Oct 15 2009   6:44PM GMT

Free Training - Laura Chappell presents: Wireshark 201 Jumpstart - Filtering on the Good, the Bad, the Ugly

Posted by: Troy Tate
network analysis, protocol analysis, packet analysis, packet capture, training, education, wireshark, ethereal, tcp/ip, trace files, Networking, tools, Monitoring, reporting, IT education, performance monitoring, troubleshooting, howto, Metrics, analysis, Laura Chappell

Laura Chappel, the BitGirl, is at it again with another in her series of Wireshark Jumpstart webinars. The next one is called Wireshark Jumpstart 201: Filtering on the Good, the Bad, the Ugly. It will be held on October 27 - 10:00am-11:00am PDT (GMT-7). If you manage networks or want to manage a network, a good understanding of protocol and packet analysis will help you immensely with your career.

Some things you will learn in this webinar:

• Using the Default Capture and Display Filters
• Creating a Few Hot Capture Filters
• Filtering Tips and Tricks for Troubleshooting
• Filtering Tips and Tricks for Security

Even if you are very familiar with Wireshark or other packet capture and protocol decode tools, Laura’s seminars are well worth attending. You might even find out a little tidbit here or there because Repetition is one of the keys of learning. Unfortunately I will not be able to attend this webinar since I will be on a golf vacation in North Carolina. So, if you attend this event, please come back and share with me and other IT Trenches readers what you learned and how valuable the webinar was for you.

Thanks for reading and let’s continue to be good network citizens!

Jul 24 2009   6:03PM GMT

Using Wireshark to analyze a bot infected host

Posted by: Troy Tate
wireshark, ethereal, network analysis, bot, data capture, tutorial, education, Laura Chappell, information security, packet analysis, packet capture, network security, Security

My favorite Bitgirl (Laura Chappell) is at it again in this 15 minute presentation. She came across a host on a network that appears to be infected with some bot application. Take a few minutes and watch and learn! Maybe you will see something you can use or better understand some odd behavior on your local network.

Analyze a BOT infected host using Wireshark Tutorial

Beware - there is a trick question in the presentation. Think hard… you probably know the right answer!

Thanks for reading & let’s continue to be good network citizens.

Jul 20 2009   6:36PM GMT

Wireshark quickstart tutorial - learn to capture network traffic

Posted by: Troy Tate
network analysis, protocol analysis, packet analysis, packet capture, training, education, wireshark, ethereal, tcp/ip, trace files, Networking, tools, Monitoring, reporting, IT education, performance monitoring, troubleshooting, howto, Metrics, analysis, Laura Chappell

There are more upcoming sessions in the Laura Chappell seminar series called Wireshark 101Jumpstart tutorials. Check out the schedule at Chappell University website. Some of the things you will learn include:

• Wireshark elements and capabilities
  
• Tapping into the wired or wireless network
  
• Capturing and filtering basics
  
• Graphing basics

If you cannot attend the seminar, you can still register and download the seminar notes and gain access to the trace files used in the session. If you manage a network, you should learn this stuff! Be sure to register and attend early. The sessions are limited to 1000 viewers and these fill up FAST!

See my entry

Repetition is one of the keys of learning

for a how attending one of these seminars helped address an issue I was having with using Wireshark.

Thanks for reading and lets continue to be good network citizens!

May 26 2009   7:34PM GMT

Repetition is one of the keys of learning

Posted by: Troy Tate
network analysis, protocol analysis, packet analysis, packet capture, training, education, wireshark, ethereal, tcp/ip, trace files, Networking, tools, Monitoring, reporting, IT education, performance monitoring, troubleshooting, howto, Metrics, analysis, Laura Chappell

I recently posted an update about Laura Chappell’s Chappell University Online seminars. I attended one of these seminars today. What a great experience! I always try to attend Laura’s events and always pickup a tidbit that makes my life as a network manager easier. She gives you information about tools you can use to fight the battle of “the network is down”. Most of the time the network is behaving as designed. It’s poorly written applications or too high user expectations that create issues. So, if you want be the expert on fighting the network is “bad” syndrome - check out Laura’s presentations - I did and I learned something new… Continued »

May 21 2009   12:57PM GMT

Master key tasks for network troubleshooting - Chappell University Online Seminars

Posted by: Troy Tate
network analysis, protocol analysis, packet analysis, packet capture, training, education, wireshark, ethereal, tcp/ip, trace files, Networking, tools, Monitoring, reporting, IT education, performance monitoring, troubleshooting, howto, Metrics, analysis

I’m a huge fan of Laura Chappell. She has a great sense of humor and is a great educator about all things packet oriented. Previous posts about Laura have included:

Is protocol analysis or network management your thing?

