Training Wireshark Packet Class
From BruCON 2014
Wireshark - Packet Class by Didier Stevens
Course Description
Wireshark is the number one network security tool according to the SecTools.org top 125 Network Security Tools survey. But have you ever taken the time to familiarize yourself with the many powerful features of this excellent security tool? If you have not, then now is your chance to learn as much as you can in this class and to receive several unpublished tools (like a Lua dissector generator), scripts and dissectors developed by Didier for Wireshark.
This training is for the novice and intermediate Wireshark user.
- First, Didier will familiarize you with the user interface of Wireshark.
- Then, we will touch upon the art of capturing traffic. You might think that you just need to install Wireshark on your machine to capture traffic, but that is just one way to do it. We will also look at ways to capture traffic at different points in the network, using network devices and dedicated hardware.
- Learning about capture filters will help you control the size of your capture files on busy networks. Knowing capture filters is an important skill for security professionals: capture filters are not only used by Wireshark, but by many other (security) tools you will encounter in your career, because they share the BPF syntax of tcpdump (for example `tcp port 80`).
- Colorizing traffic and using display filters (not to be confused with capture filters: a display filter such as `tcp.port == 80` uses Wireshark's own field syntax and is applied after capture) are key in finding the interesting packets hiding in your capture files.
- Your head will spin when you see all the built-in statistics. Wireshark comes with many statistical reports that help you drill down into your captures. Many of these statistical tools support display filters, allowing you to customize your reports. And when we say reports, we talk about graphics too: Wireshark can produce graphical representations of your network traffic. When you master this feature, you will be able to grasp aspects of your network traffic at a glance.
- Data sent over a network is split up into several packets and can use many protocols. It can be a hard task to figure out what all these packets mean. But Wireshark understands this and can reassemble these packets into streams, so that you can view and extract the data you are interested in: you get an abstracted view and are no longer "lost in packets".
- We will also learn about Wireshark's expert system, an often overlooked feature that can save you many hours of peering at packets.
Once we are familiar with Wireshark's many important features, we will look at all types of traffic. Regular day-to-day traffic like DNS, TCP/IP, HTTP, SMTP, WLAN, … but, of course, also the irregular traffic like network scans (nmap anyone?) and network discovery, and traffic from hacker tools and malware like botnets. Network forensics is an important skill to master, and Wireshark is an essential tool to help you master this skill.
As an experienced Wireshark user, Didier has hit some limits of Wireshark, and has worked past these limitations using command-line tools like Tshark and specialized scripts. In this training, Didier will share with you how he has gone beyond "simple" Wireshark. For example, say that you have traffic captures worth a couple of gigabytes. Just using Wireshark to look at this traffic becomes virtually impossible, unless you have an insanely specced-out machine that your boss will never give you. But using the right command-line tools, together with some specialized Python scripts, Didier will teach you how to take this hurdle.

Wireshark can also be extended using the C and Lua programming languages. In this class, we will look into Lua taps and dissectors to help you analyze traffic that "pure" Wireshark does not understand. Wireshark dissectors are usually written to decode a network protocol. Say you are reversing a botnet: then you can develop your own dissector that analyzes the custom network protocol that the botnet uses to communicate between the C&C server and the clients. But custom dissectors can help you even with known network protocols. For example, Didier will teach you the inner workings of a simple custom dissector he developed in Lua to analyze HTTP cookies. This simple dissector is very useful to filter out traffic according to server sessions, like PHP or ASP sessions.
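To illustrate the kind of cookie dissector described above, here is an added example written for this page; it is not Didier's own (unpublished) dissector, and the protocol name `cookiefields` and its field names are choices made for the example. It is a Lua post-dissector: it runs after the HTTP dissector, reads the already-decoded `http.cookie` and `http.set_cookie` fields, splits them into name/value pairs and registers those as new filterable fields, so a single server session can be isolated with a display filter.

```lua
-- Added example (not course material): a Wireshark Lua post-dissector that
-- turns HTTP Cookie / Set-Cookie headers into filterable name/value fields.
-- Load it with:  tshark -r capture.pcap -X lua_script:cookiefields.lua ...
-- or drop it into Wireshark's personal plugins directory.

local cookie_proto = Proto("cookiefields", "HTTP Cookie Fields (example)")

local f_name  = ProtoField.string("cookiefields.name",  "Cookie Name")
local f_value = ProtoField.string("cookiefields.value", "Cookie Value")
local f_pair  = ProtoField.string("cookiefields.pair",  "Cookie Pair")
cookie_proto.fields = { f_name, f_value, f_pair }

-- Field extractors: these read fields the HTTP dissector has already decoded.
local http_cookie     = Field.new("http.cookie")
local http_set_cookie = Field.new("http.set_cookie")

-- Split "PHPSESSID=abc; lang=en" into a list of { name = ..., value = ... }.
-- Entries without "=" (e.g. the HttpOnly attribute of Set-Cookie) are skipped.
local function parse_cookie_header(header)
  local result = {}
  for chunk in string.gmatch(header, "[^;]+") do
    local name, value = string.match(chunk, "^%s*([^=%s]+)%s*=%s*(.-)%s*$")
    if name then
      table.insert(result, { name = name, value = value })
    end
  end
  return result
end

-- A post-dissector is called for every frame after all other dissectors ran.
function cookie_proto.dissector(tvb, pinfo, tree)
  -- Calling a Field object returns every FieldInfo match in this frame
  -- (a request can carry one Cookie header, a response several Set-Cookie).
  local infos = { http_cookie() }
  for _, fi in ipairs({ http_set_cookie() }) do
    table.insert(infos, fi)
  end
  if #infos == 0 then
    return
  end

  local subtree = tree:add(cookie_proto, "HTTP Cookie Fields")
  for _, fi in ipairs(infos) do
    -- Set-Cookie also yields attribute pairs such as Path=/; that is fine,
    -- they simply become extra name/value entries.
    for _, kv in ipairs(parse_cookie_header(tostring(fi.value))) do
      subtree:add(f_pair,  kv.name .. "=" .. kv.value)
      subtree:add(f_name,  kv.name)
      subtree:add(f_value, kv.value)
    end
  end
end

register_postdissector(cookie_proto)
```

With the script loaded, `cookiefields.name == "PHPSESSID"` shows every packet that carries a PHP session cookie, and `cookiefields.pair == "PHPSESSID=<id>"` follows one session across requests; from the command line, `tshark -r capture.pcap -X lua_script:cookiefields.lua -Y 'cookiefields.name == "PHPSESSID"' -T fields -e ip.src -e cookiefields.value` lists source addresses with their session IDs. Since the fields are produced only when the post-dissector runs, run tshark with `-2` (two-pass analysis) if a filter on these fields seems to match nothing.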
In a nutshell, this packed training will teach you both simple and advanced Wireshark skills that are essential for security professionals and hackers. You do not need any prior exposure to Wireshark to attend this training, but a basic understanding of networking is required. Programming in Lua is not a required skill for this training; we will explain all you need to know about Lua in this training. But some basic scripting experience is useful, so that you do not feel overwhelmed when we discuss custom dissectors. If you know what an if-statement and a for-loop are, you will be fine.
Who should attend
IT security professionals, network engineers, ..., and anyone else who comes into contact with packets and has a desire to dissect them.
Objectives
During the course, the student will:
- Get a thorough overview of Wireshark's features
- Learn how to customize Wireshark
- Learn how to script Wireshark
Course Contents
Day 1
- Get familiar with the user interface of Wireshark
- The art of capturing traffic
- Capture traffic at different points in the network
- Using network devices to capture traffic
- Using dedicated hardware to capture traffic
- Capture filters
- Knowing capture filters is an important skill for security professionals. Capture filters are not only used by Wireshark, but by many other (security) tools you will encounter in your career.
- Display filters (not to be confused with capture filters)
- Colorizing traffic
- Built-in statistics
- Reports
- Graphs
- Customize with display filters
- Streams and data
- Wireshark's expert system
Day 2
- Practical capture analysis
- Regular day-to-day traffic
- DNS
- TCP/IP
- HTTP
- SMTP
- WLAN
- …
- Irregular traffic
- Network scans (nmap anyone?)
- Network discovery
- Traffic from hacker tools
- Traffic from malware like botnets
- …
- Network forensics
- Regular day-to-day traffic
- Scripting
- Command-line scripting with Tshark, Python and Lua
- Lua listeners
- Lua dissectors
- Use a Lua dissector generator
- Refactor existing Lua dissectors
- New protocol dissectors
- Post dissectors
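The "Lua listeners" and "Command-line scripting with Tshark" items above come together when a capture is too large for the GUI: a Lua Listener (tap) lets tshark compute a custom statistic in one pass over the file without ever rendering packets. The following is an added example written for this page, not a script from the course; it counts HTTP requests per Host header, and the script name in the usage line is a placeholder.

```lua
-- Added example (not course material): a Lua tap for tshark that counts HTTP
-- requests per Host header over a large capture.
-- Run as:  tshark -q -r big.pcap -X lua_script:http_hosts.lua
-- (-q suppresses per-packet output, so only the summary from draw() prints).

local http_host = Field.new("http.host")

local counts = {}   -- host -> number of requests
local total  = 0

-- Listener.new(tap, filter): a nil tap name attaches to the generic frame tap;
-- the display filter restricts the callback to HTTP request packets.
local tap = Listener.new(nil, "http.request")

-- Called once for every packet that matches the filter, after dissection.
function tap.packet(pinfo, tvb)
  local host_fi = http_host()
  if not host_fi then
    return   -- request without a Host header (HTTP/1.0); nothing to count
  end
  local host = tostring(host_fi.value)
  counts[host] = (counts[host] or 0) + 1
  total = total + 1
end

-- Called at the end of the file by tshark (periodically by the Wireshark GUI).
function tap.draw()
  local hosts = {}
  for h in pairs(counts) do
    table.insert(hosts, h)
  end
  -- Most-requested hosts first; ties broken alphabetically for stable output.
  table.sort(hosts, function(a, b)
    if counts[a] ~= counts[b] then return counts[a] > counts[b] end
    return a < b
  end)
  print(string.format("%-8s %s", "requests", "host"))
  for _, h in ipairs(hosts) do
    print(string.format("%-8d %s", counts[h], h))
  end
  print(string.format("%d HTTP requests in total", total))
end

-- Called when the capture is reloaded or rescanned, so counters start fresh.
function tap.reset()
  counts = {}
  total = 0
end
```

Because the tap reads dissected fields rather than raw bytes, the same script reports correctly on requests that the HTTP dissector reassembled from several TCP segments; swapping `http.host` for another Field (for example `dns.qry.name` with the filter `dns.flags.response == 0`) turns it into a DNS query-name counter with no other change.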
Prerequisites
A basic understanding of networking is required. Some basic scripting experience is useful, so that you do not feel overwhelmed when we discuss custom dissectors. If you know what an if-statement and a for-loop are, you will be fine.
A laptop with the latest version of Wireshark installed (Windows/Linux/OSX) and with Python 2.7. Administrative rights are useful to install some Python modules. If you don't have administrative rights, make sure that you can perform a capture and run Lua scripts. If you are in doubt, make sure that you have administrative rights. Make sure that there is no security software running that could interfere with capturing.
Trainer Biography
Didier Stevens (Security Consultant, Didier Stevens Labs, Contraste Europe NV) is an IT security professional well known for his security and forensic tools, like the Network Appliance Forensic Toolkit (NAFT). Didier is an experienced Wireshark user; he started using it when it was still known as Ethereal.
Didier holds many IT certifications and is a Microsoft MVP Security. Relevant to this training are his WCNA certification (Wireshark Certified Network Analyst) and CCNP/Security certification (Cisco Certified Network Professional). You can find his tools on his security blog http://blog.DidierStevens.com
More information is available on Didier Stevens Blog
@DidierStevens
Mon. 22 - Tue. 23 September 2014 (09:00 - 17:00)