1.8 sharkfest-24-eu 2024-11-04 2024-11-08 5 00:05 https://conference.wireshark.org Europe/Vienna Ballroom A+B+C Pre Conference Class 2024-11-04T09:00:00+01:00 09:00 08:00 Throughout this course, we are going to look at real-world examples of how to practically use Wireshark to solve network problems and isolate cybersecurity incidents. This skill will help AllOps (NetOps, SecOps, DevOps) engineers to improve in their analysis and troubleshooting skills. Labs have been designed to give real-world, hands-on experience with protocols using Wireshark. sharkfest-24-eu-51-pre-conference-class-i-core-wireshark-skills-for-network-engineers-and-security-pros-2-day-class-4-5-november Pre-conference class Ross Bagurdes en Wireshark can be intimidating. I remember how it felt when I first started looking at a trace file with Wireshark. Questions started flooding into my mind: What should I look for? Where do I start? How can I find the packets that matter? What filters should I use? What is 'normal' and what can I ignore in all this data? I froze under the weight of all the detail in the packets. If you have ever felt that way when looking at a pcap, this is the course for you! true https://conference.wireshark.org/sharkfest-24-eu/talk/7GM8RQ/ https://conference.wireshark.org/sharkfest-24-eu/talk/7GM8RQ/feedback/ Palais Sachsen Coburg I-III Pre Conference Class 2024-11-04T09:00:00+01:00 09:00 08:00 The field of Cybersecurity has grown tremendously in the past few years. With every new breach, we realize just how important analysis skills have become in identifying, mitigating, and protecting networks. Wireshark is one of the most important tools in the toolbox for identifying threats, spotting unusual behavior, and analyzing malware behavior, we just need to know how to use it. In this class, we will dive deep into traffic flows to learn how Wireshark can be used to analyze different steps in the Cyber Kill Chain. sharkfest-24-eu-52-pre-conference-class-ii-cybersecurity-threat-hunting-go-deep-with-wireshark Pre-conference class Chris Greer en Wireshark is an important skill for those entering the cybersecurity field, as well as seasoned pros who need to dig into the packets. This course is targeted toward Network Engineers with a working understanding of Wireshark who would like to use it for a cybersecurity focus, but don’t have much experience with threat hunting. Those who want to learn to spot attack patterns, analyze malware, or respond to an incident will enjoy this content! false https://conference.wireshark.org/sharkfest-24-eu/talk/KAVG3H/ https://conference.wireshark.org/sharkfest-24-eu/talk/KAVG3H/feedback/ Ballroom A+B+C Pre Conference Class 2024-11-05T09:00:00+01:00 09:00 08:00 Throughout this course, we are going to look at real-world examples of how to practically use Wireshark to solve network problems and isolate cybersecurity incidents. This skill will help AllOps (NetOps, SecOps, DevOps) engineers to improve in their analysis and troubleshooting skills. Labs have been designed to give real-world, hands-on experience with protocols using Wireshark. sharkfest-24-eu-94-pre-conference-class-i-core-wireshark-skills-for-network-engineers-and-security-pros-2-day-class-4-5-november Pre-conference class Chris Greer en Wireshark can be intimidating. I remember how it felt when I first started looking at a trace file with Wireshark. Questions started flooding into my mind: What should I look for? Where do I start? How can I find the packets that matter? What filters should I use? What is 'normal' and what can I ignore in all this data? I froze under the weight of all the detail in the packets. If you have ever felt that way when looking at a pcap, this is the course for you! true https://conference.wireshark.org/sharkfest-24-eu/talk/C3VWMQ/ https://conference.wireshark.org/sharkfest-24-eu/talk/C3VWMQ/feedback/ Ballroom A+B+C Dinner 2024-11-05T18:00:00+01:00 18:00 02:30 Let's kick off the conference in style sharkfest-24-eu-48-sharkfest-24-europe-welcome-dinner-and-sponsor-showcase Organization Wireshark Foundation en true https://conference.wireshark.org/sharkfest-24-eu/talk/YLULZM/ https://conference.wireshark.org/sharkfest-24-eu/talk/YLULZM/feedback/ Palais Sachsen Coburg I-III Pre Conference Class 2024-11-05T09:00:00+01:00 09:00 08:00 Web Real-Time Communication (WebRTC) describes a standards-based approach to initiating audio and video communication relationships via IP-based networks, in the simplest case using a browser. WebRTC has become the most significant solution for web-based conferencing in our time. It has been implemented by many conferencing solution manufacturers and providers worldwide. In this Pre Conference Class, Robert and Matthias will take you into the world of analyzing WebRTC traffic and WebRTC solutions with Wireshark. It will enable you capturing and analyzing WebRTC Web Conferencing calls, analyzing the salient call components for potential problems and implement the required measures in your network perimeters to overcome such