<span style="font-weight: bold;">Inside Laura's Lab</span><br />A look inside Laura Chappell's protocol analysis lab and ramblings on her conference travels and onsite packet-level life. A bit of humor, a bit of technology - 10 bits in all.<br />By Laura<br /><br /><span style="font-weight: bold;">Filtering OUT Traffic by IP Address - Aaargh!</span> (posted 2010-12-01)<br />Another interesting question was posed at ask.wireshark.org this week - it brings up a topic that I cover in the Wireshark 201: Filtering course (check out the schedule to catch the next free seminar on this topic).<br /><br /><span style="font-weight: bold;">The Question from ActualRandy</span><br /><span style="font-style: italic;">I want to see results where neither the destination nor the source is the specified address; here is my filter.</span> <span style="font-style: italic;font-family:courier new;">ip.src != 192.168.1.119 && ip.dst != 192.168.1.119</span> <span style="font-style: italic;">To my surprise, it returns some results with that IP, such as this one:</span> <span style="font-style: italic;font-family:courier new;">157 238.065591 192.168.1.1 192.168.1.119 ICMP Destination unreachable (Port unreachable)</span> <span style="font-style: italic;">The destination on this result is clearly one the filter should have blocked. What's up?</span><br /><br /><span style="font-weight: bold;">The Quick Answer</span><br />Avoid the use of <span style="font-family:courier new;">!=</span> when filtering OUT IP address traffic. 
Instead use this filter:<br /><br /><span style="font-family:courier new;">!ip.addr == 192.168.1.119</span><br /><br /><span style="font-weight: bold;">The Long Answer</span><br />Sake Blok spent a bit more time explaining what was going on here. First of all - let's talk about the problem with a filter beginning with <span style="font-family:courier new;">ip.src !=</span>.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBSA-9_LCUH41Eip1XRGlScYotv9TXSjyHffMfHWJjUuVtRGPWgXp1U24cUmcmkzHlN6wWOuadbgG2aFrx1aWE9yVhAUB8VQc9Ty4U0xidQBgvFUP_kPgoPDgTLpJQffHjjU8MTIVNng0/s1600/120110-ipaddr.jpg"><img style="float: left; margin: 0pt 10px 10px 0pt; cursor: pointer; width: 385px; height: 173px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBSA-9_LCUH41Eip1XRGlScYotv9TXSjyHffMfHWJjUuVtRGPWgXp1U24cUmcmkzHlN6wWOuadbgG2aFrx1aWE9yVhAUB8VQc9Ty4U0xidQBgvFUP_kPgoPDgTLpJQffHjjU8MTIVNng0/s400/120110-ipaddr.jpg" alt="" id="BLOGGER_PHOTO_ID_5544376881536443746" border="0" /></a><br /><br />As you can see from the image above, Wireshark turned the display filter area yellow to indicate something is wrong. If you hover over the field, a tooltip explains that the filter may not work as desired.<br /><br />Here's the first issue with this type of filter. An IP header has two IP address fields - the source IP address field and the destination IP address field. This filter looks in the IP source address field first. If that field doesn't contain 24.4.7.217 - yippie! - the filter matches and the packet will be displayed. If the IP destination address field contains 24.4.7.217, the packet will be displayed as well. 
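Here is an added Python model (not from the post and not Wireshark code) of the display-filter semantics behind both problems: a comparison such as ip.src != X is true when ANY occurrence of that field in the packet satisfies it, so a packet carrying two IP headers (the ICMP error case the post goes on to describe) slips through, while !ip.addr == X negates the whole test. The hosts and packets are constructed.

```python
"""Model of how a 2010-era Wireshark display filter treats fields that occur
more than once in a packet. Added example, not code from the post or from
Wireshark. A packet is a dict: field name -> every occurrence of the field.
"""
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, List[str]]
Filter = Callable[[Packet], bool]


def dissect(outer_src: str, outer_dst: str,
            inner: Optional[Tuple[str, str]] = None) -> Packet:
    """Field table for an IPv4 packet. `inner` is the (src, dst) of the
    original IP header quoted inside an ICMP error (the "two-headed packet"):
    its addresses become extra occurrences of ip.src, ip.dst and ip.addr."""
    srcs, dsts = [outer_src], [outer_dst]
    if inner is not None:
        srcs.append(inner[0])
        dsts.append(inner[1])
    return {"ip.src": srcs, "ip.dst": dsts, "ip.addr": srcs + dsts}


# A comparison is evaluated against EVERY occurrence of the field and the
# packet matches if any one occurrence satisfies it - for == and for != alike.
def eq(name: str, value: str) -> Filter:
    return lambda pkt: any(v == value for v in pkt.get(name, []))


def ne(name: str, value: str) -> Filter:
    return lambda pkt: any(v != value for v in pkt.get(name, []))


def not_(f: Filter) -> Filter:
    return lambda pkt: not f(pkt)


def and_(a: Filter, b: Filter) -> Filter:
    return lambda pkt: a(pkt) and b(pkt)


HOST = "192.168.1.119"   # the address ActualRandy wanted to exclude

# ip.addr != HOST : the "first issue" - one non-matching occurrence is enough
ADDR_NE = ne("ip.addr", HOST)
# ip.src != HOST && ip.dst != HOST : ActualRandy's filter
SRC_NE_AND_DST_NE = and_(ne("ip.src", HOST), ne("ip.dst", HOST))
# !ip.addr == HOST : the recommended form
NOT_ADDR_EQ = not_(eq("ip.addr", HOST))

# Constructed packets (not from a real capture)
SAMPLE: List[Tuple[str, Packet]] = [
    ("data from host", dissect(HOST, "192.168.1.1")),
    ("data to host", dissect("192.168.1.1", HOST)),
    ("unrelated", dissect("10.0.0.5", "10.0.0.9")),
    # Frame 157 from the question: ICMP port unreachable from the router to
    # the host, quoting the host's own datagram (host -> router) inside it.
    ("icmp unreachable", dissect("192.168.1.1", HOST, inner=(HOST, "192.168.1.1"))),
]


def displayed(filt: Filter, packets=SAMPLE) -> List[str]:
    """Labels of the packets the filter would leave in the Packet List."""
    return [label for label, pkt in packets if filt(pkt)]


if __name__ == "__main__":
    for name, filt in [("ip.addr != H", ADDR_NE),
                       ("ip.src != H && ip.dst != H", SRC_NE_AND_DST_NE),
                       ("!ip.addr == H", NOT_ADDR_EQ)]:
        print(f"{name:28} -> {displayed(filt)}")
```

Newer Wireshark releases changed what != means on such multi-occurrence fields; the model reproduces the behaviour the post describes.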
It's frustrating.<br /><br />Here's a version of the chart contained in Chapter 9 of the Wireshark Network Analysis book:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpzcQ90vda7RDmsK8uqhFQEY3pL26wl4vGuIQ-AwgIW5KyBEM2bX-Bzh_s784kqQZuZMJ42F9nxWfjF7Pa0G_Q2lsxcN8eGF3jr1txknRxC3VZAoPbTKQcWGmTlDAUWwxQEC7Ami-Y31Q/s1600/120110-ipaddr2.jpg"><img style="cursor: pointer; width: 386px; height: 124px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpzcQ90vda7RDmsK8uqhFQEY3pL26wl4vGuIQ-AwgIW5KyBEM2bX-Bzh_s784kqQZuZMJ42F9nxWfjF7Pa0G_Q2lsxcN8eGF3jr1txknRxC3VZAoPbTKQcWGmTlDAUWwxQEC7Ami-Y31Q/s400/120110-ipaddr2.jpg" alt="" id="BLOGGER_PHOTO_ID_5544377196683083218" border="0" /></a><br /><br />Here's the second issue that ActualRandy hit - his filter displayed an ICMP packet. Sake explained this quite eloquently at ask.wireshark.org. Numerous ICMP packets are what I call "two-headed packets" - they contain two IP headers - the true IP header and another IP header in the ICMP portion of the packet.<br /><br />Using the simple <span style="font-family:courier new;">!ip.addr==192.168.1.119</span> addresses both issues and works like a charm.<br /><br />Enjoy!<br /><br />Laura<div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div><br /><br /><span style="font-weight: bold;">Window Updates Not From Microsoft</span> (posted 2010-11-17)<br />The topic of Window Update packets surfaced at ask.wireshark.org recently.<br /><br />'Is it normal to see tcp window update packet (tcp.analysis.flags as a filter) for EVERY get/post request from a client workstation on the same LAN?'<br /><br />The answer is... maybe. 
First let's talk about the infamous Window Update designation in Wireshark.<br /><br />As TCP data packets arrive, their data is placed in the TCP receive buffer space until an application pulls that data out. If the application is sluggish at pulling the data out, the available TCP receive buffer space begins to decrease. This is seen in every ACK packet sent by the host that is receiving data.<br /><br />Wireshark doesn't alert you to the shrinking TCP window size or any window size problems until a host gets down to a window size of zero. Then Wireshark screams that there is a Window Zero condition.<br /><br />After an application picks up data from the TCP receive buffer there is more space available and the receiving host increases the Window Size field value in its next packet. THIS is what triggers Wireshark to mark the packet as a Window Update packet. It's a good thing.<br /><br />The Wireshark Expert Infos window Chats tab is where the Window Update notices are displayed. They've moved from the more alarming Warnings or even Notes section to this boring location.<br /><br />How can you quickly find if you have Window Update packets in your trace file? Apply a display filter for <span style="font-family:courier new;">expert.message=="Window update"</span> (watch the capitalization here). It's a simple and elegant color filter.<br /><br />If you have the Wireshark Network Analysis book, check out Chapter 13, Wireshark's Expert System, for a definition of all the TCP expert notifications.<br /><br />Now what about seeing a TCP Window Update packet for EVERY GET/POST request from a client workstation on the same LAN? Well - it simply means that the HTTP application is pulling the data out at the time a GET/POST is issued. Is that a problem? Nope. Is it normal? 
Nope - but hey - it's not a Window Zero issue and there's still buffer space available!<br /><br />Enjoy!<br /><br />Laura<div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div><br /><br /><span style="font-weight: bold;">Extract Fields with Tshark</span> (posted 2010-10-28)<br />An interesting question appeared at <a href="http://ask.wireshark.org/">ask.wireshark.org</a> this week – “How can I run Wireshark from the command line to open a file, and output a file containing only the UDP length of every DNS packet?”<br /><br />It’s an interesting question because folks often overlook (a) capturing traffic with Tshark and (b) using the <span style="font-family:courier new;">-T</span> parameter to pull field information.<br /><br />The answer was provided by skypemesm:<br /><br /><span style="font-family:courier new;">tshark -R 'dns' -r abc.pcap -T fields -e udp.length</span><br /><br /><span style="font-family:courier new;">-R 'dns'</span> - applies a DNS display filter to the trace file<br /><br /><span style="font-family:courier new;">-r abc.pcap</span> - opens the abc.pcap file using Tshark<br /><br /><span style="font-family:courier new;">-T fields</span> - indicates we are pulling field contents (default format: text)<br /><br /><span style="font-family:courier new;">-e udp.length</span> - tells Tshark to pull the value of the udp.length field<br /><br />The results of this type of operation print on the screen.<br /><br />What if you want to pull this information from a live capture?<br /><br />Ok - you have to watch out here since Bug 2234 restricts us from using a display filter during a live capture in Tshark. Sigh. 
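As an added example (not from the post and not Wireshark code), the following Python reimplements the file-based one-liner above offline: it reads a pcap, keeps IPv4/UDP packets to or from port 53 (the DNS dissector's port, standing in for the 'dns' display filter) and returns each packet's UDP Length header field, which is what -e udp.length pulls. The capture it reads is constructed in the script.

```python
"""Offline stand-in for `tshark -r abc.pcap -R 'dns' -T fields -e udp.length`.

Added example, not from the post or from Wireshark: a minimal pcap reader that
walks Ethernet/IPv4/UDP and returns the UDP Length header field of every
packet to or from port 53. Only LINKTYPE_ETHERNET, untagged frames and
IPv4/UDP are handled; anything else is skipped, as the 'dns' filter would skip it.
"""
import struct
from typing import List, Optional

PCAP_MAGIC = 0xA1B2C3D4          # classic microsecond-resolution pcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IPPROTO_TCP = 6
DNS_PORT = 53


def dns_udp_length(frame: bytes) -> Optional[int]:
    """Return the UDP Length field if the frame is IPv4/UDP to or from port 53."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                  # header length in bytes, options included
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    sport, dport, udp_len = struct.unpack("!HHH", ip[ihl:ihl + 6])
    if DNS_PORT not in (sport, dport):
        return None
    return udp_len                            # this is the udp.length field value


def udp_lengths_of_dns(pcap: bytes) -> List[int]:
    """Walk a pcap file and collect udp.length for every DNS packet, in order."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                 # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack(endian + "I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    lengths, off = [], 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < incl_len:             # truncated capture file: stop cleanly
            break
        udp_len = dns_udp_length(frame)
        if udp_len is not None:
            lengths.append(udp_len)
    return lengths


# --- constructed sample capture (not real traffic) ---------------------------
def _frame(proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4 frame; the 8-byte transport header is UDP-shaped and the
    IP protocol number decides whether the parser treats it as UDP or skips it."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    return eth + ip + l4


def _pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", 1291242000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs


SAMPLE_PCAP = _pcap([
    _frame(IPPROTO_UDP, 53555, 53, bytes(33)),   # DNS query, 33-byte payload -> udp.length 41
    _frame(IPPROTO_UDP, 53, 53555, bytes(49)),   # DNS response -> 57
    _frame(IPPROTO_UDP, 123, 123, bytes(48)),    # NTP: not port 53, filtered out
    _frame(IPPROTO_TCP, 40000, 80, bytes(20)),   # TCP: not UDP, filtered out
])

if __name__ == "__main__":
    for length in udp_lengths_of_dns(SAMPLE_PCAP):
        print(length)                            # one value per line, like -T fields output
```

The live-capture variant the post turns to next extracts the same field; only the way packets are selected changes.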
We'll use a capture filter instead.<br /><br /><span style="font-family:courier new;">tshark -T fields -e udp.length -f "port 53" > udplength.txt</span><br /><br />In this case we are still pulling out the UDP length field values, but we've defined a capture filter for traffic to/from port 53 and redirected the output to a text file.<br /><br />What else can you do? Well - you can use the <span style="font-family:courier new;">-a</span> parameter to define an autostop condition or the <span style="font-family:courier new;">-c</span> parameter to define the number of packets to capture.<br /><br /><strong>All Access Pass Members</strong>: The Tshark Command-Line Capture course is released on the new portal. I just added a section on the use of <span style="font-family:courier new;">-T/-e</span> parameters after writing this blog. You should have received an email with your login instructions. If you didn't - send an email to <a href="mailto:info@chappellU.com">info@chappellU.com</a>.<br /><br />Not an All Access Pass member? Jeepers - the price was just lowered so now is the time to sign up for one-year of online training at <a href="http://www.chappellu.com/">http://www.chappellu.com/</a>.<div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div><br /><br /><span style="font-weight: bold;">Kindle Version Released!</span> (posted 2010-10-12)<br /><span style="font-weight: bold;font-size:130%;" >Kindle! Kindle! 
Kindle!</span><br /><br />I've received lots of emails/queries lately asking if the Wireshark Study Guide and Exam Prep Guide will be available in Kindle formats.<br /><br />Well, the answer is no and yes and maybe.<br /><br /><span style="font-weight: bold;">Yes</span> - the Wireshark Certification Official Exam Prep Guide is now available on the Kindle (click to view Amazon page) - don't forget to download the Answer Sheets (PDF) over at www.wiresharkbook.com/epg as well. We had to get this book into eBook format as the enclosed CD was really limiting international distribution capabilities. All the practice exam questions on the CD are in the Kindle version of the book so you're not losing anything except the quiz engine to practice with.<br /><br /><span style="font-weight: bold;">No</span> - the Study Guide (800-pager) is not available in Kindle format... yet. After reviewing a slew of technical books in Kindle format it has become abundantly clear that some books just look like garbage on the Kindle. The formatting is limited enough to make some images unreadable and tables a complete nightmare. Ok, ok... some limitations are mostly evident on the itty bitty Kindle (can we call it a Kindlette?). We purchased the big Kindle for the office to play around a bit more with the formatting and I ordered an iPad (just for research purposes, of course) - so this leads me to...<br /><br /><span style="font-weight: bold;">Maybe</span> - If we can survive the Kindle conversion nightmare that we've been living in for the past two weeks and tackle the hundreds of pages of reformatting required, then perhaps the Study Guide will make it to an eBook format. A simple look at the <span style="font-style: italic;">Mastering Windows Server 2008</span> Kindle edition by Mark Minasi really turned me off the idea of putting the Study Guide on the Kindle. It should be sold with a magnifying glass! 
Even if you enlarge the font, the graphic image is unreadable - granted, this was viewed on my Kindlette.<br /><br />Thanks to all of you who have offered ideas and assistance on getting the Exam Prep Guide through Amazon's formatting and the MobiCreator product. If you have additional ideas or feedback, send them to us at info@chappellseminars.com.<br /><br />Remember to check out the Wireshark Certified Network Analyst program at www.wiresharktraining.com/certification!<br /><br />Enjoy!<br /><br />Laura<div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div><br /><br /><span style="font-weight: bold;">Bot-Infected?</span> (posted 2010-10-05)<br /><span class="text"><span style="color:#333333;"><span style="LINE-HEIGHT: 15px;font-family:arial;" >Unless you've been living under a rock (or playing the new Halo non-stop), you likely have heard of the FBI nabbing 100+ in a global cybercrime ring.<br /><br />You'll notice mention of Zeus. Zeus is financial malware - in essence, it listens to your online banking sessions and sends them to a scumbag server (SS). Now if you do a little research, you'll find that Zeus is currently listed as the #1 botnet by some folks (</span></span><a href="http://www.trusteer.com/" target="_blank"><span style="LINE-HEIGHT: 15px;font-family:arial;" >Trusteer</span></a><span style="color:#333333;"><span style="LINE-HEIGHT: 15px;font-family:arial;" >). Many virus detection tools miss Zeus altogether. (I'm not surprised by that at all - I have a kitchen strainer that does a better job than some of the VDS options out there.)<br /><br />You could watch the conversation information and do some GeoIP mapping in Wireshark, but that might not be the best option (Gasp! Did I really say that? Yes.) 
Check out BotHunter (from my old employer, SRI International - yup - I was a waitress in the Executive Dining Room at the time when my peers were taking Latin and World History in their senior year of high school - another story for another time).<br /><br />BotHunter basically monitors conversations with an awareness of your trusted network (you define that during the setup) while using Snort's event generation engine to report suspect behavior. It's an interesting tool to play with - in addition, check out </span></span><a href="http://www.bothunter.net/live/2010-10-04/index.html"><span style="LINE-HEIGHT: 15px;font-family:arial;" >http://www.bothunter.net/live/2010-10-04/index.html</span></a><span style="color:#333333;"><span style="LINE-HEIGHT: 15px;font-family:arial;" > to view the BotHunter Internet Monitor page. BotHunter automatically grabs the latest C&C server list, malware DNS list, Russian Business Network address space and malicious backdoor/control ports from the SRI repository. The BotHunter repository service enables your "fielded BotHunter" to report infection profiles anonymously.<br /><br />It's an interesting and FREE product to help you battle bot-infected hosts. 
If you haven't had a chance to analyze the traffic to/from a bot-infected host - check out the sec-sickclient.pcap file over in the trace files available at </span></span><a href="http://www.wiresharkbook.com/" target="_blank"><span style="LINE-HEIGHT: 15px;font-family:arial;" >www.wiresharkbook.com</span></a><span style="color:#333333;"><span style="LINE-HEIGHT: 15px;font-family:arial;" >.<br /><br /><b>Interesting Links:</b><br /></span></span><a href="http://thepcsecurity.com/latest-security-software-cannot-detect-zeus-virus/" target="_blank"><span style="LINE-HEIGHT: 15px;font-family:arial;" >http://thepcsecurity.com/latest-security-software-cannot-detect-zeus-virus/</span></a><br /><a href="http://www.bbc.co.uk/news/world-us-canada-11457611" target="_blank"><span style="LINE-HEIGHT: 15px;font-family:arial;" >http://www.bbc.co.uk/news/world-us-canada-11457611</span></a><br /><a href="http://www.thecyberjungle.com/listen.php" target="_blank"><span style="LINE-HEIGHT: 15px;font-family:arial;" >http://www.TheCyberJungle.com/listen.php</span></a><br /><br /><span style="color:#333333;"><span style="LINE-HEIGHT: 15px;font-family:arial;" >Remember to check out the Wireshark Certified Network Analyst program at </span></span><a href="http://www.wiresharktraining.com/certification"><span style="color:#333333;"><span style="LINE-HEIGHT: 15px;font-family:arial;" >www.wiresharktraining.com/certification</span></span></a><span style="color:#333333;"><span style="LINE-HEIGHT: 15px;font-family:arial;" >!<br /><br />Enjoy!<br /><br /></span></span><i><span style="color:#333333;"><span style="LINE-HEIGHT: 15px;font-family:arial;" >Laura<br /><br />p.s. Thanks to everyone who suggested "back fixes" - it's healing nicely so far.</span></span></i></span><div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div><br /><br /><span style="font-weight: bold;">Blogging through Muscle "Sapams"</span> (posted 2010-09-29)<br />After 5 days of working up every excuse possible to avoid the dreaded doctor, I finally caved in when I dropped an AirPcap adapter and couldn't pick it up - yup - I'd ripped up my back somehow. The pain was incredible - just imagine - no monitor mode capability, no 802.11 headers, no multi-channel aggregation... it was a nightmare.<br /><br />My doc prescribed numerous meds including one to take "as needed for muscle sapam." After receiving the obligatory lecture on "don't drive or operate heavy equipment with these medicines" (does a Cisco Nexus box count?), I whimpered home and told my family I would be "a little loopy" this weekend. If I hadn't already taken some of these medications, I would have immediately raced my two teens to the doctor for treatment for eye-rolling - it's a strange and erratic affliction that plagues so many teens.<br /><br />I figured the perfect time to start working on this week's blog would be while cozying up on the couch waiting for the pain to subside with these new meds. This morning, however, I reviewed the numerous medically-induced blogs I whipped out while semi-comatose this past weekend.<br /><br />I realize one thing now - DON'T MEDICATE AND BLOG.<br /><br />Here are the titles of a few of the blogs I'd spewed out while numb.<br /><br />* Should Pot be Legalized in Farmville? 
Since I'm from California and the issue of legalizing pot is almost recommended Kindergarten fare, I wondered about adding pot farms in Farmville. What would the reaction be? If met with heavy opposition perhaps Hempville would be more open to the issue.<br /><br />* Put Audio Triggers into Wireshark - I did skulk around a bit on ask.wireshark.org, but had such a tough time typing Wiershark and TPCIP... almost hit "Submit" on an idea to add audio to the Expert Infos Composite function. Imagine importing the "Star Trek Audio Set" and hearing "Damn it, Jim... I'm just a doctor" each time a packet was lost or "Live long and prosper" for each retransmission. There's a loose reference to my old "Amazon Rain Forest" exercise I used with a NetScanTools Pro class...<br /><br />* Intel - Do the Right Thing - Add an "A" to McAfee. This blog was rather short - simply suggesting that Intel's first move after acquiring McAfee should be to add that friggin' "a" to make it MacAfee - we all pronounce it that way already - c'mon - think of your customers here. There was a bit of a side-ramble regarding their Vegas conference in October featuring Bill Clinton and some crazy off-beat reference to strip clubs too.<br /><br />Well... perhaps you can tell I'm not off the meds yet - my mind is wandering ... and I hope it comes back sometime.<br /><br />So I apologize now if you've asked me a technical question, reached out for advice or pinged me with a thought... 
I've been busy controlling my "muscle sapams".<br /><br />Remember to check out the Wireshark Certified Network Analyst program at www.wiresharktraining.com/certification!<br /><br />Enjoy!<br /><br />Laura<div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div><br /><br /><span style="font-weight: bold;">ask.wireshark.org is Here!</span> (posted 2010-09-22)<br />It's not a forum... it's a Q&A site!<br /><br />Last week Gerald announced ask.wireshark.org on his blog. The site is based on OSQA (an open source Q&A solution).<br /><br />I've been playing around on ask.wireshark.org and it's pretty interesting to read the variety of questions that have been posted. Just what I need - something else to keep me awake at night! Sigh.<br /><br /><span style="FONT-WEIGHT: bold">Go Ahead - Ask a Question</span><br />You can read the Q&A FAQ ("sweet baby corn cob?"), but here's the basic flow for using ask.wireshark.org:<br /><br />1. Sign up for a free account at ask.wireshark.org.<br />2. Click "ask a question." Be as clear and complete as possible with your question. If someone doesn't understand or wants more facts, they can comment on your question.<br />3. You can add details by commenting on your own question as well.<br />4. When your question gets answered you will receive an email notification (this is a setting you can change in Users > User Tools > Autosubscribe me to).<br />5. Now here's the important part -<br />a. If the answer solved the issue, mark it "answered."<br />b. 
If someone asks for more information, please comment to provide it.<br /><br />Marking questions answered ensures that only truly unanswered questions show up when you click the Unanswered tab.<br /><br /><span style="FONT-WEIGHT: bold">Do We Need Those Stinkin' Badges?</span><br />Click on the Badges tab to see the various badges you can earn (and how many times they have been awarded since the launch of ask.wireshark.org) by being an active, contributing member.<br /><br /><span style="FONT-WEIGHT: bold">Pick Up Some Great Tips</span><br />By reading through some of the questions/answers at ask.wireshark.org, you can learn:<br /><br />* How to create an offset filter for Ethernet packets<br />* How to display all TCP connections with SYN packets<br />* The cause of SMB STATUS_ACCESS_DENIED packets<br />* How checksum errors can become a red herring in troubleshooting<br /><br />I remember the old CompuServe NetWire days - it's fun to get active online again.<br /><br />See you there!<br /><br />Remember to check out the Wireshark Certified Network Analyst program at www.wiresharktraining.com/certification!<br /><br />Enjoy!<br /><br />Laura<div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div><br /><br /><span style="font-weight: bold;">Troubleshooting with Coloring Rules</span> (posted 2010-09-15)<br />Wireshark contains an Expert system (click that colored button in the lower left corner on the status bar) which highlights packets of concern. There are many network issues that the Expert system does not detect, however. Consider creating a custom profile that contains a set of "butt ugly" coloring rules to call your attention to potential performance issues.<br /><br />Some of my favorite troubleshooting coloring rules look for protocol anomalies, error responses and high delta times. 
Other coloring rules focus on packets that may hint at (or scream about) security issues.<br /><br />Here's a list of some of the coloring rules I will cover in the October 19th webinar:<br /><br />* High delta times in displayed packets: When you filter on a conversation, look for sudden increases in delta times, but watch out for moments when user intervention is required to send the next packets - users are slow.<br /><br />* 4 NOPs in the TCP Options Area: I've covered this over at the Wireshark Tips page - you just never want to see this one.<br /><br />* HTTP Error Codes: Any HTTP response code higher than 299 indicates either a client error or server error.<br /><br />* Small TCP Window Size Values: Even if the Window Size field isn't at 0, a low value can totally stop a data transfer process. Wireshark's Expert won't catch packets with a Window size of 50 - it will just catch a Window Size of 0.<br /><br />In the webinar we will also talk about using "butt uglies" - colors that you detest - to call attention to the performance problems indicated in a trace file.<br /><br />It will be a full webinar (with a maximum of 1,000 seats), so register early and arrive early to the session. 
The recorded version will only be available to the All Access Pass members.<br /><br />Remember to check out the Wireshark Certified Network Analyst program at www.wiresharktraining.com/certification!<br /><br />Enjoy!<br /><br />Laura<div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div><br /><br /><span style="font-weight: bold;">Analyzing HUGE Packets - TSO/LRO</span> (posted 2010-09-07)<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht3_wp8vjyXfqfoCyN0RBzHC5yfDoQanv-zAjZ93KYgAW2wmiKWEvdQOPdX2Xm0CY2GgFYRbvLATzLjhcq4iwaZwQe6Q6UrxtfE9WvLCeA1wehCxKwJrwnv78h68DOdbb45DOG5oap_c0/s1600/bigframe.png"><img style="float: left; margin: 0pt 10px 10px 0pt; cursor: pointer; width: 375px; height: 199px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht3_wp8vjyXfqfoCyN0RBzHC5yfDoQanv-zAjZ93KYgAW2wmiKWEvdQOPdX2Xm0CY2GgFYRbvLATzLjhcq4iwaZwQe6Q6UrxtfE9WvLCeA1wehCxKwJrwnv78h68DOdbb45DOG5oap_c0/s400/bigframe.png" alt="" id="BLOGGER_PHOTO_ID_5514006675454066930" border="0" /></a>Recently I received a trace file from a customer having performance problems. One of the issues in the trace file was a series of packets with large length values such as 32,885 or 35,094 or 61,557.<br /><br />I've been seeing this characteristic more and more often when analyzing trace files.<br /><br />This is not a situation of jumbo frames.<br /><br />This is a situation called TCP Segmentation Offload (or TSO)/Large Receive Offload (LRO).<br /><br />TSO/LRO are hardware functions. A host with TSO-enabled hardware sends TCP data to the NIC without segmenting the data in software. The NIC will perform TCP segmentation. NICs supporting LRO receive packets and reassemble them before passing the data on to the local software. 
<br /><br />When Wireshark is loaded and capturing on a system that performs TSO/LRO, Wireshark may show you these really large frames - it's not lying - that is the size of the frame before segmentation has occurred (in the case of outbound packets handled with TSO) or after reassembly has occurred (in the case of inbound packets handled with LRO).<br /><br />If you want to see the packets as they actually look when traversing the network - capture them at a location along the path using an FDX tap or port spanning/monitoring. The frames should then be the standard size.<br /><br />Remember to check out the Wireshark Certified Network Analyst program at www.wiresharktraining.com/certification!<br /><br />Enjoy!<br /><br />Laura<div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div><br /><br /><span style="font-weight: bold;">Hiding Columns in the New Wireshark 1.4.0!</span> (posted 2010-09-02)<br /><span style="font-weight: bold;">Resources:</span><br />Wireshark version 1.4.0 download - www.wireshark.org/download.html<br />Wireshark Certified Network Analyst - www.wiresharktraining.com/certification<br />Wireshark Network Analysis Study Guide - www.wiresharkbook.com<br />Wireshark Certification Exam Prep Guide - www.wiresharkbook.com/epg<br /><br />Register for the free Wireshark 201 Filtering Webinar on September 8, 10am-11am PDT - www.chappellseminars.com/s-wireshark201.html<br />-----<br /><br />This week we had over 800 people register for the free Wireshark 101 Jumpstart online course. You can download the handouts and review the topics covered.<br /><br />During the webinar I focused on some of the cool new features of Wireshark version 1.4.0. 
One of my favorite new features - Apply As Column - has even gotten better than it was in the release candidate versions!<br /><br />At Sharkfest 2010, I was showing the new Apply As Column feature to the audience. Gerald Combs, creator of Wireshark, was in that audience.<br /><br />Simply right click on a field in a packet and choose Apply As Column to add that field as a column in the Packet List pane. My favorite fields to add are:<br /><br /> * TCP Window Size field<br /> * TCP Sequence Number field<br /> * TCP Acknowledgment Number field<br /> * IP Time to Live field<br /> * 802.11 Channel/Frequency field (from a RadioTap or PPI header)<br /><br />During that presentation I mentioned how fabulous it would be if I could temporarily hide one of the new columns then quickly enable it again later.<br /><br /><span style="color: rgb(204, 102, 0);font-size:130%;" ><span style="font-weight: bold;">Try it Yourself</span></span><br /><br /><span style="font-weight: bold;">Step 1</span><br />Download and extract all the book supplements (available online at www.wiresharkbook.com/downloads.html).<br /><br /><span style="font-weight: bold;">Step 2</span><br />In Wireshark version 1.4.0, open the trace file called http-download-bad.pcap. This trace file contains the traffic of someone connecting to a web server and downloading a file. The performance stinks.<br /><br /><span style="font-weight: bold;">Step 3</span><br />Expand the TCP header in packet #1 and right-click on the Window Size field (near the end of the TCP header). Select Apply As Column. Your new Window Size column appears in the Packet List pane.<br /><br /><span style="font-weight: bold;">Step 4</span><br />Right click on the new Window Size column and select Rename Column Title... 
- change the name to WinSize.<br /><br /><span style="font-weight: bold;">Step 5</span><br />Now click the new WinSize column twice to see the Window Size field values lowest to highest - do you see the "Window Zero" condition in the trace file? What is the IP address of the host that states it has no receive buffer space (indicated by a Window Size of 0)? Yup - that would be the problem with the file download process!<br /><br /><span style="font-weight: bold;">Step 6</span><br />Let's say you don't always want to see that column though. Simply right click on the WinSize column heading and select Hide Column. When you want to see it again, just right click on any column heading and select Displayed Columns. Sweet!<br /><br />Thanks Gerald and the Wireshark development team! This is a great addition!<br /><br />Enjoy!<br />Laura<div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div><br /><br /><span style="font-weight: bold;">Official Exam Prep Guide Hits Amazon!</span> (posted 2010-08-19)<br /><span class="text"><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Visit </span></span><a href="http://www.wiresharkbook.com/epg" target="_blank"><span style="font-size: 12px; line-height: 15px;">www.wiresharkbook.com/epg</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;"> to see sample pages.<br />Visit the </span></span><a href="http://www.amazon.com/gp/offer-listing/1893939987/ref=dp_olp_0?ie=UTF8&redirect=true&condition=all" target="_blank"><span style="font-size: 12px; line-height: 15px;">Amazon Marketplace page</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;"> to purchase.<br />---------------------------------------------------------------------------------------------------------------<br /><br />It's been a busy time teaching webinars covering the Wireshark Certified Network Analyst Exam and then the Exam Prep Guide being released (earlier than expected) on Amazon.<br /><br />Watch the recorded Wireshark Certified Network Analyst video at </span></span><a href="http://www.wiresharktraining.com/certification" target="_blank"><span style="font-size: 12px; line-height: 15px;">www.wiresharktraining.com/certification</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">.<br /><br />The new Exam Prep Guide is designed to help you evaluate your readiness to take the Wireshark Certified Network Analyst (WCNA) Exam.<br /><br />Thanks to all of our reviewers and good luck to all of you who have registered to take the Exam at </span></span><a href="http://www.webassessor.com/pai" target="_blank"><span style="font-size: 12px; line-height: 15px;">www.webassessor.com/pai</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">!<br /><br />Laura Chappell<br />---------------------------------------------------------------------------------------------------------------<br />For more information and to download the Exam Information Pack, visit </span></span><a href="http://www.wiresharktraining.com/certification"><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">www.wiresharktraining.com/certification</span></span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">.</span></span></span><div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div><br /><br /><span style="font-weight: bold;">Wireshark Certification Exam is Released!</span> (posted 2010-08-11)<br /><span class="text"><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Download the </span></span><a href="http://www.chappellseminars.com/files/wsucertinfopk11Aug10.pdf" target="_blank"><span style="font-size: 12px; line-height: 15px;">Exam Information Pack</span></a><br /><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Download the </span></span><a href="http://www.chappellseminars.com/files/wcna_scheduleexam081110.pdf" target="_blank"><span style="font-size: 12px; line-height: 15px;">Step-by-Step Registration Information Pack</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">.<br /><br /></span></span><a href="http://www.chappellseminars.com/s-wcna.html"><span style="font-size: 12px; line-height: 15px;">Register</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;"> - Free webinar: </span></span><b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Become a Wireshark Certified Network Analyst</span></span></b><br /><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">---------------------------------------------------------------------------------------------------------------<br /><br />I am thrilled to announce that the Wireshark Certified Network Analyst Exam is </span></span><b><span style="color:#990000;"><span style="font-size: 12px; line-height: 15px;">NOW AVAILABLE!</span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;"> The Exam is available globally in a proctored format through Kryterion. 
Currently the Exam is only available in English.<br /><br /></span></span><b><i><span style="font-size:100%;color:#333333;"><span style="font-size: 16px; line-height: 19px;">The Wireshark Certification Exam was designed to confirm <br />individual competencies in using Wireshark to locate the <br />cause of network problems (poor performance or security-<br />related) and confirm your knowledge of TCP/IP network <br />communications in general.<br /><br /></span></span></i></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">The Exam is based on the thirty-three areas of study defined in the Exam Focus <br />and Content section of this document. The four primary areas covered in this <br />Exam are:<br /><br /></span></span><ul style="padding: 0pt; margin: 0px 0px 0px 40px;"><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">Wireshark Functionality</span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">TCP/IP Network Communications</span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">Network Troubleshooting</span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">Network 
Security</span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li></ul><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;"><br />To earn the Wireshark Certified Network Analyst status, you must pass a single <br />exam—the WCNA-100x Exam (version 100.1 is the current version).<br /><br /></span></span><b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Register for the Exam<br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">The Wireshark Certified Network Analyst Exam is available at hundreds of testing <br />centers around the world. You can take your Exam at a KRYTERION High-stake <br />Online Secure Testing (HOST) location near you. To locate a local testing center, <br />visit </span></span><a bitly="BITLY_PROCESSED" href="http://www.kryteriononline.com/host_locations" target="_blank"><span style="font-size: 12px; line-height: 15px;">www.kryteriononline.com/host_locations</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">.<br /><br />The Wireshark Certified Network Analyst Exam is a closed-book Exam consisting <br />of 100 questions. The Exam time limit is 2 hours (120 minutes). Exam questions <br />are in true/false or multiple choice format (there is only one correct answer for <br />each multiple choice question). Many of the questions include a Wireshark <br />screen image.<br /><br /></span></span><b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Exam Pricing<br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">The Wireshark Certified Network Analyst Exam cost is USD 299. 
The Wireshark <br />Certified Network Analyst Exam Practice Exam (online) cost is USD 29.<br /><br /></span></span><b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Pass/Fail Grading<br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">The Wireshark Certified Network Analyst Exam is graded on a pass/fail basis. <br />Passing scores are set by using statistical analysis. At the completion of the <br />Exam, Candidates receive a score report along with a score breakout by Exam <br />section.<br /><br /></span></span><b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">How to Register for Your Exam<br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Register for the proctored Wireshark Certified Network Analyst Exam online at <br /></span></span><a bitly="BITLY_PROCESSED" href="http://www.webassessor.com/pai" target="_blank"><span style="font-size: 12px; line-height: 15px;">www.webassessor.com/pai</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">.<br /><br />Step-by-step Exam Registration instructions and complete Exam Preparation <br />recommendations are available at </span></span><a bitly="BITLY_PROCESSED" href="http://www.wiresharktraining.com/certification" target="_blank"><span style="font-size: 12px; line-height: 15px;">www.wiresharktraining.com/certification</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">.<br /><br />The Official Exam Prep Guide will be on Amazon around August 23rd - learn more <br />at </span></span><a bitly="BITLY_PROCESSED" href="http://www.wiresharkbook.com/epg" target="_blank"><span style="font-size: 12px; line-height: 15px;">www.wiresharkbook.com</span></a><a bitly="BITLY_PROCESSED" href="http://www.wiresharkbook.com/epg" target="_blank"><span style="font-size: 12px; line-height: 
15px;">/epg</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">.<br /><br />Thanks to all of you who have been so patient as we rewrote, redesigned and <br />redeveloped the Exam. We are excited to see Wireshark become more popular <br />each month and hope the Wireshark Certified Network Analyst designation <br />becomes a de facto certification for all IT professionals.<br /><br />Laura Chappell<br />---------------------------------------------------------------------------------------------------------------<br />For more information and to download the Exam Information Pack, visit<br /></span></span><a bitly="BITLY_PROCESSED" href="http://www.wiresharktraining.com/certification"><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">www.wiresharktraining.com/certification</span></span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">.</span></span></span><br /><br /><span style="font-weight: bold;">Wireshark Exam Prep Guide in Final Editing!</span> (Laura, 2010-07-21; updated 2010-09-06)<br />Update: The book has gone to the printers. We expect it to be available on<br />Amazon around August 23rd. 
For more information, visit<br />www.wiresharkbook.com.<br /><br />Yes - this blog has been quiet for a bit - I've been putting in an unreal amount of<br />time prepping the Wireshark Certified Network Analyst Exam and the new<br />Wireshark Certified Network Analyst Official Exam Prep Guide (shown above).<br /><br />After writing the Wireshark Network Analysis: Official Wireshark Certified Network<br />Analyst Study Guide, we had talked about building a prep guide to provide a feel<br />for the questions on the Exam.<br /><br />The result is a 202-page Exam Prep Guide that covers over 300 questions in the<br />book and over 300 questions in both timed and untimed exam format on the<br />accompanying CD.<br /><br />The Exam is about ready to release - both the Exam and Exam Prep Guide<br />should be announced on the same day (get ready). Measure and validate your<br />analysis skills using the Exam Prep Guide and taking the Wireshark Certified<br />Network Analyst Exam!<br /><br />More information on the Exam release and requirements will be coming up over<br />at www.wiresharktraining.com/certification.<br /><br />For more information on the Wireshark Certified Network<br />Analyst Official Exam Prep Guide, visit<br />www.wiresharkbook.com/epg.<br /><br />Are you ready? 
Check out the Exam Prep questions below:<br /><br />Note: If Amazon.com doesn't have the Wireshark Network Analysis book in stock,<br />check out our Amazon Marketplace page.<br /><br />The MAC name resolution process resolves the first 3 bytes of the<br />MAC address to the OUI value contained in Wireshark’s manuf file.<br /><br /> __ True<br /> __ False<br /><br />The first two packets of a single TCP handshake process can be<br />used to determine the long term average round trip latency time<br />between hosts.<br /><br />__ True<br />__ False<br /><br /><br />The display filter tcp.analysis.flags shows all packets that<br />have the TCP Reset bit set to 1.<br /><br />__ True<br />__ False<br /><br /><br />ICMP Destination Unreachable messages sent in response to an<br />FTP connection attempt indicate the FTP port is likely firewalled.<br /><br />__ True<br />__ False<br /><br /><br />Which TCP setting must be enabled in order to use the<br />tcp.analysis.flags display filter?<br /><br />__ A. Try Heuristic Subdissectors First<br />__ B. Analyze TCP Sequence Numbers<br />__ C. Allow Subdissector to Reassemble TCP Streams<br />__ D. Window Scaling and Relative Sequence Numbers<br /><br /><br />Which Calc value is best suited to graphing the IO rate using<br />tcp.len?<br />__ A. SUM(*)<br />__ B. MIN(*)<br />__ C. LOAD(*)<br />__ D. MAX(*)<br /><br /><br />Enjoy life... one bit at a time.<br /><br />Laura<br /><br /><span style="font-style: italic;">Answers: True (that's the purpose of the manuf file), False (you need more than</span><br /><span style="font-style: italic;">just a single SYN, SYN/ACK to figure out the long-term average RTT), False (this</span><br /><span style="font-style: italic;">filter shows packets marked as retransmissions, window zero, checksum errors,</span><br /><span style="font-style: italic;">etc. 
- not TCP reset packets), True (if the port were open, we'd see a SYN/ACK, if it</span><br /><span style="font-style: italic;">were closed we'd see a RST - an ICMP response indicates a likely firewall</span><br /><span style="font-style: italic;">fantastic Wireshark display filter), A (you want to count up all the TCP data - not</span><br /><span style="font-style: italic;">just know the minimum or maximum values for the time period - the LOAD(*) is</span><br /><span style="font-style: italic;">used for time values).</span><br /><br /><span style="font-weight: bold;">Google's Secure Search... Not So Secure?</span> (Laura, 2010-06-02; updated 2010-09-06)<br /><span class="text"><i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Watch two </span></span></i><a bitly="BITLY_PROCESSED" href="http://www.wiresharkbook.com/coffee"><i><span style="font-size: 12px; line-height: 15px;">new videos</span></i></a><i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;"> examining Google searches using HTTP and HTTPS - now <br />available at www.wiresharkbook.com/coffee. 
Note that the trace files used in the <br />video are in the download section of that site.<br /><br /></span></span></i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">As a follow-up to last week's "Peeking at Google's Secure Search Beta Traffic" <br />blog, I did a bit more poking around in the secure search traffic after getting this <br />question via Twitter.<br /><br />Here are the steps seen in the trace file called google-https-<br />cachedlink_plus_sitelink.pcap over at the wiresharkbook.com </span></span><a bitly="BITLY_PROCESSED" href="http://www.wiresharkbook.com/downloads.html" target="_blank"><span style="font-size: 12px; line-height: 15px;">download page</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">.<br /><br />1. Access https://www.google.com<br />2. Search for "hacking cisco ip phones"<br />3. Click on the cached link for one result (a blog page)<br />4. Click on one of the links on that blog page<br /><br />In analyzing the traffic, I noticed the following:<br /><br /></span></span><ul style="padding: 0pt; margin: 0px 0px 0px 40px;"><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">It takes 3 TLS/SSL connections just to load the Google secure search <br /></span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">page.</span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">When I clicked on the cached link I </span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">connected 
to</span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;"> Google's web cache site <br /></span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">(webcache.googleusercontent.com CNAME googlehosted.l.google.com).</span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">My original search terms were contained in clear text in the GET query to <br /></span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">Google's cache server.</span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#000000;"><span style="font-size: 12px; line-height: 15px;">My original search terms were also contained in the packets generated to <br /></span></span><span style="font-family:Arial;font-size:85%;color:#000000;"><span style="font-size: 12px; line-height: 15px;">the Symantec secure browsing server.</span></span><span style="font-family:Arial;font-size:85%;color:#000000;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">When I clicked one of the links on the cached page, I connected to the <br /></span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">target website and provided my referral 
information (including my search <br /></span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">terms</span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">)</span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li></ul><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span><b><span style="font-size:85%;color:#cc6600;"><span style="font-size: 14px; line-height: 17px;">This is NOT secure searching if you click a cached link in <br />Google's "secure" search beta.<br /><br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Heck - apply the display filter</span></span><b><span style="font-family:Courier New;color:#333333;"><span style="font-size: 12px; line-height: 14px;"> http.request.method == "GET" && frame <br />contains "hacking"</span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;"> and see how many times my search term showed up in <br />the traffic.<br /><br />So... what's the point of Google's secure search? Google states the following:<br /><br /></span></span><i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">"With Google search over SSL, you can have an end-to-end encrypted search <br />solution between your computer and Google. This secured channel helps protect <br />your search terms and your search results pages from being intercepted by a <br />third party. This provides you with a more secure and private search experience."<br /><br /></span></span></i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Wow - that's as misleading as my son saying his homework is "mostly finished." <br />Am I not a third-party? 
Maybe a bit of clarity is warranted here, Googlites!<br /><br />Google - I suggest you kill the cached link feature on your secure search page. <br />Otherwise you aren't offering any secrecy to unsuspecting folks who might click <br />on those links.<br /><br />Enjoy life... one bit at a time!<br /><br />Laura</span></span></span><br /><br /><span style="font-weight: bold;">Peeking at Google's Secure Search Beta Traffic</span> (Laura, 2010-05-25; updated 2010-09-06)<br /><span class="text"><i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Watch the </span></span></i><a bitly="BITLY_PROCESSED" href="http://www.wiresharkbook.com/coffee"><i><span style="font-size: 12px; line-height: 15px;">new video</span></i></a><i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;"> comparing Google searches using HTTP and HTTPS - <br />now available at www.wiresharkbook.com/coffee. Note that the two trace files <br />used in the video are in the download section of that site.<br /><br /></span></span></i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">If you haven't been following Google lately, you might have missed their "secure <br />search" announcement. It's HTTPS-based, but don't think you're totally secure <br />from prying eyes when you web browse (also see Chapter 23 of the Wireshark <br />Network Analysis book for details on HTTPS analysis). 
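Both Google secure-search posts come down to one check: does a cleartext HTTP request carry the search terms, either in its own query string (the fetch of the cached page) or in the Referer header (the click out of that page)? Here is an added example, not code from the posts, that runs that check over a few constructed requests modelled on the cached-link steps described above and reports where the term shows up, which is what the display filter `http.request.method == "GET" && frame contains "hacking"` finds by plain string match; the hostnames, paths and the cache: value are assumptions, and the search term is the one used in the post.

```python
"""Report where a search term leaks in cleartext HTTP requests.

Added example (not from the original posts). Hostnames, paths and the
cache: value below are constructed; only the search term comes from the post.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests, as an analyst might export them from a trace.
SAMPLE_REQUESTS: List[bytes] = [
    # 1. Clicking the cached link: the GET to Google's cache server carries
    #    the original search terms in clear text in its query string.
    b"GET /search?q=cache:EXAMPLE:blog.example.net/+hacking+cisco+ip+phones&hl=en HTTP/1.1\r\n"
    b"Host: webcache.googleusercontent.com\r\n"
    b"Referer: https://www.google.com/\r\n\r\n",
    # 2. Clicking a link on the cached page: the target site receives the
    #    cache URL, search terms included, as referral information.
    b"GET /2010/05/some-post.html HTTP/1.1\r\n"
    b"Host: blog.example.net\r\n"
    b"Referer: http://webcache.googleusercontent.com/search?q=cache:EXAMPLE:blog.example.net/+hacking+cisco+ip+phones&hl=en\r\n\r\n",
    # 3. An unrelated request with nothing to report.
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n\r\n",
]


def parse_request(raw: bytes) -> Dict[str, str]:
    """Parse the request line and headers of one HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    req = {"method": method, "target": target}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            req[name.strip().lower()] = value.strip()
    return req


def search_terms(url: str) -> Optional[str]:
    """Return the q= parameter of a URL (Google carries the search terms there)."""
    values = parse_qs(urlsplit(url).query).get("q")
    return values[0] if values else None


def find_leaks(raw_requests: List[bytes], term: str) -> List[Tuple[str, str, str]]:
    """Return (host, location, leaked_terms) for every GET that carries `term`.

    location is "query" when the request's own URL carries the terms and
    "referer" when they arrive in the Referer header.
    """
    leaks: List[Tuple[str, str, str]] = []
    term_l = term.lower()
    for raw in raw_requests:
        req = parse_request(raw)
        if req["method"] != "GET":
            continue
        host = req.get("host", "?")
        # Location 1: the request's own query string (the cache fetch).
        own = search_terms("http://" + host + req["target"])
        if own and term_l in own.lower():
            leaks.append((host, "query", own))
        # Location 2: the Referer header (the click out of the cached page).
        ref = req.get("referer")
        if ref:
            ref_terms = search_terms(ref)
            if ref_terms and term_l in ref_terms.lower():
                leaks.append((host, "referer", ref_terms))
    return leaks


if __name__ == "__main__":
    for host, where, terms in find_leaks(SAMPLE_REQUESTS, "hacking"):
        print(f"{host}: search terms in {where}: {terms!r}")
```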
<br /><br /></span></span><b><span style="color:#cc6600;"><span style="font-size: 12px; line-height: 15px;">Secure Search Doesn't Hide Target Browsing<br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Just because your Google search process is running with HTTPS and is <br />encrypted, this doesn't mean that when you click that link your browsing <br />session that follows is encrypted. Some chatter last week indicated that <br />Google's "secure search" somehow protected you more than it really does. <br />Sure, your browsing session is encrypted, but the minute you click on an HTTP <br />link, I can read the DNS query issued (if any) and the HTTP session to the target <br />site.<br /><br /></span></span><b><span style="color:#cc6600;"><span style="font-size: 12px; line-height: 15px;">Yes, Removing the Referrer Data will Screw up Analytics<br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">One "side effect" of Google's secure search option is that when you click on the <br />target link from the Google's secure search page, the referrer information is not <br />sent to the target - they can't tell from whence you came. 
Oh, boy - this really is <br />going to mess up the analytics.<br /><br />Analytics-hounds are going to freak out on this one!<br /><br />Get an All Access Pass </span></span><a bitly="BITLY_PROCESSED" href="http://www.chappellseminars.com/aap.html"><span style="color:#003399;"><span style="font-size: 12px; line-height: 15px;">here</span></span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;"> and check out the </span></span><a bitly="BITLY_PROCESSED" href="http://www.wiresharkbook.com/coffee" target="_blank"><span style="font-size: 12px; line-height: 15px;">video</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;"> detailing the two Google <br />search processes.<br /><br />Enjoy life... one bit at a time!<br /><br />Laura</span></span></span><br /><br /><span style="font-weight: bold;">Talking Tech with RunAs Radio</span> (Laura, 2010-05-02; updated 2010-09-06)<br /><span class="text"><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Last week I had the chance to talk with Richard Campbell and Greg Hughes of <br />RunAs Radio. You can listen </span></span><a bitly="BITLY_PROCESSED" href="http://www.runasradio.com/default.aspx?showNum=160" target="_blank"><span style="font-size: 12px; line-height: 15px;">here</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">.<br /><br /></span></span><b><span style="color:#cc6600;"><span style="font-size: 12px; line-height: 15px;">Don't know about RunAs Radio?<br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">RunAs Radio started back in 2007 and offers weekly radio shows primarily for a <br />Microsoft-centric audience. My episode is #160! 
I got interested in RunAs Radio <br />when I learned that Andy Malone had been interviewed recently on RunAs Radio <br />(I'm on a Cloud Computing panel with Andy at TechEd next month).<br /><br /></span></span><b><span style="color:#cc6600;"><span style="font-size: 12px; line-height: 15px;">Grey Hair, Fire Extinguishers, Needles in a Haystack, Vegas and More<br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Although the session started with a reference to my ever-increasing grey hairs <br />and the need for a fire extinguisher in the kitchen, Richard pushed towards the <br />issues related to wireless analysis. "It's been abused so much."<br /><br />We chatted about "jacked up access points" and saturation of the WLAN <br />environment in a Vegas casino.<br /><br /></span></span><b><span style="color:#cc6600;"><span style="font-size: 12px; line-height: 15px;">Cool Topics/Presenters<br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Visit the </span></span><a bitly="BITLY_PROCESSED" href="http://www.runasradio.com/archives.aspx" target="_blank"><span style="font-size: 12px; line-height: 15px;">RunAs Radio archives </span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">to check out the other 159 programs. Here are <br />some that I really enjoyed listening to.<br /><br /></span></span><ul style="padding: 0pt; margin: 0px 0px 0px 40px;"><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">Doug Toombs - free tools - although he missed Wireshark for some <br /></span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">unknown reason - at least he got Nmap in there. 
</span></span><a bitly="BITLY_PROCESSED" href="http://www.runasradio.com/default.aspx?showNum=150" target="_blank"><span style="font-family:Arial;font-size:85%;color:#000000;"><span style="font-size: 12px; line-height: 15px;">Listen here</span></span></a><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">.</span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">Nick Simons - he's the guy that killed Clippy - Nick talks about some free <br /></span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">tools for IT pros. </span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">I know you all love free tools! </span></span><a bitly="BITLY_PROCESSED" href="http://www.runasradio.com/default.aspx?showNum=150" target="_blank"><span style="font-family:Arial;font-size:85%;color:#000000;"><span style="font-size: 12px; line-height: 15px;">Listen here</span></span></a><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">.</span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">Steve Riley - now over at Amazon's Cloud Computing division - it's <br /></span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">always interesting to listen to Steve. 
</span></span><a bitly="BITLY_PROCESSED" href="http://www.runasradio.com/default.aspx?showNum=126" target="_blank"><span style="font-family:Arial;font-size:85%;color:#000000;"><span style="font-size: 12px; line-height: 15px;">Listen here</span></span></a><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;">.</span></span><span style="font-family:Arial;font-size:85%;color:#333333;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li></ul><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;"><br /><br />Go check out the podcasts at RunAs Radio and enjoy life... one bit at a time!<br /><br />Laura</span></span></span><div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div>Laurahttp://www.blogger.com/profile/17667710054709025147noreply@blogger.comtag:blogger.com,1999:blog-7740546072062781853.post-50417392096724123542010-05-02T19:44:00.000-07:002010-09-06T19:45:54.111-07:00The "Death of" Series<span class="text"><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">I've been having a great time working on some really lousy networks! You too?! What a coincidence! <g><br /><br />As conference season approaches (June), I've just finished writing up my draft presentations. I'll be starting a series of presentations inspired by the Dexter series on Showtime. As we've run through the entire season just recently, the <br />images of death were first and foremost on my mind when I started sketching out these presentations. <br /><br /></span></span><b><span style="color:#993300;"><span style="font-size: 12px; line-height: 15px;">DEATH OF A NETWORK: Identify the Hidden Cause of Lousy Network Performance<br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">I'm going to have fun with this one! This is my "finger pointing" session and I have some major pointing to do! 
I'm not going to sugar coat some of the more recent causes of pathetic performance and I'll be showing the trace files used <br />to nail down who's really killing the network.<br /><br /></span></span><b><span style="color:#993300;"><span style="font-size: 12px; line-height: 15px;">DEATH OF SECURITY: Breached Hosts/Stolen Data/IP Espionage<br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">A long conversation with a buddy at a 3-letter agency gave me some ideas of what to share in this session. We'll talk some recent case stuff before looking at suspicious traffic and have a heart-to-heart about the methods in which your <br />network security may fail you. <br /><br /></span></span><b><span style="color:#993300;"><span style="font-size: 12px; line-height: 15px;">ADD SOME HUMOR TOO...<br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">It's not all death and doom though. I added some "ugly network" humor in there. In fact I'm going to have difficulty keeping a straight face as I walk through the traffic of a certain hip phone that exudes attitude on the network. Hmmm.... who could that be?<br /><br /></span></span><i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;"></span></span></i><b><span style="color:#993300;"><span style="font-size: 12px; line-height: 15px;">ALL ACCESS PASS MEMBERS<br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">I'll be recording these "Death of" presentations for our All Access Pass members, so get a membership if you want to<br />catch these new presentations without heading to a conference.<br /><br />Of course, I won't be serving wine or beer, but you'll probably remember the information better that way!<br /><br />Enjoy life... 
one bit at a time!<br /><br />Laura</span></span></span><div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div>Laurahttp://www.blogger.com/profile/17667710054709025147noreply@blogger.comtag:blogger.com,1999:blog-7740546072062781853.post-67889385885044822902010-04-28T19:42:00.000-07:002010-09-06T19:43:32.703-07:00When Wireshark Gets Confused...<span class="text"><b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">[Note:<br />SIP/VoIP call setup is covered in Chapter 27 of </span></span></b><a bitly="BITLY_PROCESSED" href="http://www.wiresharkbook.com/" target="_blank"><b><span style="font-size: 12px; line-height: 15px;">Wireshark Network Analysis</span></b></a><b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">.]<br /><br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">I was scrambling around in preparation for a VoIP training session recently <br />when I opened a new VoIP trace file that depicted a simple call setup routine <br />followed by the actual call.<br /><br />Strangely, Wireshark had an issue identifying one side of the SIP connection - <br />as you can see in the graphic above. Wireshark dissected one-half of the <br />conversation as FF (Foundation Fieldbus) traffic.<br /><br /></span></span><i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">What in the world is going on here?<br /><br /></span></span></i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Wireshark defines the protocol column value based on the highest layer of <br />decode that it can apply to the packet. 
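<br /><br />To make that dissector choice concrete, here is an added example (written for this page, not code from the original post or from Wireshark itself) that models a UDP port-table lookup with a Decode As style override. The port table carries the IANA registrations that matter here (UDP 1089-1091 belong to Foundation Fieldbus HSE, 5060 to SIP, 53 to DNS); the two datagrams, the helper names and the content check are constructed for illustration, and the lower-port-first lookup order mirrors the order Wireshark's UDP dissector uses when both ports have a registered dissector.<br /><br />

```python
"""Toy model of port-based dissector selection with a Decode As override.

Added example, not Wireshark's code. The port table below carries the IANA
registrations relevant to the post; the datagrams are constructed.
"""
import struct

# Registered UDP ports (IANA): ff-annunc 1089, ff-fms 1090, ff-sm 1091, sip 5060.
UDP_PORT_TABLE = {1089: "FF", 1090: "FF", 1091: "FF", 5060: "SIP", 53: "DNS"}

SIP_METHODS = (b"INVITE ", b"ACK ", b"BYE ", b"CANCEL ", b"REGISTER ", b"OPTIONS ")


def looks_like_sip(payload):
    """Content check: a SIP message starts with a request line or a status line."""
    return payload.startswith(SIP_METHODS) or payload.startswith(b"SIP/2.0 ")


def build_udp(src, dst, payload):
    """Assemble a raw UDP datagram (checksum left zero, which IPv4 permits)."""
    return struct.pack("!HHHH", src, dst, 8 + len(payload), 0) + payload


def parse_udp(datagram):
    """Return (src_port, dst_port, payload) from a raw UDP datagram."""
    if len(datagram) < 8:
        raise ValueError("short UDP header")
    src, dst, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length")
    return src, dst, datagram[8:length]


def select_dissector(src, dst, decode_as=None):
    """Pick a protocol from the port table, trying the lower port number first.

    decode_as maps port -> protocol and replaces the registered entry for that
    port, which is what Decode As does for the open trace file.
    """
    table = dict(UDP_PORT_TABLE)
    table.update(decode_as or {})
    for port in sorted((src, dst)):
        if port in table:
            return table[port]
    return "DATA"  # nothing registered: the payload is shown undecoded


def dissect(datagram, decode_as=None):
    """Return (protocol, mismatch); mismatch flags SIP content not decoded as SIP."""
    src, dst, payload = parse_udp(datagram)
    proto = select_dissector(src, dst, decode_as)
    return proto, (proto != "SIP" and looks_like_sip(payload))


# Constructed frames: an INVITE between the SIP ports, and a reply sent from
# port 1089, an ephemeral port that happens to be registered to FF.
INVITE = build_udp(5060, 5060, b"INVITE sip:bob@example.net SIP/2.0\r\n\r\n")
TRYING = build_udp(1089, 5060, b"SIP/2.0 100 Trying\r\n\r\n")

if __name__ == "__main__":
    print(dissect(INVITE))                 # ('SIP', False)
    print(dissect(TRYING))                 # ('FF', True)   port 1089 wins the lookup
    print(dissect(TRYING, {1089: "SIP"}))  # ('SIP', False) after the Decode As override
```

Port-based dissection is only a guess about what the bytes are; the content check is the kind of sanity test worth keeping in mind, because traffic parked on a port registered to some other protocol, whether by accident as here or on purpose, will be labelled by the port and not by the payload.<br /><br />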
In this case, Wireshark found something <br />in these packets to indicate the traffic was Foundation Fieldbus packets.<br /><br />I compared the packets defined as "FF" to the packets correctly interpreted as <br />SIP.<br /><br /></span></span><b><span style="color:#993300;"><span style="font-size: 12px; line-height: 15px;"></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">Aha! The port number fields tell the story. In the UDP header, packets that <br />contained the source port of 1089 are dissected as Foundation Fieldbus. UDP port 1089 is registered to Foundation Fieldbus HSE (ff-annunc, alongside 1090 and 1091), so Wireshark's port-based UDP dissector table hands any packet using that port to the FF dissector, whatever the payload actually contains. Ok - <br />let's just skip past the fact that the sender in Frame 2 above is not responding <br />to the correct port number defined in Frame 1.<br /><br />My focus was on getting Wireshark to dissect the packets marked Foundation <br />Fieldbus as SIP packets. I certainly don't want to alter the preferences of <br />Wireshark so that all packets containing source port 1089 are dissected as SIP <br />packets (as they likely are just ephemeral ports and not SIP at all).<br /><br />The quick solution is to right-click on the packets dissected as Foundation <br />Fieldbus and select Decode As. Selecting SIP as the desired dissection and <br />applying this to the trace file fixed the problem quickly. Wireshark now <br />dissected source port 1089 as SIP. Clicking the "Show Current" button in the <br />Decode As window displays all manually altered dissection configurations.<br /><br />It's not often that I have to apply Wireshark's Decode As function (typically I hit <br />companies using non-standard port numbers for applications for various <br />understandable and just plain whacky reasons). <br /><br />It's a great feature to know - just in case you hit a strange dissection.<br /><br />Enjoy life... 
</span></span><i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">in the Netherland</span></span></i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">s... one bit at a time!<br /><br />Laura</span></span></span><div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div>Laurahttp://www.blogger.com/profile/17667710054709025147noreply@blogger.comtag:blogger.com,1999:blog-7740546072062781853.post-60469052494842545522010-04-20T19:40:00.000-07:002010-09-06T19:42:05.005-07:00Europe Welcomes Wireshark University<span class="text"><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">On May 31st, the first Wireshark University course opens in the Netherlands! <br />The Core 1 course registration is now open with our first European partner, <br />SCOS. For information, visit </span></span><a bitly="BITLY_PROCESSED" href="http://www.wiresharkuniversity.nl/" target="_blank"><span style="font-size: 12px; line-height: 15px;">www.wiresharkuniversity.nl</span></a><a bitly="BITLY_PROCESSED" href="http://www.wiresharkuniversity.nl/" target="_blank"><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">.<br /><br /></span></span></a><b><span style="font-size:130%;color:#006600;"><span style="font-size: 20px; line-height: 24px;">You do not want to miss this event!<br /><br /></span></span></b><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">This course teaches you how to capture wired and wireless traffic and interpret <br />the most common TCP/IP communications including IP, ICMP, UDP, TCP, <br />DNS, ARP, DHCP, HTTP and email traffic.<br /><br />Register online today at </span></span><a bitly="BITLY_PROCESSED" href="http://www.wiresharkuniversity.eu/trainingdates.htm" target="_blank"><span style="font-size: 12px; line-height: 15px;">http://www.wiresharkuniversity.eu/trainingdates.htm</span></a><span style="color:#333333;"><span 
style="font-size: 12px; line-height: 15px;">. <br />For more information, email </span></span><a bitly="BITLY_PROCESSED" href="mailto:info@scos.nl" target="_blank"><span style="font-size: 12px; line-height: 15px;">info@scos.nl</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">.<br /><br />In addition, SCOS is a European distributor of the new Wireshark Network <br />Analysis book (</span></span><a bitly="BITLY_PROCESSED" href="http://www.wiresharkbook.nl/" target="_blank"><span style="font-size: 12px; line-height: 15px;">www.wiresharkbook.nl</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">). There should be copies of the book <br />available at the training to help you prepare for the upcoming Wireshark <br />Certified Network Analyst Exam (due Q2/2010). For more information on the <br />Exam, visit </span></span><a bitly="BITLY_PROCESSED" href="http://www.wiresharktraining.com/certification.html" target="_blank"><span style="font-size: 12px; line-height: 15px;">Wireshark University</span></a><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">.<br /><br />Betty DuBois, Lead Wireshark University Instructor, will be presenting this 5-day <br />event focusing on the key capabilities of Wireshark, the world's most popular <br />network analyzer, and TCP/IP communications analysis.<br /><br />Special thanks to Matt Hamburg of SCOS for hosting this very special event.<br /><br />Enjoy life... </span></span><i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">in the Netherland</span></span></i><span style="color:#333333;"><span style="font-size: 12px; line-height: 15px;">s... 
one bit at a time!<br /><br />Laura</span></span></span><div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div>Laurahttp://www.blogger.com/profile/17667710054709025147noreply@blogger.comtag:blogger.com,1999:blog-7740546072062781853.post-58066144348432666602010-04-14T19:39:00.000-07:002010-09-06T19:40:47.859-07:00Baseline Today!<span class="text"><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;">In one of the early book reviews, Marcos Christodonte II states “I’m a firm <br />believer in baselining network traffic. In this section, Wireshark Network <br />Analysis details the importance of baselining and the types of traffic to focus on. <br />Like other sections, this section also provides screenshots, showing how to <br />analyze traffic and packet statistics.” [Read the full review </span></span><a bitly="BITLY_PROCESSED" href="http://www.wiresharkbook.com/reviews.html" target="_blank"><span style="font-size: 12px; line-height: 15px;">here</span></a><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;">.]<br /><br />Every IT professional should take baselining seriously. It’s not difficult to do and <br />will save you time, money, frustration and possibly your job when all hell breaks <br />loose on the network.<br /><br />Baselines define your network’s vital signs when it is healthy. Baselines are <br />used to define not only the basic traffic flows of an application or process – they <br />also help define the number of connections required by a process, the type of <br />connection, the port numbers, interdependencies with other hosts, typical round <br />trip times, average packet per second rates, average load time and more.<br /><br />Chapter 28 includes my baseline checklists - listing the traffic you should be <br />capturing and what you should be looking for when characterizing "normal" <br />behavior. 
<br /><br />For example, if you want to create a baseline of your login/logout sequences, <br />consider the following questions:<br /><br /></span></span><ul style="padding: 0pt; margin: 0px 0px 0px 40px;"><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">What discovery process takes place during login?</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">What server does the client connect to?</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">What are the processes seen during login?</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">How many packets does a typical login require?</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">Are there any login dependencies?</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li></ul><span 
style="color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /><br />When someone complains about a slow login process, compare the current <br />ugly login to the baseline you created.<br /><br /></span></span><ul style="padding: 0pt; margin: 0px 0px 0px 40px;"><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">Are there any large gaps in time?</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">Are there any Expert Info notifications?</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">Do you see the same number of conversations as in your baseline?</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">Do you see the same number of endpoints as in your baseline?</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">Do you see the same protocols as in your baseline?</span></span><span 
style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">Do you see the same number of packets as in your baseline?</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">Do you see the same dependencies as in your baseline?</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">Did the name resolution process match your baseline?</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></li></ul><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br />You don't have to know everything about every packet and protocol in use. Use <br />the ugly trace and the baseline trace to identify large gaps in time, large <br />differences in packet counts, and unusual error responses. 
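<br /><br />Here is that comparison in code, as an added example that is not from the book or the post: two constructed login captures, summarised as tshark-style packet records (time, source, destination, protocol, info), are reduced to the vital signs the checklist asks about and then diffed. The addresses, host names, error markers and thresholds are all assumptions; the thresholds in particular are meant to be tuned against your own baseline. A new endpoint or conversation showing up in a login sequence is exactly the kind of dependency the baseline is meant to expose, whether it is a misconfigured resolver or something less innocent.<br /><br />

```python
"""Diff a 'current' login capture against a baseline capture.

Added example, not code from the book or the post. Packet records are
constructed summaries of the kind tshark prints; thresholds are assumptions.
"""
from collections import namedtuple

Pkt = namedtuple("Pkt", "t src dst proto info")

# Constructed baseline: a healthy login sequence (resolve the DC, bind, get a TGT, map a share).
BASELINE = [
    Pkt(0.000, "10.0.0.5", "10.0.0.2", "DNS", "query dc1.corp.example"),
    Pkt(0.002, "10.0.0.2", "10.0.0.5", "DNS", "response 10.0.0.10"),
    Pkt(0.010, "10.0.0.5", "10.0.0.10", "LDAP", "bindRequest"),
    Pkt(0.015, "10.0.0.10", "10.0.0.5", "LDAP", "bindResponse success"),
    Pkt(0.020, "10.0.0.5", "10.0.0.10", "KRB5", "AS-REQ"),
    Pkt(0.030, "10.0.0.10", "10.0.0.5", "KRB5", "AS-REP"),
    Pkt(0.040, "10.0.0.5", "10.0.0.10", "SMB2", "Tree Connect"),
    Pkt(0.050, "10.0.0.10", "10.0.0.5", "SMB2", "Tree Connect Response"),
]

# Constructed 'ugly' login: the first resolver never answers, a second resolver
# appears, Kerberos needs a retry, and the packet count grows.
CURRENT = [
    Pkt(0.000, "10.0.0.5", "10.0.0.2", "DNS", "query dc1.corp.example"),
    Pkt(1.000, "10.0.0.5", "10.0.0.2", "DNS", "query dc1.corp.example"),
    Pkt(2.000, "10.0.0.5", "10.0.0.3", "DNS", "query dc1.corp.example"),
    Pkt(2.005, "10.0.0.3", "10.0.0.5", "DNS", "response 10.0.0.10"),
    Pkt(2.010, "10.0.0.5", "10.0.0.10", "LDAP", "bindRequest"),
    Pkt(2.015, "10.0.0.10", "10.0.0.5", "LDAP", "bindResponse success"),
    Pkt(2.020, "10.0.0.5", "10.0.0.10", "KRB5", "AS-REQ"),
    Pkt(2.030, "10.0.0.10", "10.0.0.5", "KRB5", "KRB-ERROR"),
    Pkt(2.040, "10.0.0.5", "10.0.0.10", "KRB5", "AS-REQ"),
    Pkt(2.050, "10.0.0.10", "10.0.0.5", "KRB5", "AS-REP"),
    Pkt(2.060, "10.0.0.5", "10.0.0.10", "SMB2", "Tree Connect"),
    Pkt(2.070, "10.0.0.10", "10.0.0.5", "SMB2", "Tree Connect Response"),
]

# Substrings (assumed, lower-case) that mark an error response in the info column.
ERROR_MARKERS = ("unreachable", "error", "reset", "denied")


def profile(pkts):
    """Reduce a capture to the vital signs the baseline checklist asks about."""
    endpoints, conversations, protocols = set(), set(), set()
    for p in pkts:
        endpoints.update((p.src, p.dst))
        conversations.add((p.proto, tuple(sorted((p.src, p.dst)))))
        protocols.add(p.proto)
    times = [p.t for p in pkts]
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    errors = sum(1 for p in pkts if any(m in p.info.lower() for m in ERROR_MARKERS))
    return {
        "packets": len(pkts),
        "endpoints": endpoints,
        "conversations": conversations,
        "protocols": protocols,
        "max_gap": max(gaps, default=0.0),
        "errors": errors,
    }


def compare(baseline, current, packet_tolerance=0.25, gap_limit=0.5):
    """Return the findings of a baseline comparison; an empty dict means 'matches'."""
    b, c = profile(baseline), profile(current)
    findings = {}
    if c["max_gap"] > max(gap_limit, b["max_gap"]):
        findings["large_gap"] = c["max_gap"]
    if c["endpoints"] - b["endpoints"]:
        findings["new_endpoints"] = c["endpoints"] - b["endpoints"]
    if c["conversations"] - b["conversations"]:
        findings["new_conversations"] = c["conversations"] - b["conversations"]
    if b["protocols"] - c["protocols"]:
        findings["missing_protocols"] = b["protocols"] - c["protocols"]
    if abs(c["packets"] - b["packets"]) > packet_tolerance * b["packets"]:
        findings["packet_count"] = (b["packets"], c["packets"])
    if c["errors"] > b["errors"]:
        findings["new_errors"] = c["errors"] - b["errors"]
    return findings


if __name__ == "__main__":
    for key, value in sorted(compare(BASELINE, CURRENT).items()):
        print(f"{key}: {value}")
```

Run against the two constructed captures, the comparison reports a one-second gap, the extra resolver 10.0.0.3 as a new endpoint and conversation, a packet count of 12 against a baseline of 8, and one new error response; feeding the baseline against itself yields no findings. With real traces, build the records from a tshark field export and set the thresholds from what your own baselines show.<br /><br />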
All of this enables you to point <br />the finger at the problem.<br /><br /></span></span><b><span style="font-size:100%;color:#cc6600;"><span style="font-size: 16px; line-height: 19px;">Remember - in a finger-pointing world, the only finger <br />that counts is the network analyst's finger!<br /><br /></span></span></b><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;">So… schedule some time to create your baselines now – before you need <br />them.<br /><br />Enjoy life... one bit at a time!<br /><br />Laura</span></span></span><div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div>Laurahttp://www.blogger.com/profile/17667710054709025147noreply@blogger.comtag:blogger.com,1999:blog-7740546072062781853.post-57990265933610934142010-04-06T19:36:00.000-07:002010-09-06T19:39:08.401-07:00HELP! I've Been Tooned<span class="text"><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;">If you went to BrainShare 2010 and watched the Monday or Thursday keynotes, <br />they were preceded by two short behind-the-scenes videos. 
In each video a <br />domineering packet geekess prepares systems for the show while "Fred" <br />(likely the user from hell) sweats it out through last-minute stress.<br /><br />Yup - the geekess was my voice and a toon of me (although my boobs are <br />smaller as I told the project coordinator, Russ Dastrup, after seeing the initial <br />animation images).<br /><br /></span></span><ul style="padding: 0pt; margin: 0px 0px 0px 40px;"><li style="line-height: 0px; color: rgb(0, 0, 0);"><a bitly="BITLY_PROCESSED" href="http://www.youtube.com/watch?v=OGISJDqF1lI" target="_blank"><span style="font-family:Arial;font-size:85%;color:#000000;"><span style="font-size: 12px; line-height: 15px;">Monday BrainShare keynote video</span></span></a><a bitly="BITLY_PROCESSED" href="http://www.youtube.com/watch?v=OGISJDqF1lI" target="_blank"><span style="font-family:Arial;font-size:85%;color:#000000;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></a></li><li style="line-height: 0px; color: rgb(0, 0, 0);"><a bitly="BITLY_PROCESSED" href="http://www.youtube.com/watch?v=c-4sca8Q8wQ" target="_blank"><span style="font-family:Arial;font-size:85%;color:#000000;"><span style="font-size: 12px; line-height: 15px;">Thursday BrainShare keynote video</span></span></a><a bitly="BITLY_PROCESSED" href="http://www.youtube.com/watch?v=c-4sca8Q8wQ" target="_blank"><span style="font-family:Arial;font-size:85%;color:#000000;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></a></li></ul><a bitly="BITLY_PROCESSED" href="http://www.youtube.com/watch?v=c-4sca8Q8wQ" target="_blank"><span style="font-size: 12px; line-height: 15px;"><br /></span></a><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;">Russ asked me to prepare a script of some of the geeky things that I might say <br />- if you're an old-timer, you might have caught the reference to Compsurf <br />(remember those good old days?). 
There was also a reference to Wireshark in <br />there.<br /><br />Chris Miller supplied the voice talent for Geeko and Fred - from what I heard at <br />the recording studio, Chris is a pretty famous voice talent (Geppetto in Shrek is <br />listed as one of his credits - cool!). Those voices were recorded before mine. I <br />meandered into Soundtek Studios here in Campbell, California for my voice-<br />overs. When I walked in I was spending more time looking at their recording <br />equipment (they are a Mac shop) than the instruments (although I did consider <br />playing a little tambourine).<br /><br />It was ironic when they had network problems (an unplugged Ethernet cable) <br />before we started. The technician, Pat, was speaking another language most of <br />the time - "too hot" "too out there" "more eeeee". At one point he told me to be <br />"less orgasmic" when I was trying to add some energy to my voice (I'd been up <br />almost all night working book edits and I was in dire need of a triple espresso).<br /><br />At the keynote a few people said "Hey! That's Laura!" and they were right. Ya just <br />never know where I'll show up. <br /><br />Enjoy life... one bit at a time!<br /><br />Laura</span></span></span><div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div>Laurahttp://www.blogger.com/profile/17667710054709025147noreply@blogger.comtag:blogger.com,1999:blog-7740546072062781853.post-41880174580910739752010-03-28T19:33:00.000-07:002010-09-06T19:36:33.364-07:00Six Wireshark Network Analysis Video Supplements are Ready!Coffee and a Quickie offers a quick glimpse at some of the topics discussed in the Wireshark Network Analysis book.Yesterday I added another video focusing on using pre-made profile elements. 
The videos are all over at www.wiresharkbook.com/coffee.<br /><br />The book is now on Amazon - they are ramping up stock, so be patient!<br /><br /><span style="font-weight: bold;">Conference Season Heating Up</span><br />We're working on calendars this week as the conference abstract and presentation deadlines loom. So far, I am planning on being at the following conferences:<br /><br /><ul><li>Microsoft TechEd</li><li>Sharkfest 2010</li><li>HP TechForum (preshow seminar)</li><li>HTCIA International</li></ul><br />We are looking at running some Wireshark Bootcamps. These will be intense 3-day hands-on Wireshark courses focused on the objectives defined for the Wireshark Certified Network Analyst exam. The objectives are listed at the front of each chapter of the Wireshark Network Analysis book.<br /><br />Don't forget - there are lots of resources over at the www.wiresharkbook.com website, including the trace files and other supplements to download.<br /><br />Enjoy life... one bit at a time.<br /><br />Laura<div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div>Laurahttp://www.blogger.com/profile/17667710054709025147noreply@blogger.comtag:blogger.com,1999:blog-7740546072062781853.post-41586060172713101452010-03-03T19:23:00.000-08:002010-09-06T19:32:38.163-07:00Wireshark Network Analysis has Left the BuildingWhat shall I do with myself this morning? Hmmm... I already cleaned off my desk of all remnants of the book writing/editing process. I drafted up the book website (that will be home to the trace files and book supplements). Instinctively I launch Wireshark - heading out to get the latest development release at www.wireshark.org/download/automated/. Ooooh... 
we're now on version 1.3.4 SVN (subversion) 32095.<br /><br />Wireshark was a moving target while I wrote the book and we're releasing the book with features you won't even see if you don't load the development version or wait until v1.4 comes out.<br /><br />I've been examining each feature and working on descriptions and scenarios to depict the out-of-order packets (which are sometimes retransmissions), retransmissions vs. fast retransmissions, duplicate ACKs (and what triggers them)<br /><br /><ul><li>HTTPS decryption methods including the long and error prone key entry in the preferences section and the best TCP preference settings to view and filter on the SSL/TLS handshake</li><li>step-by-step procedures for application analysis methods to determine if an application affected network browsing performance (I analyzed Aptimize Website Accelerator running on Microsoft's Sharepoint website) - graphing methods to illustrate the effect of this tuning product</li><li>building a table to show WLAN capture options - when do you want promiscuous mode enabled/disabled and what can you "see" without monitor mode capability</li><li>diagramming networks with NAT/PAT devices, firewalls, layer 2 switches, MPLS configurations and more - all in an effort to explain how these devices affect the traffic</li><li>maintaining my new feature checklist to ensure I covered the new Packet List pane, fabulous load times, ignore packets feature, Apply as Column feature, etc.</li><li>keeping a master list of all the hot capture, display and color filters I've built to catch and vividly show the traffic that really explains what's going on</li><li>inventorying all the book trace files that are referenced in the Practice What You've Learned section of each chapter - that was an undertaking!</li></ul><br />It's been a lot of work - puff, puff - but strangely enticing. Each morning I had a list of features I would focus on that day. Each day I was able to marvel at Wireshark's capabilities. 
Each day I created charts and graphs of amazing network problems.<br /><br />Oh... gotta go... that new development version of Wireshark is calling!<br /><br />Laura<div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div>Laurahttp://www.blogger.com/profile/17667710054709025147noreply@blogger.comtag:blogger.com,1999:blog-7740546072062781853.post-76952939419558273292010-02-10T19:17:00.000-08:002010-09-06T19:21:34.218-07:00Organic Software Visualization puts Wireshark Development in a New Light<span class="text"><span style="color:#993300;"><span style="font-size: 12px; line-height: 15px;"><span style="color: rgb(102, 102, 102);">Check out</span></span></span><b><span style="color:#993300;"><span style="font-size: 12px; line-height: 15px;"> </span></span></b><a bitly="BITLY_PROCESSED" href="http://www.vimeo.com/9329501" target="_blank"><b><span style="color:#993300;"><span style="font-size: 12px; line-height: 15px;">www.vimeo.com/9329501</span></span></b></a><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;">. Don't worry... I'll wait right here until you return...<br /><br />This is by far one of the coolest videos I've seen in a long time. Created by Loris Degioanni (creator of WinPcap), this video visually represents the Wireshark development process from its inception using a tool called code_swarm.<br /><br />The video shows an organic information visualization (a term coined by Ben Fry) which "eschews traditional data confinement in space and lets the elements play together in free form and unpredictable ways."<br /><br />The result is stunning! 
<br /><br /></span></span><b><span style="color:#993300;"><span style="font-size: 12px; line-height: 15px;">Code_Swarm<br /></span></span></b><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;">Visit </span></span><a bitly="BITLY_PROCESSED" href="http://vis.cs.ucdavis.edu/%7Eogawa/codeswarm/" target="_blank"><b><span style="color:#993300;"><span style="font-size: 12px; line-height: 15px;">vis.cs.ucdavis.edu/~ogawa/codeswarm/</span></span></b></a><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;"> for more information on code_swarm and to see the visualizations for the following projects:<br /><br /></span></span><ul style="padding: 0pt; margin: 0px 0px 0px 40px;"><li style="line-height: 0px; color: rgb(102, 102, 102);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">Apache</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"> - </span></span><a bitly="BITLY_PROCESSED" href="http://www.vimeo.com/1076588" target="_blank"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">www.vimeo.com/1076588</span></span></a><a bitly="BITLY_PROCESSED" href="http://www.vimeo.com/1076588" target="_blank"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></a></li><li style="line-height: 0px; color: rgb(102, 102, 102);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">Python</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"> - </span></span><a bitly="BITLY_PROCESSED" href="http://www.vimeo.com/1093745" target="_blank"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 
15px;">www.vimeo.com/1093745</span></span></a><a bitly="BITLY_PROCESSED" href="http://www.vimeo.com/1093745" target="_blank"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></a></li><li style="line-height: 0px; color: rgb(102, 102, 102);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">Eclipse</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"> - </span></span><a bitly="BITLY_PROCESSED" href="http://www.vimeo.com/1130828" target="_blank"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">www.vimeo.com/1130828</span></span></a><a bitly="BITLY_PROCESSED" href="http://www.vimeo.com/1130828" target="_blank"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></a></li><li style="line-height: 0px; color: rgb(102, 102, 102);"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">PostgreSQL</span></span><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"> - </span></span><a bitly="BITLY_PROCESSED" href="http://www.vimeo.com/1081680" target="_blank"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;">www.vimeo.com/1081680</span></span></a><a bitly="BITLY_PROCESSED" href="http://www.vimeo.com/1081680" target="_blank"><span style="font-family:Arial;font-size:85%;color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></a></li></ul><a bitly="BITLY_PROCESSED" href="http://www.vimeo.com/1081680" target="_blank"><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;"><br /></span></span></a><span 
style="color:#666666;"><span style="font-size: 12px; line-height: 15px;">Additional project videos can be found at </span></span><a bitly="BITLY_PROCESSED" href="http://code.google.com/p/codeswarm/wiki/Gallery" target="_blank"><b><span style="color:#993300;"><span style="font-size: 12px; line-height: 15px;">code.google.</span></span></b></a><a bitly="BITLY_PROCESSED" href="http://code.google.com/p/codeswarm/wiki/Gallery" target="_blank"><b><span style="color:#993300;"><span style="font-size: 12px; line-height: 15px;">com/p/codeswarm/wiki/Gallery</span></span></b></a><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;">.<br /><br /></span></span><i><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;"></span></span></i><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;">You can see when specific areas of a project are HOT. For example, in Wireshark's code_swarm there are moments when everyone is focused on the dissectors (shown in light blue) - the image radiates a halo of light blue as <br />dissector code is checked in (like stars flying in). At other times, feverish work was being done on the GTK (GIMP Toolkit) user interface to make Wireshark more user-friendly.<br /><br />Release files are indicated in red. Sudden red bursts can be seen when a version is released. A legend in the upper left corner helps the viewer understand what parts of the project are most active at any time. Names flash when that <br />developer checks in code. The histogram at the bottom of the screen indicates the size and time of commits to the project.<br /><br /><br /></span></span><i><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;"></span></span></i><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;">In June 2006 all hell breaks loose when Wireshark is born of Ethereal. 
The histogram goes wild with commits and you can see all the work being done to change the name to Wireshark - in the manuals, in the dissectors, in the plugins - everywhere.<br /><br />I showed the various code_swarm videos to my kids when they came home from school today. Their first reaction - "Whoa... that's cool!" Second reaction from my son - "Do you think they have something like that for WoW?" Sigh....<br /><br />Their final reaction really hit me (after living on 3 hours of sleep a night trying to finish the Wireshark Network Analysis book and to catch the features and capabilities of this celestial moving target) - "It looks like the project is a black hole sucking in the life around it."<br /><br /></span></span><b><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;">Good observation.<br /><br /></span></span></b><span style="color:#666666;"><span style="font-size: 12px; line-height: 15px;">Laura</span></span></span><div class="blogger-post-footer">- Get geeky at www.chappellU.com -</div>Laurahttp://www.blogger.com/profile/17667710054709025147noreply@blogger.comtag:blogger.com,1999:blog-7740546072062781853.post-44211038985494140622010-01-19T19:12:00.000-08:002010-09-06T19:23:04.015-07:00Haiti: High and Low Tech Rescue<span style=";font-family:arial;font-size:100%;" class="text" ><span style="color: rgb(102, 102, 102);"><span style="line-height: 15px;">It's heartbreaking to see the loss of life in Haiti right now, 
especially the children. One image from cnn.com haunts me – a 1-month-old child held in the arms of a rescuer (image #12 at </span></span><a bitly="BITLY_PROCESSED" href="http://edition.cnn.com/2010/WORLD/americas/01/13/haiti.earthquake.photos/index.html" target="_blank"><span style="line-height: 15px;">edition.cnn.com/2010/WORLD/americas/01/13/haiti.earthquake.photos/index.html</span></a><span style="color: rgb(102, 102, 102);"><span style="line-height: 15px;">).<br /><br />Cellular communication has played a tremendous role in this disaster – from victims text messaging for assistance to families finding each other. It underscores the importance of shoring up cellular networks in preparation for disasters.<br /><br />Google updated their satellite imagery to show amazing before-and-after images of the devastation - </span></span><a bitly="BITLY_PROCESSED" href="http://www.theglobeandmail.com/news/world/before-and-after-satellite-images/article1432785/" target="_blank"><span style="line-height: 15px;">www.theglobeandmail.com/news/world/before-and-after-satellite-images/article1432785/</span></a><span style="color: rgb(102, 102, 102);"><span style="line-height: 15px;">. 
Click on one of the images to zoom in as close as you can.<br /><br />At msnbc.com, image #32 at </span></span><a bitly="BITLY_PROCESSED" href="http://www.msnbc.msn.com/id/34845446/displaymode/1247/?beginSlide=1" target="_blank"><span style="line-height: 15px;">www.msnbc.msn.com/id/34845446/displaymode/1247/?beginSlide=1</span></a><span style="color: rgb(102, 102, 102);"><span style="line-height: 15px;"> displays SearchCam, a victim location device that offers a tremendous ability to look into confined spaces. You can watch a video about SearchCam technology at </span></span><a bitly="BITLY_PROCESSED" href="http://www.con-space.com/video/victim-location-system-searchcam-2000" target="_blank"><span style="line-height: 15px;">www.con-space.com/video/victim-location-system-searchcam-2000</span></a><span style="color: rgb(102, 102, 102);"><span style="line-height: 15px;">.<br /><br />The other impressive group in these disasters is always the canine units: Irish and Spanish rescuers, Germany’s International Search and Rescue (ISAR) group, the Canadian Search and Disaster Dog Association, California's National Disaster Search Dog Foundation (SDF), and many others.<br /><br />These dogs react differently to survivors and victims – if a survivor is found, the dogs bark loudly; if a victim is found, they scratch at the rubble. For all of our high technology, they still amaze us. 
Nearly 70 hours after the quake, Hunter (a Border Collie from SDF) found two young girls trapped under 4 feet of concrete.<br /><br />Our thanks to the many military, civilian and canine heroes helping the victims and families who have been devastated by this quake.<br /><br />Please donate to your favorite relief charity today.<br /><br />Laura</span></span></span>Laurahttp://www.blogger.com/profile/17667710054709025147noreply@blogger.com