SharkFest'24 EU
Throughout this course, we are going to look at real-world examples of how to practically use Wireshark to solve network problems and isolate cybersecurity incidents. This skill will help AllOps (NetOps, SecOps, DevOps) engineers to improve in their analysis and troubleshooting skills. Labs have been designed to give real-world, hands-on experience with protocols using Wireshark.
Network forensic analysis requires the skill to capture suspicious data and discern unusual patterns hidden within seemingly normal network traffic. This class provides the attendee with a set of investigative techniques focusing on security threat recognition for a variety of network attack and exploit scenarios, including network reconnaissance techniques, Bot-Net threat recognition, man-in-the-middle attacks, as well as everyday user vulnerabilities in various standard internet-based user protocols based on IPv4/v6 / TCP/UDP and other network protocols.
Throughout this course, we are going to look at real-world examples of how to practically use Wireshark to solve network problems and isolate cybersecurity incidents. This skill will help AllOps (NetOps, SecOps, DevOps) engineers to improve in their analysis and troubleshooting skills. Labs have been designed to give real-world, hands-on experience with protocols using Wireshark.
Web Real-Time Communication (WebRTC) describes a standards-based approach to initiating audio and video communication relationships via IP-based networks, in the simplest case using a browser. WebRTC has become the most significant solution for web-based conferencing in our time. It has been implemented by many conferencing solution manufacturers and providers worldwide. In this Pre Conference Class, Robert and Matthias will take you into the world of analyzing WebRTC traffic and WebRTC solutions with Wireshark. It will enable you capturing and analyzing WebRTC Web Conferencing calls, analyzing the salient call components for potential problems and implement the required measures in your network perimeters to overcome such problems.
Let's kick off the conference in style
Gerald Combs & Friends talk about the new developments over the past year
For newcomers to network troubleshooting and security analysis, packet analysis can seem daunting. This session introduces OIDA (Observe, Identify, Dissect, Analyze), a beginner-friendly methodology designed to simplify the packet analysis process using Wireshark. OIDA offers a structured approach that enhances understanding and efficiency, making packet analysis more accessible to those new to Wireshark. Attendees will learn how to apply the OIDA framework, gaining practical skills to approach basic networking challenges with confidence.
Capturing BE traffic and analyze EHT frame with quick review of IEEE802.11 WLAN communications with security standards.
With Logray, we now have a Wireshark-based tool for analysing log events.
In this session I want to show why Logray has been my first choice for months to analyse and investigate AWS Cloudtrail events in an AWS Organization with around 1000 accounts. There are several advantages compared to the standard tools Athena + Glue and it is simply marvellous.
The session should help to spread the spark of Logray into the Dev(Sec)Ops world. Spread the word.... :-)
Get to know how to filter properly in Wireshark
The Internet of Things (IoT) has revolutionized the way we live and work, but it has also created significant challenges for network security and asset management. Most businesses have a blind spot when it comes to IoT devices, which creates an opportunity for attackers. Lacking sufficient visibility and control, these devices provide an easy and inconspicuous way for attackers to infiltrate a network.
With a vast array of devices, identifying what devices are running in the network has become a critical issue for organizations. Software agents have been the standard way to collect this information, but for embedded and IoT devices, it’s not always possible to install them. An effective solution to this problem lies in passive fingerprinting, which involves matching uniquely identifying patterns in the host’s network traffic and classifying it accordingly.
A troubleshooters tale
I routinely help large global enterprises to find problems in their network when our Online conferencing products do not work as expected. The problems range from very low level like broken packet fragmentation to high level like wrong Geolocation detection.
This brings me in contact with network security in various ways, and I learn about their ideas of securing networks and also how to configure such security systems and have to come up with ideas to make the conferencing software work.
As there is obviously no way around making our networks more secure, the question remains, how do we keep them working at the same time. I will show my approach to these problems.
Packet-level analysis stands as the gold standard in incident response, providing the most detailed evidence during security investigations. Despite its importance, packet analysis is often underutilized, typically considered only as a last resort. This session aims to elevate the use of Wireshark in everyday security practices, demonstrating its effectiveness not just in validating security tool alerts but in gaining a profound understanding of attack methodologies through network traces.
The session will focus on:
Explore and demonstrate methods for SSL interception, comparing browser-based versus proxy-based analysis, including techniques like PCAP over IP for remote capturing.
Investigate Attack Vectors: Learn to identify various network scans and conduct in-depth analyses of successful attacks. We will also highlight a successful attack using Metasploit, capturing and analyzing network traces to deepen our understanding and see examples of useful LUA Plugins for Security.
