SANS SEC556 – Comprehensive Packet Analysis

To finish off my class reviews from SANS London 2009, I just wanted to put forward a few comments about the 1-day SEC556 – Comprehensive Packet Analysis class.

The class is very exercise heavy, and although it kicks off with some required groundwork on packet structures and a quick review of things like hexadecimal and binary, the real strength of the course lies in its "learn by doing" style of teaching. It moves from simple packet captures, through finding network faults (retransmits, checksum failures, ...), to reconstructing traffic streams. Each lab builds on the knowledge of the previous one, so your skills improve steadily.

As you’d expect from a 1-day course, the range of tools covered is slightly limited:

  • tcpdump
  • ngrep
  • wireshark
  • mergecap
  • tcpflow

The real focus of the class was on using tcpdump and wireshark for more advanced tasks, such as extracting files from packet captures (file carving) and writing BPF expressions, in particular bitmask filters, to fine-tune what gets captured.
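To illustrate what the bitmask filters mentioned above actually test, here is an added example (not course material or code from the original post): a small Python model of the BPF primitive `tcp[13] & 0x12 = 0x12` (match SYN-ACK segments), run over constructed IPv4/TCP packets. The packet with IP options shows why the TCP offset must be derived from the IHL field rather than assumed to be 20 bytes.

```python
import struct

# Bit positions in the TCP flags byte (offset 13 of the TCP header), the byte
# that tcpdump expressions such as "tcp[13] & 0x12 = 0x12" operate on.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(flags, ip_options=b""):
    """Constructed minimal IPv4+TCP packet (no link layer); checksums left zero."""
    assert len(ip_options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(ip_options) // 4            # header length in 32-bit words
    total_len = ihl * 4 + 20
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def tcp_byte(packet, index):
    """Return byte tcp[index], locating the TCP header through the IP IHL field."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        return None                           # not IPv4, or protocol is not TCP
    tcp_start = (packet[0] & 0x0F) * 4        # 20 bytes only when there are no options
    return packet[tcp_start + index]


def bitmask_match(packet, index, mask, value):
    """Equivalent of the BPF primitive 'tcp[index] & mask = value'."""
    b = tcp_byte(packet, index)
    return b is not None and (b & mask) == value


def filter_packets(packets, index, mask, value):
    """Indices of the packets the bitmask expression selects."""
    return [i for i, p in enumerate(packets) if bitmask_match(p, index, mask, value)]


# Constructed sample: SYN, SYN-ACK, ACK, and a SYN-ACK whose IP header carries options.
SAMPLE = [
    build_ipv4_tcp(SYN),
    build_ipv4_tcp(SYN | ACK),
    build_ipv4_tcp(ACK),
    build_ipv4_tcp(SYN | ACK, ip_options=b"\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    print(filter_packets(SAMPLE, 13, 0x12, 0x12))   # SYN-ACK segments: [1, 3]
    print(filter_packets(SAMPLE, 13, 0x3F, 0x02))   # exactly SYN ("tcp[13] = 2"): [0]
```

The mask/value pair decides whether other flag bits are ignored (`& 0x12 = 0x12`) or must be clear (`& 0x3F = 0x02`), which is the distinction the bitmask form exists for.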

Overall I really enjoyed the class, and love Johannes’ teaching style. As with everything though, you get out of the class what you put in. After 8 days of training I don’t think I really gave it my full attention, which is a shame. I’ll have to make sure to look over the books again in a quiet moment. After all, we all love packets, right?

Interesting links from the course:

Whatever happened to IPv5? Check out the Internet Stream Protocol: RFC 1819

TCP/IP and tcpdump Pocket Reference Guide (PDF)

http://filext.com/ -> reference for the hex file headers (magic bytes) of specific file types
