Troubleshooting with Wireshark

SharkFest 2015 Pre-Conference Event
LAURA CHAPPELL’S Troubleshooting with Wireshark®
• Master Wireshark to locate the source of network performance problems quickly.
• Use the 4-part troubleshooting methodology to catch problems.
• Customize Wireshark to detect problems with the click of a button.
• Rapidly identify and graph path delays and application delays.
• Use Wireshark’s Expert Infos to spot receiver congestion, the point of packet loss, out-of-order segments and more.
Hosted at the Computer History Museum, Mountain View, California
June 20-22, 2015 ● SharkFest 2015 Pre-Conference Event
Register at www.wiresharktraining.com/troubleshooting2015.html
CONTENTS
Who Should Attend
Course Topics
When and Where
  June 20-22, 2015
  Computer History Museum Mountain View, California
About Laura Chappell, Your Instructor
Tuition and Discount Schedule
Hotel Discount Booking and Details
Hands-On Training–Bring Your Own Laptop (BYOL)
Cancellation and Student Substitution Policy
Evening Event – SharkFest 2015 Registrants Only
About the All Access Pass ($699 Value)
  AAP Portal Features
  Sample Online Course List
Daily Schedule
  Saturday, June 20
  Sunday, June 21
  Monday, June 22
Detailed Content Outline
Hotel Information
Contact Us
WHO SHOULD ATTEND
This hands-on course is geared towards IT professionals, network engineers, and escalation teams
who need to find network problems quickly. If you are responsible for any of the following network
issues, this is the event for you!
Find the cause of slow file transfers
Optimize the network
Measure bandwidth use for an application or user
Identify problematic infrastructure devices
COURSE TOPICS
This hands-on course focuses on customization of Wireshark to identify numerous performance
issues including the following:
Connection Blocked or Refused
Application Request Refused
Slow Application Response Times
Server Application Faults
Content Redirection
TCP Receive Buffer Issues
Altered TCP Connection Attributes
Mismatched TCP Parameters
Weak Signal (WLAN)
Asymmetric Routing
Packet Loss in the Infrastructure
High Path Latency Measurements
Bandwidth Throttling
Delayed ACKs/Nagle Issue
Packets Queued along Path
Route Redirections
Virus/Malware on Network Hosts
Name Resolution Problems
Missing Selective Acknowledgment (SACK)
No Support for Window Scaling
Premature TCP Port Number Reuse
and more…
WHEN AND WHERE
June 20-22, 2015
See the Daily Schedule section for more details on daily start/end times.
Computer History Museum
Mountain View, California
Location:
1401 N Shoreline Blvd
Mountain View, California 94043
Closest Airports:
● San Jose Mineta Airport SJC (11 miles)
● San Francisco Airport SFO (25 miles)
● Oakland Airport OAK (33 miles)
Register online at www.wiresharktraining.com/troubleshooting2015.html
ABOUT LAURA CHAPPELL, YOUR INSTRUCTOR
Laura Chappell, Founder of Wireshark University and Chappell University, is renowned for her
Wireshark skills and ability to train in an entertaining manner. She is the author of several Wireshark
books including Wireshark Network Analysis: the Official Wireshark Certified Network Analyst Study
Guide, Wireshark 101: Essential Skills for Network Analysis, and Troubleshooting with Wireshark:
Locate the Source of Performance Problems.
Laura has been analyzing network traffic for over 20 years and has presented to thousands of State,
Federal and international law enforcement officers, judicial members, engineers, network
administrators, technicians and developers on the subject of “tapping into networks.”
Ms. Chappell’s customers include Apple, Cisco, Dell, HP, Microsoft, IBM, Lockheed Martin, McAfee
Corporation, US Arsenal, US Air Force, US Navy, NCIS, US Court of Appeals, United Bank of
Switzerland, Salesforce, SPAWAR, Symantec, Riverbed Technology, Palo Alto Networks, Australian
High Tech Crime Centre, Macau Police Department, Hong Kong Police Department, Qualcomm, and
more.