With this session we intend to demonstrate how Wireshark can be used to analyze IPSec VPNs in site to site and remote access contexts. We will also present some dysfunctioning cases where Wireshark can be of some help.
Kerberos is the bread and butter protocol used for authentication and authorization in a Windows domain.
Like many Windows components, it works fine in the default configuration and offers several options to strengthen its security. This includes the search for old encryption algorithms and the introduction of Kerberos Armoring, a.k.a Kerberos FAST.
This workshop will take you into the inner workings of Kerberos. We will use Wireshark to identify faulty configurations, misleading messages in event logs and decrypt whatever Windows wants to hide from plain view.
Join us for a fun night with an opportunity to enjoin wonderful conversations and win some cool prizes!
Let us discuss what interesting topics lay ahead of us
Understanding network traffic fingerprints is crucial for enhancing cybersecurity and network performance. This talk provides a concise exploration of network traffic fingerprints, discussing their definition, identification methods, and practical applications. We will cover techniques like deep packet inspection, flow analysis, and machine learning to capture and analyze traffic patterns. Real-world examples using Wireshark/tshark will illustrate their use in intrusion detection, anomaly detection, and network optimization.
Challenges such as encryption and evolving threats will be addressed, alongside emerging trends in network traffic analysis. Attendees will gain actionable insights on leveraging traffic fingerprints for improved security and efficiency, making this talk essential for network administrators, security professionals, and researchers. Join us to uncover the hidden patterns within your network and elevate your traffic analysis strategies.
Effective troubleshooting of network issues is a critical concern for network technicians. While many are familiar with basic ICMP tools like ping and traceroute, the breadth of ICMP capabilities often goes underutilized. This session delves into ICMP messages, specifically the 'Destination Unreachable' type, and the insights they provide into network errors.
We will explore methods for capturing and analyzing network traffic, highlighting practical tips and tricks for using Wireshark to diagnose and resolve issues efficiently. Attendees will gain a deeper understanding of ICMP message functions and how to leverage them for improved network troubleshooting.
We'll review LTE, and 5G network structure, and some unique protocols that support mobility services.
In September 2018, the Internet Crime Complaint Center (IC3), in collaboration with the Department of Homeland Security and the Federal Bureau of Investigation, warned of attackers exploiting legitimate tools like Remote Desktop Protocol (RDP) for malicious purposes. This presentation explores a recently discovered large-scale RDP Tunneling Attack that weaponized the mstshash cookie, a session management mechanism within RDP. The most intriguing aspect of this attack was the attacker's diverse use of protocols, including TCP, SSL, MEMCACHE, Socks, WOW, WOWW, MySQL, X11, MQTT, LISP, VICP, RSL, KDSP, ICAP, BitTorrent, CVSPSERVER, NDPS, PTP/IP, TPM, kNet, ECMP, and FF. This talk utilizes deep packet inspection (DPI) analysis to dissect this attack, revealing why seemingly unrelated protocols were chosen and emphasizing the attacker's strategy to bypass traditional security measures.
Analyzing TCP connection is the most common task a network analyst has to perform. And even though tracking sequence numbers, packet loss and generally understanding the TCP handshake and teardown can be tricky as well many analysts know how to deal with those steps. But sometimes you need to analyze complex situations and figure out what is going on, for example look at packet timing or troubleshooting an issue with less than ideal capture results. In this talk we'll look at techniques that can help and of course look at some example traces.
This talk will focus on VXLAN and MP-BGP EVPN in datacenter environments. It will analyze some of the inner workings and interactions between all the different components using Wireshark and will hopefully provide attendees with a better understanding of how these different pieces of technology work altogether. It will also give some troubleshooting tips for VXLAN EVPN. The discussion will first cover foundational concepts (VXLAN encapsulation, EVPN route types, L3VNI/L2VNI...) and get into more advanced topics (BGP unnumbered, RTs, MLAG/MH interactions, TE).
In this talk we'll go over lots of the details that dissector developers have to contend with. Not only will we touch on some of the Epan APIs available to us, but we will go beyond the API's and discuss the way of thinking about packet dissection design. Here we may discover wisdoms which are not only important to dissector developers, but for software development in general.
Even though in this talk we will focus on development of C code, Lua dissector developers may take away some deeper insights as well.
More and more traffic is encrypted using TLS: “https is the new tcp”. What if you need to troubleshoot but can’t use decryption? Either because it is hard to do or not allowed.
But based on traffic patterns, or meta data, it is still possible to draw conclusions. Like who is slow, how many applications turns (request/response pairs), size of the data, is the communication efficient (overhead ratio), etc..
