Advanced network troubleshooting using wireshark

Description

The purpose of the course is to provide the participant with in-depth practical knowledge of the Wireshark protocol analyser and how to use it together with additional tools for network analysis. The course covers the software itself, the core TCP/IP protocols, application behaviour analysis, network forensics, and how to use Wireshark and additional scripting tools for thorough analysis of network problems in medium to large scale networks. All topics covered in the course include theory, case studies and hands-on exercises, and are based on the new Wireshark version 3.

Objectives

By the end of the course, the participant will be able to:

  • Understand Wireshark and use it for network analysis
  • Understand the TCP/IP protocol suite and its behaviour over the network
  • Understand common application behaviour over the network
  • Locate abnormal behaviour of network protocols and applications
  • Troubleshoot network problems in small to mid-range enterprise networks
  • Analyse performance degradation issues and locate their causes
  • Locate the root cause for most common network problems
  • Use Tshark and TCPdump for network analysis
  • Perform network analysis in high-speed large-scale networks
  • Use Wireshark and scripting tools for network forensics
  • Use Pyshark and scripting tools for network analysis

Target Audience

R&D, engineering and technical support staff, IT and communications managers

Prerequisites

Basic knowledge of networking and the TCP/IP protocol stack (Introduction to Networking course level), with a basic understanding of Windows/Linux shell scripts and Python

Duration

5 Days

Outline

Introduction to Wireshark

  • How Wireshark Works
  • Capturing Packets
  • Wireshark toolbars and menus
  • Navigation and colorization techniques
  • Using Time Values and Summaries
  • Examining Basic Trace File Statistics
  • Save, Export and Print
  • Lab exercises and case studies

Where to locate Wireshark

  • How to decide where to capture data from
  • Taps and port-mirror
  • Local and remote monitoring
  • Capture data from multiple interfaces
  • Capture data on virtual machines
  • Lab exercises and case studies

Mastering Wireshark for efficient packet capture

  • Capture data to single and multiple files
  • Mergecap and file merging
  • Capture data from local and remote interfaces
  • Wireshark folders, configuration files and plugins
  • Configure user interface, global and protocol preferences
  • MAC/IP/TCP-UDP protocol resolution
  • Import and export files
  • Wireshark performance issues
  • Working with profiles
  • Lab exercises and case studies

Capture filters basics

  • Capture filters syntax
  • Compound capture filters
  • Offset filters
  • The cfilters file
  • Lab exercises and case studies

Display filters

  • Ways to configure display filters
  • Simple and structured filters
  • Focusing on protocol and text strings
  • The dfilters file
  • Lab exercises and case studies

Using basic statistics tools

  • Capture file properties
  • Resolved addresses
  • Protocol hierarchies
  • Endpoint and conversation statistics
  • Protocol statistics
  • Lab exercises and case studies

Using smart statistics tools

  • Create basic and advanced I/O graphs
  • Create TCP Time-Sequence graphs
  • Analyze flow graphs
  • Evaluate service response times
  • Create Round-Trip-Time graphs
  • Analyze TCP/IP flows
  • Analyse application flows
  • Lab exercises and case studies

The Expert System Basics

  • The Expert Info window and how to use it for network troubleshooting
  • Error events and how to interpret them
  • Warning events and how to interpret them
  • Note events and how to interpret them
  • Lab exercises and case studies

CLI and Tshark/TCPDump

  • Working with CLI tools
  • Working with Linux and TCPDump
    • Syntax and filters
    • Buffers and optimization
    • Ways to save capture files
  • Wireshark for Linux

IPv4 analysis

  • IPv4 principles of operation and packet structure: duplicate addresses, routing issues, fragmentation
  • ICMPv4 – protocol operation, analysis and troubleshooting
  • IPv4 ARP – operation and troubleshooting
  • DHCP analysis
  • Lab exercises and case studies

TCP/UDP analysis

  • L4 connectivity
    • L4 operations
    • Connectivity and reliability
    • Well known ports
  • UDP principles and packet structure
    • UDP Basics and frame structure
    • UDP operation
  • TCP principles and packet structure
    • TCP principles, packet structure and state machine
    • The Sliding Windows mechanism and window size changes
    • ACK frequency, delayed ACK and the Nagle algorithm
    • Slow start, flow and congestion control
    • TCP enhancements: selective ACK, timestamps, window scale factor and more
    • The TCP chimney offload mechanism
    • Bandwidth/throughput and delay issues
  • Lab exercises and case studies

Packet Loss, Delay, Jitter and Retransmissions

  • Packet loss and recovery – UDP and TCP
  • Previous segment lost and Out-of-Order Segments events
  • Duplicate ACKs and Fast Retransmissions
  • TCP Retransmissions and their impact on network performance
  • Delay/jitter influence on TCP behaviour
  • Zero window, Window changes and other window problems
  • Lab exercises and case studies

