IT Trenches » packet capture

Wireshark Book – Coffee & a Quickie

Troy Tate — Mon, 29 Mar 2010 14:14:39 +0000

Laura Chappell, my favorite Bitgirl, has released a new book about the Wireshark packet capture and analysis tool. My book is on it’s way. I can’t wait to dive right in and learn some new tricks. However, in the meantime, you and I can both get a coffee and a quickie look at the new book and some features inside. Check it out. There are six quick videos of about 15 minutes or less that barely touch what you can do with Wireshark guided by Laura’s book. Grab a cup of java and enjoy!

Thanks for reading – and a tip of the hat to Laura – “enjoy life a bit at a time”.

Broadcast traffic told me the network was contaminated

Troy Tate — Fri, 18 Dec 2009 20:33:46 +0000

If you don’t know what’s broadcasting on your network, you don’t know your network! I recently discovered a rogue network cross-connection on a network. The cross connect was from an unmanaged internet connection to a private LAN. The way I discovered this was using Wireshark and listening for all traffic not from the private LAN IP range. I used a capture filter of “not 172.16.88.0/24″. This showed all non-IP traffic and especially all broadcast traffic on the network. Lo and behold, a device was doing broadcasts on a network starting with 221.x.x.x. Hmmm… a device is either misconfigured or there is a cross-connect that no one knows about or isn’t telling anyone about. The Wireshark screen is shown below highlighting just one example ARP packet showing the traffic in question.

The display filter I have in the box removes spanning tree protocol (STP) and AppleTalk ZIP broadcasts.

This is definitely unexpected and unwelcome traffic. I asked the person to immediately find and remove this rogue connection.

So, I recommend every now and then putting up Wireshark and listening to broadcasts on your network. It’s talking to you!

Has your network told you anything interesting lately? Tell me and other ITKE readers about it. Thanks for reading and let’s be good network citizens!

Free Training – Laura Chappell presents: Wireshark 201 Jumpstart – Filtering on the Good, the Bad, the Ugly

Troy Tate — Thu, 15 Oct 2009 18:44:42 +0000

Laura Chappel, the BitGirl, is at it again with another in her series of Wireshark Jumpstart webinars. The next one is called Wireshark Jumpstart 201: Filtering on the Good, the Bad, the Ugly. It will be held on October 27 – 10:00am-11:00am PDT (GMT-7). If you manage networks or want to manage a network, a good understanding of protocol and packet analysis will help you immensely with your career.

Some things you will learn in this webinar:

Using the Default Capture and Display Filters
Creating a Few Hot Capture Filters
Filtering Tips and Tricks for Troubleshooting
Filtering Tips and Tricks for Security

Even if you are very familiar with Wireshark or other packet capture and protocol decode tools, Laura’s seminars are well worth attending. You might even find out a little tidbit here or there because Repetition is one of the keys of learning. Unfortunately I will not be able to attend this webinar since I will be on a golf vacation in North Carolina. So, if you attend this event, please come back and share with me and other IT Trenches readers what you learned and how valuable the webinar was for you.

Thanks for reading and let’s continue to be good network citizens!

Where do TCP resets come from?

Troy Tate — Wed, 30 Sep 2009 13:06:36 +0000

I recently came across an excellent article on the topic of TCP resets. TCP is a connection-oriented protocol as opposed to the connectionless nature of UDP. So, if there are TCP resets on your network, this is not a bad thing and is just inherent in the protocol. Without TCP resets, a host could have a lot of partial connections established which are in the wait state awaiting further transmissions. This can exhaust the number of available sockets and cause the host to become unresponsive. This is what happened several years back with the TCP SYN flood and LAND denial of service attacks. Another reset type includes the ACK/RST. This is where a client attempts to connect to a service that is not available on that destination host.

If you manage a network and have taken packet captures to work on a problem and have seen RST packets or if you need to do this at some point in your career, you need to understand the purpose and source of the RST packets. Take a few minutes, read this excellent article that is the best explanation that I have seen on this topic. You will become better informed and better able to understand the nature of the network beast.

Where do resets come from? (No, the stork does not bring them.)

Thanks for reading and let’s continue to be good network citizens.

Using Wireshark to analyze a bot infected host

Troy Tate — Fri, 24 Jul 2009 18:03:34 +0000

My favorite Bitgirl (Laura Chappell) is at it again in this 15 minute presentation. She came across a host on a network that appears to be infected with some bot application. Take a few minutes and watch and learn! Maybe you will see something you can use or better understand some odd behavior on your local network.

Analyze a BOT infected host using Wireshark Tutorial

Beware – there is a trick question in the presentation. Think hard… you probably know the right answer!

Thanks for reading & let’s continue to be good network citizens.

Wireshark quickstart tutorial – learn to capture network traffic

Troy Tate — Mon, 20 Jul 2009 18:36:55 +0000

There are more upcoming sessions in the Laura Chappell seminar series called Wireshark 101Jumpstart tutorials. Check out the schedule at Chappell University website. Some of the things you will learn include:

Wireshark elements and capabilities
Tapping into the wired or wireless network
Capturing and filtering basics
Graphing basics

If you cannot attend the seminar, you can still register and download the seminar notes and gain access to the trace files used in the session. If you manage a network, you should learn this stuff! Be sure to register and attend early. The sessions are limited to 1000 viewers and these fill up FAST!

See my entry

Repetition is one of the keys of learning

for a how attending one of these seminars helped address an issue I was having with using Wireshark.

Thanks for reading and lets continue to be good network citizens!

