
This video gives us an introduction to this course, how the labs will work, and what you will need to go from beginner to Wireshark Hero.
Welcome to the first lecture in this course! Let's learn how to install Wireshark and the command line tools.
In this video we will show how the lab files work, how you can access them, and where the questions are embedded in the pcap.
There are some things you will need to know to get the most out of this course. Let's discuss them. However, if you are new to packet analysis, don't worry: this course is for you!
Let's get to your first lab! Open the pcap, watch the video, and follow along.
This section will cover how to configure the Wireshark interface. How can we make our packet analysis faster? Let's dig in.
The first thing to learn about filtering traffic is the difference between a capture filter and a display filter. Capture filters are configured before the capture begins rolling. This is a nice feature to use when you understand a few details about the problem and you want to keep the pcap small. Display filters are for post-capture filtering. They are designed to be applied, adjusted, or even removed. The original capture file stays the same. Let's learn some!
One of the most common filters you will need to know is an IP address filter. Let's practice.
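As an added illustration of the capture filter vs. display filter distinction and of the IP address filter (example code, not the course's own material): packets are constructed in memory as sample data, a capture filter decides what is saved to the pcap at all, while a display filter only hides records from a pcap that is left intact. The `ip_addr`/`ip_src` helpers model Wireshark's `ip.addr ==` (either direction) and `ip.src ==` (source only).

```python
import struct

def build_ipv4_packet(src: str, dst: str, proto: int) -> bytes:
    """Constructed Ethernet + minimal IPv4 header, no payload (sample data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"          # dummy dst/src MAC + EtherType 0x0800 (IPv4)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # ver/ihl, tos, total len, id, flags/frag, ttl, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, src_b, dst_b)
    return eth + ip

def ip_fields(pkt: bytes):
    """Return (ip.src, ip.dst, ip.proto) from the IPv4 header after a 14-byte Ethernet header."""
    src, dst = pkt[26:30], pkt[30:34]
    return (".".join(map(str, src)), ".".join(map(str, dst)), pkt[23])

def capture(packets, capture_filter=None):
    """Capture filter: applied while packets arrive; non-matching packets are never written."""
    return [p for p in packets if capture_filter is None or capture_filter(p)]

def display(pcap, display_filter=None):
    """Display filter: applied to a saved pcap; the pcap itself is unchanged and the filter can be removed."""
    return [p for p in pcap if display_filter is None or display_filter(p)]

def ip_addr(host):
    """Model of `ip.addr == host`: matches source OR destination."""
    return lambda p: host in ip_fields(p)[:2]

def ip_src(host):
    """Model of `ip.src == host`: matches the source address only."""
    return lambda p: ip_fields(p)[0] == host

def proto(number):
    """Model of a protocol filter such as `tcp` (6) or `udp` (17)."""
    return lambda p: ip_fields(p)[2] == number

# constructed traffic: one client talking to two servers, plus an unrelated host
TRAFFIC = [
    build_ipv4_packet("10.0.0.5", "192.0.2.10", 6),
    build_ipv4_packet("192.0.2.10", "10.0.0.5", 6),
    build_ipv4_packet("10.0.0.5", "192.0.2.53", 17),
    build_ipv4_packet("10.0.0.7", "192.0.2.10", 6),
]

# capture filter on host 10.0.0.5: smaller file, and the fourth packet is gone for good
small_pcap = capture(TRAFFIC, ip_addr("10.0.0.5"))
# unfiltered capture keeps everything; display filters are then applied, adjusted, or removed
full_pcap = capture(TRAFFIC)
```

Once a capture filter has dropped a packet there is no getting it back, which is why an unfiltered capture plus display filters is the safer choice when the problem is not yet understood.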
In this lecture and demonstration we will learn how to filter for common protocols and TCP/UDP port numbers. We will also see how to quickly set filters for conversations.
Let's find words in clear text on the wire!
Let's review the filters we learned.
When a problem strikes, it is tempting to jump straight into Wireshark and start capturing traffic to save the day. Before getting too excited, let's back up a minute. Before clicking the blue sharkfin, there are some things we need to think about. Getting answers to the questions covered in this clip will save a ton of time when we start looking at a problem from the packet level.
Switches isolate traffic to the ports directly involved in forwarding it. This can make it difficult to "listen in" with Wireshark and capture. In switched environments, we need to use one of the three methods of capture explained in this video to get to the right packets.
When to use a capture filter; client-side vs. server-side capture.
Before we click "capture", we need to decide whether or not to use a capture filter. This will only collect the traffic we specify, allowing us to focus on a specific conversation, port, protocol, or subnet.
Command line capture is a quick way to collect packets on a system we SSH into, or for times when we don't want to use the full Wireshark GUI. Let's learn how to set this up in both Windows and macOS.
In this lecture we will dig into the Ethernet frame layout and show how each field works. We will also do a local capture in our own environment with Wireshark and take a peek at the MAC addressing.
There are three basic communication types in Ethernet: unicast, broadcast, and multicast. Let's learn each one and how they work.
In this lecture we comb through the IP protocol header values, describing how each value works to deliver traffic across the internet between endpoints. We will learn about IP DiffServ, IP identification numbers, TTL, and protocol IDs.
This is a quick introduction to this section about the IP Protocol. We were introduced to it in the last section, but now we will dig much deeper into it!
Let's look at how we can practically use the IP ID field to analyze and troubleshoot network problems.
The TTL field can help us to determine how far apart endpoints are in terms of router hops. Let's see how we can use this field for practical analysis.
Let's send some large pings, capture them, and see how IP fragmentation works.
IPv6 is rapidly being deployed throughout enterprise networks today. In this video we will look at the header structure and see how it differs from IPv4.
Don't underestimate UDP. It has a huge (and growing) presence on networks today. Critical services like DHCP, DNS, and VoIP have been running over UDP for decades. But more and more we are seeing emerging protocols such as QUIC, and even vendor-proprietary streaming applications, running over UDP.
When an endpoint first joins a network, it has to get an address, routing, subnet, and DNS information. This happens over a UDP-based protocol, DHCP. In this lecture we will see how this critical service works.
Let's kick this section off with a brief overview of what we will learn about TCP.
There is quite a bit that gets exchanged in the initial handshake of a TCP connection. Let's see why this part of the conversation is so important to capture.
In this clip we will take a hands-on look at the handshake and the flags that make TCP tick.
TCP options came about to extend the capabilities of the protocol. In this video we will learn about MSS, Window Scaling, Selective ACK, and timestamps.
Sequence and acknowledgement numbers are the underlying mechanism by which TCP delivers data reliably. Let's make sure we are comfortable with how these numbers work.
This section will bring together all the analysis skills we learned in this course. Let's learn the top five things to look for in the packets.
In this video we will look at how to identify slow application performance in web-based applications, even in secure connections.
If network latency is high or if an application suffers from many turns (requests and replies), applications will lag. We'll take a look at how to quickly spot this in Wireshark.
This lecture will give you an assignment to do on your own network after completing this course.
Wireshark can be intimidating. I remember how it felt when I first started looking at a trace file with Wireshark. Questions started flooding into my mind:
What should I look for? Where do I start? How can I find the packets that matter? What filters should I use? What is "normal"?
I froze under the weight of all the detail in the packets.
If you have ever felt that way when looking at a pcap, this is the course for you!
Throughout this course, we are going to look at real-world examples of how to practically use Wireshark to solve network problems. This skill will help all IT engineers improve their analysis and troubleshooting skills. Labs have been designed with participation in mind. Download the trace file, try your hand at the questions that go along with it, and see if you can solve the network puzzle in the packets.
While learning the art of packet analysis, we will also explore the Wireshark interface, configure custom columns, filters, and coloring rules, and learn how to customize the layout so we can spot problems fast. This course will give you comfort with the Wireshark interface and the experience you need to understand core protocols.
My name is Chris Greer and I am directly affiliated with the Wireshark Foundation. I teach packet analysis for companies all over the globe. In this course, I bring real-world examples to every lecture, exercise, and course assignment. My goal is for you to get comfortable with the Wireshark interface, learn to interpret the packets, and find actionable data that will help you to resolve problems or spot security incidents faster.
Ready Packet People? Let's dig!