Novell Home

At a fateful lunch meeting last November, an idea that has been brewing in the back of my mind for many years suddenly began to breathe life into my daily work. I couldn't sleep. I couldn't eat (anything except chocolate and chips). I could only begin defining what would be one of the most exciting and challenging projects that I've tackled in recent years.

As many of you know, I have been "living, eating and breathing at the packet-level" for years—since the late 1980s. Now, 2007 marks my 20th year of happily sloshing through packets on a daily basis. I've learned so much by watching the traffic on the wire over the years. It doesn't matter what the manual or the specs say; if I can see the communications, I can learn it faster and recognize the cause of problems the moment they occur. The packets never lie.

I've seen this same accelerated learning pattern in thousands of my students over the 20+ years I've been teaching packet-level communications; suddenly the light comes on—the eyes widen—and they've got it! They've dramatically increased their value to their company; they've significantly decreased the amount of time and money required to fix and secure their networks. And most important, they realize that it is not rocket science; it is very logical and understandable, even if they did need a helping hand to get started.

That November lunch meeting was with John Bruno of CACE Technologies (cacetech.com, a company I was acutely interested in since their acquisition of Gerald Combs, the founder of Wireshark (formerly Ethereal), undeniably the world's most popular network analyzer tool. Knowing that the WinPcap team (including Loris Degioanni and Gianluca Varenni) was also part of CACE Technologies, made the future of Wireshark appear brighter than ever to me.

After numerous, long phone calls, a few three-hour meals, several Gantt charts, semi-coherent napkin sketches and numerous sleepless nights, Wireshark University and the Wireshark Certification Program was born!

> So What is Wireshark and Why a University?
Wireshark is the world's foremost network protocol analyzer, and is the standard in many industries. It's the continuation of a project that started in 1998. Hundreds of developers around the world have contributed to it, and it is still under active development.

Gerald Combs, the creator of Ethereal, initiated the Wireshark network protocol analyzer project, which is a successor to Ethereal. The Ethereal core developer team moved with Gerald to the Wireshark project. It has a rich and powerful feature set, and runs on most computing platforms including Windows, OS X, and Linux. It's freely downloadable as open source, and is released under the GNU General Public License.

According to Gerald, "Wireshark University's mission is to develop and release quality, self-paced and instructor-led training on network analysis, troubleshooting, security and optimization using the world's most popular analyzer, Wireshark . It has more than 1.5 million downloads per year!"

"The Wireshark Certification Program validates a candidate's ability to efficiently and effectively troubleshoot network communications and perform network forensics with Wireshark. It goes beyond typical book-based certifications and shows that you can properly analyze, troubleshoot, and secure a real computer network. For employees and consultants, this shows that you have useful and practical skills. For employers this provides an extra level of trust and validation in the hiring and review processes."

Visit wiresharkU.com for more information on Wireshark Certified self-paced courses, instructor-led course partners and the Wireshark Certification Program.

> Getting Wireshark Certified in 2007
The Wireshark Certification Program requires knowledge of Wireshark functionality, but the emphasis is first and foremost on the ability to identify the cause of network problems including:

  • high latency
  • upstream or downstream data loss
  • improperly configured networks
  • misbehaving applications
  • routing problems
  • general communication faults

The security aspect of the certification program focuses on identifying and solving security issues related to:

  • network reconnaissance and discovery
  • insecure applications
  • virus and malware infections
  • attacks on services
  • evidence of infected or altered systems
  • phone-home applications
  • developing solutions to block further security breaches

Computer networks carry more and more critical information all the time, and it's important that people know what's happening on those networks.

Wireshark University provides the skills and knowledge necessary to properly manage your network's performance and security.

–Gerald Combs,
founder of Wireshark (formerly Ethereal)

> Building the Certification and Advanced Courses
In developing the Wireshark University curriculum, we want to bring network analysis to the forefront of troubleshooting and network forensics emphasizing the need to capture the traffic first, analyze the results and move rapidly toward resolution based on the packet evidence.

The Wireshark Certification Program and certification test are based on four Wireshark University courses. (See Figure 1.)

