SharkFest'17 US

Conference Agenda, Instructor Bios, Session Abstracts & Requirements

June 19th-22nd 2017

Carnegie Mellon University, Pittsburgh, PA



SharkFest'17 US Bios & Abstracts

Conference Agenda and Session Details - SharkFest 2017 US jas01

Monday 19 June, 2017 8:00-9:00am Breakfast (Rangos)

9:00-5:00pm Laura Chappell's "Troubleshooting with Wireshark" Course

5:00-8:30pm SharkFest Check-In and Badge Pick-Up, Welcome Dinner & Reception (Resnick Pavilion)

Session Level Legend: Beginner = Intermediate = Advanced/Developer =

Tuesday 20 June, 2017

7:00-8:30am Breakfast (Rangos)

7:30am-5:00pm SharkFest Check-in and Badge Pick-up (Hallway outside of Rangos)

8:30-9:15am Keynote: Gerald Combs: The Past, Present & Future of the Wireshark Project (McConomy) McConomy Auditorium Connan McKenna/Peter/Wright

9:15-9:30am Break

Pick Up Your Packet Challenge Sheets at the Registration Table (outside of Rangos)

9:30-10:45am

01 Practical Tracewrangling: Exploring Capture File Manipulation/Extraction Scenarios - Part 1 Jasper Bongertz

02 Introduction to Wireshark: Rookie to Vet in 75 Minutes Betty DuBois

03 Using Wireshark to Solve Real Problems for Real People: Step-by-Step Real-World Case Studies in Packet Analysis Kary Rogers

10:45-11:00am Break

11:00am-12:15pm

04 Practical Tracewrangling: Exploring Capture File Manipulation/Extraction Scenarios - Part 2 Jasper Bongertz

05 Network Security… Haven't We Solved It Yet? Mike Kershaw

06 Workflow-based Analysis of Wireshark Traces: Now We Can All Be Experts! Paul Offord

12:15-1:15pm LUNCH

1:15-2:30pm

07 Undoing the Network Blame Game & Getting to the Real Root Cause of Slow Application Performance Chris Greer

08 Command Line Review of Wireshark CLI Tools, tshark & more Christian Landström

09 Designing a Requirements-based Packet Capture Strategy John Pittle

2:30-2:45pm Break

2:45-4:00pm

10 Knowing the Unknown: How to Monitor & Troubleshoot an Unfamiliar Network Luca Deri

11 HANDS-ON TCP Analysis Jasper Bongertz

12 Baselining with Wireshark to Identify & Stop Unwanted Communications Jon Ford

4:00-4:15pm Break

4:15-5:30pm

13 Augmenting Packet Capture with Contextual Meta-Data: the What, Why & How Dr. Stephen Donnelly

14 Wireshark Case Study Exploration Sake Blok

15 Wireshark & Time: Accurate Handling of Timing when Capturing Frames Werner Fischer

5:30-9:00pm Sponsor Technology Showcase Reception and Dinner (Weigand Gym)


Session Level Legend: Beginner = Intermediate = Advanced/Developer =

Wednesday 21 June, 2017

7:00-8:30am Breakfast (Rangos)

8:30-9:30am Keynote: Dr. Peter Steenkiste, CS Professor, CMU (McConomy) McConomy Auditorium Connan McKenna/Peter/Wright

9:30-9:45am Break

9:45-11:00am

16 Hands-on Analysis of Multi-Point Captures - Part 1 Jasper Bongertz & Christian Landström

17 WiFiBeat… Visualize Data with Kibana & ElasticSearch Thomas d'Otreppe

18 Analyzing Exploit Kit Traffic with Wireshark Bradley Duncan

Visit The Reef!

11:00-11:15am Break

11:15am-12:30pm

19 Hands-on Analysis of Multi-Point Captures - Part 2 Jasper Bongertz & Christian Landström

20 Work-Shmerk/Mirai-Shmiraii: What are Those Evil Little IoT Devices Doing & How Can You Control Them? Brad Palm

21 Analysis Visualizations: Creating Charts to Speed-up Analysis Robert Bullen

12:30-1:30pm LUNCH

1:30-2:45pm

22 Understanding Throughput & TCP Windows: Factors that Can Limit TCP Throughput Performance Kary Rogers

23 Top 10 Wireshark TIPS & TRICKS Megumi Takeshita

24 Undoing the Network Blame Game & Getting to the Real Root Cause of Slow Application Performance Chris Greer

2:45-3:00pm Break

3:00pm-4:15pm

25 Workflow-based Analysis of Wireshark Traces: Now We Can All Be Experts! Paul Offord

26 Network Security… Haven't We Solved It Yet? Mike Kershaw

27 Network Forensics with Wireshark: Suspicious Traffic Detection Techniques Laura Chappell

4:15-4:30pm Break

4:30-5:45pm

28 The Doctor is In! Packet Trace Reviews with the Experts Hansang Bae, Jasper Bongertz, Christian Landström, Sake Blok

29 A Web-Based Approach to Enhance Network Packet Capture & Decode Analysis Techniques using the Wireshark Command Line Tools Ronald Henderson

30 Using the Python/Django Web Framework to Build a Remote Packet Capture Portal with tshark Kevin Burns

6:00-9:00pm Group Packet Competition Dinner & Sponsor Technology Showcase (Weigand Gym)


Session Level Legend: Beginner = Intermediate = Advanced/Developer =

Thursday 22 June, 2017

7:00am-8:30am Breakfast (Rangos)

8:30-9:30am SharkBytes! (McConomy) McConomy Auditorium Connan McKenna/Peter/Wright

9:45-11:00am

31 SMB/CIFS Analysis: Using Wireshark to efficiently Analyze & Troubleshoot SMB/CIFS Betty DuBois

32 Writing a Wireshark Dissector: 3 Ways to Eat Bytes Graham Bloice

33 Wireshark & Time: Accurate Handling of Timing when Capturing Frames Werner Fischer

Visit The Reef!

