Mastering TShark Packet Analysis

What You Will Learn

With system compromises and data breaches being reported almost daily and more of our activities are moved online, it is imperative that network defenders ensure they have the relevant tools and skillset to detect these compromises sooner rather than later. While attackers (advanced or not) may make every attempt to hide their suspicious activities on the compromised host, the reality is, all their activities leave breadcrumbs on the network. This is true whether reconnaissance activity is being performed or actions and objectives are being achieved, according to the Lockheed Martin Cyber Kill Chain. Basically, there are packets or it did not happen.

With SEC582, you will master performing packet analysis through TShark and learn how to solve real-world problems through 19 different labs, demos, and challenges. This is the most in-depth, hands-on packet analysis course available.

Course author Nik Alleyne has hands-on experience supporting and monitoring network infrastructures in organizations that spans verticals such as financial, education, media, scientific services, etc., using both commercial and open-source solutions to detect threats. In this course, he teaches you how to use one of his favorite tools, TShark. Using TShark, he moves you from beginner level, where you capture your first packet, to more advanced level, where you are detecting buffer overflows, exfiltration, passwords, decrypting TLS and WPA2-PSK traffic, along with setting up TShark for continuous monitoring and ultimately, using TShark along with Python to perform threat intelligence against packet data.

Syllabus (12 CPEs)

Overview
On day one, we start off from the basics moving through decoding protocols and services, all the way to hiding behind non-standard ports. This provides us insight into what we should expect as normal versus abnormal. Part of what we do when supporting a network is to look for deviations from norm or better yet, look for the anomalies. As we go through the day, there are a number of labs that reinforce the content just learned.
Exercises
- Capturing basics
- Leveraging BPF filters
- Spanning bytes
- Decoding packets
- Decrypting encrypted traffic
Topics
Course Outline and Lab Setup
- Lab 0: Preparing for success
- Module 1: Packet capturing basics
- Module 2: TShark basics
- Module 3: TShark configuration basics
- Module 4: Capturing live traffic
- Lab: capturing live traffic
- Module 5: BPF filters and TShark
- Lab: Monitoring hosts networks and ports
- Module 6: BPF filters and TShark - not so basic filters
- Lab: Spanning bytes
- Module 7: Continuous "hands-free" monitoring
- Lab: Hands-free monitoring
- Module 8: Reading PCAPS
- Lab: Controlling packet count and time format
- Module 9: TShark statistics
- Module 10: Exporting objects
- Lab: Exporting objects
- Module 11: Hiding behind other services/protocols
- Lab: Decoding as
- Module 12: Not so basic tricks
- Module 13: Decrypting and analyzing SSL/TLS
- Lab: Decrypting TLS
- Module 14: Decrypting and analyzing WPA2
Overview
On day 2 we begin moving way beyond the basics of TShark. We transition into the realm of automating packet intelligence by leveraging Python in combination with TShark. We then move to real-world challenges, where we solve real-world problems while solidifying our mastery of TShark. This day also has bonus content on how to edit, merge, and rewrite packets.
Exercises
- Leveraging Python and TShark for packet threat intelligence
- Real-world challenges
Topics
Common Delivery Mechanisms
- Module 15: Beyond basics with Python
- Lab: IP Threat Intelligence
- Module 16: A touch of Lua
- Module 17: The Final Cheat
- Module 18: Real-world challenges with TShark
- 10 Challenges
BONUS CONTENT
- Module 19: Editing PCAPS
- Module 20: Merging PCAPS
- Module 21: Rewriting packets

Prerequisites

Experience with Linux from the command line
A baseline understanding of cyber security topics
A baseline understanding of TCP/IP and networking concepts
A baseline understanding of application layer protocols
A baseline knowledge of packet capturing tools

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

You will need to run two copies of the supplied Linux VMware images on your laptop for the hands-on exercises that will be performed in class. Some familiarity and comfort with Linux and entering commands via the command line will facilitate your experience with the hands-on exercises.

You can use any version of Windows, Mac OSX, or Linux, as long as your core operating system can install and run current VMware virtualization products. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course. You also must have 8 GB of RAM or higher for the VM to function properly in the class, in addition to at least 40 gigabytes of free hard disk space.

Please download and install one of the following: VMware Workstation or VMware Fusion on your system prior to the beginning of the class. If you do not own a licensed copy of VMware Workstation or VMware Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Operating System

Students must bring a laptop to class running any of the following OS families:

Windows 7, 8.1, or 10
MacOS Mavericks, Yosemite, El Capitan, or Sierra
Linux-based distributions
For troubleshooting reasons, please ensure you have local administrator privileges on your laptop

Hardware

x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
4 GB RAM minimum with 8 GB or higher recommended
A wireless network adapter
10 GB available hard-drive space

As a best practice, it is strongly advised that you do not bring a system storing any sensitive data to this course.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

Author Statement

"While my career has spanned multiple verticals, it is without a doubt, that my past few years at a Managed Security Service Provider (MSSP) is what has given me the visibility across a larger set of organizations. This experience puts me in a position to gain insights into what is being done or not done for monitoring. It is as a result of this insight that Iâ€™m ecstatic about leading a course which talks about monitoring using the free and open-source solution TShark.

SANS SEC582 is the course you need to give you the knowledge and confidence to perform packet analysis. This is true whether you are a network engineer or a network forensic analyst."

-- Nik Alleyne

Ways to Learn

Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

Who Should Attend SEC582?

Network Forensic Analysts looking to improve their existing skillset or validate their existing knowledge. Especially if new to the role, this training will take you from zero to hero as you gain critical skills related to packet analysis.
Security architects and security engineers who want to better understand how to implement continuous monitoring
Red teamers and penetration testers who want to understand how their activities can be detected via both cleartext and encrypted protocols, basically how their breadcrumbs can be used by defenders.
Technical security managers who want to gain insights into how to take advantage of packet data
Security Operations Center analysts and engineers looking to understand packet analysis, so that they can provide the appropriate perspective on detected threats.
Individuals looking to expand their knowledge of TShark and or packet analysis.

See prerequisites

SEC582: Mastering TShark Packet Analysis

Course Authors:

Nik Alleyne