Getting Started with Wireshark-The Ultimate Hands-On Course
Wireshark can be intimidating. I remember how it felt when I first started looking at a trace file with Wireshark. Questions started flooding into my mind:
What should I look for? Where do I start? How can I find the packets that matter? What filters should I use? What is “normal” and what can I ignore in all this data?
I froze under the weight of all the detail in the packets.
If you have ever felt that way when looking at a pcap, this is the course for you!
Throughout this course we look at real-world examples of how to use Wireshark to solve network problems and isolate cybersecurity incidents, a skill that helps any IT engineer improve their analysis and troubleshooting. Assignments are designed with participation in mind: download the trace file, try your hand at the questions that go along with it, and see if you can solve the network mystery in the packets.
While learning the art of packet analysis, we will also explore the Wireshark interface, configure custom columns, filters, and coloring rules, and customize the layout so we can spot problems fast. This course will give you comfort with the Wireshark interface and the experience you need to understand core protocols.
My name is Chris Greer and I am a Wireshark University instructor, as well as a packet analysis consultant for companies all over the globe. Like you, I started out looking at packet traces, hoping to find the right ones to solve complex issues on the network. In this course, I bring real-world examples to every lecture, exercise, and course assignment. My goal is for you to get comfortable with the Wireshark interface, learn to interpret the packets, and find actionable data that will help you to resolve problems or spot security incidents faster.
Ready Packet People? Let’s dig!
1. Section Intro - What will we learn? (Video lesson)
This video gives us an introduction to how this Wireshark course will flow and how to follow along.
2. Installing Wireshark and the Command Line Tools (Video lesson)
3. Lab 1 - Hands-On with Wireshark (Text lesson)
4. Section Review (Video lesson)
Let's do a quick review of what we learned in this section of the course.
11. Introduction to Wireshark Filters (Video lesson)
12. Capture Filters vs Display Filters (Video lesson)
The first thing to learn about filtering traffic is the difference between a capture filter and a display filter. A capture filter is set before the capture starts and uses the BPF syntax shared with tcpdump; only the traffic it matches is ever written to disk, which is a nice feature when you already know a few details about the problem and want to keep the pcap small. The trade-off is that anything the capture filter excludes is gone for good and cannot be recovered afterwards. A display filter is applied after the capture, uses Wireshark's own field-based syntax, and can be applied, adjusted, or removed at will; the original capture file stays the same. Let's learn some!
13. Filtering for IP Addresses, Source or Destination (Video lesson)
The first filters you will learn are IP address and conversation filters. They are easier to memorize with hands-on practice, so open the pcap from Lab 1 and follow along.
14. Filtering for Protocols and Port Numbers (Video lesson)
In this lecture and demonstration we will learn how to filter for common protocols and TCP/UDP port numbers. Make sure to have the pcap ready to follow along!
15. Filtering for Conversations (Video lesson)
Now that we know how to filter for ARP, IP, DNS, TCP and other protocols, let's learn how to filter for specific conversations in the pcap.
16. Operators in Display Filters (Video lesson)
In this lecture we will learn about using the and, not, or, gt, and lt operators for creating more complex filters.
17. Demo: Using Operators when Filtering Traffic (Video lesson)
Let's look at some scenarios in which the and, not, or, gt and lt operators are practically useful.
18. Special Operators - Contains, Matches, and In (Video lesson)
The Wireshark display filter syntax also includes the "contains", "matches", and "in" operators. "contains" looks for a text or byte string anywhere inside a field, "matches" tests a field against a regular expression, and "in" checks whether a field's value is one of a set (for example a list of ports). Let's dig.
19. Demo: How to Use Special Operators When Filtering (Video lesson)
In this lecture we look at examples of how to use the "contains", "matches" and "in" operators.
20. Lab 3 - Creating Display Filters in Wireshark (Text lesson)
21. Section Review (Video lesson)
Let's review the filters we learned.
22. Think BEFORE You Capture! (Video lesson)
When a problem strikes, it is tempting to jump straight into Wireshark and start capturing traffic to save the day. Before getting too excited, let's back up a minute. Before clicking the blue sharkfin, there are some things we need to think about. Getting answers to the questions covered in this clip will save a ton of time when we start looking at a problem from the packet level.
23. How To Capture In a Switched Environment - Local Capture vs SPAN vs TAP (Video lesson)
Switches forward traffic only to the ports involved in the conversation, so a host on another port sees none of it and cannot simply "listen in" with Wireshark. In a switched environment we need one of the three methods explained in this video: capture on the endpoint itself (local capture), mirror the traffic to the capture port (SPAN), or insert a network TAP in the path.
24. Capturing at Multiple Locations (Video lesson)
Sometimes one point of view is not enough to solve a problem. In this clip we will discuss why a multi-point capture can be needed in some troubleshooting scenarios.
25. Should We Use a Capture Filter? (Video lesson)
Before we click "capture", we need to decide whether or not to use a capture filter. This will only collect the traffic we specify, allowing us to focus on a specific conversation, port, protocol, or subnet.
26. Capturing Traffic with the Wireshark User Interface (Video lesson)
Let's learn more about what happens when we click the blue fin!
27. How to Capture Intermittent Problems - Long Term Capture Configuration (Video lesson)
Some problems aren't so easy to catch in the act, especially the ones that come and go. In this lecture we will learn how to configure Wireshark for long-term capture, writing to a ring buffer of rotating files so the capture can run for hours or days without filling the disk and the packets from the moment the problem struck are still there when we need them.
28. How to Capture on the Command Line with Dumpcap (Video lesson)
Command line capture is a quick way to collect packets on a system we SSH into, or for times when we don't want to use the full Wireshark GUI. Let's learn how to set this up on both Windows and macOS.
29. Configuring a Ring-Buffer on the CLI (Video lesson)
Now that we have the basics of command line capture, let's learn how to configure the ring buffer as well, this time from the CLI.
30. How and Where to Capture Packets (Quiz)
Let's test our knowledge of what we learned in this module.
31. Section Review (Video lesson)
32. Packets and the OSI Model (Video lesson)
33. Ethernet - The Frame Header (Video lesson)
In this lecture we will dig into the Ethernet frame layout and show how each field works. We will also do a local capture in our own environment with Wireshark and take a peek at the MAC addressing.
34. Unicasts vs Broadcasts vs Multicasts (Video lesson)
There are three basic communication types in Ethernet: unicast, broadcast, and multicast. Let's learn each one and how they work.
35. The Internet Protocol - Learning the Header Values (Video lesson)
In this lecture we comb through the IP header values, describing how each one works to deliver traffic across the internet between endpoints. We will learn the DiffServ (DSCP) field, IP identification numbers, TTL, and protocol IDs.
36. Following a Packet Through the Network - Re-Encapsulation (Video lesson)
Walk the network path like a packet would and learn how every router along the path strips the incoming Ethernet frame and builds a new one for the next hop, while the IP packet inside keeps its addresses and only has its TTL decremented and header checksum recomputed.
37. Lab 4 - Analyzing a Packet From Multiple Capture Points (Text lesson)
38. Section Review (Video lesson)
39. Section Overview (Video lesson)
This is a quick introduction to this section about the IP protocol. We were introduced to it in the last section, but now we will dig much deeper into it!
40. Digging Deeper into the IP ID (Video lesson)
Let's look at how we can practically use the IP ID field to analyze and troubleshoot network problems.
41. How to Use the TTL Field (Video lesson)
The TTL field can help us estimate how many router hops apart two endpoints are: each router decrements it by one, so the difference from the sender's starting value (commonly 64, 128, or 255 depending on the operating system) gives the hop count. Let's see how we can use this field for practical analysis.
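The display filters from the filtering lectures, the Ethernet and IP header fields from the previous section, and the TTL hop estimate above, worked through in one added Python example. This is not course code: the frames are constructed in the script with struct.pack, every MAC address, IP address and port in them is made up, and the dictionary keys only mirror Wireshark's field names so that a plain Python predicate can stand in for a display filter.

```python
"""Decode Ethernet / IPv4 / TCP / UDP headers from raw frame bytes and apply
display-filter-style tests to the result. Added example for this page, not
course code: the frames are built below with struct.pack so the script runs
offline, and every MAC, address and port in them is made up."""
import struct
from ipaddress import IPv4Address

ETH_IPV4, PROTO_TCP, PROTO_UDP = 0x0800, 6, 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement sum: over a header whose checksum field is
    zero it yields the value to store, over a valid header it yields 0."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac_kind(dst: bytes) -> str:
    """All-ones is broadcast; otherwise the I/G bit (lowest bit of the first
    octet) separates multicast (1) from unicast (0)."""
    if dst == b"\xff" * 6:
        return "broadcast"
    return "multicast" if dst[0] & 1 else "unicast"


def ttl_hops(ttl: int) -> int:
    """Router hops implied by a received TTL, assuming the sender started at
    the common initial value (64, 128 or 255) just above what we observe."""
    return next(s for s in (64, 128, 255) if s >= ttl) - ttl


def decode(frame: bytes) -> dict:
    """Flat dict keyed with Wireshark-style field names."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    p = {"eth.dst": dst.hex(":"), "eth.src": src.hex(":"), "eth.type": etype,
         "eth.dst_kind": mac_kind(dst)}
    if etype != ETH_IPV4:
        return p                                   # ARP, IPv6, ... not decoded here
    ip = frame[14:]
    vihl, tos, tlen, ident, fl_off, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0xF) * 4
    p.update({"ip.version": vihl >> 4, "ip.dsfield.dscp": tos >> 2, "ip.len": tlen, "ip.id": ident,
              "ip.flags.df": bool(fl_off & 0x4000), "ip.flags.mf": bool(fl_off & 0x2000),
              "ip.frag_offset": (fl_off & 0x1FFF) * 8, "ip.ttl": ttl, "ip.proto": proto,
              "ip.checksum.good": ipv4_checksum(ip[:ihl]) == 0,
              "ip.src": str(IPv4Address(s)), "ip.dst": str(IPv4Address(d))})
    p["ip.addr"] = {p["ip.src"], p["ip.dst"]}      # ip.addr matches either direction
    l4 = ip[ihl:tlen]
    if proto == PROTO_TCP:
        sp, dp, seq, ack, off_flags, win = struct.unpack("!HHIIHH", l4[:16])
        p.update({"tcp.srcport": sp, "tcp.dstport": dp, "tcp.port": {sp, dp},
                  "tcp.seq_raw": seq, "tcp.ack_raw": ack, "tcp.window_size_value": win,
                  "tcp.flags.fin": bool(off_flags & 0x01), "tcp.flags.syn": bool(off_flags & 0x02),
                  "tcp.flags.reset": bool(off_flags & 0x04), "tcp.flags.ack": bool(off_flags & 0x10),
                  "tcp.payload": l4[(off_flags >> 12) * 4:]})
    elif proto == PROTO_UDP:
        sp, dp, ulen, _ = struct.unpack("!HHHH", l4[:8])
        p.update({"udp.srcport": sp, "udp.dstport": dp, "udp.port": {sp, dp},
                  "udp.length": ulen, "udp.payload": l4[8:ulen]})
    return p


def build_ipv4(src, dst, proto, payload, ttl=64, ident=1, df=True):
    """20-byte IPv4 header with a correct checksum, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000 if df else 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_tcp(sport, dport, seq, ack, flags, payload=b""):
    """20-byte TCP header (no options) followed by the payload."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload


# Constructed frames: an HTTP request seen 10 router hops from the client
# (TTL 128 - 10), and a DHCP discover sent to the broadcast address.
CLIENT_MAC, SERVER_MAC = bytes.fromhex("0a1b2c3d4e5f"), bytes.fromhex("0a1b2c3d4e60")
ETH = struct.pack("!H", ETH_IPV4)
GET = SERVER_MAC + CLIENT_MAC + ETH + build_ipv4(
    "192.168.1.10", "10.0.0.5", PROTO_TCP,
    build_tcp(51234, 80, 1000, 2000, 0x18, b"GET / HTTP/1.1\r\n"), ttl=118, ident=0x1234)
DISCOVER = b"\xff" * 6 + CLIENT_MAC + ETH + build_ipv4(
    "0.0.0.0", "255.255.255.255", PROTO_UDP, struct.pack("!HHHH", 68, 67, 8, 0), df=False)


def display_filter(frames, predicate):
    """Post-capture filtering: decode every frame, keep those the predicate accepts."""
    return [p for p in map(decode, frames) if predicate(p)]


if __name__ == "__main__":
    frames = [GET, DISCOVER]
    # ip.addr == 10.0.0.5 && tcp.port == 80            (conversation + port)
    conv = display_filter(frames, lambda p: "10.0.0.5" in p.get("ip.addr", ()) and 80 in p.get("tcp.port", ()))
    # tcp.payload contains "GET"                         (byte-string search)
    gets = display_filter(frames, lambda p: b"GET" in p.get("tcp.payload", b""))
    # udp.port in {67 68}                                (set membership)
    dhcp = display_filter(frames, lambda p: p.get("udp.port", set()) & {67, 68})
    for p in conv:
        print(p["ip.src"], "->", p["ip.dst"], "ttl", p["ip.ttl"], "~", ttl_hops(p["ip.ttl"]), "hops")
    print(len(conv), len(gets), len(dhcp), decode(DISCOVER)["eth.dst_kind"])
```

The predicates map one-to-one onto the operators in the lectures above: `ip.addr` and `tcp.port` are sets because Wireshark matches either direction, `contains` becomes a byte-string `in`, and `in {...}` becomes a set intersection. The TTL-to-hops estimate is only as good as its assumption about the sender's starting value, which is why the course has you check it against a multi-point capture.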
42. How IP Fragmentation Works (Video lesson)
Let's send some large pings, capture them, and see how IP fragmentation works.
43. The IP Flags (Video lesson)
The IP header carries three flag bits: a reserved bit, "Don't Fragment" (DF), and "More Fragments" (MF). The DF bit is the important one to learn, and we'll look at how to use it practically.
44. Whoa! Investigating Suspect Scan Activity (Video lesson)
Attackers can make use of IP fragmentation when scanning networks to try to avoid triggering IDS/IPS alerts, since a sensor that judges each fragment on its own never sees the whole transport header. Let's look at an example.
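Fragmentation, the MF/DF flags and the fragment-evasion idea from the last three lectures, as one added Python example that is not part of the course. It fragments a constructed 3008-byte ping payload the way a sender behind a 1500-byte MTU would, reassembles the pieces, reports missing and conflicting fragments, and flags a first fragment too short to carry a whole TCP header. The ip.id values and payload bytes are made up.

```python
"""Reassemble IPv4 fragments and report gaps, conflicting overlaps and a
first fragment too small to carry a TCP header. Added example for this page,
not course code. Fragments are (ip.id, fragment offset in 8-byte units, MF
bit, payload) tuples, the values Wireshark shows in the IP header; the
payload and ids below are constructed, not captured."""
from collections import defaultdict


def fragment(ident, payload, mtu=1500, ihl=20):
    """Split one datagram as a sender with this MTU would: every piece but the
    last carries a multiple of 8 payload bytes and sets MF."""
    chunk = (mtu - ihl) // 8 * 8                            # 1480 for a 1500-byte MTU
    return [(ident, off // 8, off + chunk < len(payload), payload[off:off + chunk])
            for off in range(0, len(payload), chunk)]


def reassemble(fragments):
    """{ip.id: (data or None, notes)}. Data is returned only when the last
    fragment (MF=0) was seen, no byte is missing and no two fragments
    disagree about a byte (which copy wins in that case depends on the
    receiver's stack, so an analyzer should not guess)."""
    groups = defaultdict(list)
    for ident, off8, mf, data in fragments:
        groups[ident].append((off8 * 8, mf, data))
    result = {}
    for ident, pieces in groups.items():
        notes, covered, total = [], {}, None
        for start, mf, data in sorted(pieces):
            if not mf:
                total = start + len(data)                    # MF=0 fixes the datagram length
            for i, byte in enumerate(data):
                if covered.get(start + i, byte) != byte:
                    notes.append(f"overlap with conflicting data at byte {start + i}")
                    break
                covered[start + i] = byte
        if total is None:
            notes.append("last fragment (MF=0) missing")
        else:
            missing = [pos for pos in range(total) if pos not in covered]
            if missing:
                notes.append(f"{len(missing)} bytes missing, first at byte {missing[0]}")
        data = None if notes else bytes(covered[pos] for pos in range(total))
        result[ident] = (data, notes)
    return result


def tiny_first_fragment(fragments, l4_header=20):
    """ip.ids whose first fragment (offset 0, MF set) is shorter than a full
    TCP header. The TCP flags sit at byte 13 of that header, so a filter or
    sensor that judges each fragment on its own never sees them and has to
    reassemble first."""
    return sorted({i for i, off8, mf, d in fragments if off8 == 0 and mf and len(d) < l4_header})


# Constructed data: a 3008-byte ping payload (8-byte ICMP echo header plus
# 3000 bytes of data) and a two-piece datagram whose first piece is 8 bytes.
PING = b"\x08\x00\x00\x00\x00\x01\x00\x01" + bytes(range(256)) * 11 + bytes(range(184))
TINY = [(0x1337, 0, True, bytes.fromhex("0050 1f90 0000 0001")),
        (0x1337, 1, False, bytes(12))]

if __name__ == "__main__":
    frags = fragment(0x42, PING)
    print([(off8, mf, len(d)) for _, off8, mf, d in frags])
    data, notes = reassemble(frags)[0x42]
    print(len(data) if data else None, notes)
    print(reassemble(frags[::2])[0x42][1])                  # middle fragment lost
    print(tiny_first_fragment(TINY))
```

The three fragments of the large ping land at offsets 0, 185 and 370 (in 8-byte units), which is exactly what the ip.frag_offset column shows for the captured pings in the lecture; drop the middle one and the reassembler reports 1480 missing bytes, the same situation Wireshark flags when a fragment never arrives.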
45. A Look at IPv6 (Video lesson)
IPv6 is rapidly being deployed throughout enterprise networks today. In this video we will look at the header structure and see how it differs from IPv4.
46. Configuring Wireshark to Find GeoIP Locations (Video lesson)
In order to use the GeoIP location feature of Wireshark, we first have to download the databases from MaxMind. Due to licensing restrictions, these need to be downloaded directly from MaxMind with a free account. It is worth it to download them!
47. Analyzing a DDoS Attack with GeoIP (Video lesson)
We captured a scan that was coming in from several different areas of the world. In this video, we take a closer look at this DDoS attack with GeoIP.
48. Lab 5 - Is this scan as bad as it looks? (Text lesson)
49. Section Review (Video lesson)
50. UDP Intro (Video lesson)
Don't underestimate UDP. It has a huge (and growing) presence on networks today. Critical services like DHCP, DNS, and VoIP have been running over UDP for decades, and more and more we are seeing newer protocols such as QUIC and even RDP over UDP. Let's learn how to analyze these protocols.
51. The UDP Header Explained (Video lesson)
52. How DHCP Works (Video lesson)
When an endpoint first joins a network, it has to obtain an IP address, subnet mask, default gateway, and DNS server information. This happens over the UDP-based DHCP protocol. In this lecture we will see how this critical service works.
53. Analyzing DNS (Video lesson)
DNS is the phone book of the internet. Applications cannot function without it: if DNS is slow or broken, services will simply not work. In this video we will dig into DNS and learn how to analyze requests and responses, as well as measure DNS response time with Wireshark filters.
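Measuring DNS response time as described above, as an added Python example that is not course code. The queries and responses are constructed in the script with made-up names, transaction IDs, addresses and timestamps; the pairing rule (a response belongs to the outstanding query with the same transaction ID sent from the same client address and port) mirrors what Wireshark reports in its dns.time field.

```python
"""Pair DNS queries with their responses and measure the response time
Wireshark shows as dns.time. Added example for this page, not course code;
the packets are constructed below as (timestamp, src, sport, dst, dport,
UDP payload) tuples with made-up names, IDs, addresses and times."""
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\0"


def decode_name(msg: bytes, pos: int):
    """Read labels at pos, following a compression pointer (0xC0xx) if present.
    Returns (name, position just after the name field)."""
    labels, end = [], None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = pos + 2                  # the pointer ends the field
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode())
        pos += length
    return ".".join(labels), (pos if end is None else end)


def parse_dns(payload: bytes) -> dict:
    """Header plus the first question: enough to pair queries and responses."""
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    qname, _ = decode_name(payload, 12)
    rcode = flags & 0xF
    return {"id": ident, "qr": bool(flags & 0x8000), "rcode": RCODES.get(rcode, str(rcode)),
            "qname": qname, "answers": an}


def build_dns(ident, name, qr=False, rcode=0, answers=0):
    """Constructed query/response for an A record (RD set, one question)."""
    flags = (0x8000 if qr else 0) | 0x0100 | rcode
    msg = struct.pack("!HHHHHH", ident, flags, 1, answers, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    for _ in range(answers):                                       # name = pointer to offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH4s", 1, 1, 300, 4, bytes([93, 184, 216, 34]))
    return msg


def dns_response_times(packets):
    """Match each response to the outstanding query with the same transaction
    ID sent from the same client address and port; queries still outstanding
    at the end of the trace are reported as unanswered."""
    pending, rows = {}, []
    for ts, src, sport, dst, dport, payload in packets:
        m = parse_dns(payload)
        if not m["qr"]:
            pending[(m["id"], src, sport)] = (ts, m["qname"], dst)
        elif (m["id"], dst, dport) in pending:
            t0, qname, server = pending.pop((m["id"], dst, dport))
            rows.append({"qname": qname, "server": server, "rcode": m["rcode"],
                         "answers": m["answers"], "time": round(ts - t0, 4)})
    for t0, qname, server in pending.values():
        rows.append({"qname": qname, "server": server, "rcode": "unanswered",
                     "answers": 0, "time": None})
    return rows


def worth_a_look(rows, slow=0.5):
    """Names to investigate: slow, failed, or never answered."""
    return [r["qname"] for r in rows
            if r["time"] is None or r["time"] > slow or r["rcode"] != "NOERROR"]


# Constructed trace: one healthy lookup, one slow NXDOMAIN, one query never answered.
CLIENT, RESOLVER = "192.168.1.10", "192.168.1.1"
PACKETS = [
    (0.000, CLIENT, 50000, RESOLVER, 53, build_dns(0x1A2B, "www.example.com")),
    (0.012, RESOLVER, 53, CLIENT, 50000, build_dns(0x1A2B, "www.example.com", qr=True, answers=1)),
    (0.100, CLIENT, 50001, RESOLVER, 53, build_dns(0x1A2C, "nope.example.invalid")),
    (0.850, RESOLVER, 53, CLIENT, 50001, build_dns(0x1A2C, "nope.example.invalid", qr=True, rcode=3)),
    (1.000, CLIENT, 50002, RESOLVER, 53, build_dns(0x1A2D, "api.example.com")),
]

if __name__ == "__main__":
    rows = dns_response_times(PACKETS)
    for r in rows:
        print(f"{r['qname']:<22} {r['rcode']:<10} {r['time']}")
    print("look at:", worth_a_look(rows))
```

In Wireshark the same triage is the two display filters `dns.time > 0.5` and `dns.flags.rcode != 0`; the unanswered query is the case neither filter can show you, because there is no response packet to carry a dns.time value, which is why the script keeps the pending table until the end of the trace.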
54. Troubleshooting VoIP and Video Streams (Video lesson)
55. UDP Review (Video lesson)
56. Section Intro (Video lesson)
Let's kick this section off with a brief overview of what we will learn about TCP.
57. Practical TCP - The Handshake (Video lesson)
There is quite a bit that gets exchanged in the initial handshake of a TCP connection. Let's see why this part of the conversation is so important to capture.
58. Hands-On with TCP Flags (Video lesson)
In this clip we will take a hands-on look at the handshake and the flags that make TCP tick.
59. Analyzing TCP Options (Video lesson)
TCP options extend the capabilities of the protocol. In this video we will learn about MSS, Window Scaling, Selective ACK (SACK), and timestamps.
60. How Sequence and Acknowledgement Numbers Work (Video lesson)
Sequence and acknowledgement numbers are the mechanism by which TCP delivers data reliably and in order. Let's make sure we are comfortable with how these numbers work.
61. Digging into Retransmissions (Video lesson)
If a segment does not arrive at the receiver, or its acknowledgement does not make it back to the sender, TCP retransmits the data. Let's take a closer look at how this works.
62. Let's Shut it Down - FINs vs Resets (Video lesson)
Let's learn how TCP closes connections. The two ways are the orderly close using the FIN flag and the abrupt close using a reset (RST).
63. Lab 6 - Is it the Client, Network, or Server? Can You Isolate the Problem? (Text lesson)
64. TCP Analysis Review (Video lesson)
Let's do a quick review of the things we learned in this section of the course.
65. Putting it All Together - Section Intro (Video lesson)
This section brings together all the analysis skills we learned in this course. Let's learn the top five things to look for in the packets.
66. 1. Slow Application Response Time (Video lesson)
In this video we will look at how to identify slow application performance in web-based applications, even over encrypted connections.
67. 2. High Network Latency (Video lesson)
If network latency is high, or if an application suffers from many turns (requests and replies), applications will lag. We'll take a look at how to quickly spot this in Wireshark.
68. 3. Network Packet Loss (Video lesson)
69. 4. Slow File Transfers - TCP Window Problems (Video lesson)
When we move large amounts of data across a network from one endpoint to another, we need healthy TCP receive windows to catch it. Low or zero windows can bring file transfers to a grinding halt, and there is nothing the network can do about it! Let's see how to identify these issues.
70. 5. Network/Application Disconnects - TCP Resets (Video lesson)
I receive quite a few complaints from people suffering from network or application disconnects. This video shows what I look for in the packets to hunt down the root cause.
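Lab 6's question (client, network, or server?) and the five symptoms above, worked through in one added Python example that is not part of the course. It takes a TCP conversation as tuples of (time, side, relative seq, relative ack, flags, payload length, window), the values Wireshark shows in its columns, and splits the delay into handshake round trip, server think time, retransmissions, zero-window stalls and resets. The traces are constructed, not captured.

```python
"""Triage a TCP conversation: is the delay network (handshake RTT, loss),
server (think time), or client (window)? Added example for this page, not
course code. Segments are (time, side, seq, ack, flags, payload_len, window)
with relative sequence numbers as Wireshark displays them; side is "c" for
client or "s" for server. The traces below are constructed, not captured."""
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def triage(segments):
    f = {"handshake_rtt": None, "server_response": None, "retransmissions": [],
         "zero_window": [], "reset": None, "fin": None}
    syn_t = req_t = None
    next_seq = {"c": 0, "s": 0}                        # next expected seq per sender
    for t, side, seq, ack, flags, length, win in segments:
        if flags & SYN and not flags & ACK:
            syn_t = t
        elif flags & SYN and flags & ACK and syn_t is not None and f["handshake_rtt"] is None:
            f["handshake_rtt"] = round(t - syn_t, 4)   # pure network time, no application involved
        if flags & RST and f["reset"] is None:
            f["reset"] = (t, side)
        if flags & FIN and f["fin"] is None:
            f["fin"] = (t, side)
        if win == 0 and not flags & RST:
            f["zero_window"].append((t, side))         # this side's receive buffer is full
        if not length:
            continue
        if seq < next_seq[side]:
            f["retransmissions"].append((t, side, seq))   # bytes already seen from this side
            continue
        next_seq[side] = seq + length
        if side == "c" and req_t is None:
            req_t = t                                  # first request byte
        elif side == "s" and req_t is not None and f["server_response"] is None:
            f["server_response"] = round(t - req_t, 4)   # request in, first answer byte out
    return f


def verdict(f, slow=0.5):
    """Point at client, network or server from the findings, worst first."""
    if f["retransmissions"]:
        return "network: packet loss, retransmissions seen"
    if f["handshake_rtt"] is not None and f["handshake_rtt"] > slow:
        return "network: high latency on the handshake"
    if f["server_response"] is not None and f["server_response"] > slow:
        return "server: slow application response"
    if f["zero_window"]:
        who = "client" if f["zero_window"][0][1] == "c" else "server"
        return f"{who}: zero window, receiver not draining its buffer"
    if f["reset"]:
        return f"{'client' if f['reset'][1] == 'c' else 'server'}: connection torn down with a reset"
    return "no obvious fault in this conversation"


# Constructed trace: 20 ms handshake, 120-byte request, server answers 1.3 s later.
SLOW_SERVER = [
    (0.000, "c", 0, 0, SYN, 0, 64240),
    (0.020, "s", 0, 1, SYN | ACK, 0, 65535),
    (0.020, "c", 1, 1, ACK, 0, 64240),
    (0.021, "c", 1, 1, PSH | ACK, 120, 64240),        # request
    (0.041, "s", 1, 121, ACK, 0, 65535),               # server ACKs the request quickly...
    (1.350, "s", 1, 121, PSH | ACK, 1460, 65535),      # ...but takes 1.3 s to answer
    (1.370, "c", 121, 1461, ACK, 0, 64240),
    (1.371, "c", 121, 1461, FIN | ACK, 0, 64240),
    (1.391, "s", 1461, 122, FIN | ACK, 0, 65535),
]
# Same conversation, but the server's ACK never arrived and the client resent the request.
LOSSY = SLOW_SERVER[:4] + [(0.221, "c", 1, 1, PSH | ACK, 120, 64240)] + SLOW_SERVER[5:]

if __name__ == "__main__":
    for name, trace in (("slow server", SLOW_SERVER), ("lossy", LOSSY)):
        print(name, "->", verdict(triage(trace)))
```

The handshake time is the one number the application cannot influence, which is why the course tells you to capture it; the gap between the server's empty ACK and its first data byte is time spent inside the application, and a retransmission is a segment that starts below the sender's next expected sequence number, the same heuristic behind Wireshark's tcp.analysis.retransmission flag.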
71. What to do next with Wireshark - Where to go from here. (Video lesson)
This lecture will give you an assignment to do on your own network after completing this course.