This session we cover the methods of analyzing using Wireshark. First part for TLS up to version 1.2. The second part using version TLS 1.3, which is much harder to do, but not impossible.
This talk covers using Pyshark for analyzing pcap files, focusing on accessing nested elements in network packets, particularly within Client Hello packets, including encryption suites and TLS versions. This presentation provides an updated guide on effectively using Pyshark, addressing the gaps in current documentation and offering practical insights. The session will cover the basics of loading pcap files, inspecting packet types and layers, and using commands to list packet layers and extract details. It includes a practical example of extracting offered encryption suites from Client Hello packets to ensure secure encryption methods. By applying Wireshark display filters in Pyshark, the talk demonstrates how to efficiently find needed packets. Key issues and solutions when using JSON and Python objects will be highlighted, helping avoid errors and process data smoothly. Learn to effectively access and use nested elements and specific data points with Pyshark.
This talk explores how we might use Wireshark to optimize servers and applications even when they aren't slow. Depending on the type of traffic, optimizing TCP windowing and reducing the number of round trips required to transmit information can improve the speed of an application significantly.
Wireshark has become an omnipresent tool in the realms of IT, OT, IoT, and cybersecurity.
Recognizing that today's higher education students rely less on textbooks and more on dynamic learning experiences, educators must adapt and develop innovative methods to effectively engage students and help them achieve their aims.
The goal of this presentation is to flatten the learning curve of network packet analysis. By using captures within the learner’s living space, we can teach necessary skills and gain insights without much overhead. In addition, the particular communication behaviour of smart devices (lights, television, vacuum cleaner, Xbox, doorbell, pet cam, … ) is often unknown to many people.
The objective of this interactive session is to provide participants with ideas on harnessing Wireshark's capabilities for their own activities while showcasing its usage in higher education and research endeavours.
Sponsor Technology Showcase & Dinner
Come and enjoy an interesting session with learning interesting stuff about each other!
Modern networks and devices rely heavily on two critical protocols: WiFi and TLS encryption. Many devices, such as smartphones, tablets, IoT devices, and others, lack built-in options for packet capture or the ability to obtain session keys.
My objective was to develop a device that functions as a proxy, capable of capturing traffic from wireless devices, decrypting and re-encrypting it, and outputting session keys—all while remaining invisible to the end user. The ultimate goal is to enable engineers to analyze decrypted traffic.
In this session, I'll share my motivation for building the cyberdeck, the challenges and successes I encountered, how the system works, and review traffic captures from well-known smartphone apps.
This presentation dives deep into the inherent vulnerabilities within web pages, exposing them to Layer 7 Denial-of-Service (DoS) attacks regardless of the encryption protocol employed (e.g. ICP, WTLS, DTLS, TLS 1.2/1.3, or QUIC). We'll meticulously dissect the specific weaknesses of the Internet Cache Protocol (ICP) and explore how it can be weaponized to circumvent security measures. Our analysis will further delve into the vulnerabilities residing within the handshake processes of DTLS, QUIC, TLS 1.2 and WTLS, along with a critical examination of the concerning bypass of TLS 1.3's renegotiation mitigation strategies. This session will provide valuable insights for security professionals and web developers, highlighting the importance of layered security strategies beyond encryption protocols to defend against DoS attacks.
This talk is an introduction to intuiting where non-network latency comes from. While it's usually quite clear how to determine what is network latency and what isn't, it's less clear how to dig into the timing differences between packets at different stages of a TCP conversation to direct troubleshooting at different layers of the stack.
Using a Linux-based web server as an example platform, this talk will demonstrate what network latency looks like, what host latency looks like, and what application/backend latency looks like. To explain what we see in the demonstration, we will also examine the web server to show how packets and requests propagate through the Linux OS to the web server application.
Attendees to this talk will leave with a greater understanding of how to identify latency at different stages of a web request. They will understand the basic Linux kernel and OS structure and how different stresses on a system show up in packet captures.
It’s easy to laugh at the apocryphal executive quote “Cloud doesn’t have Packets!”, but is there something more to it? What might they have meant?
What are the differences between traditional On-premise and Cloud networking and architectures, and what does this tell us about attitudes towards network based security and trouble-shooting?
In this talk we will look at how Cloud differs from On-prem networking, what common Cloud architectures look like, and how they can confound established practice. We will review options for Packet Capture and network based tools in Cloud compared to On-prem environments, and discuss whether it is practical, beneficial, and necessary.
Closing Remarks and Farewell reception