11:00-11:15am Break

11:15am-12:30pm

34 How tshark Saved my SDN Forensics: Hands-On tshark Usage with a Minor Python Connection Mike McAlister & Joseph Bull

35 My Life as a Troubleshooter: So what did you do today, Dad? Graeme Bailey

36 Packet Dupes, Drops, & Misses, Oh My! Scott Haugdahl & Mike Canney

12:30-1:30pm LUNCH

1:30-2:45pm

37 Back to the Packet Trenches (Part 1) Hansang Bae

38 Laura's Top Wireshark Tricks Laura Chappell

39 Knowing the Unknown: How to Monitor & Troubleshoot an Unfamiliar Network Luca Deri

2:45-3:00pm Break

3:00-4:15pm

40 Back to the Packet Trenches (Part 2) Hansang Bae

41 Analyzing Exploit Kit Traffic with Wireshark Bradley Duncan

42 TCP SACK Overview & Impact on Performance John Pittle

4:30-5:00pm Closing Remarks & Packet Challenge Awards Ceremony (McConomy Auditorium)

5:00-7:00pm Farewell Reception (Connan)


Incident Response and Network Forensics.

Connan

05 Network Security… Haven't We Solved It Yet?

set global security true… that was easy, right? A look at all the ways we continue to do security wrong, how the Internet of Things is inevitable and will destroy civilization as we know it, and how you might want to drink to escape the dark future but your fridge and drinks cabinet have established a mesh network and decided to secede to Russia.

Instructor: Mike Kershaw, Kismet Creator & Wireless Hacker

Mike is the author of Kismet, an open-source wireless sniffing and intrusion detection tool, as well as assorted other open source software and hardware projects.

McKenna/Peter/Wright

06 Workflow-based Analysis of Wireshark Traces: Now we can all be experts!

Even with a relatively good knowledge of TCP/IP and Wireshark, it can be difficult to know where to start with the analysis of trace files. Hundreds of thousands of packets and many protocols can be totally overwhelming unless you have years of experience, or can get someone with years of experience to help. Workbench offers a systematic way to analyse traces based on the workflows modelled on the ways of experts. In this interactive session, we troubleshoot a performance problem from start through to root cause using Wireshark and the community edition of Workbench. Software and trace files will be available to everyone several weeks before the session start.

Instructor: Paul Offord, CTO, TribeLab

Paul Offord has had a 39-year career in the IT industry that includes roles in hardware engineering, software engineering and network management. Prior to founding Advance7, he worked for IBM, National Semiconductor and Hitachi Data Systems. Paul and the Problem Analysts at Advance7 help IT support teams in many business sectors troubleshoot difficult performance and stability problems. Paul has recently contributed code to the Wireshark project and is currently leading the team developing Workbench.

1:15-2:30pm

McConomy

07 Undoing the Network Blame Game and Getting to the Real Root Cause of Slow Application Performance

Let's dig a little deeper into analyzing TCP to get to root cause. In this session, we'll interpret TCP symptoms to troubleshoot application problems. Using sample trace files, we'll examine:

1. Application disconnects
2. Identifying slow application response
3. How to determine if the network is really to blame

Bring a laptop for this INTERACTIVE session. Sample trace files will be shared with the audience.

Instructor: Chris Greer, Network Analyst, Packet Pioneer

Chris Greer is a Network Analyst for Packet Pioneer LLC. Chris has several years of experience in analyzing and troubleshooting networks. He regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. When he isn't hunting down problems at the packet level, he can be found teaching Wireshark classes and writing articles for technical blogs and online magazines.

Connan

08 Command Line Review of Wireshark CLI Tools, tshark & more

While the Wireshark GUI is constantly improving, some of the really powerful functionality is available when using the command-line tools shipped with Wireshark. Tools like tshark provide pre-filtering of huge amounts of trace data and the ability to correlate important values in a semi-automated and very powerful way. This talk covers how to improve your skills with the Wireshark CLI tools, focusing on tshark, and gives use-cases together with detailed exercises. This is a live, INTERACTIVE Session. Please bring your 'Shark to work through the analysis together!

Instructor: Christian Landström, Sr. Security Consultant, Airbus DS Cybersecurity

Christian Landström has worked in IT since 2004, focusing on network communications and security. In 2008, after graduating with a degree in computer science, he joined Synerity Systems and then moved with the whole Synerity team to Fast Lane GmbH in 2009 as a Senior Consultant for network analysis and security. Since 2013 he's been working as a Senior Consultant for Airbus Defence and Space CyberSecurity, focusing on IT security, incident response and network forensics.

McKenna/Peter/Wright

09 Designing a Requirements-based Packet Capture Strategy… and how it fits into an overall performance visibility strategy

Learn how to create a requirements-based packet capture strategy for your organization. Understand how packets are a cornerstone to your performance management capabilities and how to create a roadmap that you can use to communicate priorities and performance management capabilities that bring value to the business.

Instructor: John Pittle, Distinguished Performance Consultant, Riverbed Technology, Inc.


Actively focused on Performance Engineering for networks, systems, and applications since the early 90s. Performance troubleshooting is my passion and joy. I've used NG Sniffer, HP Network Advisor, Ethereal, Wireshark, NetShark, AppResponse, Packet Analyzer, Transaction Analyzer, IT Guru, and the list goes on... Sr. Performance Consultant with OPNET Technologies since 2005, then came to Riverbed with the OPNET acquisition in 2012. Promoted to Distinguished Performance Consultant in 2015 reflecting expertise in the entire portfolio of Riverbed visibility and analysis products; as well as technical leadership within the consulting practice for our most complex customer engagements.

2:45-4:00pm

McConomy

10 Knowing the Unknown: How to Monitor & Troubleshoot an Unfamiliar Network

Sometimes we need to monitor and troubleshoot networks that are totally unfamiliar, or produce reports evaluating the network health of a customer's network. The reasons for the lack of familiarity can be many-fold: consulting on a customer network issue for the first time, working with network administrators who know little about their network infrastructure or are simply prevented from sharing network details, etc. This presentation will introduce Wiresharkers to key concepts and methods for passive network analysis, including:

- the key network elements/topology
- possible security issues
- overall network performance
- traffic conversations or computers that are not behaving nicely

Instructor: Luca Deri, Founder & Leader, ntop Project, CS Lecturer, University of Pisa

Luca Deri is the leader of the ntop project (www.ntop.org), aimed at developing an open-source monitoring platform for high-speed traffic analysis. He worked for University College of London and IBM Research prior to receiving his PhD at the University of Berne with a thesis on software components for traffic monitoring applications. Well known in the open-source and Linux community, he currently shares his time between the ntop project and the University of Pisa where he has been appointed as lecturer for the CS department.

