Course Overview:
This 3-days course aims to introduce students to basic principles of packet networks analysis using Wireshark tool – the world’s most popular network analyzer. It covers in detail, all basics elements and features of Wireshark. The course starts with reviewing key concepts and formalisms of ISO OSI Reference Model (ITU-T X.200) to more efficiently troubleshoot network layer by layer, and TCP/IP protocol suite. The essential part of the training is dedicated to methods and aspects of packet capturing process and offline analysis of the captured traffic. The goal of the analysis is to identify and resolve problems related to certain services and protocols, verify communication between peers at each layer of the OSI model, as well as prevent problems before they occur. In-depth lectures are supported by a numerous examples and practical exercises based on sample capture files with traffic patterns from real-live networks. The course assumes participants have some background in modern computer networks.
Course Objectives:
- Acquire good understanding of basic terms and objects of the ISO OSI Reference Model and TCP/IP
- protocol suite, and ability to apply it to real world problem solving.
- Build a solid foundation in the key skills of packet network analysis and troubleshooting using Wireshark – a tool for packet capture and analysis.
- Understand the elements, main capabilities as well as limitations of Wireshark, in particular, capturing
- process, traffic filtering mechanisms (similarities and differences between capture and display filters),
- common and protocol-specific features.
- Identify root cause of common poor network performance problems.
- Analyze user-application functionality.
Target Audience:
Information technology students and specialists, customer service engineers, application support engineers,and network engineers who:
- need to learn essential packet network analysis and troubleshooting skills, including locating the cause of problems at any layer from physical to application layer, such us high-latency, packet loss, limited throughput,
- understand practical network analysis techniques.
Course Duration:
- 21 hours – 3 days
Course Content:
Day 1: Network analysis overview
- ISO OSI reference model. Protocols, services, applications.
- TCP/IP networksessentials. Protocols: Ethernet,ARP,IP,ICMP,DHCP,TCP,UDP,FTP,HTTP.
- Troubleshooting tools, methodologies.
Introduction to Wireshark
- What is Wireshark? Portable Wireshark. Resources.
- Wireshark GUI structure: Panes (Packet List, Details, Packet Bytes), Status Bar, … .
- Architecture and processing flow. What and why cannot be seen with Wireshark?
- Supported protocols. Dissectors.
- Preferences and configurations; global and profile specific.
- Time values.
- Lab exercises.
Day 2: Capture Traffic
- Things to consider before start.
- Promiscuous mode.
- Capture filters.
- Automatic stop criteria.
- Lab exercises.
Traffic analysis: tools and approaches
- Analysis checklist.
- Quantitative analysis. (a) Basic predefined descriptive statistics and summaries: Capture Properties, Protocol Hierarchy, Conversations, Endpoints, Packets Lengths, IPspecific. (b) Protocol specific analysis (e.g.: TCP Stream Graphs).
- Flow visualization.
- Filtering traffic: Display filters, following stream.
- Using features: nameresolution,colorization,marking,ignoring,commenting,usingtimereferences, time shifts, … .
- Accessing options through Right-Click functionality.
- Understanding Expert System.
- Interpretation (reference patterns), OS/driver Offload features impact.
- Saving results
- Lad exercises and case studies
Day 3 Traffic analysis: common issues in network performance assessment
- Cause of performance problems.
- Packet loss.
- Bandwidth issues. Layered approach to measurement.
- Latency: assessing end to end latency, visualization.
- Lab exercises.
Traffic analysis: protocols
- Application layer: HTTP, FTP.
- Transport Layer: TCP, UDP.
- (a) Packet loss and recovery. (b) Previous segment lost and Out-of-Order Segments events. (c) Duplicate TCP ACKs and Fast Retransmissions. (d) TCP Retransmissions. (e) TCP Zero Window, Window changes and other window problems.
- Network Layer: IPv4, fragmentation.
- Data-Link Layer: Ethernet II.
- Lab exercises and case studies (vulnerabilities in the IP and TCP protocols).
