
This video training with Keith Barker covers Wireshark, the world's most popular
protocol analyzer, including topics such as installing Wireshark, navigating in the
GUI, customizing it, using it as a troubleshooting tool, and more.

Recommended Skills

- Familiarity with networking concepts and protocols
- Network+ (equivalent knowledge) or greater

Recommended Equipment

- Windows, Linux or Mac OS to install Wireshark

Related Job Functions

- Network professionals of all levels
- Security experts
- Developers
- Educators

Whether you need to perform a security application analysis or troubleshoot
something on a network, Wireshark is the tool for you! The popular, open-source
tool is dubbed the "world's foremost network protocol analyzer." (It's also free
and is a cross-platform tool!) In this video training, CBT Nuggets trainer Keith
Barker walks you through everything you need to know about this versatile analyzer.
He'll teach you how to install Wireshark, navigate it, and utilize it to best fit
your needs. Topics he covers include: navigating the graphical user interface
(GUI), creating profiles, filtering, customization and more. Get ready to learn
Wireshark inside-out and how to use it to your benefit!

Videos:

Getting the Most From This Series

In this video, Keith introduces the series, along with some examples of why using a
protocol analyzer (such as Wireshark) is a critical skill. Keith explains the
prerequisites and techniques for getting the most from the time you spend enjoying
this Wireshark nugget series. Accessing the NuggetLab files (as well as other
series that are in progress but not yet finished) is demonstrated.

Jumpstart with Wireshark

Wireshark is the world's most popular (and free) protocol analyzer. In this Nugget,
Keith walks you through the installation, setup, and a first capture, to get you
started right away! The trace file created in this video is available in the
NuggetLab download area.

Navigating in the GUI


It's a Graphical User Interface (GUI), so how hard can it be? For someone who isn't
aware of features or what the icons do, the GUI can appear unfriendly.
Understanding the different areas in the GUI, and what they can do, will save hours
of trial and error. Those who are new to Wireshark, as well as people who have used
it before, can learn some time-saving tidbits in this Nugget.

Arranging Wireshark Your Way


The default arrangement within Wireshark is a starting point, but most of us will
be changing these settings to fit our needs better. In this Nugget, Keith walks you
through sorting, moving, hiding, and restoring columns, as well as using the packet
details area to view and manipulate the protocols captured in the trace.

Wireshark and GNS3

Using virtual environments is a great way to test and validate
servers/applications/devices before putting them on a live production network. GNS3
provides an emulated network and has excellent Wireshark integration. In this
Nugget, we take a sample network and then apply packet capturing at four different
points in that network, in order to compare and contrast the network traffic as it
crosses those points. This Nugget focuses on Wireshark. For videos on GNS3 itself,
please refer to the GNS3 series right here at CBT Nuggets. Also, the four capture
files used in this video are available for download from the NuggetLab area.

Dissectors
Wireshark uses many groups of protocol interpreters (behind the scenes) called
"dissectors." These dissectors provide the useful information that we typically see
in the details area for a capture. In this Nugget, we will take a look at how
Wireshark knows which dissector to use to interpret a specific layer of a protocol
stack, and what we can do when Wireshark doesn't know what dissector to use.

Profiles
Wireshark is used for various purposes. One day we might be doing security
application analysis, and the next day, troubleshooting latency on the network. The
customization of the columns and fields used for each type of analysis will be
different, and that is where profiles can save a bunch of time. By creating
profiles with the perfect settings for a given task, we can switch back and forth
between profiles on the fly, and not have to manually alter the settings each time
we use Wireshark. In this Nugget, Keith walks you through creating a custom
profile, and changing some of the defaults regarding the new profile. The capture
file used in this video is available in the NuggetLab download area.

Looking for Latency

By adding a column for the TCP delta of individual sessions (the time since the
previous packet in the same TCP stream, rather than since the previous frame in the
file), we can see how long a delay exists between the packets in a TCP stream. In
this Nugget, Keith discusses where latency may exist and how to start using
Wireshark to identify it. This video also demonstrates how to move the settings of a
custom profile from one computer to another. The files used in this video,
including additional IOS router commands (that inject latency at R2), can be found
in the NuggetLab files associated with this video.

Controlling the Capture

There are several ways to capture network traffic so that Wireshark can use it. In
this Nugget, Keith explains several options, including taps, SPAN and local
interfaces. Once the location of the capture has been identified, there are several
important options that need to be considered as well, such as not filling up the
hard disk of the capture machine. Multiple-file options, including a ring buffer
that keeps only the newest files, are explained and demonstrated. Supporting
NuggetLab files for this video are available.

Capture Filters

When there are gigabytes of data flowing across the network, and we need 24 hours'
worth of capture time, there will likely be a challenge regarding disk space on the
Wireshark computer (even if splitting the capture over multiple files). In this
Nugget, Keith walks you through and demonstrates the use of Capture Filters in
Wireshark. Capture Filters (written in libpcap/BPF syntax, which is different from
the display filter language) allow Wireshark to only include the traffic you specify
in the capture file, while everything else is discarded before it is written; a
packet dropped by a capture filter cannot be recovered later, so filter
conservatively. The homework assignment for this video is available in the NuggetLab
area.
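As an added example (not part of the CBT Nuggets series or of Wireshark itself) tying together the two preceding sections, the following Python composes a dumpcap command line for an unattended, ring-buffered capture behind a BPF capture filter, and refuses a ring that would exceed a disk budget. It also shows a clause practitioners routinely add on a remote probe: excluding their own management session (SSH on port 22 by default) so it does not fill the ring. The interface name, paths, hosts and sizes are illustrative assumptions; dumpcap counts its rotation size in kB, and 1024 is used here as a conservative multiplier for the upper bound.

```python
"""Compose a dumpcap command for a ring-buffer capture behind a BPF capture filter (added example)."""
import shlex


def exclude_management_traffic(capture_filter, mgmt_host, mgmt_port=22):
    """AND the user's capture filter with a clause that drops the analyst's own session
    (for example SSH to a remote probe). BPF syntax, not display-filter syntax."""
    clause = f"not (host {mgmt_host} and port {mgmt_port})"
    return f"({capture_filter}) and {clause}" if capture_filter else clause


def ring_footprint_bytes(file_size_kb, file_count):
    """Upper bound on disk used by the ring: file_count files of at most file_size_kb each.
    dumpcap's -b filesize unit is kB; 1024 is a deliberately conservative multiplier."""
    return file_size_kb * 1024 * file_count


def dumpcap_ring_argv(interface, capture_filter, out_path, file_size_kb=100_000, file_count=20,
                      disk_budget_bytes=None):
    """argv for: dumpcap -i IFACE -w OUT -b filesize:KB -b files:N [-f FILTER]
    -b files:N keeps only the newest N files (the ring buffer); -b requires -w."""
    if file_size_kb <= 0 or file_count < 2:
        raise ValueError("a ring buffer needs a positive file size and at least two files")
    footprint = ring_footprint_bytes(file_size_kb, file_count)
    if disk_budget_bytes is not None and footprint > disk_budget_bytes:
        raise ValueError(f"ring could reach {footprint} bytes, over the {disk_budget_bytes}-byte budget")
    argv = ["dumpcap", "-i", interface, "-w", out_path,
            "-b", f"filesize:{file_size_kb}", "-b", f"files:{file_count}"]
    if capture_filter:
        argv += ["-f", capture_filter]
    return argv


def shell_line(argv):
    """Quoted one-liner for pasting into a shell on the capture host."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Assumed values: probe interface eth0, analyst workstation 10.0.0.100, DNS-only capture.
    flt = exclude_management_traffic("port 53", "10.0.0.100")
    argv = dumpcap_ring_argv("eth0", flt, "/var/cap/dns.pcapng", 10_000, 10,
                             disk_budget_bytes=500_000_000)
    print(shell_line(argv))
```

With `-b`, dumpcap inserts a sequence number and timestamp into each file name, so the base name given to `-w` is a prefix rather than a single file.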

Display Filters

Many times, capture files can be large and contain thousands of network
conversations. Using a Display Filter, we can tell Wireshark which packets to
display, allowing us to focus on that specific traffic (unlike a capture filter, a
display filter hides packets but does not remove them from the file). In this
Nugget, Keith demonstrates the logic, creation, and use of Display Filters. The
starting profile preference file used in this video is available in the NuggetLab
area, along with the capture file used in this video.

Adv. Display Filters


Often, to see the exact traffic we want to see, a complex (or at least more
detailed) Display Filter is needed. In this Nugget, Keith walks you through how to
create advanced filters using the details pane of Wireshark, and the all-powerful
right mouse button. The profile and capture files for this video are in the
NuggetLab area for this video.

Zeroing in on Conversations
Focusing on a single conversation among the thousands that may be part of a capture
file could be like looking for a needle in a haystack. Fortunately, Wireshark has
some sweet tools to assist us in following conversations. In this Nugget, Keith
walks you through four separate ways to focus on specific conversations within a
capture file. The capture file, along with the preferences file for the profile
used in this video, are available in the NuggetLab area.
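The two ideas from "Looking for Latency" and "Zeroing in on Conversations" above (a per-stream TCP delta that differs from the per-frame delta, and isolating one conversation out of many) are shown here in an added, standard-library-only Python example that is not part of the series or of Wireshark. It builds a small constructed pcap of two interleaved TCP handshakes with fictional 10.0.0.0/8 addresses, parses it, and computes both deltas; the conversation key is the direction-independent address/port 4-tuple, which is an approximation of Wireshark's tcp.stream (Wireshark also starts a new stream when a port pair is reused). Checksums in the constructed frames are left zero.

```python
"""Per-conversation TCP delta (Wireshark's tcp.time_delta) from a raw pcap (added example)."""
import socket
import struct


def tcp_frame(src_ip, sport, dst_ip, dport, flags):
    """Ethernet/IPv4/TCP frame with no options or payload; checksums left zero (constructed data)."""
    eth = b"\x00" * 12 + b"\x08\x00"                          # zero MACs, EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(packets):
    """(sec, usec, frame) records -> classic little-endian pcap bytes, link type 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", s, us, len(f), len(f)) + f for s, us, f in packets)
    return header + records


def parse_pcap(data):
    """Yield (frame_no, timestamp, src_ip, dst_ip, sport, dport) for every IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    endian, ts_div = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),      # microsecond files
                      0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}.get(magic, (None, None))
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "IHHiIII", data, 0)[6] != 1:
        raise ValueError("only link type 1 (Ethernet) is handled")
    off, frame_no = 24, 0
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        frame_no += 1                                          # Wireshark numbers every frame, skipped or not
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                           # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        if len(frame) < 14 + ihl + 4:
            continue
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield (frame_no, sec + frac / ts_div, socket.inet_ntoa(frame[26:30]),
               socket.inet_ntoa(frame[30:34]), sport, dport)


def tcp_deltas(data):
    """One row per TCP frame: frame_delta (since the previous frame in the file) and
    tcp_delta (since the previous frame of the same conversation). They diverge when streams interleave."""
    rows, prev_ts, prev_conv_ts = [], None, {}
    for frame_no, ts, src, dst, sport, dport in parse_pcap(data):
        conv = tuple(sorted([(src, sport), (dst, dport)]))    # direction-independent 4-tuple
        rows.append({"frame": frame_no, "conv": conv,
                     "frame_delta": round(ts - prev_ts, 6) if prev_ts is not None else 0.0,
                     "tcp_delta": round(ts - prev_conv_ts[conv], 6) if conv in prev_conv_ts else 0.0})
        prev_ts, prev_conv_ts[conv] = ts, ts
    return rows


def slow_frames(rows, threshold_s=0.3):
    """Frames whose tcp_delta reaches the threshold, like sorting a TCP delta column descending."""
    return [r["frame"] for r in rows if r["tcp_delta"] >= threshold_s]


def conversation_frames(rows, ip, port):
    """Frames of the conversation that has (ip, port) as one endpoint: a conversation filter."""
    return [r["frame"] for r in rows if (ip, port) in r["conv"]]


SAMPLE_PCAP = build_pcap([  # constructed: two handshakes interleaved, then one late ACK
    (0, 0,      tcp_frame("10.0.0.1", 40000, "10.0.0.2", 80, 0x02)),   # 1 SYN      conv A
    (0, 1000,   tcp_frame("10.0.0.2", 80, "10.0.0.1", 40000, 0x12)),   # 2 SYN/ACK  conv A
    (0, 2000,   tcp_frame("10.0.0.1", 40001, "10.0.0.3", 443, 0x02)),  # 3 SYN      conv B
    (0, 3000,   tcp_frame("10.0.0.3", 443, "10.0.0.1", 40001, 0x12)),  # 4 SYN/ACK  conv B
    (0, 352000, tcp_frame("10.0.0.1", 40000, "10.0.0.2", 80, 0x10)),   # 5 ACK, 351 ms late, conv A
])

if __name__ == "__main__":
    rows = tcp_deltas(SAMPLE_PCAP)
    for r in rows:
        print(r["frame"], r["conv"], f"frame_delta={r['frame_delta']:.3f}", f"tcp_delta={r['tcp_delta']:.3f}")
    print("slow frames:", slow_frames(rows), "conv A:", conversation_frames(rows, "10.0.0.2", 80))
```

Frame 5 is only 349 ms after frame 4 in the file, but 351 ms after the previous packet of its own conversation; sorting on the per-frame delta would attribute the gap to the wrong stream, which is why the per-session TCP delta column is the one to use.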

Upgrading Wireshark

In this Nugget, Keith walks you through the upgrade to version 1.10. This new
version includes a variety of new features, among them auto-update, HTTP request-
response time-stamps and additional display filter functionality. The two capture
files demonstrated in this video, along with the preferences file from the profile
used at the beginning of the video, are available in the NuggetLab area for this
video.

Sorting out a Troubled Network


What's really going on inside of the network? In this Nugget, join Keith on a
journey to investigate (based on a Wireshark capture, and using your display filter
skills) to identify what type of malicious traffic is on the network. The capture
file, profile preferences file and "Solution for display filter.txt" are all
available in the NuggetLab area.

Raspberry Pi Remote Monitoring

Having a dedicated capture device next to a remote switch is a luxury, and by using
a Raspberry Pi for that remote monitoring, the price just went way, way down. In
this Nugget, Keith demonstrates how you can use a $35 (US) Raspberry Pi as the
capture device and forward its X Window GUI right back to your management computer.

How Regular are Your Expressions?

Wireshark's display filters support regular expressions (the "matches" operator)
and wildcards that can save us lots of time when searching our packet captures. In
this Nugget, Keith walks you through examples of when and how to use these,
including demonstrations. The capture file, regular expression file, and the
preferences file from the profile used in the video are all available in the
NuggetLab area. Download them and have them ready so you can practice right along
with the video.
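To make the logic of the "Display Filters", "Adv. Display Filters" and regular-expression sections concrete, here is an added example (not from the series or from Wireshark's own code) that evaluates a small subset of Wireshark's display-filter syntax in plain Python: field presence, ==, !=, <, >, <=, >=, contains, matches (regular expressions), &&/and, ||/or, !/not and parentheses. The packets are constructed dicts of already-decoded fields (using documentation address ranges), not real dissections; the example mirrors two Wireshark behaviours that trip people up: a comparison against a field the packet does not have is false, and since Wireshark 3.6 `!=` means "all values not equal" for multi-valued fields such as ip.addr. As in Wireshark, `matches` is case-insensitive by default.

```python
"""Evaluate a subset of Wireshark display-filter syntax over decoded fields (added example)."""
import re

_TOKEN = re.compile(r'\s*(?:(\(|\)|&&|\|\||!=|==|>=|<=|>|<|!)'   # operators, longest first
                    r'|"((?:[^"\\]|\\.)*)"'                      # double-quoted value
                    r'|([^\s()"=!<>&|]+))')                     # bare word: field, value or keyword
_WORD_OPS = {"and": "&&", "or": "||", "not": "!", "contains": "contains", "matches": "matches"}
_CMP_OPS = ("==", "!=", ">", "<", ">=", "<=", "contains", "matches")


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"bad filter near {text[pos:]!r}")
        pos, (op, quoted, word) = m.end(), m.groups()
        if op:
            tokens.append(("op", op))
        elif quoted is not None:
            tokens.append(("str", quoted))
        else:
            tokens.append(("op", _WORD_OPS[word]) if word in _WORD_OPS else ("word", word))
    return tokens


class DisplayFilter:
    """Recursive descent; precedence from loosest to tightest: ||, &&, !, comparison."""
    def __init__(self, text):
        self._toks, self._i = tokenize(text), 0
        self.ast = self._or()
        if self._i != len(self._toks):
            raise SyntaxError(f"unexpected {self._toks[self._i][1]!r}")

    def _peek(self):
        return self._toks[self._i] if self._i < len(self._toks) else (None, None)

    def _take(self):
        if self._i >= len(self._toks):
            raise SyntaxError("unexpected end of filter")
        self._i += 1
        return self._toks[self._i - 1]

    def _binary(self, sym, name, operand):          # left-associative chain of one operator
        node = operand()
        while self._peek() == ("op", sym):
            self._take()
            node = (name, node, operand())
        return node

    def _or(self):
        return self._binary("||", "or", self._and)

    def _and(self):
        return self._binary("&&", "and", self._not)

    def _not(self):
        if self._peek() == ("op", "!"):
            self._take()
            return ("not", self._not())
        return self._primary()

    def _primary(self):
        kind, val = self._take()
        if (kind, val) == ("op", "("):
            node = self._or()
            if self._take() != ("op", ")"):
                raise SyntaxError("missing ')'")
            return node
        if kind != "word":
            raise SyntaxError(f"expected a field name, got {val!r}")
        if self._peek()[0] == "op" and self._peek()[1] in _CMP_OPS:
            op, (vkind, value) = self._take()[1], self._take()
            if vkind not in ("word", "str"):
                raise SyntaxError(f"expected a value after {op!r}")
            return ("cmp", val, op, value)
        return ("present", val)                      # bare field or protocol name, e.g. "http"

    def match(self, packet):
        return _eval(self.ast, packet)


def _compare(have, op, want):
    if op == "contains":
        return str(want) in str(have)
    if op == "matches":                              # case-insensitive by default, like Wireshark
        return re.search(want, str(have), re.IGNORECASE) is not None
    try:
        a, b = int(have), int(want)                  # numeric when both sides are integers
    except (TypeError, ValueError):
        a, b = str(have), str(want)
    return {"==": a == b, "!=": a != b, ">": a > b, "<": a < b, ">=": a >= b, "<=": a <= b}[op]


def _eval(node, pkt):
    kind = node[0]
    if kind == "or":
        return _eval(node[1], pkt) or _eval(node[2], pkt)
    if kind == "and":
        return _eval(node[1], pkt) and _eval(node[2], pkt)
    if kind == "not":
        return not _eval(node[1], pkt)
    if kind == "present":
        return node[1] in pkt
    _, field, op, want = node
    if field not in pkt:                             # comparing an absent field is always false
        return False
    values = pkt[field] if isinstance(pkt[field], list) else [pkt[field]]
    if op == "!=":                                   # "all not equal" (Wireshark 3.6 and later)
        return all(_compare(v, op, want) for v in values)
    return any(_compare(v, op, want) for v in values)


SAMPLE_PACKETS = [  # constructed decoded-field view of three frames, not a real capture
    {"frame.number": 1, "ip.src": "10.0.0.5", "ip.addr": ["10.0.0.5", "203.0.113.10"], "tcp": True,
     "tcp.dstport": 80, "http": True, "http.host": "www.example.com", "http.request.uri": "/index.html"},
    {"frame.number": 2, "ip.src": "10.0.0.5", "ip.addr": ["10.0.0.5", "10.0.0.53"], "udp": True,
     "udp.dstport": 53, "dns": True, "dns.qry.name": "cdn.example.com"},
    {"frame.number": 3, "ip.src": "10.0.0.7", "ip.addr": ["10.0.0.7", "198.51.100.9"], "tcp": True,
     "tcp.dstport": 4444, "tcp.flags.syn": 1},
]


def matching_frames(filter_text, packets=SAMPLE_PACKETS):
    """Frame numbers a display filter keeps, like the packet list after applying it."""
    flt = DisplayFilter(filter_text)
    return [p["frame.number"] for p in packets if flt.match(p)]


def is_valid_filter(filter_text):
    """True when the filter parses; Wireshark shows the same check as the green/red filter bar."""
    try:
        DisplayFilter(filter_text)
        return True
    except SyntaxError:
        return False
```

Try `ip.addr != 10.0.0.5` against the sample: only frame 3 survives, because frames 1 and 2 each have 10.0.0.5 as one of their two ip.addr values. The older reading of `!=` ("any value not equal") would have kept all three frames, which is exactly the confusion the 3.6 change removed.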

Coloring Rules

Another method to assist us in seeing and interpreting packets is to use coloring
rules for various types of packets. In this Nugget, Keith walks you through how to
determine why a color was used, and then how to change the defaults if desired.
Exporting custom color settings for portability is also discussed and demonstrated.
The profile preferences file, along with the capture file used in this video, are
available in the NuggetLab area.

Using Temporary Colors


Coloring rules are great, but what about temporarily assigning a color to focus on
a specific conversation or session in a specific trace file? In this Nugget, Keith
explains and demonstrates how to use temporary colors to focus on the packets that
are of most interest to you. The profile preferences file, along with the capture
file used in this video, are waiting for you in the NuggetLab area.

Exporting
How do we get a portion of a capture file (as part of a new file or a report), into
the hands of those who need it? One solution is to use the Export feature in
Wireshark. In this Nugget, Keith walks you through the benefits and options of
exporting. The preferences file from the profile used in this video as well as the
capture file are available in the NuggetLab file area.

Input/Output Graphs
Identifying the protocols, hosts, subnets (etc) that are using up the most
bandwidth is easily done with IO graphs in Wireshark. In this Nugget, Keith walks
you through the creation and use of these graphs. The capture file used in this
video is available in the NuggetLab file area.

Expert Infos in Wireshark


When Wireshark offers a "recommendation" regarding a potential problem, it can
assist us in finding problems more quickly. The "Expert Infos" comments that are
added can automatically alert us to errors and issues within a capture file. In
this Nugget, Keith walks you through using this feature. The preferences file (from
the profile used at the beginning of this video) along with the capture used, are
available as part of the NuggetLab files associated with this video.

Seeing What the User Downloaded


Two cooks with equal skills, the same recipe, and the same ingredients, can make
the same meal. Likewise, when Wireshark has all the packets involved in a session,
it can often allow the recreation of the files seen or downloaded by a user. In
this Nugget, Keith shows you how to see graphic files from HTTP sessions, and how
to recreate and locally save an FTP file from a Wireshark capture. The profile
preferences file along with the capture and other images used in this video are
available in the NuggetLab file area for this video.

VoIP
One of the types of traffic we are likely to see in a capture file is Voice over IP
(VoIP). In this Nugget, Keith walks you through how to look at, graph and replay
voice conversations from the captured packets using Wireshark. The profile
preferences file, along with the capture file used in this video are available via
the NuggetLab file area for this video.

IPv6

Using a protocol analyzer can shed light on what is really happening with IPv6,
including the ability to verify what is actually happening on the network compared
to what is supposed to happen. In this Nugget, Keith walks you through setting up a
test IPv6 network and then capturing and analyzing the traffic with Wireshark.
Merging capture files is also covered in this video. Capture and config files used
in this Nugget are in the NuggetLab file area.

Total Series Duration: 07:56:16
