen as my laptop gobbled up traffic and thinking, "I don't
know what this is, but I want to know!" Over the next few years, I immersed myself in
learning as much as possible about packet analysis using Wireshark. I attended training,
watched videos, and read books that helped me compile and curate my knowledge and
respect for what the packets tell us.
I have taught network and security courses and presented at conferences about the many
benefits of using Wireshark. In this second edition of Learn Wireshark, I want to share my
knowledge with you. Each chapter has multiple opportunities for a hands-on approach.
Using the examples, you will make sense of the data and understand what the packets
are telling you. I'll outline how to conduct a detailed search, follow the data stream, and
identify endpoints so that you can troubleshoot latency issues and actively recognize
network attacks. Join me on this journey, and you'll soon realize that the ability to
understand what's happening on the network is a superpower!

Who this book is for


This book is for network administrators, security analysts, students, teachers, and anyone
interested in learning about packet analysis using Wireshark. Basic knowledge of network
fundamentals, devices, and protocols, along with an understanding of different topologies,
will be beneficial as you move through the material.

What this book covers


Chapter 1, Appreciating Traffic Analysis, describes the countless places and reasons to
conduct packet analysis. In addition, we'll cover the many benefits of using Wireshark, an
open source protocol analyzer that includes many rich features.
Chapter 2, Using Wireshark, starts with an overview of the beginnings of today's
Wireshark. We'll examine the interface and review the phases of packet analysis. Finally,
we'll cover the built-in tools, with a closer look at tshark (or terminal-based Wireshark),
a lightweight alternative to Wireshark.
Chapter 3, Installing Wireshark, illustrates how Wireshark provides support for different
operating systems. We'll compare the different capture engines, such as WinPCap,
LibPcap, and Npcap, walk through a standard Windows installation, and then review the
resources available at https://www.wireshark.org/.
Chapter 4, Exploring the Wireshark Interface, provides a deeper dive into some of the
common elements of Wireshark to improve your workflow. We'll investigate the welcome
screen and common menu choices, such as File, Edit, and View, so that you can easily
navigate the interface during an analysis.
Chapter 5, Tapping into the Data Stream, starts with a comparison of the different network
architectures and then moves on to the various capture options. You'll discover the
conversations and endpoints you'll see when tapping into the stream, and then learn about
the importance of baselining network traffic.
Chapter 6, Personalizing the Interface, helps you to realize all the ways you can customize
the many aspects of the interface. You'll learn how to personalize the layout and general
appearance, create a tailored configuration profile, adjust the columns, font, and color, and
create buttons.
Chapter 7, Using Display and Capture Filters, helps you to make examining a packet
capture less overwhelming. We'll take a look at how to narrow your scope by filtering
network traffic. We'll compare and contrast display and capture filters, discover the
shortcuts used to build filters, and conclude with a review of the expression builder.
Chapter 8, Outlining the OSI Model, provides an overview of the Open Systems
Interconnection (OSI) model, a seven-layer framework that outlines how the OS prepares
data for transport on the network. We'll review the purpose, protocols, and Protocol Data
Units (PDUs) of each layer, explore the encapsulation process, and demonstrate the frame
formation in Wireshark.
Chapter 9, Decoding TCP and UDP, is a deep dive into two of the key protocols in the
transport layer – the Transmission Control Protocol (TCP) and the User Datagram
Protocol (UDP). We'll review the purpose of the transport layer and then evaluate the
header and field values of both the TCP and the UDP.
Chapter 10, Managing TCP Connections, begins by examining the three-way handshake.
We'll discover the TCP options, get a better understanding of the TCP protocol
preferences, and then conclude with an overview of the TCP teardown process.
Chapter 11, Analyzing IPv4 and IPv6, provides a breakdown of the purpose of the Internet
Protocol (IP). We'll outline IPv4 and the header fields and then explore the streamlined
header of IPv6. We'll summarize with a discussion of the protocol preferences and see
how IPv4 and IPv6 can coexist by using tunneling protocols.
Chapter 12, Discovering ICMP, details the purpose of the Internet Control Message
Protocol (ICMP). We'll dissect ICMP and ICMPv6, compare query and error messages,
and discuss the ICMP type and code values. We'll cover how ICMP can be used in
malicious ways and outline the importance of configuring firewall rules.
Chapter 13, Diving into DNS, outlines the significance of the Domain Name System
(DNS). You'll learn how DNS works when resolving a hostname to an IP address. We'll
compare the different types of records, step through a query and response, review the
DNS header, and calculate the DNS response time using Wireshark.
Chapter 14, Examining DHCP, begins by explaining the need for the Dynamic Host
Configuration Protocol (DHCP). We'll then outline the DORA process – Discover Offer
Request Acknowledge. We'll dissect a DHCP header and review all the field values, flags,
and port numbers, and then finish by stepping through a DHCP example.
Chapter 15, Decoding HTTP, highlights the Hypertext Transfer Protocol (HTTP),
an application layer protocol used when browsing the web. We'll learn the details of
HTTP, explore common methods of transport, and dissect the header and fields. We'll
then compare request and response messages, and then summarize by following an
HTTP stream.
Chapter 16, Understanding ARP, takes a closer look at the Address Resolution Protocol
(ARP), which is a significant protocol in delivering data. We'll outline the role and
purpose of ARP, explore the header and fields, describe the different types of ARP, and
take a brief look at ARP attacks.
Chapter 17, Determining Network Latency Issues, outlines how even a beginner can
diagnose network problems. We'll explore coloring rules and the Intelligent Scrollbar, and
then conclude with an overview of the expert information, which divides the alerts into
categories and guides you through a more targeted evaluation.
Chapter 18, Subsetting, Saving, and Exporting Captures, helps you to explore the many
different ways in which to break down a packet capture into smaller files for analysis. We'll
cover the different options when saving a file, discover ways to export components such as
objects, session keys, and packet bytes, and then outline why and how to add comments.
Chapter 19, Discovering I/O and Stream Graphs, begins by covering the many ways the
statistics menu can help us when analyzing a capture file. We'll create basic I/O graphs to
help visualize network issues and summarize by comparing how the different TCP stream
graphs provide a visual representation of the streams.
Chapter 20, Using CloudShark for Packet Analysis, covers CloudShark, an online
application that is similar to Wireshark. You'll learn how to filter traffic and generate
graphs. We'll then review how you can share captures with colleagues and outline where
you can find sample captures so that you can continue improving your skills.

To get the most out of this book


To prepare for working with Wireshark, download and install the latest version on your
system. Detailed instructions are listed in Chapter 3, Installing Wireshark.
To get the most out of each chapter, when there is a reference to a packet capture,
download the files so that you can follow along with the lessons.
In addition to this, practice your skills on your own and, in particular, review the common
protocols in the TCP/IP suite so that you can deepen your knowledge and become more
proficient in packet analysis.

Download the example code files


All Wireshark capture files are referenced within the book. Download the appropriate
capture files from the online repositories so that you can follow along with the lessons.

Download the color images


We also provide a PDF file that has color images of the screenshots and diagrams used in
this book. You can download it here: https://packt.link/iF8Fj.

Conventions used
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names,
filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles.
Here is an example: "To write to a file, use -w, then the filename and path."
Any command-line input or output is written as follows:

C:\Program Files\Wireshark>tshark -i "ethernet 2" -w Test-Tshark.pcap -a duration:10

Bold: Indicates a new term, an important word, or words that you see onscreen. For
instance, words in menus or dialog boxes appear in bold. Here is an example: "Once
you're in CloudShark, select the Export | Download File drop-down menu."

Tips or Important Notes
Appear like this.

Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us
at [email protected] and mention the book title in the subject of
your message.
Errata: Although we have taken every care to ensure the accuracy of our content,
mistakes do happen. If you have found a mistake in this book, we would be grateful if
you would report this to us. Please visit www.packtpub.com/support/errata
and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet,
we would be grateful if you would provide us with the location address or website name.
Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise
in and you are interested in either writing or contributing to a book, please visit
authors.packtpub.com.

Share Your Thoughts


Once you've read Learn Wireshark - Second Edition, we'd love to hear your thoughts!
Please click here to go straight to the Amazon review page for this book and share
your feedback.
Your review is important to us and the tech community and will help us make sure we're
delivering excellent quality content.
Part 1
Traffic Capture
Overview

In this section, we’ll outline the value of traffic analysis, learn about the evolution of
Wireshark, and step through the phases of packet analysis. We’ll then discuss some of
the command-line interface tools, outline how to download and install Wireshark, and
explore the interface along with commonly accessed menu choices.
The following chapters will be covered under this section:

• Chapter 1, Appreciating Traffic Analysis
• Chapter 2, Using Wireshark
• Chapter 3, Installing Wireshark
• Chapter 4, Exploring the Wireshark Interface
1
Appreciating Traffic Analysis
Today's networks are complex, and many times, when faced with issues, the only way you
can solve the problem is if you can see the problem. For that very reason, packet analysis,
using tools such as Wireshark, has been around for many years. In addition to manually
conducting packet analysis using Wireshark, today's devices incorporate the ability to
pull data from the network and examine its contents. This function helps the network
administrator to troubleshoot, test, baseline, and monitor the network for threats.
This chapter will help you to recognize the many benefits of using Wireshark for packet
analysis. You'll learn about its history as an exceptional open source software product,
which includes many rich features. You'll discover how various groups can benefit from
using packet analysis, such as network administrators, students, and security analysts. In
addition, we'll cover the many places in which to conduct packet analysis, including on
a Local Area Network (LAN), on a host, or in the real world. Finally, you'll learn how
Wireshark has the ability to decode hundreds of different protocols and is constantly
being improved, making it the optimal tool for monitoring the network.

In this chapter, we will address all of this by covering the following topics:

• Reviewing packet analysis
• Recognizing who benefits from using packet analysis
• Identifying where to use packet analysis
• Outlining when to use packet analysis
• Getting to know Wireshark

Reviewing packet analysis


Packet analysis examines packets to understand the characteristics and structure of
the traffic flow, either during a live capture or by using a previously captured file. The
analyst can complete packet analysis either by studying one packet at a time or by
examining the capture as a whole.
When monitoring the network for analysis, we capture traffic using specialized software
such as Wireshark or tshark. Once the data is captured and we save the file, the software
stores the data in a file that is commonly called a packet capture or PCAP file.
Packet analysis benefits many groups, including the following:

• Network administrators: Use packet analysis to gain information about current
network conditions.
• Security analysts: Use packet analysis to determine whether there is anything
unusual or suspicious about the traffic when carrying out a forensic investigation.
• Students: Use packet analysis as a learning tool to better understand the workings
of different protocols.
• Hackers: Use packet analysis to sniff network traffic while conducting footprinting
and reconnaissance in order to gain valuable information about the network.

We use packet analysis in many places, including on a LAN, on a host, or in the real world.
Additionally, we use packet analysis when troubleshooting latency issues, testing Internet
of Things (IoT) devices, and as a tool when baselining the network.
Today, packet analysis using Wireshark is a valuable skill. However, analyzing packets has
been around in the networking world for many years. As early as the 1990s, various tools
enabled analysts to carry out packet analysis on the network to troubleshoot errors and to
monitor server behavior. In the next section, we'll examine some of the early tools used to
monitor network activity.

Exploring early packet sniffers


Packet analysis has been around in some form for over 20 years as a diagnostic tool for
observing data and other information traveling across the network. Packet analysis is also
referred to as sniffing. The term refers to early packet sniffers, which sniffed or captured
traffic as it traveled across the network. In the 1990s, Novell, a software company,
developed the Novell LANalyzer, which had a graphical UI and dashboard to examine
network traffic. Concurrently, Microsoft introduced its Network Monitor.
Over the last 20 years, there have been many other packet analyzers and tools to sniff
traffic, including the following:

Table 1.1 – Packet analyzers and tools


Most packet analyzers work in a similar manner. They capture data and then decode the
raw bits in the field values according to the appropriate Request for Comments (RFC) or
other specifications. Once done, the data is presented in a meaningful fashion.
Packet analysis tools range in appearance and functionality, as follows:

• They provide simple text-based analysis, such as terminal-based
Wireshark (tshark).
• They deliver a rich graphical UI with advanced artificial intelligence (AI)-based
expert systems that guide the analyst through a more targeted evaluation.

In the next section, we'll take a look at the various devices that use packet analysis today.

Evaluating devices that use packet analysis


Packet analysis and traffic sniffing are used by many devices on the network, including
routers, switches, and firewall appliances. As data flows across the network, the devices
gather and interpret the packet's raw bits and examine the field values in each packet to
decide on what action should be taken.
Devices examine network traffic in the following manner:

• A router captures the traffic and examines the IP header to determine where to
send the traffic, as part of the routing process.
• An intrusion detection system (IDS) examines the traffic and alerts the network
administrator if there is any unusual or suspicious behavior.
• A firewall monitors all traffic and will drop any packets that are not in line with
the Access Control List (ACL).

For example, when data passes through a firewall, the device examines the traffic and
determines whether to allow or deny the packets according to the ACL.

Using an ACL
When using a firewall, an ACL governs the type of traffic that is allowed on the network.
For example, an ACL has the following entries:

• Allow outbound SYN packets. The destination port is 80.
• Allow inbound SYN-ACK packets. The source port is 80.

To decide whether to allow or deny a packet, the firewall must check each header as the
packet passes through the device. It examines values such as IP addresses, Transmission
Control Protocol (TCP) flags, and port numbers. If the packet does not match an ACL
entry, the firewall will drop the packet. As shown in the following diagram,
an inbound SYN packet with a destination port of 80 is blocked because it does not match
the rule:
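
The header check described above, as an added Python example that is not from the book: it decodes constructed IPv4/TCP headers and applies the two ACL entries with an implicit deny. The `Rule` and `Segment` classes, the helper names, and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as laid out in byte 13 of the TCP header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
HANDSHAKE_MASK = FIN | SYN | RST | ACK


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


@dataclass(frozen=True)
class Rule:
    direction: str              # "inbound" or "outbound", relative to the protected network
    flags: int                  # required value of the FIN/SYN/RST/ACK bits
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, direction: str, seg: Segment) -> bool:
        return (direction == self.direction
                and (seg.flags & HANDSHAKE_MASK) == self.flags
                and self.sport in (None, seg.sport)
                and self.dport in (None, seg.dport))


# The two entries from the text; anything else falls through to an implicit deny.
ACL = [
    Rule("outbound", SYN, dport=80),
    Rule("inbound", SYN | ACK, sport=80),
]


def parse_ipv4_tcp(raw: bytes) -> Segment:
    """Decode the IPv4 and TCP header fields the ACL needs; raise ValueError otherwise."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4   # IPv4 header length in bytes, options included
    if ihl < 20 or raw[9] != 6:
        raise ValueError("bad header length or not TCP")
    if struct.unpack("!H", raw[6:8])[0] & 0x1FFF:
        raise ValueError("non-initial fragment carries no TCP header")
    if len(raw) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Segment(str(ipaddress.IPv4Address(raw[12:16])),
                   str(ipaddress.IPv4Address(raw[16:20])),
                   sport, dport, raw[ihl + 13])


def evaluate(direction: str, raw: bytes) -> str:
    """Return "allow" if any ACL entry matches, otherwise "drop"."""
    try:
        seg = parse_ipv4_tcp(raw)
    except ValueError:
        return "drop"           # undecodable packets are never allowed
    return "allow" if any(r.matches(direction, seg) for r in ACL) else "drop"


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample input: minimal IPv4 + TCP headers, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp


if __name__ == "__main__":
    inside, outside = "192.0.2.10", "198.51.100.20"   # constructed addresses
    samples = [
        ("outbound", build_packet(inside, outside, 49152, 80, SYN)),
        ("inbound", build_packet(outside, inside, 80, 49152, SYN | ACK)),
        ("inbound", build_packet(outside, inside, 49152, 80, SYN)),
    ]
    for direction, raw in samples:
        seg = parse_ipv4_tcp(raw)
        print(f"{direction:8} {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} "
              f"flags=0x{seg.flags:02x} => {evaluate(direction, raw)}")
```

With only these two entries, the final ACK of the three-way handshake is also dropped, which is why practical rule sets add an entry for established traffic or rely on stateful inspection.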
Random documents with unrelated
content Scribd suggests to you:
evening prayers—that old and beautiful "Heil dir, Maria, Mutter
Gottes".... Oh, that time—that time.... [He weeps] Oh, damn it! I am
crying, I think!—Come to the Blue Dove to-night, Jacob There you'll
find Rhine wine and merry maidens! Jorghen will be there, too. He's
a man you should know.
JACOB. [Coldly and shrewdly] I—shall—come.
ERIC.Thank you, friend! [Rising] Really, the place has a look of
pawn-shop.
JACOB. [Sharply] That was just what I had in mind before.
ERIC.Well, then we agree to that extent at least. Until to-night, then!
Do you know Agda?
JACOB. [Brusquely] No!
ERIC.[Haughtily, giving him two fingers to shake, JACOB pretending
not to notice it] Farewell!—What became of those two little
pawnbrokers?

JACOB does not answer.

ERIC.[Arrogantly] Good-bye, then, Baruch!—Have you read the Book


of Baruch?

Going toward the background, he jingles the altar vessels as he


passes them.

"The ring of gold, and rattling dice,


And wine brings light to tipsy eyes.
But in the night that light must lack,
To wenches leads each crooked track."
That's a good one, isn't it? I made it myself!

[He goes out through the rear door.

HERMAN ISRAEL. [Enters from the right] Are you alone?


JACOB. Yes, father.
ISRAEL. I heard somebody speaking.
JACOB. That was the Heir Apparent.
ISRAEL. What did he want?
JACOB. I don't think he has the slightest idea of what he wants.
ISRAEL. Is he your friend?
JACOB. Yes, so he calls himself, but I am not his. Because he thinks
that he is honouring me with his friendship, he flatters himself with
the belief that I return it.
ISRAEL. You are frightfully wise for a young man of your age.
JACOB. Why, it's an axiom in the art of living, that you must not be
the friend of your enemy.
ISRAEL. Can he be made useful?
JACOB. Running errands, perhaps, provided you keep him
wholesomely ignorant of the matter at stake. Otherwise I don't think
I ever saw an heir apparent more useless than this one.
ISRAEL. Do you hate him?
JACOB. No, I pity him too much for that. He is more unfortunate than
he deserves. That he will end badly, seems pretty certain. It seems
clear to himself, too, and to such an extent that he appears anxious
to hasten the catastrophe.
ISRAEL. Listen, my son. I have long noticed that I can keep no
secrets from you, and so I think it is better for me to tell you
everything. Sit down and give me your attention while I walk back
and forth.... I can think only when I am walking....
JACOB. Talk away, father. I am thinking all the time.
ISRAEL. You have probably guessed that some great event is
preparing under the surface You have probably noticed that our free
city of Luebeck is fighting for its rights here in the North. I speak of
rights, because we have the right of the pioneer who has broken
new roads—roads of trade in this case—to demand compensation
and profit from the country on which he has spent his energy. We
have taught these people to employ their natural products and to
exchange them with profit; and we have set Sweden free. Having
used us, they wish now to cast us aside. That's always the way: use
—and cast aside! But there are greater and more powerful interests
than those of trade that should compel the North to join hands with
the free cities. The Emperor and the Pope are one. Our free cities
made themselves independent first of the Emperor and then of the
Pope. Now, when this country has been helped by us and its great
King to do the same, we must, willy-nilly, remain allies against the
common enemy. And until quite recently we did stick together. Then
an evil spirit seemed to take possession of this Vasa. Whether misled
by pride or fatigue, he wishes now to enter a path that must lead us
all to disaster.
JACOB.Wait a little.—All of us, you say? You had better say "us of
Luebeck," for the Swedes will gain by entering that path.
ISRAEL. Are you on their side?
JACOB. No, I am not. But I can perfectly well see where their
advantage lies. And I beg you, father, don't try to fight against Vasa,
for he is guided by the hand of the Lord! Have you not recognised
that already?
ISRAEL.I wonder how I could be such a fool as to give my confidence
to one still in his nonage!
JACOB. It won't hurt you to have your plans discussed from another
point of view than your own while there is still time to correct them.
And you know, of course, that you can rely on me. Go on, now!
ISRAEL. No, I can't now.
JACOB. The pen won't write when its point has been broken. If you
will not get angry, I can tell you a little more myself.
MARCUS. [Enters] The one you have been waiting for is outside, sir.
JACOB. I suppose it is John Andersson.
ISRAEL. Let him wait. [Motions MARCUS out of the room; then to
Jacob] Do you know him, too?
JACOB. I have never seen him, but now I can figure out who he is.
ISRAEL. [Astounded] You can figure it out, you say?
JACOB. I merely add one thing to another. Now, when the
Dalecarlians have been squelched, a new beginning will have to be
made with the good folk of Småland.
ISRAEL. Of Småland, you say?
JACOB. Yes, I understand that this John Andersson is from Småland. I
don't think his name is John Andersson, however, but—[in a lower
voice] Nils Dacke![4]
ISRAEL. Have you been spying?
JACOB. No, I merely listen, and look, and add together.
ISRAEL. Well, you have made a false calculation this time.
JACOB. Thus you tell me that there are two persons concerned in the
matter, and that Nils Dacke is the silent partner who will not appear
until the war has begun.
ISRAEL. I am afraid of you.
JACOB. You shouldn't be, father. I dare not do anything wrong,
because then I am always made to suffer.
ISRAEL. Do you think I am doing anything wrong?
JACOB.You are more likely than I to do so, because, like Prince Eric,
you believe in nothing.
ISRAEL. And such a thing I must hear from my own child!
JACOB. It is better than to hear it from other people's children—later
on.
MARCUS. [Enters] Two Dalecarlians ask to see you.
ISRAEL. Tell them to wait.

MARCUS goes out.

JACOB. They'll pay for it with their heads.


ISRAEL. Who are they, then?
JACOB.Anders Persson of Rankhyttan and Mons Nilsson of Aspeboda,
who have tried in vain to get an audience with the King, and who
are now moved by their futile anger to turn to you for revenge.
ISRAEL. So you know that, too?
JACOB.Without wishing to show you any disrespect, father—how can
a man of your age believe that secrets exist?
ISRAEL. Time has run away from me. I don't know any longer where
I stand.
JACOB. Now you speak the truth! And I don't think that you estimate
the results of your venture correctly.
ISRAEL. That will appear in due time. But now you must go, for even
if you know of my venture, you must not become involved in it.
JACOB. I shall obey, but you must listen to me.
ISRAEL. No, you must listen to me! Tell Marcus that I shall expect my
visitors in the hall of state. You stay here with David and pack all
valuables into boxes ready to be sent southward.
JACOB. Father!
ISRAEL. Silence!
JACOB. One word: don't rely on me if you should do anything wrong!
ISRAEL.There is one thing you may rely on; that, having power of life
and death in this house, I shall see that every traitor is tried and
executed, whether he be my own son or no. First comes my country,
then my family; but first and last—my Arty! [He puts his hand on his
sword] And now—go!
Curtain.

SECOND SCENE

A large room in the Blue Dove Inn. Wainscotted walls, with


tankards and jugs ranged along the shelf above the panels.
Benches fastened to the walls and covered with cushions and
draperies. In the background, a corner-stand with potted
flowers and bird-cages. Sconces containing wax candles are
hung on the walls; candelabra stand on a table that also
contains bowls of fruit, beakers, goblets, tumblers, dice,
playing-cards, and a lute.
It is night. PRINCE ERIC and JORGHEN PERSSON are seated at the
table. They are looking pale and tired, and have ceased
drinking.

ERIC. You want to go to sleep, Jorghen, and I prefer to dream while


still awake. To go to bed is to me like dying: to be swathed in linen
sheets and stretch out in a long bed like a coffin. And then the
corpse has the trouble of washing itself and reading its own burial
service.
JORGHEN. Are you afraid of death, Prince?
ERIC. As the children are afraid of going to bed, and I am sure I'll cry
like a child when my turn comes. If I only knew what death is!
JORGHEN.Some call it a sleep, and others an awakening, but no one
knows anything with certainty.
ERIC.How could we possibly know anything of that other life, when
we know so little of this one?
JORGHEN. Yes, what is life?
ERIC. One large madhouse, it seems to me! Think of my sane and
shrewd and sensible father—doesn't he act like a madman? He rids
the country of foreigners and takes the heads of those that helped
him. He rids the country of foreigners only to drag in a lot of others,
like Peutinger and Norman,[5] whom he puts above the lords of the
realm and all other authorities. He is mad, of course!—He rids the
Church of human inventions only to demand the acceptance of new
inventions at the penalty of death. This liberator is the greatest
tyrant that ever lived, and yet this tyrant is the greatest liberator
that ever lived! This evening, you know, he wanted to prohibit me
from coming here; and when I insisted on going all the same, he
threw his Hungarian war-hammer after me, as if he had been the
god Thor chasing the trolls. He came within an inch of killing me,
just as it is said—which you may not have heard—that he killed my
mother.
JORGHEN. [Becoming attentive] No, I never heard of that.
ERIC. That's what they say. And I can understand it. There is
greatness in it. To feel raised above all human considerations; to kill
whatever stands in the way? and trample everything else....
Sometimes, you know, when I see him coming in his big, soft hat
and his blue cloak, using his boar-spear in place of a stick, I think he
is Odin himself. When he is angry, the people say that they can hear
him from the top story down to the cellars, and that the sound of it
is like thunder. But I am not afraid of him, and that's why he hates
me. At the same time he has a great deal of respect for me.
[JORGHEN smiles sceptically] Yes, you may smile! That's only because
you have no respect for anything; not, even for yourself.
JORGHEN. That least of all.
ERIC. Are you really such a beast?
JORGHEN. That's what every one thinks me, so I suppose I must
believe it.
ERIC.[Returning to his previous idea] And.... There is a thought that
pursues me.... He looks like old Odin, I said: Odin who has returned
to despoil the temples of the Christians just as they once robbed his
temples.... You should have seen them weighing and counting
church treasures at Herman Israel's yesterday. It was ghastly!... And
do you know, he is lucky in everything he undertakes. There is
favourable wind whenever he goes sailing; the fish bite whenever he
goes fishing; he wins whenever he gambles. They say that he was
born with a caul....
JORGHEN. A most unusual man.
ERIC. Do you know young Jacob, the son of Herman Israel? He
promised to come here to-night. Rather precocious, perhaps, but
with sensible ideas on certain subjects—and I think I admire some of
his qualities because I lack them myself.
JORGHEN. Is that so?
ERIC. Otherwise he is probably a perfect rascal like his father.
JORGHEN. Then I shall be pleased to make his acquaintance.
ERIC. Because he is a rascal?—Ha-ha!
JORGHEN. In spite of it!
AGDA. [Enters from the left] Did you call me, Prince?
ERIC. No, but you are always welcome. Sit down here.
AGDA. The honour is too great for me.
ERIC. Of course, it is!
AGDA. And so I leave—to save my honour.
ERIC. Dare you sting, you gnat?
AGDA. That's your fancy only. I am too sensible and humble to hurt
the feelings of a great lord like yourself, my Prince.
ERIC. Very good! Very good, indeed! Come here and talk to me a
little more.
AGDA. If your lordship commands, I must talk, of course, but....
ERIC. Give me the love that I have begged for so long!
AGDA. What one does not have one cannot give away.
ERIC. Alas!
AGDA. Not loving your lordship, I cannot give you any love.
ERIC. Diantre!—Give me your favour, then!
AGDA. Favours are not given away, but sold.
ERIC. Listen to that! It is as if I heard my wise Jacob himself
philosophising. [To JORGHEN] Did you ever hear anything like it?
JORGHEN. All wenches learn that kind of patter from their lovers.
ERIC. Don't talk like that! This girl has won my heart.
JORGHEN. And some one else has won hers.
ERIC. How do you know?
JORGHEN. You can hear it at once, even though the proofs be not
visible.
ERIC. Do you believe in love?
JORGHEN. In its existence, yes, but not in its duration.
ERIC. Do you know how a woman's love is to be won?
JORGHEN. All that's necessary is to be "the right one." If you are not,
your case is hopeless.
ERIC. That's a riddle.
JORGHEN. One of the greatest.
ERIC. Who do you think can be my rival?
JORGHEN. Some clerk, or pikeman, or rich horsemonger.
ERIC.And I who am not afraid of tossing my handkerchief to the
proud virgin-queen that rules Britannia!
JORGHEN. Yet it's true.
ERIC. Perhaps Agda is too modest—and does not dare to believe in
the sincerity of my feelings?
JORGHEN. I don't believe anything of the kind.

A noise is heard outside the door in the rear.

PRINCE JOHAN [Enters] I hope my dear brother will pardon my


intrusion at this late hour, but I have been sent by our father out of
fond concern for my dear brother's....
ERIC.Be quick and brief, Jöns, or sit down and use a beaker as
punctuation mark! The sum of it is: the old man wants me to come
home and go to bed. Reply: the Heir Apparent decides for himself
when he is to sleep.
JOHAN. I shall not convey such a reply, especially as my dear
brother's disobedience may have serious results in this case.
ERIC. Won't you sit down and drink a goblet, Duke?
JOHAN. Thank you, Prince, but I don't wish to cause my father
sorrow.
ERIC. How dreadfully serious that sounds!
JOHAN. It is serious. Our father has new and greater worries to face
because disturbances have been reported from the southern
provinces, especially from Småland.... And as it is possible that the
King may have to leave his capital, he looks to the Heir Apparent for
assistance in the administration of the government.
ERIC. Half of which is nothing but lies, of course—and then there are
such a lot of people governing already. Go in peace, my brother. I
shall come when I come.
JOHAN.My duty is done, and all I regret is being unable to gain more
of my brother's ear; of his heart I possess no part at all! [He goes
out.
ERIC. [To JORGHEN] Can you make anything out of that boy?
JORGHEN. I can't.
ERIC. I wonder if he believes in his own preachings?
JORGHEN. That is just the worst of it. Ordinary rascals like you and
me, who don't believe in anything, can't get words of that kind over
their lips; and for that reason we can never deceive anybody.
ERIC. You are a beast, Jorghen.
JORGHEN. Of course, I am.
ERIC. Is there nothing good in you at all?
JORGHEN. Not a trace! And besides—what is good? [Pause] My
mother was always saying that I should end on the gallows. Do you
think one's destiny is predetermined?
ERIC.That's what Master Dionysius asserts—the Calvinist who uses
Holy Writ to prove that the dispensation of grace is not at all
dependent on man.
JORGHEN. Come on with the gallows then! That's the grace dispensed
to me.
ERIC. That fellow Jacob says always that I was born to misfortune,
and that's what father says, too, when he gets angry. What do you
think my end will be?
JORGHEN. Was it not Saint Augustine who said that he who has been
coined into a groat can never become a ducat?
ERIC. That's right. But I don't think we have drunk enough to make
us start any theological disputes. Here we have been disputing for a
lifetime now, and every prophet has been fighting all the rest. Luther
has refuted Augustine, Calvin has refuted Luther, Zwingli has refuted
Calvin, and John of Leyden has refuted all of them. So we know now
just where we stand!
JORGHEN. Yes, it's nothing but humbug, and if it were not for that
kind of humbug, I should never have been born.
ERIC. What do you mean?
JORGHEN. Oh, you know perfectly well that my father was a monk
who went off and got married when they closed the monasteries. It
means that I'm a product of perjury and incest, as my father broke
his oath and established an illicit relationship like any unclean sheep.
ERIC. You are a beast, Jorghen!
JORGHEN. Have I ever denied it?
ERIC. No, but there are limits....
JORGHEN. Where?
ERIC.Here and there! A certain innate sense of propriety generally
suggests the—approximate limits.
JORGHEN. Are you dreaming again, you dreamer?
ERIC. Take care! There are limits even to friendship....
JORGHEN. No, mine is limitless!

JACOB is shown into the room by AGDA, whose hand he presses.

ERIC.[Rising] There you are at last, Jacob! You have kept me waiting
a long time, and just now I was longing for you.
JACOB. Pardon me, Prince, but my thoughts were so heavy that I did
not wish to bring them into a merry gathering.
ERIC. Yes, we are devilishly merry, Jorghen and I! This is Jorghen
Persson, you see—my secretary, and a very enlightened and clever
man, but a perfect rascal otherwise, as you can judge from his
horrible looks and treacherous eyes.
JORGHEN. At your service, my dear sir!
ERIC. Sit down and philosophise with us, Jacob. Of course, I
promised you pretty maidens, but we have only one here, and she is
engaged.
JACOB. [Startled] What do you mean by—engaged?
ERIC.That she has bestowed her heart on somebody, so that you
may save yourself the trouble of searching her bosom for it.
JACOB. Are you talking of Agda?
ERIC. Do you know Agda the Chaste, who has told us that she would
sell her favours, but never give them away?
AGDA. My God, I never, never meant anything of the kind!
JACOB. No, she cannot possibly have meant it that way.
ERIC. She has said it.
JACOB. It must be a lie.
ERIC. [His hand on his sword-hilt] The devil, you say!
JORGHEN. A tavern brawl of the finest water! The words have been
given almost correctly, but they were not understood as they were
meant.
ERIC. Do you dare to takes sides against me, you rascal?
JORGHEN. Listen, friends....
ERIC. With a hussy against your master....
JACOB. She's no hussy!
AGDA. Thank you, Jacob! Please tell them everything....
ERIC.Oh, there is something to tell, then? Well, well! [To JORGHEN]
And you must needs appear as the defender of innocence!

He makes a lunge at JORGHEN, who barely manages to get out


of the way.

JORGHEN.Why the deuce must you always come poking after me


when somebody else has made a fool of himself? Stop it, damn you!
ERIC. [To JACOB] So this is my rival! Ha-ha-ha! A fellow like you!
Ventre-saint-gris!
He loses all control of himself and finally sinks on a chair, seized
with an epileptic fit.

JACOB. Once you honoured me with your friendship, Prince, for which
I could only give you pity in return. As I did not wish to be false, I
asked you to let me go....
ERIC. [Leaping to his feet] Go to the devil!
JACOB. Yes, I am going, but first you must hear what I and Agda
have in common—something you can never understand, as you
understand nothing but hatred, and for that reason never can win
love....
ERIC.Diantre! And I who can have the virgin-queen, the proud
maiden of Britannia, at my feet any time I care ha-ha, ha-ha!
JACOB. King David had five hundred proud maidens, but for
happiness he turned to his humble servant's only wife....
ERIC. Must I hear more of that sort of thing?
JACOB. A great deal more!
ERIC. [Rushing at JACOB] Die, then!

The guard enters by the rear door.

CAPTAIN OF THE GUARD [An old, white-bearded man]. Your sword, if


you please, Prince Eric!
ERIC. What is this?
CAPTAIN. [Handing ERIC a document] The King's order. You are under
arrest....
ERIC. Go to the devil, old Stenbock!
CAPTAIN. That's not a princely answer to a royal command!
ERIC. Yes, talk away!
CAPTAIN. [Goes up to ERIC and forests the sword out of his hand;
then he turns him over to the guard] Away with him! And put him in
the tower! That's order number one! [ERIC is led toward the door]
Then comes number two—Mr. Secretary! [To the guard] Put on the
handcuffs! And then—to the Green Vault with him! To-morrow at
cockcrow—ten strokes of the rod!
JORGHEN. [As he is seized by the guard] Must I be spanked because
he won't go to bed?
ERIC. Do you dare to lay hands on the Heir Apparent? 'Sdeath!
CAPTAIN. God is still alive, and so is the King!—March on!——

ERIC and JORGHEN are led out by the guard.

CAPTAIN. [To AGDA] And now you'll close your drink-shop. That's the
final word. And as there is no question about it, you need not make
any answer.

He goes out after the guard and the prisoners.

JACOB. Always this titanic hand that is never seen and always felt!
Now it has been thrust out of a cloud to alter our humble fates. The
liberator of the country has descended during the darkness of night
to set my little bird free.—Will you take flight with me?
AGDA. Yes, with you—and far away!
JACOB. But where?
AGDA. The world is wide!
JACOB. Come, then!
Curtain.
[1] A subterranean vault in the Royal Palace at Stockholm used by
the thrifty King Gustavus for the storing of gold and silver and
other valuables. Compare the warning of Nils Söderby to Mons
Nilsson's wife in the first act: "Look out for the silver—the King is
coming."
[2] The first wife of Gustavus was the Princess Catherine of Saxe-
Lauenburg, whom he married in 1531, and who died in 1535. She
was of a very peculiar temperament and caused much trouble
between the King and his relatives by her reckless talk. Prince Eric
was born in 1533.
[3] This is an excellent illustration of the freedom taken by
Strindberg in regard to the actual chronology of the historical
facts he is using. Eric was little more than a year old when his
mother died. Strindberg knew perfectly well what he was doing,
his reason being that the motive ascribed to Eric's hatred of his
father strengthens the dramatic quality of the play in a very high
degree.
[4] A peasant chieftain, who headed the most dangerous rebellion
Gustavus had to contend with during his entire reign. The
southern province of Småland had for years been the scene of
peasant disturbances when, in 1541, Dacke took command of the
scattered flocks and merged them into an army which defied the
King's troops for nearly two years. Dacke was as able as he was
ambitious. He was in communication with the German Emperor
and other foreign enemies of Gustavus, and on one occasion the
latter had actually to enter into negotiations with the rebel. In
accordance with his invariable custom, Gustavus did not rely on
hired soldiery, but turned to the people of the other provinces,
explaining and appealing to them with such success that a
sufficient army was raised and Dacke beaten and killed in 1543.
[5] In his effort to reorganise the country and its administration
on a businesslike basis, Gustavus turned first to Swedes like
Olavus Petri and Laurentius Andreæ, his first chancellor. But these
were as independent of mind as he was himself, and there was
not a sufficient number of them. Then Gustavus turned to
Germany, whence a host of adventurers as well as able, honest
men swarmed into the country. The two best known and most
trusted of these foreigners were Georg Norman, who rendered
valuable services in organising the civil administration, and Conrad
von Pyhy, said to be a plain charlatan named Peutinger, who was
made Chancellor of the Realm.
ACT III
The King's study. The background consists almost wholly of
large windows, some of which have panes of stained glass.
Several of the windows are open, and through these may be
seen trees in the first green of spring. Mast tops with flying
flags, and church spires are visible above the tops of the trees.
Beneath the windows are benches set in the walls. Their seats
are covered by many-coloured cushions.
At the right, a huge open fireplace, richly decorated. The
recently adopted national coat of arms appears on the
mantelpiece. A door on the same side leads to the waiting-
room.
A chair of state with canopy occupies the centre of the left wall.
In front of it stands a long oak table covered with green cloth.
On the table are a folio Bible, an inkstand, candlesticks, a war-
hammer, and a number of other things. A door on the same
side, nearer the background, leads to the royal apartments.
The floor is covered with animal skins and rugs.
The walls display paintings of Old Testament subjects. The most
conspicuous of these represents "The Lord appearing unto
Abraham in the plains of Mamre." The picture of Abraham bears
a strong resemblance to the King.
An Arabian water-bottle of clay and a silver cup stand on a small
cabinet.
Near the door at the right hang a long and wide blue cloak and
a big black felt hat. A short boar-spear is leaned against the
wall.
The KING, lost in thought, stands by one of the open windows
where the full sunlight pours over him. He has on a black dress
of Spanish cut, with yellow linings that show in the seams and
through a number of slits. Over his shoulders is thrown a short
cloak trimmed with sable. His hair is blond, and his tremendous
beard, reaching almost to his waist, is still lighter in colour.
The QUEEN enters from the left. She wears a yellow dress with
black trimmings.

KING. [Kissing her brow] Good morrow, my rose!


QUEEN. A splendid morning!
KING. The first spring day after a long winter.
QUEEN. Is my King in a gracious mood to-day?
KING.My graciousness is not dependent on weather or wind.—Go on
now! Is it a question of Eric?
QUEEN. It is.
KING. Well, he has my good grace once more after having slept
himself sober in the tower. And Jorghen comes next, I suppose?
QUEEN. Yes.
KING. He, on the other hand, will not have my good grace until he
reforms.
QUEEN. But....
KING. He is bad through and through, and he is spoiling Eric.
Whatever may be the cause of his badness, I cannot dispose of it,
but I can check the effects. Have you any more protégés of the
same kind?
QUEEN. I won't say anything more now.
KING. Then we can talk of something else. How is my mother-in-law?
QUEEN. Oh, you know.
KING. And Johan? Where is Johan?
QUEEN. He is not far away.
KING. I wish he were still nearer—nearer to me—so near that he
could succeed me when the time comes.
QUEEN. It is not right to think like that, and still less to talk like that,
when a higher Providence has already decided in favour of Prince
Eric.
KING. Well, I can't tell whether it was vanity that fooled me into
looking for a foreign princess or wisdom that kept me away from the
homes of our Swedish nobility—one hardly ever knows what one is
doing.
QUEEN. That's true.
KING. But the fact that I became the brother-in-law of the Danish
king helped the country to get peace, and so nobody has any right
to complain.
QUEEN. The country first!
KING. The country first and last. That's why Eric must be married.
QUEEN. Do you really think he has any hopes with the English queen?
KING. I don't know, but we must find out—that is, without risking the
honour of the country. It is not impossible. We have had a British
princess on the throne before.
QUEEN. Who was that?
KING. Don't you know that Queen Philippa was a daughter of King
Henry IV?[1]
QUEEN. No, I didn't know that.
KING. Then I suppose you don't know, either, that the Folkungs were
among your ancestors, and that you are also descended from King
Waldemar, the Conqueror of Denmark?[2]
QUEEN. No, no! I thought the bloody tale of the Folkungs was ended
long ago.
KING. Let us hope it is! But your maternal ancestor was nevertheless
a daughter of Eric Ploughpenny of Denmark and had a son with her
brother-in-law, King Waldemar of Sweden, the son of Earl Birger....
QUEEN. Why do you tell me all these dreadful stories?
KING. I thought it might amuse you to know that you have royal
blood in your veins, while I have peasant blood. You are too modest,
Margaret, and I wish to see you exalted—so high that that fool Eric
will be forced to respect you.
QUEEN. To have sprung from a crime should make one more modest.
KING. Well, that's enough about that. Was there anything else?

The QUEEN hesitates.

KING. You are thinking of Anders Persson and Mons Nilsson, but I
won't let you talk of them.

The QUEEN kneels before him.

KING. Please, get up! [As she remains on her knees] Then I must
leave you. [He goes out to the left.

PRINCE ERIC enters from the right; he is pale and unkempt, and
his face retains evidence of the night's carouse.
The QUEEN rises, frightened.

ERIC. Did I scare you?
QUEEN. Not exactly.
ERIC. I can take myself out of the way. I was only looking for a glass
of water.

He goes to the water-bottle, fills a cup full of water and gulps it
down; then another, and still another.

QUEEN. Are you sick?
ERIC. [Impertinently] Only a little leaky.
QUEEN. What do you mean?
ERIC. Well, dry, if you please. The more wine you drink, the dryer
gets your throat. The wetter, the dryer—that's madness, like
everything else.
QUEEN. Why do you hate me?
ERIC. [Cynically] Because I am not allowed to love you. [In the
meantime he continues to pour down one glass of water after the
other] You must not be in love with your step-mother and yet you
must love her: that's madness, too.
QUEEN. Why do you call me stepmother?
ERIC. Because that's the word, and that's what you are. Is that clear?
If it is, then that isn't madness at least.
QUEEN. You have the tongue of a viper.
ERIC. And the reason, too.
QUEEN. But no heart!
ERIC. What could I do with it? Throw it at the feet of the women to
be defiled by them?—My heart lies buried in my mother's coffin in
the vault of the Upsala cathedral. I was only four years old when it
was put there, but there it lies with her, and they tell me there was a
hole in her head as if she had been struck by the hammer of Thor—
which I did not see, however. When I asked to see my mother for
the last time at the burial, they had already screwed on the coffin
lid. Well, there lies my heart—the only one I ever had. What have
you to do with my entrails, for that matter? Or with my feelings?—
Look out for my reason; that's all! I grasp your thoughts before you
have squeezed them out of yourself. I understand perfectly that you
would like to see the crown placed on the red hair of that red devil
whom you call son, and whom I must needs call brother. He insists
that he has more ancestors than I, and that he is descended from
Danish kings. If that's so, he has a lot of fine relatives. Eric
Ploughpenny had his head cut off. Abel killed his brother and was
killed in turn. Christoffer was poisoned. Eric the Blinking was stuck
like a pig.—I have no elegant relatives like those, but if heredity
counts, I must keep an eye on my dear brother.
QUEEN. Nobody can talk of anything but blood and poison to-day.
The sun must have risen on the wrong side this fine morning!
ERIC. The sun is a deceiver; don't trust it. Blood will be shed in this
place before nightfall. Eric and Abel were the names of those elegant
relatives; not Cain and Abel! And that time it was Abel who killed
Cain—no, Eric, I mean! That's a fine omen to start with! Eric was
killed! Poor Eric!
QUEEN. Alas, alas!
ERIC. But it is of no use to take any stock in superstition, as I
entered this vale of misery with my fist full of blood.
QUEEN. Now you do scare me!
ERIC. [Laughing] That's more than Jorghen would believe—that I
could scare anybody.
QUEEN. What blood is to be shed here to-day?
ERIC. I am not sure, but it is said that those Dalecarlians will have
their heads cut off.
QUEEN. Can it not be prevented?
ERIC. If it is to be, it cannot be prevented, but must come as thunder
must come after lightning. And besides, what does it matter? Heads
are dropping off here like ripe apples.

The KING enters reading a document. The QUEEN meets him with
a supplicating look.

KING. [Hotly] If you have any faith in me at all, Margaret, cease your
efforts to judge in matters of state. I have been investigating for two
years without being able to make up my mind. How can you, then,
hope to grasp this matter?—Go in to the children now. I have a word
to say to Eric!

The QUEEN goes out.

KING. If you could see yourself as you are now, Eric, you would
despise yourself!
ERIC. So I do anyhow!
KING. Nothing but talk! If you did despise yourself, you would change
your ways.
ERIC. I cannot make myself over.
KING. Have you ever tried?
ERIC. I have.
KING. Then your bad company must counteract your good intentions.
ERIC. Jorghen is no worse than anybody else, but he has the merit of
knowing himself no better than the rest.
KING. Do you bear in mind that you are to be king some time?
ERIC. Once I am king, the old slips will be forgotten.
KING. There you are mistaken again. I am still paying for old slips.
However, if you are not willing to obey me as a son, you must obey
me as a subordinate.
ERIC. The Heir Apparent is no subject!
KING. That's why I used the word "subordinate." And all are
subordinate to the King.
ERIC. Must I obey blindly?
KING. As long as you are blind, you must obey blindly. When you get
your sight, you will obey with open eyes. But obey you must!—Wait
only till you have begun to command, and you will soon see how
much more difficult that is, and how much more burdensome.
ERIC. [Pertly] Pooh!
KING. [Angrily] Idiot!—Go and wash the dirt off yourself, and see that
your hair is combed. And rinse that filthy mouth of yours first of all,
so that you don't stink up my rooms. Go now—or I'll give you a
week in the tower to sober up. And if that should not be enough, I'll
take off your ears, so that you can never wear a crown. Are those
words plain enough?
ERIC. The law of succession....
KING. I make laws of that kind to suit myself! Do you understand
now?—That's all!—Away!

PRINCE ERIC goes out.

COURTIER. [Enters from the right] Herman Israel, Councillor of Luebeck!
KING. Let him come.

The COURTIER goes out. HERMAN ISRAEL enters shortly afterward.

KING. [Meets him and shakes his hand; then he puts his arm about
his neck and leads him across the floor in that manner] Good day,
my dear old friend, and welcome! Sit down, sit down! [He seats
himself on the chair of state, and ISRAEL sits down across the table]
So you have just come from Dalecarlia?
ISRAEL. That's where I was lately.
KING. I was there, too, as you know, to straighten out the mess left
after the False Sture and the fight about the bells, but you stayed on
when I left.—Did you keep an eye on Master Olavus Petri? What sort
of a man has he turned out? Can I trust him?
ISRAEL. Absolutely! He is not only the most faithful, but the cleverest
negotiator I have seen.
KING. Really, Herman? I am glad to hear that. Do you really think so,
Herman? Well, you know the old affair between him and me, and
how that was settled. But it was settled!—So much for that. Let us
talk of our affairs now.
ISRAEL. As you say. But let us keep our words as well as actions
under control.
KING. [Playing with the war-hammer] All right! Control yours as much
as you please.
ISRAEL. [Pointing at the hammer] For the sake of old friendship and
good faith, can't we put that away?
KING. Ha-ha! With pleasure, if you are afraid of it, Herman!—Go on
now! But cut it short!
ISRAEL. Then I'll start at the end. The country's debt to Luebeck has
been paid, and we are about to part.
KING. That sounds like writing! However, we shall part as friends.
ISRAEL. As allies rather....
KING. So that's what you are aiming at, Israel?—No, I have had
enough of dependence.
ISRAEL. Listen, your Highness, or Majesty, or whatever I am to call
you....
KING. Call me Gustav, as you used to do when I called you father.
ISRAEL. Well, my son, there are many things that drive us apart—
many, indeed—but there is one thing that keeps us together: our
common, legitimate opposition to the Emperor....
KING. Right you are! And that's the reason why we can rely on each
other without any written treaties.
ISRAEL. You forget one thing, my son: that I am a merchant....
KING. And I the customer. Have you been paid?
ISRAEL. Paid? Yes.... But there are things that cannot be paid in
money....
KING. It is for me to speak of the gratitude I owe you and the free
city of Luebeck ever since the day I first came to you—a young man
who thought himself deserted by God, and who knew himself
deserted by all humanity. Be satisfied to find my gratitude expressed
in the friendly feelings I harbour and show toward you. A debt like
that cannot be paid in money, and still less in treaties.—Why do you
want any treaties? In order to tie me and the country for a future of
uncertain duration?—Don't force me to become ungrateful, Herman!
On my soul, I have enough as it is to burden me—far too much!
ISRAEL. What is weighing on you, my son?
KING. This.... Oh, will you believe me, Herman, old friend, that
I never form a decision or pass a judgment without having turned to
the Eternal and Almighty Lord for advice? When, after fasting,
prayer, and meditation, I have got the answer from above that I was
asking for, then I strike gladly, even if it be my own heart-roots that
must be cut off. But you remember Master John.... John, the old
friend of my youth, who assisted me in that first bout with Christian?
He changed heart and incited the Dalecarlians to rise against me.
His head had to fall, and it did fall! [Rising] Since that day my peace
is gone. My nearest and dearest don't look at me in the same way
they used to do. My own wife, my beloved Margaret.... She turns
away from me when I want to kiss her pure brow, and can you
imagine? Yesterday, at the dinner-table, she kept looking at my hand
as if she had seen blood on it!—I don't regret what I did. I have no
right to regret it. I was right—by God, I was right! But nevertheless
—my peace is gone!
ISRAEL. [Pensively] Those feelings are an honour to your heart, my
son, and I must admit that I didn't think you quite as sensitive....
KING. Never mind! It was not meant as a boast. But now I find
myself in the same situation again. Tell me, Herman, what you think
of Anders Persson and Mons Nilsson.
ISRAEL. [Disturbed] Will my opinion have any influence on their fate,
or have you already made up your mind?
KING. I am still in doubts, as you ought to know.
ISRAEL. Then I must ask permission to remain silent.
KING. Are you my friend?
ISRAEL. Yes, up to a certain point. But you must not trust me too far,
as I am not my own master and have no right to give away what is
not mine.
KING. Fie on such astuteness!
ISRAEL. You should get some of it yourself!
KING. I'll try.—First of all you must give me a final receipt for the
country's paid-up debt.
ISRAEL. I don't carry such documents with me, and the receipt has to
be signed by the Council in regular session.
KING. [Smiting the table with the hammer] Herman!
ISRAEL. Please put that thing away!
KING. I can see that you wish to lead me where I don't want to go.
You have some purpose in mind that I can't make out. Speak out,
old man, or you'll have me in a rage! You want to coax me into
signing some kind of paper. What is it?
ISRAEL. Nothing but a treaty providing for mutual friendship and
mutual trade. That's all!
KING. And that I will never sign! I know all about Luebeck's
friendship as well as its trade. Talk of something else!
ISRAEL. I have nothing else to talk of. Why don't you believe me?
KING. Because you lie!
ISRAEL. Because you are unfortunate enough to think that I lie, you
will never know the truth.
KING. Yes, unfortunate, indeed—as unfortunate as a man can be, for
I have not a single friend.
ISRAEL. It hurts me to hear you talk like that, Gustav, and—and it
makes me sad to see that your greatness and your exalted office
have brought you so little true happiness. I shall say nothing more
about gratitude, because the idea of it is too vague in human minds,
but I have loved you like a son ever since that hour when the Lord
of Hosts put your fate in my hands. I have followed your brilliant
course as if it had been my own. I have joyed over your successes,
and I have sorrowed over your sorrows.... Frequently my duties
toward my own people have kept me from lending you a helping
hand. Frequently, too, your own hardness has stood between us. But
now, when I behold you so deeply crushed, and when you have
treated me with a confidence that I may well call filial, I shall forget
for a moment that I am your enemy—which I must be as a man of
Luebeck, while as Herman Israel I am your friend. I shall forget that
I am a merchant, and—[Pause] I hope that I may never regret it—
[Pause] and—and.... Do you know John Andersson?
KING. I don't.
ISRAEL. But I do, and I know Anders Persson and Mons Nilsson, too!
They called on me yesterday, and—to-morrow the southern
provinces will rise in rebellion!
KING. So that's what was coming? Oh! Who is John Andersson?
ISRAEL. Hard to tell. But back of his face appears another one that
looks like the devil's own. Have you heard the name of Dacke?
KING. Yes, but only in a sort of dream. Dacke?—Dacke?—It sounds
like the cawing of a jackdaw.—Who is he?
ISRAEL. Nobody knows. It is the name of one invisible, whom all
know and none have seen. But that name has been seen on a letter
signed by—the Emperor.
KING. The Emperor?
ISRAEL. The Emperor of the Holy Roman and German Empire!
KING. Fairy-tales!
ISRAEL. You won't believe me? Investigate!
KING. I believe you and I thank you!—You say that Anders Persson
and Mons Nilsson have been plotting with the rebels right here in my
own city?
ISRAEL. As surely as I have ears to hear with.
KING. My God! My God!—Then I know what to do with them! Two
years of struggle with myself and my conscience, and at last I know
what to do with them! At last!
COURTIER. [Bringing in JACOB ISRAEL] Jacob Israel of Luebeck!
KING. Who dares to disturb me?
JACOB. [Throwing himself at the KING'S feet without noticing his
father] My noble King, an humble youth has ventured to disturb you
because your life is at stake!
KING. Speak up! What more? Who are you?
JACOB. I am Jacob Israel, your Highness.
KING. [To ISRAEL] It's your Jacob, is it not?

JACOB is thunderstruck at the sight of his father.

ISRAEL. It's my boy.
KING. What do you want? Speak quickly, or away with you!

JACOB does not answer.

KING. Who is after my life? If you mean John Andersson or Dacke, I
know it already.—For the sake of your good intention and your
youth, but particularly for the sake of your father, I shall forgive you.
ISRAEL. But I have no right to forgive so quickly.—You came here to
accuse your father? Answer me yes or no.
JACOB. Yes!
ISRAEL. Go then, and take my curse with you!