Level up your Wireshark skills and get ready for Sharkfest! This hands-on course will provide core Wireshark skills for IT pros of all experience levels. Participants will gain a solid understanding of how to use Wireshark to capture, analyze, and troubleshoot network traffic. The course is designed with beginners in mind, but even seasoned packet people will pick up new tips and tricks.
Analyzing TCP connections is one of the biggest topics in network analysis in general, especially when troubleshooting applications or even multi-tiered deployments of servers. Understanding how TCP works and detecting its problems is one of the 'easy to learn, hard to master' skills that is always in demand. Most Wireshark classes only touch the basics and do not go into the more complex scenarios, especially when it comes to multi-point captures to track packet loss and timing issues. In this masterclass you will learn how to troubleshoot TCP in seemingly simple as well as complex and quite challenging cases.
The applications of today depend more and more on secure communication channels. For most internet applications the TLS protocol (still mostly referred to as SSL) provides the secure channel to communicate over. To be able to troubleshoot problems with applications that use (mutual) TLS, one must understand how TLS sessions are set up, how certificates and certificate authorities come into play, and how you can look inside the encrypted traffic to analyse the (cleartext) application data. In this session you will gain a better understanding of the operation of the TLS protocol and, more importantly, you will learn how to troubleshoot TLS-based communications when things don't work as expected.
Let's kick off the conference in style
Gerald Combs & Friends talk about the new developments over the past year
While many people like Ray Kurzweil and Sabine Hossenfelder point out that we have not really seen any real cause for concern that quantum computing is about to actually work, much less crack the world’s encryption technologies, there are regulations in the works such as FIPS 203 (as well as FIPS 204 & FIPS 205) to migrate to quantum-safe algorithms. In this talk, I plan to use Wireshark to sniff out TLS handshakes using Microsoft Edge and Google Chrome to see the algorithms negotiated, which of them are threatened by quantum computing (Shor’s algorithm), and why it may actually be faster anyway to migrate.
Gerald has been working on a new tool that has just been released to the public: Stratoshark. It has the same look and feel as Wireshark (as it shares quite a bit of common code), but you can analyze (Linux) system calls and (cloud) logs with it.
As per www.stratoshark.org:
Stratoshark lets you explore and investigate the application-level behavior of your systems. You can capture system call and log activity and use a variety of advanced features to troubleshoot and analyze that activity. If you've ever used Wireshark, Stratoshark will look very familiar! It's a sibling application that shares the same dissection and filtering engine and much of the same user interface. It supports the same file format as Falco and Sysdig CLI, which lets you pivot seamlessly between each tool. As an added bonus, it's open source, just like Wireshark and Falco.
This talk will give you an introduction to Stratoshark and some hints to get started on your Stratoshark journey.
With Sharkmon, Wireshark users can now finally start monitoring, using the same syntax and the same core technology, but across thousands of pcap files covering hours, days, or months of data.
Unlock a groundbreaking approach to packet analysis with "Talk with Your Packets," where cutting-edge AI and Large Language Models (LLMs) meet the world of .pcap and .pcapng files. This session explores how natural language, combined with artificial intelligence and a Retrieval Augmented Generation (RAG) pipeline, can transform traditional packet analysis.
We’ll dive into how packets are converted into JSON representations via the CLI, chunked for efficient processing, embedded as vectors, and stored in ChromaDB for retrieval. The goal is to democratize access to advanced packet analysis and make it easier for users to ask meaningful questions about their packet captures.
While this solution augments Wireshark by aiding in the filtering and crafting of high-value .pcaps (garbage in, garbage out), it does not replace Wireshark. Instead, it empowers analysts with a more intuitive and streamlined way to interpret packet data.
End users and application teams complain to you about latency, but we want to prove it is not the network. How about that? Latency lies everywhere, not only in the network round-trip time.
In this talk we will go over the packet flow when your cell phone acquires an LTE network, and what the packets look like once you are connected. We will also cover how Wireshark tools can be used to look at traffic with the tunneling protocols used in LTE.
Learn how to recognize and detect malicious activity on the wire.
Wireshark and packet analysis show us what happened, but to understand the why behind what we see, we apply our expectation of what should happen to what we actually observe. To set the proper expectation, how we actually capture and the location of our diagnostic tool are important. This is a discussion of how we can determine where and how a capture was taken based on what we observe in our pcap files.
26 years after the initial release of IPv6 we observe that many networks are not formally implementing IPv6; however, most modern desktop, server, and network OSes have had IPv6 enabled for 15+ years. That means many IT departments and technologists don't realize that IPv6 is in fact all over their networks, nor what the potential implications are.
This session will encompass the access/recon/exploit of an "IPv4 only" network using IPv6... and yes, Wireshark will be used!
Did you know that communication networks play a critical role in the power grid's reliability and safety? In this session, we will look at the power grid from a bird’s-eye view, highlighting its key components: generation, transmission, distribution, and consumers. Each area is interconnected through various networks, which play a crucial role in the efficient operation of the power grid. We will then focus on the devices that are essential for safeguarding the power grid and communicating critical information to other devices and SCADA systems. To bring these concepts to life, we will walk through a real customer issue and highlight the critical role Wireshark played in troubleshooting and determining root cause.
The Wireshark Certified Analyst exam is here. This is an exciting step for the Wireshark Community!
