
WSU04: Wireshark Network Forensics and Security

Appendix H: Wireshark University Course List

www.wiresharkU.com
Wireshark University™

These courses offer basic through advanced functionality in troubleshooting and network
forensics using Wireshark, the world’s most popular network analyzer.

WSU01: Wireshark Functionality and Fundamentals


Learn how to use Wireshark efficiently and effectively by placing Wireshark in the ideal
location to capture traffic (even on a switched network). Learn to focus on key traffic
using filters and display your results with Wireshark’s graphs.

Available in instructor-led format or self-paced video format.

Course Overview – Introduction ........................................................................ 00:00

Section 1: Introduction to Wireshark ........................................................... 0:00


Module A. History, Authors and License .............................................. 0:11
Module B. How Wireshark Works......................................................... 3:51
Module C. Wireshark Folders, Plugins and Help.................................. 13:57
Module D. Resources and References for Analysts ............................ 18:55

Section 2: Capturing Packets...................................................................... 0:00


Module A. Select an Active Interface ................................................... 0:12
Module B. Capture to a File.................................................................. 4:35
Module C. Capture to a Ring Buffer ..................................................... 13:14
Module D. Open and Work with File Sets ............................................ 18:59
Module E. Default Capture Filters ........................................................ 21:36
Module F. Create New Capture Filters................................................. 27:05
Module G. Avoid Dropped Packets ...................................................... 34:07
Module H. Test Yourself ....................................................................... 37:34

Section 3: Configuring Global Preferences ................................................. 0:00


Module A. Customize the User Interface.............................................. 0:11
Module B. Set Global Capture Preferences ......................................... 15:09
Module C. Define Name Resolution Preferences ................................ 22:22
Module D. Alter Protocol Settings ........................................................ 33:49
Module E. Key Preference Settings ..................................................... 46:44

Section 4: Navigation and Colorization Techniques .................................... 0:00


Module A. Go to a Specific Packet Number ......................................... 0:11
Module B. Find Packets Based on Payload Values ............................. 4:40
Module C. Sort Columns ...................................................................... 10:51
Module D. Use and Customize Packet Colors ..................................... 14:56
Module E. Mark Packets....................................................................... 30:11
Module F. Show a Packet in a New Window........................................ 33:29
Module G. Test Yourself....................................................................... 35:11

WSU04: Wireshark Network Forensics and Security - Appendix H Page H-2


© 2007 Protocol Analysis Institute, Inc.
Wireshark University™

Section 5: Using Time Values and Summaries ........................................... 0:00


Module A. Use the Default Time Column Setting and Precision.......... 0:11
Module B. Use Time between Packets ................................................ 6:26
Module C. Set a Time Reference and View Capture Time .................. 11:33
Module D. Troubleshooting with Time.................................................. 14:08
Module E. Analyze Summary Information ............................................ 18:54
Module F. Test Yourself ....................................................................... 26:53

Section 6: Examining Basic Trace File Statistics......................................... 0:00


Module A. Examine Protocol Hierarchies............................................. 0:11
Module B. View Network Connections ................................................. 3:46
Module C. View Network Endpoints ..................................................... 9:38
Module D. Evaluate Destinations ......................................................... 17:36
Module E. View IP Address Information............................................... 20:22
Module F. Evaluate Packet Lengths..................................................... 22:48
Module G. Evaluate Port Types ........................................................... 25:31
Module H. Examine Multicast Streams and Settings .......................... 27:32
Module I. Test Yourself......................................................................... 35:43

Section 7: Advanced Trace File Statistics ................................................... 0:00


Module A. Create IO Graphs ................................................................ 0:11
Module B. Create TCP Time-Sequence Graphs .................................. 22:27
Module C. Analyze Flow Graphs .......................................................... 40:30
Module D. Evaluate Service Response Times ..................................... 53:26
Module E. Analyze BOOTP/DHCP Statistics ....................................... 59:47
Module F. View HTTP Statistics ........................................................... 1:03:50
Module G. Create Round-Trip Time Graphs ........................................ 1:11:06

