1:30p – 2:45p NAP-1: Application Performance Analysis Mike Canney, Principal Network Analyst, getpackets.com
As network speeds continue to grow at an unprecedented rate, the need to be able to quickly analyze multi-GB trace files has become increasingly important. In this session, students will learn how to capture, monitor and analyze extremely large trace files to quickly resolve some of the most common application performance problems seen today. Topics to be covered:
Mike Canney, well-versed in multiple sniffer technologies, specializes in providing application and network performance consulting services: specifically Application Network-ability Assessments (ANA), network performance troubleshooting, and deep level packet analysis. Over the past 22 years, Mike has helped hundreds of companies identify and resolve their application and network performance issues. Mike has also developed courseware and taught engineers how to identify, remediate, and prevent network and application issues by analyzing traffic flows at the packet level. Mike has been a guest speaker at many industry trade shows (Networld Interop, Cisco Networkers, e.g.) throughout the United States on the topic of application performance analysis. |
3:00p – 4:15p NAP-2: It's Not the Network! The Value of Root Cause Analysis Graeme Bailey, Founder, TARCA
If you are interested in how to unblock a Brewery order processing system, freeing the warehousing system of a pop (sorry, soda!) company to continue manufacturing, identifying and resolving multiple sources of packet loss in the Citrix environment of a law firm, or speeding up every application for another law firm by eliminating their backup conflicts, you should attend this session. Graeme will use client case studies to walk through the process, the tools and the incredible pace to a resolution that can be achieved when you take a holistic end to end approach to network troubleshooting.
Graeme is a UK-based IT troubleshooter who works globally for clients. With over 30 years experience in all aspects of computer systems having worked for Burroughs, HP, 3Com and others, he founded TARCA in 2008 after identifying a clear need for an independent consultancy firm with the ability to take network analysis further than the network itself and to address end to end system performance. Addressing applications, workstations, servers, storage, networks and even 'users', TARCA provides a unique value in rapidly solving application problems for the end users in their client organizations, resulting in huge savings through productivity improvements. |
4:30p – 5:45p NAP-3: Microsoft SMB Troubleshooting Rolf Leutert, Founder, Leutert NetServices
Server Message Block (SMB) is Microsoft's client-server protocol and is most commonly used in networked environments where Windows® operating systems are in place. SMB has the reputation of being very complex to analyze due to its large variety of implementations and its huge amount of request/response messages. This is why networkers try to avoid analyzing SMB whenever possible and keep their focus on the underlying TCP layer to prove that the network is performing correctly. This could be the right approach, but sometimes it would be helpful to understand more about the application layer protocol SMB in order to isolate client-server performance problems. This session, which is reduced to essentials, guides networkers into SMB analysis and demonstrates Wireshark's ability to assist troubleshooting with special functions and filters.
Rolf Leutert, a native of Switzerland, founded Leutert NetServices to provide network training, network troubleshooting, and consulting in 1988. Since then, the company has delivered hundreds of trainings for Sniffer University and other training organizations, and Rolf has attained both Certified Network Expert (CNX) and Sniffer Certified Master status. In 2006 Leutert NetServices started as the first company offering Wireshark courses and troubleshooting all over Europe and has a broad range of topics from TCP/IP, VoIP, WLAN to IPv6. |
9:00a – 10:00a Keynote - History of the Wireshark Project – Reminiscing on the 15-Year-Old Project Gerald Combs, Ethereal/Wireshark Project Founder and Special Guests
Gerald Combs will deliver an overview of Wireshark, including milestones along the way and plans for its evolution. He will also be joined by core developers and other key supporters who will tell their stories of involvement with the project over its 15-year lifespan.
Gerald is the original developer of Wireshark. He started the project in 1998 while working at an ISP. Since then, many bright and talented people have contributed to the project, making it the world's premier network protocol analyzer. He currently works at Riverbed Technology as the Director of Open Source Projects, and is the lead developer of Wireshark. In the past, he has worked as a consultant for firms in a variety of industries ranging from telecommunications to pharmaceuticals to finance. In 2003 he was awarded a UMKC Alumni Achievement Award for his contributions to the field of computer science. |
10:15a – 11:30a NAP-4: Wireless Network Optimization Trent Cutler, Jedi Trainer, MetaGeek
We've all run into troublesome Wi-Fi issues that we couldn't make sense of in Wireshark. In this session, we'll discuss the techniques and visualization schemes used to spot the symptoms of non-Wi-Fi, co-channel or overlapping interference. Open up Wireshark and watch legacy devices bring down the performance of your wireless network. We'll take you through multi-channel capturing and explain the methods used to track roaming events.
Trent Cutler is a trainer extraordinaire and the backbone of the MetaGeek support organization.
11:45a – 1:00p NAP-5: Correlating Traces From Multiple Tiers Paul Offord, Development Director, Advance7
Enterprise systems have many components that are interconnected using networking. Wireshark enables us to get between these components and watch process-to-process interactions. The challenge then becomes matching these flows at each tier. How can we correlate the HTTP requests to a web service to SQL database interactions? In this presentation you'll learn three techniques that can be used to match trace data from different tiers. The presentation includes a simple demonstration to illustrate the techniques.
Paul Offord has had a 33-year career in the IT industry that includes roles in hardware engineering, software engineering and network management. Prior to founding Advance7 in 1989, he worked for IBM, National Semiconductor and Hitachi Data Systems. Paul is now the Development Director at Advance7 and has been pivotal in the development of the RPR® Method. He is a respected speaker on the subject of problem diagnosis and delivers RPR training both in the UK and internationally. Paul is a Certified IT Professional and a Fellow of the British Computer Society. |
1:45p – 3:00p NAP-6: Why Pilot? Janice Spampinato & Martin Lewald
Come to this session if you want to learn advanced tips and techniques for making the most of Cascade Pilot, the visual analyzer that was created to enhance the Wireshark user experience. Janice will provide the overview while Martin will show you how to create custom filters and Views, interactive Views, merged sources, and more. If you're a Pilot owner, you'll learn many new uses for the tool and if you've never seen Pilot, you're bound to be wowed.
Janice Spampinato is a Business Development Manager for the Riverbed Performance Management BU of Riverbed and Martin is a Riverbed Staff Engineer.
3:15p – 4:30p NAP-7: Network Programming with Riverbed FlyScript Chris White, Sr. Director, Riverbed Technical Council
In this session, Chris will introduce the Riverbed FlyScript Python SDK, a set of modules that build on top of REST, SNMP, CLI, and other command line tools to provide a foundation layer for programming your network. He'll start with a demonstration of how to programmatically use active monitoring of end user experience to control policies on a load balancer. Then he'll jump in and show how to spin up a new VM with FlyScript and supporting tools installed and walk through the process of setting up a new dashboard, hooking up UI widgets to data sources, and finally defining a new data source based on tshark to pull data from a pcap file.
Chris White is a Senior Director for Riverbed's Technical Council, responsible for development of the extensibility project dubbed FlyScript that delivers the programmability and information to automate expert workflows, script common or tedious tasks, react to IT events faster, and benefit from custom features created by the newly-created Splash community.
4:45p – 6:00p NAP-8: Using Wireshark as an Application Engineer Tim Poth, Sr. Priority Response Analyst, Bentley Systems
This presentation will take an interactive look at a number of pcap files to show both interesting “network” and application issues as well as the technique used to find the problem. The files presented show situations that gave our users trouble such as:
Tim Poth currently works for Bentley Systems, Inc. (www.bentley.com) as a Senior Priority Response Analyst primarily supporting ProjectWise, Bentley's document management system.
9:00a – 10:00a Keynote: "The Nice Thing About Standards is That There are so Many of Them!": Musings of an Early Networker Rich Seifert, M.S.E.E., M.B.A, J.D., President of Networks and Communications Consulting and co-author of the original Ethernet Specification
Mr. Seifert will discuss the original DEC-Intel-Xerox Ethernet development and the evolution of network standards over 30 years. From the early battles between Ring, Star, and Bus topologies through the market war among Ethernet, Token Ring, and ATM, he will provide insight into why some technologies succeed and others fail. As a test of that insight, he will revisit his 2001 proclamation of "Stupid Network Ideas" to see where he was right and wrong.
Mr. Seifert has over 40 years of experience in the computer industry, specializing in computer network architecture, systems, and product design. He was one of the original developers of the 10 Mb/s Ethernet technology at Digital Equipment Corporation, and is now President of Networks and Communications Consulting, providing services to a wide range of network, semiconductor, and computer systems manufacturers, investors, and users. He taught graduate-level courses at the University of California for over 15 years, has published three best-selling technology treatises, and has chaired and co-authored numerous international standards for computer communications, including IEEE 802.1, 802.3, and 802.4. He has served as a technology consultant and testifying expert to law firms in more than thirty cases over the past fifteen years, is an advisor to numerous venture capital investors, and has founded high-tech companies both in the U.S. and abroad. |
10:15a – 11:30a NAP-9: Application Performance Analysis Mike Canney, Principal Network Analyst, getpackets.com
As network speeds continue to grow at an unprecedented rate, the need to be able to quickly analyze multi-gigabyte trace files has become increasingly important. In this session, students will learn how to capture, monitor and analyze extremely large trace files to quickly resolve some of the most common application performance problems seen today. Topics to be covered include:
Mike Canney, well-versed in multiple sniffer technologies, specializes in providing application and network performance consulting services: specifically Application Network-ability Assessments (ANA), network performance troubleshooting, and deep level packet analysis. Over the past 23 years, Mike has helped hundreds of companies identify and resolve their application and network performance issues. Mike has also developed courseware and taught engineers how to identify, remediate, and prevent network and application issues by analyzing traffic flows at the packet level. Mike has been a guest speaker at many industry trade shows (Networld Interop, Cisco Networkers, e.g.) throughout the United States on the topic of application performance analysis. |
11:45a – 1:00p NAP-10: Enabling Visibility for Wireshark Across Physical, Virtual and SDN Patrick Leong, Ph.D.
