This event took place on Tuesday, 14 April 2020 at 10:00 PDT.
You can download the slides of the presentation in PDF format here.
A: You can download it here: https://www.wireshark.org/download.html
A: It is free software, supported on many operating systems.
A: You can go to my friend Chris's YouTube channel. His channel name is Packet Life, and there is also a Facebook group called Wireshark.
A: You can apply a filter for the destination IP address. Specify your DNS server address and you will see all packets that are destined to your server.
A: The latest stable is 3.2.3 unless you are using an operating system that does not support it.
A: With a Windows script, you can do almost anything. I haven't tried it yet, but I am sure that if you use a Windows script or a Linux script you can run it, because there is a CLI version of Wireshark called TShark, so with this command line we can do any script.
A: TShark is the CLI version of Wireshark. If you want to do a script or something like this, you have TShark as the command-line version of Wireshark.
A: It is another tool. I don't use this tool, so I can not give an opinion.
A: I have this on my YouTube channel, but it is in Portuguese. It is a very interesting thing because you just go, log in, then go to Sandboxes, search for Cisco IOS VIRL, and it will open the emulator for you.
A: If you are in an upper layer, you can capture anything and Wireshark will show it, but if you have a layer 2 protocol, it will show it but not read it.
A: No, all participating devices must be connected by Layer 2 trunks.
A: Wireshark should capture all protocols; however, due to platform restrictions, sometimes it will not happen. An example is the dot1q headers, because the switch removes the VLAN tags before delivering the frames to the end device.
A: In the Wireshark Wiki, you can find some: https://wiki.wireshark.org/RTP
A: Yes, further information here: https://wiki.wireshark.org/SIP
A: To disable relative sequence numbers and instead display them as the real absolute numbers, go to the TCP preferences and untick the box for relative sequence numbers.
A: It depends on how it is configured; the default is both.
A: No, when we mirror traffic from one interface to another interface on the same device it is a local SPAN.
A: It was Packet Tracer: https://www.netacad.com/courses/packet-tracer
A: You can apply access lists when you configure the session, filtering anything you want.
A: Cisco VIRL: https://learningnetwork.cisco.com/s/virl
A: You can find an example here: https://community.cisco.com/t5/networking-documents/understanding-span-rspan-and-erspan/ta-p/3144951
A: You can find some good examples here: https://wiki.wireshark.org/SampleCaptures
A: Please find the Fundamentals of 802.11 Wireless Sniffing here: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/80211/200527-Fundamentals-of-802-11-Wireless-Sniffing.html
A: You can check timestamps and see if anything is lost, for example.
A: You can use this display filter to show packets with a specific IP source and destination:
ip.src == 192.168.1.1 and ip.dst == 188.8.131.52
A: Sure. A TAP makes it possible for you to have a copy of the traffic between A and B on a third device C.
The simplest TAP is a hub. If you insert a hub between A and B, you will be able to see the traffic on C connected to another hub port.
Of course, there are more sophisticated TAPs you can buy from 100 to several thousands of dollars. Take a look at https://en.wikipedia.org/wiki/Network_tap for more information.
A: Both streams and packet loss have to do with the TCP protocol. A Wireshark stream is nothing more than a socket filter. It identifies traffic with a specific source and destination IP:PORT that can be understood as a TCP conversation. So, to filter by the stream, you must be looking for TCP communication. It does not work with UDP, for example. Packet loss can be identified, for example, when a retransmission occurs, which is marked as a black packet in the packet pane. That's why Wireshark is so important to learn and teach TCP.
A: The command-line version of Wireshark, TShark, can be called by programming languages like Python.
Also, Wireshark is a free and open-source packet analyzer, so you can go deep and program new stuff like drivers for Wireshark.
A: There are some graphic tools in Wireshark. Please explore the menu Statistics --> TCP Stream Graphs.
For the decryption of captured data such as SSH and TLS, you will have to inform Wireshark of the keys. That can be done using the menu Wireshark --> Preferences. You can find a step-by-step guide by googling "how to decrypt Wireshark packets".
A: If you use Linux it is straightforward. Just use a Wi-Fi driver. Windows is very difficult.
For a step-by-step guide, take a look at https://wiki.wireshark.org/CaptureSetup/WLAN
A: I encourage you to check DHCP by yourself. It is easy and you will learn a lot. Open Wireshark, turn your NIC off and on, and filter the results using the "dhcp" or "bootp" filter. Simple as that.
A: Wireshark, TCPDump and other capture software read and show the header content. The gold mine of Wireshark is that it processes this information almost in real time and displays the analysis results of that information between brackets.
For example, Wireshark reads the TCP sequence number and the size of the segment. So it calculates the next sequence number. This info will be displayed between brackets. Everything in the brackets is NOT in the headers.
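The following is an added example, not part of the webinar Q&A, that reproduces the bracketed values the answers above describe: relative sequence numbers measured from the ISN (the preference mentioned earlier), the calculated next sequence number, and a simplified retransmission mark. The segments are constructed in the script; the retransmission rule is a deliberately simplified stand-in for Wireshark's real heuristics.

```python
import struct
from dataclasses import dataclass

SYN, FIN = 0x02, 0x01  # TCP flag bits (tcp.flags.syn / tcp.flags.fin in Wireshark)

@dataclass
class TcpSegment:
    seq: int          # absolute sequence number, exactly as carried in the header
    flags: int
    payload_len: int  # bytes after the header, i.e. the segment size Wireshark uses

def parse_tcp(tcp_bytes: bytes) -> TcpSegment:
    """Read only what is in the header: sequence number, flags and data offset."""
    _src, _dst, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp_bytes[:14])
    header_len = (off_flags >> 12) * 4
    return TcpSegment(seq=seq, flags=off_flags & 0x1FF, payload_len=len(tcp_bytes) - header_len)

def build_tcp(seq: int, flags: int, payload: bytes) -> bytes:
    """Constructed test segment: 20-byte header, no options, checksum left at zero."""
    hdr = struct.pack("!HHIIHHHH", 40000, 80, seq, 0, (5 << 12) | flags, 65535, 0, 0)
    return hdr + payload

def analyse_direction(segments):
    """Derive the bracketed values for one direction of a conversation:
    relative seq, relative next seq, and a simplified retransmission mark."""
    isn = segments[0].seq          # relative numbering starts at the initial sequence number
    expected = isn                 # highest 'next seq' seen so far in this direction
    out = []
    for s in segments:
        # Next seq = seq + segment size; SYN and FIN each consume one extra number
        nxt = s.seq + s.payload_len + bool(s.flags & SYN) + bool(s.flags & FIN)
        # Simplified heuristic (not Wireshark's full logic): data starting below
        # the highest next-seq already seen has been sent before
        retransmission = s.payload_len > 0 and s.seq < expected
        out.append({"seq": s.seq - isn, "nxtseq": nxt - isn, "retransmission": retransmission})
        expected = max(expected, nxt)
    return out

# Constructed client-to-server stream: SYN, two data segments, the second one resent
SAMPLE = [parse_tcp(b) for b in (
    build_tcp(3_000_000_000, SYN, b""),
    build_tcp(3_000_000_001, 0x18, b"GET / HTTP/1.1\r\n"),   # PSH+ACK, 16 bytes
    build_tcp(3_000_000_017, 0x18, b"Host: example\r\n"),    # 15 bytes
    build_tcp(3_000_000_017, 0x18, b"Host: example\r\n"),    # same seq again
)]

if __name__ == "__main__":
    for row in analyse_direction(SAMPLE):
        print(row)
```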
A: Sure. The simplest is the "debug ip packet". It is similar to TCPDump in Linux. The "monitor capture" is more sophisticated and the capture can be saved in a pcap file (https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html)
Ciscodump is an extcap tool that relies on Cisco EPC to allow a user to run a remote capture on a Cisco router over an SSH connection. The minimum IOS version supporting this feature is 12.4(20)T.
More details can be found here: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-embedded-packet-capture/datasheet_c78-502727.html
But many times, with Cisco NetFlow, we can do better network diagnostics (https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-netflow/index.html)
About the diagrams, please, explore the Wireshark Statistics menu. It is awesome.
A: I don't know any tool that does this, but the Wireshark front-end is very good. Maybe what you want can be done just with the display filters. Also, explore the Statistics and Analyze menus.
A: You can find a very good example here: https://community.cisco.com/t5/collaboration-voice-and-video/how-to-use-wireshark-for-voip-troubleshooting/ba-p/3098804