Section 8: Creating Display Filters .............................................................. 0:00


Module A. Follow a TCP Stream ......................................................... 0:11
Module B. Create Filters from Conversations and Endpoints .............. 11:34
Module C. Default Display Filters and Filter Syntax ............................. 24:14
Module D. Build and Save Filters Based on Packets........................... 37:11
Module E. Filter on Payload Bytes ....................................................... 50:44
Module F. Use Expressions to Build Display Filters............................. 1:03:02
Module G. Use Boolean Operands and Negatives .............................. 1:10:47
Module H. The 10 Most Useful Filters .................................................. 1:20:43
Module I. Manually Edit the Filter File ................................................. 1:28:38

Section 9: Save, Export and Print ............................................................... 0:00


Module A. Save Filtered, Marked and Ranges of Packets................... 0:11
Module B. Chart Conversation/Endpoint/Flow Graph Information ....... 7:18
Module C. Save and Reassemble Data Streams................................. 15:15
Module D. Export Packet Information................................................... 26:00
Module E. Print Packets ....................................................................... 30:25
Module F. Capture/Edit Screen Shots for Reports ............................... 34:38

Section 10: Expert System and Miscellaneous Tasks ................................... 0:00


Module A. Use Expert Information ....................................................... 0:11
Module B. Analyze Firewall ACL Rules................................................ 20:27
Module C. Protocol Forcing .................................................................. 31:46
Module D. Merging Files....................................................................... 36:42
Module E. Zoom, Autoscroll and Resizing Columns ............................ 40:25


Section 11: Using Command-Line Tools ....................................................... 0:00


Module A. tshark and dumpcap............................................................ 0:11
Module B. capinfos ............................................................................... 17:57
Module C. editcap................................................................................. 20:10
Module D. mergecap ............................................................................ 24:03
Module E. text2pcap............................................................................. 29:45

Appendix A: Wireshark Lab Exercises [Video and PDF File] .......................... 0:00

Appendix B: Trace File Catalog [Video and PDF File] .................................... 0:00

Appendix C: Command-Line Tools Reference [Video and PDF File] ............. 0:00

Appendix D: Wireshark University Course List [Video and PDF File] ............. 0:00


WSU02: Wireshark TCP/IP Network Analysis


This course focuses on both the normal and abnormal communication patterns of the
TCP/IP suite and most common applications including DHCP, DNS, FTP, Telnet, HTTP,
POP and SMTP.

Available in instructor-led format or self-paced video format.

Course Overview - Introduction ......................................................................... 0:00

Section 1: TCP/IP Functionality Overview................................................... 0:00


Module A. Resources and References for Analysts............................. 0:11
Module B. Capture on Hubbed, Switched and Routed Networks ........ 10:07
Module C. The TCP/IP Resolution Process ......................................... 16:38
Module D. Faults in the Resolution Process ........................................ 23:11

Section 2: Analyze Domain Name System (DNS) Traffic ............................ 0:00


Module A. Understand DNS Packet Structure ..................................... 0:11
Module B. Filter on DNS Traffic............................................................ 7:41
Module C. Analyze Normal DNS Traffic ............................................... 23:27
Module D. Analyze Unusual DNS Traffic ............................................. 38:16

Section 3: Analyze Address Resolution Protocol (ARP) Traffic ................... 0:00


Module A. Understand ARP Packet Structure...................................... 0:11
Module B. Filter on ARP Traffic............................................................ 4:19
Module C. Analyze Normal ARP Traffic ............................................... 10:59
Module D. Analyze Unusual ARP Traffic.............................................. 16:48

Section 4: Analyze Internet Protocol Version 4 (IPv4) Traffic ...................... 0:00


