Network forensics can be generally defined as monitoring a network for anomalous traffic and intrusions, and analyzing captured network traffic to reconstruct the underlying semantics. Wireshark is a free, multi-platform network packet capture and analysis tool, and it has become the standard bearer for network analysis. Wireshark enables you to troubleshoot hundreds of network protocols, including the entire TCP/IP suite (e.g., DNS, HTTP, and SMTP). The packet-centric approach of Wireshark is not limited to protocol troubleshooting; it is also useful for performing network forensic analysis.
In this course, you will become intimately familiar with Wireshark as we perform a live network analysis on a simulated (i.e., virtualized) network. In particular, we provide in-class instruction on the setup, configuration, and use of Wireshark, as well as in-class activities that further explore these concepts. We also provide a variety of network packet captures that will guide you through the retroactive analysis of an unknown network.
Once you have become comfortable with Wireshark, we will describe a set of network attacks and the tools that perform them. Working in small groups, you will use these tools to perform a network attack that another group will analyze in real time. The goal is for every student to successfully perform a network attack and to identify an attack using Wireshark.
The course concludes with an active capture the flag exercise.
Topics Covered Include
- PCAP files
- Network protocol analysis
- Live packet capture, retroactive analysis
- TCP/IP and popular application-layer protocols (e.g., HTTP)
- MITM (man-in-the-middle)
- DNS injection
- ARP cache poisoning
- Charles Proxy
Who should attend?
This class is intended for anyone who wants to learn how network protocols work in the context of hands-on network packet analysis. Students should be familiar with basic networking and TCP/IP, with the concept of network layering, and with how to use a standard application user interface.
A general IT or Computer Science background is expected. A laptop is required.