Evolving networking technologies such as server and network virtualization and SDN are creating new challenges to the way we monitor and secure our networks. As organizations adopt and deploy these new technologies, Wireshark will remain a tool of great value to troubleshoot network issues. However, the Wireshark solution will need visibility into all islands of topologies including physical, virtual, and SDN. We will discuss how we can preserve the advantage of the Wireshark solution now and in the future.
Patrick co-founded Gigamon in 2004 and has served as Chief Technology Officer since October 2005. Prior to founding Gigamon, he served as a Principal Engineer at Ciena Corporation from March 2001 to August 2004, which he joined in connection with Ciena's acquisition of Cyras Systems, Inc. in March 2001, where he served in a similar capacity from August 2000. From December 1996 to July 2000, Patrick served in various roles, including manager of high speed products, at the Sniffer Division of McAfee, Inc. Patrick holds a Ph.D. degree in applied physics from Columbia University. |
1:45p – 3:00p NAP-11: Expanding Wireshark Beyond Ethernet & Network Interfaces Mike Kershaw and Mike Ryan
Wireshark's capture interface is currently highly oriented toward Ethernet-like netif interfaces. New research hardware such as Ubertooth and HackRF presents opportunities to capture new and interesting types of data that are fundamentally different from Ethernet. We present our flexible plugin system for capturing packets from multiple packet sources which do not present Ethernet-like interfaces.
Mike Kershaw is the author and maintainer of Kismet, a wireless packet sniffer and IDS system. He also dabbles in hardware design and building sniffing hardware for other protocols. Mike Ryan researches Bluetooth Smart Security (AKA Bluetooth Low Energy). He implemented BTLE capture and injection for Ubertooth, and Wireshark plugins for digesting the data. |
3:15p – 4:30p NAP-12: Packet Optimization and Visibility using Wireshark and pcaps Gordon Beith, Dir. of Product Management, VSS Monitoring
This technical presentation will describe the various packet optimization, stamping, and storage features available in VSS Monitoring's range of network packet brokers (NPBs), namely Distributed, vProtector, Finder, and vBroker series of products. The audience will get to know about Selective aggregation, Layer 2 through layer 7 filtering, Flow and session based load balancing, Packet time stamping, Packet source port stamping, Packet VLAN tagging, Conditional packet slicing, Protocol stripping, Tunneling deencapsulation, Packet de‐duplication, IP packet fragment reassembly, Writing direct‐to‐network storage, and Supporting virtualization. The ways in which to use Wireshark to decode and interpret these packets will be explained, as well as the ability to generate PCAP files as desired in real‐time.
Gordon Beith holds a BEE degree from Swinburne University, and joined VSS Monitoring in 2010, with responsibility for overseeing product management of the entire VSS Monitoring product line. His extensive career includes over 25 years of work in telecommunications product management, marketing, hardware & software development, and related next-generation services areas. In addition to his work with VSS Monitoring, his background includes product, project, marketing, and account management positions for IneoQuest, Empirix, Spirent, Cisco, and Ericsson in global locations including North America, Europe, Australia, and China. Mr. Beith is also co-author of the book on IMS testing and monitoring, entitled "Ensuring a Quality IMS Experience", published in 2007.
4:45p – 6:00p NAP-13: Wireshark Users Ask the Experts! Moderator: Chris Bidwell, Network Engineer
Come to this session if you want the chance to experience a lively exchange of information between the Wireshark developer and user communities. Moderated by long-time Wireshark User and Enthusiast Chris Bidwell, you will have the opportunity to ask questions of Gerald Combs, the creator of the Ethereal and Wireshark open source projects, and core developers actively engaged in the product and help influence the development direction of the Wireshark project.
Chris Bidwell is a Network Engineer for an IT services company in the UK implementing low-latency IT systems for use in investment management. Chris is also a veteran Wireshark user and lively advocate for the open source project.
9:00a – 10:00a Keynote: To Engineer is Human… So is Being Lazy Charles Kaplan, Senior Technical Director, Office of the CTO, Riverbed
Most security is designed to keep honest people honest. Not surprisingly, most vulnerabilities are the result of systems being used and abused in a way never anticipated by the author. Users have an innate ability to find workarounds to any security roadblocks, real or perceived. Yet that same human nature that drives us to find workarounds can be harnessed as a means of exposing opportunities for improvement. Despite (security) being a hot topic these days, the likely result of ever-more-sophisticated attacks and a greatly expanded surface area upon which to attack, most people simply don't take it as seriously as they should.
Charles Kaplan is a Senior Technical Director in the CTO Office at Riverbed, focused on the Cascade product line. A security veteran for over 20 years, Mr. Kaplan has spent his career protecting electronic assets. With years under his belt as both a CISO (Verisign and Breakaway Solutions) and an executive for security product and service vendors (Guardent, Mazu Networks, norSEC), Mr. Kaplan is fluent in the expectations placed upon practitioners today and how to implement and run an effective security program. |
10:15a – 11:30a NAP-14: Accessing Packet Traces from Multiple Locations with Packet Trace Warehouse Bill Eastman, Dir. System Engineering, RPM BU, Riverbed
In this session, you will learn how to securely manage agents deployed across your enterprise using AppTransaction Xpert Packet Trace Warehouse. From a centralized, web-based interface, you will learn how to capture, preview, and access packet traces from multiple locations, as well as analyze these traces using powerful visualizations and predictive analysis. This session also covers leveraging enterprise-wide agents to populate run-time application maps and make informed decisions during data center migration and consolidation. As network speeds continue to grow at an unprecedented rate, the need to be able to quickly analyze multi Gigabyte sized trace files has become increasingly important.
Bill Eastman has been a Systems Engineer for 15 years, specializing in helping customers solve application performance problems. Bill is currently based in San Diego, CA and works for Riverbed Technologies/Opnet.
11:45a – 1:00p NAP-15: Understanding Wireshark's Reassembly Features Christian Landström, Sr. Consultant, Fast Lane Gmbh
In this session, Christian will explain the often-overlooked Wireshark reassembly capability and its impact on statistics.
Christian Landström graduated in computer science in 2004, with a strong focus on network communications and IT security. After joining Synerity Systems directly afterwards he moved with the whole Synerity team to work for Fast Lane GmbH in 2009 as a Senior Consultant. He is a certified Cisco teacher as well as being an OSCP, working on IT security and network analysis projects. |
2:00p – 3:15p NAP-16: Capture Limitations of a Laptop: When Does It Start Dropping Packets? Chris Greer, Network Analyst, Packet Pioneer, LLC
Are the packet drops in the trace file real? Can your laptop keep up with a 1Gbps stream of data? Do you really need to buy that high-end hardware analyzer to capture? In this session, we will look at the capture thresholds of common laptops running Wireshark to see at exactly what point they start to drop packets. Additionally, we will examine several different SPAN sessions to see if they really can keep up with the line-rate of the traffic stream, or if they too start dropping packets. This will let us know at what traffic level we need to consider using a hardware analyzer, as well as when using a network TAP is critical. Following the session, we invite you to bring up your laptop for a capture shootout to see what it can do!
Chris Greer is a Network and Application Performance Analyst for Packet Pioneer LLC. He regularly assists companies in getting to the root cause of performance issues that impact IT. Chris provides product and technology training for several analysis vendors, assisting clients in the implementation of monitoring platforms. |
3:30p – 4:45p NAP-17: Network Virtualization: the SDN You REALLY Want Steve Riley, Technical Director, Office of the CTO, Riverbed
The success of compute virtualization is particularly noteworthy because it creates useful operational capabilities. In complex computing environments, it can be a challenge to rapidly provision new servers and move them around. But when a "server" is software, these limitations evaporate: rapid moves, adds, changes, snapshots, and rollbacks suddenly become possible. Piles of bits create great disposable horsepower. Effective network virtualization shares the same goal of providing useful operational capabilities. When the "network" is pulled out of specialized (and expensive) hardware and reconstituted as a collection of logical abstractions expressed in software, many of the usual constraints fade away. Topologies and connectivity become more flexible; real end-to-end visibility displaces limited state awareness. The implications for multitenant networks are clear. Piles of bits also, it turns out, create great disposable pathways. Steve Riley will review the emerging trend of software-defined networking and place it in the larger context of fully virtualized networks.
Steve Riley is a Technical Director in the Office of the CTO at Riverbed Technology. His specialties include the performance and security aspects of enterprise and cloud computing. Steve has a long career of public speaking, having participated in hundreds of events around the world. He is co-author of Protect Your Windows Network, contributed a chapter to Auditing Cloud Computing, has published numerous articles, and conducted technical reviews of several data networking and telecommunications books. At Riverbed, Steve concentrates on high-performance architectures that span multiple clouds, public and private; advises field teams and customers about secure deployments; and contemplates the future of networking. Before Steve joined Riverbed, he was the cloud security strategist at Amazon Web Services and a security consultant and advisor at Microsoft; in both capacities, he developed patterns and practices for secure deployments and operations. Steve is a member of the Kubuntu Team (which maintains Ubuntu's KDE-flavored distribution) and is a global moderator of its community forum. Besides lurking in the Internet's dark alleys and secret passages, he enjoys freely sharing his opinions about the intersection of technology and culture. |
1:30p – 2:45p PA-1: Deep Dive Packet Analysis Hansang Bae, Dir. of Cascade Product Architecture, Riverbed
In this session, we will explore one trace file in detail. Extensive analysis will be performed to identify the root cause of slow NFS/VM interaction – extending beyond the usual suspects. Evidence gathering techniques will be discussed that can assist the troubleshooter in identifying issues that may be related to vendor equipment. Exhaustive packet trace analysis will be performed to ferret out some surprising conditions.
