Presentation is loading. Please wait.

Presentation is loading. Please wait.

EFFECTIVELY TEACHING WITH WIRESHARK LAURA CHAPPELL EFFECTIVELY TEACHING WITH WIRESHARK LAURA CHAPPELL CHAPPELLU.COM WIRESHARKTRAINING.COM.

Published byAlexander Daniel Modified over 8 years ago

Similar presentations

Presentation on theme: "EFFECTIVELY TEACHING WITH WIRESHARK LAURA CHAPPELL EFFECTIVELY TEACHING WITH WIRESHARK LAURA CHAPPELL CHAPPELLU.COM WIRESHARKTRAINING.COM."— Presentation transcript:

1 EFFECTIVELY TEACHING WITH WIRESHARK LAURA CHAPPELL EFFECTIVELY TEACHING WITH WIRESHARK LAURA CHAPPELL LAURA@CHAPPELLU.COM CHAPPELLU.COM WIRESHARKTRAINING.COM LAURA@CHAPPELLU.COM ®

2 2 Wireshark Techniques Wireshark Functionality and Resources The “Golden Rules” of Wireshark Analysis Key Tasks Everyone Should Learn –Capturing Wired/Wireless Traffic –Custom Profiles –Top Capture Filters –Top Display Filters –Custom Coloring Rules –Finding Problems Using Graphs –Using the Wireshark Expert

3 SECTION 1: WIRESHARK FUNCTIONALITY OVERVIEW

4 4 Capturing Traffic Network Capture FiltersWinPcap – AirPcap - libpcap Capture Engine

5 5 Opening Trace Files Drive Wiretap Library

6 6 Processing Packets Capture Engine Wiretap Library Core Engine Dissectors – Plugins – Display FiltersGTK

7 7 Help? Problems? Websitewww.wireshark.org Wiki Pagewiki.wireshark.org FAQwww.wireshark.org/faq.html WinPcapwww.winpcap.org Mailing Listswww.wireshark.org/lists.html Bug Trackerbugs.wireshark.org/bugzilla Q&Aask.wireshark.org

8 8 General Analyst Resources www.wiresharktraining.com - Tips www.chappellU.com – info@ (me) www.iana.org – Protocol Numbers www.ietf.org – the RFCs www.wiresharkbook.com – videos/traces www.pcapr.net – lots of trace files ask.wireshark.org – got questions?

9 SECTION 2: THE “GOLDEN RULES” OF WIRESHARK ANALYSIS

10 10 Golden Rules The Golden Rules Capture as close to the complaining user/device as possible Know how to capture the packets before you need to (e.g., spanning vs. tapping and WLAN capture options) Use capture filters sparingly/display filters liberally Customize Wireshark (profiles, coloring rules, filters) Build a HOT trace file library The packets never lie – but they will not tell why something is happening

11 SECTION 3: THE KEY TASKS EVERYONE SHOULD MASTER

12 12 Let’s Go Live Now Capturing Wired/Wireless Traffic Using Profiles Hot Capture Filters Hot Display Filters Using Coloring Rules Finding Problems Using Graphs Using the Wireshark Expert

13 13 Wireless Traffic Capture You must have a promiscuous and monitor mode adapter Check out AirPcap Adapters (www.cacetech.com)

14 14 WLAN OS/Driver Issues Display Filter Capture Filter Promiscuous Mode Monitor Mode (rfmon mode) Signal http://wiki.wireshark.org/CaptureSetup/WLAN Promiscuous Mode = Monitor Mode Promiscuous Mode = Monitor Mode

15 Port Spanning or Mirroring Visibility Span port #3 to port #1 port #1 port #3

16 16 Full Duplex Links iTap GigaBit Copper Dual Port Aggregator 10/100BaseT Dual Port Aggregator Tap 10/100BaseT Port Aggregator Tap Visibility Server

17 17 Using Profiles Custom preferences, capture/display filters and coloring rules Sample: WLAN Profile

18 18 Capture Filters Network Capture Filters WinPcap – AirPcap - LibPcap Capture Engine

19 19 Hot Capture Filters host 10.2.1.3 port 67 (TCP or UDP) tcp port 80 ether host 00:08:15:00:08:15 (my MAC) not ether host 00:08:15:00:08:15 (not me) wlan host 00:2A:4B:23:36:2A

20 20 Hot Display Filters ip.addr == 10.2.0.0/16 !ip.addr == 10.2.0.0/16 (don’t use !=) tcp.analysis.flags wlan.fc.type_subtype ==8 (beacons only) http.response.code > 399 (HTTP errors) tcp.options contains 01:01:01:01 (ASA issue) ftp.response.arg == "Login incorrect."

