Nov 24, 2024  
2017-2018 Course Catalog 
    
2017-2018 Course Catalog [ARCHIVED CATALOG]

Add to Portfolio (opens a new window)

CVF 1085 - Network Traffic Analysis: Tools & Technology

Credits: 3
Hours/Week: Lecture 3Lab None
Course Description: This course explores the use of TCPDUMP and Wireshark to perform network analyses for communications troubleshooting and forensics investigations. Course topics include both the fundamentals of and advanced topics in TCPIP, the live capture and offline analysis of hundreds of protocols, and troubleshooting, optimizing and securing a network based on the evidence found in captured network traffic. Students will have the opportunity to engage in hands-on lab exercises using real-world scenarios that will help students put theory into practice. Certification as a Wireshark Network Analyst is part of this course.
MnTC Goals
None

Prerequisite(s): System administration experience on Microsoft Windows or Linux operating systems.
Corequisite(s): None
Recommendation: None

Major Content
  1. Analyze Address Resolution Protocol (ARP) Traffic
    1. Define the Purpose of ARP Traffic
    2. Analyze Normal ARP Requests/Responses
  2. Analyze Domain Name System (DNS) Traffic
    1. Define the Purpose of DNS
    2. Analyze Normal DNS Queries/Responses
    3. Analyze DNS Problems
  3. Analyze Dynamic Host Configuration Protocol (DHCP) Traffic
    1. Define the Purpose of DHCP
    2. Analyze Normal DHCP Traffic
    3. Analyze DHCP Problems
    4. Dissect the DHCP Packet Structure
  4. Analyze Email Traffic
    1. Define the Purpose of POP
    2. Analyze Normal POP Communications
    3. Analyze POP Problems
    4. Dissect the POP Packet Structure
  5. Analyze File Transfer Protocol (FTP) Traffic
    1. Define the Purpose of FTP
    2. Analyze Normal FTP Communications
    3. Analyze FTP Problems
  6. Analyze Hypertext Transfer Protocol (HTTP) Traffic
    1. Define the Purpose of HTTP
    2. Analyze Normal HTTP Communications
    3. Analyze HTTP Problems
    4. Dissect HTTP Packet Structures
    5. Filter on HTTP or HTTPS Traffic
  7. Analyze Internet Control Message Protocol (ICMP) Traffic
    1. Define the Purpose of ICMP
    2. Analyze Normal ICMP Traffic
    3. Analyze ICMP Problems
  8. Analyze Internet Protocol (IPv4) Traffic
    1. Define the Purpose of IPv4
    2. Analyze Normal IPv4 Traffic
    3. Analyze IPv4 Problems
  9. Analyze Suspect Traffic
    1. Describe Suspect Traffic
    2. Identify Vulnerabilities in the TCP/IP Resolution Processes
    3. Identify Unacceptable Traffic
    4. Find Maliciously Malformed Packets
  10. Analyze Transmission Control Protocol (TCP) Traffic
    1. Define the Purpose of TCP
    2. Analyze Normal TCP Communications
    3. Define the Establishment of TCP Connections
    4. Define How TCP-based Services are Refused
    5. Track TCP Packet Sequencing
  11. Analyze User Datagram Protocol (UDP) Traffic
    1. Define the Purpose of UDP
    2. Analyze Normal UDP Traffic
  12. Baseline “Normal” Traffic Patterns
    1. Define the Importance of Baselining
    2. Baseline Broadcast and Multicast Types and Rates
    3. Baseline Boot up Sequences
    4. Baseline Login/Logout Sequences
  13. Capture Traffic
    1. Know Where to Tap into the Network
    2. Know When to Run Wireshark Locally
    3. Capture Traffic on Switched Networks
    4. Use a Test Access Port (TAP) on Full Duplex Networks
  14. Colorize Traffic
    1. Use Colors to Separate Traffic
    2. Share and Manage Coloring Rules
    3. Identify Why a Packet is a Certain Color
  15. Create and Apply Capture Filters
    1. Describe the Purpose of Capture Filters
    2. Build Your Own Set of Capture Filters
    3. Filter by a Protocol
  16. Create and Apply Display Filters
    1. Define the Purpose of Display Filters
    2. Create Display Filters Using Auto Complete
    3. Apply Saved Display Filters
    4. Use the Expressions Filter System
    5. Make Display Filters Quickly Using Right-Click Filtering
  17. Customize Wireshark Profiles
    1. Define the Purpose of Wireshark Profiles
    2. Share Profiles
    3. Create a Corporate Profile
    4. Create a WLAN Profile
  18. Define Global and Personal Preferences
    1. Find Your Configuration Folders
    2. Set Global and Personal Configurations
    3. Customize Your User Interface Settings
  19. Define Time Values and Interpret Summaries
    1. Use Time to Identify Network Problems
    2. Define How Wireshark Measures Packet Time
    3. Choose the Ideal Time Display Format
  20. Detect Scanning and Discovery Processes
    1. Define the Purpose of Discovery and Reconnaissance
    2. Detect ARP Scans (aka ARP Sweeps)
    3. Detect ICMP Ping Sweeps
  21. Effective Use of Command-Line Tools
    1. Define the Purpose of Command-Line Tools
    2. Use Wireshark.exe (Command-Line Launch)
    3. Capture Traffic with Tshark
    4. List Trace File Details with Capinfos
  22. Find the Top Causes of Performance Problems
    1. Troubleshoot Performance Problems
    2. Identify High Latency Times
    3. Point to Slow Processing Times
    4. Find the Location of Packet Loss
  23. Follow Streams and Reassemble Data
    1. Follow and Reassemble UDP Conversations
    2. Follow and Reassemble TCP Conversations
    3. Identify Common File Types
    4. Follow and Reassemble SSL Conversations
  24. Graph IO Rates and TCP Trends
    1. Use Graphs to View Trends
    2. Generate Basic I/O Graphs
    3. Filter I/O Graphs
    4. Generate Advanced I/O Graphs
  25. Interpret Basic Trace File Statistics
    1. Launch Wireshark Statistics
    2. Identify Network Protocols and Applications
    3. Identify the Most Active Conversations
    4. List Endpoints and Map them on the Earth
    5. List Conversations or Endpoints for Specific Traffic Types
    6. Evaluate Packet Lengths
  26. Introduction to 802.11 (WLAN) Analysis
    1. Analyze Signal Strength and Interference
    2. Capture WLAN Traffic
    3. Compare Monitor Mode and Promiscuous Mode
    4. Set up WLAN Decryption
  27. Introduction to Wireshark
    1. Describe Wireshark’s Purpose
    2. Know How to Obtain the Latest Version of Wireshark
    3. Compare Wireshark Release and Development Versions
    4. Report a Wireshark Bug or Submit an Enhancement
  28. Network Analysis Overview
    1. Define the Purpose of Network Analysis
    2. List Troubleshooting Tasks for the Network Analyst
    3. List Security Tasks for the Network Analyst
    4. List Optimization Tasks for the Network Analyst
  29. Network Forensics Overview
    1. Compare Host Forensics to Network Forensics
    2. Gather Evidence
    3. Avoid Detection
  30. Save, Export and Print Packets
    1. Save Filtered, Marked and Ranges of Packets
    2. Export Packet Contents for Use in Other Programs
    3. Save Conversations, Endpoints, I/O Graphs and Flow Graph Information
  31. TCP/IP Analysis Overview
    1. Define Basic TCP/IP Functionality
    2. Define the Multistep Resolution Process
    3. Define Port Number Resolution
    4. Define Route Resolution for a Remote Target
    5. Define Local MAC Address Resolution for a Gateway
  32. Use Wireshark’s Expert System
    1. Launch Expert Info Quickly
    2. Colorize Expert Info Elements
    3. Filter on TCP Expert Information Elements
    4. Define TCP Expert Information
  33. Voice over IP (VoIP) Analysis Fundamentals
    1. Define VoIP Traffic Flows
    2. Analyze VoIP Problems
    3. Analyze SIP and RTP Traffic

