|
Nov 24, 2024
|
|
|
|
CVF 1085 - Network Traffic Analysis: Tools & Technology Credits: 3 Hours/Week: Lecture 3 Lab None Course Description: This course explores the use of TCPDUMP and Wireshark to perform network analyses for communications troubleshooting and forensics investigations. Course topics include both the fundamentals of and advanced topics in TCPIP, the live capture and offline analysis of hundreds of protocols, and troubleshooting, optimizing and securing a network based on the evidence found in captured network traffic. Students will have the opportunity to engage in hands-on lab exercises using real-world scenarios that will help students put theory into practice. Certification as a Wireshark Network Analyst is part of this course. MnTC Goals None
Prerequisite(s): ITT 1031 with a grade of C or higher or instructor consent. Corequisite(s): None Recommendation: None
Major Content
- Analyze Address Resolution Protocol (ARP) Traffic
- Define the Purpose of ARP Traffic
- Analyze Normal ARP Requests/Responses
- Analyze Domain Name System (DNS) Traffic
- Define the Purpose of DNS
- Analyze Normal DNS Queries/Responses
- Analyze DNS Problems
- Analyze Dynamic Host Configuration Protocol (DHCP) Traffic
- Define the Purpose of DHCP
- Analyze Normal DHCP Traffic
- Analyze DHCP Problems
- Dissect the DHCP Packet Structure
- Analyze Email Traffic
- Define the Purpose of POP
- Analyze Normal POP Communications
- Analyze POP Problems
- Dissect the POP Packet Structure
- Analyze File Transfer Protocol (FTP) Traffic
- Define the Purpose of FTP
- Analyze Normal FTP Communications
- Analyze FTP Problems
- Analyze Hypertext Transfer Protocol (HTTP) Traffic
- Define the Purpose of HTTP
- Analyze Normal HTTP Communications
- Analyze HTTP Problems
- Dissect HTTP Packet Structures
- Filter on HTTP or HTTPS Traffic
- Analyze Internet Control Message Protocol (ICMP) Traffic
- Define the Purpose of ICMP
- Analyze Normal ICMP Traffic
- Analyze ICMP Problems
- Analyze Internet Protocol (IPv4) Traffic
- Define the Purpose of IPv4
- Analyze Normal IPv4 Traffic
- Analyze IPv4 Problems
- Analyze Suspect Traffic
- Describe Suspect Traffic
- Identify Vulnerabilities in the TCP/IP Resolution Processes
- Identify Unacceptable Traffic
- Find Maliciously Malformed Packets
- Analyze Transmission Control Protocol (TCP) Traffic
- Define the Purpose of TCP
- Analyze Normal TCP Communications
- Define the Establishment of TCP Connections
- Define How TCP-based Services are Refused
- Track TCP Packet Sequencing
- Analyze User Datagram Protocol (UDP) Traffic
- Define the Purpose of UDP
- Analyze Normal UDP Traffic
- Baseline “Normal” Traffic Patterns
- Define the Importance of Baselining
- Baseline Broadcast and Multicast Types and Rates
- Baseline Boot up Sequences
- Baseline Login/Logout Sequences
- Capture Traffic
- Know Where to Tap into the Network
- Know When to Run Wireshark Locally
- Capture Traffic on Switched Networks
- Use a Test Access Port (TAP) on Full Duplex Networks
- Colorize Traffic
- Use Colors to Separate Traffic
- Share and Manage Coloring Rules
- Identify Why a Packet is a Certain Color
- Create and Apply Capture Filters
- Describe the Purpose of Capture Filters
- Build Your Own Set of Capture Filters
- Filter by a Protocol
- Create and Apply Display Filters
- Define the Purpose of Display Filters
- Create Display Filters Using Auto Complete
- Apply Saved Display Filters
- Use the Expressions Filter System
- Make Display Filters Quickly Using Right-Click Filtering
- Customize Wireshark Profiles
- Define the Purpose of Wireshark Profiles
- Share Profiles
- Create a Corporate Profile
- Create a WLAN Profile
- Define Global and Personal Preferences
- Find Your Configuration Folders
- Set Global and Personal Configurations
- Customize Your User Interface Settings
- Define Time Values and Interpret Summaries
- Use Time to Identify Network Problems
- Define How Wireshark Measures Packet Time
- Choose the Ideal Time Display Format
- Detect Scanning and Discovery Processes
- Define the Purpose of Discovery and Reconnaissance