DNS Traffic Analysis

  • DNS, mDNS and secured DNS (DNSSEC): the theory
  • IPv4 and IPv6 record types
  • Normal and suspicious behavior of DNS
  • How to isolate unusual behavior of DNS
  • Configuring smart DNS filters
  • DNS performance issues
  • Lab exercises and case studies

HTTPv1/2 Traffic analysis, including Fiddler

  • HTTP operation and message structure
  • HTTP request methods and status codes
  • Analysing HTTP streams: normal operation and problems
  • How to watch HTTP statistics
  • How to export HTTP objects
  • Analysing HTTPS communications
  • Packet analysis and troubleshooting
  • Lab exercises and case studies

FTP Traffic Analysis

  • FTP/FTPS principles of operation
  • Active and passive FTP
  • FTP performance and how to locate performance problems
  • Lab exercises and case studies

Enterprise Applications Analysis and Troubleshooting

  • MS-Terminal and Citrix operation and troubleshooting
  • SMB/CIFS operation and analysis
  • DCE/RPC operation and analysis
  • Database applications analysis (from the network point of view)
  • Lab exercises and case studies

SIP, IPT and Streaming applications

  • IP telephony principles of operation
  • SIP principles of operation, messages and error codes
  • RTP, RTCP and media transfer
  • Video over IP and RTSP
  • Normal operation and what might go wrong
  • Wireshark features for IPT – SIP, VoIP Calls, RTP, RTSP
  • Capture and display filters for IPT and multimedia
  • Wireshark features for IPT – RTP session parameters and stream analysis, filters and RTP playback feature
  • Lab exercises and case studies

Network Security and Forensics

  • Gathering information: what to look for
  • Unusual traffic patterns
  • Complementary tools
  • MAC and IP address spoofing
  • Attack signatures and where to find them
  • ARP poisoning
  • Header and sequencing signatures
  • Attacks and exploits
  • TCP splicing and unusual traffic
  • DoS and DDoS Attacks
  • Protocol scans
  • DNS-based attacks
  • Finding maliciously malformed packets
  • Lab exercises and case studies

Wireshark software architecture and additional tools

  • Wireshark application architecture
  • Software applications and tools
  • Mergecap and SplitCap
  • Tools and methods for massive packet capture
  • DNS, HTTP, SIP/IPT and specific protocol tools
  • Lab exercises and case studies

Writing smart capture applications

  • Conditional triggering of capture
  • A deeper look into capture filters
  • Using Python for smart inspection and analysis
  • Performing and synchronizing capture on multiple sources
  • Lab exercises and case studies

Labs

  1. Configuring packet capture on single and multiple interfaces
  2. Using navigation and colouring techniques
  3. Using time values
  4. Configuring L2/L3/L4 name resolution
  5. Saving, importing and exporting files
  6. Configuring user interface and global preferences
  7. Configuring basic capture filters and the cfilters file
  8. Configuring structured and offset capture filters
  9. Configuring basic L2/3/4 display filters and the dfilters file
  10. Locating text strings in a capture file
  11. Using basic statistics tools for IP and UDP/TCP traffic analysis
  12. Finding the top talkers and protocols on a network
  13. Working with IO graphs for traffic analysis
  14. Using IO graphs for bandwidth and throughput analysis
  15. Using IO graphs with display filters
  16. Using Expert Info to find network issues
  17. Working with CLI and Scripting tools
  18. Analysing ARP traffic and ARP problems
  19. Understanding normal UDP and TCP behaviour
  20. Resolving TCP retransmission problems
  21. TCP Duplicate ACKs and Fast retransmissions problems
  22. TCP resets and why they happen
  23. TCP zero-window and window changes and why they happen
  24. Determining the cause of slow applications
  25. Delays and how they influence applications
  26. Using TCP stream graphs to analyse TCP behaviour
  27. Analysing packet losses, where they come from and why
  28. Using Expert Info to find application events
  29. TCP performance issues
  30. TCP delay/jitter calculations
  31. TCP timestamps, scale factor and selective ACKs
  32. Analysing SIP connectivity problems
  33. Analysing SSL/TLS connectivity
  34. Analysing DNS problems
  35. Analysing DNS performance problems
  36. Analysing FTP connectivity issues
  37. Analysing HTTP connectivity
  38. Analysing HTTP performance issues
  39. SIP connectivity problems
  40. Degradation in voice quality
  41. Video freezes analysis
  42. Unusual traffic patterns
  43. DDoS attack patterns
  44. DNS Attacks
  45. Case studies and challenges
  46. Writing shell scripts with Wireshark
  47. Writing Python statistics and search tools

Format

  • 5 full day meetings
  • 24 hours
  • Intensive