Connan

11 Hands-On TCP Analysis

In this session, you'll work through a series of short but interesting sample TCP traces that will be distributed to participants prior to the beginning of the conference, giving you a chance to work and familiarize yourself with them before the group walkthrough, review and Q&A. The capture files will be made available at least 2 weeks before the conference starts at the following URL: https://blog.packet-foo.com/sharkfest-2017-hands-on-files/

Instructor: Jasper Bongertz, Sr. Technical Consultant, Airbus DS CyberSecurity

Jasper Bongertz is a Senior Technical Consultant for Airbus Defence and Space CyberSecurity. He started working freelance in 1992 when he began studying computer science at the Technical University of Aachen, eventually moving to Airbus to focus on IT security, Incident Response and Network Forensics.

McKenna/Peter/Wright

12 Baselining with Wireshark to Identify & Stop Unwanted Communications: Clearing away the forest to see the trees

Wireshark, in conjunction with other online tools, can be used to baseline network traffic - whether on a laptop, home network, or office network. It also can be used to help identify and filter out normal everyday traffic and clutter. Utilizing the Display Filter Macros, Statistics and online tools can help quickly identify suspicious traffic. This, along with tools like ProcessHacker or even netstat, can be used to identify processes communicating across the network. The goal of this session is to help you identify unwanted communications and stop them. This is likely to be a hands-on session, so please bring your laptop!

Instructor: Jon Ford, Web Application Security Analyst, MainNerve LLC

Jon is a Web Application Security Analyst with MainNerve, LLC. He performs a variety of other jobs as well, from penetration testing of network systems, to wireless (802.11) exploitation to teaching personal cyber security and all the way up to doing dishes and taking out the trash. Jon has used Wireshark extensively in all of these jobs, minus the trash and dishes, but hopes to find a way to incorporate Wireshark into those duties as well one day. MainNerve LLC specializes in network and information security services and technology innovations. The company's mission is to help organizations assess and manage risks associated with critical assets. MainNerve exists to fill the critical gap in cybersecurity technology and expertise for the SMB market by employing critical subject matter expertise and supporting that with state-of-the-art technologies and affordable solutions.

4:15-5:30pm

McConomy

13 Augmenting Packet Capture with Contextual Meta-Data: the what, why & how

Full packet capture and archiving are increasingly important, providing 'ground truth' evidence for investigating security incidents and performance issues. But captured packets by themselves lack context, such as information about where they were captured and the environment at the time of capture. This becomes especially problematic when packets are captured from multiple points, data resides in multiple places or multiple files, or when the data being analyzed is historical. Augmenting packet data with meta-data can help provide useful context about when, where and how packets were captured and the environment at the time of capture. It can also record a range of post-capture data such as comments or information from analytics applications. This presentation will discuss what types of meta-data can be useful, what they can be useful for, and how meta-data can be encoded into packet capture data to ensure permanent context to the packets that are captured.

Instructor: Dr. Stephen Donnelly, CTO, Endace

Stephen has worked on packet capture and time stamping systems for 20 years, receiving his PhD on "High Precision Timing in Passive Measurements of Data Networks" from the University of Waikato, New Zealand. He was a founding employee at Endace, developing FPGA based packet capture and timing systems. He has developed clock synchronization systems and high performance network monitoring virtualization for Endace appliances, and collaborated with customers in Telcos, Finance, Test & Measurement, Enterprise, and Government to solve unique problems. Stephen is a contributor to the Wireshark, libpcap, Argus and Suricata open source projects.

Connan

14 Wireshark Case Study Exploration: Looking Beyond the Obvious

In this session, Sake will do a walkthrough of real-world cases he's encountered. He'll start with the obvious and show you how to look deeper into trace files to discover much more information from them. This session is INTERACTIVE. Please bring your laptops.

Instructor: Sake Blok, Packet Analyst, SYN-bit

Sake has been analyzing packets since the end of the last century. Over the years, he's uncovered device bugs from multiple vendors and presented his findings to the vendors to fix issues. He's also discovered many misconfigurations on customer networks that have led to functional or performance problems with applications running over the network and provided resolutions through reports presented to his customers. In 2009, Sake started the company SYN-bit to provide Network Analysis services to enterprises across Europe. In the course of his work, Sake started developing extra functionality for Wireshark that he missed in his day-to-day job. He also enhanced multiple protocol dissectors to suit his analysis needs. In 2007 he was asked by Gerald to join the Wireshark Core Development team.

McKenna/Peter/Wright

15 Wireshark and Time: Accurate Handling of Timing when Capturing Frames

Sometimes an analysis task requires accurate handling of timing in capturing frames. NTP and IEEE 1588 PTPv2 (Precision Time Protocol) are the most widely used time protocols for network synchronization. These standard protocols are used for time synchronization in networking systems with accuracies ranging from microseconds to milliseconds, depending on the network environment. In this presentation, we will dig into problems rooted in time symptoms. Wireshark configuration profiles, display filters, and color rules can provide specific focus when you troubleshoot time issues.

Instructor: Werner Fischer, Principal Networking Consultant, avodaq AG

Werner Fischer is a long-term Dual-CCIE (R/S, Security) with over 20 years of experience in the networking arena. At avodaq, Werner works as a Principal Networking Consultant on System Architectures. He provides design guidance in key projects and is responsible for transferring new technology of networking solutions to internal and external audiences. Werner holds numerous industry certificates and has been a Sniffer Certified Master since 2003, VMware Certified Professional (4/5/6) and has also attained the Gold Certified Engineer status from the IPv6 Forum. Prior to joining avodaq 10 years ago, Werner worked as a Network Project Engineer for Siemens AG.


