Mar 28, 2024  
2022-2023 College Catalog [ARCHIVED CATALOG]

CIS 216 - Introduction to Wireshark and Network Analysis

3 Credits, 4 Contact Hours
2 lecture periods, 2 lab periods

Introduction to network analysis with Wireshark and other tools. Includes key Wireshark elements to analyze and identify TCP/IP traffic using capture, display, color filtering, profiles, graphing, and more. Includes the exploration of the basics for analyzing and defining information as provided by network monitoring and intrusion detection.

Prerequisite(s): CIS 119 or CIS 170.

Course Learning Outcomes
  1. Analyze network traffic at the packet level to identify threats and problems.
  2. Use filters to evaluate network traffic in order to solve complex issues.
  3. Demonstrate the use of Wireshark features to identify complex network protocols.

Outline:
  1. Key Wireshark Elements and Traffic Flows
    1. Wireshark traffic capture
    2. Differentiate a packet from a frame
    3. Hypertext Transfer Protocol (HTTP) packet through a network
    4. Wireshark resources
    5. Typical network traffic
    6. Open trace files captured with other tools
  2. Customize Wireshark Views and Settings
    1. Columns in the packet list pane
    2. Wireshark dissectors
    3. Non-standard port numbers
    4. How Wireshark displays certain traffic types
    5. Wireshark for different tasks (profiles)
    6. Wireshark configuration files
    7. Time columns to spot latency problems
  3. Capture Method and Capture Filters
    1. Best capture location to troubleshoot slow browsing or file downloads
    2. Options for Ethernet network
    3. Options for wireless network
    4. Active interfaces
    5. Handling large volumes of traffic
    6. Techniques to spot sporadic problems
    7. Amount of traffic you have to work with
    8. Traffic based on Media Access Control/Internet Protocol (MAC/IP) addresses
    9. Traffic for a specific application
    10. Specific Internet Control Message Protocol (ICMP) traffic
  4. Display Filters on Specific Traffic
    1. Display filter syntax
    2. Default display filters
    3. Filter on HTTP traffic
    4. Dynamic Host Configuration Protocol (DHCP) display filter errors
    5. Display filters based on an Internet Protocol (IP) address, range of addresses, or subnet
    6. Filter on a field in a packet
    7. Filter on a single TCP or User Datagram Protocol (UDP) conversation
    8. Display filters with multiple include and exclude conditions
    9. Parentheses to change filter meaning
    10. Yellow display filters
    11. Keyword in a trace file
    12. Wildcards in display filters
    13. Filters to spot communication delays
    14. Display filters into buttons
  5. Color and Export Interesting Packets
    1. Applied coloring rules
    2. Checksum errors coloring rule
    3. Coloring rule to highlight delays
    4. Colorize a single conversation
    5. Export packets of interest
    6. Export packet details
  6. Build and Interpret Tables and Graphs
    1. Who is talking to whom on the network
    2. Top talkers
    3. Applications seen on the network
    4. Application and host bandwidth usage
    5. TCP errors on the network
    6. Meaning of Expert Info errors
    7. Network errors
  7. Reassemble Traffic for Faster Analysis
    1. Web browsing sessions
    2. File transfer via File Transfer Protocol (FTP)
    3. HTTP objects transferred in a web browsing session
  8. Comments to Trace Files and Packets
    1. Comments to trace files
    2. Comments to individual packets
    3. Export packet comments for a report
  9. Command-Line Tools to Capture, Split, and Merge Traffic
    1. Splitting large trace files into a file set
    2. Merging multiple trace files
    3. Traffic at command line
    4. Capture filters during command-line capture
    5. Display filters during command-line capture
    6. TShark to export specific field values and statistics from a trace file
    7. Wireshark and network analysis
  10. Analysis Through Monitoring
    1. Palo Alto logs and filtering
    2. Application based firewalling
    3. Correlating traffic