Hansang Bae led the Network/Application Performance Engineering Team with direct responsibility for Packet Capture Infrastructure at Citi until July, 2012 when he joined Riverbed as Director of Cascade Product Architecture. He brings a unique perspective with his broad knowledge of protocol analysis in a complex enterprise infrastructure. |
3:00p – 4:15p PA-2: Introduction to IPv6 Addressing Nalini Elkins, CEO & Founder, Inside Products, Inc.
In this session, Nalini will cover:
Nalini Elkins, the CEO and Founder of Inside Products, Inc., is a recognized leader in the field of computer performance measurement and analysis. In addition to being an experienced software product designer, developer, and planner, she is a formidable businesswoman. She has been the founder or co-founder of two start-ups in the high-tech arena. Nalini has a strong computer networking background, but specializes in network performance analysis, measurement, monitoring, tuning, and troubleshooting of large enterprise networks including TCP/IP & SNA. |
4:30p – 5:45p PA-3: Debugging Wireless with Wireshark Including Large Trace Files, AirPcap & Cascade Pilot Megumi Takeshita, Founder, Ikeriri Network Services
Megumi, a Tokyo-based entrepreneur, will introduce her debugging work in Akihabara style using Wireshark. The Akihabara area in central Tokyo is well known as a marketplace of cutting edge technology. In this session, Megumi will demonstrate tips and techniques for troubleshooting WLANs using Wireshark through the examination of very large pcap files. She will also show the hardware side of expanding Wireshark use through customized capture devices, AirPcap and Cascade Pilot. The agenda for this session includes:
Megumi is a typical otaku person in Japan. Otaku (おたく/オタク) is a Japanese term used to refer to people with obsessive interests, particularly (but not limited to) anime and manga. From an early age she played with 8-bit PCs, was enamored of video games, and loved to tinker with NES, Mark-III and NEC systems with Z80-A mnemonics and Centronics 50-pin I/O, capturing and backing-up ROM images. In Junior High, the PC programming boom came to Japan. Megumi found favorites in Assemblers, C, and Hu-Basic. She used disk copy tools and tried to read and change many sectors in 5-inch disks using Sharp X1. In high school, BBSs came into fashion, so she used V.24bis, V.90 modem in Zmodem connected with NEC-DOS from PCs and Macs and, of course, was scolded by her parents for the exorbitant telephone bills. Megumi finally encountered the internet in college, using trumpet api and open transport. After graduating from Sophia University, she worked as a Product Engineer at Bay Networks and an Enterprise Solutions Specialist at Nortel Networks before starting her own packet capture business in Tokyo. Megumi has written more than 10 books about packet analysis and Wireshark in Japanese. Her company, Ikeriri, is a Riverbed reseller of Wireshark-enhanced products, Metageek, and Dualcomm in Japan.
9:00a – 10:00a Keynote: History of the Wireshark Project – Reminiscing on the 15-Year-Old Project Gerald Combs, Ethereal/Wireshark Project Founder and Special Guests
Gerald Combs will deliver an overview of Wireshark, including milestones along the way and plans for its evolution. He will also be joined by core developers and other key supporters who will tell their stories of involvement with the project over its 15-year lifespan.
Gerald is the original developer of Wireshark. He started the project in 1998 while working at an ISP. Since then, many bright and talented people have contributed to the project, making it the world's premier network protocol analyzer. He currently works at Riverbed Technology as the Director of Open Source Projects, and is the lead developer of Wireshark. In the past, he has worked as a consultant for firms in a variety of industries ranging from telecommunications to pharmaceuticals to finance. In 2003 he was awarded a UMKC Alumni Achievement Award for his contributions to the field of computer science. |
10:15a – 11:30a PA-4: Inside the TCP Handshake Betty DuBois, Sr. Marketing Manager, Endace, a division of Emulex
All TCP streams begin with the handshake, yet so often its power to determine fault in low throughput, connection failures, and hideous user experience streams is unrecognized. If you can capture the handshake in Wireshark, troubleshooting time is greatly minimized. This session will cover the handshakes from the single required option to the complex option combinations, and how they affect the subsequent conversation. Both live capturing and trace files will be used in the session so bring your laptops!
Betty DuBois recently joined Endace as a Senior Marketing Manager. She has been analyzing networks since 1997, performing fault isolations, application profiles, and network baselines for a wide variety of clients. As an Instructor for Wireshark University and other organizations, she has been widely recognized for her ability to make dry, complex subjects fun and interesting through humor and real-world examples. She has presented at Sharkfest and Networld+Interop, and her "Network Mystery" series can be found at www.wireshark.org/docs. Betty's industry certifications include Certified Wireshark University Instructor, Wireshark Certified Network Analyst, HP ProCurve AIS, and Sniffer Certified Expert. |
11:45a – 1:00p PA-5: Capture Limitations of a Laptop: When Does It Start Dropping Packets? Chris Greer, Packet Analyst, Packet Pioneer LLC
Are the packet drops in the trace file real? Can your laptop keep up with a 1Gbps stream of data? Do you really need to buy that high-end hardware analyzer to capture? In this session, we will look at the capture thresholds of common laptops running Wireshark to see at exactly what point they start to drop packets. Additionally, we will examine several different SPAN sessions to see if they really can keep up with the line-rate of the traffic stream, or if they too start dropping packets. This will let us know at what traffic level we need to consider using a hardware analyzer, as well as when using a network TAP is critical. Following the session, we invite you to bring up your laptop for a capture shootout to see what it can do!
Chris Greer is a Network and Application Performance Analyst for Packet Pioneer LLC. He regularly assists companies in getting to the root cause of performance issues that impact IT. Chris provides product and technology training for several analysis vendors, assisting clients in the implementation of monitoring platforms. |
1:45p – 3:00p PA-6: Wireshark in the Large Enterprise Hansang Bae, Dir. of Cascade Product Architecture, Riverbed
In this session, you'll learn how to optimize use of the world's most popular network and protocol analyzer in a large enterprise from a master Wireshark veteran. Root cause analysis and interesting troubleshooting techniques will be presented using real-world trace file examples.
Hansang Bae led the Network/Application Performance Engineering Team with direct responsibility for Packet Capture Infrastructure at Citi until July, 2012 when he joined Riverbed as Director of Cascade Product Architecture. He brings a unique perspective to troubleshooting with Wireshark through his broad knowledge of protocol analysis in a complex enterprise infrastructure. |
3:15p – 4:30p PA-7: Troubleshooting from the field (Troubleshooting in optimized environment) Herbert Grabmayer, Technical Sales Consultant, ARROW ECS
In this session, you will learn to identify problems in optimized environments. In these scenarios it is important to determine whether the problem lies in faulty optimization, network problems, or applications that cannot be optimized. The source of the problem will be made visible with Cascade Pilot Views, customized Summary Panels in Wireshark and the Wireshark TCP Stream Graph. By attending this session, you'll learn how you can identify where the problems are.
Herbert currently works as a Technical Sales Consultant for ARROW ECS Internet Security AG, a distributor in Austria. Previously, he worked in the IT Department of an Austrian Government Agency for over 15 years, starting with mainframe operation and customer helpdesk positions, then transferring to IBM/SNA network administration. Herbert first encountered TCP Networking in the late 1980s while troubleshooting with the Network General Sniffer. In the late 1990s, he moved to Schoeller Network Control, a VAR, specializing in Network Troubleshooting and Monitoring where he worked until recently moving to his position with ARROW ECS. |
4:45p – 6:00p PA-8: IPv6 Address Planning Nalini Elkins, CEO & Founder, Inside Products, Inc.
In this IPv6 Address Planning session, we will cover:
Nalini Elkins, the CEO and Founder of Inside Products, Inc., is a recognized leader in the field of computer performance measurement and analysis. In addition to being an experienced software product designer, developer, and planner, she is a formidable businesswoman. She has been the founder or co-founder of two start-ups in the high-tech arena. Nalini has a strong computer networking background, but specializes in network performance analysis, measurement, monitoring, tuning, and troubleshooting of large enterprise networks including TCP/IP & SNA. |
9:00a – 10:00a Keynote: "The Nice Thing About Standards is That There are so Many of Them!": Musings of an Early Networker Rich Seifert, M.S.E.E., M.B.A, J.D., President of Networks and Communications Consulting and co-author of the original Ethernet Specification
Mr. Seifert will discuss the original DEC-Intel-Xerox Ethernet development and the evolution of network standards over 30 years. From the early battles between Ring, Star, and Bus topologies through the market war among Ethernet, Token Ring, and ATM, he will provide insight into why some technologies succeed and others fail. As a test of that insight, he will revisit his 2001 proclamation of "Stupid Network Ideas" to see where he was right and wrong.