Session Level Legend: Beginner = Intermediate = Advanced/Developer =

WEDNESDAY, 21 JUNE

8:30 - 9:30am

Keynote: Examining the Case for a New Transport Protocol

Dr. Peter Steenkiste, Professor, School of Computer Science and of Electrical and Computer Engineering

Peter Steenkiste is a Professor of Computer Science and of Electrical and Computer Engineering at Carnegie Mellon University. His current research is in the areas of future Internet architecture and wireless networking. His research interests are in the areas of networking and distributed computing. While at CMU, Dr. Steenkiste worked on Nectar, the first workstation clusters built around a high-performance, switch-based local area network. He contributed both to the optimization of the communication subsystem and to the development of programming tools for workstation clusters. The optimization of application-level communication performance over commodity networks was further explored in the Gigabit Nectar and Credit Net projects. All these projects developed prototype systems that were used by a wide range of application groups, allowing a realistic evaluation of the research. Dr. Steenkiste is a member of the ACM and a Fellow of the IEEE. He has been on many program committees and was co-chair for the OPENSIG'99 workshop and the "Eighth International Workshop on Quality of Service (IWQOS'00)". He was also program chair for HPDC'2000 and general co-chair for ACM SIGCOMM'02. More recently, he was program co-chair for MobiCom 2008. He has been an associate editor for IEEE Transactions on Parallel and Distributed Systems (1998-1999), IEEE/ACM Transactions on Networking (2000-2003), and Cluster Computing (2000-2004), and he is currently on the editorial board of the "Journal of Grid Computing".

9:45-11:00am

McConomy

16 Hands-On Analysis of Multi-Point Captures - Part 1

A 2-part session that will take you on the challenging journey of analyzing performance issues throughout a whole network path. Load balancers, firewalls and proxy servers might be involved, and finding the right spot to analyze the problem is not always an easy task. This talk focuses on multipoint capture file analysis and packet matching from different capture points. This will be an interactive session with live analysis, so bring your Wireshark and join the fun!

Instructors: Christian Landström and Jasper Bongertz, Senior Consultants, Airbus DS CyberSecurity

Jasper Bongertz is a Senior Technical Consultant at Airbus Defence and Space CyberSecurity and started working freelance in 1992 while he began studying computer science at the Technical University of Aachen. Christian Landström has worked in IT since 2004, with a strong focus on network communications and IT security. After graduating in computer science in 2008 and joining Jasper Bongertz at Synerity Systems directly afterwards, Jasper and Christian moved with the whole Synerity team to work for Fast Lane GmbH in 2009 as Senior Consultants for network analysis and security. Since 2013 they have been working as Senior Consultants for Airbus Defence and Space CyberSecurity, focusing on IT security, Incident Response and Network Forensics.

Connan

17 WiFiBeat… Visualize Data with Kibana and ElasticSearch

Visualization is the way to go to analyze and understand data and Kibana and Elasticsearch are fantastic tools to visualize logs. ElasticSearch can also go beyond logs and store pretty much any document or data set. Beats, another project of the Elastic Stack, is a library that provides an easy way to ship data to ElasticSearch. Thomas will present a new tool that leverages Beats to store WiFi frames in ElasticSearch and then search, filter and visualize that data using Kibana.

Instructor: Thomas d'Otreppe, AirCrack-ng Author

Thomas D'Otreppe is a wireless security researcher and author of Aircrack-ng, the most popular and complete suite of tools for WiFi network security assessments. He also created OpenWIPS-ng, an open source Wireless Intrusion Prevention System. Thomas is a contributor to the WiFi stack and toolset in Backtrack Linux, which has now become Kali Linux, the de facto top choice Linux distribution for penetration testing and vulnerability assessment across multiple technology domains. He is also known as an author of a pro-active wireless security course which has been delivered to large numbers of IT Security professionals worldwide. Thomas speaks and teaches in the Americas and Europe and is a well-known speaker at DefCon, BlackHat, DerbyCon, SharkFest, Mundo Hacker Day, BruCON and other venues.


McKenna/Peter/Wright

18 Analyzing Exploit Kit Traffic with Wireshark

This lab is designed to help people using Wireshark investigate exploit kit (EK) activity and find EK traffic in a pcap to identify root cause. It also covers some of the post-infection traffic seen from Windows-based malware infections caused by EKs. We'll begin by configuring Wireshark from the default settings to better examine HTTP traffic. Scenarios are:

1: Searching for an EK based on information in an IDS alert
2: Finding EK indicators after IDS alerts on post-infection traffic
3: No alerts or indicators, but someone has ransomware!

We'll also cover tips on how to identify the Windows host that was infected by the exploit kit and answer questions about investigations based on the instructor's personal experience.

Instructor: Bradley Duncan, Threat Intelligence Analyst, Palo Alto Networks - Unit 42

Brad Duncan specializes in network traffic analysis and exploit kit detection. After more than 21 years of classified intelligence work for the US Air Force, Brad transitioned to cyber security in 2010. He is currently a Threat Intelligence Analyst for Palo Alto Networks Unit 42. Brad is also a volunteer handler for the Internet Storm Center (ISC) and has posted more than 80 diaries at isc.sans.edu. He routinely blogs technical details and analysis of infection traffic at www.malware-traffic-analysis.net, where he's provided over 900 pcaps of malicious activity to the community.

11:15am-12:30pm

McConomy

19 Hands-On Analysis of Multi-Point Captures - Part 2

A 2-part session that will take you on the challenging journey of analyzing performance issues throughout a whole network path. Load balancers, firewalls and proxy servers might be involved, and finding the right spot to analyze the problem is not always an easy task. This talk focuses on multipoint capture file analysis and packet matching from different capture points. This will be an interactive session with live analysis, so bring your Wireshark and join the fun!

Instructors: Christian Landström & Jasper Bongertz, Sr. Consultants, Airbus DS CyberSecurity

Jasper Bongertz is a Senior Technical Consultant at Airbus Defence and Space CyberSecurity and started working freelance in 1992 while he began studying computer science at the Technical University of Aachen. Christian Landström has worked in IT since 2004, with a strong focus on network communications and IT security. After graduating in computer science in 2008 and joining Jasper Bongertz at Synerity Systems directly afterwards, Jasper and Christian moved with the whole Synerity team to work for Fast Lane GmbH in 2009 as Senior Consultants for network analysis and security. Since 2013 they have been working as Senior Consultants for Airbus Defence and Space CyberSecurity, focusing on IT security, Incident Response and Network Forensics.

