
Getting started with packet analysis for network and security issues


There are three questions we get asked the most here at CloudShark:

  1. How do I capture packets and get them into CloudShark?
  2. Where can I find example packet captures?
  3. Where do I start with packet capture analysis?

That last question is very important to us, because one of the things we always want to promote is demystifying the use of packet captures to troubleshoot network and security problems. They really are the best way, and with the right tools and knowledge they can be your first go-to.

Here’s a list of our favorite resources for getting started with packet captures.

Books

Chris Sanders puts a lot of time and effort into making sure the wider community understands how to use packet captures for troubleshooting and security analysis.

Laura Chappell is one of the founders of Wireshark University. Her textbook on Wireshark analysis is big and in-depth, but this book is a little more targeted towards beginners looking to start learning about networks through packets.

Richard Bejtlich has been writing and teaching for decades on network security. His book covers the use of NSM tools, how and where to deploy them, and details about working with packet captures during incident response.

A note about Wireshark examples

Many of the resources we introduce here base their training and examples on Wireshark. The good news is that almost anything that you learn about packet capture analysis in Wireshark applies to analysis in CloudShark, and is usually done more easily in CloudShark! We encourage you to go through some of these resources using CloudShark for your hands-on experience.

Blogs & Videos

Here are some of our go-to blogs, with examples and training resources to get familiar with capture analysis.

  • Betty Dubois (Packet Detectives) - Betty is one of the foremost experts on how to do packet capture analysis well, in particular, using profiles to make it so much easier. She has been gracious enough to host a webinar with us on that very topic too!
  • chrissanders.org - mentioned above, the author of Practical Packet Analysis has a ton of articles and resources here that he updates regularly.
  • Packet Pioneer - Chris Greer is a SharkFest regular and has a great blog with both basic and advanced topics.
  • Packet Foo - Jasper Bongertz is an undisputed master of TCP packet analysis and goes in-depth on many different topics on this blog.
  • Packetlife.net - a great resource for packet capture examples while you’re learning.
  • PacketBomb Blog - Kary Rogers has an ongoing blog on various network troubleshooting concepts and basics on packet capture and packet analysis.
  • Malware Traffic Analysis - If you’re looking for topics related to security and malicious traffic, this blog has both capture examples and exercises. Be careful though: some of the exercises contain real malware samples, so handle them with care.

Other resources

  • ask.wireshark.org - This is not only a great place to ask questions but it’s great to follow along with the analysis performed by some of the biggest packet experts out there. Using CloudShark to post the captures you have questions about makes this even easier!
  • SharkFest - SharkFest is a collaborative event held three times a year (in the US, Europe, and Asia) with various experts talking on a number of packet capture and network troubleshooting concepts. If you want to really go from being a beginner to a packet capture guru, there’s no better way than learning live from the experts themselves. If you can’t attend, they keep a record of most talks (many on video), called their “retrospectives”. Watch the retrospectives for the US, Europe, and Asia SharkFests - there is a lot there!
  • CloudShark's Zeek Logs tool uses the popular Zeek (formerly Bro) software used in network and security analysis. When working with packets, Zeek's documentation can help you understand the meaning behind the different logs and what to look for when you pivot to the packets.
  • The Suricata IDS team has a great archive of their webinars on how to use Suricata for security analysis. Suricata is the technology behind CloudShark's threat assessment tool!

That’s just a short list of some of the resources we know about for diving into the world of network packets. Like we said, with the right tools, using captures can be both easy and the best way to troubleshoot tough network problems. Have any more resources you want to see listed? Let us know!