Module A. Understand IPv4 Packet Structure ..................................... 0:11
Module B. Filter on IPv4 Traffic ........................................................... 9:36
Module C. Analyze Normal IPv4 Traffic............................................... 22:33
Module D. Analyze Unusual IPv4 Traffic ............................................. 24:50

Section 5: Analyze Internet Control Message Protocol (ICMP) Traffic......... 0:00


Module A. Understand ICMP Packet Structure ................................... 0:11
Module B. Filter on ICMP Traffic ......................................................... 6:21
Module C. Analyze Normal ICMP Traffic............................................. 11:14
Module D. Analyze Unusual ICMP Traffic ........................................... 19:34

Section 6: Analyze User Datagram Protocol (UDP) Traffic.......................... 00:00


Module A. Understand UDP Packet Structure..................................... 0:11
Module B. Filter on UDP Traffic ........................................................... 3:32
Module C. Analyze Normal UDP Traffic .............................................. 12:23
Module D. Analyze Unusual UDP Traffic............................................. 17:13


Section 7: Analyze Transmission Control Protocol (TCP) Traffic................. 0:00


Module A. Understand TCP Packet Structure ..................................... 0:11
Module B. Filter on TCP Traffic ........................................................... 11:49
Module C. Analyze Normal TCP Traffic............................................... 20:36
Module D. Analyze Unusual TCP Traffic ............................................. 36:54
Module E. Analyze Handshake Problems ............................................ 44:52
Module F. Analyze the TCP Recovery Process ................................... 50:42
Module G. Analyze TCP Congestion Traffic......................................... 1:07:24

Section 8: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic ... 0:00
Module A. Understand DHCP Packet Structure.................................. 0:11
Module B. Filter on DHCP Traffic ........................................................ 8:25
Module C. Analyze Normal DHCP Traffic ........................................... 13:34
Module D. Analyze Unusual DHCP Traffic.......................................... 24:36

Section 9: Analyze Hypertext Transfer Protocol (HTTP) Traffic................... 0:00


Module A. Understand HTTP Packet Structure .................................. 0:11
Module B. Filter on HTTP Traffic......................................................... 4:35
Module C. Analyze Normal HTTP Traffic ............................................ 11:55
Module D. Analyze Unusual HTTP Traffic........................................... 27:35

Section 10: Analyze Telnet Traffic ................................................................ 0:00


Module A. Understand Telnet Packet Structure.................................. 0:11
Module B. Filter on Telnet Traffic ........................................................ 3:30
Module C. Analyze Normal Telnet Traffic ........................................... 8:17
Module D. Analyze Unusual Telnet Traffic.......................................... 16:34

Section 11: Analyze File Transfer Protocol (FTP) Traffic............................... 0:00


Module A. Understand FTP Packet Structure ..................................... 0:11
Module B. Filter on FTP Traffic............................................................ 4:46
Module C. Analyze Normal FTP Traffic ............................................... 15:02
Module D. Analyze Unusual FTP Traffic ............................................. 21:56

Section 12: Analyze Post Office Protocol (POP) Traffic ................................ 0:00
Module A. Understand POP Packet Structure .................................... 0:11
Module B. Filter on POP Traffic........................................................... 3:28
Module C. Analyze Normal POP Traffic .............................................. 6:30
Module D. Analyze Unusual POP Traffic ............................................ 12:37

Section 13: Analyze Simple Mail Transfer Protocol (SMTP) Traffic ............... 0:00
Module A. Understand SMTP Packet Structure.................................. 0:11
Module B. Filter on SMTP Traffic ........................................................ 3:36
Module C. Analyze Normal SMTP Traffic ........................................... 7:42
Module D. Analyze Unusual SMTP Traffic.......................................... 15:11

Appendix A: Trace File Catalog [Video and PDF File] .................................... 0:00

Appendix B: Requests for Comments Sets [Video and PDF File] ................... 0:00

Appendix C: Command-Line Tools Reference [Video and PDF File] .............. 0:00

Appendix D: Wireshark University Course List [Video and PDF File] .............. 0:00


WSU03: Wireshark Troubleshooting Network Performance


This course focuses on the cause of poor network performance including packet-loss,
retransmissions, high latency, low throughput rates, minimal bandwidth, application
errors, configuration faults, resolution problems and protocol behavior problems.