Connan

20 Work-Shmerk/Mirai-Shmirai: What are those evil IoT devices doing & how can you control them?

This will be an interactive session in which the audience will be exposed to various IoT devices and methods to discover/abuse the protocols they operate with. The session will be focused on how to conduct network capture and analysis with Wireshark of the various IoT targets, how to reverse engineer the protocols, and then utilize a tool to craft packets that will control the IoT devices. The interactive portion will be based around a wireless environment, where attendees can do their own network reconnaissance, use the SCAPY packet crafting tool, and manipulate an IoT device with visual feedback of their feats.

Instructor: Brad Palm, Lead Network Analyst, USMC MCNEL

Brad is a network analyst for the United States Marine Corps, working in the Cyber Engineering and Network Efficiency Lab (MCNEL). His team focuses on network capture and analysis for USMC networks, testing emerging technologies and devices for the USMC Systems Command, and utilizing captured traffic to influence test scenarios that better represent the USMC network traffic profile in developmental testing phases. Brad has completed in-depth vendor studies/comparisons for WAN optimization devices, supported Tier1-level programs/applications in troubleshooting and optimization tasks for the USMC Enterprise Network, and deployed in support of tactical units to provide network analysis. His team uses a combination of TAPs, high speed capture devices, Riverbed Packet Analyzer, and Wireshark to accomplish their mission.

McKenna/Peter/Wright

21 Analysis Visualizations: Creating Charts to Speed-Up Analysis

They say a picture is worth 1,000 words. So how many packets is one worth? This session will discuss several practical visualizations that can help you hunt like a shark in a sea of packets. You'll learn about Wireshark's built-in visualizations, e.g. its I/O graph and tcptrace, which are immensely useful. But you'll also learn that tshark and Excel can be combined to produce custom visualizations appropriate for the task at hand.

Instructor: Robert Bullen, Cloud Services Engineer, Blue Cross Blue Shield of MN

Robert Bullen has been in the packet analysis space in one form or another for most of his 20-year career as both a developer and user. For the last five years he's been an application performance engineer for two Minnesota-based enterprises where he has relied heavily on the Wireshark tool suite, and during which time he contributed enhancements to the Wireshark code base. Robert has attended more Sharkfests than he hasn't. This will be his third time as a Sharkfest speaker.

1:30-2:45pm


McConomy

22 Understanding Throughput & TCP Windows: Factors that can Limit TCP Throughput Performance Receive windows and congestion windows and send buffers, oh my! A walk-through with examples of the different factors affecting the sender and receiver that can limit TCP throughput performance. Instructor: Kary Rogers, Director, Staff Engineering, Riverbed Technology Kary first learned the value of packet analysis helping customers solve difficult issues in Riverbed TAC, and has since moved onto a management role for the company. Not wanting to lose the skills he fought hard to learn, he started a packet analysis website, PacketBomb.com, where he posts tutorials and case studies for the hapless network engineer struggling to prove that it's not the network.

Connan

23 Top 10 Wireshark TIPS & TRICKS In this session, Megumi shows her Top 10 TIPS and TRICKS for looking inside of packets, finding trouble and visualizing traffic. Qt-based Wireshark has many new features that can be used to enhance Wireshark in just a few steps. Megumi will demonstrate the use of Wireshark ranking style, visualization of I/O graphs, flow graphs, 802.11 protocol analysis, troubleshooting, and more. Instructor: Megumi Takeshita, Packet Otaku and Owner, Ikeriri Network Service Megumi Takeshita, known as Packet Otaku, runs a packet analysis company after having worked as a network analyst at BayNetworks and Nortel Networks for many years. Ikeriri Network Service is a reseller of Riverbed, Metageek, Dualcomm, Profitap and other packet capture products in Japan. Megumi has written more than 10 books about packet analysis and deep inspection using Wireshark in Japanese and has also attended every SharkFest since they began in 2008.

McKenna/Peter/Wright

24 Undoing the Network Blame Game to get to the Real Root Cause of Slow Application Performance Let's dig a little deeper into analyzing TCP to get to root cause. In this session, we'll interpret TCP symptoms to troubleshoot application problems. Using sample trace files, we'll examine:

1. Application disconnects
2. Identifying slow application response
3. How to determine if the network is really to blame

Bring a laptop for this INTERACTIVE session. Sample trace files will be shared with the audience. Instructor: Chris Greer, Network Analyst, Packet Pioneer Chris Greer is a Network Analyst for Packet Pioneer LLC. Chris has several years of experience in analyzing and troubleshooting networks. He regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. When he isn't hunting down problems at the packet level, he can be found teaching Wireshark classes and writing articles for technical blogs and online magazines.

3:00-4:15pm

McConomy

25 Workflow-based Analysis of Wireshark Traces: Now we can all be experts! Even with a relatively good knowledge of TCP/IP and Wireshark, it can be difficult to know where to start with the analysis of trace files. Hundreds of thousands of packets and many protocols can be totally overwhelming unless you have years of experience, or can get someone with years of experience to help. Workbench offers a systematic way to analyse traces based on workflows modelled on the methods of experts. In this interactive session, we troubleshoot a performance problem from start through to root cause using Wireshark and the community edition of Workbench. Software and trace files will be available to everyone several weeks before the session starts. Instructor: Paul Offord, CTO, TribeLab Paul Offord has had a 39-year career in the IT industry that includes roles in hardware engineering, software engineering and network management. Prior to founding Advance7, he worked for IBM, National Semiconductor and Hitachi Data Systems. Paul and the Problem Analysts at Advance7 help IT support teams in many business sectors troubleshoot difficult performance and stability problems. Paul has recently contributed code to the Wireshark project and is currently leading the team developing Workbench.

