Troubleshooting with Wireshark

(1)

SharkFest 2016 Pre-Conference Event

Troubleshooting

with Wireshark

Master Wireshark to locate the source of

network performance problems quickly.

Use the 4-part troubleshooting

methodology to catch problems.

Customize Wireshark to detect

problems with the click of a button.

Rapidly identify and graph path

delays and application delays.

Use the Wireshark’s Expert Info to

spot slow clients, servers, network

path latency issues and more.

LAURA CHAPPELL’S

June 11-13, 2016 ● SharkFest 2016 Pre-Conference Event

Register at www.wiresharktraining.com/troubleshooting2016.html

Hosted at the Computer History Museum, Mountain View, California

(2)

Register online at www.wiresharktraining.com/troubleshooting2016.html

1 WHO SHOULD ATTEND

This hands-on course is geared towards IT professionals, network engineers, and escalation teams who need to find network problems quickly. If you are responsible for any of the following network issues, this is the event for you!

Find the cause of slow file transfers Optimize the network

Measure bandwidth use for an application or user Identify problematic infrastructure devices

COURSE TOPICS

This hands-on course focuses on customization of Wireshark to identify numerous performance issues including the following:

Connection Blocked or Refused Application Request Refused Slow Application Response Times Server Application Faults

Content Redirection TCP Receive Buffer Issues

Altered TCP Connection Attributes Mismatched TCP Parameters Weak Signal (WLAN)

Asymmetric Routing

Packet Loss in the Infrastructure

High Path Latency Measurements Bandwidth Throttling

Delayed ACKs/Nagle Issue Packets Queued along Path Route Redirections

Virus/Malware on Network Hosts Name Resolution Problems

Missing Selective Acknowledgment (SACK) No Support for Window Scaling

Premature TCP Port Number Reuse and more…

WHEN AND WHERE

June 11-13, 2016

See the Daily Schedule section on page 5 for more details on daily start/end times.

Computer History Museum

Mountain View, California

Location: 1401 N Shoreline Blvd

Mountain View, California 94043 Closest Airports: ● San Jose Mineta Airport SJC

(11 miles)

● San Francisco Airport SFO (25 miles)

● Oakland Airport OAK (33 miles)

(4)

Register online at www.wiresharktraining.com/troubleshooting2016.html

2 ABOUT LAURA CHAPPELL, YOUR INSTRUCTOR

Laura Chappell, Founder of Wireshark University and Chappell University, is renowned for her

Wireshark skills and ability to train in an entertaining manner. She is the author of several Wireshark books including Wireshark Network Analysis: the Official Wireshark Certified Network Analyst Study Guide, Wireshark 101: Essential Skills for Network Analysis, and Troubleshooting with Wireshark: Locate the Source of Performance Problems.

Laura has been analyzing network traffic for over 20 years and has presented to thousands of State, Federal and international law enforcement officers, judicial members, engineers, network

administrators, technicians and developers on the subject of “tapping into networks.”

Ms. Chappell’s customers include Apple, Cisco, Dell, HP, Microsoft, IBM, Lockheed Martin, McAfee Corporation, US Arsenal, US Air Force, US Navy, NCIS, US Court of Appeals, United Bank of

Switzerland, Salesforce, SPAWAR, Symantec, Riverbed Technology, Palo Alto Networks, Australian High Tech Crime Centre, Macau Police Department, Hong Kong Police Department, Qualcomm, and more.

TUITION AND DISCOUNT SCHEDULE

Tuition covers all course materials, 1-year All Access Pass subscription, breakfast, lunch and break refreshments, evening events and your Certificate of Completion.

Troubleshooting with Wireshark 3-Day Event ... $1,095 Bundle Pricing (Pre-Conference Event AND SharkFest 2016 Entrance)

Early Bird Bundle Price (ends February 15, 2016) ... $2,090 Regular Bundle Price (after February 15, 2016) ... $2,390 Questions? Please email [email protected] or call +1 775-499-5766.