Mr. Seifert has over 40 years of experience in the computer industry, specializing in computer network architecture, systems, and product design. He was one of the original developers of the 10 Mb/s Ethernet technology at Digital Equipment Corporation, and is now President of Networks and Communications Consulting, providing services to a wide range of network, semiconductor, and computer systems manufacturers, investors, and users. He taught graduate-level courses at the University of California for over 15 years, has published three best-selling technology treatises, and has chaired and co-authored numerous international standards for computer communications, including IEEE 802.1, 802.3, and 802.4. He has served as a technology consultant and testifying expert to law firms in more than thirty cases over the past fifteen years, is an advisor to numerous venture capital investors, and has founded high-tech companies both in the U.S. and abroad. |
10:15a – 11:30a PA-9: Pervasive Visibility in the Clouded Data Center: Distributed, Real-Time Monitoring & Wireshark Drill Down On-Demand Rony Kay, President and CTO, cPacket Networks Inc.
The advent of large-scale data centers, virtualization, and cloud application delivery implies a more distributed computing environment and higher dependency on the network. As the underlying complexity and speed of the infrastructure are increasing dramatically, it necessitates more scalable and agile performance monitoring, optimization, and trouble-shooting. Today's legacy solutions fail to address the demands of modern networks because their architecture was designed decades ago and does not scale to the complexity of modern data center environments and high speed networks. The traditional approach relies on aggregating the network traffic centrally for post processing analysis. This approach creates a "bottle-neck by design" at high speed networks, and - by definition - the post-processing is not real-time. In contrast, the SPIFEE approach to Pervasive Network Intelligence is physically distributed and logically centralized. Distributed Smart Ports of Traffic Monitoring Switches perform the heavy lifting of inspecting every bit in every packet and every flow on-the-fly to deliver detailed counters, application performance indicators, and proactive alerts. The centralized dashboard allows analysis and correlation of information across the entire infrastructure. For troubleshooting, SPIFEE allows users to grep the network environment in real-time for specific traffic profiles according to any combination of protocol header fields and patterns anywhere in the payload content. Instead of collecting an excessive amount of unusable data, this unique real-time filtering allows operators to apply detailed Wireshark analysis to the relevant subset of the traffic and to analyze and solve problems effectively. SPIFEE allows multiple operators to access different data-sets concurrently with Wireshark and significantly shortens the time to resolution.
Dr. Kay combines unique expertise in high performance HW & SW systems with 20+ years of experience in optimization and algorithms. Dr. Kay founded cPacket Networks and he is the architect of its hardware and software technology. Before founding cPacket, Dr. Kay worked for Intel's Enterprise Platform Group, where he managed engineering teams working on high-end server platforms. Previously, he was an IBM research fellow and a project manager and brought several cutting edge products from inception, through conceptual design and development to execution and successful customer deployments. Prior to IBM, Dr. Kay was the R&D manager of a company developing innovative CAD/CAM systems. Dr. Kay has published a dozen technical papers and been issued ten patents. He earned his Ph.D. in Computer & Electrical Engineering from Carnegie Mellon University. |
11:45a – 1:00p PA-10: Writing a Wireshark Dissector Graham Bloice, Wireshark Core Developer
This session should be attended by anyone wanting to write their own Wireshark dissectors. Graham Bloice presents easy to follow and implement instructions for rolling your own so that you can expand your use of Wireshark to suit your particular environment and packet-level analysis requirements. The dissectors to be presented include:
For the past 15 years, Graham has been a Windows C++ developer and member of the R&D Department at Trihedral, a company that produces a SCADA/HMI toolkit (http://www.trihedral.com). He first contributed code to Wireshark in 2000 and was made a Core Developer shortly after. His early commits were minor things such as enabling real-time captures on Windows and allowing the hex bytes display to use inverse video. More recent work has been mostly in the DNP3 dissector and Windows build environment. |
1:45p – 3:00p PA-11: How to Use Wireshark to Analyze Video Betty DuBois, Sr. Marketing Manager, Endace, a division of Emulex
Video is now ubiquitous. The network demands and requirements are very different than other applications, even different than the shared protocols of VoIP. Whether your business utilizes video conferencing, surveillance systems, video based distance learning, or video streaming – you need to analyze the traffic for planning and troubleshooting. This session will cover a wide variety of protocols and features in Wireshark that make this task less daunting. Trace files containing MPEG4, MPEG2, RTP, RTCP, RTSP and H.264 will be made available before the session so you can follow along. Bring your laptops!
Betty DuBois recently joined Endace as a Senior Marketing Manager. She has been analyzing networks since 1997, performing fault isolations, application profiles, and network baselines for a wide variety of clients. As an Instructor for Wireshark University and other organizations, she has been widely recognized for her ability to make dry, complex subjects fun and interesting through humor and real-world examples. She has presented at Sharkfest and Networld+Interop, and her "Network Mystery" series can be found at www.wireshark.org/docs. Betty's industry certifications include Certified Wireshark University Instructor, Wireshark Certified Network Analyst, HP ProCurve AIS, and Sniffer Certified Expert. |
3:15p – 4:30p PA-12: WLAN Troubleshooting with Wireshark & AirPcap Rolf Leutert, Founder, Leutert NetServices
Finding WLAN problems can be a very challenging task. The wireless media is known to be unreliable; signal interferences, low signal areas or overloaded cells are just a few of the possible issues. In addition, compatibility between the different IEEE standards and the vendors' implementations is not always guaranteed. With so many factors potentially impacting the performance of a WLAN, a systematic root-cause analysis will be more promising than the trial and error method. This session demonstrates steps to isolate different causes of WLAN problems by using Wireshark and AirPcap Adapters.
Rolf Leutert, a native of Switzerland, founded Leutert NetServices to provide network training, network troubleshooting, and consulting in 1988. Since then, the company has delivered hundreds of trainings for Sniffer University and other training organizations, and Rolf has attained both Certified Network Expert (CNX) and Sniffer Certified Master status. In 2006 Leutert NetServices started as the first company offering Wireshark courses and troubleshooting all over Europe and has a broad range of topics from TCP/IP, VoIP, WLAN to IPv6. |
4:45p – 6:00p PA-13: IPv6 Trace Analysis Using Wireshark Nalini Elkins, CEO & Founder, Inside Products, Inc.
In this session, Nalini will cover:
Nalini Elkins, the CEO and Founder of Inside Products, Inc., is a recognized leader in the field of computer performance measurement and analysis. In addition to being an experienced software product designer, developer, and planner, she is a formidable businesswoman. She has been the founder or co-founder of two start-ups in the high-tech arena. Nalini has a strong computer networking background, but specializes in network performance analysis, measurement, monitoring, tuning, and troubleshooting of large enterprise networks including TCP/IP & SNA. |
9:00a – 10:00a Keynote: To Engineer is Human… So is Being Lazy Charles Kaplan, Senior Technical Director, Office of the CTO, Riverbed
Most security is designed to keep honest people honest. Not surprisingly, most vulnerabilities are the result of systems being used and abused in a way never anticipated by the author. Users have an innate ability to find workarounds to any security roadblocks, real or perceived. Yet that same human nature that drives us to find workarounds can be harnessed as a means of exposing opportunities for improvement. Despite (security) being a hot topic these days, the likely result of ever-more-sophisticated attacks and a greatly expanded surface area upon which to attack, most people simply don't take it as seriously as they should.
Charles Kaplan is a Senior Technical Director in the CTO Office at Riverbed, focused on the Cascade product line. A security veteran for over 20 years, Mr. Kaplan has spent his career protecting electronic assets. With years under his belt as both a CISO (Verisign and Breakaway Solutions) and an executive for security product and service vendors (Guardent, Mazu Networks, norSEC), Mr. Kaplan is fluent in the expectations placed upon practitioners today and how to implement and run an effective security program. |
10:15a – 11:30a PA-14: Top 5 False Positives when Analyzing Networks Jasper Bongertz, Sr. Technical Consultant, CASSIDIAN CyberSecurity
When doing network analysis you often say "Eureka!" at some point, thinking that you found the reason for things not working as they should. Unfortunately, there are quite a few symptoms that can fool the analyst, leading to a false positive in the analysis report. In this talk we'll take a look at some of the most common pitfalls in day to day network analysis. Note: This is a beginner-level talk and, though I haven't done beginner level talks the last three years at SHARKFEST, this one should be fun. We'll look at duplicate packets (appearing as retransmissions and dup acks etc.), long delta times (that are in fact user delays), Window Size Zero symptoms that aren't so bad, etc.
Jasper Bongertz is a Senior Technical Consultant and started working freelance in 1992 when he began studying computer science at the Technical University of Aachen, before joining Fast Lane GmbH in 2009. In 2013, he joined CASSIDIAN CyberSecurity, focusing on IT security and network forensics. During his time with Fast Lane Jasper created a large training portfolio with a special focus on Wireshark. Jasper is certified Sniffer Certified Professional (SCP), VMware Certified Professional (VCP3/4/5) and VMware Certified Instructor (VCI). |
11:45a – 1:00p PA-15: So You've Found the Suspect Traffic, But What's Causing It? Graeme Bailey, CEO & Founder, TARCA Systems
You've analysed all the Wireshark captures and have identified what you don't like about the network traffic, but how do you find out exactly what is causing it? In this session Graeme will show how to use Process Monitor and Wireshark to find out what process is responsible for the traffic. Even in complex multi-tiered Windows applications the combination of Wireshark and Process Monitor makes it impossible for a rogue application to hide. These tools are key to the process of identifying the root cause of performance problems and are incredibly valuable when taking a holistic end to end approach to troubleshooting. It will also include handy tips on how to efficiently filter through the millions of rows of data that Process Monitor generates and really find out why things are slow.
