SharkFest 25 EUROPE
Level up your Wireshark skills and get ready for Sharkfest! This hands-on course will provide core Wireshark skills for IT pros of all experience levels. Participants will gain a solid understanding of how to use Wireshark to capture, analyze, and troubleshoot network traffic. The course is designed with beginners in mind, but even seasoned packet people will pick up new tips and tricks.
Analyzing TCP connections is one of the biggest topics in network analysis in general, especially when troubleshooting applications or even multi-tiered deployments of servers. Understanding how TCP works and detecting its problems is one of the 'easy to learn, hard to master' skills that is always in demand. Most Wireshark classes only touch the basics and do not go into the more complex scenarios, especially when it comes to multi-point captures to track packet loss and timing issues. In this masterclass you will learn how to troubleshoot TCP in seemingly simple as well as complex and quite challenging cases.
SMB is the bread and butter protocol used to access file shares in virtually every company and home network. Since Windows Vista / Server 2008, the "classic" SMB has been replaced by SMB2 and later SMB3. Since legacy systems running Windows XP / Server 2003 are increasingly rare, we focus on the newer version.
This class will enable students to investigate functional issues and performance problems. Topics covered are:
• SMB handshake, selection of a dialect version and user authentication
• General process of mounting a share and accessing files
• Tracking SMB sessions over multiple interfaces or IP addresses
• SMB functions beyond file sharing (IPC, named pipes)
• Investigating error codes
• Decryption of SMB traffic (not for the faint-hearted)
• Understanding the service response time feature for SMB
• Identification of performance bottlenecks in the network, application logic, client or server
Let's kick off the conference in style!
Gerald Combs & Friends talk about the new developments over the past year
Cloud computing is often described in a very abstract way, but in reality relies on the same networking technologies and protocols we use every day. How can we get visibility into Cloud networks to troubleshoot and secure them?
What are the differences between traditional On-premises and Cloud networking and architectures, and what does this tell us about attitudes towards network-based security and troubleshooting?
In this talk we will look at Cloud networking from the user perspective, and what some common Cloud architectures look like. We will review options for Packet Capture and network based tools in Cloud compared to On-prem environments, and discuss whether it is practical, beneficial, and necessary.
To be the network or not to be the network, that's the question!
This is a question we face a lot. The network is blamed by default, but is it really the network? During this session a couple of real-life cases will be presented: what was the problem, how was it analyzed, what can we learn about the process and, of course, the answer to the question: was it the network?
DNS is a foundational part of the Internet - but also a prime target for attackers. In this talk, we dive into common DNS attack vectors like spoofing, command-and-control traffic via DNS, or DNS tunnelling. We'll explore modern defence mechanisms such as DNSSEC, DNS-over-HTTPS (DoH), and DNS-over-TLS (DoT), and how they help protect DNS integrity and privacy. You'll also get insights into leveraging threat intel and malware feeds to detect malicious domains, plus a look at useful tools for DNS troubleshooting and analysis.
Scanning wireless to find devices with Wireshark
Modern industrial networks pose unique challenges for packet analysis. This talk will introduce Wireshark users to the world of Operational Technology (OT) networks – the networks that control physical equipment in factories, power plants, and critical infrastructure – and explain how they differ from traditional Information Technology (IT) networks. We will explore how OT networks prioritize deterministic, time-critical communication in a way that IT networks do not, and why capturing and analyzing packets in OT environments is often more challenging. Attendees will learn about the distinct network architectures and protocols used in OT (from fieldbus and PLC communications to SCADA systems), and how factors like cycle times and real-time scheduling shape traffic patterns. We’ll discuss why OT traffic tends to be highly regular and cyclic (enabling whitelisting of expected flows) in contrast to the bursty, ad-hoc traffic of IT networks. The talk will also highlight security implicat
Unlock a groundbreaking approach to packet analysis with "Talk with Your Packets," where cutting-edge AI and Large Language Models (LLMs) meet the world of .pcap and .pcapng files. This session explores how natural language, combined with artificial intelligence and a Retrieval Augmented Generation (RAG) pipeline, can transform traditional packet analysis.
We’ll dive into how packets are converted into JSON representations via the CLI, chunked for efficient processing, embedded as vectors, and stored in ChromaDB for retrieval. This democratizes access to advanced packet analysis and makes it easier for users to ask meaningful questions about their packet captures.
While this solution augments Wireshark by aiding in the filtering and crafting of high-value .pcaps (garbage in, garbage out), it does not replace Wireshark. Instead, it empowers analysts with a more intuitive and streamlined way to interpret packet data.
In this talk we will get an overview of the networking setup in Kubernetes, using OpenShift as the example.
We will also see how application traffic can be captured and analysed.
A hands-on lab that goes with the lecture. Participants will be using AI and natural language (NL) to 'talk to their packets'.