Repetition is one of the keys of learning

Troy Tate — Tue, 26 May 2009 19:34:32 +0000

I recently posted an update about Laura Chappell’s Chappell University Online seminars. I attended one of these seminars today. What a great experience! I always try to attend Laura’s events and always pickup a tidbit that makes my life as a network manager easier. She gives you information about tools you can use to fight the battle of “the network is down”. Most of the time the network is behaving as designed. It’s poorly written applications or too high user expectations that create issues. So, if you want be the expert on fighting the network is “bad” syndrome – check out Laura’s presentations – I did and I learned something new…

There are many options in Wireshark that go unused or require some understanding and practice to use. Laura is great about going under the covers and revealing exactly what you need to use and how to use it. I have used ethereal (Wireshark’s predecessor) and Wireshark for several years now. It is only with continued education by Laura on the features that I am gaining a better understanding of this network analysis tool and the ins and outs of using it. For example, the Statistics – TCP Stream Graph – Round Trip Time Graph option. I thought my copy of Wireshark was flawed as I never received any results in the graph. Today, Laura’s online seminar showed me that I was likely reversing the results and ending up with an empty result set. Now I know! You can almost always learn something new about something old. Just keep digging! Thanks Laura for the tip.

In case you have missed any previous postings about Laura, here’s a few for you to check out.

Is protocol analysis or network management your thing?

ARP as a network auditing tool

Did you see this? – Latest Laura Chappell Newsletter

Did you see this? – the viral bitgirl

Thanks for reading & let’s continue to be good network citizens.

Master key tasks for network troubleshooting – Chappell University Online Seminars

Troy Tate — Thu, 21 May 2009 12:57:02 +0000

I’m a huge fan of Laura Chappell. She has a great sense of humor and is a great educator about all things packet oriented. Previous posts about Laura have included:

Is protocol analysis or network management your thing?

ARP as a network auditing tool

Did you see this? – Latest Laura Chappell Newsletter

Did you see this? – the viral bitgirl

She has now started a new online seminar series. Some of the presentation are free and others are accessible for a fee of $99. If you cannot get away for education, then this is an excellent alternative and you can gain a great amount of knowledge from this packet analysis expert. I recommend that you visit Chappell Online University and sign up for the free Wireshark Jumpstart: Master Key Tasks for Network Troubleshooting seminar to get a feel for the seminars.

Thanks for reading and let’s continue to be good network citizens!

Doing Microsoft packet analysis? – Microsoft releases Network Monitor 3.3

Troy Tate — Wed, 29 Apr 2009 12:11:02 +0000

If you do packet capture or analysis in a Microsoft environment, then you are probably already familiar with Microsoft Network Monitor. If not, please read my real-world use of it for PROTOCOL analysis vs protocol analysis (with a small p). Microsoft has updated Network Monitor to v3.3. The announcement of its release can be found on the Technet blog. Some of the new features listed are:

· Ability to capture WWAN (mobile broadband) and Tunnel traffic on Windows 7.

· Full Hyper-V support on Windows Server 2008

· Right-click-add-to-alias: Right-click a frame in the Frame Summary window with an IPv4, IPv6 or MAC address to add that address as a new alias. This is one of those little things that simplifies your work-flow.

· Right-click-go-to-definition: Have you ever wondered where and how the protocols fields you see in the Frame Details are defined in our in-built parsers? Wonder no more. Introducing right-click-go-to-definition: right-click a field in the Frame Details window and select Go To Data Field Definition or Go To Data Type Definition to see where the field is defined in the NPL parsers.

· Autoscroll: Another one of those little, but priceless things … auto-scroll. See the most recent traffic as it comes in. In a live capture, click the AutoScroll button on the main toolbar to have the Frame Summary window automatically scroll down to display the most recent frames as they come in. Click Autoscroll again to freeze the view in its present location.

Several other new features are described in the Technet blog. If you capture packets on a Microsoft network, then you should get this upgraded version to add to your toolbox.

Thanks for reading and let’s continue to be good network citizens.

Is protocol analysis or network management your thing?

Troy Tate — Thu, 19 Feb 2009 13:47:09 +0000

Laura Chappell (the Viral Bitgirl) has announced that Sharkfest 09 registration is open and all registered attendees get a FREE AIRPCAP ADAPTER (US $198)! Sharkfest is the Developer/User Conference for Wireshark and it is sponsored by CACE Technologies and Wireshark University. Laura will be there with new, hot (or cool, if you prefer) topics, trace files, case studies and hands-on labs. Register today at Sharkfest.09 to get your free AirPcap adapter. [Dates: June 16-18, 2009-registration and BBQ on June 15th]

Laura has also announced that Chappell University is open for registration. Subscription-level service will be open soon. Chappell University is an affordable, on-demand, online training system to maintain and enhance IT skills in the area of analysis, troubleshooting and security. Some of the content includes two lab workbooks with over 100 lab exercises using Wireshark to spot network problems, security breaches, and analyze normal and abnormal TCP/IP communications. There are video answers to all the lab exercises. In addition, there’s an extensive trace file respository and additional WLAN, VoIP, bot-infections, application, etc., trace files will be added each quarter. Check out the new YouTube Channel for Chappell University and the video “Ethical Hacking with NetScanTools Pro: Tutorial on ARP Scanning to Discover All Local Hosts” (even those hidden behind firewall applications).

If you have never experienced training presented by Laura, this is your chance to get very in-depth, easy to understand technical training. Sure, some of the stuff may cost a little, but she has tons of free stuff out there also. The paid content is definitely worth it. I have her Master Library (pre-dates the new Chappell University) and I still refer to the content occasionally to refresh my skills in network analysis.

Thanks for reading and let’s continue to be good network citizens!