Packet Analysis Using Wireshark
Published by O'Reilly Media, Inc.
Acquire a deep understanding of network traffic
Packet analysis with Wireshark is one of the most critical hands-on skills a security practitioner can have. It is also a versatile skill, spanning many facets of cybersecurity: technical reports on network security, threat intelligence, and even application security commonly reference Wireshark. At security conferences such as DEF CON, attendees and groups such as the Wall of Sheep monitor the conference network for nefarious activity and sensitive data sent in the clear. Packet analysis and Wireshark are also used in system administration, network troubleshooting, incident response, and forensics.
Join expert Ming Chow to learn the basics of packet analysis; that is, looking at and understanding network traffic. You’ll get an introduction to the network packet, the open systems interconnection (OSI) model, and the packet capture (PCAP) file format, and then you’ll use Wireshark to reconstruct a conversation between two computers, extract pictures from a PCAP file, extract credentials that were sent insecurely over a network, and analyze malicious network traffic (“maltraffic”). Real network traffic will be used in the exercises.
What you’ll learn and how you can apply it
By the end of this live, hands-on online course, you’ll understand:
- What a network packet is, and how the headers it carries map to (encapsulate) the layers of the OSI model
- The dangers of sending sensitive data unencrypted, “in-the-clear,” over an open or untrusted network
- The difference between encoding and encryption
And you’ll be able to:
- Reconstruct files (e.g., images, video, audio, apps) from network traffic
- Catch sensitive information (including usernames and passwords) from network traffic
- Verify captured credentials without logging into a system you do not have permission to access
- Filter network traffic by IP address(es), protocol, and strings
- Analyze network traffic containing malware
- Get all the IP addresses and their associated domains in a set of network traffic
This live event is for you because...
- You’re a software engineer or web developer who wants to know more on how things work on the network level.
- You are a security practitioner who wants to understand how the network and network communications really work under the hood, beyond just using security tools.
- You want to become a network engineer or specialist, or a system administrator.
- You aspire to work in network security or threat intelligence.
Prerequisites
- A computer with Wireshark downloaded
- The Git repository that contains the PCAPs for the labs in this class (to be added)
- Basic working knowledge of computers, hardware, and software, including installing software and uploading and downloading content
- Rudimentary knowledge of computer security concepts such as plain text, encryption/decryption, and malware
Recommended preparation:
- Watch Exploring General Concepts of the OSI Model (video)
Recommended follow-up:
- Read Practical Packet Analysis, third edition (book)
- Read Practical Malware Analysis (book)
- Read Exploitation, second edition (book)
- Read Networking Self-Teaching Guide: OSI, TCP/IP, LANs, MANs, WANs, Implementation, Management, and Maintenance (book)
- Explore The Art of Hacking (video collection)
Schedule
The time frames are only estimates and may vary according to how the class is progressing.
Packet analysis, basic networking, and Wireshark (30 minutes)
- Presentation: What’s packet analysis and why use it?; What’s a packet?; OSI model; TCP/IP and the TCP three-way handshake; What’s a PCAP file?; overview of Wireshark; the Wireshark interface
- Hands-on exercise: Open a simple PCAP file
- Q&A
Reconstructing files (20 minutes)
- Presentation: Brief overview of network protocols (layer 7) where data is in plain text; reconstructing a conversation in Wireshark
- Hands-on exercises: Extract pictures from FTP traffic; reconstruct a media file
- Q&A
- Break
Finding and verifying plain text credentials (20 minutes)
- Presentation: A brief overview of Base64 and HTTP Basic authentication (Base64 encodes the credentials; it does not encrypt them)
- Hands-on exercises: Find credentials sent in plain text and verify their validity
- Q&A
Finding and reconstructing content from a large network traffic set (20 minutes)
- Hands-on exercises: Find credentials sent in plain text in a large capture and verify whether they are valid
- Presentation: String searching and filtering in Wireshark; shortcut to identifying credentials sent in plain text; getting a list of all the domains and IP addresses in the set of network traffic
- Q&A
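The three topics above, the packet and its layers (first session), Base64-encoded HTTP Basic credentials (third session), and listing the domains and IP addresses seen in a capture (this session), come together in one added example. It is not course material or code from the instructor: a small, stdlib-only Python walker that reads a classic libpcap file, peels Ethernet, IPv4 and TCP/UDP headers the way Wireshark’s packet-details pane does, decodes any `Authorization: Basic` header it finds, and maps DNS A-record answers to the names they resolve. The capture it reads (`SAMPLE_PCAP`, two frames with hosts 10.0.0.20, 10.0.0.5, 10.0.0.53 and the name intranet.example) is constructed inline so the example runs offline; the checksums in it are left zero and the parser does not verify them.

```python
import base64
import struct
from collections import defaultdict


def pcap_records(data):
    """Yield raw link-layer frames from a classic libpcap file held in memory."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"  # magic gives byte order
    assert struct.unpack(endian + "IHHiIII", data[:24])[6] == 1, "Ethernet captures only"
    pos = 24                                              # global header is 24 bytes
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        yield data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len


def parse_frame(frame):
    """Peel Ethernet -> IPv4 -> TCP/UDP and hand back the layer-7 payload with addressing."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # EtherType: only IPv4 handled here
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]                # header length in 32-bit words
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    hlen = (l4[12] >> 4) * 4 if proto == 6 else 8 if proto == 17 else None  # TCP offset / UDP fixed
    if hlen is None:
        return None
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "proto": proto, "sport": sport, "dport": dport, "payload": l4[hlen:]}


def basic_auth_credentials(frames):
    """Basic auth is Base64 encoding, not encryption: anyone on the wire decodes it."""
    found = []
    for pkt in filter(None, map(parse_frame, frames)):
        if pkt["proto"] != 6 or b" HTTP/1." not in pkt["payload"]:
            continue
        for line in pkt["payload"].split(b"\r\n"):
            if line.lower().startswith(b"authorization: basic "):
                user, _, pw = base64.b64decode(line.split(b" ", 2)[2]).partition(b":")
                found.append((pkt["src"], pkt["dst"], user.decode(), pw.decode()))
    return found


def _dns_name(msg, pos):
    """Read a DNS name, following RFC 1035 compression pointers; returns (name, next pos)."""
    labels = []
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:                              # pointer: 14-bit offset into message
            tail, _ = _dns_name(msg, struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF)
            return ".".join(labels + [tail]), pos + 2
        if n == 0:
            return ".".join(labels), pos + 1
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n


def dns_hosts(frames):
    """Map each name in DNS A-record answers to the IPs it resolved to."""
    hosts = defaultdict(set)
    for pkt in filter(None, map(parse_frame, frames)):
        msg = pkt["payload"]
        if pkt["proto"] != 17 or pkt["sport"] != 53 or len(msg) < 12:
            continue
        flags, qd, an = struct.unpack("!HHH", msg[2:8])
        if not flags & 0x8000:                            # QR bit clear: a query, no answers
            continue
        pos = 12
        for _ in range(qd):                               # skip the question section
            pos = _dns_name(msg, pos)[1] + 4
        for _ in range(an):
            name, pos = _dns_name(msg, pos)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10
            if rtype == 1 and rdlen == 4:                 # A record: 4-byte IPv4 address
                hosts[name].add(".".join(map(str, msg[pos:pos + 4])))
            pos += rdlen
    return {k: sorted(v) for k, v in hosts.items()}


# Constructed sample capture (not real traffic): one DNS answer, one HTTP request.
def _frame(src, dst, proto, sport, dport, payload):
    if proto == 6:   # TCP header: PSH|ACK, data offset 5 words; checksums left zero
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:            # UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64,
                     proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload   # zeroed MACs, EtherType IPv4


def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # LINKTYPE_ETHERNET
    return hdr + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))


HTTP_REQ = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
            + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n")
DNS_RESP = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)           # response, 1 Q, 1 A
            + b"\x08intranet\x07example\x00" + struct.pack("!HH", 1, 1)   # question: A, IN
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 5]))
SAMPLE_PCAP = _pcap([_frame("10.0.0.53", "10.0.0.20", 17, 53, 40000, DNS_RESP),
                     _frame("10.0.0.20", "10.0.0.5", 6, 51000, 80, HTTP_REQ)])

if __name__ == "__main__":
    frames = list(pcap_records(SAMPLE_PCAP))
    print(basic_auth_credentials(frames), dns_hosts(frames))
```

Run it and the Basic credentials `alice:hunter2` come straight back out of the capture, which is the whole point of the “encoding is not encryption” lesson: the only thing protecting a Basic-auth login is TLS on the connection. In Wireshark the equivalent shortcuts are the display filters `http.authorization` (Wireshark decodes the Base64 for you in the packet details) and `dns.flags.response == 1 && dns.a` for the name-to-address answers; Statistics > Resolved Addresses gives the same name list for the whole capture.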
Analyzing network traffic containing malware (20 minutes)
- Hands-on exercise: Analyze a PCAP
- Presentation: An explanation of this maltraffic
- Q&A
Wrap-up and Q&A (10 minutes)
Your Instructor
Ming Chow
Ming Chow is an associate teaching professor in the Department of Computer Science at Tufts University. His areas of interest are web and mobile security. Ming has spoken at numerous organizations and conferences, including the HTCIA, OWASP, InfoSec World, the Design Automation Conference (DAC), DEF CON, Intel, SOURCE, HOPE, BSides, and ACM SIGCSE. Since 2014 he has served as a mentor for the BSides Las Vegas Proving Ground track, which helps new speakers in the information security and hacker communities acclimate to public speaking. Ming received the 2016 Henry and Madeline Fischer Award, given to the faculty member of the Tufts School of Engineering judged by graduating seniors to be “Engineering’s teacher of the year,” as well as the 2017 Lerman-Neubauer Prize for Outstanding Teaching and Advising at Tufts, awarded to a faculty member who has had a profound intellectual impact on their students, both inside and outside the classroom.