Stratoshark brings Wireshark-style visibility to the Linux system, letting you see what's happening inside the OS alongside the network traffic it generates. In this hands-on workshop, you'll learn to use sysdig and Stratoshark to trace system calls, correlate them with packet data, and answer questions that packets alone can't — like which process handled a connection or how a service behaved under load. Designed for network engineers ready to go one level deeper, the session blends short lectures with guided exercises using cloud-based lab systems. You'll leave with a working understanding of Stratoshark and the confidence to begin using it in your own analysis.
Let's kick off the conference in style!
Gerald Combs & Friends talk about the new developments over the past year
When systems have problems, engineers often say it is a network problem, and they'll say this without any actual data pointing the finger at the network. Sometimes it is a blamestorming session: the database group is blaming the network, the network is blaming the software, the software is blaming the hardware speed, and the hardware is blaming the database.
When this happens, the best thing to do is kick everyone out of the room, sniff the data, and see where and what the bottleneck is. More often than not it isn't one particular thing but the interactions between two endpoints that just don't completely like each other. Identifying that is the first step in getting the right groups talking to each other and resolving the root of the issue.
In this talk I'll set up N real-world scenarios, describe the problem, show the captured data, and show how, if you ask the capture in the right way, the problem will reveal itself.
Lessons learned in troubleshooting Westpac Bank application issues using Wireshark
Westpac Bank in Australia has a vast number of applications that traverse our network and interact with multiple network components. It is not uncommon to have intermittent failures that involve interactions with F5 load balancers and firewalls, subtle TLS handshake failures, unsuitable TCP configuration settings, VoIP application dropouts, international (MQSeries-based) messaging performance issues and communication channel drops, poorly performing and failed file transfers, etc. We will show how Wireshark helped locate the root cause or prove "it's not the network".
Finding and counting packet losses in each layer
Engineers at Pacific Northwest National Laboratory (PNNL) have been working to add support for MAC Privacy Protection protocol (IEEE 802.1AEdk) to the Linux kernel. MAC Privacy is a Layer 2 protocol intended primarily for use with MAC Security (IEEE 802.1AE) which can modify network traffic metadata including source and destination addresses, timing, and volume. Engineers decided early that having the ability to dissect this new network protocol in Wireshark would not only aid development and testing but also eventually be expected by the community. In this talk, engineers at PNNL present a new Wireshark dissector plugin for handling MAC Privacy protocol. They cover the plugin and its features as well as the pros and cons of developing a Wireshark plugin in Rust.
We'll walk through how a device connects to an LTE network, from initial access to an active data session, and examine the packet flows that make that connection possible. We also look at how 3GPP protocols structure this communication and how tunneling is used to carry traffic across the network. This provides a clearer understanding of how LTE networks operate and explores similar concepts as they evolve into 5G.
"Something is wrong with the network. I used to get 4Gbps transfers but now I'm only getting 120Mbps. Did you change something recently?"
Sound familiar? If you've spent any time supporting production systems, you've probably heard some variation of this complaint. Before jumping to conclusions about where the problem lies, we need to understand what's actually happening at the TCP layer on both endpoints.
Innovation doesn’t always start with a perfectly reasonable idea—sometimes it starts with something gloriously absurd. This session invites both developers and users to surface their most unconventional, impractical, or outright bizarre ideas for Wireshark and packet analysis. Nothing is too silly, too quirky, or too infeasible to share.
By creating a space free of judgment and full of curiosity, we open the door to unexpected breakthroughs. 99 wild suggestions may go nowhere… but the 100th can trigger a spark that becomes a feature, a tool, or even a whole new product direction.
Join us for an hour where creativity takes the wheel, seriousness stays at the shore, and every idea—no matter how ridiculous—gets its moment in the water.
Ever wondered what really happens inside a power substation during everyday operations? In this session, we’ll take a dynamic “flyover” of a small-to-medium-sized substation, exploring critical points where power and data intersect and uncovering the interactions that keep the power system stable and responsive.
