Wireshark 2 – Next Generation Protocols and Advanced Network Analysis using Wireshark

This course is designed for Networking, Government and Security personnel that need to develop a set of packet investigation techniques through study of the Next Generation Networking Protocols using Wireshark and other Open-Source Analysis tools. Successful completion of this course will provide these individuals with a path-way into the field of both Network and Forensics Analysis.

Format: 5 days Classroom Instruction
Start/End Times: 0830-1630
Recommended Class Size: 5-12
Audience: Intermediate
More information: www.scos.training
Recommended Prerequisites: Completion of Wireshark 1 or equivalent networking and Wireshark experience


Advanced Network encompasses the skills of not only capturing data, but also the ability to discern unusual patterns hidden within seemingly normal network traffic. This course will provide the student with a set of investigate and analysis techniques focusing on the use of vendor-neutral, OpenSource Tools such as Wireshark to provide insight into the following areas:

  • Specialized and advanced packet capture techniques
  • Recognition, analysis and threat recognition for a many of the next generation user protocol issues including IPv4/v6/v10, DHCPv4/v6, SCTP, DNS/DNSSec/MDNS, ICMP (v4 /v6), Email Protocols (POP / SMTP / IMAP), File Transfer Protocols (FTP/TFTP/FIX/File Sharing) and common Internet based User Protocols (HTTP, VoIP, IRC, IM)
  • Specialized Analysis techniques including suspicious data traffic reconstruction and viewing

Real-World examples will be utilized throughout the course in conjunction with numerous hands-on exercises to provide field proven, practical analysis skills. Attendees will receive a student guide including numerous reference files and networking and forensics tools, as well as a library of reference documents.

Course Details:

I. Introduction to Advanced Network Analysis

  • Logistics
  • Network analysis challenges – Nomenclature, Terminology and the Next Generation Protocols

II. Collecting the Data – Data Capture

  • Data Collection
    • Configuring Wireshark 2.0
    • New features to enhance capture – USBPcap / Androiddump
  • Using capture filters to capture specific suspect traffic
  • Stealth / Silent Collection of Data – Tips & Techniques
  • WiFi Device Analysis using AirPcap Control Panel
  • New Wireless Toolbar and WiFi features – WEP / WPA / WPA2 Decryption ii. Bluetooth capture features
  • Location – How Network Infrastructure Devices Affect Network Analysis
  • Hubs, Switches, Bridges, Routers, Firewalls and CSU / DSU

III. Network Analysis Methodology

  • Analyzing the 3 Different Network Communication Architectures
    • Client / Server
    • Peer-to-Peer
    • Terminal Host
  • Analyzing Conversations and Activities
    • Analyzing Conversations and Activities Using the new Expert Systems to Determine Unusual Activity
    • Determining Which Conversations Are Suspect – Analyzing Latency and Throughput to recognize and analyze suspicious user traffic
  • A Sample Advanced Network Analysis Methodology
    • 6 Steps for practical Network Analysis of suspicious traffic
      • Answering the key questions
      • A Sample Network Analysis Methodology
  • Diagraming Conversations – A Picture is worth 1024 Words
    • Related Packet and Intelligent Scrollbar features

IV. Analysis of Network Applications and User Traffic

  • The Networking Protocols
    • What’s Normal vs. Abnormal – The Role of Baseline Files
    • Building a Baseline Library – Where Do I go to Find Samples?
    • Forensics Analysis of an Intrusion
      • Scouting out the Target – Network Reconnaissance and Scanning Tools
      • Recognizing Scanning Signatures – NMAP / Retina / Nessus, etc.
  • Before and after IPv6 – New Protocols and New Functions
    • Configuration Protocols
      • Structure and Analysis of DHCPv4 / DHCPv6
    • Resolving Addresses – DNS / DNSSec / MDNS / LMNR
      • Structure and Analysis of DNS / DNSSec / MDNS / LMNR
      • Common DNS Exploits, Attacks and Examples of Intrusion Signatures
    • The Network Layer – IPv4 / IPv6 / IPv10
      • Structure and Analysis of IPv4 vs. IPv6 vs. IPv10
      • IP Options – What’s the Big Deal?
      • Common IP Exploits and Examples of Intrusion Signatures
    • Utility and Troubleshooting Protocols – Internet Control Message Protocol (ICMPv4 / ICMPv6)
      • Structure and Analysis of ICMPv4 vs. ICMPv6
      • Network Analysis Using the ICMP Analysis – Types and Codes
      • Common ICMP Exploits and Examples of Intrusion Signatures
    • The Transport Layer – Moving the Data – TCP / UDP / SCTP / QUIC / SPDY
      • Structure and Advanced Analysis of TCP
      • TCP Options – What’s the Big Deal?
      • Advanced TCP Analysis Using Expert Systems
      • Structure and Advanced Analysis of UDP
      • Structure and Analysis of the new STCP
      • Google Transport Protocols SPDY / QUIC vii. Common Transport Layer Exploits and Examples of Intrusion Signatures
    • The Application Layer – Analyzing Common User Protocols
      • Email Applications Using POP / SMTP / IMAP
        • Structure and Analysis of the Email Cloud
        • Assembling and evaluating Email traffic
      • Web-Based Applications Using HTTP / HTTP2
        • Structure and Analysis of HTTP / HTTPS – Decrypting SSL
        • Response Codes – The answer to analyzing HTTP and the new HTTP2
        • Reassembling and Exporting of Objects
      • Financial Interexchange Protocol (FIX)
        • Structure and Analysis of FIX
      • ??Instant Messenger (IM) Applications
        • Structure and analysis of Messaging Protocols

V. Where do we go from Here?

  • Wireshark 0 – TCP/IP Networking Fundamentals Using Wireshark
  • Wireshark 1 – TCP/IP Network Analysis
  • Wireshark 2 – Advanced Network and Security Analysis
  • Wireshark 3 – Network Forensics Analysis
  • Wireshark 4 – Mobile Device Forensics Analysis
  • Wireshark 5 – Cloud and Internet of Things (IoT) Advanced Network Analysis
  • Wireshark 6 – VoIP Advanced Network Analysis
  • Wireshark 7 – WiFi Advanced Network Analysis
  • Wireshark 8 – SCADA and ICS Advanced Network Analysis