(5)

Register online at www.wiresharktraining.com/troubleshooting2016.html

3 HANDS-ON TRAINING–BRING YOUR OWN LAPTOP (BYOL)

This training event is hands-on. Bring your own laptop pre-configured with the latest version of Wireshark1.

You can download the latest stable version of Wireshark for MAC OSX, Linux, or Windows from www.wireshark.org.

Ensure your laptop has a functional USB port as course materials will be provided on a USB stick. DVD “just-in-case” versions will also be available at the event, but not provided in the Student Kit.

CANCELLATION AND STUDENT SUBSTITUTION POLICY

If unable to attend the scheduled training class, please call Wireshark University at

+1 (775) 499-5766 to cancel your registration. Cancellations made fourteen (14) calendar days’ prior to the start date of the course will receive a refund of prepaid registration fees minus a $50 administration fee.

No refunds will be given for cancellation requests made less than 14 days before the course begins. If you do not show up for a scheduled course without prior notification (“no show”), no refund will be given.

Student substitutions are allowed, but notification must be made to [email protected] no less than five (5) full business days before the start of the class (not including the class start date).

EVENING EVENT – SHARKFEST 2016 REGISTRANTS ONLY

When you register for both the 3-Day Troubleshooting with Wireshark event and SharkFest 2016 (June 13-16, 2016), you will be invited to the

SharkFest 2016 Welcome Dinner taking place on June 13th_{in the Grand Hall}

of the Computer History Museum.

Register for both events and pick up your SharkFest 2016 badge on Monday, June 16th_{directly outside the Troubleshooting with Wireshark event.}

1_{You will be advised in advance of the event if a specific version of Wireshark is required to avoid any current bugs or}

(6)

Register online at www.wiresharktraining.com/troubleshooting2016.html

4 ABOUT THE ALL ACCESS PASS ($699 VALUE)

The All Access Pass (AAP) one-year subscription enables you to take numerous online courses whenever and wherever you want. In addition, you can join Laura Chappell live in a variety of online events that happen through the year.

AAP Portal Features

Course Gradebooks indicate progress through your courses. Print Course Certificates upon successful completion.

Download course documents and trace files for many classes. Use the Chat feature to communicate with other students

and the instructor.

Sample Online Course List

WCNA Exam Prep Questions

Lab Solutions for Wireshark 101: Essential Skills for Network Analysis

Analyzing the Window Zero Condition Build Wireshark Filters from Snort Rules Create a Security Profile

Find Stuff Fast with Wireshark Filter Expression Buttons CS42: Hacked Hosts

CS43: Analyze and Improve Throughput CS44: Top 10 Reasons Your Network is Slow CS45: TCP Analysis in-Depth

CS46: DHCP/ARP Analysis

CS47 Nmap Network Scanning 101 CS48: Wireshark 101 Jumpstart CS50: WLAN Analysis 101

AAP subscription access is provided in the event Registration packets on Saturday, June 11, 2016.

(7)

Register online at www.wiresharktraining.com/troubleshooting2016.html

5 DAILY SCHEDULE

Class runs from 9am-5pm each day.

Saturday, June 11

8:00 am Coffee and Registration (Second Floor – Hahn Auditorium Lobby) 9:00 am Class begins (with morning break)

12:00 pm Lunch break (45 minutes)

12:45 pm Class resumes (with afternoon break) 5:00 pm Class day ends

Sunday, June 12

8:00 am Coffee (Second Floor – Hahn Auditorium Lobby) 9:00 am Class begins (with morning break)

12:45 pm Class resumes (with afternoon break) 5:00 pm Class day ends

Monday, June 13

8:00 am Coffee (Second Floor – Hahn Auditorium Lobby) 9:00 am Class begins (with morning break)

12:45 pm Class resumes (with afternoon break) 5:00 pm Class ends

5:30 pm

SharkFest 2016 Welcome Dinner

2_{(Grand Hall) - Badges required}

(8)

Register online at www.wiresharktraining.com/troubleshooting2016.html

6 DETAILED CONTENT OUTLINE

The following outline defines the course content. The order in which materials are presented may be altered to allow more complex topics to be presented earlier in the day.

