Wireshark Webinars

I have attended multiple Wireshark webinars presented by Riverbed and leaders in the field. They title this series "Return to the Packet Trenches" with some sort of variation or subtitle for the different sessions. I always walk away with something new. This latest webinar was no exception. It reviewed several CLI options for creating, analyzing, and editing packet captures. I highly recommend attending these webinars if you have any interest in Wireshark and staring at packets. For more resources I recommend, or to see the tools I've created, please look at my "Network Performance" drop-down menu at the top of this page.

Here are links to their resources as sent to me in their follow-up email:
Wireshark CLI tools & scripting (by Sake Blok): https://sharkfestus.wireshark.org/assets/presentations18/33.zip
Presentation video: https://youtu.be/IZ439VNvJqo (1:11:14)
TShark Command Line using PowerShell (by Graham Bloice): https://sharkfesteurope.wireshark.org/assets/presentations17eu/33.7z
Custom LUA dissectors to the rescue in root cause analysis (by Sake Blok): https://sharkfesteurope.wireshark.org/assets/presentations17eu/21.pdf
Review the SharkFest’18 EUROPE agenda and other information.
For more "Packet Trenches" resources, check out these links. Watch the replay...
Read More

Synchronize Wireshark Profiles

As mentioned in this post, you can create and share custom profiles. However, that is not the extent of profile management. Another great way to use these files is to synchronize Wireshark profiles between systems. In this day and age you probably have more than one computer (laptop, VM, home desktop?). Also, if you're like me, you probably have Wireshark installed on anything you can get your hands on! It can be a bit of a pain to keep your favorite Wireshark settings, such as protocol options, coloring rules, and saved display filters, up to date on each Wireshark installation. Using Dropbox (or a similar service) you can easily keep your Wireshark profiles in sync on all computers. All that is required is another quick and easy modification and a shared storage location, whether that is a local storage drive or cloud storage. The pertinent folders are shared in the previously linked post as well as in the Wireshark documentation....
Read More

Share Wireshark Profiles

As mentioned in this post, Wireshark is easy to customize and even provides the ability to share custom profiles. Just about everything that can be modified can be shared. I outlined several of those items in the linked post. Wireshark stores its configuration items in files located in a couple of key places. The ones I have shared below are all contained in the "Personal configuration" directory. To get sharing right away, follow these steps:
1. Open the "Help" menu
2. Click the "About Wireshark" option
3. Select the "Folders" tab
4. Find the folder that contains the file(s) you want to change
5. Copy or share that folder
6. Place the respective folder(s) or file(s) into the same directory on the other install
7. The next time you open Wireshark you'll have access to the new profiles

Shared Profiles
Here is my go-to profile. This is a link to the rest of my profiles. These are a work in progress with some more complete than...
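The copy-the-folder steps above, plus the sync idea from the "Synchronize Wireshark Profiles" post, as a PowerShell script. This is an added example, not code from either post. It assumes Wireshark on Windows, where the "Personal configuration" entry on the Folders tab is %APPDATA%\Wireshark and each named profile is a folder under its profiles subfolder (the Default profile's files sit directly in the personal directory and are not covered here). The shared path used in the usage lines is a placeholder, and the directory junction used for syncing is this example's choice; the original post does not say which modification it uses.

```powershell
# Added example, not from the original posts. Assumes Wireshark on Windows keeps
# personal settings under %APPDATA%\Wireshark, with each named profile as a folder
# under "profiles". The shared folder is whatever you choose, e.g. a Dropbox path.

function Get-WiresharkProfilesDir {
    Join-Path (Join-Path $env:APPDATA 'Wireshark') 'profiles'
}

function Export-WiresharkProfiles {
    # Copy selected (or all) named profiles to a shared folder. Each profile is a
    # folder of plain-text files: preferences, colorfilters, dfilters, recent, ...
    param(
        [Parameter(Mandatory)][string]$Destination,
        [string[]]$Name      # profile names to export; omit for all
    )
    $src = Get-WiresharkProfilesDir
    if (-not (Test-Path $src)) { throw "No profiles folder at $src; create a profile in Wireshark first" }
    $dirs = Get-ChildItem -Path $src -Directory
    if ($Name) { $dirs = $dirs | Where-Object { $_.Name -in $Name } }
    foreach ($d in $dirs) {
        $target = Join-Path $Destination $d.Name
        New-Item -ItemType Directory -Path $target -Force | Out-Null
        # Copy the folder's contents; files already in the target are overwritten
        Copy-Item -Path (Join-Path $d.FullName '*') -Destination $target -Recurse -Force
    }
    $dirs | ForEach-Object Name
}

function Import-WiresharkProfiles {
    # Reverse direction: drop shared profile folders into the local profiles
    # folder. Wireshark lists them the next time it starts.
    param([Parameter(Mandatory)][string]$Source, [string[]]$Name)
    $dst = Get-WiresharkProfilesDir
    New-Item -ItemType Directory -Path $dst -Force | Out-Null
    $dirs = Get-ChildItem -Path $Source -Directory
    if ($Name) { $dirs = $dirs | Where-Object { $_.Name -in $Name } }
    foreach ($d in $dirs) {
        $target = Join-Path $dst $d.Name
        New-Item -ItemType Directory -Path $target -Force | Out-Null
        Copy-Item -Path (Join-Path $d.FullName '*') -Destination $target -Recurse -Force
    }
    $dirs | ForEach-Object Name
}

function Connect-WiresharkProfiles {
    # Sync instead of copy: replace the local "profiles" folder with a directory
    # junction pointing at the shared copy, so every machine reads and writes the
    # same files. Junctions need no admin rights, unlike symlinks. Close Wireshark first.
    param([Parameter(Mandatory)][string]$SharedProfiles)
    $local = Get-WiresharkProfilesDir
    New-Item -ItemType Directory -Path $SharedProfiles -Force | Out-Null
    $target = (Resolve-Path $SharedProfiles).Path
    if (Test-Path $local) {
        $item = Get-Item $local
        if ($item.LinkType -eq 'Junction') { return $item.Target }   # already linked
        # Keep the old local profiles instead of deleting them
        Rename-Item -Path $local -NewName ('profiles.bak-' + (Get-Date -Format 'yyyyMMddHHmmss'))
    }
    New-Item -ItemType Junction -Path $local -Target $target | Out-Null
    (Get-Item $local).Target
}

# Usage (the shared path is a placeholder):
#   Export-WiresharkProfiles -Destination "$env:USERPROFILE\Dropbox\Wireshark\profiles" -Name 'Web','Wireless'
#   Import-WiresharkProfiles -Source "$env:USERPROFILE\Dropbox\Wireshark\profiles"
#   Connect-WiresharkProfiles -SharedProfiles "$env:USERPROFILE\Dropbox\Wireshark\profiles"
```

Two things to expect once the folder is synced: the recent file inside each profile records window geometry and column widths and is rewritten every time Wireshark exits, so a synced folder sees constant small writes and, if two machines run Wireshark at once, sync-service conflict copies; and a junction is a Windows mechanism, so a Linux or macOS machine in the mix needs a symlink to the same shared folder instead.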
Read More

Wireshark Profiles

One of the great things about Wireshark is the completely customizable interface. Users can change the layout, column settings, protocol decode options, add/remove buttons, change colors, add/remove filters, and more. There is even documentation on how to write new protocol dissectors. Due to its open source nature and the active development community, one can modify the code and/or participate in its official development. What this means is that no two Wireshark installs have to be the same. Analysts can mold the tool into exactly what they need for their particular job. This is all done through the use of profiles. In fact, a single install can have multiple profiles. This is useful for tailoring different profiles to specific protocols or troubleshooting scenarios. For example, one profile could be used for troubleshooting web traffic and another for diagnosing wireless issues. I currently have about 10 profiles ranging from a minimalist view to one specifically for...
Read More

Problems After Updates?

One of the most common sources of problems any IT admin faces is a software update. While software updates are generally considered a good thing, because they patch security flaws, fix bugs, try to improve performance, and more, they are also a common source of trouble. Every admin knows to be ready for calls after a scheduled maintenance window. This issue was no different. A ticket came in stating users could not access a web app through the backend system after an upgrade to Java 1.7. The server, Java, and app logs all looked OK and appeared to be running properly. Also, interestingly, the web app worked when accessed directly from a web browser. This sounded like a perfect opportunity for a quick packet capture and analysis. Here is what was produced: *Note: In order to maintain the SSL session info I could not anonymize this, so I'm just using a screenshot instead of sharing the capture on CloudShark. I've done quite a few...
Read More

Become a Certified Wire Shark (WCNA)

I recently sat for the Wireshark Certified Network Analyst (WCNA) certification again. This will be the second time I have taken it and the second time I have passed. I have taken several networking certification exams, networked with people who have sat for others, and read about many more. Keeping all of that in mind, I think this is one of the most straightforward certification tests I have seen. Laura Chappell, Gerald Combs, and the team have done a great job with the books and preparation materials. If you're wondering if the exam is right for you, please continue.

Who should test?
Network Admins
If you are a network admin or analyst in any capacity then this certification will add to your resume and give you an edge over your peers. More than that, it will teach you about the protocols and applications that traverse your network and their expected behaviors. How can you architect and maintain a road if you don't...
Read More

Rename Files to WS File Set Format

Using file sets in Wireshark is a great feature. It allows for quickly navigating between smaller files instead of experiencing sluggish performance when analyzing one large file. However, there are times when packet captures were taken using a tool other than Wireshark (such as tcpdump or dumpcap). Other times someone else performs the captures and uses a different naming convention. Either way, there are times when it would be nice to convert these names into Wireshark's file set naming convention. For a full write-up on the function and naming convention, please see Wireshark's documentation here. To get started renaming files, please see below.

Using Windows PowerShell:
1. Create a folder where you want to rename files
2. Create a new PowerShell script file with a .ps1 extension (e.g. rename.ps1)
3. Use the following script:
4. Run the script by executing it in PowerShell or right-clicking on it and selecting "Run with PowerShell"

Disclaimer: I'm relatively new to PowerShell, so this script isn't the most efficient. As I learn...
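An added example of the renaming step, written for this page rather than taken from the post (the author's own script is cut off above). It applies Wireshark's file set naming convention, prefix_NNNNN_YYYYMMDDhhmmss.ext, numbering the files in the order of their first packet. The timestamp is read straight from the header of classic pcap files; for anything else (pcapng, for instance) it falls back to the file's last-write time, and the date is rendered in local time. The fallback, the local-time choice, and the function and parameter names are this example's assumptions.

```powershell
# Added example, not the script from the original post. Renames every capture in
# a folder to Wireshark's file set convention <prefix>_<NNNNN>_<YYYYMMDDhhmmss><ext>,
# numbered in first-packet order. Classic pcap files are parsed directly; anything
# else (e.g. pcapng) falls back to the file's last-write time, which is this
# example's choice, not Wireshark's behaviour.

function Get-FirstPacketTime {
    # Returns a local DateTime for the first packet of a classic pcap file, or
    # $null if the file is not one. Layout: 24-byte global header, then each
    # record starts with ts_sec (4 bytes) and ts_usec/ts_nsec (4 bytes) in the
    # file's own byte order, which the magic number reveals.
    param([Parameter(Mandatory)][string]$Path)
    $buf = New-Object byte[] 32
    $fs = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
    if ($n -lt 32) { return $null }                  # empty capture or not a pcap
    $magic = [BitConverter]::ToString($buf, 0, 4)    # e.g. "D4-C3-B2-A1"
    switch ($magic) {
        'D4-C3-B2-A1' { $littleEndian = $true }      # 0xA1B2C3D4 LE, microsecond
        '4D-3C-B2-A1' { $littleEndian = $true }      # 0xA1B23C4D LE, nanosecond
        'A1-B2-C3-D4' { $littleEndian = $false }     # same two, written big-endian
        'A1-B2-3C-4D' { $littleEndian = $false }
        default       { return $null }               # pcapng or something else
    }
    if (-not $littleEndian) { [Array]::Reverse($buf, 24, 4) }
    $sec = [BitConverter]::ToUInt32($buf, 24)        # seconds since the Unix epoch
    [DateTimeOffset]::FromUnixTimeSeconds($sec).LocalDateTime
}

function Rename-ToWiresharkFileSet {
    # Renames the captures in $Folder in place and returns the old/new pairs.
    # Supports -WhatIf to preview the plan without touching the files.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string]$Prefix = 'capture',
        [string[]]$Extension = @('.pcap', '.pcapng', '.cap')
    )
    $entries = Get-ChildItem -Path $Folder -File |
        Where-Object { $_.Extension -in $Extension } |
        ForEach-Object {
            $t = Get-FirstPacketTime -Path $_.FullName
            if ($null -eq $t) { $t = $_.LastWriteTime }   # fallback, see note above
            [pscustomobject]@{ File = $_; Time = $t }
        } | Sort-Object -Property Time, { $_.File.Name }
    $i = 1
    foreach ($e in $entries) {
        # Five-digit zero-padded counter and 14-digit local timestamp, as Wireshark writes them
        $newName = '{0}_{1:D5}_{2:yyyyMMddHHmmss}{3}' -f $Prefix, $i, $e.Time, $e.File.Extension
        if ($e.File.Name -ne $newName -and $PSCmdlet.ShouldProcess($e.File.FullName, "Rename to $newName")) {
            Rename-Item -Path $e.File.FullName -NewName $newName
        }
        $i++
        [pscustomobject]@{ Old = $e.File.Name; New = $newName }
    }
}

# Usage (folder and prefix are placeholders); add -WhatIf first to preview:
#   Rename-ToWiresharkFileSet -Folder 'C:\captures\incident' -Prefix 'trace' -WhatIf
#   Rename-ToWiresharkFileSet -Folder 'C:\captures\incident' -Prefix 'trace'
```

Wireshark only treats files as one set when they share the prefix, the suffix and the directory, so run this against one extension at a time (pass -Extension '.pcap', say) rather than mixing pcap and pcapng in the same folder. The counter, not the timestamp, is what keeps names unique, so two files whose first packets fall in the same second still get distinct names.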
Read More