Learning Outcomes
At the end of this course students will be able to:

  1. use Wireshark’s Expert System to understand various traffic problems.
  2. use time values to identify network performance problems.
  3. utilize tools to recognize traffic patterns associated with suspicious network behavior.
  4. capture packets on wired and wireless networks.
  5. create statistical charts and graphs to pinpoint performance issues.
  6. configure various open source tools for network forensics analysis.
  7. filter out traffic for more efficient troubleshooting and analysis.
  8. place the analyzer properly for traffic capture on a variety of network types.
  9. configure Wireshark for best performance and non-intrusive analysis.
  10. customize Wireshark coloring to focus on network problems faster.
  11. navigate through, split, and work with large traffic files.
  12. explain principles of network forensics analysis and how to apply them.
  13. analyze normal/abnormal: Address Resolution Protocol (ARP) traffic, Domain Name System (DNS) traffic, Hypertext Transport Protocol (HTTP/HTTPS) traffic, Internet Control Messaging Protocol (ICMP) traffic, Internet Protocol v4 (IPv4) traffic
  14. analyze normal/abnormal: Transmission Control Protocol (TCP) traffic, User Datagram Protocol (UDP) traffic
  15. recognize potential network security infrastructure misconfigurations.
  16. use the TCP/IP Resolution Flowchart to identify possible communication faults.
  17. reconstruct suspicious activities for detailed analysis and evidentiary purposes.


Courses and Registration



Add to Portfolio (opens a new window)