SHARKFEST '08 | Foothill College | March 31 - April 2, 2008
T1-1: I’ve downloaded Wireshark… Now what?
Monday, March 31, 2008 – 10:30am – 12:00pm
Betty DuBois, Principal Consultant | DuBois Training & Consulting, LLC
Agenda
  Data Capture
    Capture methods
    Caveats
    Capture options
    Capture filters
  Data Analysis
    Statistics: summary information, protocol hierarchy, conversations, endpoints,
      IO graphing (basic only; advanced IO graphing is covered in T2-9 on Tuesday)
    Expert (covered in my class T2-6 on Tuesday)
    Basic display filtering
    Reassembly
    Coloring rules
Data Capture – How do I get the data?
  Capture methods: wired or wireless
  Capture caveats
    Wired: hubs, taps, mirrors/monitors/SPANs. A hub repeats every frame to every port; a tap copies the link passively; a SPAN/mirror port is the easiest to set up but can silently drop frames when the mirrored traffic exceeds the port's bandwidth, so a clean-looking SPAN capture is not proof that nothing was lost.
    Wireless: promiscuous mode on an ordinary adapter shows only your own network's data frames; AirPcap captures raw 802.11 frames, including the management and control frames that wireless troubleshooting usually needs.
Data Capture - Options
Data Capture – Focus with Filters
Capture filters use libpcap/BPF syntax (not display-filter syntax), and packets they exclude are never written to disk, so keep them broad when you are not sure what you are looking for.
  Syntax: Protocol Direction Host(s) Value [Logical Operation Other expression]
  Protocol: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp
  Direction: src, dst, src and dst, src or dst
  Logical operations: not, and, or
  Example: (tcp and dst host 10.1.1.1 and dst port 80) or (tcp and dst host 10.2.2.2 and dst port 3128)
  Note the "or" between the two destinations: a single packet has only one destination, so joining the two clauses with "and" produces a filter that can never match.
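As an added example (not part of the original slides), the following Python builds the capture filter above from a list of destination host/port pairs and checks that it compiles before a capture is started. The check relies on tcpdump's -d option, which prints the compiled BPF program without capturing; compiling against a header-only pcap file avoids needing an interface or root. The host/port pairs, the temporary file, and the helper names are assumptions of this example.

```python
import shutil
import struct
import subprocess
import tempfile

# Constructed example: the two destination host/port pairs from the slide.
TARGETS = [("10.1.1.1", 80), ("10.2.2.2", 3128)]


def capture_filter(targets, proto="tcp"):
    """Build a libpcap (BPF) capture filter for traffic *to* any of the given
    (host, port) pairs. One packet has exactly one destination, so the
    per-target clauses are joined with 'or'; joining them with 'and' would
    produce a filter that can never match."""
    clauses = [f"({proto} and dst host {host} and dst port {port})"
               for host, port in targets]
    return " or ".join(clauses)


def filter_compiles(expr):
    """Check a capture filter before starting a capture by letting tcpdump
    compile it (-d prints the BPF program and exits without capturing).
    Compiling against an empty pcap file needs no interface or privileges.
    Returns (ok, message); ok is None when tcpdump is not installed."""
    if shutil.which("tcpdump") is None:
        return None, "tcpdump not found; syntax not checked"
    # pcap global header only: magic, version 2.4, tz 0, sigfigs 0,
    # snaplen 65535, link type 1 (DLT_EN10MB). No packet records follow.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    with tempfile.NamedTemporaryFile(suffix=".pcap") as fh:
        fh.write(header)
        fh.flush()
        proc = subprocess.run(["tcpdump", "-r", fh.name, "-d", expr],
                              capture_output=True, text=True)
    out = (proc.stdout if proc.returncode == 0 else proc.stderr).strip()
    return proc.returncode == 0, out


if __name__ == "__main__":
    expr = capture_filter(TARGETS)
    print(expr)
    ok, msg = filter_compiles(expr)
    print("compiles:", ok)
    print(msg)
```

Once the expression compiles, pass it to the capture tool unchanged (dumpcap/tshark -f "..."); the same string is what the Capture Options dialog accepts in its capture filter field.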
Data Analysis
Don'ts
  Don't get caught in the vortex!
  Don't start by scrolling through the packets
Do's
  Use Statistics to baseline your environment
  Use Statistics to determine where your focus should be
  Use Graphing to support your hypothesis in those finger-pointing meetings
Data Analysis – Statistics>Summary
Data Analysis – Statistics>Protocol Hierarchy
Data Analysis – Statistics>Conversations
Data Analysis – Statistics>Endpoints
Data Analysis – Statistics>IO Graphing
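The statistics windows above are screenshots in the original deck. To make concrete what each one computes, here is an added Python example (not Wireshark code) that derives the protocol hierarchy, bidirectional conversations, per-endpoint totals and the per-second IO graph counts from a small constructed capture. The packet records, field layout and function names are this example's own assumptions.

```python
from collections import defaultdict

# Constructed sample capture, not a real trace: (time in seconds, source IP,
# source port, destination IP, destination port, protocol stack as the
# protocol hierarchy shows it, frame length in bytes). Port 0 marks a
# protocol without ports.
PACKETS = [
    (0.00, "10.1.1.10", 52341, "10.2.2.2",  80,    "eth/ip/tcp",      74),
    (0.01, "10.2.2.2",  80,    "10.1.1.10", 52341, "eth/ip/tcp",      74),
    (0.02, "10.1.1.10", 52341, "10.2.2.2",  80,    "eth/ip/tcp/http", 320),
    (0.50, "10.2.2.2",  80,    "10.1.1.10", 52341, "eth/ip/tcp/http", 1514),
    (1.10, "10.1.1.10", 40000, "10.1.1.1",  53,    "eth/ip/udp/dns",  78),
    (1.15, "10.1.1.1",  53,    "10.1.1.10", 40000, "eth/ip/udp/dns",  142),
    (2.30, "10.1.1.11", 0,     "10.1.1.1",  0,     "eth/ip/icmp",     98),
]


def protocol_hierarchy(packets):
    """Packets and bytes per protocol node. A frame counts once at every
    level of its stack (eth, eth/ip, eth/ip/tcp, ...), which is why the
    numbers at the top of the hierarchy equal the whole capture."""
    stats = defaultdict(lambda: [0, 0])
    for pkt in packets:
        layers = pkt[5].split("/")
        for depth in range(1, len(layers) + 1):
            node = stats["/".join(layers[:depth])]
            node[0] += 1
            node[1] += pkt[6]
    return {k: tuple(v) for k, v in stats.items()}


def conversations(packets):
    """Bidirectional transport conversations: both directions of a flow share
    one key (the sorted pair of endpoints), so 'who talks to whom' reads as
    one line per connection rather than two."""
    stats = defaultdict(lambda: [0, 0])
    for _, src, sport, dst, dport, _, length in packets:
        key = tuple(sorted([(src, sport), (dst, dport)]))
        stats[key][0] += 1
        stats[key][1] += length
    return {k: tuple(v) for k, v in stats.items()}


def endpoints(packets):
    """Per-address totals split into transmitted and received."""
    stats = defaultdict(lambda: {"tx_pkts": 0, "tx_bytes": 0,
                                 "rx_pkts": 0, "rx_bytes": 0})
    for _, src, _, dst, _, _, length in packets:
        stats[src]["tx_pkts"] += 1
        stats[src]["tx_bytes"] += length
        stats[dst]["rx_pkts"] += 1
        stats[dst]["rx_bytes"] += length
    return dict(stats)


def top_talkers(endpoint_stats, n=3):
    """Endpoints ordered by total bytes: the first place to look when deciding
    where to focus, instead of scrolling through packets."""
    totals = [(ip, s["tx_bytes"] + s["rx_bytes"]) for ip, s in endpoint_stats.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))[:n]


def io_graph(packets, tick=1.0):
    """Packets and bytes per time bucket: the numbers behind the IO graph."""
    buckets = defaultdict(lambda: [0, 0])
    for pkt in packets:
        b = int(pkt[0] // tick)
        buckets[b][0] += 1
        buckets[b][1] += pkt[6]
    return {b: tuple(v) for b, v in sorted(buckets.items())}


if __name__ == "__main__":
    for node, (pkts, octets) in sorted(protocol_hierarchy(PACKETS).items()):
        print(f"{node:<20} {pkts:>3} pkts {octets:>6} bytes")
    for key, (pkts, octets) in conversations(PACKETS).items():
        print(key, pkts, "pkts", octets, "bytes")
    print(top_talkers(endpoints(PACKETS)))
    print(io_graph(PACKETS))
```

The same numbers, taken from a capture made during normal operation, are the baseline; a later capture whose protocol mix, top talkers or IO graph shape departs from it is where the hypothesis starts.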
Data Analysis – Basic Display Filters
When in doubt, right-click.
Find the fields you are interested in first, then build your filters with a right-click.
Data Analysis – Basic Display Filters
Filter bar
  The filter bar changes color to tell you whether your syntax is valid:
    Green: the filter is valid
    Red: the filter is invalid and cannot be applied
    Yellow: the filter is valid but may not do what you expect. The usual case is "!=": "ip.addr != 10.1.1.1" is accepted, but it does not exclude that host, because the expression is true whenever either address in the packet differs. Use "!(ip.addr == 10.1.1.1)" instead.
  The Filter dropdown lets you choose from your 10 most recent filters.
Data Analysis - Reassembly
Follow the Streams – favorite feature in Wireshark. Follow TCP Stream puts the segments of one connection back in sequence-number order, drops retransmitted data, and shows the application-layer payload of both directions as the endpoints saw it.
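As an added illustration of what "follow the stream" has to do (example code, not Wireshark's implementation), the following Python reassembles both directions of a constructed TCP connection whose segments arrive out of order and include a retransmission. It also stops at the first gap and reports the missing sequence number, since a segment that never reached the capture point is a finding in itself. The segments, sequence numbers and helper names are this example's assumptions.

```python
# Constructed TCP segments from one connection, in capture order: (direction,
# sequence number, payload). The server's third segment arrives before its
# second, and its first is retransmitted, as real captures often look.
SEGMENTS = [
    ("client", 1001, b"GET /index.html HTTP/1.1\r\n"),
    ("server", 5001, b"HTTP/1.1 200 OK\r\n"),
    ("client", 1027, b"Host: example.test\r\n\r\n"),
    ("server", 5039, b"hello"),                     # arrives out of order
    ("server", 5001, b"HTTP/1.1 200 OK\r\n"),       # retransmission
    ("server", 5018, b"Content-Length: 5\r\n\r\n"),
]
# First data sequence number per direction (in a real capture this comes from
# the SYN: ISN + 1). Assumed here.
FIRST_SEQ = {"client": 1001, "server": 5001}


def reassemble(segments, first_seq):
    """Rebuild one direction's payload from (seq, data) pairs.

    Segments are ordered by sequence number; data already delivered
    (retransmissions, overlapping prefixes) is dropped; reassembly stops at
    the first gap and returns (bytes so far, missing sequence number), so a
    segment absent from the capture is reported rather than papered over.
    Returns (payload, None) when the stream is complete."""
    expected = first_seq
    out = bytearray()
    for seq, data in sorted(segments, key=lambda s: s[0]):
        end = seq + len(data)
        if end <= expected:
            continue                      # nothing new in this segment
        if seq > expected:
            return bytes(out), expected   # hole: bytes [expected, seq) missing
        out += data[expected - seq:]      # keep only the part past 'expected'
        expected = end
    return bytes(out), None


def follow_stream(segments, first_seq):
    """'Follow TCP Stream' for both directions:
    returns {direction: (payload, gap_at_or_None)}."""
    by_dir = {}
    for direction, seq, data in segments:
        by_dir.setdefault(direction, []).append((seq, data))
    return {d: reassemble(segs, first_seq[d]) for d, segs in by_dir.items()}


if __name__ == "__main__":
    for direction, (payload, gap) in follow_stream(SEGMENTS, FIRST_SEQ).items():
        print(f"--- {direction} ---")
        print(payload.decode("ascii"))
        if gap is not None:
            print(f"[stream incomplete: no data for seq {gap}]")
```

The ordering step is why a stream view is readable when the packet list is not: the packet list shows arrival order, the stream shows sequence order.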
Data Analysis – Coloring Rules
Colors help you focus on specific protocols, and/or to spot errors quickly.
Data Analysis – Coloring Rules
Rules to live by:
  Color rules are read like an ACL: the first rule that matches wins, so put specific rules above general ones.
  Rule sets can be shared among friends with Import/Export.
  If you normally use a complex rule set but commonly turn off your colors, switch to an empty rule set instead. Your files will load faster.
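To show the first-match-wins point concretely, here is an added Python example (not Wireshark code) that evaluates an ordered rule list the way coloring rules are applied and flags rules that can never win because an earlier, broader rule always fires first. The predicates stand in for display-filter expressions (the equivalent filter is given in the comments); the packets, rule names and helper names are this example's assumptions.

```python
# Constructed packets: dicts carrying only the fields the rules look at.
PACKETS = [
    {"proto": "tcp", "flags": {"SYN"}},
    {"proto": "tcp", "flags": {"RST", "ACK"}},
    {"proto": "tcp", "flags": {"ACK"}, "retransmission": True},
    {"proto": "udp", "flags": set()},
    {"proto": "arp", "flags": set()},
]


# Predicates standing in for the display-filter string a coloring rule holds.
def is_tcp(p):      return p["proto"] == "tcp"                           # tcp
def is_tcp_rst(p):  return is_tcp(p) and "RST" in p["flags"]             # tcp.flags.reset == 1
def is_bad_tcp(p):  return is_tcp(p) and p.get("retransmission", False)  # tcp.analysis.flags
def is_arp(p):      return p["proto"] == "arp"                           # arp


# Two orderings of the same rules. Each rule is (name, predicate); list order
# is evaluation order, exactly as in the Coloring Rules dialog.
BROAD_FIRST = [("TCP", is_tcp), ("TCP RST", is_tcp_rst),
               ("Bad TCP", is_bad_tcp), ("ARP", is_arp)]
SPECIFIC_FIRST = [("TCP RST", is_tcp_rst), ("Bad TCP", is_bad_tcp),
                  ("TCP", is_tcp), ("ARP", is_arp)]


def first_match(rules, packet):
    """Color a packet: walk the rules top to bottom, first hit wins.
    Returns the rule name, or None when no rule matches."""
    for name, pred in rules:
        if pred(packet):
            return name
    return None


def shadowed_rules(rules, packets):
    """Rules that match at least one packet in the sample but never win
    because an earlier rule always fires first. A non-empty result means
    the list needs reordering (move the specific rules up)."""
    winners = {first_match(rules, p) for p in packets}
    return [name for name, pred in rules
            if name not in winners and any(pred(p) for p in packets)]


if __name__ == "__main__":
    rst = PACKETS[1]
    print("broad first   :", first_match(BROAD_FIRST, rst),
          "shadowed:", shadowed_rules(BROAD_FIRST, PACKETS))
    print("specific first:", first_match(SPECIFIC_FIRST, rst),
          "shadowed:", shadowed_rules(SPECIFIC_FIRST, PACKETS))
```

With the broad "tcp" rule at the top, a reset is painted as plain TCP and the "Bad TCP" rule never fires; moving the specific rules above it makes both visible again. Running the shadow check against a representative capture is a quick way to validate a rule set before sharing it.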
Q & A
Questions?????
Thanks For Coming!
Enjoy the rest of the conference.