SharkFest'24 US

08:00
08:00
60min
Check-In & Badge Pick-Up + Breakfast
Wireshark Foundation

Check in for your conference classes

Organization
Potomac Ballroom
08:00
60min
Check-In & Badge Pick-Up + Breakfast
Wireshark Foundation

Check in for your conference classes

Organization
Great Falls
09:00
09:00
60min
Keynote: "... So that's what we did!"
Gerald Combs

Gerald Combs & Friends talk about the new developments over the past year

Organization
Potomac Ballroom
10:00
10:00
15min
Break
Potomac Ballroom
10:00
15min
Break
Great Falls
10:15
10:15
60min
Finding Duplications with Wireshark
Megumi Takeshita

Duplication gives us the key to troubleshooting problems.

Intermediate
Potomac Ballroom
10:15
60min
Real-world post-quantum TLS
Peter Wu

Quantum computers are coming which may break the security of existing TLS communications. Therefore we need post-quantum (PQ) cryptography to secure the new world. In this session, we will go over the basic flow of a TLS session, and compare various configurations (TLS 1.2, TLS 1.3, TLS 1.3 with PQ). We will also discuss how we can use Wireshark to study real-world traffic on the public Internet. Since TLS is encrypted, we will also go over methods to enable TLS decryption.

Intermediate
Great Falls
11:30
11:30
15min
Break
Potomac Ballroom
11:30
15min
Break
Great Falls
11:45
11:45
60min
3GPP and me! A walk through of mobility
Mark Stout

We'll review LTE and 5G network structure, and some unique protocols that support mobility services.

Intermediate
Potomac Ballroom
11:45
60min
Monitoring and Troubleshooting Without Packet Traces
Chris Hull

"Packets Never Lie" has been a phrase that I have lived by for many years, and the ability to tease out root causes of application and network issues with packet data has been a key to my career. But with the move to more data in the cloud and [S,A,I,N]aaS deployments, the ability to capture or monitor at the packet level has been curtailed. I have been working on multiple efforts to obtain key data about network-related incidents and behavior from other sources, primarily from log sources. Proxy, firewall, VPN, application and the more elusive cloud and SAAS logs have all provided insight into network health and fed into incident support. In this presentation, I will share how I have used proxy logs to measure ongoing RTT, VPN logs to measure network hiccups, firewall logs to measure connectivity failures and cloud flow logs to identify security configuration errors. How to trust these data sources? Validation of these approaches with packet traces and Wireshark.

Intermediate
Great Falls
13:00
13:00
60min
Lunch
Potomac Ballroom
13:00
60min
Lunch
Great Falls
14:00
14:00
60min
Bake your own Pi: Building a TLS Decrypting Wireless Traffic Sniffer
Ross Bagurdes

Ever struggled with capturing traffic from your mobile device or felt stumped by encrypted applications? Dive into this comprehensive session to build your very own wired or wireless traffic sniffer using a Raspberry Pi.

In this engaging workshop, you'll explore:

• Selecting the ideal Raspberry Pi hardware and components.
• Choosing the best Raspbian OS versions.
• Building proper interface and routing configurations.
• Setting up a wireless AP.
• Generating and installing certificates.
• Setting up a TLS proxy to export session keys.
• Connecting devices to capture their traffic.
• Limitations of the device and configuration.
• Addressing critical security and privacy considerations associated with the device.
Walk away with the confidence and knowledge to construct a wireless capture device, granting you the power to decrypt and troubleshoot applications with ease (results may vary).

Intermediate
Great Falls
14:00
60min
Using Wireshark to Solve Real Problems for Real People
Kary Rogers

Real-world packet analysis case studies. Stop banging your head on your desk trying to find root cause and solve performance problems. The answers are in the packets and this session will show you step-by-step in Wireshark how to solve real world case studies that had stumped others. Be the hero!

Intermediate
Potomac Ballroom
15:15
15:15
15min
Break
Potomac Ballroom
15:15
15min
Break
Great Falls
15:30
15:30
90min
Smart Networks: Automating Analysis and Troubleshooting with AI Chatbots
Roland Knall

In this SharkFest US talk, we'll cover how to use Python and open-source language models with Wireshark for network troubleshooting. We'll focus on automating packet capture analysis, using language models for anomaly detection, and creating a chatbot to answer common network questions. The talk includes live demos showing how these tools can simplify network analysis and troubleshooting. This session is aimed at providing practical skills for improving network management and security with advanced technology.

Expert / Developer
Potomac Ballroom
15:30
90min
Wireshark plus Advanced Analytics – Better Together (2 part session)
John Pittle

Real-life troubleshooting of a difficult 3rd-party software performance issue using Wireshark and Advanced Analytics

Intermediate
Great Falls
17:00
17:00
15min
Break
Potomac Ballroom
17:00
15min
New Break
Great Falls
17:15
17:15
60min
Cloud doesn’t have Packets!
Stephen Donnelly

It’s easy to laugh at the apocryphal executive quote “Cloud doesn’t have Packets!”, but is there something more to it? What might they have meant?