TUITION AND DISCOUNT SCHEDULE
Tuition covers all course materials, 1-year All Access Pass subscription, breakfast, lunch and break
refreshments, evening events and your Certificate of Completion.
Troubleshooting with Wireshark 3-Day Event: $1,095
Bundle Pricing (Pre-Conference Event AND SharkFest 2015 Entrance)
Early Bird Bundle Price (ends February 15, 2015): $2,090
Regular Bundle Price (after February 15, 2015): $2,390
Questions? Please email [email protected] or call +1 408-378-7841.
HOTEL DISCOUNT BOOKING AND DETAILS
Hotel expenses are not included. We are finishing up the SharkFest and pre-conference event hotel
contracts.
The weather should be fabulous so consider bringing the family to enjoy some Silicon Valley time.
HANDS-ON TRAINING–BRING YOUR OWN LAPTOP (BYOL)
This training event is hands-on. Bring your own laptop pre-configured with
the latest version of Wireshark [1].
You can download the latest stable version of Wireshark for Mac OS X,
Linux, or Windows from www.wireshark.org.
Ensure your laptop has a functional USB port as course materials will be
provided on a USB stick. DVD “just-in-case” versions will also be available at
the event, but not provided in the Student Kit.
CANCELLATION AND STUDENT SUBSTITUTION POLICY
If you are unable to attend your scheduled training class, please contact 1 (408) 378-7841. We
require fourteen (14) calendar days’ notice to cancel any registration (and provide refund for prepayment). Failure to provide the required notification will result in 100% charge of the course.
If a student does not attend a scheduled course without prior notification (“no show”) it will result in
full forfeiture of the funds.
Student substitutions are allowed, but we must be notified via email to [email protected] no less
than five (5) full business days before the start of the class (not including the class start date).
EVENING EVENT – SHARKFEST 2015 REGISTRANTS ONLY
When you register for both the 3-Day Troubleshooting with Wireshark event
and SharkFest 2015 (June 23-25, 2015), you will be invited to the
SharkFest 2015 Welcome Dinner taking place on June 22nd in the Grand Hall
of the Computer History Museum.
Register for both events and pick up your SharkFest 2015 badge on Monday,
June 22nd directly outside the Troubleshooting with Wireshark event.
[1] You will be advised in advance of the event if a specific version of Wireshark is required to avoid any current bugs or vulnerabilities.
ABOUT THE ALL ACCESS PASS ($699 VALUE)
The All Access Pass (AAP) one-year subscription enables you to take numerous online courses
whenever and wherever you want. In addition, you can join Laura Chappell live in a variety of online
events that happen through the year.
AAP Portal Features
Course Gradebooks indicate progress through your courses.
Print Course Certificates upon successful completion.
Download course documents and trace files for many classes.
Use the Chat feature to communicate with other students and the instructor.
Sample Online Course List
WCNA Exam Prep Questions
Lab Solutions for Wireshark 101: Essential Skills for Network Analysis
Analyzing the Window Zero Condition
Build Wireshark Filters from Snort Rules
Create a Security Profile
Find Stuff Fast with Wireshark Filter Expression Buttons
CS42: Hacked Hosts
CS43: Analyze and Improve Throughput
CS44: Top 10 Reasons Your Network is Slow
CS45: TCP Analysis in-Depth
CS46: DHCP/ARP Analysis
CS47: Nmap Network Scanning 101
CS48: Wireshark 101 Jumpstart
CS50: WLAN Analysis 101
AAP subscription access is provided in the
event Registration packets on Saturday,
June 20, 2015.
DAILY SCHEDULE
Class runs from 9am-5pm each day.
