A-7: Have Wireshark – Will Travel (SharkFest '11 session transcript)
TRANSCRIPT
SHARKFEST ‘11 | Stanford University | June 13–16, 2011
A-7: Have Wireshark – Will Travel
Wednesday June 15, 2011, 1:15pm – 2:45pm
Jasper Bongertz, Senior Consultant | Fast Lane Institute for Knowledge Transfer
Agenda
Wireshark Configuration
• Column configuration
– No, Source, Destination, Protocol, Info, Size, Cumulative Bytes
– Delta Time Displayed, Relative Time, Absolute Time
– others, depending on the task (SMB handles...)
• TCP decode settings
– No stream reassembly by default
– Relative Sequence numbers, Track bytes in flight
• Color settings
– Set to indicate interesting stuff
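The settings on this slide live in two plain-text files of a Wireshark configuration profile, `preferences` and `colorfilters`. The script below is an added example, not the speaker's own profile: it writes a profile directory with the column layout, the TCP dissector settings and a handful of colouring rules for "interesting stuff", and parses the colouring file back to check what it wrote. The profile name, the column titles and the colour values are assumptions; the preference keys and column-format codes are the ones Wireshark uses.

```python
"""Generate a Wireshark configuration profile with the column, TCP and
colouring settings from the slide.  Added example, not the speaker's own
files; profile name, column titles and colours are assumptions.
Writes <config_dir>/profiles/<name>/preferences and .../colorfilters."""
import re
from pathlib import Path

# Column titles and Wireshark column-format codes (Preferences > Columns):
# %m number, %Tt delta time displayed, %Rt relative time, %at absolute time,
# %s/%d addresses, %p protocol, %L packet length, %B cumulative bytes, %i info.
COLUMNS = [
    ("No.", "%m"),
    ("Delta displayed", "%Tt"),
    ("Relative", "%Rt"),
    ("Absolute", "%at"),
    ("Source", "%s"),
    ("Destination", "%d"),
    ("Protocol", "%p"),
    ("Size", "%L"),
    ("Cumulative Bytes", "%B"),
    ("Info", "%i"),
]

# TCP dissector preferences: no stream reassembly, so every packet is shown
# as it went over the wire; relative sequence numbers; and bytes-in-flight
# tracking, which depends on sequence-number analysis being enabled.
TCP_PREFS = {
    "tcp.desegment_tcp_streams": "FALSE",
    "tcp.analyze_sequence_numbers": "TRUE",
    "tcp.relative_sequence_numbers": "TRUE",
    "tcp.track_bytes_in_flight": "TRUE",
}

# Colouring rules: (name, display filter, background RGB, foreground RGB),
# 16-bit components as Wireshark stores them.  Colour choices are assumptions.
COLOR_RULES = [
    ("TCP RST", "tcp.flags.reset == 1", (37008, 0, 0), (65535, 63121, 32639)),
    ("TCP zero window", "tcp.analysis.zero_window", (0, 0, 0), (65535, 65535, 0)),
    ("Bad TCP", "tcp.analysis.flags && !tcp.analysis.window_update",
     (0, 0, 0), (65535, 24383, 24383)),
    ("ICMP errors",
     "icmp.type == 3 || icmp.type == 4 || icmp.type == 5 || icmp.type == 11",
     (0, 0, 0), (0, 65535, 3616)),
]


def build_preferences():
    """Render the preferences file: one 'key: value' line per setting,
    the column list as alternating quoted "title", "format" pairs."""
    cols = ", ".join(f'"{title}", "{fmt}"' for title, fmt in COLUMNS)
    lines = [f"gui.column.format: {cols}"]
    lines += [f"{key}: {value}" for key, value in TCP_PREFS.items()]
    return "\n".join(lines) + "\n"


def build_colorfilters():
    """Render the colorfilters file: @name@filter@[bg_r,bg_g,bg_b][fg_r,fg_g,fg_b]"""
    lines = []
    for name, flt, bg, fg in COLOR_RULES:
        lines.append(f"@{name}@{flt}@[{bg[0]},{bg[1]},{bg[2]}][{fg[0]},{fg[1]},{fg[2]}]")
    return "\n".join(lines) + "\n"


_RULE_RE = re.compile(r"^@([^@]*)@(.*)@\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")


def parse_colorfilters(text):
    """Parse a colorfilters file back into (name, filter, bg, fg) tuples.
    Comment lines and blank lines are ignored; rules prefixed with '!' are
    disabled in Wireshark and are skipped here; anything else that does not
    match the format is an error rather than silently dropped."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line.startswith("!"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"malformed colour rule: {line!r}")
        bg = tuple(int(m.group(i)) for i in (3, 4, 5))
        fg = tuple(int(m.group(i)) for i in (6, 7, 8))
        if any(c > 65535 for c in bg + fg):
            raise ValueError(f"colour component out of range: {line!r}")
        rules.append((m.group(1), m.group(2), bg, fg))
    return rules


def write_profile(config_dir, name="field-analysis"):
    """Create the profile directory and both files; returns the profile path.
    config_dir is normally ~/.config/wireshark on Linux/macOS or
    %APPDATA%\\Wireshark on Windows (assumed default locations)."""
    profile = Path(config_dir) / "profiles" / name
    profile.mkdir(parents=True, exist_ok=True)
    (profile / "preferences").write_text(build_preferences())
    (profile / "colorfilters").write_text(build_colorfilters())
    return profile


if __name__ == "__main__":
    import tempfile
    p = write_profile(tempfile.mkdtemp())
    print((p / "preferences").read_text())
    print((p / "colorfilters").read_text())
```

Point the script at the real configuration directory and start Wireshark with `wireshark -C field-analysis` (tshark accepts the same `-C` option) to use the profile; copying the directory is also the easiest way to carry an identical setup to a customer's machine.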
At the customer site... It's an adventure.
At the customer site...
• Strange expectations
– "Capture? Can't you just add a route to fix it?"
• "Problematic" network diagrams (if any, and if you can call it a diagram at all)
• Determining capture points
– "We have no idea where THAT server is..."
• Fun with corporate security
– "We installed fingerprint readers just this morning. It's a little difficult to get inside the datacenter."
– "Hi, meet our IT risk officer"
Network Diagram? Here you go...
Preparing captures
• Wonderful network devices from the early to late 1990s
– "Oh, cute, a 10MBit hub..." (in 2007)
• TAP trouble
– CRC errors caused by Aggregation TAP
– No link on analyzer ports while production works fine (fiber optical tap)
• Inline capture trouble
– Or: where NOT to place Reset buttons on a capture device
Preparing captures
• Customer admins and the challenge to configure SPAN ports
– "SPAN port? What is a SPAN port???"
– "I have neither IP nor login for THAT switch"
• Fun with switches
– 3COM: SPAN port vs. STP
– D-LINK: 1-to-23 SPAN option
– D-LINK: running in factory default configuration
• Bogus problem reports
– "My printer takes ages to print a page"
Next up...
Lost without a Trace
A couple of projects of which I don't have the trace files anymore...
The lazy network admin
• Customer had several offices, one showing slow loading times for CAD drawings
The random traffic spike
• Diagrams showed massive random traffic spikes on ALL internal interfaces at the same time
The unfortunate server move
• Customer moved a DB server to another location, and users started complaining
– "I tried FTP, it runs perfectly fine..."
Network bad, admin worse
• Two remote hospital buildings, connected through a 100MBit radio link.
• Most Users losing connectivity every now and then, at the same time, on both sides
Case files with trace files
Anonymized, of course.
Firewall trouble
• Customer calls, saying he's being attacked
• Firewall blocks tons of valid connections
– Attacks apparently stop at night
• Network capture under stress
• Sorry, no network diagram
• Let's take a look...
Network takedown
• Customer calls, saying he's being attacked
– No, it's not the same customer.
– No, no network diagram either, sorry
• Okay, let's see...
The slow fast download
• Customer has very slow download speeds from a very fast filer to user locations
– Of course, going from 1GBit to 100MBit, but the resulting speed was about 5MBit/s
The network brake
• WAN clients experiencing times of very slow network communication
The home network job
• My dad calls, telling me he can't access one particular website, while all others work fine...
Lessons learned
• Always test the equipment before going out into the field
– Even if it worked fine yesterday
• Diplomacy skills are a big advantage
• Document, document, document
– You'll need it to help you remember why that trace was captured and how
• Double-check your findings before talking about them
– It helps to have skilled coworkers asking questions
Questions?