ARP as a network auditing tool

Did you see this? - Latest Laura Chappell Newsletter

Did you see this? - the viral bitgirl

She has now started a new online seminar series. Some of the presentation are free and others are accessible for a fee of $99. If you cannot get away for education, then this is an excellent alternative and you can gain a great amount of knowledge from this packet analysis expert. I recommend that you visit Chappell Online University and sign up for the free Wireshark Jumpstart: Master Key Tasks for Network Troubleshooting seminar to get a feel for the seminars.

Thanks for reading and let’s continue to be good network citizens!

Feb 19 2009   1:47PM GMT

Is protocol analysis or network management your thing?

Posted by: Troy Tate
network analysis, protocol analysis, packet analysis, packet capture, training, education, wireshark, ethereal, tcp/ip, trace files

Laura Chappell (the Viral Bitgirl) has announced that Sharkfest 09 registration is open and all registered attendees get a FREE AIRPCAP ADAPTER (US $198)! Sharkfest is the Developer/User Conference for Wireshark and it is sponsored by CACE Technologies and Wireshark University. Laura will be there with new, hot (or cool, if you prefer) topics, trace files, case studies and hands-on labs. Register today at Sharkfest.09 to get your free AirPcap adapter. [Dates: June 16-18, 2009-registration and BBQ on June 15th]

Laura has also announced that Chappell University is open for registration. Subscription-level service will be open soon. Chappell University is an affordable, on-demand, online training system to maintain and enhance IT skills in the area of analysis, troubleshooting and security. Some of the content includes two lab workbooks with over 100 lab exercises using Wireshark to spot network problems, security breaches, and analyze normal and abnormal TCP/IP communications. There are video answers to all the lab exercises. In addition, there’s an extensive trace file respository and additional WLAN, VoIP, bot-infections, application, etc., trace files will be added each quarter. Check out the new YouTube Channel for Chappell University and the video “Ethical Hacking with NetScanTools Pro: Tutorial on ARP Scanning to Discover All Local Hosts” (even those hidden behind firewall applications).

If you have never experienced training presented by Laura, this is your chance to get very in-depth, easy to understand technical training. Sure, some of the stuff may cost a little, but she has tons of free stuff out there also. The paid content is definitely worth it. I have her Master Library (pre-dates the new Chappell University) and I still refer to the content occasionally to refresh my skills in network analysis.

Thanks for reading and let’s continue to be good network citizens!

Jan 9 2009   4:38PM GMT

PROTOCOL analysis vs protocol analysis (with a small p)

Posted by: Troy Tate
protocol analysis, SMTP, tcp, network monitor, wireshark, Microsoft, Microsoft Exchange, patches, OSI model

Recently we had an issue at a site where outbound messages larger than 1MB were backing up in the outbound message queue. The messages were tagged with a 421 4.4.2 Connection dropped error. This was a puzzling issue since the smart relay host was on the local LAN, and in fact, on the same switch as the Exchange server.  We checked the switch ports and NICs for errors. None were found. We knew messages were successfully coming inbound through this site because the smart relay host was processing hundreds of them per hour (we use regional hubs and this is one of our hub sites).

We first contacted the vendor for the smart relay host appliance and opened a support ticket. No real issues were identified at first review. Since the errors were being reported at the Exchange server, we contacted Microsoft and opened a support ticket. We spent hours testing and changing configuration to another regional smart relay host which seemed to get the messages delivered successfully, but we were still not able to find out what was causing the conversations with the local smart relay host to timeout.

So, we went into deeper debug mode since the application and server event logs did not shed any light on the issue. The Microsoft engineer enabled protocol logging on this particular send connector. The protocol logs did give a little more information on the situation. A snippet is shown below.