  1. WSU01: Wireshark Fundamentals and Functionality
  2. WSU02: Wireshark TCP/IP Network Analysis
  3. WSU03: Wireshark Troubleshooting Network Performance
  4. WSU04: Wireshark Network Forensics and Security

These four Wireshark University courses focus on interpretation and analysis of numerous trace files, which are included with the selfpaced and instructor-led courseware. For a partial listing of trace files covered in the courses, see Chasing Traces.

Note: The trace files are also on Laura's Lab Kit v8 which was distributed to all 2007 BrainShare attendees. For more information on Laura's Lab Kit v8, visit packet-level.com/llk8 or download the ISO image from novell.com/connectionmagazine.

At the time this article was written, the Wireshark Certified Network Analyst certification test is being developed with VLabSource. The VLabSource solution offers a Web-based interactive test that lets you operate Wireshark in a virtual environment to complete a series of tasks. Performance is evaluated on the accuracy of results gathered using Wireshark on active traffic as well as saved trace files. For more information on test registration and preparation, visit wiresharkU.com or send e-mail to info@wiresharkU.com.

The Wireshark University curriculum strives to bring network analysis to the forefront of troubleshooting and forensics and emphasizes the need to capture the traffic first, analyze the results and move rapidly toward resolution based on the packet evidence.


> Case Studies: Analysis to the Rescue
Often, when I am called onsite to troubleshoot a network or identify security breaches I find that the local team has performed numerous tasks in an attempt to correct the network problem. These tasks may include reinstalling software, replacing network devices and checking cabling systems.

In the majority of onsite visits, I can plug into the network and quickly point to the problem area. For example, one customer complained that network performance was terrible; large file transfers were taking up to 30 minutes instead of the previous three minutes of transfer time. After just five minutes of listening in on the traffic to and from the user's system, it was apparent that the user's system was performing properly and upstream packet loss was the likely cause of the performance problems. The client system correctly generated duplicate ACK packets to re-request the missing packets. Eventually the user's system would receive the missing packets, but the delay time and frequency of packet loss were significant. (See Figure 2.)

Laura Chappell is the world's foremost expert on protocol analysis and an excellent educator. She's one of the rare few that can do AND teach.

When the opportunity to create Wireshark University came up, it was simply too good to pass up.

—Gerald Combs
founder of Wireshark (formerly Ethereal)

Then I spanned the server's switch port and listened in to determine if the server was not sending out the packets in proper sequence. Nope; the server was sending the packets out perfectly and resending packets that the user's system defined as missing.

Moving the analyzer down the path from the server to the user's system eventually yielded the result when we noted packets being dropped on the redundant link between two switches. Since the customer did not have a spare switch lying around, we briefly removed the redundant link and you could almost hear the network coming up to full speed. The effect was immediate and dramatic. A quick call to the user who experienced the slow file transfers validated that the network was performing properly again; she begged us "don't change anything!" The good news is that a quick view of the network traffic guided us to the problem. The bad news is that the customer was experiencing this problem for months before tapping in and locating the problem.

In another case, I was working on a network where systems were dying after just a few minutes. The CPU utilization would climb steadily to 100 percent and then the systems would lock up.

By looking at the packets to and from an infected system you can identify the method of reinfection, identify any phone-home targets and look for signatures that can be used when setting up filtering and blocking devices on the network.

Before restarting one of the local hosts, the IT team and I hubbed out to the user; we didn't want to bother spanning a switch port because we needed quick answers. We set up our analyzer with a capture filter focused on traffic to and from the troubled host and then booted it up.


In this case, it wasn't long after bootup that the local host set up a TFTP (Trivial File Transfer Protocol) connection to another host and downloaded a file called analiz.exe. It definitely didn't look good. Next the host connected to an IRC channel. By following the TCP stream we could see the entire IRC communication in clear text as the IRC server told the local host what other files to download. (See Figure 3.)

By examining the trace file and doing some research, we learned that our host was infected with the W32/Rbot-RP worm. We could also figure out how to stop further infections: we had to find the route that allowed the TFTP and IRC traffic out of the network. By reviewing the contents of the files being downloaded we could also perform a grep on the local drive to find any other files that had the same signatures, regardless of the file name.