problems. sharkfest-24-eu-53-pre-conference-class-iii-webrtc-network-analysis-masterclass Pre-conference class Matthias KaiserRobert Hess en Have you ever wondered why your favorite web conferencing tool sometimes had bad video or audio quality? Did you experience problems connecting, when your VPN is active? Are you responsible, supporting users with their communication needs in diverse network environments? Or did you just stumble across weird UDP traffic in your latest trace files? Then this course is for you. We will explain the insides of the WebRTC communication protocols used in most modern products and show our praxis-proven approach analyzing problems in this field. The course includes hands-on capturing and analyzing problem situations including firewall restrictions and proxy use. To the best of our abilities, we will also address your real live problems you bring to the table. false https://conference.wireshark.org/sharkfest-24-eu/talk/HDZTV3/ https://conference.wireshark.org/sharkfest-24-eu/talk/HDZTV3/feedback/ Ballroom A+B+C Organization 2024-11-06T09:00:00+01:00 09:00 00:45 Gerald Combs & Friends talk about the new developments over the past year sharkfest-24-eu-55-keynote-ecosystem-expansion Organization en false https://conference.wireshark.org/sharkfest-24-eu/talk/RPQSCC/ https://conference.wireshark.org/sharkfest-24-eu/talk/RPQSCC/feedback/ Ballroom A+B+C Short Presentation 2024-11-06T09:45:00+01:00 09:45 01:00 We'll review LTE, and 5G network structure, and some unique protocols that support mobility services. sharkfest-24-eu-77-3gpp-a-walk-through-the-lte-and-5g-networks Intermediate Mark Stout en Look through a few key 3GPP docs that describe mobility call flow. Along with a couple packet walks through mobility events, and VoLTE. false https://conference.wireshark.org/sharkfest-24-eu/talk/TFGQAU/ https://conference.wireshark.org/sharkfest-24-eu/talk/TFGQAU/feedback/ Ballroom A+B+C Short Presentation 2024-11-06T11:00:00+01:00 11:00 01:00 Get to know how to filter properly in Wireshark sharkfest-24-eu-73-mastering-wireshark-filtering Beginner Sake Blok en false https://conference.wireshark.org/sharkfest-24-eu/talk/NTUTHL/ https://conference.wireshark.org/sharkfest-24-eu/talk/NTUTHL/feedback/ Ballroom A+B+C Short Presentation 2024-11-06T13:00:00+01:00 13:00 01:00 Capturing BE traffic and analyze EHT frame with quick review of IEEE802.11 WLAN communications with security standards. sharkfest-24-eu-43-capturing-wifi7-understand-wifi-again-with-catching-up-an-extremely-high-throughput-mode-of-ieee802-11be Intermediate Megumi Takeshita en WiFi has been upgraded in the next phase, 7th generation bumped up from 6/6E, enabling over 30Gbps wireless communication using 320MHz, 16 streams and 4096 QAM modulation. In this session, we try Intel BE200 adapter to capture actual live traffic of WiFI7 and dissect extended tags of IEEE802.11be using Wireshark. And this session includes the basic dissection of WLAN and WiFi security standards, too. We dissect the management, control and data frames of WiFi and learn mechanisms and standards of IEEE802.11 protocols. It also includes security dissection based on WPA2/WPA3. false https://conference.wireshark.org/sharkfest-24-eu/talk/PDYKPQ/ https://conference.wireshark.org/sharkfest-24-eu/talk/PDYKPQ/feedback/ Ballroom A+B+C Long Presentation 2024-11-06T14:00:00+01:00 14:00 01:30 A troubleshooters tale I routinely help large global enterprises to find problems in their network when our Online conferencing products do not work as expected. The problems range from very low level like broken packet fragmentation to high level like wrong Geolocation detection. This brings me in contact with network security in various ways, and I learn about their ideas of securing networks and also how to configure such security systems and have to come up with ideas to make the conferencing software work. As there is obviously no way around making our networks more secure, the question remains, how do we keep them working at the same time. I will show my approach to these problems. sharkfest-24-eu-71-communication-breakdown-making-online-conferencing-work-in-secured-company-networks Intermediate Robert Hess en High level network requirements of online communication (WebRTC and the other big ones) Security requirements in modern corporate networks The everlasting conflict: tighter security vs. faster and more diverse communication connections Some typical problems with field examples and how to identify them in Wireshark - Analysing UDP performance - DNS - a story of misunderstandings - VPN - what could possibly go wrong? History excurse : Why is it so complicated - The wild-west times of networked software - Things not to do in your software and why not - Things not to do in your network and why not The perfect network - how would it look like? false https://conference.wireshark.org/sharkfest-24-eu/talk/TP88BZ/ https://conference.wireshark.org/sharkfest-24-eu/talk/TP88BZ/feedback/ Ballroom A+B+C Long Presentation 2024-11-06T15:45:00+01:00 15:45 01:30 With this session we