Saturday, June 20
8:00 am Coffee and Registration (Second Floor – Hahn Auditorium Lobby)
9:00 am Class begins (with morning break)
12:00 pm Lunch break (45 minutes)
12:45 pm Class resumes (with afternoon break)
5:00 pm Class day ends
Sunday, June 21
8:00 am Coffee (Second Floor – Hahn Auditorium Lobby)
9:00 am Class begins (with morning break)
12:00 pm Lunch break (45 minutes)
12:45 pm Class resumes (with afternoon break)
5:00 pm Class day ends
Monday, June 22
8:00 am Coffee (Second Floor – Hahn Auditorium Lobby)
9:00 am Class begins (with morning break)
12:00 pm Lunch break (45 minutes)
12:45 pm Class resumes (with afternoon break)
5:00 pm Class ends
5:30 pm SharkFest 2015 Welcome Dinner [2] (Grand Hall) - Badges required
[2] SharkFest 2015 Registrants only.
DETAILED CONTENT OUTLINE
The following outline defines the course content. The order in which materials are presented may be
altered to allow more complex topics to be presented earlier in the day.
Part 1: Troubleshooting Methodology
• Overview of the Four-Part Analysis Methodology
• Use Your Troubleshooting Checklist
Part 2: Master Key Wireshark Troubleshooting Tasks
• Create a Troubleshooting Profile
• Enhance the Packet List Pane Columns
• Change the Time Column Setting
• Filter on a Host, Subnet or Conversation
• Filter on an Application Based on Port Number
• Filter on Field Existence or a Field Value
• Filter OUT “Normal” Traffic (Exclusion Filters)
• Create Filter Expression Buttons
• Launch and Navigate Through the Expert Infos
• Change Dissector Behavior (Preference Settings)
• Find the Top Talkers
• Build a Basic IO Graph
• Add a Coloring Rule
Part 3: Capture Technique
• Tips on Choosing a Capture Location
• Tips for Working with Large Trace Files and High Throughput Networks
• Tips for Locating the Cause of Intermittent Problems
• Tips for Naming Your Trace Files
• Capture Options for a Switched Network
• Capture on High Traffic Rate Links
• Consider Your Wireless Capture Options
• Capture to a File Set in High Traffic Rate Situations
• Use Capture Filters when Necessary
• Command-Line Capture Techniques (Tshark/dumpcap)
Part 4: Identify TCP/IP Resolution Problems
• Name Resolution Problems
• Route Resolution Problems
• MAC Address Resolution Problems
Part 5: Troubleshoot with Time
• Avoid the Distractions of “Normal” or Acceptable Delays
• Detect Delays in UDP Conversations
• Detect Delays in TCP Conversations
• Identify High DNS Response Time
• Identify High HTTP Response Time
• Identify High SMB/SMB2/SMB3 Response Time
Part 6: Identify Problems Using Wireshark’s Expert
• Understand Wireshark’s Expert Infos System/Dissector Designations
• Previous Segment Not Captured
• Duplicate ACKs
• Out-of-Order Packets
• Fast Retransmissions
• Retransmissions
• Spurious Retransmissions
• ACKed Unseen Segment
• Keep Alive and Keep Alive ACK
• Zero Window
• Window Full
• Zero Window Probe and Zero Window Probe ACK
• Window Update
• Reused Ports
• Checksum Errors
Part 7: Identify Application Errors
• Detect DNS Errors
• Detect HTTP Errors
• Detect SMB/SMB2 Errors
• Detect SIP Errors
• Detect Error Responses of Other Applications
Part 8: Master Basic and Advanced IO Graph Functions
• Graph and Compare Conversation Throughput
• Graph Application Traffic
• Use CALC Functions on the Advanced IO Graph
Part 9: Graph Throughput Problems
• Detect Consistently Low Throughput due to Low Packet Sizes
• Identify Queuing Delays along a Path
• Correlate Drops in Throughput with TCP Problems (the “Golden Graph”)
Part 10: Graph Time Delays
• Graph High Delta Times (UDP-Based Application)
• Graph High TCP Delta Time (TCP-Based Application)
Part 11: Graph Other Network Problems
• Graph Window Size Problems
• Graph Packet Loss and Recovery
Part 12: Working with Command Line Tools and 3rd Party Tools
• Export Packet List Pane Columns to CSV Format
• Export Your Trace File/Packet Comments Report
• Sanitize Trace Files
HOTEL INFORMATION
Hotel 1: Wild Palms
408.738.0500
910 East Fremont Avenue
Sunnyvale, CA 94087
$159 USD + tax June 19-21, 2015 (Friday, Sunday)
$169 USD + tax June 22-24, 2015 (Monday thru Wednesday)
Plus applicable state and local taxes (currently 10.565%)
Hotel Amenities
The Wild Palms hotel features two spectacular courtyards and guestrooms decorated in a festive
bungalow style. The hotel’s Mediterranean-inspired atmosphere is accented by tropical foliage,
exquisite mosaics, dramatic murals and handcrafted furnishings. Breakfast, parking, and high-speed
wireless internet are included in the SharkFest 2015 room rate. The Wild Palms is located 7.3 miles
from the Computer History Museum.