2009-01-08T22:36:19.495Z,SendConn,08CB3FF87FA34699,16,exchsvr:20709,relayhost:25,>,RCPT TO:<someone@there.com>,
2009-01-08T22:36:19.495Z,SendConn,08CB3FF87FA34699,17,exchsvr:20709,relayhost:25,<,”250 Requested mail action okay, completed.”,
2009-01-08T22:36:19.589Z,SendConn,08CB3FF87FA34699,18,exchsvr:20709,relayhost:25,>,DATA,
2009-01-08T22:36:19.589Z,SendConn,08CB3FF87FA34699,19,exchsvr:20709,relayhost:25,<,”354 Enter mail, end with “”.”” on a line by itself.”,
2009-01-08T22:36:25.417Z,SendConn,08CB3FF87FA34699,20,exchsvr:20709,relayhost:25,-,,Remote
2009-01-08T22:37:25.431Z,SendConn,08CB3FF87FA346A1,0,,relayhost:25,*,,attempting to connect
2009-01-08T22:37:25.431Z,SendConn,08CB3FF87FA346A1,1,exchsvr:20736,relayhost:25,+,,

The conversation seemed to go fine at the beginning but something was happening at the end. Since this log did not freely give up that information, we used Microsoft’s Network Monitor 3.2 (btw-if you are still using an older version of Network Monitor, you should upgrade to v3.2. It does have some nice features that make it more user friendly - but not as nice as Wireshark) to capture the actual packets between the Exchange server and the smart relay host. We ran Network Monitor directly on the Exchange server.

At this point, we were able to capture the transaction failures. The results were very interesting and a good lesson in packet analysis versus protocol analysis. The packet analysis showed that TCP was working well. Everything at layer 4 and below seemed to be working well. This was a relief. However, it appeared that the actual problem existed at layer 6 & 7. The Exchange server was ending the SMTP (Simple Mail Transport Protocol) conversation with the “.” command (a single dot on a line by itself). The Exchange server was then waiting for the smart relay host to reply with a 250 2.6.0 status message saying the message was successfully queued for delivery. The Exchange server would then reply with a QUIT command and end the SMTP session. Since the smart relay was not responding at all with the expected status message, the SMTP conversation was timing out and messages were building up in the queue.

We found out that there were some patches for the smart relay host so we applied those. Once that was done, the messages seemed to flow normally. The other puzzling thing about this is that we have two other hub sites with the same configuration that are not experiencing this problem. So, sometime today we will be rolling out the patches to those smart relay hosts to prevent this problem from happening at those sites. This issue started out of the blue but seemed coincide with the same time Exchange Server 2007 rollup 5 was applied.

The point of this whole blog posting is that while the TCP protocol was working fine and everything looked good there, the SMTP protcol was not working correctly. It is important for a network engineer to understand networking through all of the OSI layers. You cannot just assume that if things are working well at the lower levels that things at the higher levels will work too. The reverse logic is true also. So, understand the protocols at the lower layers and also the PROTOCOLS at the upper layers if you really want to be an effective troubleshooting expert.

Let’s be good network citizens out there!

Dec 10 2008   1:33PM GMT

Did you see this? - Latest Laura Chappell Newsletter

Posted by: Troy Tate
Networking, tools, Monitoring, reporting, IT education, performance monitoring, troubleshooting, howto, network analysis, Metrics, wireshark, packet capture, education, analysis

Newsletter 120908

Discount Codes - Nmap Book – Wireshark Certification Status – Global Knowledge – Movie Update - Virtual Conference Survey

 

Holiday/End-of-Year Specials at www.wiresharkU.com

• 25% off on Wireshark University Self-Paced Courseware (code WSU1208)
• $500 off already discounted price on Laura Chappell Master Library (code LCML1208)

Hot Links

• Summit 09 Notification
• Wireshark University Discounts - See above
• Fyodor Releases Nmap Network Scanning Book!
• Virtual Conference Survey - Should we or shouldn’t we?
• Pesky Pike: Dead Rocker - D’Ambrosia/Teves, see “Hollywood” item below
• Wireshark Training Video: Customized Columns (YouTube)

 

Fyodor Releases Nmap Book

Gordon “Fyodor” Lyon, the creator of the must-have tool, Nmap, has released the long-awaited title “Nmap Network Scanning”. This 468-page book  nmap.org) is a required reading for anyone securing a network. I was thankful that Fyodor sent me a pre-release copy of the book, which was a blessing since the content was more in-depth than I’d hoped for. Chapters define scan variations, OS fingerprinting techniques, tips and tricks and the newly-developed ZenMap, the graphic front end for Nmap. “Nmap Network Scanning” should be front and center on your desk for months and years to come! Thanks, Fyodor!