intend to demonstrate how Wireshark can be used to analyze IPSec VPNs in site to site and remote access contexts. We will also present some dysfunctioning cases where Wireshark can be of some help. sharkfest-24-eu-72-ipsec-vpn-analysis-and-troubleshooting Intermediate Jean-Paul ARCHIER en We will present the differents steps of an IPsec connexion (we'll base our presentation on IKEv2) with the help of Wireshark. We will use some profiles to highlight the most important elements and we'll detail the colors, columns, filters, buttons used in these profiles . Our presentation will focus mainly on two site-to site situations : fhe first illustrating a VPN without NAT with a simple situation (one tunnel) and a more complex one (several tunnels), the second one involving some NAT between the two sites. In each of these labs we will present capture files with functional VPNS and others with some issues. When necessary and possible we'll useWireshark to decipher the IKE and ESP exchanges. If some time remains we will present capture files for a VPN between a Windows PC and a central site false https://conference.wireshark.org/sharkfest-24-eu/talk/ZLH8RF/ https://conference.wireshark.org/sharkfest-24-eu/talk/ZLH8RF/feedback/ Ballroom A+B+C Short Presentation 2024-11-06T17:15:00+01:00 17:15 01:00 As infrastructure managers, we often have to deal with malwares. Although we do our best to avoid or block them, some slip through the net anyway. Let's imagine that you or a member of your team got their hands on one of these malicious binaries. How can you find out what its purpose was? You can try to uncompile the binary or explore it in hexadecimal mode, two tried and tested but time-consuming methods. Let's try a new approach and analyze the malware's behavior by running it in an isolated environment and collecting all its syscalls using eBPF. The final step will be to explore the captures with Logray, a project forked from Wireshark, especially made to analyze syscall packets captures. sharkfest-24-eu-85-let-s-dissect-malwares-by-collecting-their-syscalls-with-ebpf Beginner Thomas Labarussias en false https://conference.wireshark.org/sharkfest-24-eu/talk/PJCUHK/ https://conference.wireshark.org/sharkfest-24-eu/talk/PJCUHK/feedback/ Ballroom A+B+C Dinner 2024-11-06T18:30:00+01:00 18:30 03:00 Join us for a fun night with an opportunity to enjoin wonderful conversations and win some cool prizes! sharkfest-24-eu-54-sponsor-technology-showcase-reception-treasure-hunt-dinner Organization en true https://conference.wireshark.org/sharkfest-24-eu/talk/UPEDSC/ https://conference.wireshark.org/sharkfest-24-eu/talk/UPEDSC/feedback/ Palais Sachsen Coburg I-III Short Presentation 2024-11-06T09:45:00+01:00 09:45 01:00 With Stratoshark, we now have a Wireshark-based tool for analysing log events. In this session I want to show why Logray has been my first choice for months to analyse and investigate AWS Cloudtrail events in an AWS Organization with around 1000 accounts. There are several advantages compared to the standard tools Athena + Glue and it is simply marvellous. The session should help to spread the spark of Logray into the Dev(Sec)Ops world. Spread the word.... :-) sharkfest-24-eu-58-stratoshark-or-how-to-inspire-your-devops-team-to-use-wireshark Security Uli Heilmeier en false https://conference.wireshark.org/sharkfest-24-eu/talk/G7FWSD/ https://conference.wireshark.org/sharkfest-24-eu/talk/G7FWSD/feedback/ Palais Sachsen Coburg I-III Short Presentation 2024-11-06T11:00:00+01:00 11:00 01:00 Falco, a CNCF project, is the de facto solution for runtime threat detection in Linux and Kubernetes environments. It offers complete kernel-level visibility by capturing Syscalls via eBPF, analyzing this flow with a powerful rules engine and alerting when a rule is triggered. Over time, the Falco ecosystem has grown to include the ability to retrieve events from different sources, such as SaaS or Cloud provider audit logs, and to integrate with dozens of tools for notification, analysis and reaction. The last born in its ecosystem is Falco Talon, a tailor made no-code response engine, which react to the Falco events with out of the box actions, such as terminating a pod, or triggering a tcpdump. In this talk, listeners will learn the basics of Falco, and will be treated to a real-time demonstration of remediation action against intrusions, with a big focus on the capacity to trigger a tcpdump, to observe what the attacker did following the raised alert. sharkfest-24-eu-86-automatically-trigger-captures-via-tcpdump-when-a-suspicious-event-occurs-in-your-kubernetes-cluster Security Thomas Labarussias en false https://conference.wireshark.org/sharkfest-24-eu/talk/FW933D/ https://conference.wireshark.org/sharkfest-24-eu/talk/FW933D/feedback/ Palais Sachsen Coburg I-III Short Presentation 2024-11-06T13:00:00+01:00 13:00 01:00 This talk is an introduction to intuiting where non-network latency comes from. While it's usually quite clear how to determine what is network latency and what isn't, it's less clear how to