SharkFest'24 EU

09:00
09:00
480min
Pre-Conference Class I: Core Wireshark Skills for Network Engineers and Security Pros - 2-day class (4-5 November)
Chris Greer, Ross Bagurdes

Throughout this course, we are going to look at real-world examples of how to practically use Wireshark to solve network problems and isolate cybersecurity incidents. This skill will help AllOps (NetOps, SecOps, DevOps) engineers to improve in their analysis and troubleshooting skills. Labs have been designed to give real-world, hands-on experience with protocols using Wireshark.

Pre-conference class
Room A
09:00
480min
Pre-Conference Class III: WebRTC Network Analysis Masterclass
Matthias Kaiser, Robert Hess

Web Real-Time Communication (WebRTC) describes a standards-based approach to initiating audio and video communication relationships via IP-based networks, in the simplest case using a browser. WebRTC has become the most significant solution for web-based conferencing in our time. It has been implemented by many conferencing solution manufacturers and providers worldwide. In this Pre-Conference Class, Robert and Matthias will take you into the world of analyzing WebRTC traffic and WebRTC solutions with Wireshark. It will enable you to capture and analyze WebRTC web conferencing calls, analyze the salient call components for potential problems, and implement the required measures in your network perimeters to overcome such problems.

Pre-conference class
Room B
18:00
18:00
150min
SharkFest'24 EUROPE Welcome Dinner and Sponsor Showcase
Wireshark Foundation

Let's kick off the conference in style

Organization
Room A
09:00
09:00
45min
Keynote: Ecosystem Expansion

Gerald Combs & Friends talk about the new developments over the past year

Organization
Room A
09:45
09:45
90min
How to analysis like a pro
Roland Knall

For newcomers to network troubleshooting and security analysis, packet analysis can seem daunting. This session introduces OIDA (Observe, Identify, Dissect, Analyze), a beginner-friendly methodology designed to simplify the packet analysis process using Wireshark. OIDA offers a structured approach that enhances understanding and efficiency, making packet analysis more accessible to those new to Wireshark. Attendees will learn how to apply the OIDA framework, gaining practical skills to approach basic networking challenges with confidence.

Beginner
Room A
11:15
11:15
15min
Break
Room A
11:15
15min
Break
Room B
11:30
11:30
60min
Capturing WiFi7, understand WiFi again with catching up an Extremely High Throughput mode of IEEE802.11be
Megumi Takeshita

Capturing 802.11be traffic and analyzing EHT frames, with a quick review of IEEE 802.11 WLAN communications and their security standards.

Intermediate
Room A
11:30
60min
Logray: Or how to inspire your DevOps team to use Wireshark
Uli Heilmeier

With Logray, we now have a Wireshark-based tool for analysing log events.

In this session I want to show why Logray has been my first choice for months to analyse and investigate AWS Cloudtrail events in an AWS Organization with around 1000 accounts. There are several advantages compared to the standard tools Athena + Glue and it is simply marvellous.

The session should help to spread the spark of Logray into the Dev(Sec)Ops world. Spread the word.... :-)

Security
Room B
12:30
12:30
60min
Lunch
Room A
12:30
60min
Lunch
Room B
13:30
13:30
60min
Mastering Wireshark Filtering
Sake Blok

Get to know how to filter properly in Wireshark

Beginner
Room A
13:30
60min
Passive Fingerprinting Methods for IoT Profiling
Asaf Fried

The Internet of Things (IoT) has revolutionized the way we live and work, but it has also created significant challenges for network security and asset management. Most businesses have a blind spot when it comes to IoT devices, which creates an opportunity for attackers. Lacking sufficient visibility and control, these devices provide an easy and inconspicuous way for attackers to infiltrate a network.

With a vast array of devices, identifying what devices are running in the network has become a critical issue for organizations. Software agents have been the standard way to collect this information, but for embedded and IoT devices, it’s not always possible to install them. An effective solution to this problem lies in passive fingerprinting, which involves matching uniquely identifying patterns in the host’s network traffic and classifying it accordingly.

Expert / Developer
Room B
14:30
14:30
90min
Communication breakdown - making online conferencing work in secured company networks
Robert Hess

A troubleshooter's tale
I routinely help large global enterprises to find problems in their network when our online conferencing products do not work as expected. The problems range from very low level, like broken packet fragmentation, to high level, like wrong geolocation detection.
This brings me in contact with network security in various ways, and I learn about their ideas of securing networks and also how to configure such security systems, and have to come up with ideas to make the conferencing software work.
As there is obviously no way around making our networks more secure, the question remains: how do we keep them working at the same time? I will show my approach to these problems.

