
Network Troubleshooting with Wireshark Sample 2-Day Course Outline

CREATE YOUR OWN CUSTOMIZED COURSE OUTLINE AT WWW.CHAPPELLU.COM

Network Troubleshooting with Wireshark Course – Sample 2-Day Course Outline • Copyright Chappell University Page 2

Course Formats Available

This 5-day course can be provided in two formats:

• Online Instructor-Led Training

Generally provided in 3-hour or 6-hour increments over several days or spread over several weeks. An excellent option when students are geographically dispersed. This course can be customized using your own trace files. Get a course price estimate or formal course quote at www.chappellU.com (Pricing section). See Training Facility Requirements on page 5 for course setup details.

• Onsite Instructor-Led Training

Offering hands-on, lab-based training at your location or a venue convenient for your team, this option is ideal for small or large audiences who prefer in-person instruction and a more personalized training approach. This course can be customized using your own trace files. Get a course price estimate or formal course quote at www.chappellU.com (Pricing section). See Training Facility Requirements on page 5 for course setup details.

Also Available – All Access Pass (AAP)

Visit www.lcuportal2.com to learn more about the All Access Pass, which includes:

• One year subscription (single seat license)
• Online recorded training sessions
• Course progress tracking and transcripts
• Course certificates
• Access to monthly live online training events

Network Traffic Analysis and Troubleshooting Course Syllabus (2-Day Course) Page 1

Course Description

This course offers hands-on training in network analysis and troubleshooting. It begins with the core tasks and techniques for TCP/IP analysis (IP, TCP, UDP, ARP, DHCP, HTTP, ICMP) and moves into capture and analysis techniques to spot the most common network problems. Students must provide their own laptops pre-loaded with Wireshark (www.wireshark.org/download). The instructor provides traffic analysis trace files for use in hands-on labs (on CD).

Course Syllabus and Estimated Schedule

The schedule listed is tentative and will fluctuate depending on the customer’s needs and focus during the course.

Course Set Up and Analyzer Testing

1. Network Analysis Overview
1.1. Troubleshooting Tasks for the Network Analyst
1.2. Application Analysis Tasks for the Network Analyst
1.3. Legal Issues Related to Listening to Network Traffic
1.4. Overcome the "Needle in a Haystack" Issue

2. Wireshark Functionality Overview
2.1. Capturing Packets on Wired or Wireless Networks
2.2. How Wireshark Processes Packets – Dissectors, Filters
2.3. Key Wireshark Techniques – Filter/WLAN Toolbar, Status Bar, Profiles, Right-Click

3. Capturing Wired and Wireless Traffic
3.1. Know Where to Tap into the Network – Wired/WLAN, Duplex Issues, Switches
3.2. Infrastructure Effects – NAT/PAT, QoS Routing, VLANs, APs
3.3. Using File Sets and Optimizing for Large Capture Quantity
3.4. Using Default and Custom Capture Filters
3.5. Filter by a Protocol, Address or Host Name

4. Setting Up Your Troubleshooting Profile for Faster Analysis
4.1. Set Global and Personal Configurations
4.2. Use Time to Identify Network Issues
4.3. Customize Your User Interface Settings
4.4. Define Your Capture Preferences
4.5. Define IP and MAC Name Resolution
4.6. Define ARP, TCP, HTTP/HTTPS and Other Protocol Settings
4.7. Use Colors to Distinguish Traffic (“T-” Set of Coloring Rules)

5. Interpret Basic Trace File Statistics to Identify Trends
5.1. Launch Wireshark Statistics for Protocols and Applications
5.2. Identify the Most Active Conversations/Endpoints
5.3. Graph the Flow of Traffic
5.4. Analyze HTTP Statistics


6. Create and Apply Display Filters for Efficient Analysis
6.1. Create Display Filters Using Auto Complete
6.2. Create and Apply Saved Display Filters
6.3. Use Expressions for the Filter System
6.4. Combine Display Filters with Comparison Operators
6.5. Avoid Common Display Filter Mistakes

7. Follow Streams and Reassemble Data
7.1. Follow and Reassemble UDP and TCP Conversations
7.2. Identify Common File Types

8. Use Wireshark's Expert System to Identify Anomalies
8.1. Launch Expert Info Quickly
8.2. Filter on TCP Expert Information Elements
8.3. Define TCP Expert Information

9. TCP/IP Analysis Overview
9.1. Define Basic TCP/IP Functionality and the Multistep Resolution Process
9.2. Define Port Number Resolution (Altering Wireshark’s Interpretations)
9.3. Define Network Name Resolution (Using Wireshark’s hosts file)
9.4. Define Route Resolution for a Local Target
9.5. Define Local MAC Address Resolution for a Target (Altering Wireshark’s Interpretations)
9.6. Define Route Resolution for a Remote Target
9.7. Define Local MAC Address Resolution for a Gateway (Altering Wireshark’s Interpretations)

10. Analyze Common TCP/IP Traffic Patterns
10.1. Analyze Normal/Unusual DNS Queries/Responses
10.2. Analyze Normal/Unusual ARP Requests/Responses
10.3. Analyze Gratuitous ARP
10.4. Analyze Normal/Unusual IPv4 Traffic
10.5. Analyze Normal/Unusual ICMP Traffic
10.6. Dissect the ICMP Packet Structure
10.7. Analyze Normal/Unusual UDP Traffic
10.8. Analyze Normal/Unusual TCP Communications
10.9. Define the Establishment of TCP Connections
10.10. Define How TCP-based Services Are Refused
10.11. TCP Sequential Packet Tracking
10.12. Define TCP Flow Control
10.13. Analyze TCP Problems
10.14. Set TCP Protocol Parameters
10.15. Analyze Normal/Unusual DHCP Traffic
10.16. Analyze Normal/Unusual HTTP Communications
10.17. Graph HTTP Traffic Flows and Set HTTP Preferences
10.18. Analyze HTTPS Communications


11. Identify the Cause of Network Performance Problems
11.1. Generate Basic and Advanced I/O Graphs
11.2. Analyze the Cause of High Latency
11.3. Define the Location of Packet Loss
11.4. Compare Path Throughput for Various Applications
11.5. Analyze Window Size Issues
11.6. Identify Intercepting Device Issues

12. Graph I/O Rates and TCP Trends
12.1. Generate Basic and Advanced I/O Graphs
12.2. Filter I/O Graphs
12.3. Graph Round Trip Time and Throughput Rates
12.4. Interpret TCP Window Size Issues
12.5. Interpret Packet Loss, Duplicate ACKs and Retransmissions

13. Use Command-Line Tools
13.1. Command-Line Tool Overview

Course Wrap Up


Course Customization: Trace Files

Courses can be customized based on the customer’s requirements and trace files provided in a timely manner. The goal of the course is to teach students a more efficient analysis method for spotting the cause of performance problems using Wireshark’s capabilities for capture and analysis. Using the customer’s own trace files provides students with experience analyzing their own traffic. Some things to keep in mind when supplying trace files to use in your course:

• We must receive the files at least 30 days before the course in order to integrate them into the course.

• Trace files should be no larger than 50MB each. If you have larger trace files, we can provide instructions on how to split them into file sets, or we can arrange a special upload area to accommodate larger files.

• Trace files should not be taken just by “plugging into a switch and capturing.” This would only allow us to see broadcast and multicast traffic. Consider running Wireshark on a client during the capture sequence.

• Provide us with the following information on each trace file submitted:
  o Method of capture (e.g., spanned a switch port)
  o Capture location (e.g., close to user x who complains of performance issues)
  o Key IP addresses/host names (e.g., UserX is 10.3.4.2)
  o Any concerns you would like investigated in the trace files
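The trace-file guidance above (and syllabus topic 3.3, Using File Sets) refers to splitting large captures into file sets. Wireshark ships editcap for this (editcap -c <packets per file>); the script below is an added example, not Chappell University material or part of Wireshark, showing what that split involves at the file-format level. It parses the classic little-endian pcap format with only the Python standard library, bounds-checks every record so a truncated or corrupt capture is rejected rather than silently written into damaged chunks, copies the global header into every chunk so each file opens on its own, and names the chunks with a sequence number and the first packet's UTC timestamp in the pattern Wireshark uses for file sets. The sample capture it builds is constructed for the demo (zeroed Ethernet/IPv4 stubs one second apart); the 50 MB limit is not enforced, only a packet count per file.

```python
"""Split a classic pcap into a Wireshark-style file set by packet count.

Added example (not Chappell University material): stdlib only, so it runs
without Wireshark installed; in practice `editcap -c <packets>` does this job.
"""
import struct
import tempfile
import time
from pathlib import Path

PCAP_MAGIC_USEC = 0xA1B2C3D4                 # little-endian, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")       # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")          # ts_sec, ts_usec, incl_len, orig_len


def read_pcap(data: bytes):
    """Parse a little-endian usec pcap; return (global header bytes, list of raw records).

    Every record is bounds-checked, so a truncated or corrupt file raises
    ValueError instead of producing a file set with silently damaged chunks.
    """
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    fields = GLOBAL_HDR.unpack_from(data, 0)
    if fields[0] != PCAP_MAGIC_USEC:
        raise ValueError(f"unsupported magic 0x{fields[0]:08x} (pcapng / big-endian not handled here)")
    snaplen = fields[5]
    records, pos = [], GLOBAL_HDR.size
    while pos < len(data):
        if len(data) - pos < RECORD_HDR.size:
            raise ValueError(f"truncated record header at offset {pos}")
        _ts_sec, _ts_usec, incl_len, _orig_len = RECORD_HDR.unpack_from(data, pos)
        if snaplen and incl_len > snaplen:
            raise ValueError(f"record at offset {pos} claims {incl_len} bytes, above snaplen {snaplen}")
        end = pos + RECORD_HDR.size + incl_len
        if end > len(data):
            raise ValueError(f"truncated packet data at offset {pos}")
        records.append(data[pos:end])
        pos = end
    return data[:GLOBAL_HDR.size], records


def check_pcap(data: bytes):
    """Return None when data is a complete, well-formed pcap, otherwise the error text."""
    try:
        read_pcap(data)
        return None
    except ValueError as exc:
        return str(exc)


def split_into_file_set(src: Path, dest_dir: Path, packets_per_file: int):
    """Write src as <stem>_<NNNNN>_<YYYYMMDDHHMMSS>.pcap chunks (Wireshark's file-set pattern).

    Each chunk carries a copy of the original global header, so every file
    opens on its own in Wireshark. The timestamp is the chunk's first packet, in UTC.
    """
    if packets_per_file < 1:
        raise ValueError("packets_per_file must be >= 1")
    hdr, records = read_pcap(src.read_bytes())
    dest_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for start in range(0, len(records), packets_per_file):
        chunk = records[start:start + packets_per_file]
        first_ts = RECORD_HDR.unpack_from(chunk[0], 0)[0]
        stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime(first_ts))
        out = dest_dir / f"{src.stem}_{len(written):05d}_{stamp}.pcap"
        out.write_bytes(hdr + b"".join(chunk))
        written.append(out)
    return written


def build_sample_pcap(n_packets: int, base_ts: int = 1_600_000_000) -> bytes:
    """Constructed input for the demo: n minimal Ethernet/IPv4 frames, one per second."""
    hdr = GLOBAL_HDR.pack(PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    frame = bytes(12) + b"\x08\x00" + b"\x45" + bytes(19)          # zeroed MACs, EtherType IPv4, IPv4 stub
    body = b"".join(
        RECORD_HDR.pack(base_ts + i, 0, len(frame), len(frame)) + frame
        for i in range(n_packets)
    )
    return hdr + body


def demo(n_packets: int = 7, packets_per_file: int = 3):
    """Round-trip the constructed capture through a temp dir; return (file names, packets per file)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "capture.pcap"
        src.write_bytes(build_sample_pcap(n_packets))
        parts = split_into_file_set(src, Path(tmp) / "set", packets_per_file)
        names = [p.name for p in parts]
        counts = [len(read_pcap(p.read_bytes())[1]) for p in parts]
    return names, counts


if __name__ == "__main__":
    for name, count in zip(*demo()):
        print(f"{name}: {count} packets")
```

Splitting by packet count keeps the logic simple; splitting by byte size (the 50 MB figure above) would only change the loop condition, since each record's on-disk size is already known from its header. The parser deliberately refuses pcapng and big-endian pcap rather than guessing, which is the safer failure mode when a capture of unknown provenance is handed over for analysis.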


Training Facility Requirements

Onsite Instructor-Led Courses

Ms. Chappell will need to project her laptop throughout the presentation. Appropriately sized projection screens should be placed in the room to ensure full visibility of the projected screens. A single projection screen (minimum 12’ height) is suggested for smaller audiences (fewer than 50 students); larger and additional projection screens are required for larger audiences. Inadequate screen visibility for attendees will have a serious negative effect on attendee performance and success. In larger venues (typically hosting over 50 attendees), a wireless microphone will be required. Note that wired microphones/stand microphones will not work, as Ms. Chappell is typing on her keyboard and walking the room through much of the event. Whiteboards are suggested in smaller venues (hosting fewer than 50 attendees); they are not used in larger venues. Please notify Ms. Chappell if she will be joined by assistants for the hearing impaired. Ms. Chappell speaks very quickly and at least two interpreters are suggested for the event.

Online Instructor-Led Courses

There are three different options for student access to the Online Instructor-Led courses.

• Option 1: Conference Room/Projector/Speaker

In this configuration all students are at a single facility. One computer is connected to the Internet and webinar service. That computer projects the lesson video while feeding audio to the audience via speakers. Note: In order for students to ask individual questions of the instructor, each student must be logged in to the online training system during the class.


• Option 2: Two Computers per Student; Headset Required

In this configuration all students have two computers. One computer is connected to the Internet and webinar service; that computer displays the lesson video while feeding audio to the student via headset. The second computer is the Wireshark computer. This option may not work for long class hours, as the headsets can become uncomfortable. Note: In order for students to ask individual questions of the instructor, each student must be logged in to the online training system during the class.

• Option 3: Single Computer per Student; Headset Required (Option Not Recommended)

In this configuration all students have a single computer and headset. Students must toggle back and forth between Wireshark and the webinar. This is not an ideal situation, but it has been used before. This option may not work for long class hours, as the headsets can become uncomfortable.

About the Instructor

Laura Chappell is a highly-energetic speaker and author of numerous industry titles on network communications, analysis and security. Nicknamed “Glenda, the Good Witch,” Laura has presented to thousands of State, Federal and international law enforcement officers, judicial members, engineers, network administrators, technicians and developers.

Ms. Chappell is a member of the High Technology Crime Investigation Association (HTCIA) and an Associate Member of the Institute for Electrical and Electronic Engineers (IEEE) since 1989. Ms. Chappell is also a member of the FBI’s Infragard organization. Her blend of humor, personal experiences, energy, and clarity have earned her a top spot as an industry speaker at Microsoft, Novell, Hewlett-Packard, High Technology Crime Investigation Association and US Court conferences.

Ms. Chappell is the Founder of Chappell University (www.chappellU.com), which develops and delivers onsite and online training in the areas of network protocols, network forensics and network tools. In 2007, Ms. Chappell founded Wireshark University, an educational firm devoted to teaching the art of wiretapping/communication interception, network forensics, TCP/IP analysis and network troubleshooting.

Laura’s network analysis, troubleshooting and security training is available online through the All Access Pass at chappellU.com and through customized online/onsite analysis and training.

Clients

Ms. Chappell’s client base is global and includes numerous Fortune 100, federal, state and local law enforcement agencies.

• United States Navy
• United States Arsenal
• United States Court of Appeals
• Hong Kong Police Department
• Apple
• Lockheed Martin
• Cisco Systems
• Salesforce
• Netflix
• Dell, Inc.
• IBM Corporation
• Microsoft Corporation
• Sutherland Asbill & Brennan, LLP
• United Bank of Switzerland


• Federal Home Loan Bank of San Francisco
• McAfee Corporation
• Qualcomm Incorporated
• Symantec Corporation
• Riverbed Technologies
• Naval Criminal Investigative Services (NCIS)
• Northern Indiana Power Company
• Microchip Technology, Inc.
• CapitalOne Financial Services
• City of Canberra (Australia)
• Macau Police Department
• Australian High Tech Crime Centre
• Fidelity National Information Services
• City of San Francisco
• … and several unnamed Federal agencies

Conferences

Ms. Chappell is consistently a top-rated speaker at numerous industry and private conferences, including:

• Microsoft TechEd US
• Microsoft TechEd Europe
• Microsoft TechReady (Internal Technical Conference)
• High Technology Crime Investigation International Conference
• IEEE Regional Conference (California)
• Novell BrainShare Conference
• Novell Advanced Technical Training Conference
• US Courts Technical Training Conference
• United States Secret Service Electronic Crimes Task Force Quarterly Meetings
• OpenSourceWorld/LinuxExpo US
• European Forensics Conference

Publications

Ms. Chappell has authored numerous industry titles.

• Wireshark Network Analysis: The Official Wireshark Network Analyst Study Guide (Chappell University)
• Wireshark Certified Network Analyst: Official Exam Prep Guide (Chappell University)
• Guide to TCP/IP (Pearson; co-author Ed Tittel)
• Introduction to Network Analysis (podbooks)
• Network Analysis Case Studies (podbooks)
• Introduction to Cisco Router Configuration (Cisco Press)
• Advanced Cisco Router Configuration (Cisco Press)
• Multiprotocol Internetworking (Novell Press)
• NetWare LAN Analysis: IPX/SPX (Novell Press)


Contact Information

Coordinator: Brenda Cardinal [email protected]
Phone: +1 408-378-7841
Fax: +1 408-378-7891
Mail: 5339 Prospect Road, #343, San Jose, California 95129 USA

Websites:
www.chappellU.com - Chappell University
www.lcuportal2.com - Online Training Portal
www.wiresharkU.com - Wireshark University