- Detect ARP Scans (aka ARP Sweeps)
- Detect ICMP Ping Sweeps
- Effective Use of Command-Line Tools
- Define the Purpose of Command-Line Tools
- Use Wireshark.exe (Command-Line Launch)
- Capture Traffic with Tshark
- List Trace File Details with Capinfos
- Find the Top Causes of Performance Problems
- Troubleshoot Performance Problems
- Identify High Latency Times
- Point to Slow Processing Times
- Find the Location of Packet Loss
- Follow Streams and Reassemble Data
- Follow and Reassemble UDP Conversations
- Follow and Reassemble TCP Conversations
- Identify Common File Types
- Follow and Reassemble SSL Conversations
- Graph IO Rates and TCP Trends
- Use Graphs to View Trends
- Generate Basic I/O Graphs
- Filter I/O Graphs
- Generate Advanced I/O Graphs
- Interpret Basic Trace File Statistics
- Launch Wireshark Statistics
- Identify Network Protocols and Applications
- Identify the Most Active Conversations
- List Endpoints and Map them on the Earth
- List Conversations or Endpoints for Specific Traffic Types
- Evaluate Packet Lengths
- Introduction to 802.11 (WLAN) Analysis
- Analyze Signal Strength and Interference
- Capture WLAN Traffic
- Compare Monitor Mode and Promiscuous Mode
- Set up WLAN Decryption
- Introduction to Wireshark
- Describe Wireshark’s Purpose
- Know How to Obtain the Latest Version of Wireshark
- Compare Wireshark Release and Development Versions
- Report a Wireshark Bug or Submit an Enhancement
- Network Analysis Overview
- Define the Purpose of Network Analysis
- List Troubleshooting Tasks for the Network Analyst
- List Security Tasks for the Network Analyst
- List Optimization Tasks for the Network Analyst
- Network Forensics Overview
- Compare Host Forensics to Network Forensics
- Gather Evidence
- Avoid Detection
- Save, Export and Print Packets
- Save Filtered, Marked and Ranges of Packets
- Export Packet Contents for Use in Other Programs
- Save Conversations, Endpoints, I/O Graphs and Flow Graph Information
- TCP/IP Analysis Overview
- Define Basic TCP/IP Functionality
- Define the Multistep Resolution Process
- Define Port Number Resolution
- Define Route Resolution for a Remote Target
- Define Local MAC Address Resolution for a Gateway
- Use Wireshark’s Expert System
- Launch Expert Info Quickly
- Colorize Expert Info Elements
- Filter on TCP Expert Information Elements
- Define TCP Expert Information
- Voice over IP (VoIP) Analysis Fundamentals
- Define VoIP Traffic Flows
- Analyze VoIP Problems
- Analyze SIP and RTP Traffic
Learning Outcomes At the end of this course students will be able to:
- use Wireshark’s Expert System to understand various traffic problems.
- use time values to identify network performance problems.
- utilize tools to recognize traffic patterns associated with suspicious network behavior.
- capture packets on wired and wireless networks.
- create statistical charts and graphs to pinpoint performance issues.
- configure various open source tools for network forensics analysis.
- filter out traffic for more efficient troubleshooting and analysis.
- place the analyzer properly for traffic capture on a variety of network types.
- configure Wireshark for best performance and non-intrusive analysis.
- customize Wireshark coloring to focus on network problems faster.
- navigate through, split, and work with large traffic files.
- explain principles of network forensics analysis and how to apply them.
- analyze normal/abnormal: Address Resolution Protocol (ARP) traffic, Domain Name System (DNS) traffic, Hypertext Transport Protocol (HTTP/HTTPS) traffic, Internet Control Messaging Protocol (ICMP) traffic, Internet Protocol v4 (IPv4) traffic
- analyze normal/abnormal: Transmission Control Protocol (TCP) traffic, User Datagram Protocol (UDP) traffic
- recognize potential network security infrastructure misconfigurations.
- use the TCP/IP Resolution Flowchart to identify possible communication faults.
- reconstruct suspicious activities for detailed analysis and evidentiary purposes.
Competency 1 (1-6) None Competency 2 (7-10) None Courses and Registration
Add to Portfolio (opens a new window)
|
|