Intermediate
Room A
14:30
90min
Unlocking Security Insights: Wireshark Techniques for Security Analysts
Walter Hofstetter

Packet-level analysis stands as the gold standard in incident response, providing the most detailed evidence during security investigations. Despite its importance, packet analysis is often underutilized, typically considered only as a last resort. This session aims to elevate the use of Wireshark in everyday security practices, demonstrating its effectiveness not just in validating security tool alerts but in gaining a profound understanding of attack methodologies through network traces.

The session will focus on:
Explore SSL Interception: Demonstrate methods for SSL interception, comparing browser-based versus proxy-based analysis, including techniques like PCAP over IP for remote capturing.
Investigate Attack Vectors: Learn to identify various network scans and conduct in-depth analyses of successful attacks. We will also highlight a successful attack using Metasploit, capturing and analyzing network traces to deepen our understanding, and see examples of useful Lua plugins for security.

Security
Room B
16:00
16:00
15min
Break
Room A
16:00
15min
Break
Room B
16:15
16:15
90min
IPsec VPN Analysis and troubleshooting
Jean-Paul ARCHIER

In this session we intend to demonstrate how Wireshark can be used to analyze IPsec VPNs in site-to-site and remote-access contexts. We will also present some failure cases where Wireshark can be of help.

Intermediate
Room A
16:15
90min
Kerberos Deep Dive
Eddi Blenkers

Kerberos is the bread-and-butter protocol used for authentication and authorization in a Windows domain.
Like many Windows components, it works fine in the default configuration and offers several options to strengthen its security. These include the search for old encryption algorithms and the introduction of Kerberos Armoring, a.k.a. Kerberos FAST.
This workshop will take you into the inner workings of Kerberos. We will use Wireshark to identify faulty configurations and misleading messages in event logs, and to decrypt whatever Windows wants to hide from plain view.

Security
Room B
18:30
18:30
180min
Sponsor Technology Showcase Reception, Treasure Hunt & Dinner

Join us for a fun night with an opportunity to enjoy wonderful conversations and win some cool prizes!

Organization
Room A
09:00
09:00
45min
Panel Discussion
Roland Knall

Let us discuss what interesting topics lay ahead of us

Beginner
Room A
09:45
09:45
90min
A Deep Dive Into Traffic Fingerprints using Wireshark
Luca Deri, Ivan Nardi

Understanding network traffic fingerprints is crucial for enhancing cybersecurity and network performance. This talk provides a concise exploration of network traffic fingerprints, discussing their definition, identification methods, and practical applications. We will cover techniques like deep packet inspection, flow analysis, and machine learning to capture and analyze traffic patterns. Real-world examples using Wireshark/tshark will illustrate their use in intrusion detection, anomaly detection, and network optimization.

Challenges such as encryption and evolving threats will be addressed, alongside emerging trends in network traffic analysis. Attendees will gain actionable insights on leveraging traffic fingerprints for improved security and efficiency, making this talk essential for network administrators, security professionals, and researchers. Join us to uncover the hidden patterns within your network and elevate your traffic analysis strategies.

Intermediate
Room A
09:45
90min
Unveiling Network Errors: A Deep Dive into ICMP 'Destination Unreachable' Messages
Johannes Weber

Effective troubleshooting of network issues is a critical concern for network technicians. While many are familiar with basic ICMP tools like ping and traceroute, the breadth of ICMP capabilities often goes underutilized. This session delves into ICMP messages, specifically the 'Destination Unreachable' type, and the insights they provide into network errors.

We will explore methods for capturing and analyzing network traffic, highlighting practical tips and tricks for using Wireshark to diagnose and resolve issues efficiently. Attendees will gain a deeper understanding of ICMP message functions and how to leverage them for improved network troubleshooting.

Expert / Developer
Room B
11:15
11:15
15min
Break
Room A
11:15
15min
Break
Room B
11:30
11:30
60min
3GPP, a walk through the LTE, and 5G networks
Mark Stout

We'll review LTE and 5G network structure and some unique protocols that support mobility services.

