Wireshark Kung Fu:

Uploaded On 2016-11-11


Becoming a Network Analyst Guru. Laura Chappell, Author, Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide, wiresharkbook.com. SESSION CODE: SIA336. ID: 487495

Presentation Transcript

Slide1

Wireshark Kung Fu: Becoming a Network Analyst Guru

Laura Chappell
Author, Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide
wiresharkbook.com

SESSION CODE: SIA336

Slide2

Conquer Your Network with Wireshark

Skills to master include

- Local/remote capture tips
  - Locate most active interface
  - Use rpcapd.exe for remote capture
- WLAN graphing
  - Graphing beacon rate
  - Graphing 802.11 retransmissions
- VoIP playback
  - Look for jitter, packet loss and errors

Slide3

Conquer Your Network with Wireshark

Skills to master include

- Malware detection
  - Have a baseline ready
  - Know scanning/discovery signs
  - Colorize questionable traffic
- Application analysis
  - What is the process?
- Command-line statistical reporting
  - Using Tshark effectively

Slide4

Wireshark Demonstration

[The slide set has more details for you as I go into Wireshark demonstrations now.]

DEMO

Slide5

Remote Capture with Rpcapd.exe

Slide6

Graphing WLAN Retries

(wlan.fc.retry==1) && (wlan.sa==00:24:b2:1f:27:f9)

Slide7

Try Application Analysis Yourself!

Launch First Instance of Wireshark

- Clear DNS and browsing cache (ipconfig /flushdns)
- Start capture
- http://sharepoint.microsoft.com/?wax=off
- Stop capture

Launch Second Instance of Wireshark

- Clear DNS and browsing cache (ipconfig /flushdns)
- Start capture
- http://sharepoint.microsoft.com/?wax=on
- Stop capture

Capture on your local host while running Wireshark and connecting to the site.

Slide8

Compare Conversations (Time Values)

Slide9

VoIP Analysis and Playback

Telephony | VoIP Calls | [select call] | Player | Decode [Check conversation(s)] | Play

Slide10

Malicious Traffic Detection

BASELINE FIRST

Slide11

Tshark Command-Line Statistics

From Wireshark Network Analysis

Slide12

Tshark Command-Line

tshark -i 3 -qz conv,eth -z conv,ip -z conv,tcp

-i 3: Capture on the 3rd interface listed by tshark -D

-qz conv,eth: Don’t show packets (-q), but capture Ethernet conversation statistics

-z conv,ip: Only use -q once. Capture IP conversation statistics

-z conv,tcp: Only use -q once. Capture TCP conversation statistics

Slide13

Related Content


WSV303 Death of a Network: Identify the Hidden Cause of Lousy Network Performance

SIA335 Death of Security: Breached Hosts/Stolen Data/IP Espionage

SIA332 (Panel) Securing the Cloud: Expert Panel

Online Videos: www.wiresharkbook.com

Slide17

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.