Available in instructor-led format or self-paced video format.

Course Introduction - Introduction ..................................................................... 0:00

Section 1: Analyzer Placement ................................................................... 0:00


Module A. Analyzing Hubbed, Switched and Routed Networks . 0:11
Module B. Analyzing Full-Duplex Networks ............................... 16:09
Module C. Capturing in Stealth Mode........................................ 28:20

Section 2: Normal Network Communications .............................................. 0:00


Module A. When Everything Goes Right.............................................. 0:11
Module B. The Multi-Step Resolution Process..................................... 10:18
Module C. Reviewing Normal Traffic.................................................... 17:15
Module D. Is this Normal? .................................................................... 49:37

Section 3: Causes of Performance Problems.............................................. 0:00


Module A. Where Network Faults Occur.................................... 0:11
Module B. Where Delays are Incurred....................................... 4:03
Module C. Test Yourself – DNS Errors...................................... 11:43

Section 4: Wireshark Functions for Troubleshooting ................................... 0:00


Module A. Using Pre-Defined Coloring Rules ...................................... 0:11
Module B. Basic and Advanced IO Graphs.......................................... 5:34
Module C. Use the Delta Time Value ................................................... 19:36
Module D. Analyze Expert Information................................................. 25:12
Module E. Look Who’s Talking............................................................. 31:33
Module F. Follow the Stream................................................................ 37:25
Module G. Bandwidth Use, Round Trip Time, TCP Performance........ 44:19
Module H. Flow Graphing..................................................................... 58:07
Module I. Statistics (Various)................................................................ 1:02:57

Section 5: Latency Issues ........................................................................... 0:00


Module A. The Five Primary Points in Calculating Latency ................. 0:11
Module B. Plotting High Latency Times ............................................... 10:33
Module C. Using the frame.time_delta Filter ........................................ 24:06

Section 6: Packet Loss and Retransmissions.............................................. 0:00


Module A. Indications of Packet Loss .................................................. 0:11
Module B. Reading Wireshark Code .................................................... 16:18
Module C. Packet Loss and Recovery ................................................. 30:26

Section 7: Misconfigurations and Redirections............................................ 0:00


Module A. Visible Misconfigurations..................................................... 0:11
Module B. Don’t Forget the Time ......................................................... 18:36


Section 8: Dealing with Congestion............................................................. 0:00


Module A. Congestion Areas................................................................ 0:11
Module B. Flooded Out......................................................................... 14:01

Section 9: Baseline Network Communications ............................................ 0:00


Module A. Your First Task When You Leave Class ............................. 0:11

Appendix A: Wireshark Lab Exercises [Video and PDF File] .......................... 0:00
Lab Exercise Information............................................................ 0:11
Slow Browsing ........................................................................... 1:16
Slow DHCP ............................................................................ 9:23
Bad FTP ............................................................................ 16:40
Failed FTP Session.................................................................... 24:55
POST No Bills ............................................................................ 30:25
Poisoned ............................................................................ 37:17
Frustrated Client......................................................................... 41:52

Appendix B: Trace File Catalog [Video and PDF File] ................................... 0:00

Appendix C: Wireshark Code Sample [Video and PDF File] .......................... 0:00

Appendix D: ICMP Type and Code List [Video and PDF File] ........................ 0:00

Appendix E: Command-Line Tools Reference [Video and PDF File] ............. 0:00

Appendix F: Wireshark University Course List [Video and PDF File] ............. 0:00


WSU04: Wireshark Network Forensics and Security


This course focuses on network forensics including capture locations, stealth-mode
capture, optimal capture and display filters, validating encrypted logins, identifying
reconnaissance processes, locating header and payload signatures, catching
penetration tests, malware behavior, backdoor communications and virus traffic.

