T1-1: I’ve downloaded Wireshark… Now what? Monday, March 31, 2008 – 10:30am – 12:00pm

1. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 T1-1: I’ve downloaded Wireshark… Now what? Monday, March 31, 2008 – 10:30am – 12:00pm Betty DuBois Principal Consultant | DuBois Training & Consulting, LLC SHARKFEST '08 Foothill College March 31 - April 2, 2008

2. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Agenda • Data Capture • Capture methods • Caveats • Capture options • Capture filters • Data Analysis • Statistics • Summary Information • Protocol hierarchy • Conversations • Endpoints • IO Graphing (basic only – Advanced are covered T2-9 on Tuesday) • Expert – (need to come to my class T2-6 on Tuesday for this) • Basic display filtering • Reassembly • Coloring rules

3. Data Capture – How do I get the data? • Capture methods • Wired • Wireless

4. Data Capture – How do I get the data? • Capture Caveats • Wired • Hubs • Taps • Mirrors/Monitors/SPANs • Wireless • Promiscuous • AirPcap

5. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Data Capture - Options

6. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Data Capture – Focus with Filters • Syntax: • Protocol Direction Host(s) Value Logical Operations Other expression • Protocol • ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp. • Direction • src, dst, src and dst, src or dst • Logical Operations • not, and, or • Example: • tcp dst 10.1.1.1 80 and tcp dst 10.2.2.2 3128

7. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Data Analysis • Don’ts • Don’t get caught in the vortex! • Don’t start by scrolling through the packets • Do’s • Use Statistics to baseline your environment • Use Statistics to determine where your focus should be • Use Graphing to support your hypothesis in those finger pointing meetings

8. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Data Analysis – Statistics>Summary

9. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Data Analysis – Statistics>Protocol Hierarchy

10. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Data Analysis – Statistics>Conversations

11. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Data Analysis – Statistics>End Points

12. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Data Analysis – Statistics>IO Graphing

13. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Data Analysis – Basic Display Filters • When in doubt, right-click. • Find the fields you are interested in first, then build your filters with a right-click.

14. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Data Analysis – Basic Display Filters • Filter Bar • The Filter bar will change colors to signify if your syntax is correct. • Green is correct • Red is incorrect • Yellow is questionable • The Filter dropdown willlet you chose your 10 most recent filters.

15. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Data Analysis - Reassembly • Follow the Streams – Favorite feature in Wireshark

16. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Data Analysis – Coloring Rules • Colors help you focus on specific protocols, and/or to spot errors quickly.

17. SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Data Analysis – Coloring Rules • Rules to live by: • Color rules are read like an ACL, first rule to apply wins. • Rule sets can be shared among friends with Import/Export • Use an empty rule set if you normally use a complex rule set, but commonly turn off your colors. Your files will load faster.

18. Q & A • Questions?????

19. Thanks For Coming! Enjoy the rest of the conference.