I Want to Hear Your Packet Analysis Stories
May 15th, 2009 | Category: Packet Analysis

Do you have a story about a time when you used packet analysis to solve a problem on your network? If so, I want to hear that story. E-Mail me at chris@chrissanders.org and your story could be featured on this site or even in the next edition of Practical Packet Analysis.

Packet Analysis and Wireshark Online Training – May 27th
April 22nd, 2009 | Category: Packet Analysis, Training

I’ve just announced my second online training event. This event will be happening on Wednesday, May 27th at 2 PM EST.

 

Course Description:

This is an introductory-level packet analysis course with a focus on practical usage. The goal of this course is to give you exactly what you need to jump into your network with Wireshark and begin getting value out of these skills immediately. This course will use completely new files and scenarios and will not repeat any real-world scenarios taught in my book or in my previous trainings.

 

Prerequisites:

In order to follow this course you will need a decent level of experience troubleshooting networks and client/server communications. You won’t be expected to know how individual protocols look on the wire (I’ll teach you that), but you will be expected to know what DHCP, DNS, SMTP, etc. are used for.

The course will be administered using Citrix GoToMeeting, which will transmit live audio and video from my computer. Because of this, some form of broadband Internet connection is recommended. I’ve used this format before and it worked really well; all users were able to connect and listen/watch successfully.

 

Who Should Attend:

If you troubleshoot or maintain a network on a daily basis then this course will provide immediate value to you. Packet Analysis is one of the hottest growing skill sets amongst IT staff in the world and is an absolute requirement to troubleshoot certain problems that may be faced. If you want to save yourself time, save your organization money, or make yourself more marketable by increasing your skill set, then this is the course for you.

 

Cost:

The early registration cost for this course is $100 USD. This pricing is valid until May 5th. After May 5th, the cost goes up to $150 USD. If you work for a non-profit or in education, please e-mail me for a discounted rate. The course is limited to a set number of participants so that I can get to all questions that may be asked, so your best bet is to get in early.

 

Curriculum:

Hour 1 – Intro, Theory, and Getting Your Feet Wet

  • How Packet Analysis Can Help You
  • “War Stories”
  • How a Packet Sniffer Works
  • Getting and Installing Wireshark
  • Sniffer Placement on Your Network
  • Walkthrough of Wireshark’s Features Using Real Trace Files

Hour 2 – Protocols and Performance with Real World Case Scenarios

  • Analyzing Common Protocols When They Work and When They Don’t
  • Troubleshooting Network Performance Problems
  • Steps for Creating a Network Baseline
  • The 7 Deadly Sins of the Network

Hour 3 – Security, Wireless, and More Real World Scenarios

  • Analyzing Common Network Attacks
  • Wireless Packet Analysis
  • Additional Tools and Resources
  • Q&A

 

Registration:

In order to sign up for this course, please fill out the registration form below. At some point after registering, you should receive an e-mail from me with payment details.

 

 

As always, if you have any questions regarding this training please e-mail me.

Keeping Capture Files Manageable
April 20th, 2009 | Category: Packet Analysis, Tech News

When you are capturing a lot of traffic, the size of your capture files can grow very quickly, and once a file gets large you are going to have a hard time getting anything done when trying to sort through it. There are a few things you can do to prevent this from happening.

Use an Effective Capture Filter

Capture filters are great when you know what you are looking for. If you ONLY want SMTP traffic, you can capture only that traffic. If you ONLY want to see HTTP POSTs, you can capture only that traffic. Keep in mind that a capture filter discards packets before they are ever written to disk, so anything it excludes is gone for good. If you aren’t sure what you are looking for, it’s best to capture everything and narrow it down with display filters, but when you have an eye on your target, capture filters are a great way to cut through the weeds. You will find this especially beneficial when capturing packets from a busy server or network segment.

Some of the things you can filter based upon include:

  • Specific Protocols
  • A Particular IP/MAC Address
  • Incoming/Outgoing Traffic Only

Split the Capture File as It’s Being Captured

Wireshark has some really great flexibility in allowing you to split a capture file as it’s being created. You can access this by selecting Capture from the main drop-down menu and then selecting Options, or by pressing Ctrl+K.

[Screenshot: the Wireshark Capture Options dialog]

You have a couple of options here and they all become available to you when you place a check mark next to the Use Multiple Files box. There are two primary sections which I’ve creatively labeled the Multiple File and Stop Capture sections.

The multiple file section lets you specify the point at which a new file is created, either when the current file reaches a certain size or after a certain time interval. I typically use the size option, but specifying a time interval becomes very useful when you are trying to pinpoint when a certain event is happening. In that scenario you could start the capture at 12:00 and set the multiple file option to create the next file every hour, which gives you a clean set of capture files, one per hour.

It’s important to note that you can specify both of these criteria, in which case a new file is created when EITHER condition is met. In this top section you can also specify a maximum number of files to be created (don’t underestimate the value of this, I’ve accidentally filled up a hard drive on many occasions) and specify a ring buffer. A ring buffer uses a set number of files; after the last file has been written it begins overwriting the first file and cycles back through, so the capture never occupies more than that many files’ worth of disk.

The stop capture section of this area is very straightforward and allows you to stop a capture once it reaches a certain point: a certain number of packets captured, a certain total size, or a certain amount of time. This comes in handy when you want to start a capture and run off to lunch or take a call.
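The same split-and-rotate logic in code, as an added example that is not part of the original post and is not Wireshark’s own code. It writes classic pcap files, starts a new one when either a size limit or a time limit is reached, and keeps only the newest N files as a ring buffer; the frame contents and timestamps in demo() are constructed. From the command line, dumpcap (the capture engine Wireshark uses) offers the same knobs: -b filesize:KB, -b duration:SECONDS and -b files:N for the multiple-file section, and -a duration:SECONDS, -a filesize:KB or -a packets:N for the stop conditions.

```python
import os
import struct
import tempfile
from collections import deque

# Classic libpcap file layout: a 24-byte global header, then a 16-byte record
# header (ts_sec, ts_usec, captured length, original length) before each frame.
PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


class RollingPcapWriter:
    """Split output across prefix_00001.pcap, prefix_00002.pcap, ...

    A new file is opened when EITHER max_bytes or max_seconds is reached,
    the same rule Wireshark applies to its "Use multiple files" options.
    With ring=N only the N newest files are kept: the oldest one is deleted
    as the next one opens, which is what Wireshark's ring buffer does.
    """

    def __init__(self, prefix, max_bytes=None, max_seconds=None, ring=None):
        self.prefix = prefix
        self.max_bytes = max_bytes
        self.max_seconds = max_seconds
        self.ring = ring
        self.files = deque()      # paths still on disk, oldest first
        self.index = 0            # sequence number of the current file
        self.rollovers = []       # (file index, reason) for every file opened
        self._fh = None
        self._bytes_in_file = 0
        self._opened_at = None

    def _rollover_reason(self, ts, record_len):
        if self._fh is None:
            return "start"
        if self.max_bytes and self._bytes_in_file + record_len > self.max_bytes:
            return "size"
        if self.max_seconds and ts - self._opened_at >= self.max_seconds:
            return "time"
        return None

    def _open_new_file(self, ts, reason):
        if self._fh:
            self._fh.close()
        self.index += 1
        path = f"{self.prefix}_{self.index:05d}.pcap"
        self._fh = open(path, "wb")
        self._fh.write(pcap_global_header())
        self._bytes_in_file = GLOBAL_HEADER_LEN
        self._opened_at = ts
        self.files.append(path)
        self.rollovers.append((self.index, reason))
        # Ring buffer: once we hold more than `ring` files, delete the oldest.
        if self.ring and len(self.files) > self.ring:
            os.remove(self.files.popleft())

    def write(self, frame, ts):
        """Append one frame; ts is its capture time in seconds since the epoch."""
        record_len = RECORD_HEADER_LEN + len(frame)
        reason = self._rollover_reason(ts, record_len)
        if reason:
            self._open_new_file(ts, reason)
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        self._fh.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        self._fh.write(frame)
        self._bytes_in_file += record_len

    def close(self):
        if self._fh:
            self._fh.close()
            self._fh = None


def demo(directory=None):
    """Constructed run: ten dummy frames one second apart, 100 bytes each except
    frame 1 (400 bytes); roll at 700 bytes or 4 seconds and keep only 2 files."""
    directory = directory or tempfile.mkdtemp(prefix="rollpcap_")
    writer = RollingPcapWriter(os.path.join(directory, "cap"),
                               max_bytes=700, max_seconds=4, ring=2)
    t0 = 1_240_000_000.0               # arbitrary base time for the demo
    for i in range(10):
        frame = bytes(400 if i == 1 else 100)   # placeholder bytes, not real frames
        writer.write(frame, t0 + i)
    writer.close()
    return {
        "rollovers": writer.rollovers,                          # why each file opened
        "files": [os.path.basename(p) for p in writer.files],  # what is left on disk
        "sizes": [os.path.getsize(p) for p in writer.files],
    }


if __name__ == "__main__":
    print(demo())
```

In the demo the first file fills up after four frames (the oversized one pushes it past 700 bytes), the second is closed by the four-second limit, and by the time the third opens the ring has already deleted the first, so only two files remain on disk.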

Ensure You Are Capturing in the Best Location

One of the most overlooked parts of the packet analysis process is ensuring you are properly tapped into the network and getting the packets you need. Although the typical concern is whether you are getting enough packets, there are cases in which you may be capturing TOO MUCH. If you are having trouble weeding through a large capture file, ask yourself whether you really need to be capturing where you are. If it is a client/server issue, do you really need to capture at the server, or would capturing at the client yield the traffic you need? If you are analyzing a slow network link, do you really need to be inside the router, or would you be better off tapping the outside interface of the router and getting away from the internal network’s broadcast domain?

Working with large capture files is a quick way to bog down your system and further complicate what may already be a long, drawn-out process. Using these techniques you should be able to keep tabs on your capture file size and make your analysis process quite a bit more efficient.

Using a Tap for Packet Analysis
April 8th, 2009 | Category: Packet Analysis

I’ve already written quite a bit about getting on the wire as it pertains to packet analysis. Half the battle when you are capturing packets is placing the sniffer computer so that it captures the packets you need. The advent of switched networks makes this a bit harder on us as traffic is now directed and not free-flowing across every port on a network. In a post a few months ago I outlined three methods for getting on the wire. Those three methods were ARP Cache Poisoning, Hubbing Out, and Port Mirroring. One other technique which I had not previously used, but have now grown to love is using a network tap.

 

[Diagram: a tap inserted in line between a switch and a router, with a monitor port feeding the analysis machine]

A tap is a hardware device that you place in line on a link so that a copy of every packet crossing that link is handed to your analysis machine.

 

The tap has at least three ports: an inbound port, an outbound port, and a monitor port. Traffic passes between the inbound and outbound ports as if the tap weren’t there; the monitor port receives a copy of everything that passes between them.

 

Say you wanted to intercept all network traffic entering your router. Typically, you would have a single cable going from a switch to your router. To insert the tap, you would unplug the current cable from the router and plug it into the inbound port on the tap. You would then add a cable from the outbound port of the tap to the port on your router. Lastly, you would run a cable from the monitor port to your analysis machine. The analysis machine will then capture all traffic flowing between the switch port and the router.

 

The great thing about doing this as opposed to hubbing out is that you aren’t relying on an old-school hub, which can cause dropped packets (collisions) and limits you to half-duplex communication. It is also advantageous over ARP cache poisoning because it doesn’t generate any extra traffic on the wire, which is something you typically want to avoid…especially in security scenarios. If your layer three switches already run at high processor utilization, you could also consider this over port mirroring: a mirror session adds load to the switch, and when the mirrored traffic exceeds what the destination port can carry, the switch silently drops the excess. The tap adds no traffic to the wire, and because its monitor port only ever receives, the hosts on the link have no way to detect it from the traffic they see.

 

[Photo: the Barracuda network tap]

That all being said, I recommend the Barracuda network tap. They run about $130 and have the added benefit of TWO monitor ports: one carries all inbound traffic and the other all outbound traffic, rather than a single port for both, which adds some flexibility to your analysis. That split matters on a busy full-duplex link, where the two directions together can exceed what a single monitor port can carry; it also means you capture each monitor port on its own interface and merge the two capture files afterwards. The Barracuda tap also runs from a nine-volt battery in situations where a power outlet isn’t handy or you just want to capture some packets quickly.
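Because each monitor port is captured on its own interface, you end up with one file per direction and have to interleave them by timestamp before a conversation reads naturally; mergecap, which ships with Wireshark, does exactly this by default. The Python below is an added example, not the post’s own code and not anything from Barracuda or Wireshark: it does the same k-way merge for classic pcap files (pcapng is not handled) and also copes with byte-swapped files from a capture host of the opposite endianness. The two input files, their payloads and their timestamps are constructed, and the private-use link type 147 is used because the payloads are not real frames. Capture both monitor ports on the same machine, or at least on NTP-synced clocks, since the merged order is only as good as the timestamps.

```python
import heapq
import os
import struct
import tempfile

PCAP_MAGIC_US = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_USER0 = 147             # private-use link type for the dummy payloads

# First four bytes read as little-endian -> (byte order of the file, ns per tick)
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000),    # native little-endian, microseconds
    0xD4C3B2A1: (">", 1_000),    # byte-swapped (big-endian) file, microseconds
    0xA1B23C4D: ("<", 1),        # nanosecond pcap variant
    0x4D3CB2A1: (">", 1),
}


def read_pcap(path):
    """Return (linktype, [(timestamp_ns, frame), ...]) for a classic pcap file."""
    with open(path, "rb") as fh:
        head = fh.read(24)
        if len(head) < 24:
            raise ValueError(f"{path}: truncated global header")
        magic = struct.unpack("<I", head[:4])[0]
        if magic not in _MAGICS:
            raise ValueError(f"{path}: not a classic pcap file (magic {magic:#x})")
        endian, tick_ns = _MAGICS[magic]
        linktype = struct.unpack(endian + "IHHiIII", head)[6]
        records = []
        while True:
            rec = fh.read(16)
            if not rec:
                break
            if len(rec) < 16:
                raise ValueError(f"{path}: truncated record header")
            sec, frac, caplen, _origlen = struct.unpack(endian + "IIII", rec)
            frame = fh.read(caplen)
            if len(frame) < caplen:
                raise ValueError(f"{path}: truncated packet data")
            records.append((sec * 1_000_000_000 + frac * tick_ns, frame))
    return linktype, records


def write_pcap(path, linktype, records, endian="<"):
    """Write (timestamp_ns, frame) records as a microsecond pcap file."""
    with open(path, "wb") as out:
        out.write(struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, linktype))
        for ts_ns, frame in records:
            sec, ns = divmod(ts_ns, 1_000_000_000)
            out.write(struct.pack(endian + "IIII", sec, ns // 1000, len(frame), len(frame)))
            out.write(frame)


def merge_captures(inputs, output):
    """Interleave several pcap files by timestamp into one, like mergecap's default."""
    linktype = None
    streams = []
    for path in inputs:
        lt, records = read_pcap(path)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError(f"{path}: link type {lt} differs from {linktype}; "
                             "a classic pcap file holds a single link type")
        streams.append(records)
    # Each input is already in capture order, so a k-way merge suffices.
    # heapq.merge is stable: equal timestamps keep the order of the input list.
    merged = list(heapq.merge(*streams, key=lambda rec: rec[0]))
    write_pcap(output, LINKTYPE_USER0 if linktype is None else linktype, merged)
    return merged


def demo(directory=None):
    """Constructed exchange as seen on the tap's two monitor ports; returns
    the payloads in merged order."""
    directory = directory or tempfile.mkdtemp(prefix="tapmerge_")
    t0 = 1_240_000_000 * 1_000_000_000   # arbitrary base time in ns
    ms = 1_000_000
    switch_to_router = [(t0, b"syn"), (t0 + 2 * ms, b"ack"), (t0 + 3 * ms, b"get")]
    router_to_switch = [(t0 + 1 * ms, b"syn-ack"), (t0 + 5 * ms, b"200 ok")]
    in_path = os.path.join(directory, "monitor_in.pcap")
    out_path = os.path.join(directory, "monitor_out.pcap")
    write_pcap(in_path, LINKTYPE_USER0, switch_to_router)
    write_pcap(out_path, LINKTYPE_USER0, router_to_switch, endian=">")  # swapped file
    merged_path = os.path.join(directory, "merged.pcap")
    merge_captures([in_path, out_path], merged_path)
    _, records = read_pcap(merged_path)
    return [frame.decode() for _, frame in records]


if __name__ == "__main__":
    print(demo())
```

The merge reads back a file that was deliberately written byte-swapped, which is the case you hit when the two monitor ports were captured on hosts of different architectures; if your capture tools write pcapng instead, convert with editcap or extend the reader.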

 

 

 

You can get the Barracuda network tap from http://www.barracudanetworks.com/tap/.

New Website Look for 2009
March 4th, 2009 | Category: Website News

Although we are a couple of months into 2009 now, I’ve just launched the graphical redesign of the site. If you view the site via RSS you may want to stop by to check it out. I’ve merged a couple of pages and added some new ones and hope to start delivering some more new content soon. Also, I will be adding, modifying, deleting some post categories so be aware of that. Keep checking back often for new stuff!

Chappell University
February 23rd, 2009 | Category: Packet Analysis, Tech News

Laura Chappell, one of the packet analysis world’s best, has just announced Chappell University. Here is her official statement from her newsletter:

“Chappell University (www.chappellU.com) is open for registration today. Subscription-level service will be open soon – I’ll let you know. Chappell University is an affordable, on-demand, online training system to maintain and enhance IT skills in the area of analysis, troubleshooting and security. Last night I uploaded two lab workbooks with over 100 lab exercises using Wireshark to spot network problems, security breaches, and analyze normal and abnormal TCP/IP communications. I’ve recorded video answers to all the lab exercises. In addition, I’ve uploaded my trace file repository and you’ll see me uploading additional WLAN, VoIP, bot-infections, application, etc., trace files each quarter. Check out the new YouTube Channel for Chappell University at www.youtube.com/chappellU and the video “Ethical Hacking with NetScanTools Pro: Tutorial on ARP Scanning to Discover All Local Hosts” (even those hidden behind firewall applications).”

If you haven’t had the pleasure of experiencing Laura’s training on-site, or via Wireshark University, I would highly recommend both. As I said, she is one of the best in the field.

Pcapr Packet Repository
February 16th, 2009 | Category: Packet Analysis

In the past, when folks asked me if I was aware of any kind of packet capture file repository on the Internet, I pointed them towards OpenPacket.org. That site never really seemed to take off, and I just saw this post on Bejtlich’s TaoSecurity blog. That being the case, I will now be recommending Pcapr from Mu Dynamics. I’ve only just been made aware of it, but it already seems to have quite a bit of good content. I hope to contribute some files from my lab to it as well.

Sharkfest ‘09 – I’ll Be There!
February 14th, 2009 | Category: Packet Analysis, Tech News

Will you be at Sharkfest 2009? I will be!

Official Press Release -

JOIN US FOR SHARKFEST ‘09

Wireshark® Developer and User Conference

June 15 – 18, 2009

Stanford University | Palo Alto, California

SHARKFEST is an educational event that offers in-depth instruction over the course of 3 days to the benefit of anyone wishing to enhance their skill set with, and optimize the effective use of, the world’s most popular network and packet analyzer, Wireshark.

The SHARKFEST‘09 session schedule, rapidly taking shape, includes many topics geared for new, seasoned, and expert Wireshark users alike, including:

  • Ask the Experts: One-on-One with Core Developers
  • Wireshark Saves the WLAN!
  • Getting Your Code into Wireshark Releases
  • Analyzing VoIP with Wireshark
  • Using Wireshark to Determine Properly-Functioning TCP Connections
  • CACE Pilot + Wireshark Integrated Analysis
  • How Protocols Work
  • Advanced TCP Analysis & Troubleshooting in Enterprise Networks

Space is limited and due to a full house last year, early registration is strongly encouraged. Single registration for all 3 days is $695.00 USD. Details including conference hotels, group discounts and the conference schedule can be found at http://www.cacetech.com/sharkfest.09/. Every paid registration will receive a FREE AirPcap Classic Adapter (SRP $198USD) and so much more!

Practical Packet Analysis Training Online – December 11th
November 9th, 2008 | Category: Packet Analysis, Training

The date has been set for my first ever online Wireshark training. This will be held live on Thursday, December 11th at 2 PM Central Standard Time. The training will be taught via GoToMeeting, and the slides and capture files used will be made available after the presentation. The cost for attending is $150. The only prerequisite is a basic knowledge of computer networking and an interest in the subject. Here is a breakdown of the curriculum:

Hour 1

  • Benefits of Packet Analysis
  • How a Packet Sniffer Works
  • Installing Wireshark
  • The OSI Model
  • Types of Traffic on the Wire
  • Analyzer Placement on the Cabling System
  • Basic Wireshark Features
  • Advanced Wireshark Features
  • Wireshark Statistics

Hour 2

  • Display/Capture Filters
  • Common Protocols (TCP, HTTP, DNS, DHCP, ARP, TELNET, FTP, POP, SMTP, etc.)
  • Troubleshooting Performance Problems
  • Network Baselines
  • Wireless Packet Analysis

Hour 3

  • Additional Wireshark Tools and Resources
  • Useful Websites and Other Learning Resources
  • Q&A

 

I already have quite a few people signed up and will be limiting the number of attendees so that I can answer as many questions during the Q&A as I can without leaving anybody out. If you are interested, e-mail me at chris@chrissanders.org and reference the class. Payment is accepted via check (must have it very soon so it can clear in time for the training) or PayPal (info will be provided when you e-mail me).

Online Wireshark Training Opportunity
October 12th, 2008 | Category: Packet Analysis, Training

I’ve had quite a bit of demand for some online Wireshark training opportunities. In response to this, I’m hosting my first ever Practical Packet Analysis course online. I haven’t set an exact date yet, but I am looking at December 5th, in the afternoon. The training will run between 2 and 3 hours and will cover things including Wireshark analyzer placement on your cabling system, performing a network baseline, and troubleshooting network latency. I will be limiting this course to around 25 people and the cost will be $150/person. If you are interested, please e-mail me at chris@chrissanders.org immediately. If this goes well, I will be hosting some more advanced and targeted sessions in the future.

**Update – I’ve already filled up several spots so e-mail quickly if you are interested**

**UPDATE – Date and time has been announced for this. Please see THIS post**

Who is Chris?

Chris Sanders is a technology consultant, author, and researcher originally from around Paducah, Kentucky. That’s ten miles west of the town Possum Trot, thirty miles east of the community of Monkey’s Eyebrow, and ten miles north of New York City (population 214). He currently resides in Bowling Green, Kentucky.

Chris serves as a network security analyst for EWA Government Systems, Inc and as a SANS Mentor. His book Practical Packet Analysis is widely respected as one of the best practical use books on its topic and has sold several thousand copies internationally. Along with this, Chris has written and co-written hundreds of articles on the topics of packet analysis, network security, Microsoft Server technologies, and general network administration.