2026-03-28 sf26us 2026-07-18 2026-07-23 6 00:05 https://conference.wireshark.org https://conference.wireshark.org/media/sharkfest-25-us/img/sf_logo_big_Xf7UCdI.png CST6CDT Room 1 Pre Conference Class 2026-07-18T09:00:00-05:00 09:00 08:00 **Hands on Wireshark Lab and Wireshark Certified Analyst Prep** Practical Wireshark Troubleshooting is a two-day, hands-on course designed to strengthen your packet analysis and troubleshooting skills. On Day 1, Ross Bagurdes guides you through Wireshark’s key features, capture methods, filtering techniques, and foundational protocols at the Data Link and Network layers. On Day 2, Chris Greer takes you deeper into Transport and Application layer analysis, focusing on TCP, UDP, and the tools that uncover real-world performance problems. By the end, you’ll know how to approach network issues with confidence — and be better prepared for the Wireshark Certified Analyst exam. sf26us-189-0-pre-conference-class-i-practical-wireshark-skills-for-it-professionals Pre-conference class Ross BagurdesChris Greer en Level up your Wireshark skills and get ready for Sharkfest! This hands-on course will provide core Wireshark skills for IT pros of all experience levels. Participants will gain a solid understanding of how to use Wireshark to capture, analyze, and troubleshoot network traffic. The course is designed with beginners in mind, but even seasoned packet people will pick up new tips and tricks. true https://conference.wireshark.org/sf26us/talk/BSA8P7/ https://conference.wireshark.org/sf26us/talk/BSA8P7/feedback/ Room 1 Pre Conference Class 2026-07-19T09:00:00-05:00 09:00 08:00 **Hands on Wireshark Lab and Wireshark Certified Analyst Prep** Practical Wireshark Troubleshooting is a two-day, hands-on course designed to strengthen your packet analysis and troubleshooting skills. On Day 1, Ross Bagurdes guides you through Wireshark’s key features, capture methods, filtering techniques, and foundational protocols at the Data Link and Network layers. On Day 2, Chris Greer takes you deeper into Transport and Application layer analysis, focusing on TCP, UDP, and the tools that uncover real-world performance problems. By the end, you’ll know how to approach network issues with confidence — and be better prepared for the Wireshark Certified Analyst exam. sf26us-189-1-pre-conference-class-i-practical-wireshark-skills-for-it-professionals Pre-conference class Ross BagurdesChris Greer en Level up your Wireshark skills and get ready for Sharkfest! This hands-on course will provide core Wireshark skills for IT pros of all experience levels. Participants will gain a solid understanding of how to use Wireshark to capture, analyze, and troubleshoot network traffic. The course is designed with beginners in mind, but even seasoned packet people will pick up new tips and tricks. true https://conference.wireshark.org/sf26us/talk/BSA8P7/ https://conference.wireshark.org/sf26us/talk/BSA8P7/feedback/ Room 1 Pre Conference Class 2026-07-20T09:00:00-05:00 09:00 08:00 Stratoshark brings Wireshark-style visibility to the Linux system, letting you see what's happening inside the OS alongside the network traffic it generates. In this hands-on workshop, you'll learn to use sysdig and Stratoshark to trace system calls, correlate them with packet data, and answer questions that packets alone can't — like which process handled a connection or how a service behaved under load. Designed for network engineers ready to go one level deeper, the session blends short lectures with guided exercises using cloud-based lab systems. You'll leave with a working understanding of Stratoshark and the confidence to begin using it in your own analysis. sf26us-190-pre-conference-class-ii-introduction-to-stratoshark-for-network-engineers Pre-conference class Josh Clark en false https://conference.wireshark.org/sf26us/talk/A3PJVZ/ https://conference.wireshark.org/sf26us/talk/A3PJVZ/feedback/ Room 1 Dinner 2026-07-20T17:30:00-05:00 17:30 03:00 Let's kick-off the conference in style! sf26us-186-sharkfest-26-us-welcome-dinner-sponsor-showcase Organization en SharkFest'26 US Welcome Dinner & Sponsor Showcase false https://conference.wireshark.org/sf26us/talk/X73HTY/ https://conference.wireshark.org/sf26us/talk/X73HTY/feedback/ Room 1 Organization 2026-07-21T09:00:00-05:00 09:00 01:00 Gerald Combs & Friends talk about the new developments over the past year