Graeme is a UK-based IT troubleshooter who works globally for clients. With over 30 years experience in all aspects of computer systems having worked for Burroughs, HP, 3Com and others, he founded TARCA in 2008 after identifying a clear need for an independent consultancy firm with the ability to take network analysis further than the network itself and to address end to end system performance. Addressing applications, workstations, servers, storage, networks and even 'users', TARCA provides a unique value in rapidly solving application problems for the end users in their client organizations, resulting in huge savings through productivity improvements. |
2:00p – 3:15p PA-16: Wireshark in the Large Enterprise Hansang Bae, Dir. of Cascade Product Architecture, Riverbed
In this session, you'll learn how to optimize use of the world's most popular network and protocol analyzer in a large enterprise from a master Wireshark veteran.
Hansang Bae led the Network/Application Performance Engineering Team with direct responsibility for Packet Capture Infrastructure at Citi until July, 2012 when he joined Riverbed as Director of Cascade Product Architecture. He brings a unique perspective with his broad knowledge of protocol analysis in a complex enterprise infrastructure. |
3:30p – 4:45p PA-17: TCP Performance Problem Analysis Through Multiple Network Segments Instructors: Jasper Bongertz, IT Security Analyst & Sr. Consultant & Christian Landström, Sr. Consultant, CASSIDIAN Cyber Security
Analyzing performance issues throughout a whole network path can be very challenging. Load balancers, Firewalls, Proxy Servers might be involved, and finding the right spot to analyze the problem is not always an easy task. This talk focuses on multipoint capture file analysis and packet matching between different capture points. Bring your Wireshark and join the fun!
Jasper Bongertz is a Senior Technical Consultant and started working freelance in 1992 when he began studying computer science at the Technical University of Aachen, before joining Fast Lane GmbH in 2009. In 2013, he joined CASSIDIAN CyberSecurity, focusing on IT security and network forensics. During his time with Fast Lane Jasper created a large training portfolio with a special focus on Wireshark. Jasper is certified Sniffer Certified Professional (SCP), VMware Certified Professional (VCP3/4/5) and VMware Certified Instructor (VCI). Christian Landström has been working in IT since 2004, with a strong focus on network communications and IT security. After graduating in computer science in 2008 and joining Synerity Systems directly afterwards, he moved with the whole Synerity team to work for Fast Lane GmbH in 2009 as a Senior Consultant. Since 2013 he's been working as a Senior Consultant for CASSIDIAN CyberSecurity. He is a certified Cisco teacher as well as being an OSCP, working on IT security and network analysis projects. |
1:30p – 2:45p SEC-1: Understanding Encryption Services using Wireshark Larry Greenblatt, Network Security Consultant and Founder, InterNetwork Defense
Many people equate cryptography with confidentiality, but today we use cryptographic algorithms to validate authenticity, integrity and non-repudiation of information as well. In this session Larry will use Wireshark to sniff a number of SSL handshakes, using different browsers, to explain how algorithms are negotiated and keys exchanged. The hardest part about encryption, key management, will also be discussed, including a description of PKI standards, using Wireshark to illustrate certificate signing and revocation using both Certificate Revocation Lists (CRL) and the Online Certificate Status Protocol (OCSP).
Larry started his IT career in 1984 as a technician for MicroAge, cutting his teeth on IBM PC-based networks and Netware 86. After four years in the 90s working for CGI/IBM as a senior network consultant designing and supporting IPX, SNA and TCP/IP-based network solutions, Larry founded InterNetwork Defense, an information security training and consulting company, where he currently teaches CEH, CISM and CISSP training classes. Larry is also the co-author of the cryptography section for the CEH official study guide. |
3:00p – 4:15p SEC-2: VoIP Fundamentals Phill Shade, CEO & Founder, Merlion's Keep Consulting
A hands-on examination of key VoIP signaling, set-up and tear-down protocols and behaviors. We will use Wireshark to examine various specific VoIP Protocols with an emphasis on the analytics that Wireshark provides including VoIP signalling details, reassembly and play-back.
Phillip D. Shade is the CEO and founder of Merlion's Keep Consulting, a professional services company specializing in all aspects of Network and Forensics Analysis and providing a full range of professional training and customized curriculum development. Phill is now a certified instructor for Wireshark University and Global Knowledge. Drawing from his 30+ years of hands-on, real world experience in Network Analysis, troubleshooting and Cyber Forensics/Security, Phill's presentations use a highly energetic, knowledgeable and informative style. Phill can be contacted at phill.shade@gmail.com or merlions.keep@gmail.com. |
4:30p – 5:45p SEC-3: IPv6 Security Assessment Tools & Infrastructure Mitigation Jeff Carrell, Network Security Consultant, Network Conversions
Similar infrastructure security issues found in IPv4 exist for IPv6. Router Advertisements (RAs) play a key role in IPv6 address auto-configuration operations as the means for host devices obtaining their IPv6 address and default gateway definitions. DHCPv6 may be a key method for assigning hosts their IPv6 addresses as well. In both cases, rogue devices can disrupt network operations, but infrastructure devices (i.e., switches and routers) generally have technology to mitigate such attacks - RA Guard, DHCPv6 Snooping, and ND Snooping. There are also more IPv6 "attack tools" becoming available. This presentation provides a series of mini-studies about IPv6 Neighbor Discovery Protocol (NDP) to understand where IPv6 Address Auto-configuration functions may be present in the network, why they may or may not be desired, and how the network infrastructure should be configured accordingly. In addition, we'll review the other roles of NDP and how IPv6 hosts "keep track" of each other on the network. Configuration options will be demonstrated on a live network deploying switches, servers, and clients. Using the latest IPv6 tools, attacks to the network will be orchestrated, "First Hop security" protection techniques will be implemented on the switches, and the mitigation will be verified.
Jeff Carrell is a frequent industry speaker, freelance writer, IPv6 Forum Certified Trainer, network instructor and course developer to major networking manufacturers, and IPv6 technical lead and co-author on Guide to TCP/IP 4th edition. Jeff's primary focus is on IPv6 systems interoperability, and provides consulting services, delivers lectures, conducts IPv6 training classes, and facilitates IPv6 hands-on labs at technical conferences worldwide. His involvement in the computer industry for 34 years has culminated in the concentration of his endeavors in the internetworking portion of the industry for over 27 of those years. |
9:00a – 10:00a Keynote: History of the Wireshark Project – Reminiscing on the 15-Year-Old Project Gerald Combs, Ethereal/Wireshark Project Founder and Special Guests
Gerald Combs will deliver an overview of Wireshark, including milestones along the way and plans for its evolution. He will also be joined by core developers and other key supporters who will tell their stories of involvement with the project over its 15-year lifespan.
Gerald is the original developer of Wireshark. He started the project in 1998 while working at an ISP. Since then, many bright and talented people have contributed to the project, making it the world's premier network protocol analyzer. He currently works at Riverbed Technology as the Director of Open Source Projects, and is the lead developer of Wireshark. In the past, he has worked as a consultant for firms in a variety of industries ranging from telecommunications to pharmaceuticals to finance. In 2003 he was awarded a UMKC Alumni Achievement Award for his contributions to the field of computer science. |
10:15a – 11:30a SEC-4: Trace File Sanitization NG Jasper Bongertz, IT Security Analyst & Sr. Consultant, CASSIDIAN CyberSecurity
PCAPng is the new default capture file format, and it comes with new challenges when trying to remove sensitive information. Most tools do not support the format yet, and converting pcapng files to pcap to do it isn't helping either. We will take a look at the tools available and compare their functionality.
Jasper Bongertz is a Senior Technical Consultant who started working freelance in 1992 when he began studying computer science at the Technical University of Aachen, before joining Fast Lane GmbH in 2009. In 2013, he joined CASSIDIAN CyberSecurity, focusing on IT security and network forensics. During his time with Fast Lane Jasper created a large training portfolio with a special focus on Wireshark. Jasper is certified Sniffer Certified Professional (SCP), VMware Certified Professional (VCP3/4/5) and VMware Certified Instructor (VCI). |
11:45a – 1:00p SEC-5: Using Wireshark to Gather Forensic Evidence on Malware Outbreaks in Enterprise Networks Christian Landström, Senior Consultant, CASSIDIAN CyberSecurity
This is an advanced/expert track about combining Wireshark, tshark, and command line scripting skills to quickly mangle huge captures from internet outbreaks to scan for certain patterns we have been using to identify malicious activities over the course of the past 2 years.
Christian Landström has worked in IT since 2004, with a strong focus on network communications and IT security. After graduating in computer science in 2008 and joining Synerity Systems directly afterwards, he moved with the whole Synerity team to work for Fast Lane GmbH in 2009 as a Senior Consultant. Since 2013 he's been working as a Senior Consultant for CASSIDIAN CyberSecurity. He is a certified Cisco teacher as well as being an OSCP, working on IT security and network analysis projects. |
1:45a – 3:00p SEC-6: I Can Hear You Tunneling… Alex Weber, Security Software Developer
SSH is the de facto standard for accessing remote Unix-like servers over a hostile Internet. SSH has many other capabilities, including secure file transfer and the ability to tunnel TCP-based protocols, providing an additional layer of transport security. All of this functionality is great for users that legitimately need to protect their communications, but without the ability for network administrators to do Deep Payload Inspection, SSH presents a very real risk to an organization's network security. In this presentation, Alex Weber will summarize previous research and present tools and techniques to passively analyze SSH traffic for evidence of policy violation and intrusion.
