©атсн²² (in)sесuяitу

Because we're damned if we do, and we're damned if we don't!


SANS SEC556 – Comprehensive Packet Analysis

Posted by ChrisJohnRiley on December 20, 2009

To finish off my class reviews from SANS London 2009, I just wanted to put forward a few comments about the 1-day SEC556 – Comprehensive Packet Analysis class.

The class is very exercise heavy and although it kicks off with some required groundwork on packet structures and a quick review of things like hexadecimal and binary, the real strength of the course lies with its “learn by doing” style of teaching. From simple packet captures, through to finding network faults (retransmits, checksum failures, ...) and reconstructing traffic streams. Each lab builds on the knowledge of the previous one to really improve your knowledge.

As you’d expect from a 1-day course, the range of tools covered is slightly limited.

  • tcpdump
  • ngrep
  • wireshark
  • mergecap
  • tcpflow

The real focus of the class was on the use of tcpdump and wireshark to perform more advanced tasks, such as extracting files from packet captures (file carving), and on BPF, in particular bitmask filters, to finely tune packet captures.
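The bitmask filters mentioned above are the tcpdump/libpcap form `proto[offset:size] & mask OP value` (for example `tcp[13] & 0x02 != 0` to select packets with the SYN flag set). The script below is an added example, not code from the post or the course materials: it parses that subset of the filter syntax and evaluates it against a handful of constructed raw-IPv4 packets, reproducing the two implicit checks libpcap applies when you index into `tcp[]` or `udp[]` (the IP protocol number must agree, and only first fragments are examined, because later fragments carry no transport header). It assumes packets start at the IPv4 header, i.e. no Ethernet frame in front; the sample packets, addresses and ports are made up for the demonstration.

```python
"""Evaluate tcpdump/BPF-style byte-offset bitmask filters against raw IPv4 packets.

Added example (not from the post or the course). Accepts the filter subset
"proto[offset:size] & mask OP value" with proto in ip/tcp/udp and evaluates it
the way libpcap does. Packets are assumed to start at the IPv4 header.
The sample packets below are constructed inline so the script runs offline.
"""
import re
import struct

PROTO_NUM = {"tcp": 6, "udp": 17}

COMPARE = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">":  lambda a, b: a > b,  "<":  lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
}

FILTER_RE = re.compile(
    r"^\s*(ip|tcp|udp)\[(\d+)(?::([124]))?\]"          # ip[6:2], tcp[13]
    r"(?:\s*&\s*(0x[0-9a-f]+|\d+))?"                   # optional "& mask"
    r"\s*(==|!=|>=|<=|>|<)\s*(0x[0-9a-f]+|\d+)\s*$",   # comparison
    re.IGNORECASE,
)


def compile_filter(expr):
    """Turn a filter string such as 'tcp[13] & 0x02 != 0' into a predicate on packet bytes."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError("unsupported filter: %r" % expr)
    proto, off, size, mask, op, value = m.groups()
    off, size = int(off), int(size or 1)
    mask = int(mask, 0) if mask else (1 << (8 * size)) - 1   # no mask given: compare the whole field
    value = int(value, 0)
    cmp = COMPARE[op]

    def pred(pkt):
        if len(pkt) < 20 or pkt[0] >> 4 != 4:        # need a full IPv4 header
            return False
        if proto == "ip":
            base = 0
        else:
            # libpcap only matches tcp[]/udp[] when the IP protocol field agrees and the
            # packet is a first fragment (later fragments carry no transport header).
            frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
            if pkt[9] != PROTO_NUM[proto] or frag_offset != 0:
                return False
            base = (pkt[0] & 0x0F) * 4               # IHL in 32-bit words -> transport header start
        start = base + off
        if start + size > len(pkt):                  # field would run past the packet
            return False
        return cmp(int.from_bytes(pkt[start:start + size], "big") & mask, value)

    return pred


def ipv4(proto, payload, frag_word=0):
    """Minimal IPv4 header (no options, zero checksum) in front of payload; frag_word is flags+offset."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag_word,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload


def tcp(flags, sport=40000, dport=80):
    """Minimal 20-byte TCP header; the flags byte lands at tcp[13]."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


SYN, ACK = 0x02, 0x10
# Constructed sample capture (five raw-IP packets), not real traffic.
SAMPLE_PACKETS = {
    "syn":    ipv4(6, tcp(SYN)),
    "synack": ipv4(6, tcp(SYN | ACK, sport=80, dport=40000)),
    "ack":    ipv4(6, tcp(ACK)),
    "udp":    ipv4(17, struct.pack("!HHHH", 5353, 5353, 8, 0)),
    "frag2":  ipv4(6, b"\x00" * 8, frag_word=0x0001),  # TCP datagram, second fragment: no TCP header in it
}


def matching(expr, packets=SAMPLE_PACKETS):
    """Names of the sample packets the filter selects, sorted."""
    pred = compile_filter(expr)
    return sorted(name for name, pkt in packets.items() if pred(pkt))


if __name__ == "__main__":
    for expr in ("tcp[13] & 0x02 != 0",      # SYN bit set: SYN and SYN/ACK
                 "tcp[13] & 0x12 == 0x02",   # SYN set and ACK clear: connection attempts only
                 "ip[6:2] & 0x1fff != 0",    # fragment offset non-zero: non-first fragments
                 "tcp[2:2] == 80",           # destination port 80 (frag2 excluded: no TCP header)
                 "ip[9] == 17"):             # IP protocol 17: UDP
        print("%-24s -> %s" % (expr, matching(expr)))
```

The same expressions can be handed to tcpdump unchanged (quote them for the shell, e.g. `tcpdump -r capture.pcap 'tcp[13] & 0x12 == 0x02'`); the point of `& 0x12 == 0x02` rather than `& 0x02 != 0` is that it drops SYN/ACK replies, which is usually what you want when counting connection attempts.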

Overall I really enjoyed the class, and love Johannes’ teaching style. As with everything though, you get out of the class what you put in. After 8 days of training I don’t think I really gave it my full attention, which is a shame. I’ll have to make sure to look over the books again in a quiet moment. After all, we all love packets, right?

Interesting links from the course:

Whatever happened to IPv5? Check out The Internet Stream Protocol --> RFC1819

TCP/IP and tcpdump Pocket Reference Guide (PDF)

http://filext.com/ –> reference of hex file headers for specific filetypes

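File carving, as covered in the class, works by scanning a reconstructed stream (the output of tcpflow, or Wireshark's Follow TCP Stream) for the hex file headers that references like filext.com list, then cutting from the header to the end of the file. The script below is an added example, not code from the post or the course: it builds a constructed stream of two HTTP responses (a tiny valid PNG and a stub JPEG), then carves by signature. The PNG is carved by walking its chunks to IEND, which gives an exact length; JPEG and PDF fall back to searching for a trailer, which is why those two are less reliable when the trailer bytes also occur inside the data. The HTTP headers, image contents and signature table are assumptions made for the demonstration.

```python
"""Carve files out of a reconstructed byte stream by their hex headers.

Added example, not from the post or the course materials. STREAM stands in
for what "tcpflow -r capture.pcap" or Follow TCP Stream would write out and is
constructed inline so the script runs offline.
"""
import struct
import zlib


def png_chunk(ctype, data):
    """Length + type + data + CRC32 over type and data, as the PNG format requires."""
    return struct.pack("!I", len(data)) + ctype + data + struct.pack("!I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def tiny_png():
    """A valid 1x1 red PNG (signature, IHDR, IDAT, IEND)."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB, no interlace
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    return b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def tiny_jpeg():
    """Not a decodable image: just SOI, an APP0/JFIF segment and EOI, enough for header/trailer carving."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"


def http_response(ctype, body):
    """Minimal HTTP/1.1 response framing (constructed, not captured traffic)."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype + b"\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n\r\n" + body)


STREAM = http_response(b"image/png", tiny_png()) + http_response(b"image/jpeg", tiny_jpeg())


def png_end(buf, start):
    """Walk PNG chunks from the signature at start; return the offset just past IEND's CRC, or None if truncated."""
    pos = start + 8
    while pos + 8 <= len(buf):
        length = struct.unpack("!I", buf[pos:pos + 4])[0]
        ctype = buf[pos + 4:pos + 8]
        pos += 8 + length + 4                      # header, data, CRC
        if ctype == b"IEND":
            return pos if pos <= len(buf) else None
    return None


def trailer_end(trailer):
    """End finder for formats with no length field: first occurrence of the trailer after the header."""
    def finder(buf, start):
        idx = buf.find(trailer, start)
        return None if idx < 0 else idx + len(trailer)
    return finder


# (name, magic bytes at offset 0, function locating the end of the file)
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", png_end),
    ("jpg", b"\xff\xd8\xff", trailer_end(b"\xff\xd9")),
    ("pdf", b"%PDF-", trailer_end(b"%%EOF")),
]


def carve(buf):
    """Return [(name, offset, bytes)] for every signature found with a locatable end, in stream order."""
    found, pos = [], 0
    while pos < len(buf):
        hits = [(buf.find(magic, pos), name, finder) for name, magic, finder in SIGNATURES]
        hits = [h for h in hits if h[0] >= 0]
        if not hits:
            break
        start, name, finder = min(hits, key=lambda h: h[0])
        end = finder(buf, start)
        if end is None:                            # truncated file: skip this header, keep scanning
            pos = start + 1
            continue
        found.append((name, start, buf[start:end]))
        pos = end
    return found


if __name__ == "__main__":
    for name, offset, data in carve(STREAM):
        print("%s at offset %d, %d bytes" % (name, offset, len(data)))
```

When the carrier protocol gives you a length (the Content-Length header here, or a chunked-encoding size), prefer it to trailer searching and use the magic bytes only to confirm the type; the structure walk for PNG shows the same idea applied inside the file format itself.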