sf26us-191-things-i-love-about-wireshark-and-maybe-a-couple-of-things-i-don-t Organization en false https://conference.wireshark.org/sf26us/talk/H89ETP/ https://conference.wireshark.org/sf26us/talk/H89ETP/feedback/ Room 1 Presentation 2026-07-21T10:15:00-05:00 10:15 01:00 When systems have problems often times engineers say it is a network problem… and they’ll say this without any actual data pointing the finger at the network. Sometimes it is a blamestorming session – database group is blaming the network, network is blaming the software, software is blaming the hardware speed, and hardware is blaming the database. When this happens, the best thing to do is kick everyone out of the room, sniff the data, and see where/what the bottleneck is. More often than not it isn’t one particular thing but the interactions between two endpoints that just don’t completely like each other. Identifying that is the first step in getting the right groups talking to each other and resolving the root of the issue. In this talk I’ll setup N real world scenarios, describe the problem, show the captured data and how if you ask the capture in the right way how the problem will reveal itself. sf26us-165-don-t-blame-the-network-ask-the-network Intermediate /media/sharkfest-25-us/submissions/M8KMKW/Teaser_K1luPWE.PNG David Soussan en false https://conference.wireshark.org/sf26us/talk/M8KMKW/ https://conference.wireshark.org/sf26us/talk/M8KMKW/feedback/ Room 1 Presentation 2026-07-21T11:30:00-05:00 11:30 01:00 **Lessons learned in troubleshooting Westpac Bank application issues using Wireshark** Westpac bank in Australia has a vast number of applications that traverse our network and interact with multiple network components. It is not uncommon to have intermittent failures that involve interactions with F5 load balancers and firewalls, subtle TLS handshake failures, unsuitable TCP configuration settings, VOIP application dropouts, international (MQSeries based) messaging performance issues and communication channel drops, poorly performing & failed file transfer failures etc. We will show how Wireshark helped locate root cause or prove "it's not the network". sf26us-169-lessons-learned-in-troubleshooting Intermediate /media/sharkfest-25-us/submissions/PKFXEY/WestpacPresentationWireshark_NHfwrUx.png Kevin Tobin en false https://conference.wireshark.org/sf26us/talk/PKFXEY/ https://conference.wireshark.org/sf26us/talk/PKFXEY/feedback/ Room 1 Presentation 2026-07-21T13:30:00-05:00 13:30 01:00 Finding and counting packet losts in each layer sf26us-166-lost-in-transmission Intermediate Megumi Takeshita en Packets lost occur in many situations, showing the shape in various layers. Differences in the number of packets between the passive start tap. (layer1,2) The same IPID and a different offset as disappearance in the packet buffer in the router processing Retransmission of TCP segments as a result of a traffic jam. UDP application works with packet loss. In this session, you can learn the major case of packet loss and you can find the way to find and count packet loss and retransmissions. Megumi shares the best way to understand invisible packet losses with Wireshark! false https://conference.wireshark.org/sf26us/talk/SAY8D9/ https://conference.wireshark.org/sf26us/talk/SAY8D9/feedback/ Room 1 Presentation 2026-07-21T14:45:00-05:00 14:45 01:00 "Something is wrong with the network. I used to get 4Gbps transfers but now I'm only getting 120Mbps. Did you change something recently?" Sound familiar? If you've spent any time supporting production systems, you've probably heard some variation of this complaint. Before jumping to conclusions about where the problem lies, we need to understand what's actually happening at the TCP layer on both endpoints. sf26us-196-wireshark-the-prequel-what-to-do-before-you-look-at-a-capture Intermediate Rob MacDonald en This presentation is inspired by a series of articles I wrote on LinkedIn focused on practical, real world troubleshooting of application network performance issues. Instead of deep diving in to packet captures, this presentation will highlight the various tools and metrics available on Linux systems that help engineers and administrators pinpoint the true source(s) of application performance problems when "the network" is blamed. We will focus on how packets are processed in a Linux system from the NIC, through the OS, up to the application. We will then take a closer