We’ll look at how these elements work together to keep the lights on—and how their digital nervous system communicates in real time.
To bring it all together, we’ll walk through a real-world power system event, following the flow of communication from the initial fault detection all the way to the control center’s response and back to the field. Along the way, we’ll decode how these messages orchestrate recovery and maintain reliability. Whether you’re a packet sleuth or a power systems enthusiast, this session gives you a front-row seat to the intersection of operational technology and network analysis.
Sponsor Showcase and dinner
Before the rise of the internet (mid-1980s through the mid-1990s), the packet and protocol ecosystem was much different than it is today. Many of the protocols have now gone extinct and new ones have risen in their place.
Moving from the world of serial protocols (e.g. HDLC/SDLC) to the Internet stack was a seismic shift, but the need to understand what’s on the wire only became more important.
This talk covers what the transition was like, and why Wireshark was crucial in enabling it.
Want to test network scenarios, learn protocols, or debug configurations without expensive hardware? This hands-on session shows how to build realistic network environments using modern containerization and virtualization tools. We'll explore different approaches to spin up multi-vendor topologies on your laptop, capture traffic between simulated devices, and understand what works (and what doesn't) in virtual environments.
Ever have a client fail to find an Apple TV? Or have slow or stuttering streaming?
Well, then look no more! AirPlay and other casting protocols are surprisingly complex, but with the help of packets, you can feel more confident troubleshooting.
The experts on this panel have been asked by attendees at many SharkFests to look at a trace file and help find a reason for certain behaviors. Based on this, they've decided to create a public forum for examining individual trace files with a broader audience for a collective learning experience. Trace files will be gathered from attendees prior to SharkFest and only given to the panel members during the session so that the "not-knowing what to expect and whether it can be solved" experience of working through an unknown trace file can be preserved.
Come to this session and learn to ask the right questions and look at packets in different ways.
PLEASE SEND PERPLEXING TRACE FILES FOR ANALYSIS BY THE PANEL TO [email protected] PRIOR TO SHARKFEST!
The Open Markets Initiative (OMI) has generated millions of lines of Lua dissector code for hundreds of binary electronic-trading protocols. This talk explains how we model binary protocols and why binary protocols form their own field of computer science. We will look at real exchange protocols, covering how we go from a messy PDF spec to a Wireshark dissector. The session traces the evolution of code generation from early source generators to OMI's advanced binary data modeling, showing how this shift enabled a large ecosystem of accurate, production-grade dissectors maintained through crowdsourcing. Along the way, we'll examine what makes a scalable binary dissector, why protocol-driven development changes the rules, and how Wireshark helped form the OMI.
Packet analysis tools present traffic as linear sequences, requiring analysts to reconstruct relationships mentally. This session introduces a topology-based approach that visualises PCAP data as a graph of hosts and interactions, enabling immediate structural understanding.
Using real examples, including DNS failure caused by misconfigured routing, we compare traditional packet list workflows with topology-driven analysis. The approach reduces cognitive load, accelerates diagnosis, and highlights patterns that are difficult to see in sequential views.
The session includes live demonstrations showing how analysts can move from packet inspection to structural reasoning, and how this reasoning can be captured as guided investigative workflows embedded directly within the analysis environment.
The use of Network Address Translation in networks is unavoidable. In this session, we will examine the different use cases of NAT and the design and application of those use cases. We will use Wireshark to examine how NAT modifies fields in the IP and TCP header and how that can aid/hinder network troubleshooting. Attendees can expect an interactive session where we work together to understand the details of NAT operation and usage.
Sponsor showcase and dinner
SharkBytes consist of “little crunchy bits of wisdom.” Like popular TED talks, SharkBytes aim to inform, inspire, surprise, and delight by delivering a speech on a personal topic in under 5 minutes.
Information and a review of past SharkByte presentations can be found at https://sharkfest.wireshark.org/sharkbytes
Email us your SharkByte session idea: [email protected]