Troubleshooting and Securing TCP/IP Networks with Wireshark

Classroom Learning

Also available via

Who Needs to Attend

Anyone interested in learning to troubleshoot and secure TCP/IP networks and analyze network traffic with Wireshark, especially network engineers, information technology specialists, security analysts, and those interested in taking the Wireshark Certification Exam.

Prerequisites

Analyzing TCP/IP Networks with Wireshark

Follow-On Courses

There are no follow-ons for this course.

Certification Programs and Certificate Tracks

This course is part of the following programs or tracks:

Wireshark® Certified Network Analyst

Core 2 - Wireshark University Certification Course

In this lab-based course, you will gain the skills required to effectively troubleshoot and secure a TCP/IP network by analyzing network traffic with Wireshark as you prepare for the Wireshark Certification Exam. Spend half of your class time learning techniques to analyze traffic on poorly performing TCP/IP networks using the world's most popular analyzer, Wireshark. After that, you will learn to identify reconnaissance processes on the network and indications that a host is compromised. With the strong emphasis on hands-on lab exercises and real-world case studies in this course, you will gain skills you can use immediately following the class. On the last day of class, you will review Wireshark functionality, TCP/IP troubleshooting, and security.

What You'll Learn

Prepare for the Wireshark Certification Exam
Place the analyzer properly for traffic capture on a variety of network types
Review the TCP/IP Resolution Flowchart to identify where performance problems may occur
Configure Wireshark for effective network troubleshooting
Analyze slow network performance caused by latency problems
Identify the location of and possible causes of packet loss on the network
Analyze traffic from misconfigured networks and applications
Review the evidence of network redirection
Analyze network connections that are experiencing congestion
Baseline network communications for comparative analysis
Review the TCP/IP Resolution Flowchart to identify where security problems may occur
Analyze various reconnaissance processes to identify possible targets
Analyze Internet Control Message Protocol (ICMP) traffic to identify suspicious behavior
Examine symptoms of TCP-based attacks and breaches
Differentiate traffic from spoofed and non-spoofed host addresses
Create firewall Access Control List (ACL) rules based on suspicious traffic
Identify the location of signatures of various network breaches

Course Outline

1. Analyzer Placement

Analyzing Hubbed Networks
Analyzing Switched Networks
Analyzing Routed Networks
Analyzing WAN Links
Tapping into Full-Duplex Links
Capturing in Stealth Mode
Obtaining Evidence Using a Honeypot

2. Normal Network Communications

When Everything Goes Right
The Multi-Step Resolution Process
Building the Packet

3. Causes of Performance Problems

Where Network Faults Occur
Time is of the Essence

4. Wireshark Functions for Troubleshooting

Using Pre-Defined Coloring Rules
Basic and Advanced IO Graphs
Use the Delta Time Value
Analyze Expert Information
Look Who's Talking
Graph Bandwidth Use, Round Trip Time, and TCP Performance
Flow Graphing
Statistics (Various)

5. Latency Issues

The Five Primary Points in Calculating Latency
Plotting High Latency Times
Free Latency Calculators
Using the frame.time_delta Filter

6. Packet Loss and Retransmissions

Packet Loss and Recovery - UDP vs. TCP
Previous Segment Lost Events
Duplicate ACKs
TCP Retransmissions and Fast Retransmissions
Out-of-Order Segments

7. Misconfigurations and Redirections

Visible Misconfigurations
Don't Forget the Time

8. Dealing with Congestion

Shattered Windows
Flooded Out

9. Baseline Network Communications

Your First Task When You Leave Class

10. Unusual Network Communications

Vulnerabilities in the TCP/IP Resolution Process
Route Resolution
Spotting Unacceptable Traffic

11. Reconnaissance Processes

Port Scans
Mutant Scans
IP Scans
Application Mapping
OS Fingerprinting

12. Analyzing ICMP Traffic

ICMP Types and Codes
ICMP Discovery
Router Redirection
Dynamic Router Discovery
Service Refusal
OS Fingerprinting

13. TCP Security

TCP Segment Splicing
TCP Fake Resets

14. Address Spoofing

MAC Address Spoofing
IP Address Spoofing

15. Building Firewall ACL Rules

Overview of ACL Rule Types

16. Signatures of Attacks

Signature Locations
Header Signatures
Sequencing Signatures
Payload Signatures
Obtaining Signatures
Attacks and Exploits
Password Cracks
Denial of Service Attacks
Redirections

17. Wireshark Functionality Review

18. Troubleshooting Review

19. Network Security Review

Labs

Each section of this course includes hands-on labs to test and reinforce concepts and practice tasks.

For this hands-on course, please bring a laptop loaded with Wireshark. You may download Wireshark for free at www.wireshark.org.

Classroom Dates and Locations

Date	Location Details
Sep 27 - Oct 1, 2010	Washington, DC	Register
Oct 18 - 22, 2010	Atlanta, GA	Register
Oct 25 - 29, 2010	Morristown, NJ	Register
Nov 1 - 5, 2010	Chicago (Schaumburg), IL	Register
Nov 8 - 12, 2010	Raleigh, NC	Register
Nov 15 - 19, 2010	San Jose, CA	Register
Nov 15 - 19, 2010	New York, NY	Register
Nov 29 - Dec 3, 2010	Dallas, TX	Register
Dec 13 - 17, 2010	Washington, DC	Register
Jan 17 - 21, 2011	Atlanta, GA	Register
Feb 14 - 18, 2011	Dallas, TX	Register
Feb 21 - 25, 2011	Washington, DC	Register
Feb 28 - Mar 4, 2011	Chicago (Schaumburg), IL	Register
Mar 7 - 11, 2011	Raleigh, NC	Register
Mar 14 - 18, 2011	San Jose, CA	Register