look at TCP itself, utilizing native Linux tooling to introspect on individual TCP socket performance. This TCP socket introspection will dive in to each socket's calculated network latency (RTT), packet sizing (MTU and MSS), and packet loss (retransmissions, SACK, duplicate ACKs false https://conference.wireshark.org/sf26us/talk/XPYXAB/ https://conference.wireshark.org/sf26us/talk/XPYXAB/feedback/ Room 1 Organization 2026-07-21T16:00:00-05:00 16:00 01:00 Innovation doesn’t always start with a perfectly reasonable idea—sometimes it starts with something gloriously absurd. This session invites both developers and users to surface their most unconventional, impractical, or outright bizarre ideas for Wireshark and packet analysis. Nothing is too silly, too quirky, or too infeasible to share. By creating a space free of judgment and full of curiosity, we open the door to unexpected breakthroughs. 99 wild suggestions may go nowhere… but the 100th can trigger a spark that becomes a feature, a tool, or even a whole new product direction. Join us for an hour where creativity takes the wheel, seriousness stays at the shore, and every idea—no matter how ridiculous—gets its moment in the water. sf26us-197-feeding-frenzy-of-wild-ideas-when-sharks-brainstorm Beginner /media/sf26us/submissions/FYWGV9/shark_waci_j4GEXty.png en *Goal:* Generate offbeat, humorous, impossible or “why would anyone even…” suggestions that just might reveal a surprisingly valuable insight for Wireshark’s future capabilities. *Format:* * Why absurd ideas matter. * Warm Up * Open SharkTank * The ‘Maybe…’ scan *Ground Rules:* * All ideas are welcome. * No shooting down concepts—only building on them. * Humor encouraged; feasibility optional. * The wilder, the better. *Who Should Attend:* Anyone who uses Wireshark, contributes to it, builds tooling around it, or likes thinking sideways. No technical depth required—just curiosity and a willingness to have fun. false https://conference.wireshark.org/sf26us/talk/FYWGV9/ https://conference.wireshark.org/sf26us/talk/FYWGV9/feedback/ Room 1 Presentation 2026-07-21T17:15:00-05:00 17:15 01:00 Ever wondered what really happens inside a power substation during everyday operations? In this session, we’ll take a dynamic “flyover” of a small-to-medium-sized substation, exploring critical points where power and data intersect and uncovering the interactions that keep the power system stable and responsive. We’ll look at how these elements work together to keep the lights on—and how their digital nervous system communicates in real time. To bring it all together, we’ll walk through a real-world power system event, following the flow of communication from the initial fault detection all the way to the control center’s response and back to the field. Along the way, we’ll decode how these messages orchestrate recovery and maintain reliability. Whether you’re a packet sleuth or a power systems enthusiast, this session gives you a front-row seat to the intersection of operational technology and network analysis. sf26us-199-packets-in-the-power-grid-a-journey-inside-the-substation Beginner /media/sf26us/submissions/LRBBM8/Packets_in_the_Power_Grid_Lopez_Session_Image_tfk_TO2yCQv.webp Daniel Lopez en false https://conference.wireshark.org/sf26us/talk/LRBBM8/ https://conference.wireshark.org/sf26us/talk/LRBBM8/feedback/ Room 1 Dinner 2026-07-21T18:30:00-05:00 18:30 03:00 Sponsor Showcase and dinner sf26us-187-sponsor-technology-showcase-reception-and-dinner Organization en false https://conference.wireshark.org/sf26us/talk/WNWRRU/ https://conference.wireshark.org/sf26us/talk/WNWRRU/feedback/ Room 2 Presentation 2026-07-21T13:30:00-05:00 13:30 01:00 Engineers at Pacific Northwest National Laboratory (PNNL) have been working to add support for MAC Privacy Protection protocol (IEEE 802.1AEdk) to the Linux kernel. MAC Privacy is a Layer 2 protocol intended primarily for use with MAC Security (IEEE 802.1AE) which can modify network traffic metadata including source and destination addresses, timing, and volume. Engineers decided early that having the ability to dissect this new network protocol in Wireshark would not only aid development and testing but also eventually be expected by the community. In this talk, engineers at PNNL present a new Wireshark dissector plugin for handling MAC Privacy protocol. They cover the plugin and its features as well as the pros and