Wireshark Certified Network Analyst Boot Camp Course
A three-day hands-on lab/lecture course focusing on the key areas of the Wireshark Certified Network Analyst Exam.
Instructor: Laura Chappell, Founder of Wireshark University
Presented in conjunction with Sharkfest 2013
June 19-21, 2013
9:00am – 5:00pm PST
Contents
WCNA Boot Camp Course Overview ... 1
Date, Time, and Location ... 1
What is Included in the WCNA Boot Camp? ... 1
Who Should Attend ... 1
Recommended Prerequisite Knowledge/Capabilities ... 1
Bring-Your-Own-Laptop (BYOL) Requirements ... 2
WCNA Boot Camp Preparation ... 2
About the Wireshark Certified Network Analyst™ Program ... 3
Why Should I Pursue the Wireshark Certified Network Analyst Certification? ... 3
How Do I Earn the Wireshark Certified Network Analyst Status? ... 3
WCNA Boot Camp Course Estimated Daily Schedule ... 4
Day One (June 19, 2013): Key Topics in Sections 1-11 ... 4
Day Two (June 20, 2013): Key Topics in Sections 12-22 ... 4
Day Three (June 21, 2013): Key Topics in Sections 23-33 ... 4
Am I Ready for the WCNA Boot Camp? ... 5
Prerequisite Tasks ... 5
Prerequisite Quiz ... 5
Answer Key ... 10
Appendix A: Wireshark Certified Network Analyst Exam Objectives (Test WCNA102.1) ... 12
Wireshark Certified Network Analyst Boot Camp [Sharkfest 2013] Page 1
WCNA Boot Camp Course Overview
This three-day boot camp class focuses on the key areas covered in the most current version of the Wireshark Certified Network Analyst Exam (WCNA102.1). Students will review these key areas through labs, lecture, and sample open-grading exams.
The WCNA Boot Camp Course releases at Sharkfest 2013.
Date, Time, and Location
Date: June 19-21, 2013
Time: 9:00am – 5:00pm PST
Location: Clark Kerr Campus, UC Berkeley
What is Included in the WCNA Boot Camp?
All WCNA Boot Camp students will receive the following items upon arrival the first day of class:
WCNA Boot Camp Student Manual (includes labs and quizzes)
WCNA Boot Camp USB (containing trace files and supplemental resources)
All Access Pass One-Year Subscription Voucher (a $699 value)
WCNA Exam Voucher (a $299 value)
Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide (a $99 value)
Labs and lectures led by Laura Chappell, Founder of Wireshark University
Who Should Attend
This three-day course is designed for network professionals interested in obtaining the Wireshark Certified Network Analyst designation.
Recommended Prerequisite Knowledge/Capabilities
Students should have a strong working knowledge of interconnecting device functionality (switch, router, NAT, for example) and be comfortable with the elements of the TCP/IP protocol suite (ARP, TCP, UDP, IP, DHCP, ICMP, for example). In addition, students should already be familiar with the Wireshark interface and basic methods used to capture and filter traffic.
Students should review Am I Ready for the WCNA Boot Camp? on page 5 and be able to easily complete the tasks listed as well as correctly answer all the questions without the use of reference materials.
In addition, students must review and complete the Bring-Your-Own-Laptop (BYOL) Requirements section below and complete the steps outlined in WCNA Boot Camp Preparation.
Bring-Your-Own-Laptop (BYOL) Requirements
Students attending this WCNA Boot Camp are required to bring their own laptops that are properly configured. There will not be time in class to help you configure your laptop, so ensure your system is installed and configured as described below prior to coming to class.
The students must bring a laptop with the most recent version of Wireshark 1.8.x installed (available at www.wireshark.org). We will not be using Wireshark 1.9.x unless specifically denoted in advance of the course. Students may use any OS version on their laptop, but Laura Chappell will be using and displaying Wireshark installed on Windows 7.
A functional USB port is required to access WCNA Boot Camp trace files and other supplemental materials that will be available via USB stick.
Prior to class, you must follow the steps defined in WCNA Boot Camp Preparation on page 2 to return your Default profile to its original state before the start of class.
In summary, before you arrive at the WCNA Boot Camp, you must:
Confirm that the latest version of Wireshark 1.8.x is installed and functional on your laptop.
Confirm that you can launch Wireshark and open a trace file.
Ensure you have a working USB port on your laptop.
Read and follow the instructions in WCNA Boot Camp Preparation.
It is critical that you work through the WCNA Boot Camp Preparation steps before class so that you arrive with a properly configured Wireshark system.
WCNA Boot Camp Preparation
Your Wireshark system should contain a Default profile that is in its original state. Follow the steps below to clean up any changes you may have made to the Default profile:
1. Launch Wireshark.
2. Select Help | About Wireshark | Folders.
3. Open your Personal Configuration folder.
4. Delete (or move) any files in this folder. Do not delete a profiles directory, if one exists. A clean personal configuration folder is shown below.
About the Wireshark Certified Network Analyst™ Program
The Wireshark Certified Network Analyst Exam is a globally-available, proctored exam to meet the secure and widely available delivery requirements desired by candidates. The Exam is available online or at Kryterion Testing Centers worldwide.
Visit www.wiresharktraining.com/certification for additional information on the Wireshark Certified Network Analyst program. Questions regarding your Wireshark Certified Network Analyst status may be directed to [email protected].
Why Should I Pursue the Wireshark Certified Network Analyst Certification?
Successful completion of the Wireshark Certified Network Analyst Exam indicates you have the knowledge required to capture network traffic, analyze the results, and identify various anomalies related to performance or security issues.
How Do I Earn the Wireshark Certified Network Analyst Status?
To earn the Wireshark Certified Network Analyst status, you must pass a single exam—the WCNA-102x exam. Register for the proctored Wireshark Certified Network Analyst Exam online at www.webassessor.com/pai. (PAI represents the Protocol Analysis Institute, the parent company of Wireshark University and Chappell University). For more information on the Exam registration process, visit www.wiresharktraining.com/certification.
Upon completion of the Wireshark Certified Network Analyst Exam, an individual will receive a pass/fail score. Candidates who successfully pass the Wireshark Certified Network Analyst Exam will receive their Wireshark Certified Network Analyst Welcome Kit package that contains the candidate’s certificate and details on maintaining Wireshark Certified Network Analyst status. For more information on the Wireshark Certified Network Analyst program, visit www.wiresharktraining.com/certification.
WCNA Boot Camp Course Estimated Daily Schedule [1]
The following daily schedule indicates which sections are covered each day.
Day One (June 19, 2013): Key Topics in Sections 1-11
Section 1: Network Analysis Overview
Section 2: Introduction to Wireshark
Section 3: Capture Traffic
Section 4: Create and Apply Capture Filters
Section 5: Define Global and Personal Preferences
Section 6: Colorize Traffic
Section 7: Define Time Values and Interpret Summaries
Section 8: Interpret Basic Trace File Statistics
Section 9: Create and Apply Display Filters
Section 10: Follow Streams and Reassemble Data
Section 11: Customize Wireshark Profiles
Day Two (June 20, 2013): Key Topics in Sections 12-22
Section 12: Annotate, Save, Export and Print Packets
Section 13: Use Wireshark’s Expert System
Section 14: TCP/IP Analysis Overview
Section 15: Analyze Domain Name System (DNS) Traffic
Section 16: Analyze Address Resolution Protocol (ARP) Traffic
Section 17: Analyze Internet Protocol (IPv4/IPv6) Traffic
Section 18: Analyze Internet Control Message Protocol (ICMPv4/ICMPv6) Traffic
Section 19: Analyze User Datagram Protocol (UDP) Traffic
Section 20: Analyze Transmission Control Protocol (TCP) Traffic
Section 21: Graph IO Rates and TCP Trends
Section 22: Analyze Dynamic Host Configuration Protocol (DHCPv4/DHCPv6) Traffic
Day Three (June 21, 2013): Key Topics in Sections 23-33
Section 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic
Section 24: Analyze File Transfer Protocol (FTP) Traffic
Section 25: Analyze Email Traffic
Section 26: Introduction to 802.11 (WLAN) Analysis
Section 27: Voice over IP (VoIP) Analysis Fundamentals
Section 28: Baseline “Normal” Traffic Patterns
Section 29: Find the Top Causes of Performance Problems
Section 30: Network Forensics Overview
Section 31: Detect Scanning and Discovery Processes
Section 32: Analyze Suspect Traffic
Section 33: Effective Use of Command-Line Tools
For a complete list of Wireshark Certified Network Analyst Exam Objectives, see Appendix A.
[1] Estimated daily schedule; actual schedule may vary.
Am I Ready for the WCNA Boot Camp?
To ensure you get the most out of the WCNA Boot Camp, you should be comfortable with the following Wireshark tasks and correctly answer all quiz questions without using reference materials. The Answer Key is located on page 10. If you cannot quickly complete the tasks or you need to reach for reference materials to answer quiz questions, you may need a bit more practice and study time before registering for the WCNA Boot Camp.
Prerequisite Tasks
Task 1: Determine on which interfaces Wireshark can capture traffic.
Task 2: Apply a capture filter for traffic to or from a specific port number.
Task 3: Successfully open a trace file.
Task 4: Determine how many packets are in a trace file.
Task 5: Expand individual areas or entire subtrees in the Packet Details pane.
Task 6: Resize and sort columns in the Packet List pane.
Task 7: Identify all active TCP conversations in a trace file.
Task 8: Create an IO Graph.
Task 9: Apply a display filter for traffic to or from a specific IP address.
Task 10: Save a filtered set of packets to a new file.
Prerequisite Quiz
Q-1. Wireshark relies on the WinPcap driver when running on a Windows host.
True
False
Q-2. The TCP handshake consists of SYN, SYN/ACK and ACK packets.
True
False
Q-3. The Wireshark IO Graph can be used to view the packets-per-second rate of traffic.
True
False
Q-4. The filter ip.addr == 10.10.10.10 can be used as a capture filter.
True
False
Q-5. The packet shown above would be forwarded out all switch ports.
True
False
Q-6. Based on the image above, Wireshark has captured 216 packets.
True
False
Q-7. Promiscuous mode must be enabled when using Wireshark to capture traffic between other hosts on a network.
True
False
Q-8. The IP address notation 10.6.0.0/16 refers to all hosts whose IP address begins with 10.6.
True
False
Q-9. The Wireshark Packet Details pane displays individual header fields and values if Wireshark has a dissector for those headers.
True
False
Q-10. Wireshark Capture Filters can be applied to saved trace files.
True
False
Q-11. The packet shown above should not be forwarded by routers.
True
False
Q-12. DNS can be used to discover the IP address of a host.
True
False
Q-13. Ethernet headers are stripped off and reapplied by routers during the forwarding process.
True
False
Q-14. You cannot alter the format of the Time column in Wireshark’s Packet List pane.
True
False
Q-15. Wireshark’s default trace file format appends .cap to the end of the file name.
True
False
Q-16. The filter icmp.type==3 can be used as a capture filter or display filter.
True
False
Q-17. The image above depicts the first packet of a TCP handshake.
True
False
Q-18. Multicasts are used to communicate with a group of hosts.
True
False
Q-19. UDP is a connection-oriented transport protocol.
True
False
Q-20. You can purchase Wireshark through www.wireshark.org.
True
False
Answer Key
A-1. True. Wireshark relies on the WinPcap driver when running on a Windows host.
A-2. True. The TCP handshake consists of SYN, SYN/ACK and ACK packets. This is referred to as the three-way handshake.
A-3. True. The packet shown would be forwarded out all switch ports because it is addressed to the Ethernet broadcast address (0xff:ff:ff:ff:ff:ff).
A-4. True. The Wireshark IO Graph can be used to view the packets-per-second rate of traffic. The IO Graph can also be configured to display bits per second and bytes per second.
A-5. False. The filter ip.addr == 10.10.10.10 is a display filter. The proper capture filter would be host 10.10.10.10.
A-6. False. Based on the Status Bar in the image shown, Wireshark has captured 12,716 packets.
A-7. True. Promiscuous mode enables Wireshark to capture traffic that is destined to other hardware addresses, not just the local hardware address.
A-8. True. This is a CIDR IP address notation. The term 10.6.0.0/16 refers to all hosts whose IP address begins with 10.6.
A-9. True. The Wireshark Packet Details pane displays individual header fields and values if Wireshark has a dissector for those headers.
A-10. False. Wireshark Capture Filters can only be applied during the capture process, not to saved trace files.
A-11. True. The packet shown has a Time-to-Live value of 1. Routers cannot forward the packet on as it is “expired”.
A-12. True. DNS queries can be sent to discover the IP address of a host.
A-13. True. Ethernet headers are stripped off and reapplied by routers during the forwarding process.
A-14. False. You can alter the format of the Time column in Wireshark’s Packet List pane by selecting View | Time Display Format.
A-15. False. Wireshark’s default trace file format appends .pcapng to the end of the file name. Prior to version 1.8.x, Wireshark appended .pcap to the file names.
A-16. False. The filter icmp.type==3 is a display filter.
A-17. False. The image does not depict the first packet of a TCP handshake which would have only the SYN bit set.
A-18. True. Multicasts are used to communicate with a group of hosts.
A-19. False. UDP is a connectionless transport protocol. TCP is a connection-oriented transport protocol.
A-20. False. Wireshark is open source and free.
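Several answers above come down to reading specific header fields: the Ethernet destination address (broadcast, A-3), the IPv4 Time-to-Live (A-11), the TCP flag byte (a handshake's first packet carries SYN alone, A-17) and CIDR membership (A-8). The following Python decoder is an added example, not part of the boot camp materials or the Study Guide; it parses a raw Ethernet/IPv4/TCP frame with the standard library and applies those same checks. The frame it builds is constructed for the demonstration and is not a real capture.

```python
"""Decode a raw Ethernet/IPv4/TCP frame and apply the forwarding and handshake
checks from the prerequisite quiz answer key. Added example; sample frames are constructed."""
import ipaddress
import struct

ETHERNET_BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_frame(frame: bytes) -> dict:
    """Return the header fields the quiz asks about; raise on a malformed frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac = ":".join(f"{b:02x}" for b in frame[0:6])
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": dst_mac, "src_mac": src_mac, "ethertype": ethertype,
            # A switch floods a frame addressed to the broadcast MAC out all ports
            "is_broadcast": dst_mac == ETHERNET_BROADCAST}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not a well-formed IPv4 header")
    info.update({"ttl": ttl, "protocol": proto,
                 "src_ip": str(ipaddress.IPv4Address(src)),
                 "dst_ip": str(ipaddress.IPv4Address(dst)),
                 # A router decrements TTL before forwarding; TTL 1 expires at the first hop
                 "router_can_forward": ttl > 1})
    if proto == IPPROTO_TCP and len(ip) >= ihl + 14:
        tcp = ip[ihl:]
        src_port, dst_port = struct.unpack("!HH", tcp[:4])
        flags = tcp[13]  # flag byte follows the data-offset byte
        info.update({"src_port": src_port, "dst_port": dst_port, "tcp_flags": flags,
                     # first handshake packet: SYN set and nothing else
                     "is_handshake_first_packet": flags == TCP_SYN,
                     "is_syn_ack": flags == (TCP_SYN | TCP_ACK)})
    return info


def in_network(ip: str, cidr: str) -> bool:
    """CIDR membership check, e.g. any 10.6.x.x address is inside 10.6.0.0/16."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, tcp_flags,
                src_port=40000, dst_port=80) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame for demonstration (checksums left zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp


if __name__ == "__main__":
    # Constructed frame: broadcast destination, TTL 1, SYN only (quiz Q-5, Q-11, Q-17 situations)
    sample = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", "10.6.1.2", "10.6.255.255", 1, TCP_SYN)
    decoded = parse_frame(sample)
    for key, value in decoded.items():
        print(f"{key}: {value}")
    print("src in 10.6.0.0/16:", in_network(decoded["src_ip"], "10.6.0.0/16"))
```

The decoder deliberately refuses truncated or non-IPv4 input instead of indexing blindly, which is the same discipline a dissector needs: every field offset is derived from a length or header value that was validated first.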
Appendix A: Wireshark Certified Network Analyst Exam Objectives (Test WCNA102.1)
Key Area icon: marks key topics to study in preparation for the Exam.
Section 1: Network Analysis Overview
Define the Purpose of Network Analysis
List Troubleshooting Tasks for the Network Analyst
List Security Tasks for the Network Analyst
List Optimization Tasks for the Network Analyst
List Application Analysis Tasks for the Network Analyst
Define Legal Issues of Listening to Network Traffic
Overcome the "Needle in the Haystack" Issue
Understand General Network Traffic Flows
Review a Checklist of Analysis Tasks
Section 2: Introduction to Wireshark
Describe Wireshark's Purpose
Know How to Obtain the Latest Version of Wireshark
Compare Wireshark Release and Development Versions
Report a Wireshark Bug or Submit an Enhancement
Capture Packets on Wired or Wireless Networks
Open Various Trace File Types
Describe How Wireshark Processes Packets
Define the Elements of the Start Page
Identify the Nine GUI Elements
Navigate Wireshark’s Main Menu
Use the Main Toolbar for Efficiency
Focus Faster with the Filter Toolbar
Make the Wireless Toolbar Visible
Access Options through Right-Click Functionality
Define the Functions of the Menus and Toolbars
Section 3: Capture Traffic
Know Where to Tap Into the Network
Know When to Run Wireshark Locally
Capture Traffic on Switched Networks
Use a Test Access Port (TAP) on Full-Duplex Networks
Define When to Set up Port Spanning/Port Mirroring on a Switch
Analyze Routed Networks
Analyze Wireless Networks
Define Options for Capturing at Two Locations Simultaneously (Dual Captures)
Identify the Most Appropriate Capture Interface
Capture on Multiple Adapters Simultaneously
Capture Traffic Remotely
Automatically Save Packets to One or More Files
Optimize Wireshark to Avoid Dropping Packets
Conserve Memory with Command-Line Capture
Section 4: Create and Apply Capture Filters
Describe the Purpose of Capture Filters
Build and Apply a Capture Filter to an Interface
Filter by a Protocol
Create MAC/IP Address or Host Name Capture Filters
Capture One Application’s Traffic Only
Use Operators to Combine Capture Filters
Create Capture Filters to Look for Byte Values
Manually Edit the Capture Filters File
Share Capture Filters with Others
Section 5: Define Global and Personal Preferences
Find Your Configuration Folders
Set Global and Personal Configurations
Customize Your User Interface Settings
Define Your Capture Preferences
Define How Wireshark Automatically Resolves IP and MAC Names
Plot IP Addresses on a World Map with GeoIP
Resolve Port Numbers (Transport Name Resolution)
Resolve SNMP Information
Configure Filter Expressions
Configure Statistics Settings
Define ARP, TCP, HTTP/HTTPS and Other Protocol Settings
Configure Protocol Settings with Right-Click
Section 6: Colorize Traffic
Use Colors to Differentiate Traffic
Disable One or More Coloring Rules
Share and Manage Coloring Rules
Identify Why a Packet is a Certain Color
Create a “Butt Ugly” Coloring Rule for HTTP Errors
Color Conversations to Distinguish Them
Temporarily Mark Packets of Interest
Section 7: Define Time Values and Interpret Summaries
Use Time to Identify Network Problems
Understand How Wireshark Measures Packet Time
Choose the Ideal Time Display Format
Identify Delays with Time Values
Create Additional Time Columns
Measure Packet Arrival Times with a Time Reference
Identify Client, Server and Path Delays
Calculate End-to-End Path Delays
Locate Slow Server Responses
Spot Overloaded Clients
View a Summary of Traffic Rates, Packet Sizes and Overall Bytes Transferred
Section 8: Interpret Basic Trace File Statistics
Launch Wireshark Statistics
Identify Network Protocols and Applications
Identify the Most Active Conversations
List Endpoints and Map Them on the Earth
Spot Suspicious Targets with GeoIP
List Conversations or Endpoints for Specific Traffic Types
Evaluate Packet Lengths
List All IPv4/IPv6 Addresses in the Traffic
List All Destinations in the Traffic
List UDP and TCP Usage
Analyze UDP Multicast Streams
Graph the Flow of Traffic
Gather Your HTTP Statistics
Examine All WLAN Statistics
Section 9: Create and Apply Display Filters
Understand the Purpose of Display Filters
Create Display Filters Using Auto-Complete
Apply Saved Display Filters
Use Expressions for Filter Assistance
Make Display Filters Quickly Using Right-Click Filtering
Filter on Conversations and Endpoints
Understand Display Filter Syntax
Combine Display Filters with Comparison Operators
Alter Display Filter Meaning with Parentheses
Filter on the Existence of a Field
Filter on Specific Bytes in a Packet
Find Key Words in Upper or Lower Case
Use Display Filter Macros for Complex Filtering
Avoid Common Display Filter Mistakes
Manually Edit the dfilters File
Section 10: Follow Streams and Reassemble Data
Follow and Reassemble UDP Conversations
Follow and Reassemble TCP Conversations
Follow and Reassemble SSL Conversations
Identify Common File Types
Section 11: Customize Wireshark Profiles
Customize Wireshark with Profiles
Create a New Profile
Share Profiles
Create a Troubleshooting Profile
Create a Corporate Profile
Create a WLAN Profile
Create a VoIP Profile
Create a Security Profile
Section 12: Annotate, Save, Export and Print Packets
Annotate a Packet or an Entire Trace File
Save Filtered, Marked and Ranges of Packets
Export Packet Contents for Use in Other Programs
Export SSL Keys
Save Conversations, Endpoints, I/O Graphs and Flow Graph Information
Export Packet Bytes
Section 13: Use Wireshark’s Expert System
Launch Expert Info Quickly
Colorize Expert Info Elements
Filter on TCP Expert Information Elements
Define TCP Expert Information
Section 14: TCP/IP Analysis Overview
Define Basic TCP/IP Functionality
Follow the Multistep Resolution Process
Define Port Number Resolution
Define Network Name Resolution
Define Route Resolution for a Local Target
Define Local MAC Address Resolution for a Target
Define Route Resolution for a Remote Target
Define Local MAC Address Resolution for a Gateway
Section 15: Analyze Domain Name System (DNS) Traffic
Define the Purpose of DNS
Analyze Normal DNS Queries/Responses
Analyze DNS Problems
Dissect the DNS Packet Structure
Filter on the DNS/MDNS Traffic
Section 16: Analyze Address Resolution Protocol (ARP) Traffic
Define the Purpose of ARP Traffic
Analyze Normal ARP Requests/Responses
Analyze Gratuitous ARP
Analyze ARP Problems
Dissect the ARP Packet Structure
Filter on ARP Traffic
Section 17: Analyze Internet Protocol (IPv4/IPv6) Traffic
Define the Purpose of IP
Analyze Normal IPv4 Traffic
Analyze IPv4 Problems
Dissect the IPv4 Packet Structure
Filter on IPv4/IPv6 Traffic
Sanitize IPv4 Addresses in a Trace File
Set Your IP Protocol Preferences
Section 18: Analyze Internet Control Message Protocol (ICMPv4/ICMPv6) Traffic
Define the Purpose of ICMP
Analyze Normal ICMP Traffic
Analyze ICMP Problems
Dissect the ICMP Packet Structure
Filter on ICMP and ICMPv6 Traffic
Section 19: Analyze User Datagram Protocol (UDP) Traffic
Define the Purpose of UDP
Analyze Normal UDP Traffic
Analyze UDP Problems
Dissect the UDP Packet Structure
Filter on UDP Traffic
Section 20: Analyze Transmission Control Protocol (TCP) Traffic
Define the Purpose of TCP
Analyze Normal TCP Communications
Define the Establishment of TCP Connections
Define How TCP-based Services Are Refused
Define How TCP Connections are Terminated
Track TCP Packet Sequencing
Define How TCP Recovers from Packet Loss
Improve Packet Loss Recovery with Selective Acknowledgments
Define TCP Flow Control
Analyze TCP Problems
Dissect the TCP Packet Structure
Filter on TCP Traffic
Set TCP Protocol Parameters
Section 21: Graph IO Rates and TCP Trends
Use Graphs to View Trends
Generate Basic I/O Graphs
Filter I/O Graphs
Generate Advanced I/O Graphs
Compare Traffic Trends in I/O Graphs
Graph Round Trip Time
Graph Throughput Rates
Graph TCP Sequence Numbers over Time
Interpret TCP Window Size Issues
Interpret Packet Loss, Duplicate ACKs and Retransmissions
Section 22: Analyze Dynamic Host Configuration Protocol (DHCPv4/DHCPv6) Traffic
Define the Purpose of DHCP
Analyze Normal DHCP Traffic
Analyze DHCP Problems
Dissect the DHCP Packet Structure
Filter on DHCPv4/DHCPv6 Traffic
Display BOOTP-DHCP Statistics
Section 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic
Define the Purpose of HTTP
Analyze Normal HTTP Communications
Analyze HTTP Problems
Dissect HTTP Packet Structures
Filter on HTTP or HTTPS Traffic
Export HTTP Objects
Display HTTP Statistics
Graph HTTP Traffic Flows
Set HTTP Preferences
Analyze HTTPS Communications
Analyze SSL/TLS Handshake
Analyze TLS Encrypted Alerts
Decrypt HTTPS Traffic
Export SSL Keys
Section 24: Analyze File Transfer Protocol (FTP) Traffic
Define the Purpose of FTP
Analyze Normal FTP Communications
Analyze Passive Mode Connections
Analyze Active Mode Connections
Analyze FTP Problems
Dissect the FTP Packet Structure
Filter on FTP Traffic
Reassemble FTP Traffic
Section 25: Analyze Email Traffic
Analyze Normal POP Communications
Analyze POP Problems
Dissect the POP Packet Structure
Filter on POP Traffic
Analyze Normal SMTP Communication
Analyze SMTP Problems
Dissect the SMTP Packet Structure
Filter on SMTP Traffic
Section 26: Introduction to 802.11 (WLAN) Analysis
Analyze Signal Strength and Interference
Capture WLAN Traffic
Compare Monitor Mode and Promiscuous Mode
Set up WLAN Decryption
Prepend a Radiotap or PPI Header
Compare Signal Strength and Signal-to-Noise Ratios
Describe 802.11 Traffic Basics
Analyze Normal 802.11 Communications
Dissect Basic 802.11 Frame Elements
Filter on WLAN Traffic
Analyze Frame Control Types and Subtypes
Customize Wireshark for WLAN Analysis
Section 27: Voice over IP (VoIP) Analysis Fundamentals
Define VoIP Traffic Flows
Analyze Session Bandwidth and RTP Port Definition
Analyze VoIP Problems
Examine SIP Traffic
Examine RTP Traffic
Play Back VoIP Conversations
Decipher RTP Player Marker Definitions
Create a VoIP Profile
Filter on VoIP Traffic
Section 28: Baseline “Normal” Traffic Patterns
Define the Importance of Baselining
Baseline Broadcast and Multicast Types and Rates
Baseline Protocols and Applications
Baseline Boot up Sequences
Baseline Login/Logout Sequences
Baseline Traffic during Idle Time
Baseline Application Launch Sequences and Key Tasks
Baseline Web Browsing Sessions
Baseline Name Resolution Sessions
Baseline Throughput Tests
Baseline Wireless Connectivity
Baseline VoIP Communications
Section 29: Find the Top Causes of Performance Problems
Troubleshoot Performance Problems
Identify High Latency Times
Point to Slow Processing Times
Find the Location of Packet Loss
Watch Signs of Misconfigurations
Analyze Traffic Redirections
Watch for Small Payload Sizes
Look for Congestion
Identify Application Faults
Note Any Name Resolution Faults
Section 30: Network Forensics Overview
Compare Host to Network Forensics
Gather Evidence
Avoid Detection
Handle Evidence Properly
Recognize Unusual Traffic Patterns
Color Unusual Traffic Patterns
Section 31: Detect Scanning and Discovery Processes
Define the Purpose of Discovery and Reconnaissance
Detect ARP Scans (aka ARP Sweeps)
Detect ICMP Ping Sweeps
Detect Various Types of TCP Port Scans
Detect UDP Port Scans
Detect IP Protocol Scans
Define Idle Scans
Know Your ICMP Types and Codes
Analyze Traceroute Path Discovery
Detect Dynamic Router Discovery
Define Application Mapping Processes
Use Wireshark for Passive OS Fingerprinting
Detect Active OS Fingerprinting
Identify Spoofed Addresses and Scans
Section 32: Analyze Suspect Traffic
Identify Vulnerabilities in the TCP/IP Resolution Processes
Find Maliciously Malformed Packets
Identify Invalid or Dark Destination Addresses
Differentiate between Flooding or Standard Denial of Service Traffic
Find Clear Text Passwords and Data
Identify Phone Home Behavior
Catch Unusual Protocols and Applications
Locate Route Redirection Using ICMP
Catch ARP Poisoning
Catch IP Fragmentation and Overwriting
Spot TCP Splicing
Watch Other Unusual TCP Traffic
Identify Password Cracking Attempts
Build Filters and Coloring Rules from IDS Rules
Section 33: Effective Use of Command-Line Tools
Define the Purpose of Command-Line Tools
Use Wireshark.exe (Command-Line Launch)
Capture Traffic with Tshark
List Trace File Details with Capinfos
Edit Trace Files with Editcap
Merge Trace Files with Mergecap
Convert Text with Text2pcap
Capture Traffic with Dumpcap
Define Rawshark