Alex Weber is a Canadian software developer with an interest in network security, cryptography, and interesting programming languages. |
3:15p – 4:30p SEC-7: Wireshark Network Forensics Laura Chappell, Founder, Wireshark and Chappell University
Join Laura Chappell in this session as she examines a slew of malicious traffic, customizes Wireshark to detect these problems faster, and extracts relevant information using command-line tools. You'll learn how Wireshark can be used as network forensic software and how it helped detect various successful/unsuccessful breaches in a recent project.
Laura Chappell is the founder of Chappell University and the co-founder of Wireshark University with Gerald Combs. Long-time, well-known Wireshark evangelist and author of the best-selling "Wireshark Network Analysis: Official Wireshark Certified Network Analyst Study Guide" and numerous other industry books, Ms. Chappell began her career as a network analyst in 1991 when Novell acquired the LANalyzer product. She has worked with numerous analyzer products since then but, in 1999, decided to focus her analysis time working exclusively with the open source Ethereal (now known as Wireshark) network and protocol analysis tool. Laura developed the Wireshark Certified Network Analyst Program and manages the Wireshark University Authorized Training Partner Program and the Wireshark University Authorized Instructor Program. |
4:45p – 6:00p SEC-8: Why is Cryptography So Hard to Get Right? Ron Bowes, Vulnerability Research Engineer, Leviathan Security Group
As a group, the security industry has solved a lot of difficult problems. Firewalls do a great job blocking traffic, overflow vulnerabilities are getting harder and harder to exploit on modern systems, and spam filters/captchas are nearly perfect. But there's one place where we have dropped the ball: cryptography. Why is cryptography so hard to get right? As a developer, you have to understand random numbers, key generation, padding, block chaining, initialization vectors, proper signature generation and more just to be somewhat safe. Even security professionals manage to screw it up, so how do we expect an average developer to get it right? For this talk, we'll be getting into deep detail on a bunch of well-known attacks against crypto - including padding oracles (the Vaudenay attack), hash length extension, BEAST, CRIME, poorly generated random numbers, WEP, and more - to help demonstrate the problem, and begin to look at how we might be able to fix it.
Ron Bowes works as a vulnerability research engineer for Leviathan Security Group in Canada. Formed by recognized security industry leaders with proven track records (including former principals of @stake, Guardent, Symantec, and Foundstone), Leviathan Security Group, Inc. is an information security consulting and training company specializing in application security design, assessment, and remediation. They offer both strategic and technical advisory services targeted at overall risk management and compliance needs. Previously, Ron held a similar position for Tenable Network Security and is best known for his contributions to open source security software including the Nmap Security Scanner, for which he has written dozens of scripts covering a number of complex protocols. He also has a Bachelor of Computer Science from the University of Manitoba, runs a Winnipeg-based security consulting company (Dash9 Security), and is a founding member of SkullSpace - Winnipeg's first and only hackerspace. |
9:00a – 10:00a Keynote: "The Nice Thing About Standards is That There are so Many of Them!": Musings of an Early Networker Rich Seifert, M.S.E.E., M.B.A, J.D., President of Networks and Communications Consulting and co-author of the original Ethernet Specification
Mr. Seifert will discuss the original DEC-Intel-Xerox Ethernet development and the evolution of network standards over 30 years. From the early battles between Ring, Star, and Bus topologies through the market war among Ethernet, Token Ring, and ATM, he will provide insight into why some technologies succeed and others fail. As a test of that insight, he will revisit his 2001 proclamation of "Stupid Network Ideas" to see where he was right and wrong.
Mr. Seifert has over 40 years of experience in the computer industry, specializing in computer network architecture, systems, and product design. He was one of the original developers of the 10 Mb/s Ethernet technology at Digital Equipment Corporation, and is now President of Networks and Communications Consulting, providing services to a wide range of network, semiconductor, and computer systems manufacturers, investors, and users. He taught graduate-level courses at the University of California for over 15 years, has published three best-selling technology treatises, and has chaired and co-authored numerous international standards for computer communications, including IEEE 802.1, 802.3, and 802.4. He has served as a technology consultant and testifying expert to law firms in more than thirty cases over the past fifteen years, is an advisor to numerous venture capital investors, and has founded high-tech companies both in the U.S. and abroad. |
10:15a – 11:30a SEC-9: Attack Trends & Techniques Steve Riley, Technical Director, Office of the CTO, Riverbed
The bad guys just keep getting better! They're constantly changing their tactics and inventing new techniques to cause you harm, damage your data, and make your resources unavailable. Why do they do this? What motivates someone to—let's call it what it is—commit computer-related crimes? How have they changed and improved? What kinds of attacks are popular now and why are they so effective? What might we expect to see in the future? We'll help you understand the latest in attacker trends and techniques, so that you can plan appropriately and implement effective processes and technologies to mitigate threats.
Steve Riley is a Technical Director in the Office of the CTO at Riverbed Technology. His specialties include the performance and security aspects of enterprise and cloud computing. Steve has a long career of public speaking, having participated in hundreds of events around the world. He is co-author of Protect Your Windows Network, contributed a chapter to Auditing Cloud Computing, has published numerous articles, and conducted technical reviews of several data networking and telecommunications books. At Riverbed, Steve concentrates on high-performance architectures that span multiple clouds, public and private; advises field teams and customers about secure deployments; and contemplates the future of networking. Before Steve joined Riverbed, he was the cloud security strategist at Amazon Web Services and a security consultant and advisor at Microsoft; in both capacities, he developed patterns and practices for secure deployments and operations. Steve is a member of the Kubuntu Team (which maintains Ubuntu's KDE-flavored distribution) and is a global moderator of its community forum. Besides lurking in the Internet's dark alleys and secret passages, he enjoys freely sharing his opinions about the intersection of technology and culture. |
11:45a – 1:00p SEC-10: Wireshark Network Forensics Laura Chappell, Founder, Wireshark and Chappell University
Join Laura Chappell in this session as she examines a slew of malicious traffic, customizes Wireshark to detect these problems faster and extracts relevant information using command-line tools. You'll learn how Wireshark can be used as network forensic software and how it helped detect various successful/unsuccessful breaches in a recent project.
Laura Chappell is the founder of Chappell University and the co-founder of Wireshark University with Gerald Combs. Long-time, well-known Wireshark evangelist and author of the best-selling "Wireshark Network Analysis: Official Wireshark Certified Network Analyst Study Guide" and numerous other industry books, Ms. Chappell began her career as a network analyst in 1991 when Novell acquired the LANalyzer product. She has worked with numerous analyzer products since then but, in 1999, decided to focus her analysis time working exclusively with the open source Ethereal (now known as Wireshark) network and protocol analysis tool. Laura developed the Wireshark Certified Network Analyst Program and manages the Wireshark University Authorized Training Partner Program and the Wireshark U Authorized Instructor Program. |
1:45p – 3:00p SEC-11: IPv6 Security Nalini Elkins, CEO & Founder, Inside Products, Inc.
Hackers are already aware of the security vulnerabilities in IPv6, and there are implications across all TCP-connected platforms. Forewarned is forearmed. Our speaker will identify the critical vulnerabilities and provide a technical and management overview of how the new IPv6 intrusions work, what is more secure, and what is not so secure.
Nalini Elkins, the CEO and Founder of Inside Products, Inc., is a recognized leader in the field of computer performance measurement and analysis. In addition to being an experienced software product designer, developer, and planner, she is a formidable businesswoman. She has been the founder or co-founder of two start-ups in the high-tech arena. Nalini has a strong computer networking background, but specializes in network performance analysis, measurement, monitoring, tuning, and troubleshooting of large enterprise networks including TCP/IP & SNA. |
3:15p – 4:30p SEC-12: Trace File Sanitization NG Jasper Bongertz, IT Security Analyst & Sr. Consultant, CASSIDIAN CyberSecurity
PCAPng is the new default capture file format, and it comes with new challenges when trying to remove sensitive information. Most tools do not support the format yet, and converting pcapng files to pcap to do it isn't helping either. We will take a look at the tools available and compare their functionality.
Jasper Bongertz is a Senior Technical Consultant and started working freelance in 1992 when he began studying computer science at the Technical University of Aachen, before joining Fast Lane GmbH in 2009. In 2013, he joined CASSIDIAN CyberSecurity, focusing on IT security and network forensics. During his time with Fast Lane, Jasper created a large training portfolio with a special focus on Wireshark. Jasper is a Sniffer Certified Professional (SCP), VMware Certified Professional (VCP3/4/5) and VMware Certified Instructor (VCI). |
4:45p – 6:00p SEC-13: How 802.11ac Will Hide Problems From Wireshark Joe Bardwell, Founder & President, Connect802 Corp.
It's coming: 802.11ac. With it come a number of unexpected packet capture challenges that have the potential to hide unauthorized devices, penetration attempts and device behavior from Wireshark (and all packet capture tools). Between now and Sharkfest 2014 you'll probably encounter the need for wireless analysis in an 802.11ac environment – find out what you're going to be up against and how to develop a best-practices analysis methodology.
