As packet-heads, we all enjoy digging through trace files and finding the hidden gems that lead to resolving a problem. If most of our capturing experience is from a single network or enterprise, it can be hard to grow in new areas and pick up new tricks in packet analysis. Sharkfest is an excellent way to hone our skills and bring our art of analysis to a new level.
The group packet challenge at Sharkfest is designed to bring together Wireshark users from all skill levels in a timed team event. Participants are given several trace files and a question sheet, then as a team they race to find the answers. Typically, the packet challenge will require them to use areas of Wireshark that they may not be as familiar with, which can teach them new things about the analyzer in a fun setting.
Packets don’t lie – well, most of the time.
They tell the truth unless they have been captured incorrectly. In those cases, packets can tell bold-faced lies.
When digging through trace files, we can come upon symptoms in the packets that may raise an eyebrow. These are events that look strange on the surface and may even divert our troubleshooting focus for a time. In fact, some of these issues have misdirected engineers for hours, if not days, causing them to chase down issues and events that simply did not exist on the wire.
When I teach Wireshark classes, I commonly get asked, “What do I do when I get back to my desk?” and “What if I can’t span a port, or don’t have a TAP?”
I typically show my attendees dozens of “Baselines” that would only take a few minutes to complete.
Here’s an example of one of my favorite baselines: start a capture and analyze whatever you see. No taps, span or mirror ports.
There are an increasing number of network-attached devices, and trying to keep them organized gets to be challenging. Different devices might require different IP configuration settings, and statically configuring them isn’t realistic.
There are several approaches to deal with this.
I was speaking with a client the other day and they were asking me how Microsoft behaves if a device has two default gateways.
One thing I have to say about my job and clients: I always get interesting scenarios and questions to figure out.
For packet geeks like me, the annual Wireshark conference SharkFest is the place to be in order to meet and network with other packet geeks. However, for various reasons I haven't been able to attend SharkFest before. So when my friend Jasper Bongertz mentioned that there was going to be a SharkFest conference here in Europe I felt that this was a chance I just couldn't miss.