SHARKFEST '08 | Foothill College | March 31 - April 2, 2008
T1-1: I’ve downloaded Wireshark… Now what?
Monday, March 31, 2008 – 10:30am – 12:00pm
Betty DuBois, Principal Consultant | DuBois Training & Consulting, LLC
Agenda
- Data Capture
  - Capture methods
  - Caveats
  - Capture options
  - Capture filters
- Data Analysis
  - Statistics
    - Summary Information
    - Protocol hierarchy
    - Conversations
    - Endpoints
    - IO Graphing (basic only; advanced graphing is covered in T2-9 on Tuesday)
  - Expert (need to come to my class T2-6 on Tuesday for this)
  - Basic display filtering
  - Reassembly
  - Coloring rules
Data Capture – How do I get the data?
Capture methods: Wired, Wireless
Data Capture – How do I get the data?
Capture Caveats
- Wired: Hubs, Taps, Mirrors/Monitors/SPANs
- Wireless: Promiscuous, AirPcap
Data Capture - Options
Data Capture – Focus with Filters
Syntax: Protocol Direction Host(s) Value [Logical Operation other expression]
- Protocol: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp
- Direction: src, dst, src and dst, src or dst
- Logical Operations: not, and, or
Example: tcp dst 10.1.1.1 80 and tcp dst 10.2.2.2 3128
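The following evaluator is an added example, not code from the slides, from Wireshark or from libpcap. It reads the shorthand grammar on this slide (Protocol Direction Host Value, joined with not/and/or), matches it against a few constructed packet summaries, and prints the same filter in the libpcap syntax that tcpdump and Wireshark's capture-filter field actually accept (for instance `tcp and dst host 10.1.1.1 and dst port 80`). The names `Packet`, `Primitive`, `compile_filter`, `apply_filter` and `SAMPLE` are mine; treating `ip` as also matching tcp and udp packets is a simplification of what a real capture filter does, while defaulting a missing direction to "src or dst" is libpcap's own behaviour.

```python
"""Evaluator for the slide's capture-filter shorthand (Protocol Direction Host [Value],
joined with not / and / or). Added illustration, not Wireshark or libpcap code: it
matches the shorthand against constructed packet summaries and also spells the filter
in the libpcap syntax that tcpdump and Wireshark's capture-filter field accept."""
from typing import Callable, List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    proto: str          # "tcp", "udp", "arp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


PROTOCOLS = {"ether", "fddi", "ip", "arp", "rarp", "decnet", "lat",
             "sca", "moprc", "mopdl", "tcp", "udp"}
IP_CARRIED = {"ip", "tcp", "udp"}   # simplification: "ip" also matches tcp/udp packets
# Two-word directions are folded into one token so they survive the and/or split below.
DIRECTIONS = {"src": "src", "dst": "dst", "src_and_dst": "src and dst", "src_or_dst": "src or dst"}


class Primitive(NamedTuple):
    proto: str
    direction: str      # "src", "dst", "src and dst" or "src or dst"
    host: str
    port: Optional[int]

    def matches(self, p: Packet) -> bool:
        if self.proto == "ip":
            if p.proto not in IP_CARRIED:
                return False
        elif p.proto != self.proto:
            return False
        src_ok = p.src == self.host and (self.port is None or p.sport == self.port)
        dst_ok = p.dst == self.host and (self.port is None or p.dport == self.port)
        return {"src": src_ok, "dst": dst_ok, "src and dst": src_ok and dst_ok,
                "src or dst": src_ok or dst_ok}[self.direction]

    def to_pcap(self) -> str:
        """Same primitive in libpcap syntax; no qualifier there means 'src or dst'."""
        qual = "" if self.direction == "src or dst" else self.direction + " "
        parts = [self.proto, f"{qual}host {self.host}"]
        if self.port is not None:
            parts.append(f"{qual}port {self.port}")
        return " and ".join(parts)


def parse_primitive(text: str) -> Primitive:
    """Protocol [Direction] Host [Value]; the direction defaults to 'src or dst'."""
    toks = text.split()
    if not toks or toks[0] not in PROTOCOLS:
        raise ValueError(f"expected a protocol at {text!r}")
    proto, direction = toks.pop(0), "src or dst"
    if toks and toks[0] in DIRECTIONS:
        direction = DIRECTIONS[toks.pop(0)]
    if not toks:
        raise ValueError(f"missing host in {text!r}")
    host = toks.pop(0)
    port = int(toks.pop(0)) if toks and toks[0].isdigit() else None
    if toks:
        raise ValueError(f"unexpected {' '.join(toks)!r}")
    return Primitive(proto, direction, host, port)


def compile_filter(expr: str) -> Tuple[Callable[[Packet], bool], str]:
    """Return (predicate, libpcap text). 'and' binds tighter than 'or', as in libpcap,
    so the expression is an OR of terms, each term an AND of optionally negated primitives."""
    text = expr.lower().replace("src and dst", "src_and_dst").replace("src or dst", "src_or_dst")
    terms = []
    for term in text.split(" or "):
        factors = []
        for factor in term.split(" and "):
            negated = factor.startswith("not ")
            factors.append((negated, parse_primitive(factor[4:] if negated else factor)))
        terms.append(factors)

    def predicate(p: Packet) -> bool:
        return any(all(prim.matches(p) != neg for neg, prim in term) for term in terms)

    pcap = " or ".join(
        " and ".join(f"not ({prim.to_pcap()})" if neg else prim.to_pcap() for neg, prim in term)
        for term in terms)
    return predicate, pcap


def apply_filter(expr: str, packets: List[Packet]) -> List[Packet]:
    predicate, _ = compile_filter(expr)
    return [p for p in packets if predicate(p)]


# Constructed sample traffic: a web fetch and its reply, a proxy request, a DNS query, an ARP frame.
SAMPLE = [
    Packet("tcp", "192.168.1.10", "10.1.1.1", 51000, 80),
    Packet("tcp", "10.1.1.1", "192.168.1.10", 80, 51000),
    Packet("tcp", "192.168.1.11", "10.2.2.2", 51001, 3128),
    Packet("udp", "192.168.1.10", "192.168.1.1", 5353, 53),
    Packet("arp", "192.168.1.1", "192.168.1.10"),
]

if __name__ == "__main__":
    for expr in ("tcp dst 10.1.1.1 80", "tcp dst 10.1.1.1 80 and tcp dst 10.2.2.2 3128",
                 "tcp dst 10.1.1.1 80 or tcp dst 10.2.2.2 3128", "not tcp src or dst 10.1.1.1"):
        predicate, pcap = compile_filter(expr)
        print(f"{expr!r:55} -> {pcap!r}: {sum(map(predicate, SAMPLE))} of {len(SAMPLE)} packets")
```

Running it over the slide's own example shows a point worth knowing before a long capture is started: two `dst` primitives joined with `and` cannot both be true of a single packet (a packet has one destination), so that filter captures nothing, whereas joining them with `or` captures both the web flow and the proxy flow. The libpcap rendering is what to paste into the Capture Options dialog, where the shorthand itself would be rejected.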
Data Analysis
Don’ts
- Don’t get caught in the vortex!
- Don’t start by scrolling through the packets
Do’s
- Use Statistics to baseline your environment
- Use Statistics to determine where your focus should be
- Use Graphing to support your hypothesis in those finger-pointing meetings
Data Analysis – Statistics>Summary
Data Analysis – Statistics>Protocol Hierarchy
Data Analysis – Statistics>Conversations
Data Analysis – Statistics>Endpoints
Data Analysis – Statistics>IO Graphing
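The Statistics slides above are screenshots in the original deck. As an added illustration of what those windows actually tally (not Wireshark's code, and not from the slides), the script below computes the Summary, Protocol Hierarchy, Conversations and Endpoints figures over a small constructed capture, so the numbers can be checked by hand against the definitions. The `Pkt` record, the `SAMPLE` traffic and the function names are mine; the only packet fields kept are the ones those four statistics need (time, addresses, length on the wire, and the protocol stack as `frame.protocols` shows it).

```python
"""What Wireshark's Statistics > Summary, Protocol Hierarchy, Conversations and
Endpoints windows tally, re-implemented over a constructed packet list so the
numbers can be checked by hand. Added illustration, not Wireshark code."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Pkt(NamedTuple):
    time: float      # seconds since the first packet
    src: str
    dst: str
    length: int      # bytes on the wire
    stack: str       # protocol stack, e.g. "eth:ip:tcp:http"


# Constructed sample capture: one HTTP exchange, one DNS lookup and one ARP frame.
SAMPLE: List[Pkt] = [
    Pkt(0.000, "192.168.1.10", "10.1.1.1", 74, "eth:ip:tcp"),         # SYN
    Pkt(0.010, "10.1.1.1", "192.168.1.10", 74, "eth:ip:tcp"),         # SYN/ACK
    Pkt(0.011, "192.168.1.10", "10.1.1.1", 66, "eth:ip:tcp"),         # ACK
    Pkt(0.012, "192.168.1.10", "10.1.1.1", 400, "eth:ip:tcp:http"),   # GET
    Pkt(0.050, "10.1.1.1", "192.168.1.10", 1514, "eth:ip:tcp:http"),  # response
    Pkt(0.100, "192.168.1.11", "192.168.1.1", 80, "eth:ip:udp:dns"),  # query
    Pkt(0.120, "192.168.1.1", "192.168.1.11", 96, "eth:ip:udp:dns"),  # answer
    Pkt(0.200, "192.168.1.1", "192.168.1.10", 60, "eth:arp"),         # who-has
]


def summary(packets: List[Pkt]) -> Dict[str, float]:
    """The headline numbers a baseline is built from."""
    duration = packets[-1].time - packets[0].time
    total = sum(p.length for p in packets)
    return {"packets": len(packets), "bytes": total, "duration": duration,
            "avg_packet_size": total / len(packets),
            "avg_bytes_per_sec": total / duration if duration else 0.0}


def protocol_hierarchy(packets: List[Pkt]) -> Dict[str, Tuple[int, int]]:
    """(packets, bytes) per protocol path. A frame counts toward every layer it
    carries, which is why the per-level byte totals do not add up to the capture size."""
    counts = defaultdict(lambda: [0, 0])
    for p in packets:
        layers = p.stack.split(":")
        for depth in range(1, len(layers) + 1):
            path = ":".join(layers[:depth])
            counts[path][0] += 1
            counts[path][1] += p.length
    return {path: (n, b) for path, (n, b) in counts.items()}


def conversations(packets: List[Pkt]) -> Dict[Tuple[str, str], dict]:
    """Per address pair regardless of direction: packets, bytes each way, duration."""
    stats: Dict[Tuple[str, str], dict] = {}
    for p in packets:
        a, b = sorted((p.src, p.dst))
        s = stats.setdefault((a, b), {"packets": 0, "bytes": 0, "a_to_b": 0,
                                      "b_to_a": 0, "start": p.time, "end": p.time})
        s["packets"] += 1
        s["bytes"] += p.length
        s["a_to_b" if p.src == a else "b_to_a"] += p.length
        s["end"] = max(s["end"], p.time)
    return stats


def endpoints(packets: List[Pkt]) -> Dict[str, Dict[str, int]]:
    """Per address: packets and bytes sent (tx) and received (rx)."""
    stats: Dict[str, Dict[str, int]] = {}
    for p in packets:
        for addr, way in ((p.src, "tx"), (p.dst, "rx")):
            s = stats.setdefault(addr, {"tx_packets": 0, "tx_bytes": 0,
                                        "rx_packets": 0, "rx_bytes": 0})
            s[way + "_packets"] += 1
            s[way + "_bytes"] += p.length
    return stats


def top_talkers(packets: List[Pkt], n: int = 3) -> List[str]:
    """Endpoints sorted by total bytes: where the analysis focus usually belongs."""
    ep = endpoints(packets)
    return sorted(ep, key=lambda a: ep[a]["tx_bytes"] + ep[a]["rx_bytes"], reverse=True)[:n]


if __name__ == "__main__":
    print(summary(SAMPLE))
    for path, (n, b) in sorted(protocol_hierarchy(SAMPLE).items()):
        print(f"{path:<18} {n:>3} packets {b:>6} bytes")
    for pair, s in conversations(SAMPLE).items():
        print(pair, s)
    print("top talkers:", top_talkers(SAMPLE))
```

The conversation key is the sorted address pair, which is what makes a request and its reply land in the same row; the endpoint table counts each packet twice (once for the sender, once for the receiver), so its byte column sums to twice the capture size. Those two properties are the usual source of confusion when someone first compares the Conversations and Endpoints windows with the Summary.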
Data Analysis – Basic Display Filters
When in doubt, right-click.
Find the fields you are interested in first, then build your filters with a right-click.
Data Analysis – Basic Display Filters
Filter Bar
The Filter bar will change colors to signify whether your syntax is correct:
- Green is correct
- Red is incorrect
- Yellow is questionable
The Filter dropdown will let you choose your 10 most recent filters.
Data Analysis - Reassembly
Follow the Streams – Favorite feature in Wireshark
Data Analysis – Coloring Rules
Colors help you focus on specific protocols, and/or to spot errors quickly.
Data Analysis – Coloring Rules
Rules to live by:
- Color rules are read like an ACL: the first rule to apply wins.
- Rule sets can be shared among friends with Import/Export.
- Use an empty rule set if you normally use a complex rule set but commonly turn off your colors. Your files will load faster.
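To make the "read like an ACL" rule concrete, here is an added example (mine, not Wireshark's code and not from the slides) of a first-match coloring engine: the same four rules in two orders, where moving the generic TCP rule to the top silently hides the "Bad TCP" rule beneath it, which is exactly the mistake to check for after importing a shared rule set. The `export_rules`/`import_rules` pair follows the one-rule-per-line layout of Wireshark's colorfilters file (`@name@display filter@[fg r,g,b][bg r,g,b]`, with a leading `!` for a disabled rule) so the ordering survives a round trip; the `PREDICATES` table is a toy stand-in for the display-filter engine that only understands the four constructed filter strings used here, and the colour values are made up.

```python
"""Ordered coloring rules evaluated first-match-wins, the way the slide says
Wireshark reads them (like an ACL). Added illustration, not Wireshark code. The
import/export functions follow the line layout of Wireshark's colorfilters file
(@name@display filter@[fg r,g,b][bg r,g,b]; a leading '!' marks a disabled rule);
the matcher only understands the constructed filter strings in PREDICATES, not
real display-filter syntax, and the colour values are invented for the example."""
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

Color = Tuple[int, int, int]    # 16-bit components, as in the colorfilters file


class Frame(NamedTuple):
    proto: str              # "tcp", "http", "arp", "udp"
    analysis: str = ""      # constructed stand-in for tcp.analysis.* flags


class ColorRule(NamedTuple):
    name: str
    display_filter: str
    fg: Color
    bg: Color
    enabled: bool = True


# Toy stand-ins for the display filters used below (constructed, not a filter engine).
PREDICATES: Dict[str, Callable[[Frame], bool]] = {
    "tcp.analysis.flags": lambda f: f.proto in ("tcp", "http") and f.analysis != "",
    "http": lambda f: f.proto == "http",
    "tcp": lambda f: f.proto in ("tcp", "http"),
    "arp": lambda f: f.proto == "arp",
}


def first_match(frame: Frame, rules: List[ColorRule]) -> Optional[str]:
    """Walk the list top-down; the first enabled rule that matches decides the colour."""
    for rule in rules:
        if rule.enabled and PREDICATES[rule.display_filter](frame):
            return rule.name
    return None                 # nothing matched: the default list colours apply


def export_rules(rules: List[ColorRule]) -> str:
    """One rule per line in list order; '!' in front of a disabled rule."""
    lines = ["# constructed colorfilters export; one rule per line, top rule wins"]
    for r in rules:
        fg, bg = ",".join(map(str, r.fg)), ",".join(map(str, r.bg))
        lines.append(f"{'' if r.enabled else '!'}@{r.name}@{r.display_filter}@[{fg}][{bg}]")
    return "\n".join(lines) + "\n"


def import_rules(text: str) -> List[ColorRule]:
    """Parse the export back, keeping the order the file lists the rules in."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        enabled = not line.startswith("!")
        _, name, flt, colors = line.lstrip("!").split("@", 3)
        fg_text, bg_text = colors.strip("[]").split("][")
        fg = tuple(int(c) for c in fg_text.split(","))
        bg = tuple(int(c) for c in bg_text.split(","))
        rules.append(ColorRule(name, flt, fg, bg, enabled))
    return rules


BLACK = (0, 0, 0)
# Specific rules above generic ones, so TCP analysis problems are not painted as plain TCP.
GOOD_ORDER = [
    ColorRule("Bad TCP", "tcp.analysis.flags", BLACK, (65535, 25344, 25344)),
    ColorRule("HTTP", "http", BLACK, (58596, 65535, 51143)),
    ColorRule("TCP", "tcp", BLACK, (59367, 59367, 65535)),
    ColorRule("ARP", "arp", BLACK, (64250, 61680, 55255)),
]
# Same four rules with the generic TCP rule moved to the top: it now shadows "Bad TCP".
SHADOWED_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1], GOOD_ORDER[3]]
RETRANSMISSION = Frame("tcp", "retransmission")

if __name__ == "__main__":
    for label, rules in (("good order", GOOD_ORDER), ("shadowed order", SHADOWED_ORDER)):
        print(f"{label}: retransmission coloured as {first_match(RETRANSMISSION, rules)}")
    print(export_rules(GOOD_ORDER), end="")
```

Disabling a rule instead of deleting it has the same effect on the frames it would have caught: they fall through to the next rule that matches, so a disabled "Bad TCP" line turns retransmissions back into plain TCP colouring. An empty rule set exports as nothing but the comment line, which is the fast-loading configuration the slide recommends for people who normally work with colours off.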
Q & A
Questions?????
Thanks For Coming!
Enjoy the rest of the conference.