This document discusses the network packet analysis tool Wireshark. It begins with an introduction to Jim Gilsinn and his background in cybersecurity and industrial control systems. It then provides an overview of Wireshark, describing it as an open-source, multi-platform network protocol analyzer that allows users to capture, interactively browse, and decode network traffic. Key features of Wireshark like its large protocol support and graphical interface are highlighted. The document concludes by discussing advanced analysis features, developing custom protocol decoders, and providing resources for more information on Wireshark.
Presented in May 2010
This presentation goes through the Wireshark network analyzer. It presents an overview of the different features that I've found useful while doing network performance analysis for ICS network protocols.
Network Packet Analysis with Wireshark
1. Network Packet Analysis with Wireshark
Jim Gilsinn
National Institute of Standards & Technology, Engineering Laboratory
2. Jim Gilsinn - Bio
• Electronics Engineer with NIST/EL for over 20 years
• Cybersecurity for Factory Control Systems
– Co-Chair and General Editor, ISA99 Committee
– Co-Chair, ISA99 WG2, Security Program
– Co-Chair, ISA99 WG7, Safety & Security
• Factory Equipment Network Testing Framework
– Co-Investigator & Main Developer, FENT software
– Extension of previous IENetP project
• Education
– MSEE in Controls from Johns Hopkins University
– BSEE in Controls from Drexel University
3. What is Wireshark?
• The De-Facto Network Protocol Analyzer
– Open-Source (GNU Public License)
– Multi-platform
– Easily extensible
– Large development group
• Allows Users to…
– Capture network traffic
– Interactively browse that traffic
– Decode packet protocols using dissectors
• Previously Named “Ethereal”
4. What is Wireshark?
• Development Version (as of last night @ 11:30pm)
– 1,300+ Protocols
– 112,600+ Protocol Header Fields
• Almost Every Ethernet/TCP/IP Protocol
• Many Industrial Ethernet Protocols
– BACnet
– EtherNet/IP & CIP, CIP Safety, CIP Motion
– DNP 3.0
– EtherCAT
– Foundation Fieldbus
– IEC 61850 & GOOSE
– Modbus & Modbus/TCP
– openSAFETY
– Profinet
– SERCOS III
– TTEthernet
– Zigbee
5. Network Layering
• Network Protocols Generally Have Some Header
– Who sent the information
– Who needs the information
– Information about the payload
– Other protocol specific information
• Headers Can Be Significant Part of Packet
– Ethernet/IP/UDP
– Minimum 42 Bytes of Header (65%)
– Minimum 64 Bytes Ethernet packet
– Many industrial Ethernet protocols only transmit a few bytes of data in real-time
[Figure: packet layering diagram, reconstructed from the slide]
Ethernet Header (14 Bytes) | IP Header (20 Bytes) | UDP/TCP Header (8/20+ Bytes) | Protocol Header (?? Bytes) | Data
Ethernet Payload = IP Header + IP Payload
IP Payload = UDP/TCP Header + TCP Payload
TCP Payload = Protocol Header + Data
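The layering on this slide can be walked by hand with a few lines of code. The following Python is an added example, not part of the original slides: it builds a constructed Ethernet/IPv4/UDP (or TCP) frame, then peels the headers off one layer at a time, checking every length field before trusting it, and reports how much of the minimum-size wire frame is header. The MAC and IP addresses, ports, and the 8-byte payload are made up for the demonstration; the 64-byte minimum frame size follows the slide.

```python
"""Walk the Ethernet/IP/UDP|TCP header stack of one frame (added example)."""
import struct

ETH_HDR_LEN = 14        # dst MAC (6) + src MAC (6) + EtherType (2)
IPV4_MIN_HDR_LEN = 20
UDP_HDR_LEN = 8
TCP_MIN_HDR_LEN = 20
ETH_MIN_FRAME = 64      # minimum on-the-wire Ethernet frame, per the slide


def build_sample_frame(payload: bytes, transport: str = "udp") -> bytes:
    """Construct a sample frame (constructed data, not from a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    if transport == "udp":
        l4 = struct.pack("!HHHH", 2222, 2222, UDP_HDR_LEN + len(payload), 0)
        proto = 17
    elif transport == "tcp":
        # ports, seq, ack, data offset 5 words (20 bytes), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", 44818, 44818, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
        proto = 6
    else:
        raise ValueError("transport must be 'udp' or 'tcp'")
    total_len = IPV4_MIN_HDR_LEN + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return eth + ip + l4 + payload


def dissect(frame: bytes) -> dict:
    """Peel the headers off one frame. Every length is checked before it is used,
    so a truncated or inconsistent frame raises ValueError instead of being
    misread (the classic dissector failure mode)."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (EtherType 0x{ethertype:04x})")

    ip = frame[ETH_HDR_LEN:]
    if len(ip) < IPV4_MIN_HDR_LEN:
        raise ValueError("truncated IPv4 header")
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if version != 4 or ihl < IPV4_MIN_HDR_LEN or total_len < ihl or total_len > len(ip):
        raise ValueError("inconsistent IPv4 header lengths")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])

    l4 = ip[ihl:total_len]                      # the IP payload
    if proto == 17:
        if len(l4) < UDP_HDR_LEN:
            raise ValueError("truncated UDP header")
        sport, dport, ulen, _csum = struct.unpack("!HHHH", l4[:UDP_HDR_LEN])
        if ulen < UDP_HDR_LEN or ulen > len(l4):
            raise ValueError("bad UDP length")
        name, l4_hdr_len, payload = "UDP", UDP_HDR_LEN, l4[UDP_HDR_LEN:ulen]
    elif proto == 6:
        if len(l4) < TCP_MIN_HDR_LEN:
            raise ValueError("truncated TCP header")
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4            # TCP header length incl. options
        if data_off < TCP_MIN_HDR_LEN or data_off > len(l4):
            raise ValueError("bad TCP data offset")
        name, l4_hdr_len, payload = "TCP", data_off, l4[data_off:]
    else:
        raise ValueError(f"unsupported IP protocol {proto}")

    # Anything above the transport layer (protocol header + data) counts as payload here.
    header_bytes = ETH_HDR_LEN + ihl + l4_hdr_len
    wire_bytes = max(len(frame), ETH_MIN_FRAME)  # short frames are padded on the wire
    return {
        "src": src, "dst": dst, "transport": name, "sport": sport, "dport": dport,
        "header_bytes": header_bytes, "payload_bytes": len(payload),
        "wire_bytes": wire_bytes, "header_pct": 100.0 * header_bytes / wire_bytes,
    }


if __name__ == "__main__":
    for transport in ("udp", "tcp"):
        print(transport, dissect(build_sample_frame(b"\x00" * 8, transport)))
```

For the 8-byte UDP payload the result is 42 header bytes out of a 64-byte minimum frame, the 65% figure on the slide; the TCP variant shows that a minimum TCP header pushes the overhead to 54 bytes.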
11. Using & Interfacing With Wireshark
• Wireshark Strictly Uses GNU Public License
– Any derived work with Wireshark code SHALL be open-source
• You Can Use Wireshark Hands-Off, Though
– Network Socket Interface
– Tshark.exe
• Network Socket Interface
– Rudimentary control
• Tshark.exe
– Most features available through command-line interface
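The "hands-off" use of Wireshark on this slide usually means scripting tshark. The following Python is an added example, not code from the slides: it assembles a headless tshark command line (read a capture with -r, apply a display filter with -Y, print selected fields with -T fields and -e), then reduces the tab-separated field output into per-stream inter-arrival statistics, the kind of rate and jitter measurement the rest of the talk is about. The sample output, addresses and port are constructed, and run_tshark assumes tshark is on the PATH.

```python
"""Drive tshark headlessly and turn its field output into per-stream timing (added example)."""
import subprocess
from collections import defaultdict
from statistics import mean, pstdev

# Fields requested from tshark, one -e per field, printed tab-separated per packet
FIELDS = ("frame.time_epoch", "ip.src", "ip.dst", "udp.dstport")


def tshark_command(pcap_path: str, display_filter: str) -> list:
    """Argument list for a headless run: -r reads a capture file, -Y applies a
    display filter, -T fields with -e selects the columns to print."""
    cmd = ["tshark", "-r", pcap_path, "-Y", display_filter,
           "-T", "fields", "-E", "separator=/t"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def run_tshark(pcap_path: str, display_filter: str) -> str:
    """Run tshark (assumed to be on PATH) and return its stdout text."""
    proc = subprocess.run(tshark_command(pcap_path, display_filter),
                          check=True, capture_output=True, text=True)
    return proc.stdout


def stream_timing(fields_output: str) -> dict:
    """Group packets by (src, dst, dstport) and compute inter-arrival statistics
    in milliseconds: mean, max and jitter (population std dev of the gaps)."""
    arrivals = defaultdict(list)
    for line in fields_output.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) != len(FIELDS) or not parts[0]:
            continue                      # skip blank rows or rows missing a field
        t, src, dst, port = parts
        arrivals[(src, dst, port)].append(float(t))
    stats = {}
    for key, times in arrivals.items():
        times.sort()
        gaps = [1000.0 * (b - a) for a, b in zip(times, times[1:])]
        if not gaps:
            continue                      # a single packet has no inter-arrival time
        stats[key] = {"packets": len(times), "mean_ms": mean(gaps),
                      "max_ms": max(gaps), "jitter_ms": pstdev(gaps)}
    return stats


def unstable_streams(stats: dict, max_jitter_ms: float) -> list:
    """Streams whose jitter exceeds what the real-time application tolerates."""
    return sorted(k for k, s in stats.items() if s["jitter_ms"] > max_jitter_ms)


# Constructed sample of what "tshark -T fields" prints (not a real capture).
SAMPLE_OUTPUT = "\n".join([
    "1700000000.000000\t192.168.1.10\t192.168.1.20\t2222",
    "1700000000.010000\t192.168.1.10\t192.168.1.20\t2222",
    "1700000000.020000\t192.168.1.10\t192.168.1.20\t2222",
    "1700000000.035000\t192.168.1.10\t192.168.1.20\t2222",  # arrived 5 ms late
    "1700000000.040000\t192.168.1.10\t192.168.1.20\t2222",
    "1700000000.005000\t192.168.1.30\t192.168.1.20\t2222",
    "1700000000.105000\t192.168.1.30\t192.168.1.20\t2222",
])

if __name__ == "__main__":
    # Offline demo on the constructed sample; use run_tshark(path, filter) for a real file.
    stats = stream_timing(SAMPLE_OUTPUT)
    for key, s in stats.items():
        print(key, {k: round(v, 3) if isinstance(v, float) else v for k, v in s.items()})
    print("unstable:", unstable_streams(stats, 2.0))
```

Parsing field output rather than the pretty-printed packet list keeps the script independent of column layout, and filtering with -Y at capture-read time keeps tshark, not Python, doing the protocol decoding.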
12. Developing Your Own Protocol Dissectors
• Not Every Protocol Exists in Wireshark
– When you need a protocol that doesn’t exist, you can relatively easily build your own dissector
• Not Every Protocol Dissector Has Full Coverage
– Open-source software allows anyone to modify the code
– Protocols generally change over time
– The original dissector developer may no longer be around to maintain it
• Bugs Can Exist in Dissectors
– Code almost always has bugs
13. For More Information…
• Wireshark Website
– http://www.wireshark.org
• Wireshark Documentation
– http://www.wireshark.org/docs/
• Wireshark Wiki
– http://wiki.wireshark.org