2-hour lab
You’ve wiretapped a suspect’s internet connection. You have the entire packet capture — but not a single clue about what’s relevant, or even what you’re trying to find.
In this session, we walk through a real-life criminal investigation involving the forensic analysis of a standard residential internet connection. The task: uncover evidence of illegal online activity, without prior knowledge of the services used, IP addresses involved, or even the nature of the communication.
Using only Wireshark and patience, the investigator faced hundreds of thousands of packets, countless domains, and protocols ranging from common to obscure. There were no predefined indicators of suspicious communication—just raw traffic and a hunch that something was hidden within.
This talk will demonstrate how targeted filtering, temporal analysis, and a dose of good old-fashioned intuition led to the successful identification of suspicious communication. Starting with nothing but a massive stream of packet
We'll walk through packets captured from a cell phone acquiring a tower, and follow the packet all the way out to the Internet. We'll show filters used when troubleshooting 4G/5G, as well as some real-world problems.
This session offers a practical, Wireshark-driven approach to understanding and troubleshooting MPLS. The goal is to articulate the control plane and data plane's inner workings through packet analysis. We'll deep-dive into packet structures, label exchange mechanisms, and eventually explore some traffic engineering scenarios. This session begins with a quick review of MPLS fundamentals, then dives into real-world use cases and potentially explores related technologies and advancements like SR-MPLS.
Join us for a fun night with an opportunity to enjoy wonderful conversations and win some nice prizes!
Open-source software is everywhere—from network security tools like Wireshark and Suricata to the critical infrastructure enterprises rely on daily. Yet, when OSS enters the corporate conversation, it’s often met with "Isn’t it free? Why should we invest in it?" or “Won’t the community just take care of everything?” or "Who’s responsible if something goes wrong?" Instead of treating OSS as a strategic asset, these misconceptions create barriers to security, sustainability, and innovation.
This session will help you shift the OSS conversation—moving from passive consumption to active engagement. Drawing from real-world experience leading OISF (Suricata), we’ll explore how to make the business case for OSS, advocate for responsible adoption, and integrate due diligence into enterprise processes. Attendees will leave with strategies to foster internal support and transform OSS from an afterthought into a competitive advantage.
Gerald has been working on a new tool that has just been released to the public: Stratoshark. It has the same look and feel as Wireshark (as it shares quite a bit of common code), but you can analyze (Linux) system calls and (cloud) logs with it.
As per www.stratoshark.org:
Stratoshark lets you explore and investigate the application-level behavior of your systems. You can capture system call and log activity and use a variety of advanced features to troubleshoot and analyze that activity. If you've ever used Wireshark, Stratoshark will look very familiar! It's a sibling application that shares the same dissection and filtering engine and much of the same user interface. It supports the same file format as Falco and Sysdig CLI, which lets you pivot seamlessly between each tool. As an added bonus, it's open source, just like Wireshark and Falco.
This talk will give you an introduction to Stratoshark and some hints to get started on your Stratoshark journey.
The SMB masterclass (available as pre-conference training) throws students into the network of a fictitious company. With the limited time of a one-day class, I had prepared a few use cases that did not make it into the class. Here is an extra hour of SMB analysis with a focus on performance analysis.
In this talk we'll go over lots of the details that dissector developers have to contend with. Not only will we touch on some of the Epan APIs available to us, but we will go beyond the APIs and discuss the way of thinking about packet dissection design. Here we may discover wisdom that is not only important to dissector developers, but for software development in general.
Even though this talk will focus on development of C code, Lua dissector developers may take away some deeper insights as well.
According to their documentation, modern WebRTC-based conferencing solutions require literally thousands of open ports to hundreds of thousands of IP addresses to play.
How come they still work in today's super-restrictive corporate networks, when they were conceived at a time when the Internet was still an idyllic place and a firewall just a clean-cut packet filter?
And how can you fix them, in case they don't cooperate?
I invite you to my journey of finding this out and I'll show you my implements ;-)
The experts on this panel have been asked to look at a trace file and help find a reason for certain behaviors by attendees at many SharkFests. Based on this, they’ve decided to create a public forum for examining individual trace files with a broader audience for a collective learning experience. Trace files will be gathered from attendees prior to SharkFest and only given to the panel members during the session so that the “not-knowing what to expect and whether it can be solved” experience of working through an unknown trace file can be preserved.
Come to this session and learn to ask the right questions and look at packets in different ways.
PLEASE SEND PERPLEXING TRACE FILES FOR ANALYSIS BY THE PANEL TO [email protected] PRIOR TO SHARKFEST!
Every once in a while there is a need to share actual capture files with others. Maybe a technical support person at a vendor needs packets to troubleshoot a device your company bought. Or you want to ask a more seasoned network analyst for help (the packet doctors at Sharkfest, for example ;)). In many cases it is necessary to remove sensitive information from the capture file first, for example IP addresses or even meta information about the capture itself. There are different ways to achieve the goal of a sanitized capture file, but there are pros and cons to all of them. In this session we'll take a look at the various options so that you know how to share your capture files without exposing sensitive information.