Available in instructor-led format and self-paced video format.

Course Overview – Introduction ........................................................................ 0:00

Section 1: Analyzer Placement ................................................................... 0:00


Module A. Tap in to Hubbed, Switched and Routed Networks ............ 0:11
Module B. Tap in to Full-Duplex Links.................................................. 12:42
Module C. Capture in Stealth Mode ..................................................... 19:01
Module D. Your Analysis Lab ............................................................... 23:50

Section 2: Unusual Network Communications............................................. 0:00


Module A. Understanding Normal TCP/IP Resolution Processes........ 0:11
Module B. TCP/IP Resolution Process Vulnerabilities ......................... 6:37
Module C. Spotting Unusual Traffic...................................................... 14:14

Section 3: Reconnaissance Processes ....................................................... 0:00


Module A. Port Scans........................................................................... 0:11
Module B. Mutant Scans ...................................................................... 15:15
Module C. IP Scans.............................................................................. 21:24
Module D. Application Mapping............................................................ 28:34
Module E. OS Fingerprinting ................................................................ 40:32

Section 4: Analyzing ICMP Traffic............................................................... 0:00


Module A. ICMP Types and Codes ...................................................... 0:11
Module B. ICMP Discovery................................................................... 12:25
Module C. Router Redirection .............................................................. 29:10
Module D. Dynamic Router Discovery ................................................. 37:17
Module E. Service Refusal ................................................................... 40:09
Module F. OS Fingerprinting ................................................................ 46:16

Section 5: TCP Security ............................................................................ 0:00


Module A. TCP Segment Splicing ........................................................ 0:11
Module B. Malformed TCP Packets ..................................................... 5:00
Module C. Reset Injections (aka Reset Attacks) .................................. 8:49
Module D. Fake TCP Resets................................................................ 12:34

Section 6: Address Spoofing....................................................................... 0:00


Module A. MAC Address Spoofing ...................................................... 0:11
Module B. IP Address Spoofing ........................................................... 4:42


Section 7: Building Firewall ACL Rules ....................................................... 0:00


Module A. Overview of ACL Rule Types and Options ......................... 0:11
Module B. Automatically Generating ACL Rules.................................. 5:24

Section 8: Signatures of Attacks ................................................................. 0:00


Module A. Signature Locations ............................................................ 0:11
Module B. Obtaining Signatures........................................................... 14:02
Module C. Sample Botnet Attacks........................................................ 19:35
Module D. Password Cracks ................................................................ 38:54
Module E. Denial of Service Attacks .................................................... 51:06
Module F. Redirections......................................................................... 1:07:38

Appendix A: Wireshark Lab Exercises [Video and PDF File] .......................... 0:00
Lab Exercise Information............................................................ 0:11
Covert FTP Communications ..................................................... 0:52
Dueling Honeypots..................................................................... 6:54
Worm-Infected System............................................................... 14:28
Hidden Data ............................................................................ 24:45
Checking for a Poisoner ............................................................. 32:45
Clear Text Passwords ................................................................ 39:08
Decrypt SSL Traffic with an RSA Key......................................... 41:13

Appendix B: Trace File Catalog [Video and PDF File] .................................... 0:00

Appendix C: Wireshark Code Sample [Video and PDF File]........................... 0:00

Appendix D: ICMP Type and Code List [Video and PDF File]......................... 0:00

Appendix E: IANA Port List [Video and PDF File] ........................................... 0:00

Appendix F: Snort Rules [Video and PDF File]............................................... 0:00

Appendix G: Command-Line Tools Reference [Video and PDF File] .............. 0:00

Appendix H: Wireshark University Course List [Video and PDF File] .............. 0:00