Connan

26 Network Security… Haven't We Solved It Yet? A look at all the ways we continue to do security wrong, how the Internet of Things is inevitable and will destroy civilization as we know it, and how you might want to drink to escape the dark future but your fridge and drinks cabinet have established a mesh network and decided to secede to Russia. Instructor: Mike Kershaw, Wireless Hacker Mike is the author of Kismet, an open-source wireless sniffing and intrusion detection tool, as well as assorted other open source software and hardware projects.

McKenna/Peter/Wright

27 Network Forensics with Wireshark: Suspicious Traffic Detection Techniques This session covers the essentials of network forensics methodology, key Wireshark skills, and methods for locating suspicious traffic. Laura will analyze numerous malicious trace files from her "nasty traces" collection while demonstrating the advantages of using a "Network Forensics Profile" in Wireshark. Instructor: Laura Chappell, Founder, Senior Analyst, Wireshark University As the founder of Wireshark University and Chappell University, Laura Chappell researches, writes, and presents on Wireshark, troubleshooting, network forensics, and more. Laura's clients include most of the Fortune 100 companies, and numerous federal, state, and international law enforcement/cybercrime agencies. She has released three books on Wireshark (available on Amazon) and has recorded much of her training courseware for the Chappell University online AllAccess Pass (www.lcuportal2.com).

4:30-5:45pm

McConomy

28 The Doctor is In! Packet Trace Reviews with the Experts The experts on this panel have been asked to look at a trace file and help find a reason for certain behaviors by attendees at many SharkFests. Based on this, they've decided to create a public forum for examining individual trace files with a broader audience for a collective learning experience. Trace files will be gathered from attendees during the session so that the "not-knowing what to expect and whether it can be solved" experience of working through an unknown trace file can be preserved. Come to this session and learn to ask the right questions and look at packets in different ways. PLEASE BRING PERPLEXING TRACE FILES FOR ANALYSIS BY THE PANEL! Panelists: Hansang Bae, Jasper Bongertz, Christian Landström, Sake Blok

Connan

29 A Web-Based Approach to Enhance Network Packet Capture & Decode Analysis Techniques using the Wireshark Command Line Tools

This presentation will demonstrate how to use the integration of Wireshark CLI tools within the Network Security Toolkit (NST). NST incorporates a web-based frontend to both dumpcap for capture and tshark for packet analysis. Both a Single-Tap and Multi-Tap Network Packet Capture interface will be presented and demoed live. These interfaces provide an enhancement to streamline packet capture and decode within a web browser. The setup of dumpcap command line arguments, custom capture filters and various startup capture methods will be shown. The web interface to tshark for packet decoding will also be demoed. Specialized packet decode displays from the results of tshark PSML and PDML output will be presented along with geolocation. The automatic generation of "Follow TCP stream" display filters will be shown to quickly isolate and analyze a particular TCP stream session. Network Packet Capture Management, Ring Buffer Capture as a Service (RBCaaS) and Capture Transfer to Cloudshark features will also be demo'd live. Instructor: Ronald Henderson, CTO, UNIVERSAL Technologies Ronald W. Henderson has more than 30 years' experience in various enterprise network computing environments including infrastructure, virtual computing, open source development, networks, systems, security architecture, data center design, deployment and management. As Chief Technology Officer (CTO) for UNIVERSAL Technologies, Inc., he was lead architect and project head on numerous research and development initiatives which resulted in the creation of effective integrated enterprise solution products in the areas of enterprise server-based and virtual desktop computing. He is co-author of the Network Security Toolkit (NST), a Linux distribution that provides easy access to best-of-breed Open Source Network Security Applications and should run on most X86_64 platforms. NST was created in 2003 and includes a web-based frontend to the Wireshark command suite for both Single- or Multi-Tap network packet capture and decode analysis.

McKenna/Peter/Wright

30 Using the Python/Django Web Framework to Build a Remote Packet Capture Portal with tshark In this course we will present a methodology and development framework that was used for creating an open source packet capture portal based on tshark. We will review the Python/Django framework and how it was used to build a web-based remote packet capture and analysis portal. The course will concentrate on the various uses of tshark as well as how a development framework was built around it. Although we will be reviewing programming and development concepts, students will not need to be experienced programmers in order to benefit from the material. Instructor: Kevin Burns, Principal Engineer, Data Center Engineering, Comcast Kevin Burns is a Principal Engineer in the Data Center Engineering team at Comcast Communications. He has been involved in network and application troubleshooting since 1995. He is the author of TCP/IP Troubleshooting Toolkit and a past Sharkfest presenter. Kevin loves solving difficult problems, developing troubleshooting tools, and sharing his experiences and knowledge with others.


THURSDAY, 22 JUNE

8:30-9:30am SharkBytes!

9:45-11:00am

McConomy

31 SMB/CIFS Analysis: Using Wireshark to Efficiently Analyze and Troubleshoot SMB/CIFS SMB/CIFS is a ubiquitous protocol whether we like it or not. Being able to understand the inner workings is critical to performance monitoring and troubleshooting the file transfer protocol used by Microsoft and Samba. This session will cover the SMB implementation used by Server 2012/2016 and Windows 8.1/10. Trace files will be made available during the session so attendees may follow along in Wireshark. Service Response times and LOAD in I/O Graphs will be covered. Bring your laptops! Instructor: Betty DuBois, Chief Detective, Network Detectives Betty DuBois is the Chief Detective for Network Detectives. She has been analyzing networks since 1997, performing fault isolations, application profiles, and network baselines for a wide variety of clients. As an Instructor for Wireshark University, she is known for her ability to make a dry, complex subject fun and interesting by using both humor and real-world examples. Betty has presented at Sharkfest and Networld+Interop and for the Atlanta chapters of HTCIA and ISSA. Her "Network Mystery" series can be found at www.wireshark.org/docs. Betty's industry certifications include Certified Wireshark University Instructor, Wireshark Certified Network Analyst, HP ProCurve AIS, and Sniffer Certified Expert.

