Description
This course is the first in a series of three, in which we will learn about the Wireshark software, the tools it provides, and how to use them for analysis and troubleshooting of TCP/IP-based networks. We will learn how to use the software, how to use capture and display filters, the statistics tools, the expert system, and special features. Every topic in the course includes theory, case studies and hands-on exercises. The course is based on the new Wireshark version 3.
Objectives
By the end of the course, the participant will be able to:
- Start Wireshark and use it in various scenarios.
- Understand where to place Wireshark in the network for efficient packet capture.
- Use Wireshark in various network topologies and scenarios.
- Configure capture and display filters.
- Effectively use statistics tools, including IO graphs and TCP stream graphs.
- Effectively use the expert system to locate network issues.
Target Audience
R&D, engineering and technical support staff; IT and communications managers
Prerequisites
Basic knowledge of networking and the TCP/IP protocol stack (Introduction to Networking course level), with a basic understanding of Windows/Linux shell scripts and Python
Duration
8 Hours
Outline
Introduction to Wireshark
- How Wireshark Works
- Capturing Packets
- Wireshark toolbars and menus
- Navigation and colorization techniques
- Using Time Values and Summaries
- Examining Basic Trace File Statistics
- Save, Export and Print
Where to place Wireshark
- How to decide where to capture data from
- Taps and port-mirror
- Local and remote monitoring
- Capture data from multiple interfaces
- Capture data on virtual machines
Mastering Wireshark for efficient packet capture
- Capture data to single and multiple files
- Mergecap and file merging
- Capture data from local and remote interfaces
- Wireshark folders, configuration files and plugins
- Configuring user interface, global and protocol preferences
- MAC/IP/TCP-UDP protocol resolution
- Import and export files
- Wireshark performance issues
- Working with profiles
Capture filters basics
- Capture filters syntax
- Compound capture filters
- Offset filters
- The cfilters file
Display filters
- Ways to configure display filters
- Simple and structured filters
- Focusing on protocol and text strings
- The dfilters file
Using basic statistics tools
- Capture file properties
- Resolved addresses
- Protocol hierarchies
- Endpoint and conversation statistics
- Protocol statistics
Using smart statistics tools
- Create basic and advanced I/O graphs
- Create TCP Time-Sequence graphs
- Analyze flow graphs
- Evaluate service response times
- Create Round-Trip-Time graphs
- Analyze TCP/IP flows
- Analyze application flows
The Expert System Basics
- The Expert Infos window and how to use it for network troubleshooting
- Understanding error events
- Understanding warning events
- Understanding note events
CLI, TShark and tcpdump
- Working with CLI tools
- Working with Linux and tcpdump
- How to use syntax and filters
- Buffers and optimization
- Ways to save capture files
- Wireshark for Linux
Exercises
- Configuring packet capture on single and multiple interfaces
- Using navigation and colorization techniques
- Using time values
- Configuring L2/L3/L4 name resolution
- Saving, importing, and exporting files
- Configuring user interface and global preferences
- Configuring basic capture filters and the cfilters file
- Configuring structured and offset capture filters
- Configuring basic L2/L3/L4 display filters and the dfilters file
- Locating text strings in a capture file
- Using basic statistics tools for IP and UDP/TCP traffic analysis
- Finding the top talkers and protocols on a network
- Working with IO graphs for traffic analysis
- Using IO graphs for bandwidth and throughput analysis
- Using IO graphs with display filters
- Using Expert Infos to find network issues
- Working with CLI and scripting tools