Practical Packet Analysis
Hi, I'm Chris Sanders.
One of my earliest computer jobs was as a network administrator for a school district. I was responsible for four thousand computers across ten locations, and the network was an absolute disaster. The equipment was dusty and dying, the server closets were a tangled mess of wires, and nobody had given much of a thought to security.
If I could sum it up in one picture, it’d be something like this:
Not long into the job I got an odd request from a teacher…
“I think one of my students changed his grade in the computer somehow.”
I came to the conclusion that the student had guessed the teacher’s password. After all, the software claimed it was secure. The student denied it, but we reset the password anyway — something that wouldn’t be guessable.
The next semester, the same teacher called again. A different student’s grade had been changed. What was going on?
I told my boss that I suspected the student was somehow stealing the password from the software. The teacher’s logged into the grading system from their workstations, which talked back to a central server. I thought that the password was being transmitted across the network without being encrypted, meaning it was easily readable by someone with the right knowledge.
His response to me? Prove it.
After all…the software is secure. It says so right on the login page.
I did some research and learned about a technique called packet analysis and tools like tcpdump and Ethereal (now called Wireshark). I used these tools to demonstrate how anybody on the network could redirect the flow of network traffic through an intermediary host and capture network traffic. Within that network traffic, they could extract a teacher’s password and log right in.
I eventually found out that the first student we suspected of changing his grades had been the culprit again, this time changing one of his buddies grades. The software vendor eventually fixed the problem, but that was just the beginning for me. Through that experience, I had an epiphany. Analyzing communication at the network level opened up a whole new world.
Packets are the truth.
Many of the biggest problems I had experienced in my career were caused by software not doing what it said it would do or by attackers who were really good at hiding from me. By learning how to analyze network traces, I could flip the script.
However, it wasn’t quite that easy. Figuring out how students were stealing passwords was simple, but to go much further I would have to learn new skills.
There were three barriers I had to conquer before packet analysis would come easier to me.
I wanted to use packet analysis techniques to catch attackers, troubleshoot network performance issues, and understand the things malware and legitimate software were trying to hide from me. But, there were barriers in my way.
I want to share those with you here.
BARRIER #1: Finding that one thing in a sea of noise
There are few secrets at the network level, but there are millions of truths. The amount of data, even on a slow network, is completely overwhelming. Only capturing a few seconds of packet data can yield thousands of packets to analyze, and most of them are unrelated to what you’re looking for.
If you can’t find the right answer it’s often because you aren’t asking the right question. To zero in on the right packets you have to learn to ask better questions — a problem well stated is a problem half solved.
BARRIER #2: Mastering the tools of the trade
Packet analysts use tools to interpret what they’ve found. Those tools provide valuable analysis techniques that help to summarize data and spot interesting trends.
Tools like Wireshark are the gateway to the right knowledge, but you must understand their strengths and limitations. It isn’t just about knowing when to use something like a TCP Stream Graph or a conversation summary, it’s knowing when to use them and what they’re telling you.
BARRIER #3: Seeing the network as a living thing
The network is constantly moving and changing as packets flow through wires like cars flow through the streets in a city. Packets are defined not just by their source and destination, but also by the path they take.
Knowing when something is wrong requires you know what normal looks like. That means understanding the rules that govern network communication, network protocols — and how those rules can (are often are) broken.
There are barriers I overcame, and so can you.
When I first started learning the ways of the packet ninja, there weren’t a lot of accessible resources out there. I still have nightmares about combing through RFC documents into the late hours of the night. It was a long drawn out process and I wanted to provide a better way for people to learn this critical skill.
Now, I’m excited to offer an online course dedicated to teaching you how to make sense of the packets on your network.
It’s easy to fire up Wireshark and capture packets…but making sense of them is another story.
There’s nothing more frustrating than knowing the answers you need lie in a mountain of data that you don’t know how to sift through.
That’s why I wrote the first Practical Packet Analysis book a decade ago. That book is now in its third edition, has been translated into several languages, and has sold over 30,000 copies. Now, I’m excited to create an online course based on the book.
The Practical Packet Analysis course is the best way to get hands-on visual experience capturing, dissecting, and making sense of packets.
Practical Packet Analysis IS for you if…
- You’ve ever sat at your screen staring at a bunch of packets and felt paralyzed by not knowing what to do next
- The only Wireshark trick you know is how to Follow a TCP Stream
- You can’t spot things that are abnormal, because you don’t know what normal on your network looks like
- You’ve always wanted to be able to prove that the network isn’t why things are running slow
- You’ve tried a bunch of different approaches to becoming more comfortable analyzing packets — but haven’t found anything that works for YOU yet!
Whether you’re looking to gain new skills in your current job, or for your next one, know this:
The ability to understand packets is a critical skill for SOC analysts, network engineers, system administrators, forensic investigators, reverse engineers, and programmers alike.
Practical Packet Analysis will help you build those skills through a series of expert-led lectures, scenario-based demonstrations, and hands-on lab exercises.
- 5 techniques for capturing packets in any scenario and how to know which one is appropriate
- The life of a packet and how data moves through the network.
- How to use packet maps to navigate protocols. I’ll give you color-coded printable maps for all the most common protocols you’ll encounter.
- All of Wireshark’s analysis features, including how to create graphs, traverse protocol hierarchy charts, and generate stats that are simple AND useful.
