network troubleshooting with wireshark - chappell university
CREATE YOUR OWN CUSTOMIZED COURSE OUTLINE AT WWW.CHAPPELLU.COM
Network Troubleshooting with Wireshark Course – Sample 2-Day Course Outline • Copyright Chappell University Page 2
Course Formats Available
This 5-day course can be provided in two formats:
• Online Instructor-Led Training
Generally provided in 3-hour or 6-hour increments over several days or spread over several weeks. An excellent option when students are geographically dispersed. This course can be customized using your own trace files. Get a course price estimate or formal course quote at www.chappellU.com (Pricing section). See Training Facility Requirements on page 5 for course setup details.
• Onsite Instructor-Led Training
Offering hands-on lab-based training at your location or a venue convenient for your team, this option is ideal for small or large audience sizes who prefer in-person instruction and a more personalized training approach. This course can be customized using your own trace files. Get a course price estimate or formal course quote at www.chappellU.com (Pricing section). See Training Facility Requirements on page 5 for course setup details.
Also Available – All Access Pass (AAP)
Visit www.lcuportal2.com to learn more about the All Access Pass:
• One year subscription (single seat license)
• Online recorded training sessions
• Course progress tracking and transcripts
• Course certificates
• Access to monthly live online training events
Network Traffic Analysis and Troubleshooting Course Syllabus (2-Day Course) Page 1
Course Description
This course offers hands-on training in network analysis and troubleshooting. This course begins with the core tasks and techniques for TCP/IP analysis (IP, TCP, UDP, ARP, DHCP, HTTP, ICMP) and moves into capture and analysis techniques to spot the most common network problems. Students must provide their own laptops pre-loaded with Wireshark (www.wireshark.org/download). Instructor provides traffic analysis trace files for use in hands-on labs (on CD).
Course Syllabus and Estimated Schedule
The schedule listed is tentative and will fluctuate depending on customer’s needs and focus during the course.
Course Set Up and Analyzer Testing
1. Network Analysis Overview
1.1. Troubleshooting Tasks for the Network Analyst
1.2. Application Analysis Tasks for the Network Analyst
1.3. Legal Issues Related to Listening to Network Traffic
1.4. Overcome the "Needle in a Haystack" Issue
2. Wireshark Functionality Overview
2.1. Capturing Packets on Wired or Wireless Networks
2.2. How Wireshark Processes Packets – Dissectors, Filters
2.3. Key Wireshark Techniques – Filter/WLAN Toolbar, Status Bar, Profiles, Right-Click
3. Capturing Wired and Wireless Traffic
3.1. Know Where to Tap into the Network – Wired/WLAN, Duplex Issues, Switches
3.2. Infrastructure Effects – NAT/PAT, QoS Routing, VLANs, APs
3.3. Using File Sets and Optimizing for Large Capture Quantity
3.4. Using Default and Custom Capture Filters
3.5. Filter by a Protocol, Address or Host Name
4. Setting Up Your Troubleshooting Profile for Faster Analysis
4.1. Set Global and Personal Configurations
4.2. Use Time to Identify Network Issues
4.3. Customize Your User Interface Settings
4.4. Define Your Capture Preferences
4.5. Define IP and MAC Name Resolution
4.6. Define ARP, TCP, HTTP/HTTPS and Other Protocol Settings
4.7. Use Colors to Distinguish Traffic (“T-” Set of Coloring Rules)
5. Interpret Basic Trace File Statistics to Identify Trends
5.1. Launch Wireshark Statistics for Protocols and Applications
5.2. Identify the Most Active Conversations/Endpoints
5.3. Graphic Flow of Traffic
5.4. Analyze HTTP Statistics
6. Create and Apply Display Filters for Efficient Analysis
6.1. Create Display Filters Using Auto Complete
6.2. Create and Apply Saved Display Filters
6.3. Use Expressions for Filter System
6.4. Combine Display Filters with Comparison Operators
6.5. Avoid Common Display Filter Mistakes
7. Follow Streams and Reassemble Data
7.1. Follow and Reassemble UDP and TCP Conversations
7.2. Identify Common File Types
8. Use Wireshark's Expert System to Identify Anomalies
8.1. Launch Expert Info Quickly
8.2. Filter on TCP Expert Information Elements
8.3. Define TCP Expert Information
9. TCP/IP Analysis Overview
9.1. Define Basic TCP/IP Functionality and the Multistep Resolution Process
9.2. Define Port Number Resolution (Altering Wireshark’s Interpretations)
9.3. Define Network Name Resolution (Using Wireshark’s hosts file)
9.4. Define Route Resolution for a Local Target
9.5. Define Local MAC Address Resolution for a Target (Altering Wireshark’s Interpretations)
