Archive for April 2015
Well, I finally took the time to buckle down and sit the WCNA (Wireshark Certified Network Analyst) exam. Once I finished, I can happily say I passed, which I have to admit is pretty cool. Protocol analysis is definitely an interesting set of technologies to learn and know, and it is also extremely beneficial for troubleshooting certain types of issues.
How I studied:
Having a few years of packet analysis behind me certainly helped, but the WCNA books from Wireshark University are absolutely fantastic!
The Network Analysis book, while expensive, is definitely worth it. To me, this book is to protocol analysis what Routing TCP/IP Vol. I & II is to a CCIE R/S candidate: a large book with great material that you can keep on your bookshelf at arm's length for years and still use for reference. It also covers all of the WCNA exam objectives, making it an important resource if you are studying for this exam. The other thing I loved about this book was all the real-world case studies; it's one thing for a book to teach you a topic, but it's something completely different for a book to show you how that knowledge is applied in the real world. At the end of each chapter the book points you toward PCAPs to test your newly learned knowledge, which are available for free from the Wireshark book website.
Once you finish the Network Analysis book, that is where the Prep Guide comes in. I bought the Prep Guide the weekend before my exam and went through all the questions, using that book to judge where I stood on the objectives. I did pretty well with the Prep Guide, missing maybe 10% of the 300 questions, so I figured it was time to schedule the exam and took it later that week.
I also read through the Wireshark 101 book, which in my opinion is a good book for anyone just starting out with Wireshark or wanting to start customizing it, and I highly recommend it for that audience. If you are already familiar with Wireshark, however, I'd skip this one.
There are also a few great YouTube channels out there with good Wireshark videos, and even some Sharkfest recordings.
Just because I finished the WCNA does not mean I will stop posting my Wireshark Tid-Bits; I've still got plenty more of those in store.
Many of us are familiar with the GUI version of Wireshark, but believe it or not, there is also a slew of command-line utilities that ship with Wireshark and aid us in capturing and analyzing data. Let's take a quick look at some of these tools.
- tshark – This is pretty much the CLI equivalent of Wireshark, allowing you to capture packets as you would with tcpdump, specifying interfaces, filters, etc. It's definitely worth taking the time to get familiar with tshark.
- dumpcap – This is another CLI equivalent of Wireshark; however, this utility writes directly to a file and is less feature-rich than its tshark counterpart. Think of this as the quick and dirty Wireshark: hop onto a system, start a dumpcap, and boom, you have your capture.
- mergecap – As the name implies, this tool allows you to merge multiple capture files into a single capture. Since Wireshark does have limitations when processing large files, you also have the ability to truncate packets after a given number of bytes, similar to what we will do with editcap shortly.
- editcap – This is very nifty, allowing you to do many different things:
  - Pick out specific time frames of a packet capture.
  - Remove duplicate packets, in case you accidentally captured at multiple locations or fubar-ed your SPAN or TAP placement.
  - Truncate packets after a given number of bytes. This is very handy in case you only want to look at packet headers.
In the example below I am taking an existing PCAPNG file and limiting every packet to 40 bytes, writing the result to a new file, filter.pcapng. This decreases the file size, making it easier for Wireshark to process while still keeping the header information. 40 bytes is a bit much, but hey, it gets the point across.
- capinfos – Provides detailed information about the packet capture in question:
  - Average packet size
  - Timestamp information
  - Data rate or packet rate
In the GUI you can get most of this information from the 'summary' -> 'statistics' page, which I covered in a previous post, but the CLI version gives quick and easy access to this information without the need to even launch Wireshark.
Sample output from capinfos is below:
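To show what the two file tools above actually do to a capture, here is an added example (not Wireshark's own code, and not from the original post) that parses the classic libpcap format and reimplements the core of `capinfos` (packet count, average size, duration, data rate) and of `editcap -s` (truncating every packet to a snaplen). It assumes classic pcap rather than the PCAPNG format mentioned above, and the embedded capture is constructed, not a real trace.

```python
import struct
# Constructed minimal libpcap file (little-endian magic, link type 1 = Ethernet)
# with two dummy packets; not a real capture.
def sample_pcap():
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [(1428000000, 0, b"\xaa" * 60), (1428000002, 500000, b"\xbb" * 100)]
    for sec, usec, payload in records:
        hdr += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return hdr

def read_pcap(data):
    """Parse a classic pcap; return (endianness, snaplen, [(sec, usec, incl_len, orig_len, bytes)])."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    snaplen = struct.unpack_from(end + "IHHiIII", data, 0)[5]
    off, pkts = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        if incl > snaplen or off + incl > len(data):   # refuse malformed records
            raise ValueError("corrupt packet record at offset %d" % (off - 16))
        pkts.append((sec, usec, incl, orig, data[off:off + incl]))
        off += incl
    return end, snaplen, pkts

def capinfos(data):
    """What 'capinfos' reports: count, average packet size, duration, data rate."""
    _, _, pkts = read_pcap(data)
    n = len(pkts)
    if n == 0:
        return {"packets": 0, "avg_size": 0.0, "duration": 0.0, "bytes_per_sec": 0.0}
    ts = [sec + usec / 1e6 for sec, usec, _, _, _ in pkts]
    total = sum(orig for _, _, _, orig, _ in pkts)   # orig_len: size on the wire
    dur = max(ts) - min(ts)
    return {"packets": n, "avg_size": total / n, "duration": dur,
            "bytes_per_sec": total / dur if dur else 0.0}

def truncate(data, snap):
    """What 'editcap -s snap' does: keep the first snap bytes of every packet,
    update the header snaplen, and preserve orig_len so sizes stay reportable."""
    end, snaplen, pkts = read_pcap(data)
    out = bytearray(data[:24])
    struct.pack_into(end + "I", out, 16, min(snap, snaplen))
    for sec, usec, _, orig, payload in pkts:
        payload = payload[:snap]
        out += struct.pack(end + "IIII", sec, usec, len(payload), orig) + payload
    return bytes(out)
```

Because `orig_len` is preserved in each record header, `capinfos(truncate(capture, 40))` still reports the original average packet size even though the file has shrunk.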