cons of developing a Wireshark plugin in Rust. sf26us-201-mac-privacy-protocol-wireshark-plugin Expert / Developer Cameron Smith en false https://conference.wireshark.org/sf26us/talk/PDJYJ9/ https://conference.wireshark.org/sf26us/talk/PDJYJ9/feedback/ Room 2 Presentation 2026-07-21T14:45:00-05:00 14:45 01:00 we'll walk through how a device connects to an LTE network, from initial access to an active data session, and examined the packet flows that make that connection possible. We also look at how 3GPP protocols structure this communication and how tunneling is used to carry traffic across the network. Providing a clearer understanding of how LTE networks operate and explore similar concepts as they evolve into 5G. sf26us-202-understanding-lte-5g-3gpp-packet-flow-and-network-analysis Intermediate Mark Stout en false https://conference.wireshark.org/sf26us/talk/RKVN3B/ https://conference.wireshark.org/sf26us/talk/RKVN3B/feedback/ Room 1 Presentation 2026-07-22T09:00:00-05:00 09:00 01:00 Before the rise of the internet (mid 1980s through the mid 1990’s , the packet and protocol ecosystem was much different than it was today. Many of the protocols have now gone extinct and new ones have risen in their place. Moving from the world of serial protocols (e.g. HDLC/SDLC) to the Internet stack was a seismic shift, but the need to understand what’s on the wire only became more important. What the transition was like, and why Wireshark was crucial in enabling it. sf26us-200-keynote-packets-through-the-ages-a-personal-story Beginner Peter Jones en false https://conference.wireshark.org/sf26us/talk/3BTBPN/ https://conference.wireshark.org/sf26us/talk/3BTBPN/feedback/ Room 1 Presentation 2026-07-22T10:15:00-05:00 10:15 01:00 Want to test network scenarios, learn protocols, or debug configurations without expensive hardware? This hands-on session shows how to build realistic network environments using modern containerization and virtualization tools. We'll explore different approaches to spin up multi-vendor topologies on your laptop, capture traffic between simulated devices, and understand what works (and what doesn't) in virtual environments. sf26us-193-from-zero-to-captures-setting-up-your-own-network-simulation-lab Intermediate Roland Knall en Ever wanted to test a complex routing scenario, understand how a specific protocol behaves under certain conditions, or simply learn networking concepts without investing in expensive hardware? Network simulation offers a powerful alternative - your laptop becomes a complete network lab. In this practical, hands-on session, you'll discover how to create your own virtual network environments where you can safely experiment, break things, and learn. We'll start from scratch and build up to capturing real traffic between simulated network devices, showing you exactly what's possible with modern tools and where the boundaries lie. **What You'll Experience:** The session begins with the fundamentals: why simulate networks, what scenarios benefit most from simulation, and what the realistic expectations are. You'll see live demonstrations of creating network topologies - routers, switches, and hosts - all running on a single machine. We'll capture traffic between these virtual devices using Wireshark, examining how packets flow through simulated networks. A key focus will be understanding the difference between simulated and physical networks. What traffic patterns look like in virtual environments vs. real hardware, which protocols behave identically and which don't, and when timing and performance characteristics matter. You'll learn to recognize these differences in your captures. We'll explore practical integration scenarios: connecting your physical monitoring tools to virtual networks, setting up capture points in containerized environments, and understanding device-in-the-loop testing where virtual and physical components work together. This is especially relevant for anyone working with network TAPs, packet brokers, or monitoring solutions who want to test configurations before deploying to production. false https://conference.wireshark.org/sf26us/talk/3YYFJM/ https://conference.wireshark.org/sf26us/talk/3YYFJM/feedback/ Room 1 Presentation 2026-07-22T11:30:00-05:00 11:30 01:00 Ever have a client fail to find an Apple TV? Or have slow or stuttering streaming? Well, then look no more! AirPlay and other casting protocols