WSU01 [Self-Paced Course]
Wireshark Functionality
and Fundamentals
]]>
Course Content
Learn how to use Wireshark efficiently and effectively by placing Wireshark in the ideal location
to capture traffic (even on a switched network). Learn to focus on key traffic using filters and
display your results with Wireshark’s graphs.
Course Overview - Introduction
Section 1: Introduction to Wireshark
a) History, Authors and License
b) How Wireshark Works
c) Wireshark Folders, Plugins and Help
d) Resources and References for Analysts
e) CACE Technologies - AirPcap
f) Capture on Hubbed, Switched and Routed Networks
Section 2: Capturing Packets
a) Select an Active Interface
b) Capture to a File
c) Capture to a Ring Buffer
d) Open and Work with File Sets
e) Default Capture Filters
f) Create New Capture Filters
g) Avoid Dropped Packets
h) Test Yourself
Section 3: Configuring Global Preferences
a) Customize the User Interface
b) Set Global Capture Preferences
c) Define Name Resolution Preferences
d) Alter Protocol Settings
e) My Favorite Preferences
Section 4: Navigation and Colorization Techniques
a) Go To a Specific Packet Number
b) Find Packets Based on Payload
c) Sort Columns
d) Use and Customize Packet Colors
e) Mark Packets
f) Show a Packet in a New Window
g) Test Yourself
Section 5: Using Time Values and Summaries
a) Use the Default Time Column Setting and Precision
b) Use Time Between Packets
c) Set a Time Reference and View Capture Time
d) Troubleshooting with Time
e) Analyze Summary Information
f) Test Yourself
Section 6: Examining Basic Trace File Statistics
a) Examine Protocol Hierarchies
b) View Network Connections
c) View Network Endpoints
d) Evaluate Destinations
e) View IP Address Information
f) Evaluate Packet Lengths
g) Evaluate Port Types
h) Examine Multicast Streams and Settings
i) Test Yourself
Section 7: Examining Advanced Trace File Statistics
a) Create IO Graphs
b) Create TCP Time-Sequence Graphs
c) Analyze Flow Graphs
d) Evaluate Service Response Times
e) Analyze BOOTP/DHCP Statistics
f) View HTTP Statistics
g) Create Round-Trip Time Graphs
Section 8: Creating Display Filters
a) Follow a TCP Stream
b) Create Filters from Conversations and Endpoints
c) Default Display Filters and Filter Syntax
d) Build and Save Filters Based on Packets
e) Filter on Payload Bytes
f) Use Expressions to Build Display Filter
g) Use Boolean Operands and Negatives
h) The 10 Most Useful Filters
i) Manually Edit the Filter File
Section 9: Save, Export and Print
a) Save Filtered, Marked and Ranges of Packets
b) Chart Conversation/Endpoint/Flow Graph Information
c) Save and Reassemble Data Streams
d) Export Packet Information
e) Print Packets
f) Capture/Edit Screen Shots for Reports
Section 10: Expert System and Miscellaneous Tasks
a) Use Expert and Expert Info Composite Information
b) Analyze ACL Firewall Rules
c) Protocol Forcing
d) Merging Files
e) Zoom, Autoscroll and Resizing Columns
Section 11: Using Command-Line Tools
a) tshark and dumpcap
b) capinfos
c) editcap
d) mergecap
e) text2pcap
]]>Pcapdiff is a tool developed by the EFF to compare two packet captures and identify potentially forged, dropped, or mangled packets. Two technically-inclined friends can set up packet captures (e.g. tcpdump or Wireshark) on their own computers and produce network traffic between their two computers over the Internet. Later, they can run pcapdiff on the two packet capture files to identify suspicious packets for further investigation. See Detecting packet injection: a guide to observing packet spoofing by ISPs and EFF's Test Your ISP Project for more background.
If you ever plan to become a CCNA first visit the ICND exams, buy the CCNA Certification Libary from CiscoPress but definitely get some hands-on experience. Simply check whether you know all the commands listed in my: *Cheat Sheet*.]]>
]]>
In this blogcast I've combined each segment that Ive made into a single 28min blogcast that covers the demo environment and shows you how to configure Network Access Protection from the server to the client and even the switch itself with a little bit of troubleshooting at the end. In fact I've shared the Cisco switch config below for your use!
http://snipplr.com/view/3490/ios7cryptrb/
ios7crypt: encrypts and decrypts passwords with Cisco IOS7 algorithm
PickupLine is a network exploration tool that, among other things, is capable of bypassing authentication on authenticated wireless networks.
]]>I have been working for more than a year on ACE analysis, and this will be my
second OPNETWORK conference
There was a reception last night in the Willard Hotel, wonderful ambience, and
the light finger foods, and spinach stuffed ravioli was really really good.
