5 Takeaways From Wireshark Boot Camp & Sharkfest12

I attended Laura Chappell’s Wireshark Certified Network Analyst BOOT CAMP along with Sharkfest 2014 June 14-20, at Dominican University in San Rafael, California. This was the seventh Sharkfest which began in 2008 and attendance has grown each year. Sharkfest is an educational conference focused on sharing knowledge, experience and best practices among members of the Wireshark global developer and user communities.

A Little About Wireshark

Wireshark (formerly known as Ethereal) is the world's most popular network analyzer. Wireshark is an open source software (OSS) project that is released under the GNU General Public License (GPL).  Wireshark was released on July 1998 as a cost effective means for Gerald Combs to track down network problems and facilitate his understanding of networking protocols in general. Combs was amazed by a community having similar interests and their active involvement around his initial development efforts. Today, there are over 700 Wireshark developers through the world, credited with building an enhancing Wireshark which has grown to over 2,272,715 lines of code and well over 500,000 downloads per month.

Wireshark Network Analyst BOOT CAMP ’14

Some of my personal takeaways from attending Laura Chappell’s Wireshark Network Analyst BOOT CAMP ’14:

1. There is a WLAN component of the Wireshark Certified Network Analyst (WCNA) titled, “Introduction to 802.11 (WLAN) Analysis” and past WCNA test results shared by Laura have shown the majority of test takers having difficulty with even at this introductory level of WLAN Analysis (see slides below for reference).
2. Wireshark does not natively have the ability to capture packets but instead relies on the services of other programs such as Dumpcap which itself relies on OS specific WinPcap, AirPcap, and libpcap link-layer interface
3. Wireshark officially supports AirPcap for 802.11 frame capture in Microsoft Windows environments. Multiple AirpCap adapters can be used to capture multiple 802.11 channels which can be aggregated together. 802.11n and earlier are supported.
4. Wireshark is a “First Responder” tool that is deployed immediately when the cries of “the network is slow” ring out
5. Given an overwhelming number of packets captured, it is critical to perform captures at the right location within the network and utilize optimum display and capture filters to filter these packets and locate the needle in the haystack.

Sharkfest14

It was really fantastic to see the mix of attendees at the event.  The majority seemed to be from enterprise and governmental entities with a smaller number of service providers.  The agenda was separated into Beginner, Intermediate, and Advanced tracks to be as inclusive as possible for the attendees experience levels.  Commercial network analysis vendors seemed primarily focused on analyzing network problems at the network core rather than the edge, because of financial return.  This was the response given with regards to capturing and decoding next generation 802.11ac traffic at the network edge.

There were a couple sessions on the agenda focused on WLAN’s including: Wi-Fi Threats and Counter Measures for the advanced track and Wi-Fi Direction Finding for beginners.  There was a lot of focus on the Transmission Control Protocol, specifically in the areas of Sequence Number Analysis, Sliding Window, Selective Acknowledgements, Nagle's algorithm, and Delayed Acks and protocol indicators of TCP traffic problem.

It was nice to see a lot of  interest regarding 7signal's WLAN analysis capabilities when discussed with other show attendees...no shortage of visibility problems in their WLANs.

Remember: Wireshark is Community – a way for people with common interests to get together.

Gerald Comb’s Favorite Saying: “The packets never lie!”