are surprisingly complex, but with the help of packets, you can feel more confident troubleshooting. sf26us-195-media-casting-protocols-everything-airplay-airdrop-and-wi-fi-aware Intermediate Eva Santos en We will walk through: -AirPlay vs AirDrop -The five phases of AirPlay -How to troubleshoot the phases over packet capture (802.11, BLE) and MacBook console -The changes to AirPlay above iOS 26 and Android support -Alternatives to AirPlay such as Wi-Fi Aware and Miracast, differences over in packet captures false https://conference.wireshark.org/sf26us/talk/VAHVRB/ https://conference.wireshark.org/sf26us/talk/VAHVRB/feedback/ Room 1 Packetdoctors Session 2026-07-22T13:30:00-05:00 13:30 01:30 The experts on this panel have been asked to look at a trace file and help find a reason for certain behaviors by attendees at many SharkFests. Based on this, they’ve decided to create a public forum for examining individual trace files with a broader audience for a collective learning experience. Trace files will be gathered from attendees prior to SharkFest and only given to the panel members during the session so that the “not- knowing what to expect and whether it can be solved” experience of working through an unknown trace file can be preserved. Come to this session and learn to ask the right questions and look at packets in different ways. PLEASE SEND PERPLEXING TRACE FILES FOR ANALYSIS BY THE PANEL TO jasper@packet-foo.com PRIOR TO SHARKFEST! sf26us-194-the-packet-doctors-are-in-packet-trace-examinations-with-the-experts en true https://conference.wireshark.org/sf26us/talk/A7BFDV/ https://conference.wireshark.org/sf26us/talk/A7BFDV/feedback/ Room 1 Presentation 2026-07-22T15:15:00-05:00 15:15 01:00 The Open Markets Initiative (OMI) has generated millions of lines of Lua dissector code for hundreds of binary electronic-trading protocols. This talk explains how we model binary protocols and why binary protocols form their own field of computer science. We will look at real exchange protocols covering how we go from a messy pdf spec to a Wireshark dissector. The session traces the evolution of code generation from early source generators to OMI’s advanced binary data modeling, showing how this shift enabled a large ecosystem of accurate, production-grade dissectors maintained through crowdsourcing. Along the way, we’ll examine what makes a scalable binary dissector, why protocol-driven development changes the rules, and how Wireshark helped form the OMI. sf26us-198-from-specs-to-packets-generating-binary-exchange-dissectors-at-scale Intermediate /media/sf26us/submissions/FTMZDH/Logo_zB5ntT7_EeoWRFg_99P09kh.webp William Tegel en This talk presents the Open Markets Initiative (OMI) as a research platform built around a protocol-driven approach to dissector generation. OMI has produced over four million lines of Lua dissectors for real-world binary exchange protocols. The core idea is that the protocol binary data model itself, not the dissector, is the primary artifact. Once the protocol is captured in a structured, reusable form, multiple classes of tooling can be generated from it, with Wireshark dissectors as a key output. We will examine several classes of exchange protocols and show how OMI’s generator differs from earlier iterations of code generation tools, “generations of generators.” Instead of emitting code from message templates, flat schemas or other domain specific languages, our binary data models encode protocol semantics, constraints, and structural variation explicitly. This allows families of related protocols to share definitions, makes version evolution tractable, and produces dissectors that are both predictable and auditable. Using real examples, we’ll show how generator design choices directly affect correctness, maintainability, and crowd contribution. The entire electronic trading industry benefits from the open-source Wireshark and dissector ecosystem. Many exchange protocols are underspecified, implicitly defined, or guarded by information barriers. OMI turns reverse-engineering knowledge into shared specifications that can be reviewed, improved, and extended collaboratively. That process has led to a rapid expansion of accurate, production-grade dissectors, many of which are now relied on as primary analysis tools in the electronic-trading ecosystem. The session is aimed at attendees interested in protocol modeling, code generation, advanced