
I have no idea how I was doing my job without this information.
-Jonathon Turner, Paycom Payroll

SECURITY 556

Comprehensive Packet Analysis

6 CPE Credits

Knowing how to decode network traffic is a skill requirement for any serious network or information security administrator. Being able to decode the bits and bytes that represent mission-critical networks will give you the skills to identify malicious activity, troubleshoot network failures, and analyze other desirable or undesirable network events.

This class will give you the skills necessary to decode network traffic with open-source tools available for Unix and Windows systems. Students will learn advanced pcap packet-filtering methods to decode and manipulate network traffic with tcpdump, and will use Wireshark to extract files (pictures, documents, executables, etc.) from a data stream for malware recovery, incident response and forensic analysis. You'll be able to use these new skills to analyze current or future network protocols and gain a better understanding of your network traffic. The tools covered in this class are: Windump/TCPdump, Wireshark, Mergecap, the Unix file command, and a hex editor.

Students are expected to be generally familiar with TCP/IP and decimal, binary, and hexadecimal at the theoretical level. If you are not familiar with TCP/IP and decimal, binary, and hexadecimal, we recommend you read and review the following documents before attending:

Linux Primer

The course uses a custom Backtrack 2 CD and requires some basic Linux skills. The following sites are suggested to get some basic information on Linux commands:

Backtrack 2 Original CD

  • Who should attend this course?
    • Incident response analysts and firewall and network administrators looking to learn advanced packet-decoding skills
    • Analysts looking to learn advanced techniques in packet analysis
    • Analysts wanting to learn how to recover and analyze files from packet streams
    • Network administrators and operations professionals seeking a deeper understanding of network analysis techniques
  • Topics Covered
    • TCP/IP basics
    • TCPdump from basic to advanced
    • Writing simple to complex TCPdump filters
    • TCPdump exercises
    • Introduction to Ngrep
    • Ngrep exercises
    • Wireshark as an analyst and forensic tool
    • Introduction to tshark and mergecap
    • Filters in Wireshark
    • Using Wireshark for troubleshooting VoIP
    • Using Wireshark to carve out files from pcap data (malware, pictures, documents, etc)
    • Wireshark exercises
    • Troubleshooting networks and applications
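As an added example, written for this page and not part of the SANS course material or code by Guy Bruneau, the following script shows what two of the skills listed above look like in code: reading pcap records and TCP/IP headers, reassembling one direction of a TCP stream from out-of-order and retransmitted segments, and carving an embedded file out of the reassembled bytes by its header and trailer signature (what Wireshark's Follow TCP Stream and Export Objects do for you). The capture, the addresses 10.0.0.5:80 and 10.0.0.9:40000, and the JPEG-like payload are all constructed inline and are assumptions, not data from the course, so the script runs offline.

```python
import struct
from collections import defaultdict

# Embedded file types to carve from a reassembled stream: header magic and trailer.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "gif": (b"GIF89a", b"\x00\x3b"),
}

# ---- constructed sample capture (assumed addresses and payload, not a real capture) ----
SERVER, CLIENT = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 40 + b"\xff\xd9"
HTTP_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
             b"Content-Length: %d\r\n\r\n" % len(FAKE_JPEG)) + FAKE_JPEG

def build_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame (PSH|ACK); checksums stay zero, the parser never checks them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):
    """Classic pcap: 24-byte global header (LINKTYPE_ETHERNET=1) then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)) + f
    return out

def sample_pcap():
    """HTTP response in 40-byte segments; first two swapped (out of order), first sent twice."""
    chunks = [HTTP_RESP[i:i + 40] for i in range(0, len(HTTP_RESP), 40)]
    frames, seq = [], 1000
    for c in chunks:
        frames.append(build_frame(SERVER, CLIENT, 80, 40000, seq, c))
        seq += len(c)
    frames[0], frames[1] = frames[1], frames[0]
    frames.append(build_frame(SERVER, CLIENT, 80, 40000, 1000, chunks[0]))
    return build_pcap(frames)

# ---- pcap parsing, TCP reassembly, carving ----
def read_pcap(data):
    """Yield raw frames from a classic pcap; pcapng and non-Ethernet link types are rejected."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data)[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_segment(frame):
    """Return ((src, sport, dst, dport), seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total]                      # IP total length drops Ethernet padding
    sport, dport, seq = struct.unpack_from("!HHI", tcp)
    return (ip[12:16], sport, ip[16:20], dport), seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(pcap_bytes):
    """One byte string per flow direction, ordered by sequence number. Duplicate and
    overlapping segments are trimmed; a hole stops the stream so nothing is carved
    across missing data. 32-bit sequence wraparound is not handled here."""
    flows = defaultdict(dict)
    for frame in read_pcap(pcap_bytes):
        seg = tcp_segment(frame)
        if seg and seg[2]:
            flows[seg[0]].setdefault(seg[1], seg[2])   # first copy of a seq wins
    streams = {}
    for key, segs in flows.items():
        buf, expected = b"", None
        for seq in sorted(segs):
            data = segs[seq]
            if expected is not None:
                if seq > expected:
                    break                            # gap: stop rather than splice
                data = data[expected - seq:]         # trim overlap with earlier bytes
                if not data:
                    continue
            buf += data
            expected = seq + len(segs[seq])
        streams[key] = buf
    return streams

def carve(stream):
    """Return (type, bytes) for every header..trailer span of a known signature."""
    found = []
    for name, (head, tail) in SIGNATURES.items():
        start = stream.find(head)
        while start != -1:
            end = stream.find(tail, start + len(head))
            if end == -1:
                break
            found.append((name, stream[start:end + len(tail)]))
            start = stream.find(head, end + len(tail))
    return found

def carve_pcap(pcap_bytes):
    return [(key, name, blob) for key, stream in reassemble(pcap_bytes).items()
            for name, blob in carve(stream)]

if __name__ == "__main__":
    for (src, sport, dst, dport), name, blob in carve_pcap(sample_pcap()):
        print(".".join(map(str, src)), sport, "->", ".".join(map(str, dst)), dport, name, len(blob))
```

The same flow would be pulled out of a real capture with a tcpdump filter such as `tcpdump -nn -r capture.pcap 'src host 10.0.0.5 and tcp src port 80'`. Signature carving is blind to transfer encodings: a chunked or gzip-compressed HTTP body has to be decoded first, which is where Wireshark's HTTP dissector earns its keep over a raw byte search.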

I have attended several of SANS rivals and SANS blew them away!
-Alton Thompson, US Marines

Author Statement

If you have not yet attended Security 502: Perimeter Protection In-Depth or Security 503: Intrusion Detection In-Depth and want some solid skills to analyze and troubleshoot traffic flowing through your network, this is the course for you. This course is designed to teach the core skills to read and understand various types of traffic that you will see in a corporate network with TCPdump and Wireshark. About one third of the course is spent on exercises to reinforce the material taught in the class. We are confident the skills you will learn here will be put into practice the day you get back to the office.

- Guy Bruneau

Training Events By Course

SECURITY 556 :: Comprehensive Packet Analysis
SANS 2010 Orlando, FL March 06, 2010 - March 15, 2010
SANS Security West 2010 San Diego, CA May 07, 2010 - May 15, 2010
SANS London 2009 London, United Kingdom November 28, 2009 - December 06, 2009
SANS SCDP SEC556 Comprehensive Packet Analysis Ottawa, ON February 10, 2010 - February 11, 2010