Connan

32 Writing a Wireshark Dissector: 3 Ways to Eat Bytes The presentation outlines the 3 most popular methods to write a dissector: using plain text files with WSGD, using a Lua script file and finally a C dissector. An introduction to how dissectors fit into the Wireshark system is given, then each method is compared for ease of initial development, facilities offered and run-time performance. Instructor: Graham Bloice, Software Developer, Trihedral UK Ltd. & Wireshark Core Developer Graham is a Software Developer with Trihedral UK Limited where he helps produce their VTSCada HMI\Scada toolkit. Graham is also a Wireshark core developer, mainly concentrating on the Windows build machinery and DNP3 dissectors. He uses Wireshark frequently in his day job when analysing telemetry protocols used in the SCADA world, and inter-machine traffic for the company's distributed SCADA product.

McKenna/Peter/Wright

33 Wireshark and Time: Accurate Handling of Timing when Capturing Frames Sometimes an analysis task requires accurate handling of timing in capturing frames. NTP and IEEE 1588 PTPv2 (Precision Time Protocol) are the most widely used time protocols for network synchronization. These standard protocols are used for time synchronization in networking systems with accuracies ranging from microseconds to milliseconds, depending on the network environment. In this presentation, we will dig into problems rooted in time symptoms. Wireshark configuration profiles, display filters, and color rules can provide specific focus when you troubleshoot time issues. Instructor: Werner Fischer, Principal Networking Consultant, avodaq AG Werner Fischer is a long-term Dual-CCIE (R/S, Security) with over 20 years of experience in the networking arena. At avodaq, Werner works as a Principal Networking Consultant on System Architectures. He provides design guidance in key projects and is responsible for transferring new technology of networking solutions to internal and external audiences. Werner holds numerous industry certificates, has been a Sniffer Certified Master since 2003 and a VMware Certified Professional (4/5/6), and has also attained the Gold Certified Engineer status from the IPv6 Forum. Prior to joining avodaq 10 years ago, Werner worked as a Network Project Engineer for Siemens AG.


11:15am-12:30pm

McConomy

34 How tshark saved my SDN Forensics: Hands-on tshark Usage with a Minor Python Connection Tshark was a critical component in Booz Allen Hamilton winning the 2016 Digital Forensics Research Workshop (DFRWS) international Software Defined Networking (SDN) digital forensics challenge. This was achieved by creating a prototype solution for the extraction of forensic artifacts from SSL/TLS encrypted packets between an SDN switch and controller. Tshark provided a mechanism to consume the recovered encryption keys and automate the analysis of the OpenFlow protocol. This led to the complete enumeration of the network (e.g., devices present, device details) and SDN network flow rules (both static and dynamic). Tshark was pivotal in the recovery of artifacts and was used with Python to create visualizations of the network traffic. Mr. Bull and Mr. McAlister will provide a hands-on opportunity for the attendees to follow along as they review the network forensics side of their solution with Tshark, and will facilitate an opportunity for the attendees to try it out themselves. Instructors: Mike McAlister, Lead Technologist & Joseph Bull, Chief Engineer, Booz Allen Hamilton This briefing is presented on behalf of Booz Allen Hamilton by Mr. Joseph Bull and Mr. Michael McAlister. Mr. Bull is a system security engineer with 15 years of experience supporting DoD, Civil, and Commercial clients, holding CISSP and CSEP certifications, and Mr. McAlister is a US Navy Veteran who earned his GCIH and CSM, with over 10 years of experience as a Protocol Analyst. Recently Booz Allen Hamilton won the DFRWS SDN digital forensics challenge with the support of Joseph Bull, Chris Christou, Tyler Duquette, Emre Ertekin, Michael Lundberg, Michael McAlister and Greg Starkey. Booz Allen Hamilton advocates for open source solutions such as Wireshark to further advance SDN and the associated forensics tradecraft.

Connan

35 My Life as a Troubleshooter: So what did you do today, Daddy? In this session, I'll share some of the real world troubleshooting cases I've engaged in recently. These can range from small networks suffering from poorly-written applications to large global systems with thousands of servers, virtualised environments (both server and desktop), and cloud-hosted systems like AWS. My troubleshooting is end to end, from the users to the storage and everything in between. I'll explain some of the methodologies I've developed and how I approach complex systems and hard-to-diagnose problems. I use Wireshark as a first line tool nearly every day and know it is the fastest way to prove root cause, not just surmise what the problem may be. There will be plenty of tips and useful insights to take away as well as sharing experiences. Instructor: Graeme Bailey, Troubleshooter & Founder, TARCA Graeme is a UK-based troubleshooter with over 35 years' experience in all aspects of systems and infrastructure, having worked for Burroughs, HP, 3Com and others. He founded TARCA (troubleshooting and root cause analysis) in 2008, having identified a clear need for an independent consultancy firm with the capability to address end to end performance. Taking network analysis further than the network itself, TARCA encompasses applications, workstations, servers, storage, networks and connectivity, to provide a unique, unbiased insight into issues. TARCA helps to resolve problems for their clients more rapidly, often bringing together a wide variety of third parties and gaining agreement as to the precise cause of the issue. This maximises productivity potential for both people and equipment, often resulting in huge savings through the improvements they make together.

McKenna/Peter/Wright

36 Packet Dupes, Drops, and Misses, Oh My! Anomalous packet captures can come back to bite you. Duplicate, dropped, or missing packets and flows can make analysis very challenging, downright aggravating or, even worse, lead to misdiagnosis. Even expert systems can be easily fooled, so how do you validate? This session exposes a number of real world use cases, using Wireshark to illustrate ways in which you can spot less-than-ideal captures such as misconfigured mirror ports, oversubscribed taps and packet brokers, duplicate or bad duplication of packets, one-way packet flows, and more. Learn how to use what you got or when to punt in this action-packed session! Instructors: Scott Haugdahl, Architect, Blue Cross Blue Shield MN & Mike Canney, Packet Analyst Scott's analysis career started with developing PC-DOS-based packet analysis tools, evolved to designing expert systems, and culminated with architecting high-end packet visibility fabrics for large capacity sniffers, security, and APM appliances. He has been a Wireshark enthusiast since Ethereal 0.99 or thereabouts! Outside of work Scott loves photography and travel. Scott will team up with Mike Canney, another long-time packet analysis guru, to balance and provide Mike's unique perspectives as well. A true entrepreneur, Mike has worked independently as well as for APM and NPM vendors. Professionally, Mike enjoys solving the most difficult problems given packet traces and personally, spending time with his young and growing family!