dissector design, and the ways open tooling can transform opaque binary systems into observable, debuggable infrastructure. false https://conference.wireshark.org/sf26us/talk/FTMZDH/ https://conference.wireshark.org/sf26us/talk/FTMZDH/feedback/ Room 1 Presentation 2026-07-22T16:30:00-05:00 16:30 01:00 The use of Network Address Translation in networks is unavoidable. In this session, we will examine the different use cases of NAT and the design and application of those use cases. We will use Wireshark to examine how NAT modifies fields in the IP and TCP header and how that can aid/hinder network troubleshooting. Attendees can expect an interactive session where we work together to understand the details of NAT operation and usage. sf26us-204-examining-nat-behavior-with-wireshark-wca-core-topic Beginner Ross Bagurdes en false https://conference.wireshark.org/sf26us/talk/SJTHY9/ https://conference.wireshark.org/sf26us/talk/SJTHY9/feedback/ Room 1 Dinner 2026-07-22T18:30:00-05:00 18:30 03:00 Sponsor showcase and dinner sf26us-188-sponsor-technology-showcase-reception-and-dinner Organization en false https://conference.wireshark.org/sf26us/talk/WVUP7Q/ https://conference.wireshark.org/sf26us/talk/WVUP7Q/feedback/ Room 2 Presentation 2026-07-22T15:15:00-05:00 15:15 01:00 Packet analysis tools present traffic as linear sequences, requiring analysts to reconstruct relationships mentally. This session introduces a topology-based approach that visualises PCAP data as a graph of hosts and interactions, enabling immediate structural understanding. Using real examples, including DNS failure caused by misconfigured routing, we compare traditional packet list workflows with topology-driven analysis. The approach reduces cognitive load, accelerates diagnosis, and highlights patterns that are difficult to see in sequential views. The session includes live demonstrations showing how analysts can move from packet inspection to structural reasoning, and how this reasoning can be captured as guided investigative workflows embedded directly within the analysis environment. sf26us-203-topology-based-pcap-analysis-faster-insight-beyond-packet-lists Intermediate /media/sf26us/submissions/8BDMAY/gt_ultimate_LIr7eeJ_5qbCS1x.webp Ryan Younger en Traditional packet analysis relies on sequential inspection of frames, which can obscure higher-level structure and slow down diagnosis, particularly for less experienced analysts. However, network behaviour is inherently relational, involving hosts, conversations, and protocol groupings. This session presents a practical approach to PCAP analysis using real-time topology visualisation. Instead of focusing on individual packets, traffic is represented as a graph of nodes (hosts) and edges (conversations), allowing analysts to immediately identify communication patterns, dependencies, and anomalies. A core case study will demonstrate a DNS resolution failure caused by a misconfigured gateway. In a standard packet list, this requires careful inspection of ARP requests, repeated DNS queries, and missing responses. In a topology view, the same issue is visible at a glance: a central host attempting external communication, combined with a misleading local dependency and no successful continuation. The session will show how topology-based analysis: Reduces cognitive load by externalising relationships Accelerates identification of failure patterns Supports both novice learning and expert triage workflows Complements, rather than replaces, traditional packet inspection Attendees will leave with a new mental model for analysing network traffic, and practical techniques for integrating structural reasoning into their existing workflows. false https://conference.wireshark.org/sf26us/talk/8BDMAY/ https://conference.wireshark.org/sf26us/talk/8BDMAY/feedback/ Room 1 Organization 2026-07-23T09:00:00-05:00 09:00 01:00 SharkBytes consist of “little crunchy bits of wisdom.” Like popular TED talks, SharkBytes aim to inform, inspire, surprise, and delight by delivering a speech on a personal topic in under 5 minutes. Information and a review of past SharkByte presentations can be found https://sharkfest.wireshark.org/sharkbytes Email us your SharkByte session idea: sharkfest@wireshark.org sf26us-192-sharkbytes Organization en false https://conference.wireshark.org/sf26us/talk/EUUK7H/ https://conference.wireshark.org/sf26us/talk/EUUK7H/feedback/