dig into the timing differences between packets at different stages of a TCP conversation to direct troubleshooting at different layers of the stack. Using a Linux-based web server as an example platform, this talk will demonstrate what network latency looks like, what host latency looks like, and what application/backend latency looks like. To explain what we see in the demonstration, we will also examine the web server to show how packets and requests propagate through the Linux OS to the web server application. Attendees to this talk will leave with a greater understanding of how to identify latency at different stages of a web request. They will understand the basic Linux kernel and OS structure and how different stresses on a system show up in packet captures. sharkfest-24-eu-80-beyond-network-latency-chasing-latency-up-the-stack Intermediate Josh Clark en "The website is slow, so the network must be having an issue." Network engineers skilled with Wireshark are masters of responding to statements like this one. With one peek at the iRTT, one scroll through the TCP stream, and one long-running ping to the web server, network latency can be disproven. But how do we take the next step? How do we help a server admin or application owner identify exactly what is happening? Packets can isolate latency at the network, the server, and the application, and this talk will walk through how to find and understand those latencies. Expect a review of identifying network latency. Expect to learn how to isolate both server and application latency. Expect to learn how network data propagates through a Linux server and where it makes pit stops along the way. true https://conference.wireshark.org/sharkfest-24-eu/talk/TABABN/ https://conference.wireshark.org/sharkfest-24-eu/talk/TABABN/feedback/ Palais Sachsen Coburg I-III Long Presentation 2024-11-06T14:00:00+01:00 14:00 01:30 Packet-level analysis stands as the gold standard in incident response, providing the most detailed evidence during security investigations. Despite its importance, packet analysis is often underutilized, typically considered only as a last resort. This session aims to elevate the use of Wireshark in everyday security practices, demonstrating its effectiveness not just in validating security tool alerts but in gaining a profound understanding of attack methodologies through network traces. The session will focus on: Explore and demonstrate methods for SSL interception, comparing browser-based versus proxy-based analysis, including techniques like PCAP over IP for remote capturing. Investigate Attack Vectors: Learn to identify various network scans and conduct in-depth analyses of successful attacks. We will also highlight a successful attack using Metasploit, capturing and analyzing network traces to deepen our understanding and see examples of useful LUA Plugins for Security. sharkfest-24-eu-64-unlocking-security-insights-wireshark-techniques-for-security-analysts Security Walter Hofstetter en false https://conference.wireshark.org/sharkfest-24-eu/talk/XFQZQA/ https://conference.wireshark.org/sharkfest-24-eu/talk/XFQZQA/feedback/ Palais Sachsen Coburg I-III Long Workshop 2024-11-06T15:45:00+01:00 15:45 01:30 Kerberos is the bread and butter protocol used for authentication and authorization in a Windows domain. Like many Windows components, it works fine in the default configuration and offers several options to strengthen its security. This includes the search for old encryption algorithms and the introduction of Kerberos Armoring, a.k.a Kerberos FAST. This hands-on workshop will take you into the inner workings of Kerberos. We will use Wireshark to identify faulty configurations, misleading messages in event logs and decrypt whatever Windows wants to hide from plain view. Trace files included: Bring your own laptop! sharkfest-24-eu-76-kerberos-deep-dive Security /media/sharkfest-24-eu/submissions/ULC3YU/Kerberos_Lw6xb9v.png Eddi Blenkers en After a quick introduction on standard Kerberos operations we will examine advanced features. This workshop will teach you * How to configure Wireshark for a speedy analysis of Kerberos packets * How to identify hosts and accounts that use old encryption protocols * Why you should use Kerberos Armoring and how to prepare your systems * How Kerberos encrypts messages and how to decrypt them with Wireshark Feel free to bring your laptop and click along during the workstation. Tracefiles are ready for download at https://sharkfest.packet-foo.com/kerberos-deep-dive.zip A Python interpreter is recommended, but not required. false https://conference.wireshark.org/sharkfest-24-eu/talk/ULC3YU/ https://conference.wireshark.org/sharkfest-24-eu/talk/ULC3YU/feedback/ Palais Sachsen Coburg I-III Short Presentation 2024-11-06T17:15:00+01:00 17:15 01:00 In September 2018, the Internet Crime Complaint Center (IC3), in collaboration with the Department of Homeland Security and the Federal Bureau of Investigation, warned of attackers exploiting legitimate tools like Remote Desktop Protocol (RDP) for