What are the differences between traditional On-premise and Cloud networking and architectures, and what does this tell us about attitudes towards network based security and trouble-shooting?

In this talk we will look at how Cloud differs from On-prem networking, what common Cloud architectures look like, and how they can confound established practice. We will review options for Packet Capture and network based tools in Cloud compared to On-prem environments, and discuss whether it is practical, beneficial, and necessary.

Beginner
Potomac Ballroom
17:15
60min
Wireshark plus Advanced Analytics – Better Together (2 part session)
John Pittle

Real-life troubleshooting of a difficult 3rd-party software performance issue using Wireshark and Advanced Analytics

Intermediate
Great Falls
18:30
18:30
120min
Sponsor Technology Showcase Reception, Treasure Hunt & Dinner

Join us for a fun night with an opportunity to enjoy wonderful conversations and win some nice gadgets!

Organization
Potomac Ballroom
08:00
08:00
60min
Breakfast
Potomac Ballroom
08:00
60min
Breakfast
Great Falls
09:00
09:00
60min
Panel Discussion: Steering the Wireshark project into the future
Roland Knall

Come join us for an engaging discussion about the future of our small little project

Beginner
Potomac Ballroom
10:00
10:00
15min
Break
Potomac Ballroom
10:00
15min
Break
Great Falls
10:15
10:15
90min
Enhancing Wi-Fi Networks with AI: A Deep Dive into Machine Learning for Wi-Fi Health Checks
Murat Bilgic

This course instructs participants on how to conduct Wi-Fi Health Checks using machine learning (ML). It explores AI and ML technologies tailored for enhancing Wi-Fi network health, addressing issues like interference and congestion. Integrating AI into Wi-Fi monitoring sustains robust connectivity crucial for remote work, online learning, and digital entertainment. Participants gain practical experience in ML techniques for network analysis and optimization. Prerequisites include basic Python knowledge and Internet connectivity. Upon completion, attendees will possess a comprehensive understanding of ML's application in improving Wi-Fi network health.

A.I.
Potomac Ballroom
10:15
60min
TCP Retransmissions - How many is "too" many?
Betty DuBois

Some packet loss is expected, but how do you define "some"? This talk examines the characteristics of expected loss due to signal interference or router queue drops, versus excessive retransmissions indicating deeper issues.

  • Practice with a "normal" TCP stream which has slight packet loss. How long should it take, and what are those darn Dup ACKs?
  • Identifying the source of excessive retransmissions - your network or theirs?
  • Retransmissions of specific packet types within TCP streams. Is it always or only sometimes?
  • High retransmission counts in a pcap captured within a building, yet the switches and routers report no errors. What could cause that?

By analyzing real-world examples, you'll gain a detailed understanding of TCP retransmission patterns, learn to distinguish "normal" from "excessive", and troubleshoot accordingly.

Intermediate
Great Falls
11:30
11:30
15min
Break
Great Falls
11:45
11:45
15min
New Break
Potomac Ballroom
11:45
60min
Passive Fingerprinting Methods for IoT Profiling
Asaf Fried

The Internet of Things (IoT) has revolutionized the way we live and work, but it has also created significant challenges for network security and asset management. Most businesses have a blind spot when it comes to IoT devices, which creates an opportunity for attackers. Lacking sufficient visibility and control, these devices provide an easy and inconspicuous way for attackers to infiltrate a network.
With a vast array of devices, identifying what devices are running in the network has become a critical issue for organizations. Software agents have been the standard way to collect this information, but for embedded and IoT devices, it’s not always possible to install them. An effective solution to this problem lies in passive fingerprinting, which involves matching uniquely identifying patterns in the host’s network traffic and classifying it accordingly.

Intermediate
Great Falls
12:00
12:00
60min
Will QUIC Kill TCP?
Chris Greer

Let's tinker with this new protocol and learn about how it works.

Beginner
Potomac Ballroom
13:00
13:00
60min
Lunch
Potomac Ballroom
13:00
60min
Lunch
Great Falls
14:00
14:00
90min
The Packet Doctors are in! Packet trace examinations with the experts
Sake Blok, Ross Bagurdes, Jasper Bongertz

The experts on this panel have been asked to look at a trace file and help find a reason for certain behaviors by attendees at many SharkFests. Based on this, they’ve decided to create a public forum for examining individual trace files with a broader audience for a collective learning experience. Trace files will be gathered from attendees prior to SharkFest and only given to the panel members during the session so that the “not-knowing what to expect and whether it can be solved” experience of working through an unknown trace file can be preserved.

Come to this session and learn to ask the right questions and look at packets in different ways.

PLEASE SEND PERPLEXING TRACE FILES FOR ANALYSIS BY THE PANEL TO [email protected] PRIOR TO SHARKFEST!

Intermediate
Potomac Ballroom
15:30
15:30
15min
Break
Potomac Ballroom
15:30
15min
Break
Great Falls
15:45
15:45
60min
Dissector developer design notes
Jaap Keuter

In this talk we'll go over many of the details that dissector developers have to contend with. Not only will we touch on some of the Epan APIs available to us, but we will go behind the APIs and discuss the way of thinking about packet dissection design. Here we may discover wisdom that is important not only to dissector developers, but to software development in general.

