100 WIRESHARK TIPS
@laurachappell
These tweets were released on Twitter (@laurachappell) from June 18-November 5, 2013.

#Wireshark Tip 1:

Turn OFF TCP pref for reassembly when working HTTP - see the Response Code in correct packet.

#Wireshark Tip 2:

Use groups to find sets of words - frame matches "(attachment|tar|exe|zip)"

#Wireshark Tip 3:

Graph http.time in Wireshark 1.10 - Cool!

#Wireshark Tip 4:

Look for "data" in Statistics | Protocol Hierarchy when you suspect malicious traffic.

#Wireshark Tip 5:

In 1.10, right-click on an item in the Expert Info window | Internet Search. Nice!

#Wireshark Tip 6:

Filter on tcp.analysis.flags && !tcp.analysis.window_update – click Save to make it a button.

#Wireshark Tip 7:

Edit/remove Filter Expression buttons through Preferences | Filter Expressions.

#Wireshark Tip 8:

Disable IP, TCP, UDP checksum validation – task offload very common.

#Wireshark Tip 9:

Select Help | About Wireshark | Folders to find your personal configs/profiles.

#Wireshark Tip 10:

Right-click on TCP Stream field and Apply as Column for spaghetti TCP traffic.

#Wireshark Tip 11:

Right-click on No. column heading to left-align – get it away from Time column.

#Wireshark Tip 12:

Add an http.host column when analyzing web browsing sessions.

#Wireshark Tip 13:

Select "Classic" in Wireshark 1.10 profiles to use brighter color palette.

#Wireshark Tip 15:

Capture at the client to obtain RTT and performance from the client's perspective.

#Wireshark Tip 16:

Apply an IO graph line based on the Bad TCP coloring rule string to correlate TCP/throughput problems.

#Wireshark Tip 17:

Increase Filter Display max. list entries to 30 in User Preferences.

#Wireshark Tip 18:

Increase "Open Recent" max list entries to 30 in User Preferences.

#Wireshark Tip 19:

Toggle Bytes pane with View | Packet Bytes – more room is nice.

#Wireshark Tip 20:

Clear recent files with File | Open Recent | Clear the recent file list.

#Wireshark Tip 21:

I always disable the Bad Checksum coloring rule.

#Wireshark Tip 22:

Enable Calculate Conversation Timestamps (TCP Pref) to track TCP delta times.

Learn Wireshark Today! wiresharktraining.com – wiresharkbook.com – chappellu.com – lcuportal2.com
© Chappell University 2013-2014 #Wireshark Tips from @laurachappell – Page 1
#Wireshark Tip 23:

After #Wireshark Tip 22, add a tcp.time_delta column and sort high to low.

#Wireshark Tip 24:

Coloring Rule: http.response.code > 399 to highlight errors.

#Wireshark Tip 25:

Coloring rule: Bad TCP Con Options - tcp.hdr_len < 28 && tcp.flags.syn == 1.

#Wireshark Tip 26:

I always set View | Time Display Format | Secs. Since Prev. Displayed Packet.

#Wireshark Tip 27:

Use Prefs | Filter Exp. to reorder your Filter Exp. buttons.

#Wireshark Tip 28:

I use “|” name and “frame” string to create Filter Exp. button separator.

#Wireshark Tip 29:

Stats | TCP Stream Gr | Time-Seq Gr (tcptrace) - top grey line is available rec. window space – pic.twitter.com/7wifRtFURu

#Wireshark Tip 30:

I always add a tcp.stream column to quickly catch new connections being established.
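As an added example (not part of the original tips and not Wireshark code), the following Python script builds a few constructed Ethernet/IPv4/TCP frames, dissects them with a minimal hand-written parser, and evaluates the filter and coloring-rule predicates from Tips 8/21 (bad IP checksum caused by checksum offload on the capturing host), 22/23 (tcp.time_delta measured per conversation rather than per file), 24 (http.response.code > 399), 25 (tcp.hdr_len < 28 && tcp.flags.syn == 1) and 30 (tcp.stream index). The hosts (RFC 5737 documentation ranges), ports and timings are invented for the example.

```python
import struct

# Constructed hosts (RFC 5737 documentation ranges); nothing here comes from a real capture.
CLIENT, CLIENT2, SERVER = "192.0.2.10", "192.0.2.11", "198.51.100.20"
SYN, PSH, ACK = 0x02, 0x08, 0x10
# MSS + SACK-permitted + Timestamps + NOP + Window Scale = 20 option bytes, i.e. tcp.hdr_len == 40.
FULL_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00\x00\x00\x01" * 2
                + b"\x01" + b"\x03\x03\x07")


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum; caller passes the header with its checksum field zeroed."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src, dst, sport, dport, flags, window=65535, options=b"", payload=b"", offload=False):
    """Ethernet/IPv4/TCP frame. offload=True leaves the IP checksum at 0, which is what a capture
    taken on the sending host sees when checksum calculation is handed to the NIC (Tips 8/21/34)."""
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, data_offset << 4, flags, window, 0, 0) + options + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                               bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))))
    if not offload:
        ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + bytes(ip) + tcp


def dissect(frame: bytes) -> dict:
    """Minimal dissector exposing the fields the tips' filters reference (IPv4 + TCP only)."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    hdr = bytearray(ip[:ihl])
    stored = struct.unpack("!H", hdr[10:12])[0]
    hdr[10:12] = b"\x00\x00"
    sport, dport, _seq, _ack, offset, flags, window = struct.unpack("!HHIIBBH", ip[ihl:ihl + 16])
    hdr_len = (offset >> 4) * 4
    return {
        "ip.src": ".".join(map(str, hdr[12:16])), "ip.dst": ".".join(map(str, hdr[16:20])),
        "tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags.syn": bool(flags & SYN),
        "tcp.hdr_len": hdr_len, "tcp.window_size": window,
        "ip.checksum.ok": ipv4_checksum(bytes(hdr)) == stored,
        "payload": ip[ihl + hdr_len:],
    }


def analyze(capture):
    """capture: list of (timestamp in seconds, frame bytes). Returns one row per packet with the
    tcp.stream index, tcp.time_delta and the coloring-rule predicates evaluated."""
    streams, last_seen, rows = {}, {}, []
    for ts, frame in capture:
        p = dissect(frame)
        # Both directions of a connection share one index, like Wireshark's tcp.stream (Tip 30).
        key = frozenset([(p["ip.src"], p["tcp.srcport"]), (p["ip.dst"], p["tcp.dstport"])])
        stream = streams.setdefault(key, len(streams))
        # Time since the previous packet of the SAME conversation (Tips 22/23), not the previous packet in the file.
        delta = round(ts - last_seen.get(stream, ts), 6)
        last_seen[stream] = ts
        status = int(p["payload"][9:12]) if p["payload"].startswith(b"HTTP/") else None
        rows.append({
            "tcp.stream": stream,
            "tcp.time_delta": delta,
            "bad_tcp_options": p["tcp.flags.syn"] and p["tcp.hdr_len"] < 28,   # Tip 25
            "http_error": status is not None and status > 399,                 # Tip 24
            "bad_ip_checksum": not p["ip.checksum.ok"],                         # Tips 8/21
        })
    return rows


# Constructed four-packet capture: a SYN captured on the client (offloaded checksum), a SYN/ACK
# carrying no options, a second client's SYN carrying only MSS, and a slow 503 response.
SAMPLE_CAPTURE = [
    (0.000000, build_frame(CLIENT, SERVER, 40000, 80, SYN, options=FULL_OPTIONS, offload=True)),
    (0.012000, build_frame(SERVER, CLIENT, 80, 40000, SYN | ACK)),
    (0.020000, build_frame(CLIENT2, SERVER, 40001, 80, SYN, options=b"\x02\x04\x05\xb4")),
    (1.512000, build_frame(SERVER, CLIENT, 80, 40000, PSH | ACK,
                           payload=b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n")),
]

if __name__ == "__main__":
    for number, row in enumerate(analyze(SAMPLE_CAPTURE), start=1):
        print(number, row)
```

The first frame is the checksum-offload case from Tips 8 and 21: the header is otherwise valid, but the capture was taken before the NIC filled in the checksum, so validation fails and the Bad Checksum coloring rule would fire on perfectly good traffic. The 1.5 s tcp.time_delta on the last row only appears because the delta is tracked per stream; sorted high to low (Tip 23) it surfaces the slow response even with another connection interleaved.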

#Wireshark Tip 31:

Wireshark 1.10 has an http.time field in responses - turn off TCP pref 4 reassembly first.

#Wireshark Tip 32:

Those grey lines dipping down in Time Seq. graph (tcptrace) are duplicate ACKs

#Wireshark Tip 33:

Select Help > About Wireshark > Folders > personal config dir > profiles!

#Wireshark Tip 34:

Update Wireshark from an earlier vers? Might need to disable IP checksum validation

#Wireshark Tip 35:

Click Internals > Supported Protocols (slow!) to find protocols/apps dissected by Wireshark.

#Wireshark Tip 36:

Edit | Prefs | Name Resolution - add path to GeoIP dir (see bit.ly/1cjd23a for database).

#Wireshark Tip 37:

HTTP over some other port (not 80)? Edit | Preferences | Protocols | HTTP -add to the port list.

#Wireshark Tip 38:

I always right-click the No. column header to change alignment to left - cleaner view.

#Wireshark Tip 39:

Fast way to set protocol prefs. Right-click on the protocol in the detail window - Protocol Prefs!

#Wireshark Tip 40:

The display filter "a && b || c" is processed as "a && (b || c)" - go figure! See Aug 7 tweets.
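To make the precedence pitfall in Tip 40 concrete, here is an added example (mine, not from the original tips and not Wireshark's own display-filter engine): a small precedence-climbing parser for the boolean part of the filter language that can be switched between C-style precedence, where && binds tighter than ||, and the behaviour Tip 40 describes, where a && b || c groups as a && (b || c). The packet is a constructed field-presence map, and the field names used as filter terms are illustrative. Whatever a given Wireshark release does, parenthesising compound filters explicitly removes the ambiguity.

```python
import re

TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[A-Za-z_][A-Za-z0-9_.]*")


def tokenize(expr):
    """Split a boolean filter expression into tokens: field names, !, &&, ||, ( and )."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {expr[pos:]!r}")
        tokens.append(m.group(0))
        pos = m.end()
    return tokens


class FilterParser:
    """Precedence-climbing parser. and_binds_tighter=True is C-style precedence
    (a && b || c reads as (a && b) || c); False reproduces what Tip 40 describes,
    || binding tighter than && (a && b || c reads as a && (b || c))."""

    def __init__(self, expr, and_binds_tighter=True):
        self.tokens, self.pos = tokenize(expr), 0
        self.prec = {"||": 1, "&&": 2} if and_binds_tighter else {"||": 2, "&&": 1}

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        tree = self.expression(0)
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return tree

    def expression(self, min_prec):
        left = self.atom()
        while self.peek() in self.prec and self.prec[self.peek()] >= min_prec:
            op = self.take()
            left = (op, left, self.expression(self.prec[op] + 1))  # left-associative
        return left

    def atom(self):
        tok = self.take()
        if tok == "(":
            inner = self.expression(0)
            if self.take() != ")":
                raise ValueError("missing )")
            return inner
        if tok == "!":
            return ("!", self.atom())
        if tok is None or tok in self.prec or tok == ")":
            raise ValueError(f"expected a field name, got {tok!r}")
        return ("field", tok)


def evaluate(tree, fields):
    """fields: {protocol_or_field_name: present?} describing one packet."""
    kind = tree[0]
    if kind == "field":
        return bool(fields.get(tree[1], False))
    if kind == "!":
        return not evaluate(tree[1], fields)
    left, right = evaluate(tree[1], fields), evaluate(tree[2], fields)
    return (left and right) if kind == "&&" else (left or right)


def to_string(tree):
    """Fully parenthesised rendering, so the grouping the parser chose is visible."""
    kind = tree[0]
    if kind == "field":
        return tree[1]
    if kind == "!":
        return "!" + to_string(tree[1])
    return f"({to_string(tree[1])} {kind} {to_string(tree[2])})"


def matches(expr, fields, and_binds_tighter=True):
    return evaluate(FilterParser(expr, and_binds_tighter).parse(), fields)


# Constructed packet: a DNS query over UDP, so tcp and http are absent.
DNS_PACKET = {"udp": True, "dns": True, "tcp": False, "http": False}

if __name__ == "__main__":
    for tight in (True, False):
        tree = FilterParser("tcp && http || dns", tight).parse()
        print(to_string(tree), "->", evaluate(tree, DNS_PACKET))
```

Run on the DNS packet, the same filter text matches under C-style precedence and does not match under the Tip 40 grouping; the explicitly parenthesised form "(tcp && http) || dns" matches under both, which is the point of writing the parentheses.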

#Wireshark Tip 41:

Use wlan.fc.retry == 1 to locate WLAN retries.

#Wireshark Tip 42:

Export field info - add as column, File | Export Packet Dissections (packet summary line only)

#Wireshark Tip 43:

Use Editcap to split big traces into file sets - use File | File Sets to view

#Wireshark Tip 44:

Wireshark 1.10 Status Bar includes percentage info when you apply a display filter.

#Wireshark Tip 45:

Use the filter/coloring rule string/button sip.Status-Code > 300 to detect SIP errors.

#Wireshark Tip 46:

Filter on tcp.analysis.retransmissions to see standard/fast retransmissions.

#Wireshark Tip 47:

Use CIDR format for a subnet display filter - for example, ip.addr==10.2.0.0/16.

#Wireshark Tip 48:

Customize profiles - Right-click on a field and select Apply as Column on interesting field.

#Wireshark Tip 49:

Wireshark 1.10.1 has an auto-update feature - also Help | Check for Updates is new.

#Wireshark Tip 50:

Use Preferences | Filter Expressions to edit, reorder, disable, delete Filter Expression buttons.

#Wireshark Tip 51:

New TCP Time-Seq graph depicts SACK packets in blue. Nice! pic.twitter.com/9CpP92kBn3

#Wireshark Tip 52:

Tshark subnet stats - tshark -q -z io,stat,3600,ip.addr==192.168.1.0/24 >stats.txt (manual stop)
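Added example (mine, not from the original tips and not tshark code) showing what the two filters in Tips 47 and 52 actually compute: ip.addr == net/prefix matches when either the source or the destination address is inside the subnet, and io,stat buckets the matching frames into fixed intervals. The packet summaries below are constructed (RFC 5737 and RFC 1918 addresses), and a 2-second interval is used instead of 3600 so several buckets appear in a handful of packets.

```python
import ipaddress
from collections import defaultdict

# Constructed packet summaries: (timestamp in seconds, ip.src, ip.dst, frame length in bytes).
SAMPLE_PACKETS = [
    (0.4, "192.168.1.10", "203.0.113.5", 74),
    (1.9, "203.0.113.5", "192.168.1.10", 1514),
    (2.3, "10.0.0.7", "203.0.113.9", 60),          # neither address in 192.168.0.0/16
    (5.1, "192.168.1.44", "192.168.1.1", 90),
    (7.7, "198.51.100.2", "192.168.2.3", 100),     # inside 192.168.0.0/16, outside 192.168.1.0/24
]


def ip_addr_matches(src, dst, subnet):
    """Semantics of the display filter ip.addr == <net>/<prefix> (Tip 47): true when EITHER
    the source or the destination address falls inside the subnet."""
    net = ipaddress.ip_network(subnet, strict=False)
    return ipaddress.ip_address(src) in net or ipaddress.ip_address(dst) in net


def io_stat(packets, interval, subnet):
    """Pure-Python equivalent of `tshark -q -z io,stat,<interval>,ip.addr==<subnet>` (Tip 52):
    returns {interval_start: (frames, bytes)} for the packets matching the filter."""
    buckets = defaultdict(lambda: [0, 0])
    for ts, src, dst, length in packets:
        if ip_addr_matches(src, dst, subnet):
            start = int(ts // interval) * interval
            buckets[start][0] += 1
            buckets[start][1] += length
    return {start: tuple(counts) for start, counts in sorted(buckets.items())}


if __name__ == "__main__":
    for start, (frames, nbytes) in io_stat(SAMPLE_PACKETS, 2, "192.168.1.0/24").items():
        print(f"{start:>4}-{start + 2:<4} frames={frames:<3} bytes={nbytes}")
```

With the /24 the reply from 203.0.113.5 still counts, because its destination is in the subnet; widening to /16 pulls in the 192.168.2.3 frame as well. Running the same function with the tip's 3600-second interval collapses everything into one bucket, which is what you want for hourly subnet totals on a long capture.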

#Wireshark Tip 53:

Click and drag over areas to zoom in on TCP Stream Graphs. Click Home to revert.

#Wireshark Tip 54:

When no dissector is available, right-click and follow the stream to look for commands, etc.

#Wireshark Tip 55:

Statistics | Show Address Resolution (1.10.1) pulls all name resolution from trace file - nice!

#Wireshark Tip 56:

Two great reasons to add a column: ability to sort and export column data.

#Wireshark Tip 57:

Why is that packet colored that way? Expand the Frame section for the answer.

#Wireshark Tip 58:

Use Editcap to split a single large trace file into a manageable file set.

#Wireshark Tip 59:

Hate seeing "blackjack" and other dynamic client port values? Turn off transport name resolution.

#Wireshark Tip 60:

My Golden Rule #1 - Capture as close to the client as you can be for the client perspective!

#Wireshark Tip 61:

You don't need to load the whole trace of a DoS attack - a quick peek tells the story.

#Wireshark Tip 62:

Right-click on the Profile column on the Status Bar to create a new custom profile!

#Wireshark Tip 63:

Golden #Wireshark Tip for Network Forensics - open the Statistics | Protocol Hierarchy first.

#Wireshark Tip 64:

If you use a capture filter and save to pcapng, capture filter info is in Stats | Summary! Nice!

#Wireshark Tip 65:

See original packet + retrans? Packet loss has not occurred yet - move Wireshark closer to sender.

#Wireshark Tip 65:

Filter for SMB errors - smb.nt_status > 0. Make it a coloring rule too!

#Wireshark Tip 66:

ARP storm detection can be enabled in ARP/RARP preferences (Edit | Preferences | Protocols).

#Wireshark Tip 67:

Turn on Expert icons (last item) in Preferences | User Interface to learn Expert button colors.

#Wireshark Tip 68:

Try http.request.uri contains "/profile_images/" filter and then cruise Twitter feeds. Funny.

#Wireshark Tip 69:

http.request.method == "POST" will show all POST HTTP messages.

#Wireshark Tip 70:

After defining an awesome display filter, click Save to make it a filter expression

#Wireshark Tip 71:

File | Export Objects | HTTP (make sure TCP pref for reassembly is on). Also see NetworkMiner.

#Wireshark Tip 72:

Statistics | HTTP | Packet Counter for HTTP Response Codes.

#Wireshark Tip 73:

Click a field in Packet Detail window - look at Status Bar for field filter name.

#Wireshark Tip 74:

Detect multicast bursts - Statistics | UDP Multicast Streams.

#Wireshark Tip 75:

SMB error filter - smb.nt_status > 0 || smb2.nt_status > 0.

#Wireshark Tip 76:

SIP error filter - sip.Status-Code > 399.

#Wireshark Tip 77:

NFS error filter - nfs.status2 > 0 || nfs.status3 > 0.

#Wireshark Tip 78:

Filter for SMB delays over 1 second - smb.time > 1.

#Wireshark Tip 79:

Low Win Size - (tcp.window_size > 0 && tcp.window_size … [the rest of this rule and the start of the following tip are missing from this copy] … > 0 to find IP fragments (yuck).

About Laura Chappell, Network Analyst, Instructor, and Wireshark® Evangelist
Laura Chappell is a highly energetic speaker and author of numerous industry titles on network analysis, troubleshooting, and security. Nicknamed "Glenda, the Good Witch," Laura has presented to thousands of State, Federal and international law enforcement officers, judicial members, engineers, network administrators, technicians and developers on the subject of "tapping into networks." She focuses on troubleshooting, optimization, security and application analysis.
Ms. Chappell is the Founder of Chappell University (www.chappellU.com) which develops and delivers onsite and online training in the areas of network protocols, network forensics and network analysis tools.
In 2007, Ms. Chappell founded Wireshark University (www.wiresharkU.com), the worldwide premier educational firm focused on teaching the art of wiretapping/communications interception, network forensics, TCP/IP analysis, network troubleshooting and network security.
Laura’s network analysis, troubleshooting and security training is available online through the All Access Pass at www.chappellU.com and through customized online/onsite analysis and training.

