sharkfest ‘16 europe · 2017-04-26 · sharkfest ’16 europe • arnhem, netherlands • october...

SharkFest ‘16 Europe #sf16eu Top 5 False Positives Jasper Bongertz Wednesday, October 19th, 2016 Trace Wrangler | Packet-Foo

Upload: others

Post on 10-Mar-2020

9 views

Category:

Documents

0 download

Report

Download

Embed Size (px):

TRANSCRIPT

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

SharkFest ‘16 Europe

#sf16eu

Top 5 False Positives

Jasper Bongertz

Wednesday, October 19th, 2016

Trace Wrangler | Packet-Foo

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

Before we start…

• Packet-Foo Network Analysis blog: https://blog.packet-foo.com

• TraceWrangler Website: https://www.tracewrangler.com

• My Wireshark color profile:

https://goo.gl/hsoIKp

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

Agenda

1. Negative Delta Times

2. Frame size and checksum problems

3. Retransmissions and Duplicate ACKs

4. Zero Window

5. Retransmission cost

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

1. Negative Delta Times

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

1 - Wireshark Demo

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

2. Frame size & checksum problems

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

2 - Wireshark Demo

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

False Positive 2 explained

The offloading effect

Application

Operating System

NIC driver

Application

Operating System

NIC driver

Dum

pcap

Sender Receiver

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

3. Retransmissions & Duplicate ACKs

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

3 – Wireshark Demo

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

False Positive 3 explained (1/3)

Mirror

Port Monitor

Port

SPAN with a single port

mirrored

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

False Positive 3 explained (2/3)

Mirror

Port Monitor

Port

Mirror

Port

SPAN with two ports mirrored

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

False Positive 3 explained (3/3)

Mirror

Port Monitor

Port

Mirror

Port

SPAN with two ports mirrored

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

4. Zero Window

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

4 – Wireshark Demo

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

5. Retransmission cost

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

5 – Wireshark Demo

SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu

Q&A Mail: [email protected]

Web: blog.packet-foo.com

Twitter: @packetjay

SharkFest ’19 Europe · 2019. 11. 11. · #sf19eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8 SharkFest ’19 Europe #sf19eu • Palacio Estoril Hotel, Estoril, Portugal

SharkFest ’17 Europe - Wireshark · SharkFest ’17 Europe ... 20 QUIC: Using Wireshark to Understand QUIC Quickly ... •View> Coloring rules…, new rule name: UDP source port

How 802.11ac Will Hide Problems from Wireshark - Sharkfest

Pre-Conference Troubleshooting Class - Wireshark · Pre-Conference Troubleshooting Class SharkFest’17 Europe Agenda Instructor Bios Session Abstracts & Requirements SharkFest’17

SharkFest ’19 Europe · 2019. 11. 19. · TShark, the Swiss army knife André Luyer Rabobank. #sf19eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8 ... Marketing CLR

Wireshark Certified Network Analyst Boot Camp Course - Sharkfest

SharkFest ’17 Europe - Wireshark SharkFest ’17 Europe SSL/TLS Decryption uncovering secrets Wednesday November 8th, 2017 Peter Wu Wireshark Core Developer [email protected]

Solera Networks at Sharkfest 2008

SharkFest ‘16 Europe · SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu Where’s the catch? - Depending on the type of intrusion you’re facing,

Sharkfest Analysing WLAN 2009 06

802.11 Secrets Revealed - Sharkfest - Wireshark

Using Wireshark Software as an Applications Engineer - Sharkfest

SharkFest '17 Europe - Wireshark · PDF fileSharkFest '17 Europe ... • Includes Wireshark & Lua scripts ... CSMA/CA offers different Inter Frame Spaces (IFS)

Troubleshooting WLANs (Part 2) - SharkFest™ Europe · Troubleshooting WLANs (Part 2) ... User is complaining about sporadic hangers in bar code scanners, ... CCK = Complementary

SharkFest ’17 Europe · · 2017-11-15SharkFest ’17 Europe ... (CNX)-Ethernet, CCNA, ... •Significant increase in the use of Network Address Translation

SharkFest ’18 Europe - sharkfesteurope.wireshark.org · #sf18eu • Johannes Weber • • @webernetz Johannes Weber SharkFest ’18 Europe #sf18eu • Imperial Riding School Renaissance

SharkFest ’18 Europe SharkFest ’19 Europe · 2019-11-08 · SharkFest ’18 Europe #sf18eu • Imperial Riding School Renaissance Vienna • Oct 29 - Nov 2 Discover Wireshark’s

SharkFest ‘16 Europe · 2017. 4. 26. · •use tcpdump/windump with BPF . SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu Demo 3 – Extracting

WiFi Intrustion Detection from WireShark SharkFest

SharkFest ’18 Europe SharkFest ’19 Europe · #sf18eu • Imperial Riding School Renaissance Vienna • Oct 29 - Nov 2 Troubleshooting WLANs (Part 2) Troubleshooting WLANs using

SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Wireless Security June 16, 2010 Thomas d’Otreppe de Bouvette Author of Aircrack-ng SHARKFEST ‘10

Application Performance Analysis using Wireshark - Sharkfest

IPv6 Address Planning - SharkFest

SharkFest ’18 Europe SharkFest ’19 Europe · SharkFest ’18 Europe #sf18eu • Imperial Riding School Renaissance Vienna • Oct 29 - Nov 2 Layer 1 & 2 Analysis Using Wireshark,

SharkFest ’18 Europe · #sf18eu • Imperial Riding School Renaissance Vienna • Oct 29 - Nov 2 Eddi Blenkers SharkFest ’18 Europe #sf18eu • Imperial Riding School Renaissance

SharkFest ’17 Europe - Wireshark · SharkFest ’17 Europe ... •Web: Capture while using browser’s Developer Tools. ... • Note: If Wireshark is doing DNS name resolution during

Dissecting Man-on-the-Side Attacks · SharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu QUANTUMINSERT S e p t e m b e r 2 0, 2 0 1 3 [...] According

SharkFest ’18 Europe - WiresharksFlow, Wireshark and ntop • Wireshark can be used with sFlow traffic to • Dissect sFlow packets • Dissect packets in sFlow flow samples •

SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Expose VoIP Problems With Wireshark June 15, 2010 Sean Walberg Vantage Media SHARKFEST ‘10 Stanford

Capture Limitations of a Laptop - Sharkfest - Wireshark

Troubleshooting with Layer 2 Control Protocols - SharkFest™ · SharkFest ‘16 • Computer History Museum • June 13-16, 2016 SharkFest ‘16 Troubleshooting with Layer 2 Control

SharkFest ’18 Europe · 2018. 11. 2. · SharkFest ’18 Europe #sf18eu • Imperial Riding School Renaissance Vienna • Oct 29 - Nov 2 Troubleshooting WLANs (Part 2) Rolf Leutert

SHARKFEST ‘10 | Stanford University | June 14–17, 2010 TAP’s Demystified June 16 th 2010 Samuel Battaglia Technical Manager | Network Critical SHARKFEST

SharkFest ‘16 Europe - WiresharkSharkFest ’16 Europe • Arnhem, Netherlands • October 17-19, 2016 • #sf16eu LACP Requirements •“… all interfaces in the channel group

Booking Form - Sharkfest 2017 · Booking Form - Sharkfest 2017 Created Date: 7/13/2017 6:47:30 PM