- Training
- Training Live Events
- Training Without Travel
- SANS Courses
- Certified Instructors
- Career Roadmap
- Training Calendars
- SANS @Home
- SANS OnDemand
- Community SANS
- SANS Mentor Program
- SANS Onsite
- SANS SelfStudy
- SANS Summit Series
- SANS Partnership Series
- Webcasts
- Work Study
- Events Archive
- DoD 8570
- Voucher Credit Program
- group discounts
- Certification
- Resources
- List of Resources
- Top 20 List
- Top 25 Programming Errors
- Top 10 Security Trends
- Top 5 Essential Log Reports
- Reading Room
- Webcasts
- WhatWorks
- Newsletters
- RSS Feeds
- Calendar Feeds
- Projects
- Security Policy Project
- Security+ Study Guide
- S.C.O.R.E.
- Awards & Recognitions
- SANS Buyers Guide
- Security Tool Demos
- Vendor
- Portal
- Storm Center
- College
- Developer
- About
the most trusted source for computer security training, certification and research
select a course
Toronto, ON - May 10 - 16, 2008
- Event Location & Info
- General Info
- Faculty
- Vendor Expo
- Vendor Events
- Special Events
- SANS @Night
- Brochure (PDF)
The information presented is priceless!
-Nehal Parmar, North Fork Bank
Security 556
1 Day Course
Comprehensive Packet Analysis
Saturday, May 10, 2008 : 9am - 5pmGuy Bruneau, IPSS Inc.
6 CPE Credits Per Day
Knowing how to decode network traffic is a skill requirement for any serious network or information security administrator. Being able to decode the bits and bytes that represent mission-critical networks will give you the skills to identify malicious activity, troubleshoot network failures, and analyze other desirable or undesirable network events.
This class will give you the skills necessary to decode network traffic with open-source tools available for Unix and Windows systems. Students will learn advance pcap packet filtering methods to decode and manipulate network traffic using tcpdump and use Wireshark to extract files (pictures, documents, executable, etc) from datastream for malware recovery, incident response and forensics analysis. You'll be able to use these new skills to analyze current or future network protocols and gain a better understanding of your network traffic. The tools covered in this class are: Windump/TCPdump, Wireshark, Mergecap, Unix file command and an Hex Editor.
Students are expected to be generally familiar with TCP/IP at the theoretical level. If you are not familiar with TCP/IP, we recommend you read the following documents before attending:
- Who should attend this course?
- Incident Response analysts, firewall and network administrators looking to learn advance packet decoding skills
- Analysts looking to learn advance techniques in packet analysis
- Analysts wanting to learn how to recover and analyze files from packet streams
- Network administrators and operations professionals seeking a deeper understanding of network analysis techniques
- Topics Covered
- TCP/IP basics
- TCPdump from basic to advance
- Writing simple to complex TCPdump Filters
- TCPdump exercises
- Introduction to Ngrep
- Ngrep exercises
- Wireshark as an analyst and forensic tool
- Introduction to tshark and mergecap
- Filters in Wireshark
- Using Wireshark for troubleshooting VoIP
- Using Wireshark to carve out files from pcap data (malware, pictures, documents, etc)
- Wireshark exercises
- Troubleshooting network and applications