Format: 5 days Classroom Instruction

Start/End Times: 0830-1630

Recommended Class Size: 5-12

Audience: Intermediate

Target Audience:

This course is designed for Law Enforcement personnel who need to develop a set of packet investigation techniques through study of the Next Generation networking protocols using Wireshark and other Open-Source analysis tools. Successful completion of this course will provide these individuals with a pathway into the field of both Network and Forensics Analysis.

Recommended Prerequisites:

Completion of Wireshark 1 or equivalent networking and Wireshark experience


Advanced Network Analysis and Network Forensics encompasses the skills of not only capturing data, but also the ability to discern unusual patterns hidden within seemingly normal network traffic. This course will provide the student with a set of investigative and analysis techniques focusing on the use of vendor-neutral, Open-Source tools such as Wireshark to provide insight into the following areas:

  • Specialized and advanced packet capture techniques
  • Recognition, analysis and threat recognition for many of the next generation user protocol issues including IPv4/v6/v10, DHCPv4/v6, SCTP, DNS/DNSSec/MDNS, ICMP (v4/v6), Email Protocols (POP / SMTP / IMAP), File Transfer Protocols (FTP/TFTP/FIX/File Sharing) and common Internet based User Protocols (HTTP, VoIP, IRC, IM)
  • Specialized Analysis techniques including suspicious data traffic reconstruction and viewing

Real-World examples will be utilized throughout the course in conjunction with numerous hands-on exercises to provide field-proven, practical analysis skills. Attendees will receive a student guide including numerous reference files and networking and forensics tools, as well as a library of reference documents.


Course Details:

I. Introduction to Advanced Network Analysis

  • Logistics
  • Network analysis challenges – Nomenclature, Terminology and the Next Generation Protocols

II. Collecting the Data – Data Capture

  • Data Collection
    • Configuring Wireshark 2.0
      • New features to enhance capture – USBPcap / Androiddump
      • Using capture filters to capture specific suspect traffic
  • Stealth / Silent Collection of Data – Tips & Techniques
  • WiFi Device Analysis using AirPcap Control Panel
    • New Wireless Toolbar and WiFi features – WEP / WPA / WPA2 Decryption
    • Bluetooth capture features
  • Location – How Network Infrastructure Devices Affect Network Analysis
    • Hubs, Switches, Bridges, Routers, Firewalls and CSU / DSU

III. Network Analysis Methodology

  • Analyzing the 3 Different Network Communication Architectures
    • Client / Server
    • Peer-to-Peer
    • Terminal Host
  • Analyzing Conversations and Activities
    • Analyzing Conversations and Activities Using the new Expert Systems to Determine Unusual Activity
      • Determining Which Conversations Are Suspect – Analyzing Latency and Throughput to recognize and analyze suspicious user traffic
  • A Sample Law Enforcement Network Forensics Analysis Methodology
    • 6 Steps for Law Enforcement based Network Analysis of suspicious traffic
      • Answering the key incident questions
      • A Sample Network Forensics Analysis Methodology
  • Diagraming Conversations – A Picture is worth 1024 Words
    • Related Packet and Intelligent Scrollbar features

IV. Analysis of Network Applications and User Traffic

  • The Networking Protocols
    • What’s Normal vs. Abnormal – The Role of Baseline Files
    • Building a Baseline Library – Where Do I go to Find Samples?
    • Forensics Analysis of an Intrusion
      • Scouting out the Target – Network Reconnaissance and Scanning Tools
      • Recognizing Scanning Signatures – NMAP / Retina / Nessus, etc.
  • Before and after IPv6 – New Protocols and New Functions
    • Configuration Protocols
      • Structure and Analysis of DHCPv4 / DHCPv6
  • Resolving Addresses – DNS / DNSSec / MDNS / LLMNR
    • Structure and Analysis of DNS / DNSSec / MDNS / LLMNR
    • Common DNS Exploits, Attacks and Examples of Intrusion Signatures
  • The Network Layer – IPv4 / IPv6
    • Structure and Analysis of IPv4 / IPv6
    • IP Options – What’s the Big Deal?
    • Common IP Exploits and Examples of Intrusion Signatures
  • Utility and Troubleshooting Protocols – Internet Control Message Protocol (ICMPv4 / ICMPv6)
    • Structure and Analysis of ICMPv4 vs. ICMPv6
    • Network Analysis Using ICMP – Types and Codes
    • Common ICMP Exploits and Examples of Intrusion Signatures
  • The Transport Layer – Moving the Data – TCP / UDP / SCTP
    • Structure and Advanced Analysis of TCP
    • TCP Options – What’s the Big Deal?
    • Advanced TCP Analysis Using Expert Systems
    • Structure and Advanced Analysis of UDP
    • Structure and Analysis of the new SCTP
    • Common Transport Layer Exploits and Examples of Intrusion Signatures
  • The Application Layer – Analyzing Common User Protocols
    • Email Applications Using POP / SMTP / IMAP
      • Structure and Analysis of the Email Cloud
      • Assembling and evaluating Email traffic
    • Web-Based Applications Using HTTP / HTTP2
      • Structure and Analysis of HTTP / HTTPS – Decrypting SSL
      • Response Codes – The answer to analyzing HTTP and the new HTTP2
      • Reassembling and Exporting of Objects
    • Financial Interexchange Protocol (FIX)
      • Structure and Analysis of FIX
    • Instant Messenger (IM) Applications
      • Structure and analysis of Messaging Protocols

V. Where do we go from Here?

  • Wireshark 0LE – TCP/IP Networking Fundamentals Using Wireshark
  • Wireshark 1 – TCP/IP Network Analysis
  • Wireshark 2LE – Advanced Network & Security Analysis
  • Wireshark 3LE – Network Forensics Analysis
  • Wireshark 4LE – Mobile Device Forensics Analysis
  • Wireshark 5 – Cloud & Internet of Things (IoT) Technology & Advanced Network Analysis
  • Wireshark 6 – VoIP Technology & Advanced Network Analysis
  • Wireshark 7 – WiFi Technology & Advanced Network Analysis
  • Wireshark 8 – SCADA & ICS Technology & Advanced Network Analysis