9:04 AM 8/27/2007
technical assistants introduction.
think of it as the science behind ace.
not point and click, how to, this is the theory of how the numbers are
calculated.
explaining to app dev that he broke a underforming app. you must be able to
support your conclusions.
not blind acceptance of the math, but understanding what the math behind the
answers is.
pdf copy of the slides on the desktop.
going over two main analysis components.
the summary of delays.
where it has spent it's time
quick predict
where it will spend it's time
talk about the various source of delays...
finish with how simulation works.
components of delay:
where should i spend my energy on troubleshooting?
summary delay chart pinpoints the areas that need analysis.
review of network delays
network hops...
complexity can be simplified... analogy of resistors and circuits.
there is an equivalent network between the client and server. it's not crucial to
model the actual, reducing complexity to simplify analysis.
bandwidth is the easiest to understand. we all agree, basically bandwidth delay
is the time it takes to clock a certain number bits per second on to the wire.
varies with the size of the packet!
the longer the packet, the longer it takes to clock on to the circuit.
from start of the packet to the end... 2000 bit packet, on a 2000 bit/second
circuit equals 1 second from start to end of packet to hit the wire.
latency delay:
length of time that it takes the rising edge of the bit to transit the circuit.
thousand mile cable, with an electric cable, propgation delay, longer to reach
california, than bethesda.
opnet defines latency ONE WAY... ping would return round-trip latency...!!!!
remember to divide in half if using ping
the bottleneck link controls how much the bandwidth plays in the equation...
usually the slowest links are entry and exit of the circuit... t1 is three times
slower than a t3 because of throttling delay.
throwing more bandwidth at a problem, only solves one of the components of the
problem.
roads, bandwidth = how many lanes the road has...
latency is the distance of that road, one lane road to new york, four hours, four
lane road still takes four hours, but if i want to send a fleet of trucks, the
four lane road allows me to send more data.
***warehouse analogy... could be created here***
application turns
application will experience the latency of the circuit, for each application
turn.
latency delay = circuit latency * (turns +1)
CONGESTION DELAY
is queing delay on devices, not the wire, you can not store data on the wire.
this is variable based on congestion.
you have to calulate the congestion delay for every single packet.
calculating network delays
clocking data on to the wire, and latency delay. BUT then we see additional delay
due to congestion delays.
clocking the data off the wire will take the same amount of time... but it does
not matter as much...
40% of mistakes because they did not specify bandwidth on import. you MUST answer
to the extent that you can.
you can not change them once they are imported... import configuration, toggle it
to previous, and then tweak the numbers when you select bandwidth and latency.
packet trains
bundles of packets, an application may send a block of data, 10 k forinstance,
and tcp chops it up into chunks
calulating delay for packet trains
so we will treat packet trains like 1 big packet
we see how bundles act like small packets, but can experience the same congestion
delays.
turns + 1 = application turns
you always experience latency once
pie chart
is telling you the benefit you will get for fixing this thing... bandwidth,
latency, congestion.
calculating delays, advanced
take the mental image if you started increasing bandwidth, to infinity , the
whole thing would compress , squeezing out bandwidth, what do you have left...
lab excercise.
response time = 26.03
bandwidth delay = (3.199,760*8)/1544000 = 16.58
percentage of bandwidth = 16.58/26.03 = 63.7
user think time is a new feature of it guru 14.
you can specify anything greater than X time factor is user think time... telling
the user to wait five seconds between screen refreshes.
you must perform the sanity check to defend your results in ACE
key concept.
every packet has a time value when you look at it in wireshark
ace knows TWO time values for each packet, when it was received and when it left.
Trace merge:
based on lining up clocks this is trivial, packet left, packet received.
single side adjust
if you specify the latency too high, you would get packet crosses.
sending a packet train... 10 packets... the ack's come back...........big gap in
the ack's
either the packet was delayed, or that ack was delayed.
acknowledgements may delayed...
there are rules that govern how ack's get delayed.
key concept: if we graph the delays... packet size, packet delay... small packets
have small delays... large packets have large delays.
*
/congestion
/____
/bandwidth ^
/______
/latency ^
/ -------
never zero latency
tcp guarantees that a packet will cross the network, it also protects the
network.
prevents single users from hogging the network
what does protocol delay look like
it is delay added by the network layer, that is overhead on the packet train.
tcp protocol delay causesd by:
tcp windowing
slow start
notice the inflight data graph is ramping up...
http 1.0 would be susceptible to this issue
frozen window
nagle's window
sending one packet at a time is inefficient
bundling to prevent inefficiency in the network
can be a problem in mainframe communications
retranmission
tcp covers how long it takes to recover from packet loss
out of sequence packets
lab 2
summary of labs, conclusion
was a congestion problem
the trace file showed the effect of protocol congestion which was slowing down
the packets
how to explain parrallel effects
reading the paper while eating breakfast
another example, dessert in the oven, making steaks... things that happen at the
same time
two types of applications:
transactional
e.g. database queries
sequential
or
parallel
multiple calls with dependencies
asynchronous
voice calls...
so parallel effects are something you have to do TWO things to make them go away.
analysis vs experimentation
simulation, is recreating variables and tuning them for determining different
effects
use QuickPredict for experiments
barchart
sweep
multi-user quick predict
Registration Desk and Internet Café open on Sunday:
Please check in at the registration desk located, in the Amphitheater Foyer of The Ronald Reagan Building, to obtain your conference badge, personal agenda, and welcome bag.