1:30-2:45pm

McConomy

37 Back to the Packet Trenches (Part 1) In an increasingly prevalent cloud and SaaS-based networking world, foundational troubleshooting practices are destined to change. In this 2-part session, Hansang will review on- and off-prem cloud and SaaS troubleshooting scenarios when trying to identify root cause. He'll also discuss what it will be like as you adopt the cloud, how to capture in AWS, and how different cloud vendors may or may not have TCP/IP Offload Engines to address latency issues when uploading. He'll also show how one-sided traces to a SaaS vendor can be diagnosed. Instructor: Hansang Bae, CTO, Riverbed Technology Hansang Bae led the Network/Application Performance Engineering Team with direct responsibility for Packet Capture Infrastructure at Citi until July, 2012 when he joined Riverbed Technology as Director of Cascade Product Architecture. He has since taken on the role of Chief Scientist and then CTO for the company. With his broad knowledge of protocol analysis in a complex enterprise infrastructure, Hansang brings a unique perspective to packet analysis.

Connan

38 Wireshark Tips & Tricks Learn Wireshark tips & tricks from Laura Chappell, the founder of Wireshark University. Instructor: Laura Chappell, Founder, Senior Analyst, Wireshark University As the founder of Wireshark University and Chappell University, Laura Chappell researches, writes, and presents on Wireshark, troubleshooting, network forensics, and more. Laura's clients include most of the Fortune 100 companies, and numerous federal, state, and international law enforcement/cybercrime agencies. She has released three books on Wireshark (available on Amazon) and has recorded much of her training courseware for the Chappell University online AllAccess Pass (www.lcuportal2.com).

McKenna/Peter/Wright

39 Knowing the Unknown: How to Monitor & Troubleshoot an Unfamiliar Network Sometimes we need to monitor and troubleshoot networks that are totally unfamiliar, or produce reports evaluating the network health of a customer's network. The reasons for the lack of familiarity can be many-fold: consulting on a customer network issue for the first time, working with network administrators who know little about their network infrastructure or are simply prevented from sharing network details, etc. This presentation will introduce Wiresharkers to key concepts and methods for passive network analysis, including:

- the key network elements/topology
- possible security issues
- overall network performance
- traffic conversations or computers that are not behaving nicely

Instructor: Luca Deri, Founder & Leader, ntop Project, CS Lecturer, University of Pisa Luca Deri is the leader of the ntop project (www.ntop.org), aimed at developing an open-source monitoring platform for high-speed traffic analysis. He worked for University College of London and IBM Research prior to receiving his PhD at the University of Berne with a thesis on software components for traffic monitoring applications. Well known in the open-source and Linux community, he currently shares his time between the ntop project and the University of Pisa where he has been appointed as lecturer for the CS department.


3:00-4:15pm

McConomy

40 Back to the Packet Trenches (Part 2) In an increasingly prevalent cloud and SaaS-based networking world, foundational troubleshooting practices are destined to change. In this 2-part session, Hansang will review on- and off-prem cloud and SaaS troubleshooting scenarios when trying to identify root cause. He'll also discuss what it will be like as you adopt the cloud, how to capture in AWS, and how different cloud vendors may or may not have TCP/IP Offload Engines to address latency issues when uploading. He'll also show how one-sided traces to a SaaS vendor can be diagnosed. Instructor: Hansang Bae, CTO, Riverbed Technology Hansang Bae led the Network/Application Performance Engineering Team with direct responsibility for Packet Capture Infrastructure at Citi until July, 2012 when he joined Riverbed Technology as Director of Cascade Product Architecture. He has since taken on the role of Chief Scientist and then CTO for the company. With his broad knowledge of protocol analysis in a complex enterprise infrastructure, Hansang brings a unique perspective to packet analysis.

Connan

41 Analyzing Exploit Kit Traffic with Wireshark This lab is designed to help people using Wireshark investigate exploit kit (EK) activity and find EK traffic in a pcap to identify root cause. It also covers some of the post-infection traffic seen from Windows-based malware infections caused by EKs. We'll begin by configuring Wireshark from the default settings to better examine HTTP traffic. Scenarios are:

1. Searching for an EK based on information in an IDS alert
2. Finding EK indicators after IDS alerts on post-infection traffic
3. No alerts or indicators, but someone has ransomware!

We'll also cover tips on how to identify the Windows host that was infected by the exploit kit and answer questions about investigations based on the instructor's personal experience. Instructor: Bradley Duncan, Threat Intelligence Analyst, Palo Alto Networks - Unit 42 Brad Duncan specializes in network traffic analysis and exploit kit detection. After more than 21 years of classified intelligence work for the US Air Force, Brad transitioned to cyber security in 2010. He is currently a Threat Intelligence Analyst for Palo Alto Networks Unit 42. Brad is also a volunteer handler for the Internet Storm Center (ISC) and has posted more than 80 diaries at isc.sans.edu. He routinely blogs technical details and analysis of infection traffic at www.malware-traffic-analysis.net, where he's provided over 900 pcaps of malicious activity to the community.

McKenna/Peter/Wright

42 TCP SACK Overview and Impact on Performance Selective ACK is an important performance enhancement to TCP. Learn the details of how to interpret the SACK field and relate it to the performance of the application. Instructor: John Pittle, Distinguished Performance Consultant, Riverbed Technology, Inc. Actively focused on Performance Engineering for networks, systems, and applications since the early 90s. Performance troubleshooting is my passion and joy. I've used NG Sniffer, HP Network Advisor, Ethereal, Wireshark, NetShark, AppResponse, Packet Analyzer, Transaction Analyzer, IT Guru, and the list goes on... Sr. Performance Consultant with OPNET Technologies since 2005, then came to Riverbed with the OPNET acquisition in 2012. Promoted to Distinguished Performance Consultant in 2015, reflecting expertise in the entire portfolio of Riverbed visibility and analysis products, as well as technical leadership within the consulting practice for our most complex customer engagements.

4:30-5:00pm Packet Challenge Awards and Closing Comments (McConomy) Gerald Combs & Friends

5:00-7:00pm Farewell Reception - Connan & McConomy