Even though in this talk we will focus on development of C code, Lua dissector developers may take away some deeper insights as well.

Expert / Developer
Great Falls
15:45
60min
Filters from a novice; Back to the Basics
Kirsten Stoner, Karinne Bessette

Do you know what traffic is making its way to your application server? Organizations often manage multiple applications across their networks, but without the proper oversight, these applications can inadvertently create security risks and data sprawl. In this session, we will explore how Wireshark can help maintain hygiene by using filters and profiles. Learn how to apply what you find to improve documentation, gain visibility into change management, and help mitigate security threats.

Beginner
Potomac Ballroom
16:45
16:45
15min
Break
Potomac Ballroom
16:45
15min
Break
Great Falls
17:00
17:00
60min
An API-Driven approach to automating packet captures in cloud-native systems
Nigel Douglas

In Kubernetes, the management and analysis of network traffic is complicated by the transient nature of containers and the complex architecture of Kubernetes elements such as pods, deployments, and services. Traditional tools like Wireshark, while robust, often fail to effectively navigate these intricacies, capturing excessive and irrelevant data that we call "noise."

In this presentation, we will explore how Falco, a cloud-native detection engine, integrated with Falco Talon, a specialized response engine designed for the open-source Falco community, can streamline this process. We'll show how this open-source proof-of-concept enables the automatic initiation of tshark captures directly in response to security alerts triggered by Falco in environments like containers and Kubernetes, which typically do not support interactive GUIs.

Security
Great Falls
17:00
60min
Gotta catch 'em all! A field test of portable gigabit taps
Sake Blok

Capturing packets on the road can be a challenge. Do you have access to the switch? Are you able to install Wireshark on the endpoints? What if one side says it sends packets, but the other side does not receive them? There are many situations in which a tap might be handy or needed to make a useful packet capture. In those cases, having a portable tap in your laptop bag is a life-saver.

There are a few portable USB powered gigabit Ethernet taps on the market that have different capabilities. I made an overview of available portable taps and reached out to vendors to supply me one for a thorough test. This presentation gives an overview of the portable gigabit taps on the market, their capabilities and how well they performed on the test-bench.

Intermediate
Potomac Ballroom
18:30
18:30
120min
Sponsor Technology Showcase & Dinner

Sponsor Technology Showcase, esPCAPe Group Packet Challenge, Reception & Dinner

Organization
Potomac Ballroom
08:00
08:00
60min
Breakfast
Potomac Ballroom
08:00
60min
Breakfast
Great Falls
09:00
09:00
60min
SharkBytes
Wireshark Foundation

SharkBytes consist of “little crunchy bits of wisdom.” Like popular TED talks, SharkBytes aim to inform, inspire, surprise, and delight by delivering a speech on a personal topic in under 5 minutes.

Information and a review of past SharkByte presentations can be found at https://sharkfest.wireshark.org/sharkbytes

Email us your SharkByte session idea: [email protected]

Organization
Potomac Ballroom
10:00
10:00
15min
Break
Potomac Ballroom
10:00
15min
Break
Great Falls
10:15
10:15
60min
Advanced TCP Troubleshooting
Jasper Bongertz

Analyzing TCP connections is the most common task a network analyst has to perform. And even though tracking sequence numbers and packet loss, and generally understanding the TCP handshake and teardown, can be tricky as well, many analysts know how to deal with those steps. But sometimes you need to analyze complex situations and figure out what is going on, for example looking at packet timing or troubleshooting an issue with less-than-ideal capture results. In this talk we'll look at techniques that can help and of course look at some example traces.

Expert / Developer
Great Falls
10:15
60min
Logging and Packet-like Objects
Mike Kershaw

Dig into some of the extra uses of PCAP-NG logging: As the cloud of "smart" devices around us gets more complex and the hardware to monitor it gets cheaper, the prevalence of data which doesn't fit into traditional packet structures increases. With PCAP-NG we can log custom content and custom metadata in a cross-device, cross-platform, standard way.

Intermediate
Potomac Ballroom
11:30
11:30
15min
Break
Potomac Ballroom
11:30
15min
Break
Great Falls
11:45
11:45
60min
Packet-Guided Infrastructure Optimization
Josh Clark

Using packet captures as a feedback mechanism, we will explore how to tune your server environment to both application requirements and network conditions.

Intermediate
Potomac Ballroom
11:45
60min
Three-dimensional display filters with MATE
Chuck Craft

"MATE’s goal is to enable users to filter frames based on information extracted from related frames or information on how frames relate to each other."

Wireshark display filters are great when looking at individual packets.
MATE allows filtering using fields from more than one packet to create a filtered list of packets.

This will be a workshop format, solving a problem in steps using MATE.
In the cases where MATE needs just a little extra we will look at adding a Lua script to the solution.

Intermediate
Great Falls
13:00
13:00
120min
Closing Remarks and Farewell reception

Closing Remarks and Farewell reception

Organization
Potomac Ballroom