Part 1: Troubleshooting Methodology

 Overview of the Four-Part Analysis Methodology  Use Your Troubleshooting Checklist

Part 2: Master Key Wireshark Troubleshooting Tasks

 Create a Troubleshooting Profile  Enhance the Packet List Pane Columns  Change the Time Column Setting  Filter on a Host, Subnet or Conversation  Filter on an Application Based on Port Number  Filter on Field Existence or a Field Value  Filter OUT “Normal” Traffic (Exclusion Filters)  Create Filter Expression Buttons

 Launch and Navigate Through the Expert Infos  Change Dissector Behavior (Preference Settings)  Find the Top Talkers

 Build a Basic IO Graph  Add a Coloring Rule

Part 3: Capture Technique

 Tips on Choosing a Capture Location

 Tips for Working with Large Trace Files and High Throughput Networks  Tips for Locating the Cause of Intermittent Problems

 Tips for Naming Your Trace Files

 Capture Options for a Switched Network  Capture on High Traffic Rate Links  Consider Your Wireless Capture Options

 Capture to a File Set in High Traffic Rate Situations  Use Capture Filters when Necessary

 Command-Line Capture Techniques (Tshark/Dumpcap)

Part 4: Identify TCP/IP Resolution Problems

 Name Resolution Problems  Route Resolution Problems

 MAC Address Resolution Problems

Part 5: Troubleshoot with Time

 Avoid the Distractions of “Normal” or Acceptable Delays  Detect Delays in UDP Conversations

 Detect Delays in TCP Conversations  Identify High DNS Response Time  Identify High HTTP Response Time

(9)

Register online at www.wiresharktraining.com/troubleshooting2016.html

7 Part 6: Identify Problems Using Wireshark’s Expert

 Understand Wireshark’s Expert Infos System/Dissector Designations  Previous Segment Not Captured

 Duplicate ACKs

 Out-of-Order Packets  Fast Retransmissions  Retransmissions

 Spurious Retransmissions  ACKed Unseen Segment  Keep Alive and Keep Alive ACK  Zero Window

 Window Full

 Zero Window Probe and Zero Window Probe ACK  Window Update

 Reused Ports  Checksum Errors

Part 7: Identify Application Errors

 Detect DNS Errors  Detect HTTP Errors  Detect SMB/SMB2 Errors  Detect SIP Errors

 Detect Error Responses of Other Applications

Part 8: Master Basic and Advanced IO Graph Functions

 Graph and Compare Conversation Throughput  Graph Application Traffic

 Use CALC Functions on the Advanced IO Graph

Part 9: Graph Throughput Problems

 Detect Consistently Low Throughput due to Low Packet Sizes  Identify Queuing Delays along a Path

 Correlate Drops in Throughput with TCP Problems (the “Golden Graph”)

Part 10: Graph Time Delays

 Graph High Delta Times (UDP-Based Application)  Graph High TCP Delta Time (TCP-Based Application)

Part 11: Graph Other Network Problems

 Graph Window Size Problems  Graph Packet Loss and Recovery

Part 12: Working with Command Line Tools and 3rd Party Tools

 Export Packet List Pane Columns to CSV Format  Export Your Trace File/Packet Comments Report  Sanitize Trace Files

(10)

Register online at www.wiresharktraining.com/troubleshooting2016.html

8 HOTEL DETAILS: MAPLETREE INN

408.720.9700

711 East El Camino Real Sunnyvale, CA 94087

$169 USD + tax (10.565%) June 10-17, 2016

[email protected]

Group Code for the Discounted Room Block

The discounted rate is available 6/10-16/2016 when using the code 804.