9.6. Define Route Resolution for a Remote Target
9.7. Define Local MAC Address Resolution for a Gateway (Altering Wireshark’s Interpretations)
10. Analyze Common TCP/IP Traffic Patterns
10.1. Analyze Normal/Unusual DNS Queries/Responses
10.2. Analyze Normal/Unusual ARP Requests/Responses
10.3. Analyze Gratuitous ARP
10.4. Analyze Normal/Unusual IPv4 Traffic
10.5. Analyze Normal/Unusual ICMP Traffic
10.6. Dissect the ICMP Packet Structure
10.7. Analyze Normal/Unusual UDP Traffic
10.8. Analyze Normal/Unusual TCP Communications
10.9. Define the Establishment of TCP Connections
10.10. Define How TCP-based Services Are Refused
10.11. TCP Sequential Packet Tracking
10.12. Define TCP Flow Control
10.13. Analyze TCP Problems
10.14. Set TCP Protocol Parameters
10.15. Analyze Normal/Unusual DHCP Traffic
10.16. Analyze Normal/Unusual HTTP Communications
10.17. Graph HTTP Traffic Flows and Set HTTP Preferences
10.18. Analyze HTTPS Communications
11. Identify the Cause of Network Performance Problems
11.1. Generate Basic and Advanced I/O Graphs
11.2. Analyzing the Cause of High Latency
11.3. Defining the Location of Packet Loss
11.4. Comparing Path Throughput for Various Applications
11.5. Analyzing Window Size Issues
11.6. Identifying Intercepting Device Issues
12. Graph I/O Rates and TCP Trends
12.1. Generate Basic and Advanced I/O Graphs
12.2. Filter I/O Graphs
12.3. Graph Round Trip Time and Throughput Rates
12.4. Interpret TCP Window Size Issues
12.5. Interpret Packet Loss, Duplicate ACKs and Retransmissions
13. Use Command-Line Tools
13.1. Command-Line Tool Overview
Course Wrap Up
Course Customization: Trace Files
Courses can be customized based on the customer’s requirements and trace files provided in a timely manner. The goal of the course is to teach students a more efficient analysis method for spotting the cause of performance problems using Wireshark’s capabilities for capture and analysis. Using the customer’s own trace files provides students with experience analyzing their own traffic. Some things to keep in mind when supplying trace files to use in your course:
• We must receive the files at least 30 days before the course in order to integrate them into the course.
• Trace files should be no larger than 50MB each. If you have larger trace files, we can provide instructions on how to split them into file sets or we can arrange a special upload area to accommodate larger files.
• Trace files should not be taken just by “plugging into a switch and capturing.” This would only allow us to see broadcast and multicast traffic. Consider running Wireshark on a client during the capture sequence.
• Provide us with the following information on each trace file submitted:
  o Method of capture (e.g., spanned a switch port)
  o Capture location (e.g., close to user x who complains of performance issues)
  o Key IP address/host names (e.g., UserX is 10.3.4.2)
  o Any concerns you would like investigated in the trace files
Training Facility Requirements
Onsite Instructor-Led Courses
Ms. Chappell will need to project her laptop throughout the presentation. Appropriately-sized projection screens should be placed in the room to ensure full visibility of the projected screens. A single projection screen (minimum 12’ height) is suggested for smaller audience sizes (less than 50 students); larger and additional projection screens are required for larger audiences. Inadequate screen visibility for attendees will have a serious negative effect on attendee performance and success. In larger venues (typically hosting over 50 attendees), a wireless microphone will be required. Note that wired microphones/stand microphones will not work as Ms. Chappell is typing on her keyboard and walking the room through much of the event. Whiteboards are suggested in smaller venues (hosting less than 50 attendees); they are not used in larger venues. Please notify Ms. Chappell if she will be joined by assistants for the hearing impaired. Ms. Chappell speaks very quickly and at least two interpreters are suggested for the event.
Online Instructor-Led Courses
There are three different options for student access to the Online Instructor-Led courses.
• Option 1: Conference Room/Projector/Speaker
In this configuration all students are at a single facility. One computer is connected to the Internet and webinar service. That computer projects the lesson video while feeding audio to the audience via speakers. Note: In order for students to ask individual questions of the instructor, each student must be logged in to the online training system during the class.