Wireshark Certification Status

Final beta tests are underway for a planned January 2009 release of the long-awaited Wireshark Certification test. The Wireshark Certification Information Packet (WCIP) should be out at the beginning of the year (sign up to receive the document at www.wiresharktraining.com/certification).I know you’ve waited a long time for the certification and I appreciate your patience - it took me a lot longer to get the questions together and ensure we could deliver via the Internet.

Global Knowledge Signed as Wireshark Authorized Training Partner

We are thrilled to sign on Global Knowledge as our North American Wireshark University Authorized Training Partner. In Q1 2009, two new Wireshark courses release – the first course focuses on Wireshark basic through advanced functionality and in-depth review of TCP/IP communication patterns (CORE 1). The second course delves into troubleshooting and network forensics with the Wireshark Certification Vouchers included in the course price (CORE 2). More course information will be put on www.wiresharkU.com before end of year.Read the press release.

The Only Thing Slower than This Network is Hollywood!

Well, folks… after hearing about the ‘movie’ project for a few years now, you’re probably thinking the darn thing isn’t going to make it out there. You’re probably right, but one more step was checked off last week – the script was finalized. The writers, Joe D’Ambrosia and Tom Teves (Murray Hill 5 Productions) gave me the near-shocking news on Friday. If you don’t know these guys, check out the “Dead Rocker” (appropriate for kids) at www.youtube.com/watch?v=I5aD00UeE9g. I kinda figured out who the murderer was (at least I knew what the main clue was) after watching a second time. Can you/your kids figure it out?

Happy Holidays to All! [Oh... and if you checked out the movie link...no, I'm not a spy and no, my kids don't play soccer.]

Laura Chappell

Oct 27 2008   8:52PM GMT

Did you see this? - (Wire)Sharkfest 2008 videos - including Vint Cerf - now available

Posted by: Troy Tate
Networking, forensics, Security, tools, Microsoft Windows, Linux, Monitoring, web, reporting, Google, internet, IT education, WAN, LAN, performance monitoring, troubleshooting, Performance, Network TAPs, howto, network analysis, Metrics, wireshark, packet capture, research, education, toolkit, man-in-the-middle, analysis

Checkout the Sharkfest 2008 videos at LoveMyTool.com. If you use Wireshark or want to learn network troubleshooting, this is one of the best resources you can have in your toolkit. The videos will give you a better understanding of this tool and other tools out there.

There is even a video of Dr. Vinton G. Cerf, vice president and Chief Internet Evangelist for Google. He is responsible for identifying new enabling technologies and applications on the Internet and other platforms for the company. Widely known as a “Father of the Internet,” Vint is the co-designer with Robert Kahn of TCP/IP protocols and basic architecture of the Internet.

Have a great day and thanks for stopping by!

Oct 3 2008   7:59PM GMT

Did you see this? - Open Source Tools University

Posted by: Troy Tate
administration, Networking, Firewalls, forensics, Security, tools, Monitoring, reporting, internet, IT education, WAN, LAN, debugging, Data security, SSL, performance monitoring, blogging, design, anti-virus, troubleshooting, Performance, howto, network analysis, Sandbox, Metrics, wireshark, packet capture, research, blog, podcast, diagnostics, toolkit, analysis

If you are like me, you like those little goodie tools like nmap and wireshark that do something that is actually pretty complex but do it well and have a great following. I just came across this website that I am going to have to take some time to go through and find all of the nuggets it offers. Hope you get some use out of it too and let us know what you discover and how it made your job easier.

LoveMyTool

There are presentations on this site like the Wireshark IO Graph for Response Time Analysis (by Ray Tompkins).This should be a great online learning experience. You will find contributors like Sake Blok, a Wireshark Core Developer and Denny K Miu of StartupforLess.org - A Survival Guide for Bootstrapping Entrepreneurs