malicious purposes. This presentation explores a recently discovered large-scale RDP Tunneling Attack that weaponized the mstshash cookie, a session management mechanism within RDP. The most intriguing aspect of this attack was the attacker's diverse use of protocols, including TCP, TLS, SSL, MEMCACHE, Socks, WOW, WOWW, MySQL, X11, MQTT, LISP, VICP, RSL, KDSP, ICAP, BitTorrent, CVSPSERVER, NDPS, PTP/IP, TPM, kNet, ECMP, and FF. This talk utilizes deep packet inspection (DPI) analysis to dissect this attack, revealing why seemingly unrelated protocols were chosen and emphasizing the attacker's strategy to bypass traditional security measures. sharkfest-24-eu-45-deep-packet-inspection-analyses-unveiling-a-shocking-rdp-attack-through-unusual-protocol-combinations Security /media/sharkfest-24-eu/submissions/BB3E8B/RDP_Tunneling_Attack_over_MySQL_51iL3u7.PNG Michal Soltysik en Presentation Outline: (1) Introduction: - I will briefly explain Remote Desktop Protocol (RDP) and its importance and broad utilization on the Internet. - I will discuss the role of the mstshash cookie in RDP session management. - I will introduce the concept of RDP Tunneling Attacks and their potential dangers. (2) Unveiling the Attack with Deep Packet Inspection (DPI): - I will analyze the attacker's use of common protocols, such as TCP, TLS and SSL for tunneling RDP traffic. - I will deep dive into the lesser-known and very diverse protocols (such as MEMCACHE, Socks, WOW, WOWW, MySQL, X11, MQTT, LISP, VICP, RSL, KDSP, ICAP, BitTorrent, CVSPSERVER, NDPS, PTP/IP, TPM, kNet, ECMP, and FF) used in the attack and their role in tunneling RDP. (3) Why These Protocols? Identifying Shared Characteristics: - I will explore the common features of the chosen protocols that make them suitable for tunneling RDP traffic. - I will discuss how attackers exploit limitations of traditional port-based security measures by using this diverse protocol set. (4) The Need for Broader Network Monitoring: - I will explain the limitations of focusing solely on RDP's standard port (3389). - I will emphasize the importance of DPI and comprehensive network monitoring to detect attacks hidden within other protocols. (5) Conclusion: - I will recap key takeaways: the importance of minimal RDP library usage, dangers of RDP Tunneling Attacks, and the need for broader network monitoring. - I will conclude by emphasizing the critical need for vigilance against evolving attack methods and the importance of expanding network monitoring practices. Target Audience: This presentation is designed for security professionals, network administrators, and anyone interested in understanding advanced attack techniques and network security best practices - especially professionals interested in protocol security. false https://conference.wireshark.org/sharkfest-24-eu/talk/BB3E8B/ https://conference.wireshark.org/sharkfest-24-eu/talk/BB3E8B/feedback/ Ballroom A+B+C Organization 2024-11-07T09:00:00+01:00 09:00 00:45 Let us discuss what interesting topics lay ahead of us sharkfest-24-eu-66-panel-discussion Beginner Roland Knall en false https://conference.wireshark.org/sharkfest-24-eu/talk/TBWNC7/ https://conference.wireshark.org/sharkfest-24-eu/talk/TBWNC7/feedback/ Ballroom A+B+C Long Presentation 2024-11-07T09:45:00+01:00 09:45 01:30 Understanding network traffic fingerprints is crucial for enhancing cybersecurity and network performance. This talk provides a concise exploration of network traffic fingerprints, discussing their definition, identification methods, and practical applications. We will cover techniques like deep packet inspection, flow analysis, and machine learning to capture and analyze traffic patterns. Real-world examples using Wireshark/tshark will illustrate their use in intrusion detection, anomaly detection, and network optimization. Challenges such as encryption and evolving threats will be addressed, alongside emerging trends in network traffic analysis. Attendees will gain actionable insights on leveraging traffic fingerprints for improved security and efficiency, making this talk essential for network administrators, security professionals, and researchers. Presentation slides and pcaps are available at https://tinyurl.com/sf24derinardi sharkfest-24-eu-60-a-deep-dive-into-traffic-fingerprints-using-wireshark Intermediate Luca DeriIvan Nardi en false https://conference.wireshark.org/sharkfest-24-eu/talk/KCCXJY/ https://conference.wireshark.org/sharkfest-24-eu/talk/KCCXJY/feedback/ Ballroom A+B+C Long Presentation 2024-11-07T11:30:00+01:00 11:30 01:30 The experts on this panel have been asked to look at a trace file and help find a reason for certain behaviors by attendees at many SharkFests. Based on this, they’ve decided to create a public forum for examining individual trace files with a broader audience for a collective learning experience. Trace files will be gathered from attendees prior to SharkFest and only given to the panel members during the session so that the “not- knowing what to expect and whether it can be