The Wild Palms will house Wireshark core development staff and is the recommended hotel for your
stay during the conference. A limited number of rooms are available on a first-come, first-served
basis, so please reserve yours as soon as possible.
Method of Reservations
Group Code for the SharkFest 2015 Room Block June 19-25, 2015 is SHARKFEST2015.
Reservations for the Group will be made by individual attendees directly with the Hotel at 408-738-0500 or online via the Group Code by going to www.wildpalmshotel.com, then (a) select your check
in and check out dates, (b) enter the Group Code where it says "group id", and (c) click on "Book Your
Stay."
Cutoff Date for SharkFest Room Rate
The Cut-off Date is Midnight, Saturday, June 1st, 2015. Any reservation requests made after the Cut-off Date will be accepted subject to room and rate availability.
Hotel Room Cancellation Policy
Any changes and/or cancellations made to group individual reservations must be made through the
reservations department 72 hours prior to arrival. Group individual reservations changed and/or
canceled within 72 hours prior to arrival are subject to availability and will be charged for the entire
amount of the original reservation. Additional room reductions include, but are not limited to,
cancellations and changes in arrival or departure dates. All no-shows will be billed even if the guest
arrives at a later date.
Hotel 2: Maple Tree Inn
408.720.9700
711 East El Camino Real
Sunnyvale, CA 94087
$159 USD + tax (10.565%) June 19-25, 2015
Hotel Info
The Maple Tree Inn is contemporary and elegant. Enjoy the
meaning of comfort at the Maple Tree Inn in Sunnyvale. The
Maple Tree Inn offers stylish oversized accommodations
with value-added services and amenities. Breakfast,
parking, and high-speed wireless internet are included in the
SharkFest 2015 room rate. The Maple Tree Inn is located
5.70 miles from the Computer History Museum.
Single or Double occupancy in Deluxe Queen/Queen, Single
Queen or King room.
The hotel has 170 guest rooms and a nice, large pool patio area with a fire pit.
Hotel Amenities
• Guest Laundry
• Fitness Center
• Lobby Computer/Printer
• Outdoor Heated Pool
• Hot Tub
• BBQ, Fire Pit, Wet Bar
• Complimentary Hospitality Reception Mon-Thurs
• Every room has a microwave, refrigerator, hair dryer, umbrella, iron and full ironing board
Cutoff Date for SharkFest Room Rate
The Cut-off Date is: Midnight, Saturday, June 1st, 2015. Any reservation requests made after the Cut-off Date will be accepted subject to room and rate availability.
Method of Reservations
Group Code for the SharkFest 2015 Room Block June 19-25, 2015 is 603.
Hotel Cancellation Policy
Individual reservations within a group may cancel 3 days before arrival with no penalty.
CONTACT US
Do you have any questions about this event?
Please feel free to contact us directly.
Email: [email protected]
Phone: 1 (408) 378-7841
Fax: 1 (408) 378-7891
5339 Prospect Road, #343
San Jose, California 95129 USA