- Manipulate packet timestamps to sync captures taken from different sources and more quickly spot large gaps in sequences of events.
- My tips for customizing your analysis environment by using features like Wireshark profiles, custom columns, and individual packet color coding.
- Techniques for extracting complete files from network communication via multiple protocols — even custom malware command and control.
- How to use tshark and tcpdump to perform packet analysis on the command line.
- The basic stimulus and response of common protocols — and how attackers use this to their advantage.
- How to approach and dissect these protocols: IPv4, IPv6, TCP, UDP, DHCP, DNS, HTTP, SMTP, and ICMP.
- Filtering techniques using Wireshark display filters and BPF capture filters so you can quickly eliminate noise and get to the data you need
- A strategy for approaching unknown or undocumented protocols like you might encounter when dealing with malware of custom applications.
Practical Packet Analysis takes a fundamental approach by exploring the concepts you need to know without all the fluff that is normally associated with learning about network protocols.
When I say PRACTICAL, I mean it! Everything you’ll learn is something you can directly apply to the job you have or the job you want.
I’ll be your personal packet sherpa as I guide you through the process of actually dissecting real packet captures as I would do it.
This course is loaded with actual PCAPs that you can download and interact with. Some of the scenarios I’ll guide you through include:
- How an attacker at a coffee shop could use HTTP session hijacking to access accounts
- An infection chain that starts with an exploit kit and ends with ransomware
- The Heartbleed attack and how it takes advantage of an HTTPS flaw
- The difference between IPv4 and IPv6
- Identifying network latency by examining TCP connection characteristics
- ARP cache poisoning as seen from the attacker and victim POV
- Troubleshooting IOT device communication
- DNS recursion from three different perspectives
- A remote access trojan that uses custom command and control to steal data
You can view the detailed course syllabus here.
Practical Packet Analysis includes:
Over 40 hours of demonstration videos. These videos will break down the concepts and skills you need to become adept and packet analysis.
Hands-on labs to help you develop and test your skills. You’ll go through packet captures I’ve created (and some I found in the wild) to develop analytic muscle memory and strengthen the concepts you’ve learned.
Access to our exclusive student-only Slack channel. Here you can ask questions, learn about upcoming courses, network with other students, and communicate directly with AND course authors. It’s a great place to get some help analyzing tricky packet captures you encounter!
Participation in our student charitable profit sharing program. A few times a year we designate a portion of our proceeds for charitable causes. AND students get to take part in nominating charities that are important to them to receive these donations.
Frequently Asked Questions:
Is this course live?
This is NOT a live course. It’s an online video course you can take at your own pace.
How long do I have access to the course material?
You have access to the course for six months following your purchase date. You can purchase an extension if you need more time or would like to retain course updates.
How much time does it take to do this course?
Given the amount of content, it takes people dramatically different times to complete the material. If you focus all your time on it, you can complete everything in about a week. Most choose to devote 3-4 hours per week until they’ve finished.
How many CPEs/CMUs is this course worth?
Organizations calculate continuing education credits in different ways, but they are often based on the length of the training. This course is approximately 40 hours of video content, plus the time you spend on the lab exercises.
Do you offer discounts for groups from the same organization?
Yes. To inquire about discounts or group invoices please contact me at firstname.lastname@example.org.
“Practical Packet Analysis made it possible to understand Wireshark and the protocol stack. The OSI model makes much more sense when you see it put to use. The depth of instruction with both the tools and the packets was surprising. It’s a great course.” – David, Cyber Security Manager
“Practical Packet Analysis has a gentle and consistent progression from introductory academic concept to understanding how the concept works in the wild to understanding how to read the concept in a packet. It helps you understand networks and events via analyzing packets. The labs were excellent. Especially the labs with video explanations available to look at afterward.” – Josephine, Analyst
“Practical Packet Analysis has given me additional knowledge in using Wireshark to confidently analyze network traffic, and some techniques to share with my peers. There is significant bang for your buck in this course.” Alex, Cyber Security Specialist
“I would highly recommend it to anyone that’s a new or mid level SOC analyst. I expected some labs, but was seriously impressed with how relevant they were and the difficulty of them being so dead on the level of the content.” – David Burkett
“Even with prior knowledge this course brings everything you need for efficient packet analysis nicely together and helps you learn to utilise Wireshark with ease and to its full potential.” – Eliska Copland
“This class is an excellent introduction to the complexities of packet analysis and Wireshark; it is intense, with a lot of information to take in, but the concepts are explained very well. This course was wonderful, and extremely practical. I have used Wireshark in lab environments before this class, but never really understood what I was doing beyond following the lab workbook instructions. Now I feel like I have a solid basic understanding of Wireshark and packet analysis that I can use as a foundation to build more knowledge on.” – Stef Rand
“This course provides a great introduction to the fundamentals of packet analysis and highlights the importance of being able to break down and analyze what is actually happening on your network. I was surprised by the realization that understanding the protocol (and any abnormalities) is more essential than simply being able to read the packet’s info.” – Tim Boyer
“A very strong course, from fundamental protocol and network tech, through practical examples of using Wireshark efficiently. Examples of identifying normal, non-normal and malicious activity in packets. Very thorough..” – Andrew Gleeson
“A really awesome class that teaches you networking fundamentals, packet capture assessments, and dives into some basic security investigations. It has already been really valuable in making me a better analyst.” – Security Analyst