Registration opens Sunday, Aug 26th between the hours of 2 pm and 9 pm.
and at 7 am on Monday morning.
Network Warrior
by Gary A. Donahue
Publisher: O'Reilly
Pub Date: June 01, 2007
Print ISBN-10: 0-596-10151-1
Print ISBN-13: 978-0-59-610151-0
Pages: 598
Custom HOSTS editing will let you resolve the same IP address to different names, here are a few pointers on doing this:
Go to
C:\windows\system32\drivers\etc
edit the HOSTS file with notepad or something like vi.
format is IP address TAB desiredname
for example:
Use the last MAC address octet to differentiate.
127.0.0.1 localhost
192.168.1.29 SERVER-1A.COMPANY.INTERNAL.COM
192.168.1.29 SERVER-19.COMPANY.INTERNAL.COM
192.168.1.29 SERVER-23.COMPANY.INTERNAL.COM
This gives you a UNIQUE dns type name to resolve to and when picking the interfaces in the GUI you will be able to check and refer to the correct one with the MAC octet for that interface.
]]>OPNETWORK 2007
MY SESSION AGENDA
Kenneth Hunt
Monday, August 27
09:00 - 12:00 1412 ACE™ Uncovered: How ACE Analysis Really Works
12:00 - 13:00 2011 Keynote
13:00 - 14:00 2000 Lunch
14:00 - 16:00 1453 Implementing a Performance Engineering Process Within Your Organization
17:00 - 18:00 1440 Live Demo — Active Application Performance Monitoring with SLA Commander™ and ACE™
18:00 - 22:00 2001 Dinner / Reception and Entertainment
Tuesday, August 28
09:00 - 12:00 1418 Modeling Applications with the Standard Application Models
12:00 - 13:00 2012 Keynote
13:00 - 14:00 2000 Lunch
14:00 - 18:00 1415 Application Capture and Import Strategies with ACE™ — Advanced
18:00 - 19:00 1721 Birds of a Feather: Network Documentation
18:00 - 22:00 2001 Dinner / Reception and Entertainment
Wednesday, August 29
09:00 - 12:00 1423 Case Studies: Application, Server, and Enterprise Analysis I
12:00 - 13:00 2013 Keynote
13:00 - 14:00 2000 Lunch
14:00 - 16:00 1427 Capacity and Performance Planning for Mainframes — Introduction
16:00 - 18:00 1456 Importing Performance Data for Effective Capacity Management with IT Guru® Systems Planner
18:00 - 19:00 1717 Birds of a Feather: NETWARS
18:00 - 22:00 2002 Partner Pavilion / Dinner
Thursday, August 30
09:00 - 12:00 1465 Server Consolidation and Virtualization Planning with IT Guru® Systems Planner
12:00 - 13:00 2014 Keynote
13:00 - 14:00 2000 Lunch
16:00 - 18:00 1459 Capacity and Performance Planning for Mainframes — Advanced
18:00 - 22:00 2001 Dinner / Reception and Entertainment
Friday, August 31
09:00 - 12:00 1413 Troubleshooting and Predicting Web Application Performance with ACE™
12:00 - 13:00 2000 Lunch
server1:~# nmap -iL hostname.txt -n -p 27401
I will explain this, the -iL option loads the file with hostnames in it,
-n prevents DNS resolution, since, we probably are using IP addresses and -p is the flag for PORT.
server1:~# nmap -iL hosts -n -p 27401
Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-30 14:14 EDT
Interesting ports on 192.168.10.29:
PORT STATE SERVICE
27401/tcp open unknown
Interesting ports on 192.168.10.23:
PORT STATE SERVICE
27401/tcp open unknown
Interesting ports on 192.168.10.67:
PORT STATE SERVICE
27401/tcp open unknown
The Open1X project is dedicated to bringing a free, open source 802.1X/WPA/WPA2/IEEE802.11i implementation to as many target platforms as possible. [...]
IEEE 802.1X
IEEE 802.1X [...] provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails. It is used for certain closed wireless access points, and is based on the EAP, Extensible Authentication Protocol.
[...]
Some vendors are implementing 802.1X for wireless access points, to be used in certain situations where an access point needs to be operated as a closed access point, addressing the security vulnerabilities of WEP (see 802.11i). The authentication is usually done by a third-party entity, such as a RADIUS server.