The Maple Tree Inn is contemporary and elegant. Enjoy the meaning of comfort at the Maple Tree Inn in Sunnyvale. The Maple Tree Inn offers stylish oversized accommodations with value-added services and amenities. Breakfast, parking, and high-speed wireless internet is included in the SharkFest 2016 room rate. The Maple Tree Inn is located 5.70 miles from the Computer History Museum. Single or Double occupancy in Deluxe Queen/Queen, Single Queen or King room.

The hotel has 170 guest rooms and a nice, large pool patio area with a fire pit. Hotel amenities include:

• Guest Laundry • Fitness Center

• Lobby Computer/Printer • Outdoor Heated Pool • Hot Tub

• BBQ, Fire Pit, Wet Bar

• Complimentary Hospitality Reception Mon-Thurs

• Every room has a microwave, refrigerator, hair dryer, umbrella, iron and full ironing board

Cutoff Date for Discounted Room Rate

The Cut-off Date is May 10, 2016. Any reservation requests made after the Cut-off Date will be accepted subject to room and rate availability.

Cancellation Policy

(11)

Register online at www.wiresharktraining.com/troubleshooting2016.html

9 HOTEL DETAILS: DOMAIN HOTEL

408.247.0800

1805 East El Camino Real Sunnyvale, CA 94087

$179 USD + tax (10.565%) June 10-17, 2016

[email protected]

Group Code for the Discounted Room Block

The discounted rate is available 6/10-16/2016 when using the code 1606SHARK.

The Domain Hotel is located in the heart of Silicon Valley, minutes from the San Jose Airport, Santa Clara Convention Center, California’s Great America and Santa Clara Levi’s Stadium. Public spaces welcome guests with an environment to meet, relax, and unwind as well as conduct business. Our hotel has 136 guestrooms and over 9,500 square feet of state-of-the-art meeting and event facilities that will accommodate groups from 10 to 400. The spacious guestrooms offer flat-screen TV’s, large workspaces and high speed internet access, making them suitable for the rigorous workload of the business or leisure traveler. When it’s time to relax, guests can enjoy some sun at our outdoor heated pool & spa, blow off steam in our remodeled fitness studio, or grab a drink and watch the game in our exciting new lobby bar. The Domain also has a dining room serving a full buffet breakfast, dinner and evening room service. The new menus created by our Executive Chef are sure to delight!

Amenities include:

 Complimentary high speed Wi-Fi throughout the hotel  Complimentary parking and daily newspaper

 Complimentary shuttle service to/from local corporate offices, San Jose Airport, and urban transit stations (based on availability within 7 miles)

 Newly expanded fitness center  24 hour business center  New 47” flat-screen TV’s

 Featuring 44 two-queen rooms and 11 suites  iPod docking stations with alarm

 Keurig coffee makers

 Third floor superior guestrooms with private balconies

 Mineta San Jose Airport (SJC): 7.9 miles – estimated driving time is 13 minutes.

 San Francisco International Airport (SFO): 32.7 miles – estimated driving time is 38 minutes.  Oakland International Airport (OAK): 37.9 miles – estimated driving time is 44 minutes.

Cutoff Date for SharkFest Room Rate

The Cut-off Date is May 13, 2016. Any reservation requests made after the Cut-off Date will be accepted subject to room and rate availability.

Cancellation Policy

(12)

Register online at www.wiresharktraining.com/troubleshooting2016.html

10 SHUTTLE SERVICE

• Shuttle service will be available from the Domain Hotel and Maple Tree Inn during this pre-conference class and the SharkFest’16 pre-conference days.

• Shuttle service will accommodate a limited number of riders and is available on a first-come, first-served basis.

• Those wishing to use the free shuttle service must reserve a seat in advance by sending an email request with your hotel reservation confirmation information to [email protected].

CONTACT US

Do you have any questions about this event? Please feel free to contact us directly.

Email: [email protected] Phone: 1 (775) 499-5766 Fax: 1 (775) 499-5770 Wireshark University

59 Damonte Ranch Parkway, #B340 Reno, Nevada USA

Troubleshooting with Wireshark

SharkFest 2016 Pre-Conference Event