Many times we are behind the curve on stopping security breaches. Analyzing the traffic of infected systems allows us to identify the infection signatures and set up filtering to block further infections as we clean up the mess lying around the network.

Using multiple captures to files and possibly a ring buffer, we can use Wireshark to watch all the traffic leading up to a problem as well. For example, if a server constantly crashes in the middle of the night, we can set up a capture to watch traffic to and from the server, filling up a series of 100MB files to run through the night using ring buffer files to control the total number of files created. (See Figure 4.)

Chasing Traces

The four Wireshark University courses focus on interpretation and analysis of numerous trace files, which are included with the selfpaced and instructor-led courseware, and include the following:

Trace File Description
lost-route.pcap ICMP host unreachable; messages tell us that the router closest to the target can't reach it.
mdns.pcap Examining the MDNS traffic that BitTorrent generates on the wire—what ugly garbage!
nessus.pcap A Nessus penetration test running on the production network—easy to catch and filter on due to its signature in the payload.
nmap-idlescan.pcap One of the most interesting TCP scan methods around; notice the use of a zombie system and the IP header ID field value to find open ports.
one-way-drops.pcap Sitting on a 'load balanced' link that appears to be a one-way street and not load balancing at all—busted!
podcast-shutup-already.pcap You shut down that podcast—or so you think; a look at the I/O chart reveals that it continues to yap away long after the podcast has been shut down.
pop-download-slow.pcap E-mail seems slow today; a look at the size of the files indicates we may be getting flooded by SPAM.
secret-ftp.pcap In the middle of an ugly BitTorrent session, some unknown application makes an FTP connection in the background; I never asked for that!
ssl3session.pcap Now you know what a proper SSL setup and teardown should look like.
rsasnakeoil.pcap Decrypt an RSA SSL3 session by configuring Wireshark to use the appropriate RSA key.
sym-update.pcap Ouch! What a painful Symantec update process with loads of TCP window updates and lost packets leading to 14 second delays!
tcp-fragscan.pcap What's up with the IP header length value? It's too short on starting packets. Hmmm...this appears to be a fragmented scan.
tcp-low-mss.pcap What an ugly HTTP session! A look at the MSS negotiation during the handshake indicates what the problem is.
Window-scaling.pcap Inside the handshake the client indicates that it can do window scaling with a multiplier of 4. Too bad the server can't.
Note: These trace files are also on Laura's Lab Kit v8 which was distributed to all 2007 BrainShare attendees. For more information on Laura's Lab Kit v8, visit packet-level.com/llk8 or download the ISO image from novell.com/connectionmagazine.

Wireshark: Sniff free or die...

Read more of Laura Chappell's article online: 10 Reasons to Analyze Your Network Communications. And be sure to catch all of Laura's companion animated articles.

> It's Time to Take the Plunge
You've probably heard me say it before: "Analysis isn't brain surgery...it's logical." It requires that you really learn what TCP/IP communications should and shouldn't look like on the wire. It also requires that you learn to use the analyzer to quickly point to problems by identifying proper (and improper) operation of protocols and applications. If the TCP/IP stack is performing fine, but the connection is dying, then you need to look up toward the application. Finally, every good analyst should know how to spot reconnaissance and attacks on the wire and identify signatures of undesirable traffic. This enables you to figure out how to block that unacceptable traffic. For example, you might not know that macof, the flooding tool freely available on the Internet, has only one signature that you can block on—the Window Size field value of 512.

Ideally, a Wireshark Certified Network Analyst will be able to pick up any analyzer and identify the cause of problems or the source of security breaches. In addition, this certification content will help candidates understand the underlying communications technologies to improve their efficiency when studying for other certification programs; analysis is the perfect skill set to complement CNE, Master CNE, CCIE, CISSP and GIAC.

It's also time for me to take the plunge—to release my accumulated courseware through a regulated, formalized education program so I can teach more people the art of analysis.

So together with Gerald Combs, the Winpcap team, CACE Technologies, VLabSource and some tremendous advisors, I'm releasing Wireshark University at BrainShare 2007! red N



© 2014 Novell