Advanced Network / Security Analysis with Wireshark

Duration:

5 Days

Audience:

This course is designed for Networking and Security professionals who need to further enhance their Network Analysis skills through the study of Advanced Network Analysis using Wireshark and other Open-Source Network / Forensic Analysis tools. Successful completion of this course will provide these individuals with a pathway into the field of both Network and Forensics Analysis.

Recommended Course Prerequisites:

It is recommended that attendees to this course complete the previous course, Troubleshooting TCP / IP Networks with Wireshark, or have significant experience and knowledge of Network Analysis using Wireshark. Attendees will be required to bring their own laptop. Information for downloading the required software will be provided at time of enrollment.

Course Description:

Network and Forensics Analysis encompasses the skills of not only capturing data, but also the ability to discern unusual patterns hidden within seemingly normal network traffic. This course will provide the student with a set of investigative and analysis techniques focusing on the use of vendor-neutral, Open-Source Tools such as Wireshark to provide insight into the following areas:

  • Advanced Network and Forensics Analysis methodologies
  • Network performance analysis and Security threat recognition for a variety of network performance issues, network attack and exploit scenarios including network reconnaissance techniques and Bot-Net threat recognition, as well as common user protocol issues including IP-related protocols (IPv4/v6, DHCPv4/v6, TCP/SCTP, DNS/DNSsec, ICMPv4/v6), Email protocols (POP / SMTP / IMAP) and other common Internet-based user protocols (HTTP, VoIP, IRC, IM)
  • Open-Source Network Analysis Tools
  • Specialized Network Forensics Analysis techniques including suspicious data traffic reconstruction and viewing techniques.

Real-World examples will be utilized throughout the course in conjunction with numerous hands-on exercises to provide field-proven, practical Network and Forensics Analysis skills. Attendees will receive a training binder including numerous reference Wireshark trace files and a DVD with networking and forensics tools, as well as a library of Network Forensics Analysis reference documents.

Course Objectives:

As a result of successful completion of this workshop, participants will be able to:

  • Understand the principles of Network and Forensics Analysis and how to apply them
  • Select and configure various Open-Source tools for Network Forensics Analysis to capture and recognize traffic patterns associated with suspicious network behavior
  • Reconstruct User activities such as Emails, file transfer or Web-Browsing for detailed analysis
  • Understand and recognize potential performance and network security infrastructure mis-configurations

Course Outline:

Introduction to Advanced Network Analysis

  • Logistics
  • Network analysis challenges – Data Collection
  • The new protocols – how have the traditional protocol suites changed?
    • Before and After IPV6

Collecting the Data – Data Capture

  • Data Collection
    • Location – How Network Infrastructure Devices Affect Network Analysis
      • Hubs, Switches, Bridges, Routers, Firewalls and CSU / DSU
    • Stealth / Silent Collection of Data – Tips & Techniques
    • WiFi Device Analysis

Network Analysis Methodology

  • Analyzing the 3 Different Network Communication Architectures
  • Analyzing Conversations and Activities
    • Using Expert Systems to Determine Unusual Activity
      • Determining Which Conversations Are Suspect – Analyzing Latency and Throughput to identify suspicious behavior
    • A Sample Network Analysis Methodology
      • 6 Steps for Advanced Network Analysis
    • Diagramming Conversations

Advanced Analysis of Network Applications and User Traffic

  • The Networking Protocols
    • What’s Normal vs. Abnormal – The Role of Baseline Files
    • Building a Baseline Library – Where Do I go to Find Samples?
  • Before and after IPv6 – New Protocols and New Functions
    • Configuration Protocols – DHCP / DHCPv6
      • Structure and Analysis of DHCP vs. DHCPv6
    • Resolving Addresses – DNS / DNSsec
      • Structure and Analysis of DNS / DNSsec
    • Networking Protocols – IPv4 / IPv6
      • Structure and Analysis of IPv4 vs. IPv6
      • IP Options – What’s the Big Deal?
    • Utility Protocols – Internet Control Message Protocol (ICMPv4 / ICMPv6)
      • Structure and Analysis of ICMPv4 vs. ICMPv6
      • Network Analysis Using ICMP – Types and Codes
    • Moving the Data – TCP / SCTP
      • Structure and Advanced Analysis of TCP
      • TCP Options – What’s the Big Deal?
      • Advanced TCP Analysis Using Expert Systems
        • Correcting Data Transmission Problems – Retransmissions – Fast vs. Regular
        • Detecting Problems – Duplicate Acknowledgements
        • Flow Control and TCP Window Scaling
      • TCP is Broken? – Stream Control Transmission Protocol (SCTP)
  • Network Analysis of User Traffic and Common User Protocols
    • Email Applications Using POP / SMTP / IMAP
      • Structure and Analysis of the Email Cloud
    • Web-Based Applications Using HTTP
      • Structure and Analysis of HTTP / HTTPS
        • Unscrambling SSL
      • Response Codes – The Answer to Analyzing HTTP
      • Reassembling and Exporting of Objects
    • Voice over IP (VoIP) Applications
      • Structure and Analysis of the VoIP Protocols
      • Signaling – SIP / MGCP / H.323 / SCCP / Unistim
      • Analyzing VoIP Data – the Codecs
    • Instant Messenger (IM) Applications
      • Structure and Analysis of IM Protocols

I’ve Been Hacked? – Network Forensics Analysis

  • Overview and history of Network Forensics Analysis
    • Answering the key incident questions
    • A Sample Network Forensics Analysis Methodology
  • Forensics Analysis of an Intrusion
    • Scouting out the Target – Network Reconnaissance and Scanning Tools
      • Recognizing Scanning Signatures – NMAP / Retina / Nessus, etc.
      • Using Wireshark to Build ACL Rules
    • Common IP Exploits and Examples of Intrusion Signatures
      • IPv6 Tunnel Attacks – What’s the Big Deal?
    • Common TCP Exploits and Examples of Intrusion Signatures
    • Recognizing and Analyzing Suspicious ICMP Traffic
    • Where do I go from Here?