In this session, Chris and Ross, who helped to develop the WCA, go into the steps that were taken to create, develop and deliver the exam. Beyond sharing the objectives, we will explore the intended audience, how to prepare, sample labs, and what types of jobs this certification will support. Time will be taken for live training labs that feature exam objectives, as well as for Q+A about the certification.
Come learn more about the certification and find out if you are ready to become one of the first WCAs in the world!
Join us for a fun night with an opportunity to enjoy wonderful conversations and win some nice prizes!
It’s easy to laugh at the apocryphal executive quote “Cloud doesn’t have Packets!”, but is there something to it? What might they have meant?
What are the differences between traditional on-premises and cloud networking and architectures, and what does this tell us about attitudes towards network-based security and troubleshooting?
In this talk we will look at how cloud differs from on-prem networking, what common cloud architectures look like, and how they can confound established practice. We will review options for packet capture and network-based tools in cloud compared to on-prem environments, and discuss whether they are practical, beneficial, and necessary.
In this presentation I will explain how JA4+ network fingerprinting works and show you how to use it to detect malware clients, their C2 servers, reverse SSH shells, connections from proxies and VPNs, estimate the location of the true client behind the proxy or VPN, and a lot more, all just by passively looking at the network traffic with JA4+ and without the need to break encryption.
JA4+ is free and available across a wide range of open source and vendor tools you already use including Wireshark, Zeek, Arkime, Suricata, Censys, Vectra, etc.
While many companies have a network engineer that becomes the de facto packet analyst, building a full performance engineering (PE) team takes time and effort, as well as support from upper management. This talk will chronicle one team's experience with building and maintaining a high-achieving PE team over the past 13 years.
This is designed to be an interactive discussion of what Performance Engineering is and what the future is for packet experts. Come ready to share your stories and challenges.
To be the network or not to be the network!
This is a question we face a lot. The network is blamed by default, but is it really the network? During this session a couple of real-life cases will be presented: what was the problem, how was it analyzed, what can we learn about the process, and of course the answer to the question: was it the network?
RFC 3271 spoke about the Internet being for everyone. Even today, in 2025, it isn't. Its functionality keeps growing and changing, and new protocols are created: a good reason that Wireshark has a future! Despite its penetration, the Internet is not yet reliably for everyone. In this talk, I will review technical and policy considerations that must be addressed to achieve an Internet that really is for everyone. Will AI help? A question worthy of exploration.
The experts on this panel have been asked by attendees at many SharkFests to look at a trace file and help find a reason for certain behaviors. Based on this, they’ve decided to create a public forum for examining individual trace files with a broader audience for a collective learning experience. Trace files will be gathered from attendees prior to SharkFest and only given to the panel members during the session so that the “not knowing what to expect and whether it can be solved” experience of working through an unknown trace file can be preserved.
Come to this session and learn to ask the right questions and look at packets in different ways.
PLEASE SEND PERPLEXING TRACE FILES FOR ANALYSIS BY THE PANEL TO [email protected] PRIOR TO SHARKFEST!
Wireless environments are complicated. Sometimes devices do not behave the way we expect. When these strange situations occur, how do you know whether your client device, AP, or other server resource is the issue? This presentation will review how to determine if devices are following the IEEE 802.11 standard and how to approach Wi-Fi issue resolution between client device and AP vendors.
Ahead of time, please ensure you have both Wireshark (www.wireshark.org) and Stratoshark (www.stratoshark.org) installed, and download the session resources from Github: https://github.com/je-clark/sharkfest-25-us-stratoshark
With the recent release of Stratoshark, we finally have a familiar tool that helps us understand how the internals of servers and operating systems function. This talk will walk through some basic examples of how to set up and run sysdig to gather system call captures, and how to use Stratoshark to gain a deeper understanding of what runs on our networks.
From this talk, expect:
- Detailed sysdig and Stratoshark capture information
- Examples showing how packet data from Wireshark shows up in a Stratoshark capture
- Examples of real-life troubleshooting with Stratoshark
Being a network engineer today requires much more than an understanding of subnets, spanning tree, and packet capture decodes. All the traditional skills matter, but many more are required in today's increasingly software-centric world. You can add on many of the new skills desired, and this presentation takes you through new topics for your consideration, and approaches to learning and acquiring skills in ways that fit your interest and job needs.
Containerlab is a modern open source tool to orchestrate and manage container-based labs. During this session, we will provide an introduction to Containerlab and its features, deployment examples with container- and VM-based images, followed by packet capture methods using Wireshark and Edgeshark.
Ever struggled with capturing traffic from your mobile device or felt stumped by encrypted applications? Dive into this comprehensive session to build your very own wired or wireless traffic sniffer using a Raspberry Pi.
Sake's esPCAPe Group Packet Challenge is back!
Come and enjoy an interesting session and learn some interesting things about each other!
Real-life troubleshooting of a difficult third-party software performance issue using Wireshark and advanced analytics
Pcap gives us a way to log packets, but pcap-NG gives us a way to log packets, packet-like objects, and environmental metadata to fully understand the capture. An introduction to generating pcap-NG logs from multiple (even hundreds of) interfaces, with metadata, custom packet types, and custom metadata.
This session will demonstrate the capability of Wireshark and tshark to be a more versatile tool for packet capture.
Closing Remarks and Farewell reception