solved” experience of working through an unknown trace file can be preserved. Come to this session and learn to ask the right questions and look at packets in different ways. PLEASE SEND PERPLEXING TRACE FILES FOR ANALYSIS BY THE PANEL TO jasper@packet-foo.com PRIOR TO SHARKFEST! sharkfest-24-eu-90-the-packet-doctors-are-in-packet-trace-examinations-with-the-experts en true https://conference.wireshark.org/sharkfest-24-eu/talk/N99N8N/ https://conference.wireshark.org/sharkfest-24-eu/talk/N99N8N/feedback/ Ballroom A+B+C Short Presentation 2024-11-07T14:00:00+01:00 14:00 01:00 This talk will focus on VXLAN and MP-BGP EVPN in datacenter environments. It will analyze some of the inner workings and interactions between all the different components using Wireshark and will hopefully provide attendees with a better understanding of how these different pieces of technology work altogether. It will also give some troubleshooting tips for VXLAN EVPN. The discussion will first cover foundational concepts (VXLAN encapsulation, EVPN route types, L3VNI/L2VNI...) and get into more advanced topics (BGP unnumbered, RTs, MLAG/MH interactions, TE). sharkfest-24-eu-63-vxlan-evpn-and-other-intricacies-unpacked Intermediate Pierre Besombes en false https://conference.wireshark.org/sharkfest-24-eu/talk/9RT9SP/ https://conference.wireshark.org/sharkfest-24-eu/talk/9RT9SP/feedback/ Ballroom A+B+C Short Presentation 2024-11-07T15:00:00+01:00 15:00 01:00 More and more traffic is encrypted using TLS: “https is the new tcp”. What if you need to troubleshoot but can’t use decryption? Either because it is hard to do or not allowed. But based on traffic patterns, or meta data, it is still possible to draw conclusions. Like who is slow, how many applications turns (request/response pairs), size of the data, is the communication efficient (overhead ratio), etc.. This session we cover the methods of analyzing using Wireshark. First part for TLS up to version 1.2. The second part using version TLS 1.3, which is much harder to do, but not impossible. sharkfest-24-eu-68-everything-is-encrypted Intermediate André Luyer en false https://conference.wireshark.org/sharkfest-24-eu/talk/YHDD3S/ https://conference.wireshark.org/sharkfest-24-eu/talk/YHDD3S/feedback/ Ballroom A+B+C Short Presentation 2024-11-07T16:15:00+01:00 16:15 01:00 Wireshark has become an omnipresent tool in the realms of IT, OT, IoT, and cybersecurity. Recognizing that today's higher education students rely less on textbooks and more on dynamic learning experiences, educators must adapt and develop innovative methods to effectively engage students and help them achieve their aims. The goal of this presentation is to flatten the learning curve of network packet analysis. By using captures within the learner’s living space, we can teach necessary skills and gain insights without much overhead. In addition, the particular communication behaviour of smart devices (lights, television, vacuum cleaner, Xbox, doorbell, pet cam, … ) is often unknown to many people. The objective of this interactive session is to provide participants with ideas on harnessing Wireshark's capabilities for their own activities while showcasing its usage in higher education and research endeavours. sharkfest-24-eu-75-network-traffic-your-home Beginner Ville HaapakangasTom Cordemans en This inspirational session will feature two senior lecturers from different European Universities of Applied Sciences, who will share their insights and best practices on leveraging Wireshark in both educational and research contexts. The primary focus of this presentation is on using Wireshark correctly to become more efficient packet analyser. Drawing from our personal experiences as lecturers and researchers, we will discuss practical examples that underscore the tool's versatility and value. This session is interactive and includes hands-on tasks with trace files. Trace files will be provided to the participants. Some info about Ville Haapakangas: • Senior Lecturer at Tampere University of Applied Sciences (Tampere, Finland) • Lecturer in Computer Networks and Cybersecurity, several cybersecurity related research projects • A speaker at Sharkfest22EU and Sharkfest23EU and a participant of SharkFest EU for a few years now Some info about Tom Cordemans: • Lecturer at Odisee University of Applied Sciences (Gent, Belgium) • ICT Technologist at DistriNet Research Unit @KU Leuven (Gent, Belgium) • A speaker at Sharkfest23EU and a participant of SharkFest EU for many years now. false https://conference.wireshark.org/sharkfest-24-eu/talk/SZH3SB/ https://conference.wireshark.org/sharkfest-24-eu/talk/SZH3SB/feedback/ Ballroom A+B+C Short Presentation 2024-11-07T17:15:00+01:00 17:15 01:00 in this short presentation we transfer a file and record the event with a tap and the Cisco ACI engine Intuitively, we might configure a SPAN port because it's cheap and fast. This presentation will explore the situation when the infrastructure or the virtual capture points are overloaded