Intermediate
Room A
11:30
60min
Deep packet inspection analyses: Unveiling a shocking RDP Attack through unusual protocol combinations
Michal Soltysik

In September 2018, the Internet Crime Complaint Center (IC3), in collaboration with the Department of Homeland Security and the Federal Bureau of Investigation, warned of attackers exploiting legitimate tools like Remote Desktop Protocol (RDP) for malicious purposes. This presentation explores a recently discovered large-scale RDP Tunneling Attack that weaponized the mstshash cookie, a session management mechanism within RDP. The most intriguing aspect of this attack was the attacker's diverse use of protocols, including TCP, SSL, MEMCACHE, Socks, WOW, WOWW, MySQL, X11, MQTT, LISP, VICP, RSL, KDSP, ICAP, BitTorrent, CVSPSERVER, NDPS, PTP/IP, TPM, kNet, ECMP, and FF. This talk utilizes deep packet inspection (DPI) analysis to dissect this attack, revealing why seemingly unrelated protocols were chosen and emphasizing the attacker's strategy to bypass traditional security measures.

Security
Room B
12:30
12:30
60min
Lunch
Room A
12:30
60min
Lunch
Room B
13:30
13:30
60min
Advanced TCP Troubleshooting
Jasper Bongertz

Analyzing TCP connections is the most common task a network analyst has to perform. And even though tracking sequence numbers and packet loss, and generally understanding the TCP handshake and teardown, can be tricky, many analysts know how to deal with those steps. But sometimes you need to analyze complex situations and figure out what is going on, for example by looking at packet timing or troubleshooting an issue with less than ideal capture results. In this talk we'll look at techniques that can help and, of course, look at some example traces.

Expert / Developer
Room B
13:30
60min
VXLAN, EVPN and other intricacies unpacked
Pierre Besombes

This talk will focus on VXLAN and MP-BGP EVPN in datacenter environments. It will analyze some of the inner workings and interactions between all the different components using Wireshark and will hopefully provide attendees with a better understanding of how these different pieces of technology work altogether. It will also give some troubleshooting tips for VXLAN EVPN. The discussion will first cover foundational concepts (VXLAN encapsulation, EVPN route types, L3VNI/L2VNI...) and get into more advanced topics (BGP unnumbered, RTs, MLAG/MH interactions, TE).

Intermediate
Room A
14:30
14:30
60min
Dissector developer design notes
Jaap Keuter

In this talk we'll go over many of the details that dissector developers have to contend with. Not only will we touch on some of the Epan APIs available to us, but we will go beyond the APIs and discuss the way of thinking about packet dissection design. Here we may discover wisdom that is not only important to dissector developers, but to software development in general.

Even though in this talk we will focus on development of C code, Lua dissector developers may take away some deeper insights as well.

Expert / Developer
Room B
14:30
60min
Everything is encrypted
André Luyer

More and more traffic is encrypted using TLS: “https is the new tcp”. What if you need to troubleshoot but can’t use decryption, either because it is hard to do or because it is not allowed?
Based on traffic patterns, or metadata, it is still possible to draw conclusions: who is slow, how many application turns (request/response pairs) there are, the size of the data, whether the communication is efficient (overhead ratio), etc.
In this session we cover the methods of analyzing such traffic using Wireshark. The first part covers TLS up to version 1.2. The second part covers TLS 1.3, which is much harder to do, but not impossible.

Intermediate
Room A
15:45
15:45
15min
Break
Room A
15:45
15min
Break
Room B
16:00
16:00
60min
Dissecting the Client Hello with Pyshark
Katherine Leese

This talk covers using Pyshark for analyzing pcap files, focusing on accessing nested elements in network packets, particularly within Client Hello packets, including encryption suites and TLS versions. This presentation provides an updated guide on effectively using Pyshark, addressing the gaps in current documentation and offering practical insights. The session will cover the basics of loading pcap files, inspecting packet types and layers, and using commands to list packet layers and extract details. It includes a practical example of extracting offered encryption suites from Client Hello packets to ensure secure encryption methods. By applying Wireshark display filters in Pyshark, the talk demonstrates how to efficiently find needed packets. Key issues and solutions when using JSON and Python objects will be highlighted, helping avoid errors and process data smoothly. Learn to effectively access and use nested elements and specific data points with Pyshark.

Intermediate
Room A
16:00
60min
Optimizing Server Settings Using Packet Captures
Josh Clark

This talk explores how we might use Wireshark to optimize servers and applications even when they aren't slow. Depending on the type of traffic, optimizing TCP windowing and reducing the number of round trips required to transmit information can improve the speed of an application significantly.