Network packet analysis remains a cornerstone in both education and research. In this session, we will present a series of practical examples that illustrate its continued relevance and versatility. Our proven format remains unchanged from previous years—expect an interactive, engaging experience enhanced by gamification elements that create a dynamic learning environment.
As technology and methodologies evolve, so does our content. We will explore and demonstrate new insights and approaches that have emerged over the past year. Whether you're new to packet analysis or looking to deepen your expertise, this session will leave you with fresh perspectives and actionable ideas to take away.
Modern operating systems ship with native IPv6 support and dual stack configurations enabled by default. While this is essential for comprehensive connectivity, it introduces subtle yet critical security risks - especially in environments still predominantly focusing on IPv4 and IPv4 security.
This talk provides an overview of dynamic IPv6 configuration options and explores how attackers can exploit IPv6 capabilities to compromise IPv4 networks. We will demonstrate how IPv6 features - such as SLAAC, Router Advertisements, and DHCPv6 - can be weaponized in dual stack setups. For this, we will use Wireshark to analyze different types of attacks and the corresponding behaviors of the targeted operating systems at the packet level. Finally, we will conclude our talk with recommended mitigation strategies for the identified issues.
• You want to reproduce a network problem for specific frames?
• You want to test a Wireshark dissector you’ve developed but a sample capture is missing?
• You want to test whether an application reacts to all defined commands?
• You do a penetration test and want to see how a network device handles undefined data (e.g. with TCP MSS=0)?
For all these cases, Scapy can help you build the packets you need. In this talk, I will show you how to do it. Scapy is a packet manipulation tool written in Python. It can forge or decode packets, send them on the wire, capture them, and match requests and replies. At the end of the session, we can assemble packets together in a hands-on session. => Bring your laptop with you.
In the past HTTP was just used for websites. Today many applications depend on APIs, using HTTP(S) as the communication protocol as well. So, when troubleshooting there is a big chance that you have to investigate HTTP traffic. With HTTP/2 and HTTP/3 becoming more popular, that may require a different approach.
This session is not only about how to use Wireshark, but especially about understanding the protocol: what the HTTP status codes really mean, quirks of cookies, caching done the right way, compression and more.
Nearly every organization is using Voice over IP (VoIP) in their networks. But sometimes administrators and engineers are facing complex challenges. On the signalling side they see incompatibilities between vendors arising from over 100 RFCs regarding SIP, or some weird SIP stack implementations. On the audio side, end users sometimes experience bad quality because of jitter, loss or latency, or they have one-way audio because of bad media descriptions. All this comes coupled with the increasing use of encryption and NAT by cloud PBX solutions such as Teams Phone or Webex Calling.
Attendees will explore the fundamentals of SIP and RTP paired with the use of the integrated tools in Wireshark for effective and efficient troubleshooting. They will see some real-world examples and learn how these were solved using Wireshark.
Sake's esPCAPe Group Packet Challenge is back!
Come and enjoy an interesting session and learn interesting stuff about each other!
Ever struggled with capturing traffic from your mobile device or felt stumped by encrypted applications? Dive into this comprehensive session to build your very own wired or wireless traffic sniffer using a Raspberry Pi.
To analyze PCAP files, you have to learn a lot about protocols, processes and typical problems in networks. However, it is just as important to collect the right data at the right place in the network in order to obtain the packet data required for the analysis.
Network analysts need clearly defined tasks of what to identify, check, prove or solve. They need to understand the network structure and application behavior at customer sites and finally get permission to capture application traffic with the required equipment.
In this presentation, Matthias will discuss the issues network analysts need to address before they start collecting data from customer sites or from their own corporate networks. Using real cases, he will explain what was helpful for a successful analysis, and what was not.
This talk presents NetCapVis, a visual analytics tool that allows users to easily overview PCAP data and quickly filter to relevant data.
While Wireshark excels at data processing, its data presentation is complex, and operating it efficiently requires expertise.
NetCapVis is the result of a research project and is under development. New research ideas focus on AI classification of packets and explainable AI visualization.
One possible future direction is to collaborate on connecting the visual-interactive dashboard to Wireshark as a plugin.
The talk will focus on three core topics.
1. Visual-Interactive Analysis
2. AI Classification and Explainable AI
3. The combination of the visual-interactive dashboard and Wireshark
This year was the first time that the election of Wireshark Technical Steering Committee (WTSC) members took place.
In this session we want to report how the election went, how it was organised, what we learned for the next time and why "a few emails and validating and counting responses and maybe a couple of online meetings for the EC folks" is not enough.
Come and talk to us if you have any wishes or requests for the foundation or the WTSC board members.
Lunch, Closing Remarks and Farewell reception