sharkfest-24-eu-87-compare-the-accuracy-of-trace-files-captured-with-a-tap-and-cisco-aci Beginner /media/sharkfest-24-eu/submissions/J8NNR3/ACI_ZGcAqrF.png Markus LiechtiEddi Blenkers en false https://conference.wireshark.org/sharkfest-24-eu/talk/J8NNR3/ https://conference.wireshark.org/sharkfest-24-eu/talk/J8NNR3/feedback/ Ballroom A+B+C Dinner 2024-11-07T18:30:00+01:00 18:30 02:30 Sponsor Technology Showcase & Dinner sharkfest-24-eu-57-sponsor-technology-showcase-packet-hero-quiz-dinner Organization en false https://conference.wireshark.org/sharkfest-24-eu/talk/7USMUA/ https://conference.wireshark.org/sharkfest-24-eu/talk/7USMUA/feedback/ Palais Sachsen Coburg I-III Long Presentation 2024-11-07T09:45:00+01:00 09:45 01:30 Effective troubleshooting of network issues is a critical concern for network technicians. While many are familiar with basic ICMP tools like ping and traceroute, the breadth of ICMP capabilities often goes underutilized. This session delves into ICMP messages, specifically the 'Destination Unreachable' type, and the insights they provide into network errors. We will explore methods for capturing and analyzing network traffic, highlighting practical tips and tricks for using Wireshark to diagnose and resolve issues efficiently. Attendees will gain a deeper understanding of ICMP message functions and how to leverage them for improved network troubleshooting. sharkfest-24-eu-59-unveiling-network-errors-a-deep-dive-into-icmp-destination-unreachable-messages Expert / Developer Johannes Weber en false https://conference.wireshark.org/sharkfest-24-eu/talk/JZ8MZJ/ https://conference.wireshark.org/sharkfest-24-eu/talk/JZ8MZJ/feedback/ Palais Sachsen Coburg I-III Short Presentation 2024-11-07T14:00:00+01:00 14:00 01:00 Analyzing TCP connection is the most common task a network analyst has to perform. And even though tracking sequence numbers, packet loss and generally understanding the TCP handshake and teardown can be tricky as well many analysts know how to deal with those steps. But sometimes you need to analyze complex situations and figure out what is going on, for example look at packet timing or troubleshooting an issue with less than ideal capture results. In this talk we'll look at techniques that can help and of course look at some example traces. sharkfest-24-eu-81-advanced-tcp-troubleshooting Expert / Developer Jasper Bongertz en false https://conference.wireshark.org/sharkfest-24-eu/talk/WX9LX3/ https://conference.wireshark.org/sharkfest-24-eu/talk/WX9LX3/feedback/ Palais Sachsen Coburg I-III Short Presentation 2024-11-07T15:00:00+01:00 15:00 01:00 In this talk we'll go over lots of the details that dissector developers have to contend with. Not only will we touch on some of the Epan APIs available to us, but we will go beyond the API's and discuss the way of thinking about packet dissection design. Here we may discover wisdoms which are not only important to dissector developers, but for software development in general. Even though in this talk we will focus on development of C code, Lua dissector developers may take away some deeper insights as well. sharkfest-24-eu-84-dissector-developer-design-notes Expert / Developer Jaap Keuter en As a core developer I get to see a lot of dissector code, in the form of merge requests, during investigation of bugs, or written by myself. While working on this code I often come across designs which are not optimal for the purpose they serve. This may have to do with the use of poor examples, missing insight into how the packet dissection process really works or lack of understanding of the protocols at hand. Either way more knowledge and insight will hopefully help you to create better dissectors. false https://conference.wireshark.org/sharkfest-24-eu/talk/N3XNY9/ https://conference.wireshark.org/sharkfest-24-eu/talk/N3XNY9/feedback/ Palais Sachsen Coburg I-III Short Presentation 2024-11-07T16:15:00+01:00 16:15 01:00 This talk explores how we might use Wireshark to optimize servers and applications even when they aren't slow. Depending on the type of traffic, optimizing TCP windowing and reducing the number of round trips required to transmit information can improve the speed of an application significantly. sharkfest-24-eu-79-optimizing-server-settings-using-packet-captures Expert / Developer Josh Clark en The internet operates using standards, and these standards were developed, debated, and ratified with the entirety of the internet in mind. But are these standards ideal for your environment? The largest internet companies tune their servers to operate best in the environments they maintain. That tight control lets them reduce application response times even when latency might be high. We will use packet captures to identify application traffic patterns and active network conditions, and we’ll explore options to customize how servers put data on the network to fit the application and the network. true https://conference.wireshark.org/sharkfest-24-eu/talk/DPTKUS/ https://conference.wireshark.org/sharkfest-24-eu/talk/DPTKUS/feedback/ Palais Sachsen Coburg I-III