Expert / Developer
Room B
17:00
17:00
60min
Network traffic @ your home
Ville Haapakangas, Tom Cordemans

Wireshark has become an omnipresent tool in the realms of IT, OT, IoT, and cybersecurity.

Recognizing that today's higher education students rely less on textbooks and more on dynamic learning experiences, educators must adapt and develop innovative methods to effectively engage students and help them achieve their aims.

The goal of this presentation is to flatten the learning curve of network packet analysis. By using captures within the learner’s living space, we can teach necessary skills and gain insights without much overhead. In addition, the particular communication behaviour of smart devices (lights, television, vacuum cleaner, Xbox, doorbell, pet cam, … ) is often unknown to many people.

The objective of this interactive session is to provide participants with ideas on harnessing Wireshark's capabilities for their own activities while showcasing its usage in higher education and research endeavours.

Beginner
Room A
18:30
18:30
150min
Sponsor Technology Showcase & Dinner

Organization
Room A
09:00
09:00
45min
SharkBytes

Come and enjoy an interesting session with learning interesting stuff about each other!

Organization
Room A
09:45
09:45
90min
Sharksniff 3000 - the Wireless Decrypting Cyberdeck
Ross Bagurdes

Modern networks and devices rely heavily on two critical protocols: WiFi and TLS encryption. Many devices, such as smartphones, tablets, IoT devices, and others, lack built-in options for packet capture or the ability to obtain session keys.

My objective was to develop a device that functions as a proxy, capable of capturing traffic from wireless devices, decrypting and re-encrypting it, and outputting session keys—all while remaining invisible to the end user. The ultimate goal is to enable engineers to analyze decrypted traffic.

In this session, I'll share my motivation for building the cyberdeck, the challenges and successes I encountered, how the system works, and review traffic captures from well-known smartphone apps.

Intermediate
Room A
09:45
90min
Why web pages remain vulnerable to Layer 7 DoS Attacks (even with TLS 1.3 and QUIC)
Michal Soltysik

This presentation dives deep into the inherent vulnerabilities within web pages, exposing them to Layer 7 Denial-of-Service (DoS) attacks regardless of the encryption protocol employed (e.g. ICP, WTLS, DTLS, TLS 1.2/1.3, or QUIC). We'll meticulously dissect the specific weaknesses of the Internet Cache Protocol (ICP) and explore how it can be weaponized to circumvent security measures. Our analysis will further delve into the vulnerabilities residing within the handshake processes of DTLS, QUIC, TLS 1.2 and WTLS, along with a critical examination of the concerning bypass of TLS 1.3's renegotiation mitigation strategies. This session will provide valuable insights for security professionals and web developers, highlighting the importance of layered security strategies beyond encryption protocols to defend against DoS attacks.

Security
Room B
11:15
11:15
15min
Break
Room A
11:15
15min
Break
Room B
11:30
11:30
60min
Beyond Network Latency: Chasing Latency up the Stack
Josh Clark

This talk is an introduction to intuiting where non-network latency comes from. While it's usually quite clear how to determine what is network latency and what isn't, it's less clear how to dig into the timing differences between packets at different stages of a TCP conversation to direct troubleshooting at different layers of the stack.

Using a Linux-based web server as an example platform, this talk will demonstrate what network latency looks like, what host latency looks like, and what application/backend latency looks like. To explain what we see in the demonstration, we will also examine the web server to show how packets and requests propagate through the Linux OS to the web server application.

Attendees of this talk will leave with a greater understanding of how to identify latency at different stages of a web request. They will understand the basic Linux kernel and OS structure and how different stresses on a system show up in packet captures.

Intermediate
Room B
11:30
60min
Cloud doesn’t have Packets!
Stephen Donnelly

It’s easy to laugh at the apocryphal executive quote “Cloud doesn’t have Packets!”, but is there something more to it? What might they have meant?

What are the differences between traditional on-premises and Cloud networking and architectures, and what does this tell us about attitudes towards network-based security and troubleshooting?

In this talk we will look at how Cloud differs from On-prem networking, what common Cloud architectures look like, and how they can confound established practice. We will review options for Packet Capture and network based tools in Cloud compared to On-prem environments, and discuss whether it is practical, beneficial, and necessary.

Beginner
Room A
14:00
14:00
60min
Closing Remarks and Farewell reception

Organization
Room A