21 21 Using Coloring Rules Consider disabling Checksum Errors Consider disabling Checksum Errors

22 22 Finding Problems with Graphs IO Graph – click on dips Advanced IO Graph – count tcp.analysis.retransmissions, etc. TCP Time/Sequence Graph RTT Graph – client’s perspective Oh… and use Endpoint Statistics to determine top talkers

23 23 Graph Delays and Errors

24 24 Always Check the Expert

25 WRAP-UP LAURA@CHAPPELLU.COM

Download ppt "EFFECTIVELY TEACHING WITH WIRESHARK LAURA CHAPPELL EFFECTIVELY TEACHING WITH WIRESHARK LAURA CHAPPELL CHAPPELLU.COM WIRESHARKTRAINING.COM."

Similar presentations

Wireshark in a nutshell What is Wireshark and how can it help me? Marco S. Zuppone & the precious review of Tim Lloyd.

Wireshark in a nutshell What is Wireshark and how can it help me? Marco S. Zuppone & the precious review of Tim Lloyd.
Protocol layers and Wireshark Rahul Hiran TDTS11:Computer Networks and Internet Protocols 1 Note: T he slides are adapted and modified based on slides.

Protocol layers and Wireshark Rahul Hiran TDTS11:Computer Networks and Internet Protocols 1 Note: T he slides are adapted and modified based on slides.
SHARKFEST '09 | Stanford University | June 15–18, 2009 The Reality of 10G Analysis Presented by: Network Critical Wednesday, June 17 th, 2009 1:30 pm –

SHARKFEST '09 | Stanford University | June 15–18, 2009 The Reality of 10G Analysis Presented by: Network Critical Wednesday, June 17 th, :30 pm –
SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 T1-1: I’ve downloaded Wireshark… Now what? Monday, March 31, 2008 – 10:30am – 12:00pm Betty.

SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 T1-1: I’ve downloaded Wireshark… Now what? Monday, March 31, 2008 – 10:30am – 12:00pm Betty.
1 SIP-based VoIP Lab. 2 Step 1: Connect Your PC to The Network Get your laptop connected to the campus WLAN. –Run ipconfig to show your own IP address.

1 SIP-based VoIP Lab. 2 Step 1: Connect Your PC to The Network Get your laptop connected to the campus WLAN. –Run ipconfig to show your own IP address.
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 TAP’s Demystified June 16 th 2010 Samuel Battaglia Technical Manager | Network Critical SHARKFEST.

SHARKFEST ‘10 | Stanford University | June 14–17, 2010 TAP’s Demystified June 16 th 2010 Samuel Battaglia Technical Manager | Network Critical SHARKFEST.
Troubleshooting.

Troubleshooting.
TSS Academy Troubleshooting with.

TSS Academy Troubleshooting with.
© 2006, The Technology Firm WWW.THETECHFIRM.COM Ethereal The Technology Firm.

© 2006, The Technology Firm Ethereal The Technology Firm.
MIS 5212.001 Week 11 Site:

MIS Week 11 Site:
Wireshark and TCP/IP Basics ACM SIG-Security Lance Pendergrass.

Wireshark and TCP/IP Basics ACM SIG-Security Lance Pendergrass.
Drinking straight from the network hose. So What is WireShark? Packet sniffer/protocol analyzer Open Source Network Tool Latest version of the ethereal.

Drinking straight from the network hose. So What is WireShark? Packet sniffer/protocol analyzer Open Source Network Tool Latest version of the ethereal.
Wireshark Presented By: Hiral Chhaya, Anvita Priyam.

Wireshark Presented By: Hiral Chhaya, Anvita Priyam.
1 Lab 3 Transport Layer T.A. Youngjoo Han. 2 Transport Layer  Providing logical communication b/w application processes running on different hosts 

1 Lab 3 Transport Layer T.A. Youngjoo Han. 2 Transport Layer  Providing logical communication b/w application processes running on different hosts 
1 Ethereal.  Freeware sniffing tool.  Captures live network traffic.  The user interface separates it from other sniffers.

1 Ethereal.  Freeware sniffing tool.  Captures live network traffic.  The user interface separates it from other sniffers.
University of Calgary – CPSC 441.  Wireshark (originally named Ethereal)is a free and open-source packet analyzer.  It is used for network troubleshooting,

University of Calgary – CPSC 441.  Wireshark (originally named Ethereal)is a free and open-source packet analyzer.  It is used for network troubleshooting,
CPSC 441 Tutorial TA: Fang Wang The content of these slides are taken from CPSC 526 TUTORIAL by Nashd Safa (Extended and partially modified)

CPSC 441 Tutorial TA: Fang Wang The content of these slides are taken from CPSC 526 TUTORIAL by Nashd Safa (Extended and partially modified)
Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.

Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.
Laptops, Notebooks, & Tablets, Oh My! Kathleen Hamby M.S. CBPA Governors State University.

Laptops, Notebooks, & Tablets, Oh My! Kathleen Hamby M.S. CBPA Governors State University.
COEN 252 Computer Forensics

COEN 252 Computer Forensics

Similar presentations

Ads by Google