Short Presentation 2024-11-07T17:15:00+01:00 17:15 01:00 This talk covers using Pyshark for analyzing pcap files, focusing on accessing nested elements in network packets, particularly within Client Hello packets, including encryption suites and TLS versions. This presentation provides an updated guide on effectively using Pyshark, addressing the gaps in current documentation and offering practical insights. The session will cover the basics of loading pcap files, inspecting packet types and layers, and using commands to list packet layers and extract details. It includes a practical example of extracting offered encryption suites from Client Hello packets to ensure secure encryption methods. By applying Wireshark display filters in Pyshark, the talk demonstrates how to efficiently find needed packets. Key issues and solutions when using JSON and Python objects will be highlighted, helping avoid errors and process data smoothly. Learn to effectively access and use nested elements and specific data points with Pyshark. sharkfest-24-eu-65-dissecting-the-client-hello-with-pyshark Beginner /media/sharkfest-24-eu/submissions/GEJMM9/pyshark_GA7QOgT.jpg Katherine Leese en false https://conference.wireshark.org/sharkfest-24-eu/talk/GEJMM9/ https://conference.wireshark.org/sharkfest-24-eu/talk/GEJMM9/feedback/ Ballroom A+B+C Organization 2024-11-08T09:00:00+01:00 09:00 00:45 Come and enjoy an interesting session with learning interesting stuff about each other! sharkfest-24-eu-74-sharkbytes Organization en false https://conference.wireshark.org/sharkfest-24-eu/talk/MLBZMC/ https://conference.wireshark.org/sharkfest-24-eu/talk/MLBZMC/feedback/ Ballroom A+B+C Short Presentation 2024-11-08T09:45:00+01:00 09:45 01:30 Modern networks and devices rely heavily on two critical protocols: WiFi and TLS encryption. Many devices, such as smartphones, tablets, IoT devices, and others, lack built-in options for packet capture or the ability to obtain session keys. My objective was to develop a device that functions as a proxy, capable of capturing traffic from wireless devices, decrypting and re-encrypting it, and outputting session keys—all while remaining invisible to the end user. The ultimate goal is to enable engineers to analyze decrypted traffic. In this session, I'll share my motivation for building the cyberdeck, the challenges and successes I encountered, how the system works, and review traffic captures from well-known smartphone apps. sharkfest-24-eu-82-sharksniff-3000-the-wireless-decrypting-cyberdeck Intermediate Ross Bagurdes en false https://conference.wireshark.org/sharkfest-24-eu/talk/RVUPLY/ https://conference.wireshark.org/sharkfest-24-eu/talk/RVUPLY/feedback/ Ballroom A+B+C Short Presentation 2024-11-08T11:30:00+01:00 11:30 01:00 It’s easy to laugh at the apocryphal executive quote “Cloud doesn’t have Packets!”, but is there something more to it? What might they have meant? What are the differences between traditional On-premise and Cloud networking and architectures, and what does this tell us about attitudes towards network based security and trouble-shooting? In this talk we will look at how Cloud differs from On-prem networking, what common Cloud architectures look like, and how they can confound established practice. We will review options for Packet Capture and network based tools in Cloud compared to On-prem environments, and discuss whether it is practical, beneficial, and necessary. sharkfest-24-eu-83-cloud-doesn-t-have-packets Beginner Stephen Donnelly en false https://conference.wireshark.org/sharkfest-24-eu/talk/TPT9PT/ https://conference.wireshark.org/sharkfest-24-eu/talk/TPT9PT/feedback/ Ballroom A+B+C Long Presentation 2024-11-08T12:30:00+01:00 12:30 01:30 Closing Remarks and Farewell reception sharkfest-24-eu-56-lunch-closing-remarks-and-farewell-reception Organization en false https://conference.wireshark.org/sharkfest-24-eu/talk/GUGZZQ/ https://conference.wireshark.org/sharkfest-24-eu/talk/GUGZZQ/feedback/ Palais Sachsen Coburg I-III Short Presentation 2024-11-08T11:30:00+01:00 11:30 01:00 Capturing packets on the road can be a challenge. Do you have access to the switch? Are you able to install Wireshark on the endpoints. What if one side says it sends packets, but the other side does not receive them. There are many situations in which a tap might be handy or needed to make a useful packet capture. In those cases, having a portable tap in your laptop bag is a life-saver. There are a few portable USB powered gigabit Ethernet taps on the market that have different capabilities. I made an overview of available portable taps and reached out to vendors to supply me one for a thorough test. This presentation gives an overview of the portable gigabit taps on the market, their capabilities and how well they performed on the test-bench. sharkfest-24-eu-91-gotta-catch-em-all-a-field-test-of-portable-gigabit-taps Beginner Sake Blok en false https://conference.wireshark.org/sharkfest-24-eu/talk/VBHSF3/ https://conference.wireshark.org/sharkfest-24-eu/talk/VBHSF3/feedback/