Mr. Bardwell is the President of Connect802 Corporation, a national wireless system solution provider. Mr. Bardwell was the founding engineer and program manager for the Certified Network Expert (CNX) professional certification program. His professional career, which spans over 30 years, includes technical management and executive positions with a number of network industry leaders, including WildPackets and Network General. |
9:00a – 10:00a Keynote: To Engineer is Human… So is Being Lazy Charles Kaplan, Senior Technical Director, Office of the CTO, Riverbed
Most security is designed to keep honest people honest. Not surprisingly, most vulnerabilities are the result of systems being used and abused in a way never anticipated by the author. Users have an innate ability to find workarounds to any security roadblocks, real or perceived. Yet that same human nature that drives us to find workarounds can be harnessed as a means of exposing opportunities for improvement. Despite (security) being a hot topic these days, the likely result of ever-more-sophisticated attacks and a greatly expanded surface area upon which to attack, most people simply don't take it as seriously as they should.
Charles Kaplan is a Senior Technical Director in the CTO Office at Riverbed, focused on the Cascade product line. A security veteran for over 20 years, Mr. Kaplan has spent his career protecting electronic assets. With years under his belt as both a CISO (Verisign and Breakaway Solutions) and an executive for security product and service vendors (Guardent, Mazu Networks, norSEC), Mr. Kaplan is fluent in the expectations placed upon practitioners today and how to implement and run an effective security program. |
10:15a – 11:30a SEC-14: Understanding Encryption Services Using Wireshark Larry Greenblatt, Network Security Consultant and Founder, InterNetwork Defense
Many people equate cryptography with confidentiality, but today we use cryptographic algorithms to validate authenticity, integrity and non-repudiation of information as well. In this session Larry will use Wireshark to sniff a number of SSL handshakes, using different browsers, to explain how algorithms are negotiated and keys exchanged. The hardest part about encryption, key management, will also be discussed, including a description of PKI standards, using Wireshark to illustrate certificate signing and revocation using both Certificate Revocation Lists (CRL) and the Online Certificate Status Protocol (OCSP).
Larry started his IT career in 1984 as a technician for MicroAge, cutting his teeth on IBM PC-based networks and Netware 86. After four years in the 90s working for CGI/IBM as a senior network consultant designing and supporting IPX, SNA and TCP/IP-based network solutions, Larry founded InterNetwork Defense, an information security training and consulting company, where he currently teaches CEH, CISM and CISSP training classes. Larry is also the co-author of the cryptography section for the CEH official study guide. |
11:45a – 1:00p SEC-15: Why is Cryptography So Hard to Get Right? Ron Bowes, Vulnerability Research Engineer, Leviathan Security Group
Ron Bowes works as a vulnerability research engineer for Leviathan Security Group in Canada. Formed by recognized security industry leaders with proven track records (including former principals of @stake, Guardent, Symantec, and Foundstone), Leviathan Security Group, Inc. is an information security consulting and training company specializing in application security design, assessment, and remediation. They offer both strategic and technical advisory services targeted at overall risk management and compliance needs. Previously, Ron held a similar position for Tenable Network Security and is best known for his contributions to open source security software including the Nmap Security Scanner, for which he has written dozens of scripts covering a number of complex protocols. He also has a Bachelor of Computer Science from the University of Manitoba, runs a Winnipeg-based security consulting company (Dash9 Security), and is a founding member of SkullSpace - Winnipeg's first and only hackerspace. |
2:00p – 3:15p SEC-16: I Can Hear You Tunneling… Alex Weber, Security Software Developer
SSH is the de facto standard for accessing remote Unix-like servers over a hostile Internet. SSH has many other capabilities, including secure file transfer and the ability to tunnel TCP-based protocols, providing an additional layer of transport security. All of this functionality is great for users that legitimately need to protect their communications, but without the ability for network administrators to do Deep Payload Inspection, SSH presents a very real risk to an organization's network security. In this presentation, Alex Weber will summarize previous research and present tools and techniques to passively analyze SSH traffic for evidence of policy violation and intrusion.
Alex Weber is a Canadian software developer with an interest in network security, cryptography, and interesting programming languages. Outside of his day job, Alex has contributed patches to the Nmap network scanner and the FreeBSD Documentation Project, and has been featured on the front page of Threatpost for writing a malicious bootloader program to steal Windows passwords. |
3:30p – 4:45p SEC-17: Wireless Intrusion Detection Mike Kershaw, Wireshark Core Developer
In this session, Mike "Mr. Kismet" Kershaw will demonstrate various techniques for Wireless Intrusion Detection using Wireshark, Kismet and other open source tools.
Mike Kershaw is a well-respected expert in the field of wireless security and an open-source advocate as the author of the wireless analysis tool Kismet, and as co-author of the 802.11 injection library LORCON. Mike has worked in the wireless industry doing product security assessment and prototyping, and independently developing new wireless capture open-source hardware. |
9:00a – 10:00a Keynote: History of the Wireshark Project – Reminiscing on the 15-Year-Old Project Gerald Combs, Ethereal/Wireshark Project Founder and Special Guests
Gerald Combs will deliver an overview of Wireshark, including milestones along the way and plans for its evolution. He will also be joined by core developers and other key supporters who will tell their stories of involvement with the project over its 15-year lifespan.
Gerald is the original developer of Wireshark. He started the project in 1998 while working at an ISP. Since then, many bright and talented people have contributed to the project, making it the world's premier network protocol analyzer. He currently works at Riverbed Technology as the Director of Open Source Projects, and is the lead developer of Wireshark. In the past, he has worked as a consultant for firms in a variety of industries ranging from telecommunications to pharmaceuticals to finance. In 2003 he was awarded a UMKC Alumni Achievement Award for his contributions to the field of computer science. |
10:15a – 6:00p HOL-1: Root Cause Analysis Stuart Kendrick, IT Architect, Fred Hutchinson Cancer Research Center MAX ATTENDEES: 25
Troubleshooting is hard. In hindsight, the answer to a problem is often obvious, but in the chaos and confusion of the moment – with too much data flowing in, time pressure, misleading clues – slicing through the distractions and focusing on the key elements is tough. In this hands-on seminar you will work through case studies taken from real-world situations. We divide into groups of 3–5, review a simplified version of Advance7's Rapid Problem Resolution (RPR) methodology, and then oscillate, on about a half-hour cycle, between coming together as a class and working in groups. During class time, I describe the scenario, explain the current RPR step, and offer to role-play key actors. During group time, I walk around, coaching and answering questions.
To get a feel for the course, please review the deck employed at LISA 2012: Who Should Attend: System administrators and network engineers tasked with troubleshooting multidisciplinary problems. What You'll Need: BYOL (Bring Your Own Laptop) loaded with Wireshark and a graphics viewer (PDF and PNG) for some hands-on, interactive, team-oriented, real-world puzzle solving. What You'll Takeaway: A structured approach to analyzing problems that span multiple technology spaces.
Stuart Kendrick is an IT Architect at the Fred Hutchinson Cancer Research Center, specializing in troubleshooting, device monitoring, and transport. He started his career in 1984, writing in FORTRAN on Crays for Science Applications International Corporation; he worked in help desk, desktop support, system administration, and network support for Cornell University in Ithaca and later Manhattan. He has been in his multi-disciplinary role at FHCRC in Seattle since 1993, where he functions as ITIL problem manager/problem analyst and leads root cause analysis efforts. He is happiest when correlating packet traces with syslog extracts and writing scripts to query device MIBs. |
10:15a – 6:00p HOL-2: WiFi Security & aircrack-ng Thomas D'Otreppe, creator of aircrack-ng & Jon Ford, Software Developer, NEK Advanced Securities Group MAX ATTENDEES: 15
This lab is designed to provide an understanding of the fundamentals of WiFi networks as well as packet The course is broken out into 2 parts: The course will cover topics that include:
Who Should Attend: Anyone interested in learning more about WiFi, WLANs and securing a wireless infrastructure. What You'll Need: An Alfa AWUS036H and a laptop with Kali Linux running natively (installed or as a Live CD/USB) or as a virtual machine. If you are going to virtualize it, VirtualBox is not recommended because its USB driver is highly unstable. VMware Player (v5+) / Workstation (v9+) / Fusion (v5+) are recommended. What You'll Takeaway: At the end of this class, you will have an understanding of WiFi networks (from the big picture to the frame level), will be able to perform a wireless penetration test/audit, choose the right hardware for the job (card/antenna), and secure wireless networks.
Thomas d'Otreppe, "Mister X", is a wifi hacker and the author of Aircrack-ng, a Wi-Fi auditing suite. He has designed Offensive-Security WiFu, a proactive wireless security course, with Mati Aharoni, and also contributes to BackTrack Linux. He works as a software developer for NEK Advanced Securities Group. Twitter: @aircrackng and @openwipsng |
9:00a – 10:00a Keynote: "The Nice Thing About Standards is That There are so Many of Them!": Musings of an Early Networker Rich Seifert, M.S.E.E., M.B.A, J.D., President of Networks and Communications Consulting and co-author of the original Ethernet Specification
Mr. Seifert will discuss the original DEC-Intel-Xerox Ethernet development and the evolution of network standards over 30 years. From the early battles between Ring, Star, and Bus topologies through the market war among Ethernet, Token Ring, and ATM, he will provide insight into why some technologies succeed and others fail. As a test of that insight, he will revisit his 2001 proclamation of "Stupid Network Ideas" to see where he was right and wrong.
