For packet geeks like me, the annual Wireshark conference SharkFest is the place to be in order to meet and network with other packet geeks. However, for various reasons I haven't been able to attend SharkFest before. So when my friend Jasper Bongertz mentioned that there was going to be a SharkFest conference here in Europe I felt that this was a chance I just couldn't miss.
One thing I really liked about SharkFest Europe (#sf16eu) was the unique chance to discuss topics such as network traffic analysis and protocol specifications with other attendees. One example of such a discussion was an interesting breakfast conversation regarding whether the TCP receive window size is affected when TCP segments are SACK'ed.
There were, of course, also several great presentations at SharkFest Europe. Many of these talks were recorded and can now be found on the SharkFest'16 Europe Retrospective page.
One of my favorite presentations was Jasper's talk titled “Tackling the Haystack: How to Process Large Numbers of Packets”, where he provided some reflections from working with large PCAP datasets to find network problems or intrusions. Jasper gave lots of good advice on how to approach the task of analyzing PCAP datasets containing several hundred gigabytes of captured traffic.
I also enjoyed Eddi Blenkers' talk “Windows Filesharing De-Mystified: SMB with a Eureka! Effect” where Eddi took us for a trip down memory lane to revisit the early days of NetBIOS and the “Yellow Cable” a.k.a. Thick Ethernet (10BASE5).
The fact that I and Eddie have approached these protocols from different angles and for different purposes is most likely the reason why we have both deep-dived into different aspects of these protocols. I usually analyze SMB traffic when performing network forensics in order to find out what commands and resources an attacker accesses on a compromised network, while the work Eddi presented focused on finding bottlenecks and performance problems in a Windows file sharing environment.
For me, who has primarily worked with incident response and network forensics, meeting all these experts in network performance troubleshooting was a refreshing change of crowd compared to the security researchers and hackers that I usually meet at security conferences. Nevertheless, there were many SharkFest visitors working in the security field as well as within law enforcement, so I felt quite at home as well.
Erik Hjelmvik is the Developer of NetworkMiner, a Network Forensic Analysis Tool (NFAT) and a frequent contributor to Garland Technology's Expert Corner and Tap into Technology blog.
Read more from Erik.
Photo: Garland's Chris Bihary with Erik at Sharfest '16 Europe