
Wireshark Certified Network Analyst

Boot Camp Course A three-day hands-on lab/lecture course focusing on the key areas of the Wireshark Certified Network Analyst Exam.

Instructor: Laura Chappell, Founder of Wireshark University

Presented in conjunction

with Sharkfest 2013

June 19-21, 2013

9:00am – 5:00pm PST

Contents

WCNA Boot Camp Course Overview (page 1)
  Date, Time, and Location (page 1)
  What is Included in the WCNA Boot Camp? (page 1)
  Who Should Attend (page 1)
  Recommended Prerequisite Knowledge/Capabilities (page 1)
  Bring-Your-Own-Laptop (BYOL) Requirements (page 2)
  WCNA Boot Camp Preparation (page 2)
About the Wireshark Certified Network Analyst™ Program (page 3)
  Why Should I Pursue the Wireshark Certified Network Analyst Certification? (page 3)
  How Do I Earn the Wireshark Certified Network Analyst Status? (page 3)
WCNA Boot Camp Course Estimated Daily Schedule (page 4)
  Day One (June 19, 2013): Key Topics in Sections 1-11 (page 4)
  Day Two (June 20, 2013): Key Topics in Sections 12-22 (page 4)
  Day Three (June 21, 2013): Key Topics in Sections 23-33 (page 4)
Am I Ready for the WCNA Boot Camp? (page 5)
  Prerequisite Tasks (page 5)
  Prerequisite Quiz (page 5)
  Answer Key (page 10)
Appendix A: Wireshark Certified Network Analyst Exam Objectives (Test WCNA102.1) (page 12)

Wireshark Certified Network Analyst Boot Camp [Sharkfest 2013] Page 1

WCNA Boot Camp Course Overview

This three-day boot camp class focuses on the key areas covered in the most current version of the Wireshark Certified Network Analyst Exam (WCNA102.1). Students will review these key areas through labs, lecture, and sample open-grading exams.

The WCNA Boot Camp Course debuts at Sharkfest 2013.

Date, Time, and Location

Date: June 19-21, 2013

Time: 9:00am – 5:00pm PST

Location: Clark Kerr Campus, UC Berkeley

What is Included in the WCNA Boot Camp?

All WCNA Boot Camp students will receive the following items upon arrival the first day of class:

WCNA Boot Camp Student Manual (includes labs and quizzes)

WCNA Boot Camp USB (containing trace files and supplemental resources)

All Access Pass One-Year Subscription Voucher (a $699 value)

WCNA Exam Voucher (a $299 value)

Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide (a $99 value)

Labs and lectures led by Laura Chappell, Founder of Wireshark University

Who Should Attend

This three-day course is designed for network professionals interested in obtaining the Wireshark Certified Network Analyst designation.

Recommended Prerequisite Knowledge/Capabilities

Students should have a strong working knowledge of interconnecting device functionality (switch, router, NAT, for example) and be comfortable with the elements of the TCP/IP protocol suite (ARP, TCP, UDP, IP, DHCP, ICMP, for example). In addition, students should already be familiar with the Wireshark interface and basic methods used to capture and filter traffic.

Students should review Am I Ready for the WCNA Boot Camp? on page 5 and be able to easily complete the tasks listed as well as correctly answer all the questions without the use of reference materials.

In addition, students must review and complete the Bring-Your-Own-Laptop (BYOL) Requirements section below and complete the steps outlined in WCNA Boot Camp Preparation.


Bring-Your-Own-Laptop (BYOL) Requirements

Students attending this WCNA Boot Camp are required to bring their own laptops that are properly configured. There will not be time in class to help you configure your laptop, so ensure your system is installed and configured as described below prior to coming to class.

The students must bring a laptop with the most recent version of Wireshark 1.8.x installed (available at www.wireshark.org). We will not be using Wireshark 1.9.x unless specifically denoted in advance of the course. Students may use any OS version on their laptop, but Laura Chappell will be using and displaying Wireshark installed on Windows 7.

A functional USB port is required to access WCNA Boot Camp trace files and other supplemental materials that will be available via USB stick.

Prior to class, you must follow the steps defined in WCNA Boot Camp Preparation on page 2 to return your Default profile to its original state before the start of class.

In summary, before you arrive at the WCNA Boot Camp, you must:

Confirm that the latest version of Wireshark 1.8.x is installed and functional on your laptop.

Confirm that you can launch Wireshark and open a trace file.

Ensure you have a working USB port on your laptop.

Read and follow the instructions in WCNA Boot Camp Preparation.

It is critical that you work through the WCNA Boot Camp Preparation steps before class so that you arrive with a properly configured Wireshark system.

WCNA Boot Camp Preparation

Your Wireshark system should contain a Default profile that is in its original state. Follow the steps below to clean up any changes you may have made to the Default profile:

1. Launch Wireshark.

2. Select Help | About Wireshark | Folders.

3. Open your Personal Configuration folder.

4. Delete (or move) any files in this folder. Do not delete a profiles directory, if one exists. A clean personal configuration folder is shown below (the screenshot is not reproduced in this transcript).
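As an added example (not part of the course materials or of Wireshark itself), the following Python script performs the cleanup above without destroying anything: it moves every entry in the personal configuration folder except the profiles directory into a timestamped backup folder next to it, so customized coloring rules, filters and preferences can be restored after the boot camp. The folder locations it guesses (%APPDATA%\Wireshark on Windows, ~/.wireshark for Wireshark 1.x, ~/.config/wireshark for later releases) are assumptions; the path shown under Help | About Wireshark | Folders is authoritative and can be passed as the first argument instead.

```python
"""Added example: reset the Wireshark personal configuration folder by moving
its contents into a backup folder, leaving the profiles directory in place."""
import os
import shutil
import sys
import time
from pathlib import Path


def personal_config_dir():
    """Guess the personal configuration folder (assumed stock locations only).
    Help | About Wireshark | Folders is authoritative; pass that path if it differs."""
    if sys.platform.startswith("win"):
        return Path(os.environ["APPDATA"]) / "Wireshark"
    legacy = Path.home() / ".wireshark"          # Wireshark 1.x location
    if legacy.is_dir():
        return legacy
    return Path(os.environ.get("XDG_CONFIG_HOME", Path.home() / ".config")) / "wireshark"


def reset_profile(config_dir, backup_root=None, keep=("profiles",)):
    """Move everything in config_dir except the `keep` entries into a new, timestamped
    backup folder. Returns (moved_names, kept_names, backup_path). Nothing is deleted."""
    config_dir = Path(config_dir)
    if not config_dir.is_dir():
        raise FileNotFoundError(f"{config_dir} is not a directory")
    backup_root = Path(backup_root) if backup_root else config_dir.parent
    backup = backup_root / f"{config_dir.name}-backup-{time.strftime('%Y%m%d-%H%M%S')}"
    backup.mkdir(parents=True, exist_ok=False)   # refuse to merge into an existing backup
    moved, kept = [], []
    for entry in sorted(config_dir.iterdir()):
        if entry.name in keep:
            kept.append(entry.name)              # profiles/ stays, as the course instructions require
            continue
        if entry == backup:                      # only possible if backup_root is config_dir itself
            continue
        shutil.move(str(entry), str(backup / entry.name))
        moved.append(entry.name)
    return moved, kept, backup


def remaining_entries(config_dir):
    """Names left in the folder after the reset; expected to be ['profiles'] or empty."""
    return sorted(p.name for p in Path(config_dir).iterdir())


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else personal_config_dir()
    moved, kept, backup = reset_profile(target)
    print(f"moved {len(moved)} entries to {backup}; kept {kept}; remaining {remaining_entries(target)}")
```

Run it with Wireshark closed, since an open instance rewrites the recent file on exit and would repopulate the folder.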


About the Wireshark Certified Network Analyst™ Program

The Wireshark Certified Network Analyst Exam is a globally available, proctored exam, delivered online or at Kryterion Testing Centers worldwide so that candidates have a secure and widely accessible way to take it.

Visit www.wiresharktraining.com/certification for additional information on the Wireshark Certified Network Analyst program. Questions regarding your Wireshark Certified Network Analyst status may be directed to [email protected].

Why Should I Pursue the Wireshark Certified Network Analyst Certification?

Successful completion of the Wireshark Certified Network Analyst Exam indicates you have the knowledge required to capture network traffic, analyze the results, and identify various anomalies related to performance or security issues.

How Do I Earn the Wireshark Certified Network Analyst Status?

To earn the Wireshark Certified Network Analyst status, you must pass a single exam, the WCNA-102x exam. Register for the proctored Wireshark Certified Network Analyst Exam online at www.webassessor.com/pai. (PAI stands for the Protocol Analysis Institute, the parent company of Wireshark University and Chappell University.) For more information on the Exam registration process, visit www.wiresharktraining.com/certification.

Upon completion of the Wireshark Certified Network Analyst Exam, an individual will receive a pass/fail score. Candidates who successfully pass the Wireshark Certified Network Analyst Exam will receive their Wireshark Certified Network Analyst Welcome Kit package that contains the candidate’s certificate and details on maintaining Wireshark Certified Network Analyst status. For more information on the Wireshark Certified Network Analyst program, visit www.wiresharktraining.com/certification.


WCNA Boot Camp Course Estimated Daily Schedule [1]

The following daily schedule indicates which sections are covered each day.

Day One (June 19, 2013): Key Topics in Sections 1-11

Section 1: Network Analysis Overview

Section 2: Introduction to Wireshark

Section 3: Capture Traffic

Section 4: Create and Apply Capture Filters

Section 5: Define Global and Personal Preferences

Section 6: Colorize Traffic

Section 7: Define Time Values and Interpret Summaries

Section 8: Interpret Basic Trace File Statistics

Section 9: Create and Apply Display Filters

Section 10: Follow Streams and Reassemble Data

Section 11: Customize Wireshark Profiles

Day Two (June 20, 2013): Key Topics in Sections 12-22

Section 12: Annotate, Save, Export and Print Packets

Section 13: Use Wireshark’s Expert System

Section 14: TCP/IP Analysis Overview

Section 15: Analyze Domain Name System (DNS) Traffic

Section 16: Analyze Address Resolution Protocol (ARP) Traffic

Section 17: Analyze Internet Protocol (IPv4/IPv6) Traffic

Section 18: Analyze Internet Control Message Protocol (ICMPv4/ICMPv6) Traffic

Section 19: Analyze User Datagram Protocol (UDP) Traffic

Section 20: Analyze Transmission Control Protocol (TCP) Traffic

Section 21: Graph IO Rates and TCP Trends

Section 22: Analyze Dynamic Host Configuration Protocol (DHCPv4/DHCPv6) Traffic

Day Three (June 21, 2013): Key Topics in Sections 23-33

Section 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic

Section 24: Analyze File Transfer Protocol (FTP) Traffic

Section 25: Analyze Email Traffic

Section 26: Introduction to 802.11 (WLAN) Analysis

Section 27: Voice over IP (VoIP) Analysis Fundamentals

Section 28: Baseline “Normal” Traffic Patterns

Section 29: Find the Top Causes of Performance Problems

Section 30: Network Forensics Overview

Section 31: Detect Scanning and Discovery Processes

Section 32: Analyze Suspect Traffic

Section 33: Effective Use of Command-Line Tools

For a complete list of Wireshark Certified Network Analyst Exam Objectives, see Appendix A.

[1] Estimated daily schedule; the actual schedule may vary.


Am I Ready for the WCNA Boot Camp?

To ensure you get the most out of the WCNA Boot Camp, you should be comfortable with the following Wireshark tasks and correctly answer all quiz questions without using reference materials. The Answer Key is located on page 10. If you cannot quickly complete the tasks or you need to reach for reference materials to answer quiz questions, you may need a bit more practice and study time before registering for the WCNA Boot Camp.

Prerequisite Tasks

Task 1: Determine on which interfaces Wireshark can capture traffic.

Task 2: Apply a capture filter for traffic to or from a specific port number.

Task 3: Successfully open a trace file.

Task 4: Determine how many packets are in a trace file.

Task 5: Expand individual areas or entire subtrees in the Packet Details pane.

Task 6: Resize and sort columns in the Packet List pane.

Task 7: Identify all active TCP conversations in a trace file.

Task 8: Create an IO Graph.

Task 9: Apply a display filter for traffic to or from a specific IP address.

Task 10: Save a filtered set of packets to a new file.

Prerequisite Quiz

Q-1. Wireshark relies on the WinPcap driver when running on a Windows host.

True

False

Q-2. The TCP handshake consists of SYN, SYN/ACK and ACK packets.

True

False

Q-3. The Wireshark IO Graph can be used to view the packets-per-second rate of traffic.

True

False

Q-4. The filter ip.addr == 10.10.10.10 can be used as a capture filter.

True

False


Q-5. The packet shown above would be forwarded out all switch ports.

True

False

Q-6. Based on the image above, Wireshark has captured 216 packets.

True

False


Q-7. Promiscuous mode must be enabled when using Wireshark to capture traffic between other hosts on a network.

True

False

Q-8. The IP address notation 10.6.0.0/16 refers to all hosts whose IP address begins with 10.6.

True

False

Q-9. The Wireshark Packet Details pane displays individual header fields and values if Wireshark has a dissector for those headers.

True

False

Q-10. Wireshark Capture Filters can be applied to saved trace files.

True

False

Q-11. The packet shown above should not be forwarded by routers.

True

False


Q-12. DNS can be used to discover the IP address of a host.

True

False

Q-13. Ethernet headers are stripped off and reapplied by routers during the forwarding process.

True

False

Q-14. You cannot alter the format of the Time column in Wireshark’s Packet List pane.

True

False

Q-15. Wireshark’s default trace file format appends .cap to the end of the file name.

True

False

Q-16. The filter icmp.type==3 can be used as a capture filter or display filter.

True

False

Q-17. The image above depicts the first packet of a TCP handshake.

True

False


Q-18. Multicasts are used to communicate with a group of hosts.

True

False

Q-19. UDP is a connection-oriented transport protocol.

True

False

Q-20. You can purchase Wireshark through www.wireshark.org.

True

False


Answer Key

A-1. True. Wireshark relies on the WinPcap driver when running on a Windows host. (This holds for the 1.8 releases the course covers; current Windows builds of Wireshark use the Npcap driver instead.)

A-2. True. The TCP handshake consists of SYN, SYN/ACK and ACK packets. This is referred to as the three-way handshake.

A-3. True. The Wireshark IO Graph can be used to view the packets-per-second rate of traffic. The IO Graph can also be configured to display bits per second and bytes per second.

A-4. False. The filter ip.addr == 10.10.10.10 is a display filter. The proper capture filter would be host 10.10.10.10. Capture filters use the libpcap/BPF syntax and display filters use Wireshark's own field-name syntax; the two are not interchangeable.

A-5. True. The packet shown would be forwarded out all switch ports because it is addressed to the Ethernet broadcast address (ff:ff:ff:ff:ff:ff).

A-6. False. Based on the Status Bar in the image shown, Wireshark has captured 12,716 packets.

A-7. True. Promiscuous mode enables Wireshark to capture traffic that is destined to other hardware addresses, not just the local hardware address. On a switched network it is necessary but not sufficient: the switch delivers unicast frames only to the port where the destination address was learned, so a SPAN/mirror port or a TAP is needed as well (see Section 3).

A-8. True. This is CIDR notation. The term 10.6.0.0/16 refers to all hosts whose IP address begins with 10.6.

A-9. True. The Wireshark Packet Details pane displays individual header fields and values if Wireshark has a dissector for those headers.

A-10. False. Wireshark Capture Filters can only be applied during the capture process, not to saved trace files. To narrow a saved trace file, apply a display filter instead.

A-11. True. The packet shown has a Time-to-Live value of 1. A router that receives it decrements the TTL to 0, discards the packet and normally returns an ICMP Time Exceeded message to the sender; this is exactly how traceroute discovers each hop. The packet can still reach a host on the local network segment.

A-12. True. DNS queries can be sent to discover the IP address of a host.

A-13. True. Ethernet headers are stripped off and reapplied by routers during the forwarding process.

A-14. False. You can alter the format of the Time column in Wireshark's Packet List pane by selecting View | Time Display Format.


A-15. False. Wireshark's default trace file format appends .pcapng to the end of the file name. Prior to version 1.8.x, Wireshark appended .pcap to the file names.

A-16. False. The filter icmp.type==3 is a display filter. Capture filters use the libpcap/BPF syntax, which does not recognize Wireshark's dotted field names.

A-17. False. The image does not depict the first packet of a TCP handshake, which would have only the SYN bit set.

A-18. True. Multicasts are used to communicate with a group of hosts.

A-19. False. UDP is a connectionless transport protocol. TCP is a connection-oriented transport protocol.

A-20. False. Wireshark is free, open-source software; www.wireshark.org distributes it at no charge.
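Added example, not from the course materials or the Wireshark project: a short Python program that writes and reads a classic pcap file and re-implements, over constructed frames, the checks behind Q-4 and Q-8 (ip.addr against a host or a CIDR block), Q-5 (Ethernet broadcast), Q-11 (TTL of 1), Q-16 (icmp.type), Q-17 (SYN-only) and Prerequisite Tasks 4, 7 and 10 (packet count, TCP conversations, saving a filtered subset). The frames, MAC addresses, the 192.0.2.9 destination and the timestamps are all constructed; the dictionary keys mirror Wireshark's display-filter field names only so the checks read like the filters they imitate.

```python
"""Added example (not course or Wireshark code): a minimal classic-pcap reader/writer
plus display-filter-style checks for the quiz and prerequisite-task scenarios.
All frames are constructed here, not captured; IP/TCP/ICMP checksums stay zero
because nothing below verifies them."""
import ipaddress
import struct

ETH_BROADCAST = b"\xff" * 6
MAC_A = bytes.fromhex("001122334455")   # constructed client MAC
MAC_GW = bytes.fromhex("66778899aabb")  # constructed gateway MAC


def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4(src, dst, proto, ttl, payload):
    """20-byte IPv4 header without options; the checksum field is left at zero."""
    src, dst = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, src, dst) + payload


def tcp(sport, dport, flags):
    """20-byte TCP header: ports, seq, ack, data offset (5 words), flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def icmp(type_, code):
    return struct.pack("!BBHI", type_, code, 0, 0)


def arp_request(sender_mac, sender_ip, target_ip):
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # hw=Ethernet, proto=IPv4, opcode 1 = request
    return (hdr + sender_mac + ipaddress.IPv4Address(sender_ip).packed
            + b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed)


SAMPLE_FRAMES = [  # constructed seven-frame trace; 192.0.2.9 is a documentation address
    eth(ETH_BROADCAST, MAC_A, 0x0806, arp_request(MAC_A, "10.10.10.10", "10.10.10.1")),      # 1 ARP broadcast (Q-5)
    eth(MAC_GW, MAC_A, 0x0800, ipv4("10.10.10.10", "10.6.1.7", 6, 64, tcp(49152, 80, 0x02))),  # 2 SYN (Q-17)
    eth(MAC_A, MAC_GW, 0x0800, ipv4("10.6.1.7", "10.10.10.10", 6, 64, tcp(80, 49152, 0x12))),  # 3 SYN/ACK
    eth(MAC_GW, MAC_A, 0x0800, ipv4("10.10.10.10", "10.6.1.7", 6, 64, tcp(49152, 80, 0x10))),  # 4 ACK
    eth(MAC_GW, MAC_A, 0x0800, ipv4("10.10.10.10", "192.0.2.9", 1, 1, icmp(8, 0))),            # 5 echo with TTL 1 (Q-11)
    eth(MAC_A, MAC_GW, 0x0800, ipv4("10.10.10.1", "10.10.10.10", 1, 64, icmp(11, 0))),          # 6 ICMP time exceeded
    eth(MAC_A, MAC_GW, 0x0800, ipv4("10.6.1.7", "10.10.10.10", 1, 64, icmp(3, 3))),             # 7 ICMP port unreachable (Q-16)
]


def write_pcap(frames):
    """Classic libpcap file: magic 0xA1B2C3D4, version 2.4, LINKTYPE_ETHERNET (1). pcapng differs."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1371600000 + i, 0, len(frame), len(frame)) + frame)  # constructed timestamps
    return b"".join(out)


def read_pcap(data):
    """Return the frames of a classic (microsecond) pcap image, honouring the magic's byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic microsecond-resolution pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is dissected here")
    frames, off = [], 24
    while off < len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames


def dissect(frame):
    """Ethernet / IPv4 / TCP / ICMP fields keyed with Wireshark's display-filter field names."""
    f = {"eth.dst": frame[0:6], "eth.src": frame[6:12], "eth.type": struct.unpack_from("!H", frame, 12)[0]}
    if f["eth.type"] == 0x0800:
        ihl = (frame[14] & 0x0F) * 4
        f["ip.ttl"], f["ip.proto"] = frame[22], frame[23]
        f["ip.src"], f["ip.dst"] = ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34])
        l4 = frame[14 + ihl:]
        if f["ip.proto"] == 6:
            f["tcp.srcport"], f["tcp.dstport"] = struct.unpack_from("!HH", l4, 0)
            f["tcp.flags"] = l4[13]
        elif f["ip.proto"] == 1:
            f["icmp.type"], f["icmp.code"] = l4[0], l4[1]
    return f


def ip_addr_match(f, expr):
    """`ip.addr == expr` is true if EITHER ip.src or ip.dst matches; expr may be a host or a
    CIDR block such as 10.6.0.0/16 (Q-4, Q-8). That either/or semantics is why `ip.addr != x`
    rarely does what people expect; `!(ip.addr == x)` is the filter they want."""
    net = ipaddress.ip_network(expr, strict=False)
    return any(f[k] in net for k in ("ip.src", "ip.dst") if k in f)


def is_eth_broadcast(f):      # eth.dst == ff:ff:ff:ff:ff:ff, flooded out every switch port (Q-5)
    return f["eth.dst"] == ETH_BROADCAST


def is_syn_only(f):           # first packet of a handshake has only SYN set (Q-17); ECN bits ignored
    return (f.get("tcp.flags", 0) & 0x3F) == 0x02


def is_icmp_type(f, t):       # icmp.type == t (Q-16)
    return f.get("icmp.type") == t


def is_last_hop_ttl(f):       # ip.ttl == 1: the next router decrements to 0 and discards it (Q-11)
    return f.get("ip.ttl") == 1


def apply_filter(frames, predicate):
    """Display-filter analogue: 1-based numbers of the frames whose fields satisfy predicate."""
    return [n for n, frame in enumerate(frames, 1) if predicate(dissect(frame))]


def tcp_conversations(frames):
    """Task 7: distinct TCP conversations as direction-insensitive (addr, port) pairs."""
    convs = set()
    for f in map(dissect, frames):
        if "tcp.srcport" in f:
            ends = ((str(f["ip.src"]), f["tcp.srcport"]), (str(f["ip.dst"]), f["tcp.dstport"]))
            convs.add(tuple(sorted(ends)))
    return sorted(convs)


def save_filtered(frames, predicate):
    """Task 10: a new pcap image holding only the frames that pass the filter."""
    keep = set(apply_filter(frames, predicate))
    return write_pcap([fr for n, fr in enumerate(frames, 1) if n in keep])


def run_demo(pcap_bytes=None):
    frames = read_pcap(pcap_bytes or write_pcap(SAMPLE_FRAMES))
    return {
        "frame count": len(frames),                                                  # Task 4 / Q-6
        "ip.addr == 10.10.10.10": apply_filter(frames, lambda f: ip_addr_match(f, "10.10.10.10")),
        "ip.addr == 10.6.0.0/16": apply_filter(frames, lambda f: ip_addr_match(f, "10.6.0.0/16")),
        "eth.dst == ff:ff:ff:ff:ff:ff": apply_filter(frames, is_eth_broadcast),
        "tcp.flags == 0x002": apply_filter(frames, is_syn_only),
        "icmp.type == 3": apply_filter(frames, lambda f: is_icmp_type(f, 3)),
        "ip.ttl == 1": apply_filter(frames, is_last_hop_ttl),
        "tcp conversations": tcp_conversations(frames),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The same checks on a real trace: `tshark -r trace.pcapng -Y "ip.addr == 10.10.10.10"` applies a display filter to a saved file, which is what A-10 says a capture filter cannot do (the 1.8 releases used by the course spell the option `-R`); the capture-time equivalents are BPF expressions such as `tshark -i eth0 -f "host 10.10.10.10"` and `icmp[0] == 3` for the ICMP type in Q-16. The reader above only understands classic pcap, and Wireshark 1.8 and later save pcapng by default (A-15), so export a capture as pcap or extend the parser before feeding it a fresh trace.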


Appendix A: Wireshark Certified Network Analyst Exam Objectives (Test WCNA102.1)

Key Area: the Key Area icon marks key topics to study in preparation for the Exam (the icon is not reproduced in this text).

Section 1: Network Analysis Overview
Define the Purpose of Network Analysis
List Troubleshooting Tasks for the Network Analyst
List Security Tasks for the Network Analyst
List Optimization Tasks for the Network Analyst
List Application Analysis Tasks for the Network Analyst
Define Legal Issues of Listening to Network Traffic
Overcome the "Needle in the Haystack" Issue
Understand General Network Traffic Flows
Review a Checklist of Analysis Tasks

Section 2: Introduction to Wireshark
Describe Wireshark's Purpose
Know How to Obtain the Latest Version of Wireshark
Compare Wireshark Release and Development Versions
Report a Wireshark Bug or Submit an Enhancement
Capture Packets on Wired or Wireless Networks
Open Various Trace File Types
Describe How Wireshark Processes Packets
Define the Elements of the Start Page
Identify the Nine GUI Elements
Navigate Wireshark's Main Menu
Use the Main Toolbar for Efficiency
Focus Faster with the Filter Toolbar
Make the Wireless Toolbar Visible
Access Options through Right-Click Functionality
Define the Functions of the Menus and Toolbars

Section 3: Capture Traffic
Know Where to Tap Into the Network
Know When to Run Wireshark Locally
Capture Traffic on Switched Networks
Use a Test Access Port (TAP) on Full-Duplex Networks
Define When to Set up Port Spanning/Port Mirroring on a Switch
Analyze Routed Networks
Analyze Wireless Networks
Define Options for Capturing at Two Locations Simultaneously (Dual Captures)
Identify the Most Appropriate Capture Interface
Capture on Multiple Adapters Simultaneously
Capture Traffic Remotely
Automatically Save Packets to One or More Files
Optimize Wireshark to Avoid Dropping Packets
Conserve Memory with Command-Line Capture


Section 4: Create and Apply Capture Filters
Describe the Purpose of Capture Filters
Build and Apply a Capture Filter to an Interface
Filter by a Protocol
Create MAC/IP Address or Host Name Capture Filters
Capture One Application's Traffic Only
Use Operators to Combine Capture Filters
Create Capture Filters to Look for Byte Values
Manually Edit the Capture Filters File
Share Capture Filters with Others

Section 5: Define Global and Personal Preferences
Find Your Configuration Folders
Set Global and Personal Configurations
Customize Your User Interface Settings
Define Your Capture Preferences
Define How Wireshark Automatically Resolves IP and MAC Names
Plot IP Addresses on a World Map with GeoIP
Resolve Port Numbers (Transport Name Resolution)
Resolve SNMP Information
Configure Filter Expressions
Configure Statistics Settings
Define ARP, TCP, HTTP/HTTPS and Other Protocol Settings
Configure Protocol Settings with Right-Click

Section 6: Colorize Traffic
Use Colors to Differentiate Traffic
Disable One or More Coloring Rules
Share and Manage Coloring Rules
Identify Why a Packet is a Certain Color
Create a "Butt Ugly" Coloring Rule for HTTP Errors
Color Conversations to Distinguish Them
Temporarily Mark Packets of Interest

Section 7: Define Time Values and Interpret Summaries
Use Time to Identify Network Problems
Understand How Wireshark Measures Packet Time
Choose the Ideal Time Display Format
Identify Delays with Time Values
Create Additional Time Columns
Measure Packet Arrival Times with a Time Reference
Identify Client, Server and Path Delays
Calculate End-to-End Path Delays
Locate Slow Server Responses
Spot Overloaded Clients
View a Summary of Traffic Rates, Packet Sizes and Overall Bytes Transferred


Section 8: Interpret Basic Trace File Statistics
Launch Wireshark Statistics
Identify Network Protocols and Applications
Identify the Most Active Conversations
List Endpoints and Map Them on the Earth
Spot Suspicious Targets with GeoIP
List Conversations or Endpoints for Specific Traffic Types
Evaluate Packet Lengths
List All IPv4/IPv6 Addresses in the Traffic
List All Destinations in the Traffic
List UDP and TCP Usage
Analyze UDP Multicast Streams
Graph the Flow of Traffic
Gather Your HTTP Statistics
Examine All WLAN Statistics

Section 9: Create and Apply Display Filters
Understand the Purpose of Display Filters
Create Display Filters Using Auto-Complete
Apply Saved Display Filters
Use Expressions for Filter Assistance
Make Display Filters Quickly Using Right-Click Filtering
Filter on Conversations and Endpoints
Understand Display Filter Syntax
Combine Display Filters with Comparison Operators
Alter Display Filter Meaning with Parentheses
Filter on the Existence of a Field
Filter on Specific Bytes in a Packet
Find Key Words in Upper or Lower Case
Use Display Filter Macros for Complex Filtering
Avoid Common Display Filter Mistakes
Manually Edit the dfilters File

Section 10: Follow Streams and Reassemble Data
Follow and Reassemble UDP Conversations
Follow and Reassemble TCP Conversations
Follow and Reassemble SSL Conversations
Identify Common File Types

Section 11: Customize Wireshark Profiles
Customize Wireshark with Profiles
Create a New Profile
Share Profiles
Create a Troubleshooting Profile
Create a Corporate Profile
Create a WLAN Profile
Create a VoIP Profile
Create a Security Profile


Section 12: Annotate, Save, Export and Print Packets
Annotate a Packet or an Entire Trace File
Save Filtered, Marked and Ranges of Packets
Export Packet Contents for Use in Other Programs
Export SSL Keys
Save Conversations, Endpoints, I/O Graphs and Flow Graph Information
Export Packet Bytes

Section 13: Use Wireshark's Expert System
Launch Expert Info Quickly
Colorize Expert Info Elements
Filter on TCP Expert Information Elements
Define TCP Expert Information

Section 14: TCP/IP Analysis Overview
Define Basic TCP/IP Functionality
Follow the Multistep Resolution Process
Define Port Number Resolution
Define Network Name Resolution
Define Route Resolution for a Local Target
Define Local MAC Address Resolution for a Target
Define Route Resolution for a Remote Target
Define Local MAC Address Resolution for a Gateway

Section 15: Analyze Domain Name System (DNS) Traffic
Define the Purpose of DNS
Analyze Normal DNS Queries/Responses
Analyze DNS Problems
Dissect the DNS Packet Structure
Filter on DNS/MDNS Traffic

Section 16: Analyze Address Resolution Protocol (ARP) Traffic
Define the Purpose of ARP Traffic
Analyze Normal ARP Requests/Responses
Analyze Gratuitous ARP
Analyze ARP Problems
Dissect the ARP Packet Structure
Filter on ARP Traffic

Section 17: Analyze Internet Protocol (IPv4/IPv6) Traffic
Define the Purpose of IP
Analyze Normal IPv4 Traffic
Analyze IPv4 Problems
Dissect the IPv4 Packet Structure
Filter on IPv4/IPv6 Traffic
Sanitize IPv4 Addresses in a Trace File
Set Your IP Protocol Preferences


Section 18: Analyze Internet Control Message Protocol (ICMPv4/ICMPv6) Traffic
Define the Purpose of ICMP
Analyze Normal ICMP Traffic
Analyze ICMP Problems
Dissect the ICMP Packet Structure
Filter on ICMP and ICMPv6 Traffic

Section 19: Analyze User Datagram Protocol (UDP) Traffic
Define the Purpose of UDP
Analyze Normal UDP Traffic
Analyze UDP Problems
Dissect the UDP Packet Structure
Filter on UDP Traffic

Section 20: Analyze Transmission Control Protocol (TCP) Traffic
Define the Purpose of TCP
Analyze Normal TCP Communications
Define the Establishment of TCP Connections
Define How TCP-based Services Are Refused
Define How TCP Connections are Terminated
Track TCP Packet Sequencing
Define How TCP Recovers from Packet Loss
Improve Packet Loss Recovery with Selective Acknowledgments
Define TCP Flow Control
Analyze TCP Problems
Dissect the TCP Packet Structure
Filter on TCP Traffic
Set TCP Protocol Parameters

Section 21: Graph IO Rates and TCP Trends
Use Graphs to View Trends
Generate Basic I/O Graphs
Filter I/O Graphs
Generate Advanced I/O Graphs
Compare Traffic Trends in I/O Graphs
Graph Round Trip Time
Graph Throughput Rates
Graph TCP Sequence Numbers over Time
Interpret TCP Window Size Issues
Interpret Packet Loss, Duplicate ACKs and Retransmissions


Section 22: Analyze Dynamic Host Configuration Protocol (DHCPv4/DHCPv6) Traffic
Define the Purpose of DHCP
Analyze Normal DHCP Traffic
Analyze DHCP Problems
Dissect the DHCP Packet Structure
Filter on DHCPv4/DHCPv6 Traffic
Display BOOTP-DHCP Statistics

Section 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic
Define the Purpose of HTTP
Analyze Normal HTTP Communications
Analyze HTTP Problems
Dissect HTTP Packet Structures
Filter on HTTP or HTTPS Traffic
Export HTTP Objects
Display HTTP Statistics
Graph HTTP Traffic Flows
Set HTTP Preferences
Analyze HTTPS Communications
Analyze SSL/TLS Handshake
Analyze TLS Encrypted Alerts
Decrypt HTTPS Traffic
Export SSL Keys

Section 24: Analyze File Transfer Protocol (FTP) Traffic
Define the Purpose of FTP
Analyze Normal FTP Communications
Analyze Passive Mode Connections
Analyze Active Mode Connections
Analyze FTP Problems
Dissect the FTP Packet Structure
Filter on FTP Traffic
Reassemble FTP Traffic

Section 25: Analyze Email Traffic
Analyze Normal POP Communications
Analyze POP Problems
Dissect the POP Packet Structure
Filter on POP Traffic
Analyze Normal SMTP Communications
Analyze SMTP Problems
Dissect the SMTP Packet Structure
Filter on SMTP Traffic


Section 26: Introduction to 802.11 (WLAN) Analysis
Analyze Signal Strength and Interference
Capture WLAN Traffic
Compare Monitor Mode and Promiscuous Mode
Set up WLAN Decryption
Prepend a Radiotap or PPI Header
Compare Signal Strength and Signal-to-Noise Ratios
Describe 802.11 Traffic Basics
Analyze Normal 802.11 Communications
Dissect Basic 802.11 Frame Elements
Filter on WLAN Traffic
Analyze Frame Control Types and Subtypes
Customize Wireshark for WLAN Analysis

Section 27: Voice over IP (VoIP) Analysis Fundamentals
Define VoIP Traffic Flows
Analyze Session Bandwidth and RTP Port Definition
Analyze VoIP Problems
Examine SIP Traffic
Examine RTP Traffic
Play Back VoIP Conversations
Decipher RTP Player Marker Definitions
Create a VoIP Profile
Filter on VoIP Traffic

Section 28: Baseline "Normal" Traffic Patterns
Define the Importance of Baselining
Baseline Broadcast and Multicast Types and Rates
Baseline Protocols and Applications
Baseline Boot-up Sequences
Baseline Login/Logout Sequences
Baseline Traffic during Idle Time
Baseline Application Launch Sequences and Key Tasks
Baseline Web Browsing Sessions
Baseline Name Resolution Sessions
Baseline Throughput Tests
Baseline Wireless Connectivity
Baseline VoIP Communications

Section 29: Find the Top Causes of Performance Problems
Troubleshoot Performance Problems
Identify High Latency Times
Point to Slow Processing Times
Find the Location of Packet Loss
Watch for Signs of Misconfigurations
Analyze Traffic Redirections
Watch for Small Payload Sizes
Look for Congestion
Identify Application Faults
Note Any Name Resolution Faults


Section 30: Network Forensics Overview
Compare Host to Network Forensics
Gather Evidence
Avoid Detection
Handle Evidence Properly
Recognize Unusual Traffic Patterns
Color Unusual Traffic Patterns

Section 31: Detect Scanning and Discovery Processes
Define the Purpose of Discovery and Reconnaissance
Detect ARP Scans (aka ARP Sweeps)
Detect ICMP Ping Sweeps
Detect Various Types of TCP Port Scans
Detect UDP Port Scans
Detect IP Protocol Scans
Define Idle Scans
Know Your ICMP Types and Codes
Analyze Traceroute Path Discovery
Detect Dynamic Router Discovery
Define Application Mapping Processes
Use Wireshark for Passive OS Fingerprinting
Detect Active OS Fingerprinting
Identify Spoofed Addresses and Scans

Section 32: Analyze Suspect Traffic
Identify Vulnerabilities in the TCP/IP Resolution Processes
Find Maliciously Malformed Packets
Identify Invalid or Dark Destination Addresses
Differentiate between Flooding or Standard Denial of Service Traffic
Find Clear Text Passwords and Data
Identify Phone Home Behavior
Catch Unusual Protocols and Applications
Locate Route Redirection Using ICMP
Catch ARP Poisoning
Catch IP Fragmentation and Overwriting
Spot TCP Splicing
Watch Other Unusual TCP Traffic
Identify Password Cracking Attempts
Build Filters and Coloring Rules from IDS Rules

Section 33: Effective Use of Command-Line Tools
Define the Purpose of Command-Line Tools
Use Wireshark.exe (Command-Line Launch)
Capture Traffic with Tshark
List Trace File Details with Capinfos
Edit Trace Files with Editcap
Merge Trace Files with Mergecap
Convert Text with Text2pcap
Capture Traffic with Dumpcap
Define Rawshark