Mr. Seifert has over 40 years of experience in the computer industry, specializing in computer network architecture, systems, and product design. He was one of the original developers of the 10 Mb/s Ethernet technology at Digital Equipment Corporation, and is now President of Networks and Communications Consulting, providing services to a wide range of network, semiconductor, and computer systems manufacturers, investors, and users. He taught graduate-level courses at the University of California for over 15 years, has published three best-selling technology treatises, and has chaired and co-authored numerous international standards for computer communications, including IEEE 802.1, 802.3, and 802.4. He has served as a technology consultant and testifying expert to law firms in more than thirty cases over the past fifteen years, is an advisor to numerous venture capital investors, and has founded high-tech companies both in the U.S. and abroad. |
10:15a – 6:00p HOL-3: Cyber Security Investigation & Network Forensic Analysis – Practical Techniques for Analyzing Suspicious Network Traffic Phill Shade, CEO and founder of Merlion's Keep Consulting and Wireshark University Instructor MAX ATTENDEES: 12 - Session has reached capacity and is FULL
Network forensics analysis encompasses the skill to capture suspicious data and the ability to discern unusual patterns hidden within seemingly normal network traffic. This course will provide the student with a set of investigative techniques focusing on the use of vendor-neutral, open-source tools to provide insight into:
Real-world examples will be utilized throughout the course in conjunction with numerous hands-on exercises to provide field-proven, practical forensics analysis skills. Who Should Attend: This course is designed for network engineers and security and law enforcement personnel who possess a basic to intermediate general security and networking knowledge. Those who already possess a working knowledge of host-based forensics analysis should also attend this course as a means of gaining expertise in the end-to-end digital forensics process. What You'll Need: For maximum effectiveness, attendees should have at least basic familiarity with Wireshark, TCP/IP networking, and basic network infrastructure devices such as switches, routers, etc. Attendees will also be required to bring their own laptop with Wireshark and Network Miner pre-loaded. Takeaway: Successful completion of this course will provide attendees with a pathway into the field of Network Forensics Analysis. Specifically, participants will be able to:
Phillip D. Shade is the CEO and founder of Merlion's Keep Consulting, a professional services company specializing in all aspects of Network and Forensics Analysis and providing a full range of professional training and customized curriculum development. Phill is also a certified instructor for Wireshark University and Global Knowledge. Drawing from his 30+ years of hands-on, real world experience in network analysis, troubleshooting and cyber forensics/security, Phill's presentations use a highly energetic, knowledgeable and informative style. Phill can be contacted at phill.shade@gmail.com or merlions.keep@gmail.com. |
10:15a – 6:00p HOL-4: IPv6: Build It, Use It Jeff Carrell, Network Systems and Security Instructor MAX ATTENDEES: 16
By attending this two-part hands-on workshop, attendees will work through a series of lab exercises In addition, bonus labs are available to: telnet and web management to your switch, tftp the switch configuration file to the client, and RDP to the server. There will be short lecture sessions between each lab, explaining the technology, purpose, and the desired results of each lab. Who Should Attend: Network engineers interested in building out a solid IPv6 Infrastructure, network architects, network administrators, and any IT Professional who could benefit from an IPv6 immersion course. What You'll Need: Attendees will be required to provide their own laptop with any operating system that has a Java enabled browser, wired and wireless interfaces, and full administrator rights to your laptop. A working knowledge of IPv6, DNS, DHCPv6, and Web services is helpful but not required, as lab configurations are fully detailed. Takeaway: Attendees will gain a solid understanding of how to configure and build a fully operational IPv6 network.
Jeff Carrell is a network systems and security instructor and course developer for HP Networking, delivering technical courses throughout North America. In addition, Jeff provides network consulting services with an emphasis on security for wired, wireless and VoIP networks. Though his endeavors have rested mainly in the internetworking space for 25 of the past 33 years, Jeff's recent focus has been on IPv6 systems interoperability, providing lectures and hands-on labs on the topic at various technical conferences. Jeff has enjoyed successful career advancements with several network equipment manufacturers, including Foundry Networks (acquired by Brocade Networks) and HP Networking as a pre-sales consulting engineer and technical instructor. In an end-user position he has designed mission-critical, high-availability networks. |
9:00a – 10:00a Keynote: To Engineer is Human… So is Being Lazy Charles Kaplan, Senior Technical Director, Office of the CTO, Riverbed
Most security is designed to keep honest people honest. Not surprisingly, most vulnerabilities are the result of systems being used and abused in a way never anticipated by the author. Users have an innate ability to find workarounds to any security roadblocks, real or perceived. Yet that same human nature that drives us to find workarounds can be harnessed as a means of exposing opportunities for improvement. Despite (security) being a hot topic these days, the likely result of ever-more-sophisticated attacks and a greatly expanded surface area upon which to attack, most people simply don't take it as seriously as they should.
Charles Kaplan is a Senior Technical Director in the CTO Office at Riverbed, focused on the Cascade product line. A security veteran for over 20 years, Mr. Kaplan has spent his career protecting electronic assets. With years under his belt as both a CISO (Verisign and Breakaway Solutions) and an executive for security product and service vendors (Guardent, Mazu Networks, norSEC), Mr. Kaplan is fluent in the expectations placed upon practitioners today and how to implement and run an effective security program. |
9:30a – 4:45p HOL-5: SSL Troubleshooting With Wireshark Sake Blok, Application Delivery Networking Consultant and Troubleshooter MAX ATTENDEES: 30
SSL plays an important role in ensuring confidentiality, integrity and authentication of communication over a public network like the Internet. It is used for securing (web) applications as well as for implementing a public key infrastructure (PKI). A good understanding of the SSL protocol will help solve issues in setting up secure communication based on SSL. In this Hands-On Lab, we'll review the SSL protocol and how Wireshark and tshark can be used to analyze the different handshake messages, troubleshoot common problems in the SSL session setup and successfully decrypt SSL traffic for further analysis of the transported data. Who Should Attend: Network engineers, network security professionals, software developers. What You'll Need: Bring your own laptop with Wireshark installed. Takeaway: A good understanding of SSL and a sure footing in setting up secure communication based on the protocol.
Sake Blok, a Wireshark/Ethereal devotee since 1999, is the founder of SYN-bit in the Netherlands. His company focuses on troubleshooting Application Delivery Networks. He also trains customers to enable them to solve their own networking issues. In 2006, Sake started to add code to Wireshark for the functionality he was missing. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Core Development Team. |
10:00a – 4:45p HOL-6: IPv6: Build It, Use It Jeff Carrell, Network Systems and Security Instructor MAX ATTENDEES: 16
By attending this two-part hands-on workshop, attendees will work through a series of lab exercises In addition, bonus labs are available to: telnet and web management to your switch, tftp the switch configuration file to the client, and RDP to the server. There will be short lecture sessions between each lab, explaining the technology, purpose, and the desired results of each lab. Who Should Attend: Network engineers interested in building out a solid IPv6 Infrastructure, network architects, network administrators, and any IT Professional who could benefit from an IPv6 immersion course. What You'll Need: Attendees will be required to provide their own laptop with any operating system that has a Java enabled browser, wired and wireless interfaces, and full administrator rights to your laptop. A working knowledge of IPv6, DNS, DHCPv6, and Web services is helpful but not required, as lab configurations are fully detailed. Takeaway: Attendees will gain a solid understanding of how to configure and build a fully operational IPv6 network.
Jeff Carrell is a network systems and security instructor and course developer for HP Networking, delivering technical courses throughout North America. In addition, Jeff provides network consulting services with an emphasis on security for wired, wireless and VoIP networks. Though his endeavors have rested mainly in the internetworking space for 25 of the past 33 years, Jeff's recent focus has been on IPv6 systems interoperability, providing lectures and hands-on labs on the topic at various technical conferences. Jeff has enjoyed successful career advancements with several network equipment manufacturers, including Foundry Networks (acquired by Brocade Networks) and HP Networking as a pre-sales consulting engineer and technical instructor. In an end-user position he has designed mission-critical, high-availability networks. |
10:00a – 4:45p HOL-7: Cyber Security Investigation & Network Forensic Analysis – Practical Techniques for Analyzing Suspicious Network Traffic Phill Shade, CEO and founder of Merlion's Keep Consulting and Wireshark University Instructor MAX ATTENDEES: 12 - Session has reached capacity and is FULL
Network forensics analysis encompasses the skill to capture suspicious data and the ability to discern unusual patterns hidden within seemingly normal network traffic. This course will provide the student with a set of investigative techniques focusing on the use of vendor-neutral, open-source tools to provide insight into:
Real-world examples will be utilized throughout the course in conjunction with numerous hands-on exercises to provide field-proven, practical forensics analysis skills. Who Should Attend: This course is designed for network engineers and security and law enforcement personnel who possess a basic to intermediate general security and networking knowledge. Those who already possess a working knowledge of host-based forensics analysis should also attend this course as a means of gaining expertise in the end-to-end digital forensics process. What You'll Need: For maximum effectiveness, attendees should have at least basic familiarity with Wireshark, TCP/IP networking, and basic network infrastructure devices such as switches, routers, etc. Attendees will also be required to bring their own laptop with Wireshark and Network Miner pre-loaded. Takeaway: Successful completion of this course will provide attendees with a pathway into the field of Network Forensics Analysis. Specifically, participants will be able to:
Phillip D. Shade is the CEO and founder of Merlion's Keep Consulting, a professional services company specializing in all aspects of Network and Forensics Analysis and providing a full range of professional training and customized curriculum development. Phill is also a certified instructor for Wireshark University and Global Knowledge. Drawing from his 30+ years of hands-on, real world experience in network analysis, troubleshooting and cyber forensics/security, Phill's presentations use a highly energetic, knowledgeable and informative style. Phill can be contacted at phill.shade@gmail.com or merlions.keep@gmail.com. |