Sunday, July 12, 2009

Review of Laura Chappell's Wireshark 101 Jumpstart

Last Tuesday I took part in Laura Chappell's live online seminar about Wireshark. It's really for those who are new to Wireshark (which I'm not), but I wanted to see how the seminar was presented and whether there was something I could learn about Wireshark that I didn't know. I was pleasantly surprised on both counts. In case you don't know who Laura is, you should know that she has many years of network training to her credit.

The class was free (always a good price) and Laura had a limit of 1000 attendees. I think over 1700 signed up. I was able to make it in under the cutoff half an hour ahead of time. The class was conducted using a Citrix viewing program that I had to install. This was required so that we could see the slides and Wireshark in action. The quality of the audio was similar to that of a phone call, not super high but very intelligible. I used DSL (1.2 Mbps), which was fast enough for both the video portion and the audio. Laura also provided the slides as a downloadable PDF so you could follow along (I did).

There was a way to communicate back to Laura and her assistants using instant messaging, or a phone or audio link if you needed to ask a question. Many people did ask questions. Yesterday I received the complete list of questions and answers by email.

Laura started the seminar by covering Wireshark on a general level, explaining how it fits in with the various packet capturing methods and how it can open 'trace files' offline at a later time. Then she covered the various Wireshark placement options with their advantages and disadvantages. This included tapping wired network links, mirroring switch ports, and even using wireless capture adapters to see traffic on a wireless network.

Laura then moved directly into using Wireshark live to capture data into file sets. File sets let you break a large capture into multiple smaller files. Then she showed how to change the time column so that you see the time between consecutive packets (the delta) rather than the default seconds since the beginning of the capture. Of course there were discussions about defining both capture filters, which keep unwanted packets out of the capture file in the first place, and post-capture filtering (display filters) applied to the packets already in the file. Since post-capture filtering can get complex in this program, Laura also covered coloring rules, which shade the rows of captured packets depending on the data in the packet. Laura also touched on following streams of TCP or UDP data. This is helpful when you are following communications between a client and server -- especially if the client is compromised by a trojan or something similar.
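To make two of those features concrete, here is an added example (my own illustration, not material from the seminar and not Wireshark's code). It builds a tiny libpcap-format capture from constructed packets, then reproduces what Wireshark's time column does when you switch it from "seconds since beginning of capture" to "seconds since previous packet", applies a post-capture port filter equivalent to the display filter `tcp.port == 80 || udp.port == 80`, and chops the packet list into fixed-size chunks the way a file set does. The packet timestamps, addresses and ports are all made up.

```python
"""Minimal pcap writer/reader: delta-time column, port display filter, file-set split.
Added example; the capture below is constructed inline, not a real trace."""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Serialize (ts_sec, ts_usec, frame_bytes) tuples into a .pcap byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def ipv4_frame(proto, src_port, dst_port, payload=b""):
    """Ethernet II + IPv4 + minimal TCP (proto 6) or UDP (proto 17) header; checksums zeroed."""
    if proto == 6:   # TCP: seq/ack 0, data offset 5, PSH+ACK, window 8192
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    else:            # UDP: length covers header + payload
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    src_ip, dst_ip = bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34])   # assumed, constructed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src_ip, dst_ip) + l4
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    return eth + ip


def decode(frame):
    """Pull protocol and L4 ports out of an Ethernet/IPv4 frame (enough for a port filter)."""
    row = {"proto": None, "src_port": None, "dst_port": None}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:
        return row
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    if proto in (6, 17):
        row["proto"] = "tcp" if proto == 6 else "udp"
        row["src_port"], row["dst_port"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return row


def parse_pcap(data):
    """Return one row per packet with both time-column variants Wireshark offers."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    (linktype,) = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet frames are decoded here")
    off, first_ts, prev_ts, rows = 24, None, None, []
    while off < len(data):
        sec, usec, caplen, _origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        off += caplen
        ts = sec + usec / 1e6
        if first_ts is None:
            first_ts = ts
        row = decode(frame)
        row["time_since_start"] = round(ts - first_ts, 6)            # Wireshark's default column
        row["delta"] = round(ts - prev_ts, 6) if prev_ts is not None else 0.0   # "since previous packet"
        prev_ts = ts
        rows.append(row)
    return rows


def display_filter(rows, port):
    """Equivalent of `tcp.port == port || udp.port == port` applied after capture."""
    return [r for r in rows if port in (r["src_port"], r["dst_port"])]


def split_into_fileset(rows, packets_per_file):
    """File-set behaviour by packet count instead of bytes: a list of smaller captures."""
    return [rows[i:i + packets_per_file] for i in range(0, len(rows), packets_per_file)]


# Constructed sample capture: four frames, timestamps chosen to give visible deltas.
SAMPLE_PACKETS = [
    (1247000000, 0,      ipv4_frame(6, 40001, 80, b"GET / HTTP/1.0\r\n")),
    (1247000000, 250000, ipv4_frame(17, 51000, 53)),
    (1247000001, 500000, ipv4_frame(6, 40001, 80)),
    (1247000003, 0,      ipv4_frame(6, 40002, 443)),
]
SAMPLE_PCAP = build_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    for r in parse_pcap(SAMPLE_PCAP):
        print(r)
    print("port 80 only:", display_filter(parse_pcap(SAMPLE_PCAP), 80))
```

In Wireshark the same switch is View > Time Display Format > Seconds Since Previous Captured Packet, and the filter goes in the display filter bar; the point of the example is that the delta column is just the difference between adjacent timestamps, which is why a large gap in it is the quickest way to spot a stalled client or server.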

Even though Laura talks faster than I ever could (though still slower than my 19 year old daughter), she ran out of time -- 75 minutes quickly ran into nearly 90 minutes. But she did leave us with a "to-do" list. First and foremost was to get the latest version of Wireshark, version 1.2. This version includes optional GeoIP lookup for IP addresses, which is quite helpful (NetScanTools Pro does this too!); note that it only works once you have pointed the name resolution preferences at a set of MaxMind GeoIP database files. Wireshark takes it one step further and plots the IPs on a world map, which is always good (NetScanTools Pro will have this soon).

I learned that Laura puts on a very professional and well thought out seminar. This one was free, and since Laura is in the training business, she also has others that are not free. The other seminars are reasonably priced. They go into detail on many networking subjects, so please consider them. You can find Laura's seminars at . You can follow her on Twitter at -- she posts almost every day, and not just business posts!

I also learned things about Wireshark that I didn't know -- particularly that GeoIP option and the colorizing methods.

If you are interested in seeing one of Laura's seminars, she will be repeating this same FREE seminar live on July 30 at 12pm Pacific Time. Please consider it. Go and sign up, then have a look at the other seminars Laura offers, because with travel and training budgets as tight as they are, having a live seminar delivered to your desk is something your business should strongly consider. You can sign up for the next Wireshark Jumpstart seminar here.