• Option 2: Two Computers per Student; Headset Required
In this configuration all students have two computers. One computer is connected to the Internet and webinar service. That computer projects the lesson video while feeding audio to the audience via headset. The second computer is the Wireshark computer. This option may not work for long class hours as the headsets can become uncomfortable. Note: In order for students to ask individual questions of the instructor, each student must be logged in to the online training system during the class.
• Option 3: Single Computer per Student; Headset Required (Option Not Recommended)
In this configuration all students have a single computer and headset. Students must toggle back and forth between Wireshark and the webinar. This is not an ideal situation, but it has been used before. This option may not work for long class hours as the headsets can become uncomfortable.
About the Instructor
Laura Chappell is a highly-energetic speaker and author of numerous industry titles on network communications, analysis and security. Nicknamed “Glenda, the Good Witch,” Laura has presented to thousands of State, Federal and international law enforcement officers, judicial members, engineers, network administrators, technicians and developers.
Ms. Chappell is a member of the High Technology Crime Investigation Association (HTCIA) and an Associate Member of the Institute for Electrical and Electronic Engineers (IEEE) since 1989. Ms. Chappell is also a member of the FBI’s Infragard organization. Her blend of humor, personal experiences, energy and clarity have earned her a top spot as an industry speaker at Microsoft, Novell, Hewlett-Packard, High Technology Crime Investigation Association and US Court conferences.
Ms. Chappell is the Founder of Chappell University (www.chappellU.com) which develops and delivers onsite and online training in the areas of network protocols, network forensics and network tools. In 2007, Ms. Chappell founded Wireshark University, an educational firm devoted to teaching the art of wiretapping/communications interception, network forensics, TCP/IP analysis and network troubleshooting. Laura’s network analysis, troubleshooting and security training is available online through the All Access Pass at chappellU.com and through customized online/onsite analysis and training.
Clients
Ms. Chappell’s client base is global and includes numerous Fortune 100, federal, state and local law enforcement agencies.
• United States Navy
• United States Arsenal
• United States Court of Appeals
• Hong Kong Police Department
• Apple
• Lockheed Martin
• Cisco Systems
• Salesforce
• Netflix
• Dell, Inc.
• IBM Corporation
• Microsoft Corporation
• Sutherland Asbill & Brennan, LLP
• United Bank of Switzerland
• Federal Home Loan Bank of San Francisco
• McAfee Corporation
• Qualcomm Incorporated
• Symantec Corporation
• Riverbed Technologies
• Naval Criminal Investigative Services (NCIS)
• Northern Indiana Power Company
• Microchip Technology, Inc.
• CapitalOne Financial Services
• City of Canberra (Australia)
• Macau Police Department
• Australian High Tech Crime Centre
• Fidelity National Information Services
• City of San Francisco
• … and several unnamed Federal agencies
Conferences
Ms. Chappell is consistently a top-rated speaker at numerous industry and private conferences including:
• Microsoft TechEd US
• Microsoft TechEd Europe
• Microsoft TechReady (Internal Technical Conference)
• High Technology Crime Investigation International Conference
• IEEE Regional Conference (California)
• Novell BrainShare Conference
• Novell Advanced Technical Training Conference
• US Courts Technical Training Conference
• United States Secret Service Electronic Crimes Task Force Quarterly Meetings
• OpenSourceWorld/LinuxExpo US
• European Forensics Conference
Publications
Ms. Chappell has authored numerous industry titles.
• Wireshark Network Analysis: The Official Wireshark Network Analyst Study Guide (Chappell University)
• Wireshark Certified Network Analyst: Official Exam Prep Guide (Chappell University)
• Guide to TCP/IP (Pearson; co-Author Ed Tittel)
• Introduction to Network Analysis (podbooks)
• Network Analysis Case Studies (podbooks)
• Introduction to Cisco Router Configuration (Cisco Press)
• Advanced Cisco Router Configuration (Cisco Press)
• Multiprotocol Internetworking (Novell Press)
• NetWare LAN Analysis: IPX/SPX (Novell Press)
Contact Information
Coordinator: Brenda Cardinal [email protected]
Phone: +1 408-378-7841
Fax: +1 408-378-7891
Mail: 5339 Prospect Road, #343, San Jose, California 95129 USA
Websites:
www.chappellU.com - Chappell University
www.lcuportal2.com - Online Training Portal
www.wiresharkU.com - Wireshark University